
Falco: 3rd party code security intelligence for software maintainers

What is falco?

Falco is a simple tool that searches the NIST NVD and reports known security bugs in the 3rd party software packages used in your projects. By placing falco in your build or QA process, you can be alerted when new security defects are reported against a package you depend on. You can also make falco part of your architectural review process as you evaluate component choices.

Falco Dependencies

Falco depends on nvd2sqlite3, a sqlite3 loader for the NIST NVD vulnerability database. You must pip install nvd2sqlite3 and pystache. Then update the cvedb database and, at runtime, point falco at the up-to-date database (the -d option) so that the vulnerability check in your software workflow runs against current data.

Thanks and shout outs:

Jan Schaumann (on Twitter) for https://github.com/jschauma/nvd2sqlite3
NJ Ouchn for the vFeed database, awesome tool!

Use this command to install and update the NVD database; it is also the setup step for first use, run from the falco directory:

$ ./falco -u

Run the same update command periodically. The cvedb database must be refreshed regularly, otherwise falco's findings reflect stale rather than current threat knowledge.

If you find falco useful, please give a shoutout to us, and to the great folks who build and maintain the toolswatch CVE database that helped us get the project started.

No free lunch

Users of falco are responsible for making sure the package names and versions supplied to falco are current with the project being evaluated. There is no sophistication built into falco to survey your code for 3rd party dependencies. There are commercial products which can do this and so much more. Falco users must obtain and manage their own configuration management data for their project.

Recently, Jeremy Long, of OWASP dependency-check gave me a heads up regarding other FOSS projects that also provide 3rd party code dependency security checks. See the list below for some other 3rd party code dependency check apps.

Open source 3rd party software dependency apps

Commercial products that do dependency checks

Why falco

We wrote the tool because (at the time we looked) there were no accessible tools for developers and project maintainers to easily find known security vulnerabilities in software they use as part of a project. Falco is bare-bones simple, and implements a basic software security check mandated by many security maturity models, such as OWASP Top 10 2013 A9, Using Components with Known Vulnerabilities (https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities), OpenSAMM (http://www.opensamm.org/), or BSIMM (http://www.bsimm.com/online/governance/cp/).

Falco is not a code scanner

Falco does not test the software; it simply looks to see whether the package and version you give it appear in a vulnerability database. If they do, you may have a vulnerability in software you depend upon. You need to respond by validating that vulnerability assertion, and then updating the package as needed. Other ways to discover known existing vulnerabilities are the dependency-check tools mentioned above, network security scanners like OpenVAS or Nessus (often used by commercial customers), and code analysis tools like HP Fortify or Coverity.

Do 3rd party code threat intelligence

If you are developing a security lifecycle for your project, then managing 3rd party code security bugs is just a small part of a very baseline behavior. We wish you luck and hope that falco helps in your journey.

Mark Menkhus, RedCup working group [email protected]

July 11, 2014

All rights reserved.

(c) Copyright 2015 Falconry Concepts LLC.

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Falco help

usage: falco [-h] [-b] [-c] [-C [CVE]] [-d [CVEDB_DATABASE]] [-f [PACKAGELISTFILE]]
             [-i [ITEMS_REPORTED]] [-n [PACKAGE_NAME]] [-o [OUTPUTFILE]] [-t [TYPE]]
             [-m [MINIMUM_DATE]] [-u] [-v [PACKAGE_VERSION]] [-V]

Checks a command line or a file list of software programs for known security defects documented in the National Vulnerability Database. Matches a project name and version to CPE URIs in the NVD database. Uses the nvd2sqlite3 app (Copyright 2013), thanks to Jan Schaumann for https://github.com/jschauma/nvd2sqlite3

optional arguments:
  -h, --help            show this help message and exit
  -b, --build_environment
                        for use in build environments, return fail if items found
  -c, --config          update database and setup for use. Do this after manually
                        downloading a new database
  -C [CVE], --CVE [CVE]
                        display a CVE entry
  -d [CVEDB_DATABASE], --cvedb_database [CVEDB_DATABASE]
                        location of the cvedb sqlite database
  -f [PACKAGELISTFILE], --packagelistfile [PACKAGELISTFILE]
                        file where the list of packages to evaluate is stored
  -i [ITEMS_REPORTED], --items_reported [ITEMS_REPORTED]
                        number of items reported for NVD/CVE matches
  -n [PACKAGE_NAME], --package_name [PACKAGE_NAME]
                        package name to search for
  -o [OUTPUTFILE], --outputfile [OUTPUTFILE]
                        name of output file
  -t [TYPE], --type [TYPE]
                        format of output, options are text, html, json
  -m [MINIMUM_DATE], --minimum_date [MINIMUM_DATE]
                        the minimum date we look for in the database for matches,
                        default is the beginning of the data. Format is like 2003-11-17
  -u, --update          download database. Do this about once a week
  -v [PACKAGE_VERSION], --package_version [PACKAGE_VERSION]
                        package version to look for
  -V, --Version         report the version of falco and exit

Usage Examples

Assumes cvedb is in the /var/db directory

Example 1, check a package named 'python' version '2.7.3' for vulnerabilities in the NVD database

$ ./falco -n python -v 2.7.3

One Item being checked
*** Potential security defect found in python:2.7.3
CVE: CVE-2013-7040
CVSS Score: 4.3
CPE id: cpe:/a:python:python:2.7.3
Published on: 2014-05-19T10:55:09.987-04:00
Summary Description: Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.

Example 2, using falco in build situations

Assume the feed database is in the /var/db directory. Check a package named 'python' version '2.7.3' for vulnerabilities in the NVD database and, if any are found, return a non-zero exit status. Placing this in a makefile causes make to stop when a vulnerability matches.

$ ./falco -d /var/db/cvedb -b -n python -v 2.7.3 -o falcolog  
$ echo $?  
1  
$  

Example 3, falco in a makefile, using the -b (break the build) flag

Makefile (recipe lines must begin with a tab):

# This will FAIL make because bash version 1.14.7 is found in the NVD
# database. The fix is twofold: update bash to the most recent release,
# then change the make entry below to reflect the new version number.
bash.build.out:
	./falco -b -n bash -v 1.14.7 -d /var/db/cvedb -o bash.build.out
clean:
	rm -f bash.build.out

Execution

$ make  
./falco -b -n bash  -v 1.14.7 -d /var/db/cvedb -o bash.build.out  
make: *** [bash.build.out] Error 1  

Explanation

-b causes falco to return a failing exit status if the NVD search for the package and version returns any CVE findings.

Suggested action

File a bug in the bug tracker and remove -b from the makefile; when the bug is fixed, update the makefile to reflect the new package version and reinstate -b.
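The lookup that the help text and Examples 1 to 3 describe (package name and version turned into a CPE URI, looked up in the sqlite cvedb, filtered by -m, and turned into a pass/fail exit status by -b) as an added illustrative re-implementation. This is not falco's own code: it assumes a toy table cves(cve_id, cpe, cvss, published, summary) loaded with the single Example 1 row, because the real nvd2sqlite3/vFeed schema is not given on this page.

```python
"""Added example: a minimal re-implementation of the check falco performs.
Not falco's own code; the toy schema and the vendor defaulting are assumptions."""
import sqlite3
import sys

# Constructed sample data. The one row is the Example 1 finding from this page;
# a real cvedb holds the whole NVD and uses its own schema.
SAMPLE_ROWS = [
    ("CVE-2013-7040", "cpe:/a:python:python:2.7.3", 4.3, "2014-05-19",
     "Python 2.7 before 3.4 only uses the last eight bits of the prefix to "
     "randomize hash values ... NOTE: incomplete fix for CVE-2012-1150."),
]

FIELDS = ("cve", "cpe", "cvss", "published", "summary")


def build_sample_db():
    """In-memory sqlite database using the assumed toy schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cves (cve_id TEXT, cpe TEXT, cvss REAL, "
               "published TEXT, summary TEXT)")
    db.executemany("INSERT INTO cves VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def cpe_uri(name, version, vendor=None):
    """CPE 2.2 URI of the form cpe:/a:<vendor>:<product>:<version>.

    NVD vendor and product names are lowercase, and the vendor is often not
    the package name (bash is cpe:/a:gnu:bash:...). Assumption: the vendor
    defaults to the product name when the caller does not supply one."""
    vendor = (vendor or name).lower()
    return "cpe:/a:%s:%s:%s" % (vendor, name.lower(), version)


def check_package(db, name, version, vendor=None,
                  minimum_date="0000-00-00", items_reported=10):
    """Rows whose CPE equals the package's URI, newest first.

    minimum_date mirrors -m and items_reported mirrors -i. Dates are ISO 8601
    strings, so a plain string comparison orders them correctly."""
    cur = db.execute(
        "SELECT cve_id, cpe, cvss, published, summary FROM cves "
        "WHERE cpe = ? AND published >= ? ORDER BY published DESC LIMIT ?",
        (cpe_uri(name, version, vendor), minimum_date, items_reported))
    return [dict(zip(FIELDS, row)) for row in cur]


def build_check(db, name, version, **options):
    """Mirror -b: print findings in falco's layout; return 1 if any exist, else 0."""
    findings = check_package(db, name, version, **options)
    for f in findings:
        print("*** Potential security defect found in %s:%s" % (name, version))
        print("CVE: %s" % f["cve"])
        print("CVSS Score: %s" % f["cvss"])
        print("CPE id: %s" % f["cpe"])
        print("Published on: %s" % f["published"])
        print("Summary Description: %s" % f["summary"])
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python falco_check_example.py <package> <version> [vendor]
    args = sys.argv[1:] or ["python", "2.7.3"]
    vendor = args[2] if len(args) > 2 else None
    sys.exit(build_check(build_sample_db(), args[0], args[1], vendor=vendor))
```

The equality match on the CPE URI is the reason for the "No free lunch" warning above: a version string that does not exactly match what NVD records, or an NVD vendor name that differs from the package name (gnu:bash), silently produces zero findings, and NVD entries that express a version range rather than an exact version are not caught by an equality lookup at all. Treat an empty result as "no exact CPE match", not as "clean".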

Dependencies

  1. Update the /var/db/cvedb database for initial use, using falco -u.

  2. Put "falco -u" in a cron job: falco only sees new vulnerabilities if its copy of the NVD data is current. The upstream database is updated every few weeks.

bug reports

send bug reports to [email protected]

Contributors

menkhus


falco's Issues

add -o, output file

add a -o option
    add to options processing
    add to documentation
        add output file option to output processing in all non debug print statement
    add to readme
    add to unit tests

-u Update mechanism is brittle, does not work with -d database path

While putting the falco database update in a cronjob (falco -u;falco -c), I saw that the vfeed.db tar file was created in $home. The work around is to use some shell scripting with the vfeed cli features to get the database to be placed where you want to keep it. Moreover, there are two problems:
the update logic requires falco -u; falco -c (should be just one command)
the -u feature does not see or use the -d database path, so the update uses the default current working directory

Analysis:
-u uses the vfeed.vFeedUpdate() logic, and this needs to accept a parameter for the database path.
-c should be subsumed into the -u logic.

Leverage the vfeed classes

Hi there,

Very cool project and happy that you are relying on vFeed.

I checked your code and noticed that you are re-writing some queries that already exist. In fact, you can leverage the vfeed class and import the functions you need.

See doc here >> https://github.com/toolswatch/vFeed/wiki/%5B2%5D-Usage

And a sample how to call vfeed class from your python script >> https://github.com/toolswatch/vFeed/blob/master/vfeed_calls_samples.py

Anyway, I will try your tool. It sounds nice ;)

@toolswatch

Database Update

Whenever I try to update the database it returns a "broken pipe" error and deletes the installed XMLs which contain the CVE information year by year.
Note: The main problem is in load.sh: nvd2sqlite (command not found). I installed all the dependencies on the working platform.

problem with nonascii codec into pipe

$ falco -V
falco version: 0.6.2

$ falco -n apple -i 4000 | more
check_item_in_database: 'ascii' codec can't encode character u'\xe9' in position 907334: ordinal not in range(128)
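One way around the failure reported in this issue, as an added example that is not falco's code: encode the report as UTF-8 yourself and write the bytes to the underlying binary stream, instead of letting the text layer pick a codec from the environment. The report line below is constructed and contains the u'\xe9' character from the error message.

```python
"""Added example (not part of falco): pipe-safe report output."""
import io

# Constructed report line containing U+00E9, the character from the issue above.
REPORT_LINE = u"Summary Description: caf\u00e9 vulnerability summary with non-ASCII text\n"


def write_report(stream, text):
    """Write text to stream as UTF-8 regardless of the stream's own encoding.

    When stdout is a pipe rather than a terminal, Python 2 (and Python 3 under a
    C/POSIX locale) may select the ASCII codec, and the first accented character
    raises UnicodeEncodeError. Encoding explicitly and writing the bytes to the
    underlying binary buffer sidesteps that codec choice. Returns bytes written."""
    data = text.encode("utf-8")
    binary = getattr(stream, "buffer", None)  # Python 3 text streams expose .buffer
    if binary is None:
        binary = stream  # already a binary stream (e.g. sys.stdout in Python 2)
    return binary.write(data)


def ascii_stream_fails(text):
    """True when writing text through an ASCII-only text stream raises, which
    reproduces the situation in the issue."""
    wrapper = io.TextIOWrapper(io.BytesIO(), encoding="ascii")
    try:
        wrapper.write(text)
        wrapper.flush()
        return False
    except UnicodeEncodeError:
        return True


def write_through_ascii_wrapper(text):
    """Route text via write_report through an ASCII text stream and return the
    raw bytes that reached the underlying buffer."""
    raw = io.BytesIO()
    wrapper = io.TextIOWrapper(raw, encoding="ascii")
    write_report(wrapper, text)
    data = raw.getvalue()
    wrapper.detach()
    return data


if __name__ == "__main__":
    import sys
    print("plain write would fail: %s" % ascii_stream_fails(REPORT_LINE))
    write_report(sys.stdout, REPORT_LINE)
```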

worklist file processing

SERIOUS - the testlist.txt file in the test directory is not
processed correctly. It appears that the apache and oscar entries
are not checked. To reproduce the bug:
cd test; ../falco -d ../vfeed.db -f testlist.txt
