njsscan
0.4.3
NJSSCAN是一種靜態應用程序測試(SAST)工具,可以使用Libsast和語法意識的Semantic Semantic Code Pattern搜索工具SEMGREP中的簡單模式匹配器在Node.js應用程序中找到不安全的代碼模式。
製成
OPSECX Node.js安全:五處和開發-NJS
pip install njsscan
需要Python 3.7+,僅支持Mac和Linux
$ njsscan
usage: njsscan [-h] [--json] [--sarif] [--sonarqube] [--html] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]
positional arguments:
path Path can be file(s) or directories with source code
optional arguments:
-h, --help show this help message and exit
--json set output format as JSON
--sarif set output format as SARIF 2.1.0
--sonarqube set output format compatible with SonarQube
--html set output format as HTML
-o OUTPUT, --output OUTPUT
output filename to save the result
-c CONFIG, --config CONFIG
Location to .njsscan config file
--missing-controls enable missing security controls check
-w, --exit-warning non zero exit code on warning
-v, --version show njsscan version$ njsscan test.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ███████████████████████████ 160
njsscan: v0.1.9 | Ajin Abraham | opensecurity.in
╒═════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ express_xss │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP │ A1: Injection │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-79: Improper Neutralization of Input During Web Page Generation ( ' Cross-site Scripting ' ) │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═══════════════════════════════════════════════╕ │
│ │ │ File │ test.js │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match Position │ 5 - 46 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 7: 8 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match String │ const { name } = req.query ; │ │
│ │ │ │ res.send( ' <h1> Hello : ' + name + " </h1> " ) │ │
│ │ ╘════════════════╧═══════════════════════════════════════════════╛ │
╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛NODEJSSCAN建立在NJSSCAN之上,提供了完整的漏洞管理用戶界面以及其他漂亮的集成。
請參閱Nodejsscan
> >> from njsscan . njsscan import NJSScan
> >> node_source = '/node_source/true_positives/sqli_node.js'
> >> scanner = NJSScan ([ node_source ], json = True , check_controls = False )
> >> scanner . scan ()
{
'templates' : {},
'nodejs' : {
'node_sqli_injection' : {
'files' : [{
'file_path' : '/node_source/true_positives/sqli_node.js' ,
'match_position' : ( 1 , 24 ),
'match_lines' : ( 4 , 11 ),
'match_string' : 'var employeeId = req.foo; n n var sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId; n n n n connection.query(sql, function (error, results, fields) { n n if (error) { n n throw error; n n } n n console.log(results);'
}],
'metadata' : {
'owasp' : 'A1: Injection' ,
'cwe' : "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" ,
'description' : 'Untrusted input concatinated with raw SQL query can result in SQL Injection.' ,
'severity' : 'ERROR'
}
}
},
'errors' : []
}源代碼目錄根中的一個.njsscan文件允許您配置NJSSCAN。您也可以使用--config參數使用自定義.njsscan文件。
---
- nodejs-extensions :
- .js
template-extensions :
- .new
- .hbs
- ' '
ignore-filenames :
- skip.js
ignore-paths :
- __MACOSX
- skip_dir
- node_modules
ignore-extensions :
- .jsx
ignore-rules :
- regex_injection_dos
- pug_jade_template
severity-filter :
- WARNING
- ERROR 您可以通過添加註釋// njsscan-ignore: rule_id1, rule_id2到觸發發現的行中。
例子:
app . get ( '/some/redirect' , function ( req , res ) {
var target = req . param ( "target" ) ;
res . redirect ( target ) ; // njsscan-ignore: express_open_redirect
} ) ; 您可以在CI/CD或DevSecops管道中啟用NJSSCAN。
將以下內容添加到文件.github/workflows/njsscan.yml中。
name : njsscan
on :
push :
branches : [ master, main ]
pull_request :
branches : [ master, main ]
jobs :
njsscan :
runs-on : ubuntu-latest
name : njsscan check
steps :
- name : Checkout the code
uses : actions/[email protected]
- uses : actions/[email protected]
with :
python-version : ' 3.12 '
- name : nodejsscan scan
id : njsscan
uses : ajinabraham/njsscan-action@master
with :
args : ' . '示例:dvna具有NJSSCAN GITHUB動作
將以下內容添加到文件.github/workflows/njsscan_sarif.yml中。
name : njsscan sarif
on :
push :
branches : [ master, main ]
pull_request :
branches : [ master, main ]
jobs :
njsscan :
runs-on : ubuntu-latest
name : njsscan code scanning
steps :
- name : Checkout the code
uses : actions/[email protected]
- uses : actions/[email protected]
with :
python-version : ' 3.12 '
- name : nodejsscan scan
id : njsscan
uses : ajinabraham/njsscan-action@master
with :
args : ' . --sarif --output results.sarif || true '
- name : Upload njsscan report
uses : github/codeql-action/upload-sarif@v3
with :
sarif_file : results.sarif 
將以下內容添加到文件.gitlab-ci.yml中。
stages :
- test
njsscan :
image : python
before_script :
- pip3 install --upgrade njsscan
script :
- njsscan .示例:帶有NJSSCAN GITLAB的DVNA
將以下內容添加到文件.travis.yml中。
language : python
install :
- pip3 install --upgrade njsscan
script :
- njsscan . 將以下內容添加到文件.circleci/config.yaml
version : 2.1
jobs :
njsscan :
docker :
- image : cimg/python:3.9.6
steps :
- checkout
- run :
name : Install njsscan
command : pip install --upgrade njsscan
- run :
name : njsscan check
command : njsscan . docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src
