Hands-on experience with the open-source Swallow code audit system

Recently I came across a promotion for the Swallow code audit system on Bilibili and found that its features fit my current work needs well. After installing and using it, I made some brief notes and am sharing them for anyone who needs them.

The underlying architecture combines the Dragonfly orchestration system, Murphy SCA, Fortify, Semgrep and Hema (the Hippo webshell scanner).
Project address: https://github.com/StarCrossPortal/swallow
Installation and usage video tutorial: https://www.bilibili.com/video/BV14h411V7m5/

Adding repositories

I won't go over the installation process; I'll just record how to use it and what the results look like.

First, find the Add button in the repository list and paste the Git repository address into it; the repository is then added to the list automatically.

As shown in the figure above, multiple repositories can be added at once, one repository address per line.

Vulnerability management

After adding the repositories and waiting about 5 minutes, some results had been scanned. The vulnerability management list shows the vulnerabilities found by Fortify.

Click through to the details to see the entry point of the tainted parameter and the location where it is executed, as shown in the figure below.

Fortify's report is in English, but it uses fairly common vocabulary, so that is not a problem in practice.

Viewing dangerous functions

Dangerous functions are detected by dangerous-function rules implemented with Semgrep. For example, when certain sensitive functions are called, they appear here; of course, not only dangerous functions show up, since other rules may also be present.

Open the details to see the detailed vulnerability information.

As shown in the figure above, the prompt states that a particular function is used in the code and then explains why that function carries a security risk.
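To make the "dangerous function" idea concrete, here is an added example (not Swallow's or Semgrep's own rules, and not code from the original post) that does the same kind of check in Python: it walks the AST of a source file, matches calls against a constructed rule table, and reports the line, the function and the reason it is considered risky, which is the information the detail page above shows. The rule table, the `subprocess` shell=True refinement and the sample input are all assumptions made for the example.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule table for illustration (not Swallow's or Semgrep's own rules):
# fully qualified call name -> why the call is considered risky.
DANGEROUS_CALLS = {
    "eval": "evaluates a string as code; attacker-controlled input becomes code execution",
    "exec": "executes a string as code; same risk as eval",
    "os.system": "runs a shell command line; unsanitised input allows command injection",
    "subprocess.call": "spawns a process; with shell=True the command line is shell-parsed",
    "pickle.loads": "deserialises arbitrary objects; untrusted data can run code on load",
}


@dataclass
class Finding:
    line: int
    call: str
    reason: str


def _qualified_name(node: ast.AST) -> Optional[str]:
    """Return 'os.system' for os.system(...) or 'eval' for eval(...); None otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _has_shell_true(call: ast.Call) -> bool:
    """True when the call passes shell=True as a literal keyword argument."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def scan_source(source: str) -> List[Finding]:
    """Walk the AST and report every call that matches a dangerous-function rule."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name not in DANGEROUS_CALLS:
            continue
        # subprocess.* is only risky in this rule set when shell=True is passed
        if name.startswith("subprocess.") and not _has_shell_true(node):
            continue
        findings.append(Finding(node.lineno, name, DANGEROUS_CALLS[name]))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input (not code from any real project).
SAMPLE_SOURCE = '''
import json
import os
import subprocess

def run(user_input):
    os.system("ping " + user_input)                   # flagged: os.system
    subprocess.call(["ls", "-l"])                     # not flagged: argv list, no shell
    subprocess.call("ls " + user_input, shell=True)   # flagged: shell=True
    return json.loads(user_input)                     # not flagged: safe parser
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.call} -- {f.reason}")
```

Running it on the sample reports lines 7 and 9 only; the argv-list `subprocess.call` and the `json.loads` call are left alone, which is the distinction a good rule set needs so that the list is not flooded with false positives.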

Viewing dependency vulnerabilities

A dependency vulnerability means that project A uses code from project B; if project B has a vulnerability, project A may be affected as well. Swallow's dependency vulnerability detection uses the Murphy SCA tool, as shown in the figure below.

After expanding the details page, you can see the CVE number of the vulnerable dependency.

Viewing webshells

Webshell detection uses the Hema (Hippo) tool, which currently lists suspicious files but does not provide more detailed information.

Viewing dependent components

Finally, there is a list of dependent components, which parses out every component the project depends on. This information is auxiliary only; it does not mean all of these components have security problems.
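The two steps described above, building the component list and then matching it against advisories to find dependency vulnerabilities, are what an SCA tool does in miniature. The following added example (not Murphy SCA's or Swallow's code, and not from the original post) parses a constructed requirements.txt into components and checks each pin against a constructed advisory table; the package names, versions and `CVE-PLACEHOLDER-*` ids are all made up for the example, and the version comparison is a simple numeric dotted-version compare rather than a full PEP 440 implementation.

```python
import re
from typing import Dict, List, Tuple

# Constructed requirements.txt content (not from a real project; package names are made up).
REQUIREMENTS = """\
# web stack
webframe==1.0.2
httpclient==2.19.0
yamlparse==5.4.1
tokensigner==2.1.2   # no known advisory in the sample table
"""

# Constructed advisory table for illustration only: package -> (first fixed version, advisory id).
# The ids are placeholders, not real CVE numbers.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "webframe":   [("1.0.3", "CVE-PLACEHOLDER-1")],
    "httpclient": [("2.20.0", "CVE-PLACEHOLDER-2")],
    "yamlparse":  [("5.4", "CVE-PLACEHOLDER-3")],
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)")


def parse_components(requirements: str) -> Dict[str, str]:
    """Extract pinned components (name -> version), ignoring comments and blank lines."""
    components = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            components[m.group(1).lower()] = m.group(2)
    return components


def version_lt(a: str, b: str) -> bool:
    """Numeric dotted-version comparison; shorter tuples are zero-padded ('5.4' == '5.4.0')."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa < pb


def match_advisories(components: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, first_fixed, advisory_id) for each vulnerable pin."""
    hits = []
    for name, installed in sorted(components.items()):
        for fixed, advisory in ADVISORIES.get(name, []):
            if version_lt(installed, fixed):
                hits.append((name, installed, fixed, advisory))
    return hits


if __name__ == "__main__":
    comps = parse_components(REQUIREMENTS)
    print("components:", comps)
    for name, installed, fixed, adv in match_advisories(comps):
        print(f"{name} {installed} is affected by {adv}; first fixed in {fixed}")
```

All four components appear in the component list, but only two of them produce a dependency-vulnerability finding: `yamlparse` is pinned at a version at or above the first fixed release, and `tokensigner` has no advisory at all. That is exactly why the component list is auxiliary information and the advisory match is what matters.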

Source: blog.csdn.net/u013431141/article/details/129821372