How to fully utilize depscan's capability?

[harshit-kochar]

We are pocing with depscan and wanted to know what are some ways in which we can fully utilize depscan's reachability capabilities.

Setup

1. In a fresh python venv, installed depscan and cdxgen.
2. Cloned the following vulnerable repo: https://github.com/harekrishnarai/Damn-vulnerable-sca
3. Ran the below depscan command depscan --profile appsec --explain

Output

• Depscan Output:

• Depscan Universal Findings: depscan-universal.json

• Other tools Output:
  https://github.com/harekrishnarai/Damn-vulnerable-sca?tab=readme-ov-file#sca-scan-reports

Personal Thoughts

• with other repositories, I have tried creating a reachables slice file using atom which shows reachability to a vulnerable function, but depscan was not tagging it as reachable or exploitable.

[prabhu]

@harshit-kochar have you tried --profile research as mentioned in the readme?

Different profiles toggle different settings in cdxgen and depscan.

Appsec profile is for appsec users willing to do their own research (using chen). Research profile is the recommended option to help get started with reachability analysis using default settings.

https://github.com/CycloneDX/cdxgen/blob/e0da319111f4dd383926fbd3aa036b2a6b5a78fd/bin/cdxgen.js#L387

[prabhu]

Also try doing npm install before running depscan. There is no attribute called ImportedModules in the sbom, so the auto-tagging via chen will not work.

{
      "author": "",
      "publisher": "",
      "group": "",
      "name": "ip",
      "version": "1.1.8",
      "description": "",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "3ee1313d8522bbaa8c0506f8974e9e726e93eae8f386687e31e25c5bdc1af3d3e8033e69bdde333e0379589575d3899be92d93d40c0d200681ef424dacb41686"
        }
      ],
      "licenses": [],
      "purl": "pkg:npm/ip@1.1.8",
      "type": "library",
      "bom-ref": "pkg:npm/ip@1.1.8",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/home/prorajnikant/SCA/Damn-vulnerable-sca/package-lock.json"
        }
      ]
    },

You can run cdxgen with --deep argument and the environment variable CDXGEN_DEBUG_MODE=debug to troubleshoot further.

[prabhu]

With npm install, I see the following in reachables.slices.json

{
                    "id": 400,
                    "label": "IDENTIFIER",
                    "name": "my_ip",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "ip.isPublic(my_ip)",
                    "typeFullName": "",
                    "parentMethodName": "anonymous8",
                    "parentMethodSignature": "",
                    "parentFileName": "index.js",
                    "parentPackageName": "<global>",
                    "parentClassName": "index.js::program",
                    "lineNumber": 267,
                    "columnNumber": 20,
                    "tags": "pkg:npm/ip@1.1.8"
                }

Since the particular purl doesn't have a vendor, this particular line is skipping the addition of Reachable label. Would you like to send a PR if (clinks.get("vendor") and package_type not in config.OS_PKG_TYPES) or reached_purls.get(purl):

if clinks.get("vendor") and package_type not in config.OS_PKG_TYPES:
            if reached_purls.get(purl):
                # If it has a poc, an insight might have gotten added above
                if not pkg_requires_attn:
                    insights.append(":receipt: Reachable")
                    plain_insights.append("Reachable")

[harshit-kochar]

Thanks a @prabhu for these updates, let me get through this information. Appreciate the time 🙇

[harshit-kochar]

Thanks a lot for the help @prabhu , the recommended fix regarding the missing purl check did the job 💯
Tested the changes locally, and its producing the desired output:

I will raise a PR soon.

[prabhu]

Thank you. Could you raise two PR one against master and one against release/5.x? You need two branches to avoid conflicts

[prabhu]

Thank you so much. 5.4.5 released with this fix.

[harshit-kochar]

Hello again 👋 😅
The reachables files is not being populated in a minimal sailsJS repo, but the usage file is. I had performed npm install before running the scan.

Can you please help here? Is it because the vulnerable lodash function template is not being populated in its corresponding ImportedModules?

