Develop

Makefile

@@ -31,7 +31,7 @@ coverage-horusec-analytic:
 	deployments/scripts/coverage.sh 98 "./horusec-analytic"
 coverage-horusec-auth:
 	chmod +x deployments/scripts/coverage.sh
-	deployments/scripts/coverage.sh 97 "./horusec-auth"
+	deployments/scripts/coverage.sh 96 "./horusec-auth"
 coverage-horusec-webhook:
 	chmod +x deployments/scripts/coverage.sh
 	deployments/scripts/coverage.sh 99 "./horusec-webhook"

README.md

@@ -62,8 +62,10 @@ Currently, performance analysis consists of:
     * [GitLeaks][Gitleaks]
 * PHP
     * [Semgrep][Semgrep]
-* C
+    * [PHPCS][PHPCS]
+* C/C++
     * [Semgrep][Semgrep]
+    * [Flawfinder][Flawfinder]
 * HTML
     * [Semgrep][Semgrep]
 * JSON
@@ -185,3 +187,5 @@ This project exists thanks to all the [contributors]((https://github.com/ZupIT/h
 [SecuriyCodeScan]: https://security-code-scan.github.io/
 [Semgrep]: https://github.com/returntocorp/semgrep
 [EsLint]: https://github.com/eslint/eslint
+[Flawfinder]: https://github.com/david-a-wheeler/flawfinder
+[PHPCS]: https://github.com/FloeDesignTechnologies/phpcs-security-audit

deployments/dockerfiles/flawfinder/.semver.yaml

@@ -0,0 +1,4 @@
+alpha: 0
+beta: 0
+rc: 0
+release: v1.0.0

deployments/dockerfiles/flawfinder/Dockerfile

@@ -0,0 +1,18 @@
+# Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM python:3.7-alpine
+
+RUN apk add --no-cache git bash
+RUN pip install flawfinder

deployments/dockerfiles/phpcs/.semver.yaml

@@ -0,0 +1,4 @@
+alpha: 0
+beta: 0
+rc: 0
+release: v1.0.0

deployments/dockerfiles/phpcs/Dockerfile

@@ -0,0 +1,25 @@
+# Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM php:7.4-alpine
+
+RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+
+RUN composer global config bin-dir /usr/local/bin
+
+RUN composer global require "squizlabs/php_codesniffer=*"
+
+RUN composer require --dev pheromone/phpcs-security-audit
+
+RUN phpcs --config-set installed_paths /vendor/pheromone/phpcs-security-audit/Security

deployments/scripts/update-image-tool.sh

@@ -101,6 +101,14 @@ getDirectoryAndImageNameByToolName () {
             IMAGE_NAME="horuszup/eslint"
             DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/javascript/eslint/config.go"
             DIRECTORY_SEMVER="$CURRENT_FOLDER/deployments/dockerfiles/eslint";;
+        "phpcs")
+            IMAGE_NAME="horuszup/horusec-phpcs"
+            DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/php/phpcs/config.go"
+            DIRECTORY_SEMVER="$CURRENT_FOLDER/deployments/dockerfiles/phpcs";;
+        "flawfinder")
+            IMAGE_NAME="horuszup/horusec-flawfinder"
+            DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/c/flawfinder/config.go"
+            DIRECTORY_SEMVER="$CURRENT_FOLDER/deployments/dockerfiles/flawfinder";;
         "horusec-nodejs")
             IMAGE_NAME="horuszup/horusec-nodejs"
             DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/javascript/horusecnodejs/config.go"
@@ -111,7 +119,7 @@ getDirectoryAndImageNameByToolName () {
             DIRECTORY_SEMVER="$CURRENT_FOLDER/horusec-kubernetes";;
         *)
             echo "Param Tool Name is invalid, please use the examples bellow allowed and try again!"
-            echo "Params Tool Name allowed: bandit, brakeman, gitleaks, gosec, npmaudit, safety, securitycodescan, hcl, spotbugs, horusec-kotlin, horusec-java, horusec-leaks, horusec-csharp, horusec-nodejs, horusec-kubernetes"
+            echo "Params Tool Name allowed: bandit, brakeman, gitleaks, gosec, npmaudit, safety, securitycodescan, hcl, spotbugs, horusec-kotlin, horusec-java, horusec-leaks, horusec-csharp, horusec-nodejs, horusec-kubernetes, phpcs, flawfinder"
             exit 1;;
     esac
 }

