Security is everyone's job. With that said, security now shifts left and moves into the first phase, development. Writing secure code is always necessary, and the code we write can be analysed during the build phases to identify potential vulnerabilities even before going live. But what about the libraries that we import and use in our applications?
When writing code, most of the time we use libraries from external parties. These libraries provide additional functionality to whatever we are developing. So how can we make sure that these libraries are secure? How can we make sure these libraries do not include any vulnerabilities? This is where Software Composition Analysis tools come into the picture.
Software Composition Analysis (SCA) is the process of automating visibility into the open source components of an application for the purposes of risk management, security and license compliance. SourceClear is one such tool.
SourceClear helps developers by scanning their code and telling them what open source components they are using, who created them, what they do in the application and which components have vulnerabilities. It allows the scanning to be part of the developer's workflow and examines the security risk of open source code and libraries in real time. It analyzes the open source components and reports many details, from their origin and creation to their impact on the application.
Installation - SourceClear is a SaaS-based application, which means all we need to download and install are the SourceClear tools, which we then use to scan the code. Once the code scan is done, the results are passed to the SourceClear web application, for which we need to request an account. Register for a SourceClear account at “https://www.sourceclear.com”. Once we have an account, on a Mac-based system run the following commands to install the SourceClear components and activate them:
brew tap srcclr/srcclr
brew install srcclr
srcclr activate
When we run the last command, it asks for an activation token. The token works like a license and is provided by SourceClear when we create an account. Once activation is done we can scan our code. It looks something like this:
jagadishconsul$Wed Mar 13@ srcclr activate
Activation Token:
Now, scan a remote or local repository:
`srcclr scan --url https://github.com//`
`srcclr scan ~/path`
Once we activate the token with the srcclr command on our local machine, the tool is linked to SourceClear. Whenever we run a scan on our local machine, the results are sent to the SourceClear website, where we can log in with our credentials to see them.
Run a Scan - Check out your GitHub source code and run the scan inside the directory:
[root@ip-172-31-36-247 SampleTest]# /usr/local/bin/srcclr scan .
SourceClear scanning engine ready
Running the Maven scanner
Scanning completed
Found 64 lines of code
Processing results...
Processing results complete
Summary Report
Scan ID dc9ee77c-7335-493d-8ba4-a25a40551e46
Scan Date & Time Mar 14 2019 02:58AM UTC
Account type PRO
Scan engine 3.2.4 (latest 3.2.4)
Analysis time 30 seconds
User root
Project /home/centos/SampleTest
Package Manager(s) Maven
Open-Source Libraries
Total Libraries 17
Direct Libraries 13
Transitive Libraries 4
Vulnerable Libraries 4
Third Party Code 99.9%
Security
With Vulnerable Methods 0
High Risk Vulnerabilities 1
Medium Risk Vulnerabilities 5
Low Risk Vulnerabilities 0
Vulnerabilities - Public Data

| CVE | Risk | Description | Library & Version |
|---|---|---|---|
| CVE-2014-0114 | High Risk | Arbitrary Code Execution Through The Class Parameter Passed To The GetClass | Apache Commons BeanUtils 1.8.3 |
| CVE-2014-3596 | Medium Risk | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | Axis Web Services 1.4 |
| CVE-2012-5784 | Medium Risk | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | Axis Web Services 1.4 |
| CVE-2018-8032 | Medium Risk | Cross-Site Scripting (XSS) | Axis Web Services 1.4 |

Vulnerabilities - Premium Data

| CVE | Risk | Description | Library & Version |
|---|---|---|---|
| NO-CVE | Medium Risk | Remote Code Execution (RCE) Via Java Object Deserialization | Apache Commons IO 2.4 |
| NO-CVE | Medium Risk | Potential Remote Code Execution Via Java Object Deserialization | Apache Commons Collections 3.2.1 |
Licenses
Unique Library Licenses 5
Libraries Using GPL 1
Libraries With No License 3
Libraries With Multiple Licenses 1
Issues

| Issue ID | Issue Type | Severity | Description | Library Name & Version In Use |
|---|---|---|---|---|
| 13696119 | Vulnerability | 7.5 | CVE-2014-0114: Arbitrary Code Execution Through The Class Parameter Passed To The GetClass | Apache Commons BeanUtils 1.8.3 |
| 13696120 | Vulnerability | 5.1 | NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization | Apache Commons IO 2.4 |
| 13696121 | Vulnerability | 5.1 | NO-CVE: Potential Remote Code Execution via Java Object Deserialization | Apache Commons Collections 3.2.1 |
| 13696122 | Vulnerability | 4.3 | CVE-2018-8032: Cross-Site Scripting (XSS) | Axis Web Services 1.4 |
| 13696123 | Vulnerability | 5.8 | CVE-2014-3596: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | Axis Web Services 1.4 |
| 13696124 | Vulnerability | 5.8 | CVE-2012-5784: Man in the Middle (MitM) Attacks are Possible with Spoofed SSL Servers | Axis Web Services 1.4 |
| 13696125 | Outdated Library | 3.0 | Latest version at scan: 1.9.3 | Apache Commons BeanUtils 1.8.3 |
| 13696126 | Outdated Library | 3.0 | Latest version at scan: 3.3.3 | ZXing Core 2.0 |
| 13696127 | Outdated Library | 3.0 | Latest version at scan: 1.5.0-b01 | JavaMail API (compat) 1.4.7 |
| 13696128 | Outdated Library | 3.0 | Latest version at scan: 1.1.1 | JSON.simple 1.1 |
| 13696129 | Outdated Library | 3.0 | Latest version at scan: 2.6 | Apache Commons IO 2.4 |
| 13696130 | Outdated Library | 3.0 | Latest version at scan: 3.2.2 | Apache Commons Collections 3.2.1 |
| 13696131 | Outdated Library | 3.0 | Latest version at scan: 3.0-alpha-1 | JavaServlet(TM) Specification 2.5 |
Full Report Details https://technik.sourceclear.io/teams/wddUo70/scans/6031542
Once the scan is done, the results give us a lot of data, including the number of libraries we are using, vulnerability data telling us what type of vulnerability each finding is, license information, etc.
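To turn that summary into a build gate, the plain-text report can be parsed and the pipeline failed when the risk counts exceed a threshold. This is an added example, not part of the original post or of the SourceClear tooling; it assumes the text layout shown in the scan output above and uses a constructed, trimmed copy of that report as input.

```python
import re

# Constructed sample: a trimmed copy of the srcclr text summary in the
# same layout as the scan output above (only the lines the gate reads).
SAMPLE_REPORT = """\
Summary Report
Open-Source Libraries
Vulnerable Libraries 4
Security
High Risk Vulnerabilities 1
Medium Risk Vulnerabilities 5
Low Risk Vulnerabilities 0
Vulnerabilities - Public Data
CVE-2014-0114 High Risk Arbitrary Code Execution Through The Class Parameter Passed To The GetClass Apache Commons BeanUtils 1.8.3
CVE-2018-8032 Medium Risk Cross-Site Scripting (XSS) Axis Web Services 1.4
Vulnerabilities - Premium Data
NO-CVE Medium Risk Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4
"""

# "<Risk> Risk Vulnerabilities <n>" lines from the Security section.
COUNT_RE = re.compile(r"^(High|Medium|Low) Risk Vulnerabilities (\d+)$")
# "<CVE-id|NO-CVE> <Risk> Risk <description and library>" finding lines.
FINDING_RE = re.compile(r"^(CVE-\d{4}-\d+|NO-CVE) (High|Medium|Low) Risk (.+)$")

def parse_summary(text):
    """Return ({'High': n, 'Medium': n, 'Low': n}, [(id, risk, text), ...])."""
    counts, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(m.groups())
    return counts, findings

def gate(counts, findings, max_high=0, max_medium=None):
    """Return (ok, reasons): ok is False when a threshold is exceeded."""
    reasons = []
    if counts.get("High", 0) > max_high:
        reasons.append(f"{counts['High']} high-risk vulnerabilities (limit {max_high})")
    if max_medium is not None and counts.get("Medium", 0) > max_medium:
        reasons.append(f"{counts['Medium']} medium-risk vulnerabilities (limit {max_medium})")
    # List every high-risk finding so the failing build names the library to fix.
    reasons.extend(f"{fid}: {desc}" for fid, risk, desc in findings if risk == "High")
    return (not reasons), reasons

if __name__ == "__main__":
    ok, why = gate(*parse_summary(SAMPLE_REPORT))
    print("PASS" if ok else "FAIL: " + "; ".join(why))
```

In a real pipeline the report text would be captured from the `srcclr scan` command instead of the constructed sample, and a non-zero exit on FAIL stops the build.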
It also gives us a link to the same full information in the user interface. When we log in to SourceClear with our credentials, we can see
It gives us the risk score along with the project inventory. It also gives us the vulnerability information as below,
Software composition analysis tools are very important when writing code. We always use third party libraries to extend our functionality, so it is very important to understand how good the libraries we are using are. More to come, happy learning :-)
Good article. I am facing many of these issues as well..