• Vulnerable lodash version: 4.17.0

• Base repository

• Depscan command: docker run --rm -e CDXGEN_DEBUG_MODE=debug -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan:v5.4.5 --src /app --reports-dir /app/reports -t js --debug --profile research --explain --deep

• Branch with depscan scan results

• SBOM: bom.json

• Usages: usages.slices.json

• Debug output:

DEBUG [2024-09-12 13:27:39,015] BOM Profile: research
DEBUG [2024-09-12 13:27:39,015] ⚡︎ Executing "cdxgen -r -t js -o /app/bom.json --deep --profile research /app"
DEBUG [2024-09-12 13:28:24,053] Performing babel-based package usage analysis with source code at /app
Parsing /app/package-lock.json
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json select * from deb_packages where name like '%ssl%' OR name like '%crypto%';
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json select * from portage_packages where package like '%ssl%' OR package like '%crypto%';
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json select * from rpm_packages where name like '%ssl%' OR name like '%crypto%';
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json select * from python_packages where name like '%ssl%' OR name like '%crypto%';
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json select * from programs where name like '%ssl%' OR name like '%crypto%';
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json SELECT * FROM homebrew_packages where name like '%ssl%' OR name like '%crypto%';
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json SELECT * FROM authorized_keys;
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json SELECT * FROM certificates;
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json SELECT * FROM keychain_items;
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json SELECT * FROM kernel_keys;
Executing /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin-arm64/plugins/osquery/osqueryi-linux-arm64 --json SELECT * FROM yum_sources;
Creating reachables slice for /app. Please wait ...
Executing node /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/index.js reachables --include-crypto -l js -o /app/app.atom --slice-outfile /app/reachables.slices.json /app
Generating data-flow dependencies from atom. Please wait ...
Slicing the atom for reachables. This might take a few minutes ...
Slices have been successfully written to /app/reachables.slices.json

Creating usages slice for /app. Please wait ...
Executing node /usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/index.js usages -l js -o /app/app.atom --slice-outfile /app/usages.slices.json /app
Slicing the atom for usages. This might take a few minutes ...
Slices have been successfully written to /app/usages.slices.json

bom.json created successfully.

DEBUG [2024-09-12 13:28:24,054] Scanning using the bom file /app/bom.json
INFO [2024-09-12 13:28:24,054] To improve performance, cache the bom file and invoke depscan with --bom /app/bom.json instead of -i
DEBUG [2024-09-12 13:28:24,069] Performing remote audit for /app of type js
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
DEBUG [2024-09-12 13:28:24,069] No of packages 317
DEBUG [2024-09-12 13:28:24,598] Remote audit yielded 4 results
INFO [2024-09-12 13:28:24,599] About to download the vulnerability database from ghcr.io/appthreat/vdb:v5-rafs. This might take a while ...
/usr/lib64/python3.12/tarfile.py:2252: RuntimeWarning: The default behavior of tarfile extraction has been changed to disallow common exploits (including CVE-2007-4559). By default, absolute/parent paths are disallowed and some mode bits are cleared. See https://access.redhat.com/articles/7004769 for more details.
  warnings.warn(
DEBUG [2024-09-12 13:29:58,651] VDB data is stored at: /root/.local/share/vdb
INFO [2024-09-12 13:30:54,341] Performing regular scan for /app using plugin js
DEBUG [2024-09-12 13:30:54,341] Scanning 317 oss dependencies for issues
DEBUG [2024-09-12 13:30:54,434] Adjusting fix version based on the initial suggestion {'pkg:npm/lodash@4.17.10': '4.17.21', 'pkg:npm/send@0.16.1': '0.19.0', 'pkg:npm/express@4.19.2': '4.20.0', 'pkg:npm/send@0.18.0': '0.19.0', 'pkg:npm/serve-static@1.15.0': '1.16.0', 'pkg:npm/body-parser@1.20.2': '1.20.3', 'pkg:npm/path-to-regexp@0.1.7': '0.1.10', 'pkg:npm/path-to-regexp@1.5.3': '1.9.0', 'pkg:npm/serve-static@1.13.1': '1.16.0'}
DEBUG [2024-09-12 13:30:54,434] Re-checking our suggestion to ensure there are no further vulnerabilities```

[prabhu]

sailsjs is not a supported framework. Can you share some more sample applications, so that I can find a way to make chen recognize them?

[harshit-kochar]

You can find some sailsJS apps here: sails101

Sample sailsjs repositories where reachables and usages were not generated:

• vulnerable-sails-jwt-login
• vulnerable-sailsjs-seed

Sample sailsjs repositories where reachables and usages were generated:

• ECommerce-Sailsjs-API
• nodejs-goof

[harshit-kochar]

Hello @prabhu 👋
will you get some time to implement support for sailsjs by this month's end?
Also, on another note, I was wondering how does depscan know that a particular function for a particular library is vulnerable and then tag that finding as reachable?

[prabhu]

Reachables slices is getting generated fine for https://github.com/harshit-kochar/vulnerable-sails-jwt-login. Did you do npm install prior to running depscan?

reachables.slices.json

[harshit-kochar]

Yes

[harshit-kochar]

Weird, I am able to generate one now too. 🤔
Anyways, are you able to generate one for this repo? I am still not able to generate for this repo.