Analyses your Java and Python applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://sap.github.io/vulnerability-assessment-tool/
Branch: master
Clone or download
Naramsim Merge pull request #106 from SAP/doc_update_frontend_main_page
updating the documentation of the frontend main page to inser the inf…
Latest commit a3e432c Feb 16, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Update main.workflow Feb 8, 2019
.travis Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
cli-scanner Fixed @slow test Feb 8, 2019
docker feat(docker): add checks in run.sh Jan 31, 2019
docs updating the documentation of the frontend main page to inser the inf… Feb 15, 2019
frontend-apps Merge branch 'alerts-endpoint' of https://github.com/SAP/vulnerabilit… Feb 13, 2019
frontend-bugs Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
frontend-patch-analyzer Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
lang-java-init Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
lang-java-reach-soot-init Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
lang-java-reach-soot Updated docs wrt. Soot static analysis fwk Feb 8, 2019
lang-java-reach-wala Fixes #92 (error message if configured workspace does not exist) Feb 4, 2019
lang-java-reach Removed printStackTrace Feb 15, 2019
lang-java updated guava Feb 13, 2019
lang-python Fixed parsing of pip list json format with installer and location pro… Feb 15, 2019
lang Merge pull request #104 from SAP/report Feb 15, 2019
patch-analyzer Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
patch-lib-analyzer Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
plugin-gradle Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
plugin-maven Prepare for Maven -T multi-threading Feb 4, 2019
repo-client Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
rest-backend Update HubIntegrationController.java Feb 11, 2019
rest-lib-utils-init Bump to version 3.0.14-SNAPSHOT Jan 17, 2019
rest-lib-utils updated guava Feb 13, 2019
shared Prepare for Maven -T multi-threading Feb 4, 2019
.dockerignore feat(docker): generate jar inside proper folders Oct 17, 2018
.gitattributes chore: add link to license of gitattributes Oct 17, 2018
.gitignore chore: add Version.js to .gitignore Feb 5, 2019
.travis.yml refactor(travis): better comments Jan 21, 2019
CONTRIBUTING.md fix(docs): fix links/remove jsbin mentions Jan 9, 2019
LICENSE.txt Update LICENSE.txt Nov 6, 2018
NOTICE.txt Finally: Vulas goes open-source Oct 11, 2018
README.md Update README.md Feb 1, 2019
findbugs-exclude.xml Finally: Vulas goes open-source Oct 11, 2018
pom.xml Cosmetic changes and documentation Feb 8, 2019

README.md

Open-source vulnerability assessment tool License PRs Welcome Build Status

Discover, assess and mitigate known vulnerabilities in your Java and Python projects.

The open-source vulnerability assessment tool supports software development organizations in regards to the secure use of open-source components during application development. The tool analyzes Java and Python applications in order to

  • detect whether they depend on open-source components with known vulnerabilities,
  • collect evidence regarding the execution of vulnerable code in a given application context (through the combination of static and dynamic analysis techniques), and
  • support developers in the mitigation of such dependencies.

As such, it addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities, which is often the root cause of data breaches [1].

In comparison to other tools, the detection is code-centric and usage-based, which allows for more accurate detection and assessment than tools relying on meta-data. It is a collection of client-side scan tools, RESTful microservices and rich OpenUI5 Web frontends.

Read more in our Docs

History

Originally developed by SAP Security Research [2][3], the tool has become the officially recommended open-source scan tool for Java applications at SAP. Since the beginning of 2017, it has been used to perform 20K+ scans of more than 600+ Java development projects.

The tool approach is best described in the following scientific papers, please cite these if you use the tool for your research work:

Features

In the following a couple of example features:

  • Detection of vulnerable code is realized by discovering method signatures in Java archives and comparing their source and byte code with the vulnerable and fixed version (as known from the fix commit). As such, the detection is more accurate than for approaches based on meta-data (less false-positives and false-negatives). In particular, it is robust against rebundling, a very common practice in the Java ecosystem.
  • Assessment of vulnerable dependencies by application developers and security experts is supported by information about the potential and actual execution of vulnerable code. This information is based on call graph analysis and trace information collected during JUnit and integration tests. Going down to the granularity of single methods, application developers are presented with the potential and actual call stack from application code till vulnerable code.
  • The addition of new vulnerabilities to the knowledge base does not require the re-scan of applications. In other words, right after an addition to the knowledge base, it is immediately known whether previously scanned applications are affected or not.
  • Mitigation proposals consider the reachable share of dependencies, i.e., the set of methods that can be potentially reached from application code union the actual executions observed during tests. This information is used to compute several metrics aiming to let developers chose the best non-vulnerable replacement of a vulnerable dependency (best in regards to non-breaking and with least regression likelihood).
  • Individual findings can be exempted if developers come to the conclusion that a vulnerability cannot be exploited in a given application-context. This information can be maintained in an auditable fashion (incl. timestamp and author information) and typically prevents build exceptions during CI/CD pipelines.
  • Organization-internal CERTs can query for all applications affected by a given vulnerability. This feature supports, for instance, larger development organizations with many software applications developed by distributed and de-central development units.

