Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/phpcs #177

Merged
merged 16 commits into from
Dec 7, 2020
Merged
Show file tree
Hide file tree
Changes from 15 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ Currently, performance analysis consists of:
* [GitLeaks][Gitleaks]
* PHP
* [Semgrep][Semgrep]
* [PHPCS][PHPCS]
* C/C++
* [Semgrep][Semgrep]
* [Flawfinder][Flawfinder]
Expand Down Expand Up @@ -187,3 +188,5 @@ This project exists thanks to all the [contributors]((https://github.com/ZupIT/h
[Semgrep]: https://github.com/returntocorp/semgrep
[EsLint]: https://github.com/eslint/eslint
[Flawfinder]: https://github.com/david-a-wheeler/flawfinder
[Flawfinder]: https://github.com/david-a-wheeler/flawfinder
[PHPCS]: https://github.com/FloeDesignTechnologies/phpcs-security-audit
wiliansilvazup marked this conversation as resolved.
Show resolved Hide resolved
4 changes: 4 additions & 0 deletions deployments/dockerfiles/phpcs/.semver.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
alpha: 0
beta: 0
rc: 0
release: v0.0.1
25 changes: 25 additions & 0 deletions deployments/dockerfiles/phpcs/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

FROM php:7.4-alpine

RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer

RUN composer global config bin-dir /usr/local/bin

RUN composer global require "squizlabs/php_codesniffer=*"

RUN composer require --dev pheromone/phpcs-security-audit

RUN phpcs --config-set installed_paths /vendor/pheromone/phpcs-security-audit/Security
82 changes: 82 additions & 0 deletions development-kit/pkg/entities/analyser/c/result_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
package c

import (
"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
"github.com/stretchr/testify/assert"
"testing"
)

func TestGetDetails(t *testing.T) {
result := &Result{
Warning: "test",
Suggestion: "test",
Note: "test",
}

t.Run("should success get details", func(t *testing.T) {
details := result.GetDetails()

assert.NotEmpty(t, details)
assert.Equal(t, "test test test", details)
})

}

func TestGetSeverity(t *testing.T) {
result := &Result{
Level: "0",
}

t.Run("should get severity low", func(t *testing.T) {
assert.Equal(t, severity.Low, result.GetSeverity())

result.Level = "1"
assert.Equal(t, severity.Low, result.GetSeverity())

result.Level = "2"
assert.Equal(t, severity.Low, result.GetSeverity())
})

t.Run("should get severity medium", func(t *testing.T) {
result.Level = "3"
assert.Equal(t, severity.Medium, result.GetSeverity())

result.Level = "4"
assert.Equal(t, severity.Medium, result.GetSeverity())

result.Level = "2"
assert.NotEqual(t, severity.Medium, result.GetSeverity())

result.Level = "5"
assert.NotEqual(t, severity.Medium, result.GetSeverity())
})

t.Run("should get severity high", func(t *testing.T) {
result.Level = "5"
assert.Equal(t, severity.High, result.GetSeverity())

result.Level = "6"
assert.Equal(t, severity.High, result.GetSeverity())

result.Level = "1"
assert.NotEqual(t, severity.High, result.GetSeverity())

result.Level = "4"
assert.NotEqual(t, severity.High, result.GetSeverity())
})
}

func TestGetFilename(t *testing.T) {
result := &Result{
File: "./test.c",
}

t.Run("should success get filename", func(t *testing.T) {
filename := result.GetFilename()

assert.NotEmpty(t, filename)
assert.NotContains(t, filename, "./")
assert.Equal(t, "test.c", filename)
})

}
26 changes: 26 additions & 0 deletions development-kit/pkg/entities/analyser/php/phpcs/message.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
package phpcs

import (
"strconv"
"strings"
)

type Message struct {
Message string `json:"message"`
Line int `json:"line"`
Column int `json:"column"`
Type string `json:"type"`
}

func (m *Message) GetLine() string {
return strconv.Itoa(m.Line)
}

func (m *Message) GetColumn() string {
return strconv.Itoa(m.Column)
}

func (m *Message) IsValidMessage() bool {
return m.Type == "ERROR" &&
!strings.Contains(m.Message, "This implies that some PHP code is not scanned by PHPCS")
}
52 changes: 52 additions & 0 deletions development-kit/pkg/entities/analyser/php/phpcs/message_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
package phpcs

import (
"github.com/stretchr/testify/assert"
"testing"
)

func TestGetLine(t *testing.T) {
message := &Message{
Line: 1,
}

t.Run("should success get line", func(t *testing.T) {
line := message.GetLine()

assert.NotEmpty(t, line)
assert.Equal(t, "1", line)
})
}

func TestGetColumn(t *testing.T) {
message := &Message{
Column: 1,
}

t.Run("should success get column", func(t *testing.T) {
column := message.GetColumn()