development-kit/pkg/databases/relational/repository/account/account.go

@@ -25,6 +25,7 @@ type IAccount interface {
 	GetByAccountID(accountID uuid.UUID) (*authEntities.Account, error)
 	GetByEmail(email string) (*authEntities.Account, error)
 	Update(account *authEntities.Account) error
+	UpdatePassword(account *authEntities.Account) error
 	GetByUsername(username string) (*authEntities.Account, error)
 	DeleteAccount(accountID uuid.UUID) error
 }
@@ -61,7 +62,13 @@ func (a *Account) GetByEmail(email string) (*authEntities.Account, error) {
 
 func (a *Account) Update(account *authEntities.Account) error {
 	account.SetUpdatedAt()
-	return a.databaseWrite.Update(account.ToMap(), map[string]interface{}{"account_id": account.AccountID},
+	return a.databaseWrite.Update(account.ToUpdateMap(), map[string]interface{}{"account_id": account.AccountID},
+		account.GetTable()).GetError()
+}
+
+func (a *Account) UpdatePassword(account *authEntities.Account) error {
+	account.SetUpdatedAt()
+	return a.databaseWrite.Update(account.ToUpdatePasswordMap(), map[string]interface{}{"account_id": account.AccountID},
 		account.GetTable()).GetError()
 }
 

development-kit/pkg/engines/leaks/analysis/analysis_test.go

@@ -41,7 +41,7 @@ func TestAnalysis_StartAnalysis(t *testing.T) {
 		data := []engine.Finding{}
 		_ = json.Unmarshal(fileBytes, &data)
 		assert.NoError(t, os.RemoveAll(configs.GetOutputFilePath()))
-		assert.Equal(t, len(data), 17)
+		assert.Equal(t, len(data), 19)
 	})
 	t.Run("Should return success when read analysis and return two vulnerabilities", func(t *testing.T) {
 		configs := config.NewConfig()
@@ -117,6 +117,6 @@ func TestAnalysis_StartRegularAnalysis(t *testing.T) {
 				vulnCounter++
 			}
 		}
-		assert.Equal(t, vulnCounter, 10)
+		assert.Equal(t, 12, vulnCounter)
 	})
 }

development-kit/pkg/entities/analyser/c/result.go

@@ -0,0 +1,54 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package c
+
+import (
+	"fmt"
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
+	"strconv"
+	"strings"
+)
+
+type Result struct {
+	File       string `json:"file"`
+	Line       string `json:"line"`
+	Column     string `json:"column"`
+	Level      string `json:"level"`
+	Warning    string `json:"warning"`
+	Suggestion string `json:"suggestion"`
+	Note       string `json:"note"`
+	Context    string `json:"context"`
+}
+
+func (r *Result) GetDetails() string {
+	return fmt.Sprintf("%s %s %s", r.Warning, r.Suggestion, r.Note)
+}
+
+func (r *Result) GetSeverity() severity.Severity {
+	level, _ := strconv.Atoi(r.Level)
+	if level <= 2 {
+		return severity.Low
+	}
+
+	if level >= 3 && level <= 4 {
+		return severity.Medium
+	}
+
+	return severity.High
+}
+
+func (r *Result) GetFilename() string {
+	return strings.ReplaceAll(r.File, "./", "")
+}

