tcosolutions / betterscan Goto Github PK


Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC) - Betterscan

Home Page: https://betterscan.io

License: GNU Affero General Public License v3.0

Languages: Java 0.12%, Python 95.10%, Dockerfile 1.29%, Makefile 1.48%, HTML 1.43%, Mako 0.30%, Shell 0.29%

Topics: sast, code-quality, code-quality-analyzer, static-analysis, static-code-analysis, static-analyzers, devsecops, sonarqube, compliance, devops

betterscan's People

Contributors: andrewpollock, carlin-q-scott, daniijal, devendrakajala, isclayton, marcinguy, peter279k


betterscan's Issues

setup fails to create tasks directory and blocks worker from working on tasks

When I run docker-compose up in the dockerhub directory for this repo, it creates two folders, data1 and data2. The worker then attempts to create log files in data2/tasks, but that directory doesn't exist, so the worker fails to run the task. Simply creating the tasks directory solves the issue.

The setup script should run mkdir on that directory so that the worker can write its logs.

Getting error in checkmate issue

Hi,
I am trying to add betterscan to an Azure DevOps pipeline using the CLI image, but I get an error at the last step:
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate issues'

Traceback (most recent call last):
File "/usr/local/bin/checkmate", line 33, in
sys.exit(load_entry_point('checkmate==0.2.0', 'console_scripts', 'checkmate')())
File "/usr/local/lib/python3.8/site-packages/checkmate-0.2.0-py3.8.egg/checkmate/scripts/manage.py", line 114, in main
result = command.run()
File "/usr/local/lib/python3.8/site-packages/checkmate-0.2.0-py3.8.egg/checkmate/management/commands/issues.py", line 65, in run
if issue["line"]==1:
File "/usr/local/lib/python3.8/site-packages/blitzdb3_ce-4.0.0-py3.8.egg/blitzdb/document.py", line 191, in __getitem__
return self.attributes[key]
KeyError: 'line'

Could you please help?

Dependency files should always be scanned

Issue

I ran osv-scan directly against my project, and it detected 4 vulnerable packages, but betterscan didn't find any. I expected the scan reports to match.

npm vulnerability scans.zip

I also included results for OWASP dependency-check in the zip file since it provided similar results to osv-scan, but osv-scan has been more thorough in my testing against node.js and nuget projects.

Theory

I'm wondering if the issue I'm seeing is that the package-lock.json was updated in a commit that had been scanned before BetterScan added the osv-scan tool. It takes hours to run BetterScan against all commits in the repo, so I have not attempted to verify this yet.

Version Info

I used the latest version of all of these tools as of today, 1/10/2023.

Errors with server (backend) and worker images

I have encountered multiple errors when using server and worker images both hosted on DockerHub and building from source.
Most errors arise from Python libraries missing from the images. I identified the following missing libraries:
Worker image: passlib, celery, jinja2, werkzeug, markupsafe
Server/Backend image: passlib, flask, jinja2, wtforms

Furthermore, the worker image seems to be missing the following file: /srv/betterscan/settings.yml.
I solved it with the command:
ln -s /srv/betterscan/quantifiedcode/settings/default.yml /srv/betterscan/settings.yml

Finally, the following message was added to all html files:

/**
 * This file is part of Betterscan CE (Community Edition).
 *
 * Betterscan is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * Betterscan is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with Betterscan. If not, see <https://www.gnu.org/licenses/>.
 *
 * Originally licensed under the BSD-3-Clause license with parts changed under
 * LGPL v2.1 with Commons Clause.
 * See the original LICENSE file for details.
*/

But this comment syntax /** */ is not hidden when displaying the pages.
It probably should be replaced with the syntax <!-- -->.

azure devops integration failing

Hi @marcinguy, I'm trying to integrate betterscan in an Azure DevOps pipeline as per the documentation, but while running the SAST task I'm getting the error message below:

Starting: Static Application Security Test (SAST)

Task : Command line
Description : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version : 2.212.0
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line

Generating script.
========================== Starting Command Output ===========================
/bin/bash --noprofile --norc /__w/_temp/78c91d4f-67b0-43bc-8ab3-6df1b970aab7.sh
Switched to a new branch 'master'
/root
/__w/1/s
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov
Loading plugin: kubescape
Loading plugin: insidersecswift
Loading plugin: insiderseckotlin
Loading plugin: insiderseccsharp
Loading plugin: pmdapex
Loading plugin: semgrepccpp
Loading plugin: semgrepjava
Loading plugin: semgrepeslint
Loading plugin: graudit
Loading plugin: text4shell
Loading plugin: yara
Cannot find a checkmate project in the current directory tree, aborting.
##[error]Bash exited with code '255'.
Finishing: Static Application Security Test (SAST)

"checkmate git init" step is unresponsive

Thanks for creating and sharing this tool. Appreciate your idea and efforts.

I'm facing issues while running the pre-built docker images on macOS with an M1 chip.
"checkmate git init" step is stuck for hours.
Is there a debug option to run the command to troubleshoot further?

Please find below further details about this blocker:

❯ uname -a Darwin EELPD01407 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan 5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T6000 arm64

❯ docker run -ti scanmycode/scanmycode3-ce:worker-cli-arm64 checkmate
/root
/root
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov
Usage: checkmate [command] [command] [...] [args]

Type "checkmate help" for help

❯ docker run -v /Users/karthik/Downloads/java-project-master:/Users/karthik/Downloads/java-project-master -ti scanmycode/scanmycode3-ce:worker-cli-arm64 bash
root@68484e859bd2:~# cd /Users/karthik/Downloads/java-project-master

root@68484e859bd2:/Users/karthik/Downloads/java-project-master#
root@68484e859bd2:/Users/karthik/Downloads/java-project-master# checkmate init
/root
/Users/karthik/Downloads/java-project-master
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov
Initializing new project in the current directory.
root@68484e859bd2:/Users/karthik/Downloads/java-project-master# checkmate git init
/root
/Users/karthik/Downloads/java-project-master
/Users/karthik/Downloads/java-project-master
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov

Also tried on a Linux machine and the result is the same.
# uname -a Linux test-server 4.19.56-coreos-r1 #1 SMP Tue Jul 30 06:40:10 -00 2019 x86_64 Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz GenuineIntel GNU/Linux

# docker run -ti scanmycode/scanmycode3-ce:worker-cli bash
root@1421087bdf21:~#
root@1421087bdf21:~# checkmate init
/root
/root
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov
Initializing new project in the current directory.
root@1421087bdf21:~# checkmate git init
/root
/root
/root
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov

client_loop: send disconnect: Broken pipe
❯

Private github repo fails to fetch despite adding public ssh key to github account?

Am I missing something?

I have seen the instructions here #45

but I am able to add public ssh keys to my github account, so I believe that thread isn't relevant to me.

I have tried cloning from within dockerhub_worker_1_1 but I get Permission denied (publickey):

# git clone git@github.com:jopfre/xxxx.git
Cloning into 'xxxx'...
The authenticity of host 'github.com (140.82.113.3)' can't be established.
ECDSA key fingerprint is XXXXXXXX
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com,140.82.113.3' (ECDSA) to the list of known hosts.
git@github.com: Permission denied (publickey).

I added the public ssh key from betterscan dashboard > settings > git settings to https://github.com/settings/ssh/new

Am I missing a step perhaps?

Full log output:

[INFO / 2023-03-05 00:02:20] Running pre-analysis hooks for project aird (e55c2c0f7273437880aa58a4ea51d307).
[INFO / 2023-03-05 00:02:20] Fetching data for project aird (e55c2c0f7273437880aa58a4ea51d307).
[ERROR / 2023-03-05 00:02:21] Fetching data for project aird (e55c2c0f7273437880aa58a4ea51d307) failed!
[ERROR / 2023-03-05 00:02:21] Analysis of project aird (e55c2c0f7273437880aa58a4ea51d307) failed!
[ERROR / 2023-03-05 00:02:21] Traceback (most recent call last):
  File "/srv/scanmycode/quantifiedcode/backend/tasks/project/analyze.py", line 42, in hook_step
    settings.hooks.call(hook, project)
  File "/srv/scanmycode/quantifiedcode/helpers/hooks.py", line 42, in call
    hook(*args, **kwargs)
  File "/srv/scanmycode/quantifiedcode/plugins/git/backend/tasks/fetch.py", line 100, in fetch_remote
    raise IOError("Cannot fetch git repository!")
OSError: Cannot fetch git repository!

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/srv/scanmycode/quantifiedcode/backend/tasks/project/analyze.py", line 76, in analyze_project
    _analyze_project(project)
  File "/srv/scanmycode/quantifiedcode/backend/tasks/project/analyze.py", line 92, in _analyze_project
    hook_step(project, "project.analyze.fetch", "Fetching data")
  File "/srv/scanmycode/quantifiedcode/backend/tasks/project/analyze.py", line 45, in hook_step
    logger.error("Exception {} {}.".format(e.__class__.__name__, e.message))
AttributeError: 'OSError' object has no attribute 'message'

Issue building docker images

Due to the docker-hub images not being available (see #161) I tried to use the build information in the docker folder.

Running docker compose build results in this error:

...
7.291 mkdir -p newBuild/optimized/static/css
7.292 #we generate the output in the same directory, as relative imports won't work otherwise...
7.292 cleancss -o newBuild/static/css/main.min.css \
7.292               newBuild/static/css/main.css
7.539 #we move the file to another directory afterwards...
7.540 mv newBuild/static/css/main.min.css \
7.540    newBuild/optimized/static/css/main.min.css
7.541 #we copy dependent resources (fonts) to the optimized directory
7.541 rsync -am --include="*.woff" --include="*.eot" --include="*.woff2" --include="*/" \
7.541     --exclude="*" -a newBuild/static/bower_components \
7.541     newBuild/optimized/static
7.573 rsync -am --include="*.woff" --include="*.eot" --include="*.woff2" --include="*/" \
7.573     --exclude="*" -a newBuild/static/bower_components/octicons/octicons/ \
7.573     newBuild/optimized/static/css
7.602 rsync -am --include="*.woff" --include="*.eot" --include="*.woff2" --include="*/" \
7.602     --exclude="*" -a newBuild/static/bower_components/font-awesome/fonts/ \
7.602     newBuild/optimized/static/fonts
7.649 mkdir -p newBuild/optimized/static
7.650 cp -rf newBuild/static/assets newBuild/optimized/static
7.658 cp -rf newBuild/static/extra/* newBuild/static/js
7.662 #r.js -o newBuild/static/js/build.js optimize=none
7.662 r.js -o newBuild/static/js/build.js
7.751
7.751 Tracing dependencies for: boot
7.984 Error: ENOENT: no such file or directory, open '/srv/betterscan/quantifiedcode/frontend/newBuild/static/js/components/subscription/settings.js'
7.984 In module tree:
7.984     boot
7.984       main
7.984         routes
7.984
7.985 Error: Error: ENOENT: no such file or directory, open '/srv/betterscan/quantifiedcode/frontend/newBuild/static/js/components/subscription/settings.js'
7.985 In module tree:
7.985     boot
7.985       main
7.985         routes
7.985
7.985     at Object.openSync (node:fs:596:3)
7.985
7.988 make: *** [Makefile:47: optimize-rjs] Error 1
------
failed to solve: process "/bin/sh -c sudo -u user make" did not complete successfully: exit code: 2

Steps to reproduce:

On an ARM (MacBook Pro with M3 processor) clone the project and run these commands:

cd docker
docker compose build

Expected outcome:

No errors and an image being built.

Additional information:

Even adding service.server.platform: linux/amd64 to the docker-compose.yml didn't bring other results.

CLI documentation for checkmate tool

I have no idea what commands are available for the checkmate tool, other than what I found in the sh scripts. Where are the commands and arguments documented? checkmate help returns:

Unknown command: help

Checkmate error(?)

Hi there

I was using the cli-html option in a few repositories and it was working without issues, then last night the scan started to show this error:

Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/checkmate-0.2.0-py3.8.egg/checkmate/lib/code/environment.py", line 561, in analyze_file_revision
analyzer_results = analyzer.analyze(file_revision)
File "/usr/local/lib/python3.8/site-packages/checkmate-0.2.0-py3.8.egg/checkmate/contrib/plugins/all/fluidattacksscanner/analyzer.py", line 72, in analyze
next(reader)
StopIteration

And now I'm stuck: if I try to run the scan again it says that it's already created and aborts, but I don't have the HTML report.

Thanks in advance

Error during analysis

On a private git repository, it has access, connects then gives:

dockerhub-server-1 | <blitzdb.backends.sql.queryset.QuerySet object at 0x7f58ae8c73d0>
dockerhub-server-1 | local variable 'branch' referenced before assignment
dockerhub-server-1 | Traceback (most recent call last):
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/backend/api/resource.py", line 129, in handle
dockerhub-server-1 | handler_response = handler(*args, **kwargs)
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/backend/decorators.py", line 381, in decorated_function
dockerhub-server-1 | return f(*args, **kwargs)
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/backend/decorators.py", line 58, in decorated
dockerhub-server-1 | return func(*args, **kwargs)
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/backend/decorators.py", line 124, in decorated_function
dockerhub-server-1 | return f(*args, **kwargs)
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/backend/api/v1/badge.py", line 35, in get
dockerhub-server-1 | snapshot = get_snapshot(project, snapshot_id, raw=False, include=('project',))
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/backend/helpers/snapshot.py", line 31, in get_snapshot
dockerhub-server-1 | snapshot = params['provider'](project, snapshot_id, raw=raw, only=only, include=include)
dockerhub-server-1 | File "/srv/scanmycode/quantifiedcode/plugins/git/backend/providers/snapshot.py", line 64, in resolve
dockerhub-server-1 | snapshot['branch'] = branch
dockerhub-server-1 | UnboundLocalError: local variable 'branch' referenced before assignment

Please consider adopting OpenSSF Scorecard

Hi,

OSV.dev is asking future additions to https://github.com/google/osv.dev?tab=readme-ov-file#third-party-tools-and-integrations to consider adopting OpenSSF Scorecard and as a part of that, we're also making the request of legacy entrants.

We feel it helps boost the security credibility of the projects and products we're linking to.

Here are the results of a one-time run:

RESULTS
-------
Aggregate score: 4.2 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Branch-Protection      | branch protection not enabled  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#branch-protection      |
|         |                        | on development/release         |                                                                                                                       |
|         |                        | branches                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | CI-Tests               | no pull request found          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#ci-tests               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no effort to earn an OpenSSF   | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#cii-best-practices     |
|         |                        | best practices badge detected  |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Code-Review            | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#code-review            |
|         |                        | -- score normalized to 0       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Contributors           | project has 0 contributing     | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#contributors           |
|         |                        | companies or organizations --  |                                                                                                                       |
|         |                        | score normalized to 0          |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow     | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dangerous-workflow     |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected           | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#fuzzing                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License                | license file detected          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#license                |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained             | 30 commit(s) and 19 issue      | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#maintained             |
|         |                        | activity found in the last 90  |                                                                                                                       |
|         |                        | days -- score normalized to 10 |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging              | packaging workflow detected    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Pinned-Dependencies    | dependency not pinned by hash  | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#pinned-dependencies    |
|         |                        | detected -- score normalized   |                                                                                                                       |
|         |                        | to 0                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | SAST                   | no SAST tool detected          | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#sast                   |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Token-Permissions      | detected GitHub workflow       | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#token-permissions      |
|         |                        | tokens with excessive          |                                                                                                                       |
|         |                        | permissions                    |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10  | Vulnerabilities        | 14 existing vulnerabilities    | https://github.com/ossf/scorecard/blob/3155309aa81adf3395f4d62ee133b524ff316da1/docs/checks.md#vulnerabilities        |
|         |                        | detected                       |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|

No space left on device during build

Hello,
as per README instructions, I tried to clone the repo on macOS 13.6.1 and start it, this is the output:

$ ./start.sh
[+] Running 142/4
 ⠼ server 36 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulling                                                             292.4s
 ✔ postgres 14 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulled                                                                                  289.5s
 ⠼ worker_1 82 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulling             292.4s
 ⠼ rabbitmq3 9 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulling                                                                                      292.4s
failed to register layer: write /usr/local/lib/python3.8/site-packages/pylint/test/messages/func_e0204.txt: no space left on device

My docker configuration reserves as much as 64GB of disk space for virtual disks, the host has 38GB free: is that not enough for installation?

Ability to see percentage progress of scan

The web UI on http://localhost:5000 shows "Analysis in progress..." and a spinning symbol. Meanwhile the docker process started with start.sh is emitting hundreds of messages, although they seem to repeat a variation of themselves periodically.
This is a relatively small project although it has node_modules dependencies included in the repository so this may make it seem like more.
The PC running docker has plenty of RAM and cores.
The point is, will it take 10 minutes, 10 hours or 10 days? I have no idea.

Error execution

Hello,

When I run docker-compose up I get this error:

ERROR: yaml.scanner.ScannerError: mapping values are not allowed here in "./docker-compose.yml", line 4, column 31

Best regards and thanks

Experience on M1 Mac

Tried to run scanmycode locally on my M1 Macbook with docker-for-mac and stumbled onto some problems.

  1. Port 5000 is used by the Mac Control Center by default, and changing it to 5001 via the exposed port in docker-compose.yaml is not carried through: every generated link still points to localhost:5000.
  2. There is no pre-built arm64 image, and building it fails. When I change gosec from amd64 to arm64 it builds the images, and I can run the stack. But at runtime some errors about glibc are thrown.

Ability to configure issues at or after run time?

I am testing this against a code base comprising >7k files (Java and JS mainly). The ensemble approach is great, but I have not been able to determine if it is possible to exclude issues from analysis and thereby speed up the overall analysis time.

The UI seems to have this functionality, but 1) the filtering API/current database schema does not seem to support selection or exclusion of e.g. "readability" issues en masse (see my PR for a bug in this feature, btw), and 2) manually deselecting via the on/off switch does not appear to affect scans currently in progress.

Any advice on how I can exclude issues from consideration for a scan, either before or after the scan is started?

How to add my own private/public key to access my private git repo via Betterscan

Currently I have installed betterscan-ce via Docker, but when I try to run a scan on a private Git repo I am not able to connect due to an incorrect SSH key. The tool is expecting us to add the SSH public key that it is sharing into the Git repo, which is not allowed based on our security policies. Following are some questions that I need answers for:

  • I do have both the private and public key to access the code; can these private and public keys be used in the code to access the Git repo, as opposed to what the tool is providing currently?
  • If it is not possible with the current code, please help/suggest where I can make the changes in the code locally to satisfy my requirement.
    Below is the screenshot of the issue for reference.

Thanks
Srikanth

Submodules causing issues

For my project "we" include some submodules with:

git submodule update --init --recursive

When importing the "main" project:

[WARNING / 2022-02-14 13:16:50] Cannot read source file: test/test_helper/bats-assert
[ERROR / 2022-02-14 13:16:50] Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/checkmate-0.2.0-py2.7.egg/checkmate/lib/code/environment.py", line 546, in analyze_file_revision
    analyzer_results = analyzer.analyze(file_revision)
  File "/usr/local/lib/python2.7/site-packages/checkmate-0.2.0-py2.7.egg/checkmate/contrib/plugins/all/semgrep/analyzer.py", line 46, in analyze
    f.write(file_revision.get_file_content())
  File "/usr/local/lib/python2.7/site-packages/checkmate-0.2.0-py2.7.egg/checkmate/lib/models.py", line 155, in get_file_content
    return self._file_content()
  File "/usr/local/lib/python2.7/site-packages/checkmate-0.2.0-py2.7.egg/checkmate/contrib/plugins/git/models.py", line 109, in <lambda>
    file_revision._file_content = lambda commit_sha = commit_sha, file_revision = file_revision: self.repository.get_file_content(commit_sha,file_revision.path)
  File "/usr/local/lib/python2.7/site-packages/checkmate-0.2.0-py2.7.egg/checkmate/contrib/plugins/git/lib/repository.py", line 517, in get_file_content
    raise IOError
IOError

Example:
https://github.com/hestiacp/hestiacp/tree/main/test/test_helper
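The report above fails on a submodule path: git stores a submodule as a mode-160000 "commit" entry (a gitlink), not as a blob, so asking the repository for that path's content has nothing to read. The following is an added illustration, not checkmate's or Betterscan's own code: it parses `git ls-tree -r` output and separates readable files from gitlink entries that a scanner should skip and log instead of raising. The sample tree listing and its SHAs are constructed placeholders.

```python
"""Classify `git ls-tree -r` entries so a scanner skips submodule (gitlink) paths."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample in the format of `git ls-tree -r HEAD`; SHAs are placeholders.
SAMPLE_LS_TREE = """\
100644 blob 0123456789abcdef0123456789abcdef01234567\tREADME.md
100755 blob 89abcdef0123456789abcdef0123456789abcdef\tbin/v-add-user
160000 commit fedcba9876543210fedcba9876543210fedcba98\ttest/test_helper/bats-assert
160000 commit 76543210fedcba9876543210fedcba9876543210\ttest/test_helper/bats-support
100644 blob 456789abcdef0123456789abcdef0123456789ab\ttest/api.bats
"""

GITLINK_MODE = "160000"  # mode git uses for a submodule pointer


@dataclass(frozen=True)
class TreeEntry:
    mode: str
    kind: str  # "blob", "tree", or "commit" (a submodule pointer)
    sha: str
    path: str

    @property
    def is_submodule(self) -> bool:
        return self.mode == GITLINK_MODE and self.kind == "commit"


def parse_ls_tree(text: str) -> list[TreeEntry]:
    """Parse lines of the form '<mode> <type> <sha>\\t<path>'."""
    entries: list[TreeEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, sep, path = line.partition("\t")
        if not sep:
            raise ValueError(f"malformed ls-tree line: {line!r}")
        mode, kind, sha = meta.split()
        entries.append(TreeEntry(mode, kind, sha, path))
    return entries


def split_scannable(entries: Iterable[TreeEntry]) -> tuple[list[str], list[str]]:
    """Return (paths whose content can be read, submodule paths to skip and log)."""
    scannable: list[str] = []
    submodules: list[str] = []
    for entry in entries:
        (submodules if entry.is_submodule else scannable).append(entry.path)
    return scannable, submodules


if __name__ == "__main__":
    files, subs = split_scannable(parse_ls_tree(SAMPLE_LS_TREE))
    for path in subs:
        print(f"[WARNING] skipping submodule (gitlink) entry: {path}")
    print("files to analyze:", files)
```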

LICENSE

Please add the LICENSE on this repository. Thanks :).

CE edition default run requires PRO to view files?

Using this default command to run after installing docker and docker-compose

sh <(curl https://dl.betterscan.io/cli.sh)

Result


                                                                             Scan Report
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━┓
┃ Description                                                                                                        ┃ Severity ┃                  File ┃ Line ┃    ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━┩
│ powershell                                                                                                         │  Warning │ Please upgrade to PRO │    1 │ ❌ │
│ Big_Numbers3                                                                                                       │  Warning │ Please upgrade to PRO │    1 │ ❌ │
│ Big_Numbers1                                                                                                       │  Warning │ Please upgrade to PRO │    1 │ ❌ │
│ Big_Numbers1                                                                                                       │  Warning │ Please upgrade to PRO │    1 │ ❌ │
│ Big_Numbers3                                                                                                       │  Warning │ Please upgrade to PRO │    1 │ ❌ │
│ Big_Numbers1                                                                                                       │  Warning │ Please upgrade to PRO │    1 │ ❌ │
│ Big_Numbers1                                                                                                       │  Warning │ Please upgrade to PRO │    1 │ ❌ │

While the documentation shows this image instead:

Is that normal? Isn't it kinda misleading?

The documentation on the CE sample told us to use that, so as a new user we will try the easiest option first and see what it contains.

Service 'server' failed to build

$ ./start.sh
Building server
Sending build context to Docker daemon  14.85kB
Step 1/30 : FROM python:2.7
 ---> 68e7be49c28c
Step 2/30 : WORKDIR /
 ---> Using cache
 ---> d6858cc88a37
Step 3/30 : RUN mkdir -p /srv
 ---> Using cache
 ---> b70ac21e5cb7
Step 4/30 : RUN git clone https://github.com/marcinguy/scanmycode-ce.git /srv/scanmycode
 ---> Using cache
 ---> d98392912441
Step 5/30 : WORKDIR /srv/scanmycode
 ---> Using cache
 ---> 2e54818b8ffa
Step 6/30 : RUN git pull
 ---> Using cache
 ---> 6619cf1ee554
Step 7/30 : RUN apt update && apt install -y libcurl4-nss-dev libssl-dev tree sudo git ssh rsync npm ruby-sass
 ---> Using cache
 ---> bc668975da08
Step 8/30 : RUN tree
 ---> Using cache
 ---> 6a8da75efb63
Step 9/30 : RUN pip install -r requirements.txt
 ---> Using cache
 ---> b1caa06fb2d0
Step 10/30 : RUN pip install pylint===1.9.2
 ---> Using cache
 ---> cda9ca606748
Step 11/30 : RUN pip install stripe
 ---> Using cache
 ---> fb63ce6873aa
Step 12/30 : RUN git clone https://github.com/marcinguy/checkmate-ce /checkmate
 ---> Using cache
 ---> 7d2b41952c77
Step 13/30 : WORKDIR /checkmate
 ---> Using cache
 ---> fd32c6a1e7b9
Step 14/30 : RUN tree /checkmate
 ---> Using cache
 ---> c4f585f63486
Step 15/30 : RUN python setup.py install
 ---> Using cache
 ---> 91e20749b951
Step 16/30 : RUN ln -s /srv/scanmycode/quantifiedcode/settings/default.yml /srv/scanmycode/settings.yml
 ---> Using cache
 ---> 69a72977d5fe
Step 17/30 : RUN pip install psycopg2 --upgrade
 ---> Using cache
 ---> 488aca4eaeab
Step 18/30 : WORKDIR /srv/scanmycode/quantifiedcode/frontend
 ---> Using cache
 ---> b7783c525c4f
Step 19/30 : RUN npm install -g bower
 ---> Using cache
 ---> bd1aa019f444
Step 20/30 : RUN npm install --save-dev @babel/core @babel/cli
 ---> Running in bc39259dec57
npm WARN npm npm does not support Node.js v10.24.0
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
npm WARN npm You can find the latest version at https://nodejs.org/
npm WARN notice [SECURITY] clean-css has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=clean-css&version=3.2.8 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.npm WARN tar write after end
npm WARN notice [SECURITY] bower has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=bower&version=1.4.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN tar write after end
npm WARN notice [SECURITY] uglify-js has the following vulnerabilities: 2 low. Go here for more details: https://www.npmjs.com/advisories?search=uglify-js&version=2.3.6 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN tar write after end
npm WARN tar write after end
npm WARN tar write after end
npm WARN notice [SECURITY] ua-parser-js has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=ua-parser-js&version=0.7.21 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN tar write after end
npm WARN tar write after end
npm WARN tar write after end
npm WARN notice [SECURITY] trim-newlines has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=trim-newlines&version=1.0.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] decompress-zip has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=decompress-zip&version=0.1.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] bl has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=bl&version=1.2.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN tar write after end
npm WARN tar write after end
npm WARN notice [SECURITY] request has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=request&version=2.53.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] handlebars has the following vulnerabilities: 2 critical, 4 high, 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=handlebars&version=2.0.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] set-value has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=set-value&version=2.0.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] hawk has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=hawk&version=1.1.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] node-fetch has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=node-fetch&version=1.7.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] braces has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=braces&version=1.8.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] tough-cookie has the following vulnerabilities: 1 high, 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=tough-cookie&version=0.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] path-parse has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=path-parse&version=1.0.6 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] minimist has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=minimist&version=0.0.10 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] lodash has the following vulnerabilities: 2 high. Go here for more details: https://www.npmjs.com/advisories?search=lodash&version=4.17.19 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] json-schema has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=json-schema&version=0.2.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] glob-parent has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=glob-parent&version=2.0.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] bl has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=bl&version=0.9.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] lodash has the following vulnerabilities: 4 high, 2 low. Go here for more details: https://www.npmjs.com/advisories?search=lodash&version=2.4.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ini has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=ini&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] cryptiles has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=cryptiles&version=0.2.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] hosted-git-info has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=hosted-git-info&version=2.8.8 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN tar write after end
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=hoek&version=0.9.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] deep-extend has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=deep-extend&version=0.2.11 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] minimist has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=minimist&version=0.0.8 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] hawk has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=hawk&version=2.3.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] tunnel-agent has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=tunnel-agent&version=0.4.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] qs has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=qs&version=2.3.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] semver has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=semver&version=2.3.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] minimatch has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=minimatch&version=2.0.10 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] cryptiles has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=cryptiles&version=2.0.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm ERR! cb() never called!

npm ERR! This is an error with npm itself. Please report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2022-02-07T04_48_57_242Z-debug.log
The command '/bin/sh -c npm install --save-dev @babel/core @babel/cli' returned a non-zero code: 1
ERROR: Service 'server' failed to build : Build failed

Is analyzers\yara\WShell_THOR_Webshells.yar an active exploit?

Windows Defender automatically removes this file after I clone the repo, stating that it's a high risk backdoor exploit. I did not expect files in this repo to have active exploits in them. I was expecting heuristics for finding exploitable code.

The file is: analyzers\yara\WShell_THOR_Webshells.yar

Docker is failing during building

I am using an M1.
=> ERROR [19/75] RUN ./go_installer 0.2s

[19/75] RUN ./go_installer:
#0 0.198 fatal: morestack on g0
#0 0.199 SIGTRAP: trace trap
#0 0.200 PC=0x8092f51 m=4 sigcode=128
#0 0.200
#0 0.200 goroutine 0 [idle]:
#0 0.201 runtime.morestack()
#0 0.201 /usr/local/google/home/cbro/go/src/runtime/asm_386.s:434 +0x21
#0 0.201
#0 0.201 goroutine 19 [syscall]:
#0 0.201 syscall.Syscall(0x3, 0x7, 0x186f0000, 0x8000, 0x0, 0x8000, 0x0)
#0 0.201 /usr/local/google/home/cbro/go/src/syscall/asm_linux_386.s:20 +0x5 fp=0x18621674 sp=0x18621670 pc=0x80aef95
#0 0.202 syscall.read(0x7, 0x186f0000, 0x8000, 0x8000, 0x18621601, 0x0, 0x0)
#0 0.202 /usr/local/google/home/cbro/go/src/syscall/zsyscall_linux_386.go:756 +0x45 fp=0x1862169c sp=0x18621674 pc=0x80ae345
#0 0.202 syscall.Read(0x7, 0x186f0000, 0x8000, 0x8000, 0x80563a8, 0x1, 0x0)

rules documentation

Hi, I am trying to use SAST tools on Java projects, including betterscan-ce. And I want to find out what concrete rules betterscan-ce uses to detect vulnerabilities. So is there some documentation about it like something in SonarQube, like this Java static code analysis?

Thanks a lot if you can point it out.

Mark

Adding custom rules?

Couldn't find any documentation to this effect (PRs welcome?).

How would one add custom semgrep rules?