assert.NotEmpty(t, column)
assert.Equal(t, "1", column)
})
}

func TestIsValidMessage(t *testing.T) {
t.Run("should return false if invalid message", func(t *testing.T) {
message := &Message{
Message: "This implies that some PHP code is not scanned by PHPCS",
Type: "ERROR",
}

assert.False(t, message.IsValidMessage())
})

t.Run("should return true if valid message", func(t *testing.T) {
message := &Message{
Message: "",
Type: "ERROR",
}

assert.True(t, message.IsValidMessage())
})
}
5 changes: 5 additions & 0 deletions development-kit/pkg/entities/analyser/php/phpcs/result.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
package phpcs

type Result struct {
Messages []Message `json:"messages"`
}
3 changes: 3 additions & 0 deletions development-kit/pkg/enums/languages/languages.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ func ParseStringToLanguage(value string) (l Language) {
return Unknown
}

//nolint
func SupportedLanguages() []Language {
return []Language{
Go,
Expand All @@ -60,6 +61,7 @@ func SupportedLanguages() []Language {
Generic,
Yaml,
C,
PHP,
Unknown,
}
}
Expand All @@ -78,6 +80,7 @@ func (l Language) MapEnableLanguages() map[string]Language {
Generic.ToString(): Generic,
Yaml.ToString(): Yaml,
C.ToString(): C,
PHP.ToString(): PHP,
}
}

Expand Down
4 changes: 2 additions & 2 deletions development-kit/pkg/enums/languages/languages_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ func TestToString(t *testing.T) {

func TestMapEnableLanguages(t *testing.T) {
t.Run("should map enable languages", func(t *testing.T) {
assert.Len(t, CSharp.MapEnableLanguages(), 12)
assert.Len(t, CSharp.MapEnableLanguages(), 13)
})
}

Expand All @@ -43,6 +43,6 @@ func TestParseStringToLanguage(t *testing.T) {

func TestSupportedLanguages(t *testing.T) {
t.Run("should return supported languages", func(t *testing.T) {
assert.Len(t, SupportedLanguages(), 13)
assert.Len(t, SupportedLanguages(), 14)
})
}
1 change: 1 addition & 0 deletions development-kit/pkg/enums/tools/tools.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ const (
Eslint Tool = "Eslint"
HorusecNodejs Tool = "HorusecNodeJS"
Flawfinder Tool = "Flawfinder"
PhpCS Tool = "PhpCS"
)

func (t Tool) ToString() string {
Expand Down
2 changes: 1 addition & 1 deletion development-kit/pkg/usecases/analysis/analysis.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import (
"time"

apiEntities "github.com/ZupIT/horusec/development-kit/pkg/entities/api"

horusecEntities "github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
EnumErrors "github.com/ZupIT/horusec/development-kit/pkg/enums/errors"
"github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
Expand Down Expand Up @@ -181,6 +180,7 @@ func (au *UseCases) sliceTools() []interface{} {
tools.Eslint,
tools.HorusecKubernetes,
tools.Flawfinder,
tools.PhpCS,
}
}

Expand Down
10 changes: 9 additions & 1 deletion horusec-cli/internal/controllers/analyser/analyser.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ package analyser

import (
"fmt"
"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/c/flawfinder"
"log"
"os"
"os/signal"
Expand All @@ -25,6 +24,9 @@ import (
"strings"
"time"

"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/c/flawfinder"
"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/php/phpcs"

"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/csharp/horuseccsharp"
"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/javascript/horusecnodejs"
"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/yaml/horuseckubernetes"
Expand Down Expand Up @@ -191,6 +193,7 @@ func (a *Analyser) mapDetectVulnerabilityByLanguage() map[languages.Language]fun
languages.Generic: a.detectVulnerabilityGeneric,
languages.Yaml: a.detectVulnerabilityYaml,
languages.C: a.detectVulnerabilityC,
languages.PHP: a.detectVulnerabilityPHP,
}
}

Expand Down Expand Up @@ -260,6 +263,11 @@ func (a *Analyser) detectVulnerabilityC(projectSubPath string) {
go flawfinder.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
}

func (a *Analyser) detectVulnerabilityPHP(projectSubPath string) {
a.monitor.AddProcess(1)
go phpcs.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
}

func (a *Analyser) detectVulnerabilityGeneric(projectSubPath string) {
a.monitor.AddProcess(1)
go semgrep.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
Expand Down
26 changes: 26 additions & 0 deletions horusec-cli/internal/services/formatters/php/phpcs/config.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package phpcs

const (
ImageName = "horuszup/horusec-phpcs"
ImageTag = "v0.0.1"
// nolint
ImageCmd = `
phpcs --report=json --standard=/vendor/pheromone/phpcs-security-audit/example_drupal7_ruleset.xml . > /tmp/result-ANALYSISID.json
cat /tmp/result-ANALYSISID.json
chmod -R 777 .
`
)
Loading