Skip to content
This repository has been archived by the owner on Nov 28, 2023. It is now read-only.

Commit

Permalink
Merge pull request #555 from wufeifei/develop
Browse files Browse the repository at this point in the history
Released v2.0.0-alpha.2
  • Loading branch information
FeeiCN authored Sep 6, 2017
2 parents 886aae9 + 2d979c5 commit 885dafc
Show file tree
Hide file tree
Showing 30 changed files with 269 additions and 446 deletions.
28 changes: 28 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
Cobra Changelog
===============

Here you can see the full list of changes between each Cobra release.

Version 2.0.0-alpha.2
---------------------

Released on Sep 06 2017

- 修复上传非支持的后缀提示
- 修复VirtualEnv环境下无法执行
- 修复grep/find路径位置变动
- 优化日志等级
- 优化Docker下路径错误
- 优化耗时计算
- 其它细节优化和Bug修复

Version 2.0.0-alpha.1
---------------------

Released on Sep 05 2017

内测正式版本

- 简化安装和使用成本
- 增加CLI模式
- 开源扫描规则
5 changes: 3 additions & 2 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,9 @@
仔细描述问题的复现步骤,并提供对应的运行环境信息(Python版本、系统版本)

## 提交代码
- Fork项目,切换到`develop`分支开发,或新建分支`feature-xxx`
- Fork项目,切换到`develop`分支开发
- 按照PEP8格式
- 所有代码都需要有对应的单元测试用例
- 运行所有测试用例
- 提交Pull Request
- 提交Pull Request到`develop`分支
- 等待测试稳定后合并到`master`分支
14 changes: 14 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
FROM ubuntu:xenial

COPY . /code/
WORKDIR /code

RUN apt-get update && apt-get install -y python-pip curl \
&& apt-get autoremove \
&& apt-get clean \
&& apt-get autoclean \
&& pip install -r requirements.txt \
&& cp config.template config

EXPOSE 5000
CMD ["python", "cobra.py", "-H", "0.0.0.0", "-P", "5000"]
6 changes: 4 additions & 2 deletions cobra.py
Original file line number Diff line number Diff line change
@@ -1,11 +1,13 @@
#!/usr/bin/python

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import re
import sys

from cobra import main


if __name__ == '__main__':
sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
sys.exit(main())

4 changes: 2 additions & 2 deletions cobra/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@
def main():
try:
# arg parse
t1 = time.clock()
t1 = time.time()
parser = argparse.ArgumentParser(prog=__title__, description=__introduction__, epilog=__epilog__, formatter_class=argparse.RawDescriptionHelpFormatter)

parser_group_scan = parser.add_argument_group('Scan')
Expand Down Expand Up @@ -80,7 +80,7 @@ def main():
# API call CLI mode
a_sid = args.sid
cli.start(args.target, args.format, args.output, args.special_rules, a_sid)
t2 = time.clock()
t2 = time.time()
logger.info('[INIT] Done! Consume Time:{ct}s'.format(ct=t2 - t1))
except Exception as e:
err_msg = unhandled_exception_message()
Expand Down
16 changes: 8 additions & 8 deletions cobra/__version__.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
__issue_page__ = 'https://github.com/wufeifei/cobra/issues/new'
__python_version__ = sys.version.split()[0]
__platform__ = platform.platform()
__version__ = '2.0.0-alpha'
__version__ = '2.0.0-alpha.2'
__author__ = 'Feei'
__author_email__ = 'feei@feei.cn'
__license__ = 'MIT License'
Expand All @@ -22,10 +22,10 @@
Cobra is a static code analysis system that automates the detecting vulnerabilities and security issue.""".format(version=__version__)
__epilog__ = """Usage:
{m} -t {td}
{m} -t {td} -r cvi-190001,cvi-190002
{m} -t {td} -f json -o /tmp/report.json
{m} -t {tg} -f json -o feei@feei.cn
{m} -t {tg} -f json -o http://push.to.com/api
sudo {m} -H 127.0.0.1 -P 80
""".format(m='./cobra.py', td='tests/vulnerabilities', tg='https://github.com/ethicalhack3r/DVWA')
python {m} -t {td}
python {m} -t {td} -r cvi-190001,cvi-190002
python {m} -t {td} -f json -o /tmp/report.json
python {m} -t {tg} -f json -o feei@feei.cn
python {m} -t {tg} -f json -o http://push.to.com/api
sudo python {m} -H 127.0.0.1 -P 80
""".format(m='cobra.py', td='tests/vulnerabilities', tg='https://github.com/ethicalhack3r/DVWA')
10 changes: 8 additions & 2 deletions cobra/api.py
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@

q = queue.Queue()
app = Flask(__name__, static_folder='templates/asset')
running_host = '0.0.0.0'
running_port = 5000


