For a Party A (in-house) security programme, the SDL is an inseparable topic, and code audit is part of that work. I started with the editor's built-in search, then moved to the Fortify tool, and then found that Fortify's scanning was too slow and dragged down audit efficiency, so I thought about integrating Fortify into my own business system.
In recent years the security industry has developed rapidly, and component security products that used to be rare are now common, such as semgrep with its customizable scanning rules, and GitHub's CodeQL. With more and more tools available, opening each one on its own as before is not very efficient. So I wanted to build a code audit aggregation system.
Project address: https://github.com/StarCrossPortal/swallow
Overall development ideas
When I need to audit a project, I only have to store the code address in the system; the system then automatically downloads the code, calls the various code audit tools to scan it, and stores the results.
This post covers part of the content: the implementation of the underlying code scanning, the database design, and the display in the upper-level UI.
Underlying implementation
The definition I gave swallow before development is that it is an efficiency system: it only calls other tools and then aggregates and displays their results. So the next question was which tools to use.
Here I have four requirements, namely taint tracking, security rule retrieval, component dependency vulnerability, and WebShell detection
Taint tracking
First, taint tracking. The tool needs to know where my program receives its parameters and where those parameters are then used in execution. Not many products meet this need; the well-known ones are Fortify and Checkmarx. Here I chose to call the Fortify code audit system.
Rule retrieval
Some business-related vulnerabilities require writing corresponding inspection rules, so I needed a code scanner whose rules are easy to customize. There are two choices, semgrep and CodeQL. I personally find semgrep easier to use, so I chose it.
Component vulnerability
Component vulnerability scanning mainly solves the problem where project A depends on project B and project B has a vulnerability. There are many such tools on the market now; I chose Murphy.
WebShell
The webshell scan mainly addresses the possibility that Trojan horses are hidden among a large number of code files; for this I use the Hippo webshell detection tool.
With these four tools I can conduct a fairly comprehensive inspection of the code, but I still need to sort out the overall interaction logic and the data formats. To simplify this, I directly use the layout system of the Dragonfly platform. This way I hardly need to write any data interaction code: I just arrange the flow visually by drag and drop and then watch the state of each node.
The data can be handled directly by the database components in the Dragonfly Security Workbench, which cover the adding, deleting, modifying and querying of data.
Database Design
I adopted the most trouble-free approach for the database design. First, I need a table to store the Git repository addresses, so I created a git_add table. The system also needs some configuration, so I created a project_conf table, as shown in the figure below.
Next I had to consider how to store the results of the four tools. At first I created four new data tables, but later found that five tables were more suitable, as shown in the figure below.
The reason is that Murphy's code scanning results need to be handled slightly differently. Its result structure is a two-dimensional array, which is not convenient for database retrieval, so I split Murphy's table structure into two, giving two table structures for that tool.
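To show why the split into two tables helps, here is an added example (not code from the swallow project) that flattens a nested component-dependency report into a component table and a vulnerability table in SQLite, then runs the kind of query the flat layout makes easy. The report shape and the field names are assumptions for illustration, not Murphy's real output schema, and the sample data is constructed.

```python
import sqlite3

# Constructed sample in the shape of a nested dependency report: one entry per
# component, each carrying a list of vulnerabilities (a two-dimensional structure).
# Field names are assumed for illustration, not the real Murphy output format.
SAMPLE_REPORT = [
    {"name": "demo-json", "version": "1.0.0",
     "vulns": [{"id": "EXAMPLE-0001", "severity": "critical"},
               {"id": "EXAMPLE-0002", "severity": "high"}]},
    {"name": "demo-io", "version": "2.3.0", "vulns": []},
]

# Two flat tables: components, and vulnerabilities keyed to their component.
SCHEMA = """
CREATE TABLE murphy_component (
    id INTEGER PRIMARY KEY, repo TEXT, name TEXT, version TEXT);
CREATE TABLE murphy_vuln (
    id INTEGER PRIMARY KEY,
    component_id INTEGER REFERENCES murphy_component(id),
    vuln_id TEXT, severity TEXT);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def store_report(conn, repo, report):
    """Flatten the nested report; returns (components, vulns) inserted."""
    ncomp = nvuln = 0
    for comp in report:
        cur = conn.execute(
            "INSERT INTO murphy_component (repo, name, version) VALUES (?, ?, ?)",
            (repo, comp["name"], comp["version"]))
        ncomp += 1
        for v in comp.get("vulns", []):
            conn.execute(
                "INSERT INTO murphy_vuln (component_id, vuln_id, severity) "
                "VALUES (?, ?, ?)", (cur.lastrowid, v["id"], v["severity"]))
            nvuln += 1
    conn.commit()
    return ncomp, nvuln

def components_with_severity(conn, repo, severity):
    """Which components of a repo carry a finding of the given severity."""
    rows = conn.execute(
        "SELECT DISTINCT c.name, c.version FROM murphy_component c "
        "JOIN murphy_vuln v ON v.component_id = c.id "
        "WHERE c.repo = ? AND v.severity = ?", (repo, severity)).fetchall()
    return [f"{name}@{ver}" for name, ver in rows]
```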
Front-end UI
For the front-end UI I originally wanted to use the Element UI framework, but this project is developed by me alone and is relatively simple, so it is more convenient to use a template directly.
So it was developed with Bootstrap 5 combined with ThinkPHP 6.
The effect diagram is as follows
Add repository
I won't go through the installation process; I will just record how to use the system and what it looks like.
First, find the Add button in the repository list, paste the Git repository address into it, and it will be automatically added to the list.
As shown in the figure above, multiple repositories can be added at once, with one repository address per line.
View dependency vulnerabilities
View WebShell
View dependent components
Author: Tang Qingsong
Date: 2023-04-03