Open source software is an integral part of every tech product, and many contributors actively maintain their repositories. However, every coin has two sides: not every OSS repository is maintained properly, so vulnerabilities can creep in over time, and some repositories are created by attackers specifically to trick users into installing them. An OSS inspector is needed to address this problem. SecLyzer is such a tool: it helps judge whether a repository is genuine and performs a security health check on its code.
We have built an application that can:
- Analyze GitHub, PyPI and npm repositories.
- Run a scan from a repository link.
- Rate the repository against the OWASP Top 10 vulnerability categories, plus a few additional checks.
- Display the code snippet for each detected vulnerability.
- Let the user manually mark findings as false positives, or remove them from the detected vulnerabilities, since some findings will inevitably be false positives.
- Analyze the statistics of the repository and of the owner's other repositories to check the repository's genuineness, using parameters such as star count, repository age, time since the last commit and any pending security issues.
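The genuineness check above combines several repository statistics into one verdict. The following is an added example of how such a heuristic can be implemented; it is not SecLyzer's own scoring code. The thresholds, weights and the three sample repositories are assumptions constructed for the example, and the field names mirror what the GitHub, PyPI and npm APIs expose rather than any SecLyzer data model.

```python
"""Repo legitimacy heuristic (illustrative, not SecLyzer's own scoring).

Scores a repository from the kind of metadata the GitHub/PyPI/npm APIs expose:
star count, repository age, time since the last commit and open security
issues. Thresholds and weights below are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RepoStats:
    stars: int
    created_at: datetime          # timezone-aware
    last_commit_at: datetime      # timezone-aware
    open_security_issues: int


def legitimacy_score(stats: RepoStats, now: datetime) -> int:
    """Return a 0-100 score; higher means fewer red flags.

    Each of the four signals contributes up to 25 points.
    """
    age_days = (now - stats.created_at).days
    stale_days = (now - stats.last_commit_at).days

    # Stars in coarse steps: <10 -> 0, <100 -> 10, <1000 -> 20, else 25.
    if stats.stars >= 1000:
        stars_pts = 25
    elif stats.stars >= 100:
        stars_pts = 20
    elif stats.stars >= 10:
        stars_pts = 10
    else:
        stars_pts = 0

    # Age: typosquats and dropper repos are usually only days old.
    if age_days >= 365:
        age_pts = 25
    elif age_days >= 90:
        age_pts = 15
    elif age_days >= 30:
        age_pts = 5
    else:
        age_pts = 0

    # Maintenance: a last commit within 90 days is healthy; >2 years is abandoned.
    # A brand-new repo is trivially "recently committed", so recency only earns
    # points once the repo is at least 30 days old.
    if age_days < 30:
        maint_pts = 0
    elif stale_days <= 90:
        maint_pts = 25
    elif stale_days <= 365:
        maint_pts = 15
    elif stale_days <= 730:
        maint_pts = 5
    else:
        maint_pts = 0

    # Open security issues: each unresolved one costs 10 of the 25 points.
    sec_pts = max(0, 25 - 10 * stats.open_security_issues)

    return stars_pts + age_pts + maint_pts + sec_pts


def verdict(score: int) -> str:
    """Map the score to the coarse label a UI would show."""
    if score >= 70:
        return "likely genuine"
    if score >= 40:
        return "review manually"
    return "suspicious"


# Constructed sample metadata (not real repositories).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MATURE = RepoStats(stars=4200, created_at=NOW - timedelta(days=2000),
                   last_commit_at=NOW - timedelta(days=12), open_security_issues=0)
FRESH_CLONE = RepoStats(stars=3, created_at=NOW - timedelta(days=4),
                        last_commit_at=NOW - timedelta(days=1), open_security_issues=0)
ABANDONED = RepoStats(stars=150, created_at=NOW - timedelta(days=3000),
                      last_commit_at=NOW - timedelta(days=900), open_security_issues=2)

if __name__ == "__main__":
    for name, s in [("mature", MATURE), ("fresh clone", FRESH_CLONE), ("abandoned", ABANDONED)]:
        sc = legitimacy_score(s, NOW)
        print(f"{name:12s} score={sc:3d} -> {verdict(sc)}")
```

The gating of the recency signal on repository age is the part worth copying: a repository pushed yesterday by an attacker would otherwise collect full "actively maintained" points, which is exactly the case the check is meant to catch.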
- HTML/CSS/Bootstrap
- JavaScript
- Python
- Flask
- PostgreSQL
- Semgrep
- gunicorn
Install PostgreSQL and configure SQLALCHEMY_DATABASE_URI in SecLyzer/settings.py.
Format: postgresql://<User>:<Password>@127.0.0.1/<Database_Name>
Do not commit real database credentials in settings.py; load them from the environment or a local, untracked file.
git clone https://github.com/parikshit3000/SecLyzer_is_back.git SecLyzer # Clone into SecLyzer so the next step matches
cd SecLyzer
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python3 global_functions.py initialize-db # Run once to generate database schema
./run.sh
This starts the SecLyzer web application at http://127.0.0.1:9090
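The SQLALCHEMY_DATABASE_URI step above is where credentials most often end up hard-coded and committed. The following is an added example (not SecLyzer's own settings code) of building the URI from environment variables instead. The variable names SECLYZER_DB_USER, SECLYZER_DB_PASSWORD, SECLYZER_DB_HOST and SECLYZER_DB_NAME are assumptions for the example, not names the project uses; the URI format is the one given above.

```python
"""Build SQLALCHEMY_DATABASE_URI from the environment instead of hard-coding
credentials in SecLyzer/settings.py.

Added example; the SECLYZER_DB_* variable names are assumptions, not names
the project uses.
"""
import os
from typing import Mapping, Optional
from urllib.parse import quote_plus


def database_uri(env: Optional[Mapping[str, str]] = None) -> str:
    """Return postgresql://<User>:<Password>@<Host>/<Database_Name>.

    User and password are percent-encoded, so characters such as '@', '/',
    ':' or '#' in a password cannot break the URI or be parsed as the host
    part (SQLAlchemy requires URL-encoding of such characters). A missing
    user, password or database name raises KeyError rather than silently
    falling back to a default credential.
    """
    if env is None:
        env = os.environ
    user = quote_plus(env["SECLYZER_DB_USER"])
    password = quote_plus(env["SECLYZER_DB_PASSWORD"])
    host = env.get("SECLYZER_DB_HOST", "127.0.0.1")
    name = env["SECLYZER_DB_NAME"]
    return f"postgresql://{user}:{password}@{host}/{name}"


# In settings.py this single line would replace the hard-coded URI:
# SQLALCHEMY_DATABASE_URI = database_uri()

if __name__ == "__main__":
    # Constructed environment with an awkward password; not real credentials.
    demo_env = {"SECLYZER_DB_USER": "seclyzer",
                "SECLYZER_DB_PASSWORD": "p@ss/w:rd#1",
                "SECLYZER_DB_NAME": "seclyzer"}
    print(database_uri(demo_env))
```

Export the variables in the shell (or a systemd/Gunicorn environment file) before ./run.sh; the fail-closed KeyError makes a misconfigured deployment stop at startup instead of connecting with a guessable default.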
- Suggest fixes for removing the detected vulnerabilities from the code.
- Expand the database of patterns used for Semgrep analysis.
- Improve pattern quality to reduce false positives and catch corner cases.
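Both the false-positive handling in the feature list and the false-positive reduction planned above rest on the same plumbing: consuming Semgrep's JSON output, showing the flagged snippet, and remembering which findings a user has dismissed. The following is an added example of that plumbing, not SecLyzer's code. The JSON shape follows what `semgrep --json` emits (results[].check_id, path, start.line, extra.message, extra.severity, extra.lines, extra.metadata); the rule ids, file paths, snippets and the severity-weighted rating formula are constructed for the example and are not real scan results or the project's rating scheme.

```python
"""Triage Semgrep JSON output with a false-positive suppression list.

Added example, not SecLyzer's code. The JSON shape mirrors `semgrep --json`
output; the sample content and the rating formula are constructed for the
example.
"""
import json
from typing import Iterable

# Constructed sample of what `semgrep --json` might return for a small Flask
# project. Not a real scan result.
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "python.flask.security.injection.tainted-sql-string",
         "path": "app/views.py", "start": {"line": 42}, "end": {"line": 42},
         "extra": {"severity": "ERROR",
                   "message": "User input flows into a SQL string",
                   "lines": "cur.execute(\"SELECT * FROM users WHERE name='\" + name + \"'\")",
                   "metadata": {"owasp": ["A03:2021 - Injection"]}}},
        {"check_id": "python.flask.security.audit.debug-enabled",
         "path": "app/__init__.py", "start": {"line": 9}, "end": {"line": 9},
         "extra": {"severity": "WARNING",
                   "message": "Flask debug mode enabled",
                   "lines": "app.run(debug=True)",
                   "metadata": {"owasp": ["A05:2021 - Security Misconfiguration"]}}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "tests/helpers.py", "start": {"line": 17}, "end": {"line": 17},
         "extra": {"severity": "WARNING",
                   "message": "subprocess with shell=True",
                   "lines": "subprocess.run(\"ls tmp\", shell=True)",
                   "metadata": {"owasp": ["A03:2021 - Injection"]}}},
    ],
    "errors": [],
})

SEVERITY_WEIGHT = {"ERROR": 10, "WARNING": 4, "INFO": 1}  # assumed weights


def finding_key(result: dict) -> str:
    """Stable id for a finding so a manual 'false positive' mark survives rescans.

    Uses path + rule + the flagged source text, not the line number, which
    shifts whenever unrelated code above the finding is edited.
    """
    return f"{result['path']}|{result['check_id']}|{result['extra']['lines'].strip()}"


def triage(semgrep_json: str, suppressed: Iterable[str]) -> dict:
    """Drop findings the user marked as false positives and rate the rest.

    Returns {"findings": [...], "score": 0-100, "suppressed": n}. The score
    starts at 100 and loses SEVERITY_WEIGHT per open finding, clamped at 0.
    """
    suppressed = set(suppressed)
    data = json.loads(semgrep_json)
    kept, dropped = [], 0
    for r in data["results"]:
        if finding_key(r) in suppressed:
            dropped += 1
            continue
        kept.append({
            "rule": r["check_id"],
            "owasp": r["extra"].get("metadata", {}).get("owasp", []),
            "severity": r["extra"]["severity"],
            "location": f"{r['path']}:{r['start']['line']}",
            "snippet": r["extra"]["lines"],
            "message": r["extra"]["message"],
        })
    penalty = sum(SEVERITY_WEIGHT.get(f["severity"], 1) for f in kept)
    return {"findings": kept, "score": max(0, 100 - penalty), "suppressed": dropped}


if __name__ == "__main__":
    # The user reviewed the shell=True hit in tests/helpers.py (constant command,
    # no user input) and marked it as a false positive.
    marked_fp = {"tests/helpers.py|python.lang.security.audit.subprocess-shell-true|"
                 "subprocess.run(\"ls tmp\", shell=True)"}
    report = triage(SAMPLE_SEMGREP_JSON, marked_fp)
    print(f"score={report['score']} open={len(report['findings'])} suppressed={report['suppressed']}")
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['location']} {f['rule']}\n    {f['snippet']}")
```

Keying suppressions on the snippet text rather than the line number is the detail that matters for a stored false-positive list: a dismissed finding stays dismissed across rescans, while a genuinely new hit from the same rule in the same file still surfaces.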
Team Name: Code Smashers