def producer(task):
Expand Down Expand Up @@ -204,7 +206,7 @@ def post():
code, result = 1001, {'sid': a_sid}
return {'code': code, 'result': result}
else:
return {'code': 1002, 'msg': "This extension can't support!"}
return {'code': 1002, 'result': "This extension can't support!"}


class ResultData(Resource):
Expand Down Expand Up @@ -309,7 +311,8 @@ def summary():
return render_template(template_name_or_list='index.html',
key=key)

status_url = request.url_root + 'api/status'
status_url = 'http://{host}:{port}/api/status'.format(host=running_host, port=running_port)
logger.critical(status_url)
post_data = {
'key': key,
'sid': a_sid,
Expand Down Expand Up @@ -481,6 +484,9 @@ def start(host, port, debug):
i.start()

try:
global running_port, running_host
running_host = host if host != '0.0.0.0' else '127.0.0.1'
running_port = port
app.run(debug=debug, host=host, port=int(port), threaded=True, processes=1)
except socket.error as v:
if v.errno == errno.EACCES:
Expand Down
48 changes: 37 additions & 11 deletions cobra/cve_parse.py → cobra/cve.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
# -*- coding: utf-8 -*-

"""
cobra
~~~~~
CVE
~~~
Implements cobra main
Implements CVE Rules Parser
:author: BlBana <635373043@qq.com>
:homepage: https://github.com/wufeifei/cobra
Expand Down Expand Up @@ -241,9 +242,9 @@ def log_result(self):
for cve_child in self._scan_result[module_]:
cve_id = cve_child
level = self._scan_result[module_][cve_id]
logger.warning('Find the module ' + module_ + ' have ' + cve_id + ',level: ' + level)
logger.debug('Find the module ' + module_ + ' have ' + cve_id + ',level: ' + level)
count = len(self._scan_result[module_])
logger.warning('The ' + module_ + ' module have ' + str(count) + ' CVE Vul(s)')
logger.debug('The ' + module_ + ' module have ' + str(count) + ' CVE Vul(s)')

def get_scan_result(self):
return self._scan_result
Expand Down Expand Up @@ -337,7 +338,7 @@ def store(results):
for module_ in results[0]:
for cve_id, cve_level in results[0][module_].items():
cve_path = results[1]
cve_vul = parse_math(cve_path, cve_id, cve_level, module_)
cve_vul = parse_math(cve_path, cve_id, cve_level, module_, target_directory)
cve_vuls.append(cve_vul)
else:
logger.debug('[SCAN] [STORE] Not found vulnerabilities on this rule!')
Expand Down Expand Up @@ -371,11 +372,12 @@ def scan_single(target_directory, cve_path):
return cve.get_scan_result(), cve_path


def parse_math(cve_path, cve_id, cve_level, module_):
def parse_math(cve_path, cve_id, cve_level, module_, target_directory):
flag = 0
file_path = 'unkown'
mr = VulnerabilityResult()
module_name, module_version = module_.split(':')
cvi = cve_path.lower().split('cvi-')[1][:6]
rule_name = '引用了存在漏洞的三方组件'
if cve_level == 'LOW':
cve_level = 2

Expand All @@ -385,13 +387,37 @@ def parse_math(cve_path, cve_id, cve_level, module_):
elif cve_level == 'HIGH':
cve_level = 8

mr.language = cve_id
for root, dirs, filenames in os.walk(target_directory):
for filename in filenames:
if filename == 'pom.xml' and flag != 2:
file_path = os.path.join(root, filename)
file_path = file_path.replace(target_directory, '')
flag = 1

elif filename == 'requirements.txt' and flag != 1:
file_path = os.path.join(root, filename)
file_path = file_path.replace(target_directory, '')
flag = 2

if flag != 0:
mr.file_path = file_path

else:
mr.file_path = 'unkown'
mr.language = '*'
mr.id = cvi
mr.rule_name = rule_name
mr.rule_name = cve_id
mr.level = cve_level
mr.file_path = module_name
mr.line_number = 1
mr.analysis = 'Dependencies Matched(依赖匹配)'
mr.code_content = module_name + ':' + module_version
mr.solution = """
三方依赖**""" + module_name + """:""" + module_version + """**存在CVE漏洞,CVE漏洞编号为: **""" + cve_id + """**
## 安全风险
## 安全修复
请根据对应厂商公告,及时更新三方依赖至安全版本
"""

logger.debug('[CVE {i}] {r}:Find {n}:{v} have vul {c} and level is {l}'.format(i=mr.id, r=mr.rule_name,
n=mr.file_path, v=mr.line_number,
Expand Down
6 changes: 3 additions & 3 deletions cobra/dependencies.py
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# -*- coding: utf-8 -*-

"""
cobra
~~~~~
dependencies
~~~~~~~~~~~~
Implements cobra main
Implements Dependencies Check
:author: BlBana <635373043@qq.com>
:homepage: https://github.com/wufeifei/cobra
Expand Down
Loading

0 comments on commit 885dafc

Please sign in to comment.