development-kit/pkg/entities/analyser/c/result_test.go

@@ -0,0 +1,82 @@
+package c
+
+import (
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetDetails(t *testing.T) {
+	result := &Result{
+		Warning:    "test",
+		Suggestion: "test",
+		Note:       "test",
+	}
+
+	t.Run("should success get details", func(t *testing.T) {
+		details := result.GetDetails()
+
+		assert.NotEmpty(t, details)
+		assert.Equal(t, "test test test", details)
+	})
+
+}
+
+func TestGetSeverity(t *testing.T) {
+	result := &Result{
+		Level: "0",
+	}
+
+	t.Run("should get severity low", func(t *testing.T) {
+		assert.Equal(t, severity.Low, result.GetSeverity())
+
+		result.Level = "1"
+		assert.Equal(t, severity.Low, result.GetSeverity())
+
+		result.Level = "2"
+		assert.Equal(t, severity.Low, result.GetSeverity())
+	})
+
+	t.Run("should get severity medium", func(t *testing.T) {
+		result.Level = "3"
+		assert.Equal(t, severity.Medium, result.GetSeverity())
+
+		result.Level = "4"
+		assert.Equal(t, severity.Medium, result.GetSeverity())
+
+		result.Level = "2"
+		assert.NotEqual(t, severity.Medium, result.GetSeverity())
+
+		result.Level = "5"
+		assert.NotEqual(t, severity.Medium, result.GetSeverity())
+	})
+
+	t.Run("should get severity high", func(t *testing.T) {
+		result.Level = "5"
+		assert.Equal(t, severity.High, result.GetSeverity())
+
+		result.Level = "6"
+		assert.Equal(t, severity.High, result.GetSeverity())
+
+		result.Level = "1"
+		assert.NotEqual(t, severity.High, result.GetSeverity())
+
+		result.Level = "4"
+		assert.NotEqual(t, severity.High, result.GetSeverity())
+	})
+}
+
+func TestGetFilename(t *testing.T) {
+	result := &Result{
+		File: "./test.c",
+	}
+
+	t.Run("should success get filename", func(t *testing.T) {
+		filename := result.GetFilename()
+
+		assert.NotEmpty(t, filename)
+		assert.NotContains(t, filename, "./")
+		assert.Equal(t, "test.c", filename)
+	})
+
+}

development-kit/pkg/entities/analyser/php/phpcs/message.go

@@ -0,0 +1,26 @@
+package phpcs
+
+import (
+	"strconv"
+	"strings"
+)
+
+type Message struct {
+	Message string `json:"message"`
+	Line    int    `json:"line"`
+	Column  int    `json:"column"`
+	Type    string `json:"type"`
+}
+
+func (m *Message) GetLine() string {
+	return strconv.Itoa(m.Line)
+}
+
+func (m *Message) GetColumn() string {
+	return strconv.Itoa(m.Column)
+}
+
+func (m *Message) IsValidMessage() bool {
+	return m.Type == "ERROR" &&
+		!strings.Contains(m.Message, "This implies that some PHP code is not scanned by PHPCS")
+}

development-kit/pkg/entities/analyser/php/phpcs/message_test.go

@@ -0,0 +1,52 @@
+package phpcs
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetLine(t *testing.T) {
+	message := &Message{
+		Line: 1,
+	}
+
+	t.Run("should success get line", func(t *testing.T) {
+		line := message.GetLine()
+
+		assert.NotEmpty(t, line)
+		assert.Equal(t, "1", line)
+	})
+}
+
+func TestGetColumn(t *testing.T) {
+	message := &Message{
+		Column: 1,
+	}
+
+	t.Run("should success get column", func(t *testing.T) {
+		column := message.GetColumn()
+
+		assert.NotEmpty(t, column)
+		assert.Equal(t, "1", column)
+	})
+}
+
+func TestIsValidMessage(t *testing.T) {
+	t.Run("should return false if invalid message", func(t *testing.T) {
+		message := &Message{
+			Message: "This implies that some PHP code is not scanned by PHPCS",
+			Type:    "ERROR",
+		}
+
+		assert.False(t, message.IsValidMessage())
+	})
+
+	t.Run("should return true if valid message", func(t *testing.T) {
+		message := &Message{
+			Message: "",
+			Type:    "ERROR",
+		}
+
+		assert.True(t, message.IsValidMessage())
+	})
+}

development-kit/pkg/entities/analyser/php/phpcs/result.go

@@ -0,0 +1,5 @@
+package phpcs
+
+type Result struct {
+	Messages []Message `json:"messages"`
+}

development-kit/pkg/entities/auth/account.go

@@ -118,6 +118,21 @@ func (a *Account) ToMap() map[string]interface{} {
 	}
 }
 
+func (a *Account) ToUpdateMap() map[string]interface{} {
+	return map[string]interface{}{
+		"email":        a.Email,
+		"username":     a.Username,
+		"updated_at":   a.UpdatedAt,
+		"is_confirmed": a.IsConfirmed,
+	}
+}
+
+func (a *Account) ToUpdatePasswordMap() map[string]interface{} {
+	return map[string]interface{}{
+		"password": a.Password,
+	}
+}
+
 func (a *Account) IsNotApplicationAdminAccount() bool {
 	return !a.IsApplicationAdmin
 }