Visit the Wiki in order to get a better understanding of the various features and the Web frontends.

Requirements

The open-source vulnerability assessment tool has a distributed architecture composed of a couple of Spring Boot microservices, two Web frontends and a number of client-side scanners/plugins, which perform the actual analysis of application and dependency code on build systems or developer workstations.

You need Docker

  • to build all artifacts and
  • operate the various server-side components.

You need the Java 8 JRE and the following to run the various client-side scanners/plugins:

  • Maven 3.3+ for the analysis of Maven projects using the plugin-maven,
  • Python 3 as well as the packages pip, virtualenv and setuptools (pip install <name>) for the analysis of Python applications using the cli-scanner, and
  • Gradle 4 for the analysis of Gradle projects using the plugin-gradle.

Download and Installation: Try it out!

For your convenience, you can use Docker to build and run the open-source vulnerability assessment tool on your own in a few easy steps. Detailed instructions are available here.

Configuration

Even though the default configuration works out of the box, you may want to configure the various components to adapt the tool to your needs and organization. See below for a some examples and refer to the Wiki for detailed configuration instructions.

The client-side scan tools (plugin-maven, plugin-gradle, cli-scanner) can be configured to integrate and align with organization-specific development and security policies. For instance, it is configurable whether build exceptions are thrown as soon as dependencies with vulnerable code exist, or only if the execution of such vulnerable code is observed during JUnit or integration tests.

The microservices and Web frontends can be configured to integrate with an organization-specific build and development infrastructure. For instance, private Nexus or PyPI repositories can be configured to provide information about non-public components.

The tool was originally built to manage publicly known vulnerabilities in open-source components, however, the knowledge base can also (in parallel) comprise non-public vulnerabilities. This possibility is particularly useful for larger development organizations with many internal re-use components. As for open-source components, thanks to the integration with private Nexus and PyPI repositories, the tool can suggest the latest non-vulnerable version of such internal re-use components.

Limitations

Important: Due to the current lack of an authentication and authorization mechanism, it is NOT recommended to run the Web frontends and server-side microservices on systems accessible from the Internet.

Other limitations:

  • Static and dynamic analyses are not implemented for Python
  • Static analysis for Java is only supported until Java 8
  • Java 9 multi-release archives are not supported (classes below META-INF/versions are simply ignored)

Known Issues

The list of current issues is available here

How to obtain support

Use the following link to Stack Overflow to search for FAQs or to request help.

Bug reports shall be submitted as GitHub issues, please refer to the next section for more details.

Contributing

Our aim is to build a lively community, hence, we welcome any exchange and collaboration with individuals and organizations interested in the use, support and extension of the open-source vulnerability assessment tool.

Please read this document to read more about your options:

  • Help Others on Stack Overflow
  • Report Bugs as GitHub issues
  • Analyze Bugs
  • Contribute Code (fixes and features)
  • Contribute to the Vulnerability Knowledge Base: The fuel driving the open-source vulnerability assessment tool is its vulnerability database. We plan to use a dedicated GitHub repository to organize the sharing and joint maintenance of information about publicly known vulnerabilities in open-source components. In the majority of the cases, such information essentially consists of a bug identifier and references to one or more commits (created by the developers of the vulnerable component in order to fix the vulnerability).

To-Do (upcoming changes)

The following is a subset of pending feature requests:

  • Static and dynamic analysis for Python
  • Support of JavaScript (client- and server-side)
  • UI dashboards for workspaces

License

Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved.

This project is licensed under the Apache Software License, v.2 except as noted otherwise in the LICENSE file.

References

[1] https://snyk.io/blog/owasp-top-10-breaches/

[2] https://www.sap.com/documents/2017/08/f2895a6e-ca7c-0010-82c7-eda71af511fa.html

[3] https://scholar.google.com/citations?user=FOEVZyYAAAAJ&hl=en