
Grepmarx

Grepmarx - Application Security Platform

Grepmarx is a web application providing a single platform to quickly understand, analyze and identify vulnerabilities in possibly large and unknown code bases.

Features

SAST (Static Analysis Security Testing) capabilities:

  • Support for multiple languages: C/C++, C#, Go, HTML, Java, Kotlin, JavaScript, TypeScript, OCaml, PHP, Python, Ruby, Bash, Rust, Scala, Solidity, Terraform, Swift
  • Support for multiple frameworks: Spring, Laravel, Symfony, Django, Flask, Node.js, jQuery, Express, Angular...
  • 1600+ existing analysis rules
  • Easily extend analysis rules using Semgrep syntax: https://semgrep.dev/editor
  • Manage rules in rule packs to tailor code scanning

SCA (Software Composition Analysis) capabilities:

  • Support for multiple package-dependency formats: NPM, Maven, Gradle, Composer, pip, Gopkg, Gem, Cargo, NuPkg, CSProj, PubSpec, Cabal, Mix, Conan, Clojure, Docker, GitHub Actions, Jenkins HPI, Kubernetes
  • SBOM (Software Bill-of-Materials) generation (CycloneDX compliant)

Extra

  • Analysis workbench designed to efficiently browse scan results
  • Scan code that doesn't compile
  • Comprehensive LOC (Lines of Code) counter
  • Inspector: automatic application features discovery
  • ... and a Dark Mode

Screenshots

(Screenshots not reproduced here: Scan customization, Analysis workbench, Rule pack edition)

Execution

Grepmarx is provided with a configuration to be executed in Docker and Gunicorn.

Docker execution

Make sure you have docker-compose installed on the system and that the docker daemon is running. The application can then be easily executed in a docker container. The steps:

Get the code

$ git clone https://github.com/Orange-Cyberdefense/grepmarx.git
$ cd grepmarx

Start the app in Docker

$ sudo docker-compose pull && sudo docker-compose build && sudo docker-compose up -d

Visit http://localhost:5000 in your browser. The app should be up & running.

Gunicorn execution

Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX. A supervisor configuration file is provided to start it along with the required Celery worker (used to queue security scans).

Install using pip

$ pip install gunicorn supervisor

Start the app using gunicorn binary

$ supervisord -c supervisord.conf

Visit http://localhost:8001 in your browser. The app should be up & running.

Add rule repositories

In order to run a scan you will need to manually add at least one entry in Administration/Repository. Here are a few examples of Semgrep rule repositories which can be used:

  • https://github.com/semgrep/semgrep-rules: the standard library for Semgrep rules
  • https://github.com/trailofbits/semgrep-rules: Semgrep rules developed by Trail of Bits
  • https://github.com/Decurity/semgrep-smart-contracts: Semgrep rules that look for patterns of vulnerabilities in smart contracts
  • https://github.com/0xdea/semgrep-rules: Semgrep rules by 0xdea
  • https://github.com/mindedsecurity/semgrep-rules-android-security: Semgrep rules derived from the OWASP MASTG specifically for Android applications
  • https://github.com/akabe1/akabe1-semgrep-rules: collection of akabe1's custom Semgrep rules
  • https://github.com/s0rcy/semgrep-rules: Collection of s0rcy's personal Semgrep rules for security analysis and research

Make sure you agree & comply with the LICENSE file of the rules repositories you use!

At this stage, all you have to do is create Rule Packs according to your needs and then launch your scans.

Build from sources

Get the code

$ git clone https://github.com/Orange-Cyberdefense/grepmarx.git
$ cd grepmarx

Install virtualenv modules

$ virtualenv env
$ source env/bin/activate

Install Python modules

$ # SQLite Database (Development)
$ pip3 install -r requirements.txt
$ # OR with PostgreSQL connector (Production)
$ # pip install -r requirements-pgsql.txt

Install additional requirements

# Dependency scan requirements (cdxgen)
$ sudo apt install -y npm openjdk-17-jdk maven gradle golang composer
$ sudo npm install -g @cyclonedx/cdxgen
# Application Inspector dependencies
$ sudo apt install -y dotnet-runtime-8.0

Make sure the Node.js version is >= 20.x, otherwise cdxgen will fail.

A Redis server is required to queue security scans. Install the redis package with your favorite distro package manager, then:

$ redis-server

Set the FLASK_APP environment variable

$ export FLASK_APP=run.py
$ # Set up the DEBUG environment
$ # export FLASK_ENV=development

Start the celery worker process

$ celery -A app.celery_worker.celery worker --pool=prefork --loglevel=info --detach

Start the application (development mode)

$ # --host=0.0.0.0 - expose the app on all network interfaces (default 127.0.0.1)
$ # --port=5000    - specify the app port (default 5000)
$ flask run --host=0.0.0.0 --port=5000

Access grepmarx in your browser: http://127.0.0.1:5000/

Credits & Links

Grepmarx - Provided by Orange Cyberdefense.

Contributors

fxbru, fxbru-orange

grepmarx's Issues

Analysis Start issue

Launch Scan issue

I found an error when I click on Launch Scan, there is a server error:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/flask_login/utils.py", line 277, in decorated_view
    return current_app.ensure_sync(func)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/grepmarx/app/analysis/routes.py", line 99, in scans_launch
    import_rules(project.analysis, project_rules_path)
  File "/opt/grepmarx/app/analysis/util.py", line 350, in import_rules
    c_rule.repository.name
AttributeError: 'NoneType' object has no attribute 'name'

This is exactly where it crashes:

    for c_rule_pack in analysis.rule_packs:
        for c_rule in c_rule_pack.rules:
            src = os.path.join(RULES_PATH, c_rule.file_path)
            dst = os.path.join(
                rule_folder,
                c_rule.repository.name + "_" + c_rule.category + "." + c_rule.title + next(iter(RULE_EXTENSIONS)),
            )

Because the c_rule.repository.name is None. Probably a default value could solve this? Maybe it's something different; the projects I'm trying to analyze are zip files, not repositories. IDK

Thanks for your attention!! :)

Scan Status is Error

The scan showed an error in the status. May I know why? Or I want to know how to check the log. grepmarx is installed as docker.


Error in install - Supervisor

I'm trying to bring up the Docker container, but I get this error.
I have already installed supervisor on my Kali Linux and it still returns this error (shown in the image).

No such file or directory: 'data/rules/Semgrep-Rules/contrib/dlint/dlint-equivalent.yaml'

I'm running the latest version of GrepMarx with Docker.
After creating a new project and pressing the "New analysis" button, I get the following message in the browser:

Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

while in the console logs I get the following messages:

grepmarx-1  | [2024-03-28 13:55:54 +0000] [19] [DEBUG] POST /analysis/scans/launch
grepmarx-1  | [2024-03-28 13:55:54,526] ERROR in app: Exception on /analysis/scans/launch [POST]
grepmarx-1  | Traceback (most recent call last):
grepmarx-1  |   File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 2073, in wsgi_app
grepmarx-1  |     response = self.full_dispatch_request()
grepmarx-1  |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
grepmarx-1  |   File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1518, in full_dispatch_request
grepmarx-1  |     rv = self.handle_user_exception(e)
grepmarx-1  |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
grepmarx-1  |   File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1516, in full_dispatch_request
grepmarx-1  |     rv = self.dispatch_request()
grepmarx-1  |          ^^^^^^^^^^^^^^^^^^^^^^^
grepmarx-1  |   File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1502, in dispatch_request
grepmarx-1  |     return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
grepmarx-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
grepmarx-1  |   File "/usr/local/lib/python3.11/site-packages/flask_login/utils.py", line 277, in decorated_view
grepmarx-1  |     return current_app.ensure_sync(func)(*args, **kwargs)
grepmarx-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
grepmarx-1  |   File "/opt/grepmarx/app/analysis/routes.py", line 99, in scans_launch
grepmarx-1  |     import_rules(project.analysis, project_rules_path)
grepmarx-1  |   File "/opt/grepmarx/app/analysis/util.py", line 356, in import_rules
grepmarx-1  |     copyfile(src, dst)
grepmarx-1  |   File "/usr/local/lib/python3.11/shutil.py", line 256, in copyfile
grepmarx-1  |     with open(src, 'rb') as fsrc:
grepmarx-1  |          ^^^^^^^^^^^^^^^
grepmarx-1  | FileNotFoundError: [Errno 2] No such file or directory: 'data/rules/Semgrep-Rules/contrib/dlint/dlint-equivalent.yaml'

Thanks! :)
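The two tracebacks above (c_rule.repository being None, and a rule file missing from the synced checkout) both come from the same copy loop in import_rules. The following is an added example, not grepmarx's own code, of a defensive version of that loop: it checks the repository link and the source file before copying, reports problem rules instead of raising on the launch route, and additionally refuses rule paths that resolve outside the rules root. The Repository and Rule dataclasses, RULE_EXTENSION and demo() are stand-ins assumed for the example.

```python
import os
import tempfile
from dataclasses import dataclass
from shutil import copyfile

RULE_EXTENSION = ".yaml"  # assumed stand-in for grepmarx's RULE_EXTENSIONS
@dataclass
class Repository:  # stand-in for the ORM model
    name: str

@dataclass
class Rule:  # stand-in for the ORM model
    file_path: str  # relative to the rules root, as synced from the repository
    category: str
    title: str
    repository: "Repository | None" = None  # None reproduces the first issue

def import_rules(rule_packs, rules_root, dst_folder):
    """Copy the rules of each pack (a rule list) into dst_folder; return (copied, skipped)."""
    root = os.path.realpath(rules_root)
    os.makedirs(dst_folder, exist_ok=True)
    copied, skipped = [], []  # skipped holds (title, reason): reported, not raised
    for rules in rule_packs:
        for rule in rules:
            if rule.repository is None:  # would raise AttributeError on .name
                skipped.append((rule.title, "rule not linked to a repository"))
                continue
            src = os.path.realpath(os.path.join(root, rule.file_path))
            if os.path.commonpath([root, src]) != root:  # path escapes the rules root
                skipped.append((rule.title, "rule path outside the rules root"))
                continue
            if not os.path.isfile(src):  # would raise FileNotFoundError in copyfile
                skipped.append((rule.title, "missing rule file: " + src))
                continue
            name = f"{rule.repository.name}_{rule.category}.{rule.title}{RULE_EXTENSION}"
            copyfile(src, os.path.join(dst_folder, name))
            copied.append(name)
    return copied, skipped

def demo():  # constructed scenario: one good rule, one unlinked, one missing, one escaping
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "rules", "Semgrep-Rules", "python"))
    for path in ("rules/Semgrep-Rules/python/eval.yaml", "outside.yaml"):
        open(os.path.join(base, path), "w").close()
    repo = Repository("Semgrep-Rules")
    pack = [Rule("Semgrep-Rules/python/eval.yaml", "python", "eval", repo),
            Rule("Semgrep-Rules/python/eval.yaml", "python", "orphan"),
            Rule("Semgrep-Rules/contrib/dlint/dlint-equivalent.yaml", "python", "dlint", repo),
            Rule("../outside.yaml", "python", "escape", repo)]
    return import_rules([pack], os.path.join(base, "rules"), os.path.join(base, "scan"))
```

Running demo() copies only the linked, existing rule and returns the other three with a reason each, which is what the launch route could surface in the scan status instead of a 500.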

Feature requests | Rule Packs

Hello,

Hope all is well - I want to ask for a feature to be added to the rule pack. Is it possible to have the analysis rules be auto-selected when the applicable languages are toggled? Meaning, if I select generic from Applicable Languages, the tool automatically checks all the generic rules in the Select analysis rules. Also, is it possible to have a more granular search box where I can apply filters to what languages I want in the analysis rules?

Thank you for your help!

Rule packs and Repositories are not sync

I have installed grepmarx as per the README file, but I am not able to get any rules and repositories.
Every time I try to sync rules, I get this error, as per the screenshot.

Constantly getting "No such file or directory: '/opt/grepmarx/data/projects/1/extract.json'"

I did a clean build and rebuilt the Docker image, but every time I start a new scan I appear to get
No such file or directory: '/opt/grepmarx/data/projects/1/extract.json' in the Docker logs.

Also, while I'm here, the regex to git clone from a private repo is broken, which makes the git clone of the repo not work. I adjusted it to work and I'll submit a PR for it soon, once I verify it.
