IFA Server Documentation

Contained in the readme that ships with the IFA Server.

IFA Server SSL configuration

The IFA Server uses an IBM Liberty back end. To configure Liberty for proper SSL use, see the IBM Liberty SSL Configuration documentation.

ifa-client

Client REST tool for Intelligent Finding Analytics (IFA) Server

Simple REST wrapper which simplifies the workflow for submitting an assessment for processing.

Main operations:

  1. IFA
  2. Fix grouping
  3. Delta analysis

Secondary operations:

  1. Health check
  2. Version
  3. Usage statement

Prerequisites

  • Java 1.8
  • Gradle 2.2.1+

Building

Run gradle in the java directory to build the jar:

cd java
gradle

Produces a jar in build/libs.

Usage

Run the jar to print out usage: java -jar ifa-client.jar

java -jar build/libs/ifa-client.jar 
Please enter an argument for the file or directory you wish to send to the IFA server

usage: java -jar ifa-client.jar [-c] [-g <Assessment File> | -i <Assessment
       File> | -n <Baseline Assessment> <New Assessment> | -r <Baseline Assessment>
       <New Assessment>] [-h <HOST>]    [-s] [-t <DIR>] [-v]
  -c,--heath-check                                              Performs a
                                                                health check of the host
  -g,--get-groups <Assessment File>                             Compare the
                                                                assessment(s) for -a with this baseline
  -h,--host <HOST>                                              Specify the
                                                                server host. Requires the protocol, host and port number to be specified - eg
                                                                http://server_1:9080 Default value: http://localhost:9080
  -i,--run-ifa <Assessment File>                                Apply IFA filtering to specified assessment.
  -n,--new-delta <Baseline Assessment> <New Assessment>         Delta new findings. Supply the baseline assessment.
  -r,--resolved-delta <Baseline Assessment> <New Assessment>    Delta resolved
                                                                findings. Supply the baseline assessment.
  -s,--accept-self-signed                                       Accept invalid
                                                                and self signed certificates.
  -t,--target-dir <DIR>                                         Specify the
                                                                target directory to place the IFA file. This option should be used to place the
                                                                results into a fresh directory. Files of the same name will be overwritten.
  -v,--version                                                  Prints the
                                                                version of the supplied host.
  -z,--remove-empty-delta                                       Remove delta
                                                                results with 0 findings

IFA

To run IFA on an assessment use java -jar ifa-client.jar -i <assessment file>

Saves the new assessment with the suffix _IFA.ozasmt (in the example below, webgoat.ozasmt produces ./WebGoat-Legacy-archive_5_4_IFA.ozasmt); use -t to choose the output directory.

Example:

java -jar ifa-client.jar -i webgoat.ozasmt 
Processing: webgoat.ozasmt
Job submitted. ID: 6b61564a-129c-40c7-a7f4-8e858b657eb6
Processing webgoat.ozasmt for IFA - Completed.:100%
Verifying returned payload
Completed processing Processing webgoat.ozasmt for IFA
Job completed. URL: http://localhost:9080/rest/ifa/v1/triaged-assessments/6b61564a-129c-40c7-a7f4-8e858b657eb6


Time taken to apply IFA: 00:06.619
Details for WebGoat-Legacy-archive_5_4:
	Total Findings: 136
	High: 42
	Medium: 8
	Low: 86
	Info: 0
	Excluded: 1,460
IFA assessment path:./WebGoat-Legacy-archive_5_4_IFA.ozasmt

Fix grouping

To run fix grouping on an assessment use java -jar ifa-client.jar -g <assessment file>

Example:

java -jar ifa-client.jar -g WebGoat-Legacy-archive_5_4_IFA.ozasmt
Processing: WebGoat-Legacy-archive_5_4_IFA.ozasmt
Job submitted. ID: 3267bd00-d4cd-4921-b96a-89495b5a24d0
Processing WebGoat-Legacy-archive_5_4_IFA.ozasmt for solution groups - Completed.:100%
Verifying returned payload
Completed processing Processing WebGoat-Legacy-archive_5_4_IFA.ozasmt for solution groups
Job completed. URL: http://localhost:9080/rest/ifa/v1/fix-group-assessments/3267bd00-d4cd-4921-b96a-89495b5a24d0

Fix Groups: 25
Time taken to determine solution groups: 00:01.482

Delta analysis

  1. New findings: run java -jar ifa-client.jar -n <baseline assessment file> <new assessment file>
  2. Resolved findings: run java -jar ifa-client.jar -r <baseline assessment file> <new assessment file>

Using the -z option in conjunction with either -n or -r deletes the returned assessment from the file system if it contains 0 findings after the delta operation.

Example:

java -jar ifa-client.jar -r webgoat.ozasmt WebGoat-Legacy-archive_5_4_IFA.ozasmt
Processing: webgoat.ozasmt
Processing: WebGoat-Legacy-archive_5_4_IFA.ozasmt
Job submitted. ID: 6a852b90-f427-46c1-9e67-30d0f7af1058
Processing diff against webgoat.ozasmt - Completed.:100%
Verifying returned payload
Completed processing Processing diff against webgoat.ozasmt
Job completed. URL: http://localhost:9080/rest/ifa/v1/delta-assessments/6a852b90-f427-46c1-9e67-30d0f7af1058

Diff Results:
Original: WebGoat-Legacy-archive_5_4_IFA.ozasmt
Details for WebGoat-Legacy-archive_5_4:
	Total Findings: 136
	High: 42
	Medium: 8
	Low: 86
	Info: 0
	Excluded: 1,460
Baseline: webgoat.ozasmt
Details for WebGoat-Legacy-archive_5_4:
	Total Findings: 1,410
	High: 156
	Medium: 149
	Low: 1,105
	Info: 0
	Excluded: 0
Resolved: ./WebGoat-Legacy-archive_5_4_resolved.ozasmt
Details for WebGoat-Legacy-archive_5_4:
	Total Findings: 1,460
	High: 118
	Medium: 139
	Low: 1,203
	Info: 0
	Excluded: 0
Time taken to determine diff: 00:02.051
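The console output shown in the IFA, fix grouping and delta sections above is all a CI job has to work with. The script below is an added example, not part of ifa-client or the IFA Server: it parses the "Details for <name>:" count blocks (including the thousands separators the client prints, such as "1,460"), the Original/Baseline/Resolved labels of a delta run, the "Fix Groups:" line and the job ID, then gates on them the way a pipeline would (fail on High findings, or detect the 0-finding delta that -z would delete). The sample text is copied and abridged from the README's own -i and -r runs; the gate threshold, the function names and the assumption that a -n run labels its result the same way are this example's own.

```python
"""Parse ifa-client console output and gate a build on it (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DETAILS_RE = re.compile(r"^Details for (?P<name>.+):$")
COUNT_RE = re.compile(r"^\s+(?P<key>Total Findings|High|Medium|Low|Info|Excluded):\s*(?P<value>[\d,]+)\s*$")
# Labels the delta report puts in front of a Details block. The README shows
# Original / Baseline / Resolved; the -n (new findings) report is not shown there.
LABEL_RE = re.compile(r"^(?P<label>Original|Baseline|Resolved):\s*(?P<path>\S+)$")
FIX_GROUPS_RE = re.compile(r"^Fix Groups:\s*(?P<n>\d+)\s*$")
JOB_ID_RE = re.compile(r"^Job submitted\. ID:\s*(?P<id>[0-9a-f-]{36})\s*$")


@dataclass
class Summary:
    name: str                              # project name from "Details for <name>:"
    label: Optional[str] = None            # Original / Baseline / Resolved, if any
    path: Optional[str] = None
    counts: Dict[str, int] = field(default_factory=dict)


def parse_report(text: str) -> Tuple[List[Summary], Optional[int], List[str]]:
    """Return (summaries, fix_groups, job_ids) parsed from the client's output."""
    summaries: List[Summary] = []
    job_ids: List[str] = []
    fix_groups: Optional[int] = None
    pending: Optional[Tuple[str, str]] = None   # label waiting for its Details block
    current: Optional[Summary] = None
    for line in text.splitlines():
        if (m := JOB_ID_RE.match(line)):
            job_ids.append(m.group("id"))
        elif (m := LABEL_RE.match(line)):
            pending = (m.group("label"), m.group("path"))
        elif (m := DETAILS_RE.match(line)):
            current = Summary(name=m.group("name"))
            if pending:
                current.label, current.path = pending
                pending = None
            summaries.append(current)
        elif (m := COUNT_RE.match(line)) and current is not None:
            # The client prints thousands separators ("1,460"); strip them before int().
            current.counts[m.group("key")] = int(m.group("value").replace(",", ""))
        elif (m := FIX_GROUPS_RE.match(line)):
            fix_groups = int(m.group("n"))
    return summaries, fix_groups, job_ids


def pick(summaries: List[Summary], label: Optional[str] = None) -> Optional[Summary]:
    """Summary carrying `label`, or the last one parsed when no label is given."""
    hits = [s for s in summaries if label is None or s.label == label]
    return hits[-1] if hits else None


def delta_is_empty(summaries: List[Summary], label: str) -> bool:
    """True when the labelled delta result has 0 findings (the case -z deletes)."""
    s = pick(summaries, label)
    return s is not None and s.counts.get("Total Findings", 0) == 0


def should_fail(summaries: List[Summary], max_high: int = 0, label: Optional[str] = None) -> bool:
    """CI gate: fail when the chosen summary has more High findings than allowed,
    or when no summary could be parsed at all (an unreadable report must not pass)."""
    s = pick(summaries, label)
    return s is None or s.counts.get("High", 0) > max_high


# Sample output copied (abridged) from the README's -i and -r example runs.
IFA_OUTPUT = """Job submitted. ID: 6b61564a-129c-40c7-a7f4-8e858b657eb6
Details for WebGoat-Legacy-archive_5_4:
    Total Findings: 136
    High: 42
    Medium: 8
    Low: 86
    Info: 0
    Excluded: 1,460
IFA assessment path:./WebGoat-Legacy-archive_5_4_IFA.ozasmt
"""
DELTA_OUTPUT = """Diff Results:
Original: WebGoat-Legacy-archive_5_4_IFA.ozasmt
Details for WebGoat-Legacy-archive_5_4:
    Total Findings: 136
    High: 42
Baseline: webgoat.ozasmt
Details for WebGoat-Legacy-archive_5_4:
    Total Findings: 1,410
    High: 156
Resolved: ./WebGoat-Legacy-archive_5_4_resolved.ozasmt
Details for WebGoat-Legacy-archive_5_4:
    Total Findings: 1,460
    High: 118
    Low: 1,203
Time taken to determine diff: 00:02.051
"""

if __name__ == "__main__":
    ifa, _, ids = parse_report(IFA_OUTPUT)
    print("job", ids[0], "High:", ifa[0].counts["High"], "fail:", should_fail(ifa))
    delta, _, _ = parse_report(DELTA_OUTPUT)
    print("resolved delta empty:", delta_is_empty(delta, "Resolved"))
```

Pipe the client's stdout into parse_report and exit non-zero on should_fail; treating an unparsable report as a failure matters because a crashed or misconfigured run otherwise looks like a clean one.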

Using remote host

To use a remote host, add the -h option: java -jar ifa-client.jar -h http://remote:9080 -i webgoat.ozasmt

The value must include the protocol, host and port (the default is http://localhost:9080). When the server's Liberty back end is configured for SSL, use an https:// URL; the -s option disables certificate validation and should be limited to test setups, since assessments carry finding details for the scanned code.

Issues

APPScan CLIENT fails in docker container with appscan.sh version

I have been trying to build a container with Docker and the AppScan CLI, which I install via curl. However, I have come across several errors: first, the Java in the folder jre/bin/java was not being found. I installed some dependencies and the error changed to libraries that were not being found. I copied the libraries to the jre/lib/ folder and now the error is as follows:

/home/SAClientUtil.8.0.1445/bin/appscan.sh: line 142:  34 Segmentation fault      "$JAVACMD" -Xmx8g -Dcom.ibm.jsse2.usefipsprovider=true $CLI_CONFIG_OPTS $APPSCAN_OPTS -cp "$APPSCAN_INSTALL_DIR/lib/*" com.ibm.appscan.cli.common.Launcher "$APPSCAN_INSTALL_DIR" "$@"

Line 142 in appscan.sh:

140 - else
141 -         "$JAVACMD" -Xmx8g -Dcom.ibm.jsse2.usefipsprovider=true $CLI_CONFIG_OPTS $APPSCAN_OPTS -cp "$APPSCAN_INSTALL_DIR/lib/*" com.ibm.appscan.cli.common.Launcher "$APPSCAN_INSTALL_DIR" "$@"
142 - fi

Dockerfile

FROM alpine:3
COPY index.sh /usr/bin/index.sh
RUN chmod +x /usr/bin/index.sh

RUN ls /

RUN cd /home && /usr/bin/index.sh
RUN env

index.sh

#! /bin/sh
set -x

apk --no-cache add ca-certificates wget
wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.28-r0/glibc-2.28-r0.apk
apk add glibc-2.28-r0.apk

apk add --no-cache bash zlib zlib-dev curl libgcc libstdc++ unzip

curl -o appscan.zip https://cloud.appscan.com/api/SCX/StaticAnalyzer/SAClientUtil?os=linux
unzip appscan.zip
rm -rf appscan.zip
find / -name libc.musl-x86_64.so.1
cp /lib/libc.musl-x86_64.so.1 /lib/libz.so.1 /home/SAClientUtil.8.0.1445/jre/lib/
env

export PATH=$PATH:/home/SAClientUtil.8.0.1445/bin:/home/SAClientUtil.8.0.1445/jre/bin
#export JAVA_HOME=/home/SAClientUtil.8.0.1445/jre/
appscan.sh version

The error is given when I try to issue the simple appscan.sh version command. How can I proceed?

Additional parameter to generate Delta report only with more than zero findings

IFA delta analysis (parameter "-n") is used to find the diff between the latest and the baseline assessment. The output file name can be specified using "-f" to generate the delta assessment.

Is there a way (an additional argument, perhaps) to generate the delta assessment ONLY if there are new findings (i.e. more than zero new findings)? Currently it generates the delta report whether or not new findings exist, and with zero findings it generates an empty report.
