engine

package module v1.0.2

Note: this package is not in the latest version of its module.

Published: Jun 9, 2022 License: Apache-2.0 Imports: 9 Imported by: 28

README

Horusec Engine

Table of contents

1. About
2. Usage
2.1. Why does this engine help me?
2.2. Examples
3. Documentation
4. Issues
5. Contributing
6. License
7. Community

About

This repository contains the standalone SAST engine used by Horusec. For now the only rule implementation is pattern matching; semantic analysis is being planned.

This is an internal repository of the Horusec CLI, so we don't guarantee compatibility between versions.

What is a SAST tool?

A Static Application Security Testing tool is an automated scanner for security issues in your source code. Its main goal is to identify, as early as possible in your development lifecycle, any possible threat to your infrastructure and your users' data. A SAST tool never executes the program being analyzed, so it reports possible vulnerabilities rather than confirmed ones; you still have to keep testing your applications with more traditional pen testing and any other tests you can execute.

Usage

To use this implementation, create a new engine instance, passing the goroutine pool size and the list of file extensions that should be analyzed. When the analysis finishes, a slice of findings is returned.

1. Goroutines Pool

The pool size informed during instantiation will directly affect memory usage and analysis time. The larger the pool, the shorter the analysis time, but the greater the amount of memory required.

2. Rule

A rule contains all the data needed to identify and report a vulnerability. All rules are defined by a generic interface with a Run function. The idea is to have several specific rule implementations, like the one currently in the text package, each with its own matching strategy.

3. Finding

A finding describes one possible vulnerability found during the analysis. It carries the data needed to identify and treat the vulnerability: the rule metadata, the matching code sample and its source location.

Example

    // Create an engine with a pool of 10 goroutines that only looks at .java files.
    eng := engine.NewEngine(10, ".java")

    // Rules implement engine.Rule; text.Rule matches regular expressions.
    rules := []engine.Rule{
        &text.Rule{
            Metadata: engine.Metadata{
                ID:          "HORUSEC-EXAMPLE-1",
                Name:        "Hello World",
                Description: "This is an example of the engine usage",
                Severity:    "HIGH",
                Confidence:  "HIGH",
            },
            Type: text.OrMatch,
            Expressions: []*regexp.Regexp{
                regexp.MustCompile(`System\.out\.println\("Hello World"\);`),
            },
        },
        // ...
    }

    // Walk the project and run every rule over each accepted file.
    findings, err := eng.Run(context.Background(), "path-to-analyze", rules...)
    if err != nil {
        return err
    }

    for _, finding := range findings {
        // do something
    }

Documentation

For more information about Horusec, please check out the documentation.

Issues

To open or track an issue for this project, in order to better coordinate your discussions, we recommend that you use the Issues tab in the main Horusec repository.

Contributing

If you want to contribute to this repository, access our Contributing Guide.

Developer Certificate of Origin - DCO

This is a security layer for the project and for the developers. It is mandatory.

Follow one of these two methods to add DCO to your commits:

1. Command line

Step 1: Configure your local git environment with the same name and e-mail configured on your GitHub account. This also lets you sign commits manually during reviews and suggestions.

git config --global user.name "Name"
git config --global user.email "email@domain.com.br"

Step 2: Add the Signed-off-by line with the '-s' flag in the git commit command:

$ git commit -s -m "This is my commit message"

2. GitHub website

You can also manually sign your commits during GitHub reviews and suggestions; follow the steps below:

Step 1: When the commit changes box opens, manually type or paste your signature in the comment box, as in this example:

Signed-off-by: Name < e-mail address >

For this method, your name and e-mail must be the same registered on your GitHub account.

License

Apache License 2.0.

Community

Do you have any question about Horusec? Let's chat in our forum.

This project exists thanks to all the contributors. You rock! ❤️🚀

Documentation

Index

Constants

const AcceptAnyExtension string = "*"

AcceptAnyExtension can be passed as the extensions argument of NewEngine to accept any file extension.

Variables

This section is empty.

Functions

func SetLogLevel added in v0.3.0

func SetLogLevel(level string)

SetLogLevel sets the engine log level.

Types

type Engine added in v1.0.0

type Engine struct {
	// contains filtered or unexported fields
}

Engine holds all the data the engine needs to run an analysis.

func NewEngine added in v1.0.0

func NewEngine(poolSize int, extensions ...string) *Engine

NewEngine creates a new engine instance with all necessary data. The extensions argument lists the file extensions to which the engine applies the rules; poolSize is the number of goroutines to open (default is 10).

func (*Engine) Run added in v1.0.0

func (e *Engine) Run(ctx context.Context, projectPath string, rules ...Rule) ([]Finding, error)

Run walks through projectPath and calls Rule.Run in a pool of goroutines. If a Rule.Run call returns an error, Run cancels the goroutines still running and returns the findings collected so far together with the error.

type Finding

type Finding struct {
	ID             string
	Name           string
	Severity       string
	CodeSample     string
	Confidence     string
	Description    string
	SourceLocation Location
}

Finding represents a possible vulnerability found by the engine. It contains all the information needed to locate and correct the vulnerability.

type Location

type Location struct {
	Filename string
	Line     int
	Column   int
}

Location represents the location of the vulnerability in a file

type Metadata

type Metadata struct {
	ID            string
	Name          string
	Description   string
	Severity      string
	Confidence    string
	CWEs          []string
	CVEs          []string
	Mitigation    string
	Reference     string
	SafeExample   string
	UnsafeExample string
}

Metadata holds information for the rule to match a useful advisory

type Rule

type Rule interface {
	Run(path string) ([]Finding, error)
}

Rule defines a generic rule for any kind of analysis the engine has to execute.
