User:Abhishek136309/sandbox
Performing Static Application Security Testing Using SonarQube:
- What is Static Application Security Testing?
SAST takes place very early in the software development life cycle (SDLC) as it does not require a working application and can take place without code being executed. It helps developers identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or passing on vulnerabilities to the final release of the application.
SAST tools give developers real-time feedback as they code, helping them fix issues before they pass the code to the next phase of the SDLC. This prevents security-related issues from being treated as an afterthought. SAST tools also provide graphical representations of the issues found, from source to sink, which make the code easier to navigate. Some tools point out the exact location of vulnerabilities and highlight the risky code. Tools can also provide in-depth guidance on how to fix issues and the best place in the code to fix them, without requiring deep security domain expertise.
- What is SonarQube?
SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis of code to detect bugs and code smells in 17 programming languages.
You can download SonarQube from sonarqube.org.
1) Performing Static Application Security Testing Using SonarQube on DVWA (Damn Vulnerable Web Application):
- Download the DVWA source code from https://github.com/digininja/DVWA
- Open SonarQube, click "Create project" and enter a project name such as "DVWA Source code review"
- Under "With the configuration best suited for you", choose to set the analysis up manually with GitHub Actions
- Create the GitHub Secrets used by the workflow (SONAR_TOKEN and SONAR_HOST_URL) in the repository containing the DVWA source code
- Create a "sonar-project.properties" file in your repository and paste the content mentioned below:
sonar.projectKey=DVWA-Source-code-review-
- Create or update your .github/workflows/build.yml and paste the content mentioned below:
name: Build
on:
  push:
    branches:
      - master # or the name of your main branch
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0   # full history so SonarQube can compute blame and new-code metrics
      - uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      # If you wish to fail your job when the Quality Gate is red, uncomment the
      # following lines. This would typically be used to fail a deployment.
      # - uses: sonarsource/sonarqube-quality-gate-action@master
      #   timeout-minutes: 5
      #   env:
      #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- Commit and push your code to start the analysis. Each new push to your main branch will trigger a new analysis in SonarQube.
Observations:
SonarQube will give you a detailed analysis report within 5 minutes, which will help you improve your code quality.
The results of the analysis will be as follows:
- 58 Bugs
- 0 Vulnerabilities
- 59 Security Hotspots
- 404 Code Smells
- 10.6% Duplications
You can then see the details of the bugs, code smells, etc. found by clicking on them.
It also shows suggestions about how you can improve your code and mitigate the bugs.
Example (the SonarQube message is shown as a comment on the flagged line):
    $extent = 0;

    $remainder = $Excerpt['text'];

    // SonarQube: Rework this part of the regex to not match the empty string.
    if (preg_match('/\[((?:[^][]++|(?R))*+)\]/', $remainder, $matches))
    {
        $Element['handler']['argument'] = $matches[1];

        $extent += strlen($matches[0]);

        $remainder = substr($remainder, $extent);
    }
    else
    {
2) Performing Static Application Security Testing Using SonarQube on Vulnerable Web Application:
- Download the Vulnerable Web Application source code from https://github.com/OWASP/Vulnerable-Web-Application.git
- Open SonarQube, click "Create project" and enter a project name such as "Vulnerable web application Source code review"
- Under "With the configuration best suited for you", choose to set the analysis up manually with GitHub Actions
- Create the GitHub Secrets used by the workflow (SONAR_TOKEN and SONAR_HOST_URL) in the repository containing the Vulnerable Web Application source code
- Create a "sonar-project.properties" file in your repository and paste the content mentioned below:
sonar.projectKey=Vulnerable-web-application-Source-code-review
- Create or update your .github/workflows/build.yml and paste the content mentioned above in the DVWA steps
- Commit and push your code to start the analysis. Each new push to your main branch will trigger a new analysis in SonarQube.
Observations:
SonarQube will give you a detailed analysis report within 5 minutes, which will help you improve your code quality.
The results of the analysis will be as follows:
- 78 Bugs
- 5 Vulnerabilities
- 108 Code Smells
- 7.5% Duplications
You can then see the details of the bugs, vulnerabilities, code smells, etc. found by clicking on them.
It also shows suggestions about how you can improve your code and mitigate the bugs.
Example (the SonarQube message is shown as a comment on the flagged line):
    $username = "root";
    $password = "";
    $db = "1ccb8097d0e9ce9f154608be60224c7c";

    // Create connection
    // SonarQube: Add password protection to this database.
    $conn = new mysqli($servername, $username, $password, $db);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    //echo "Connected successfully";
    if(isset($_POST["submit"])){
        $number = $_POST['number'];
        $query = "SELECT bookname,authorname FROM books WHERE number = $number"; //Int
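The snippet above has two problems a reviewer would fix together: the database is opened as root with an empty, hard-coded password, and the POST parameter is concatenated straight into the SQL. The following hardened version is an added example written for this page, not code from the Vulnerable Web Application project; it assumes the credentials are supplied through the environment variables DB_HOST, DB_USER, DB_PASS and DB_NAME (names chosen here) and that the books table matches the query shown.

```php
<?php
// Hardened rewrite of the flagged snippet (added example, not the project's own code).
// Credentials come from the environment instead of being hard-coded in the source.
// DB_HOST / DB_USER / DB_PASS / DB_NAME are assumed variable names for this example.
$servername = getenv('DB_HOST') ?: 'localhost';
$username   = getenv('DB_USER') ?: '';
$password   = getenv('DB_PASS') ?: '';
$db         = getenv('DB_NAME') ?: '';

if ($username === '' || $password === '' || $db === '') {
    // Refuse to start rather than silently connect with an empty password.
    http_response_code(500);
    exit('Database credentials are not configured.');
}

// Throw exceptions on driver errors so failures cannot be ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli($servername, $username, $password, $db);

if (isset($_POST['submit'])) {
    // The original comment says "number" is an int, so validate it as one.
    $number = filter_input(INPUT_POST, 'number', FILTER_VALIDATE_INT);
    if ($number === false || $number === null) {
        http_response_code(400);
        exit('number must be an integer');
    }

    // Prepared statement: the value is bound as a parameter, never spliced into SQL.
    $stmt = $conn->prepare('SELECT bookname, authorname FROM books WHERE number = ?');
    $stmt->bind_param('i', $number);
    $stmt->execute();
    $result = $stmt->get_result();

    // Encode output so data from the database cannot inject HTML into the page.
    while ($row = $result->fetch_assoc()) {
        echo htmlspecialchars($row['bookname'], ENT_QUOTES, 'UTF-8'), ' by ',
             htmlspecialchars($row['authorname'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    $stmt->close();
}
```

Re-running the SonarQube analysis after this change clears the hard-coded credential finding and the string-built query on these lines; the remaining findings in the report are unaffected.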
3) Performing Static Application Security Testing Using SonarQube on AndroGoat:
- Download the AndroGoat source code from https://github.com/satishpatnayak/AndroGoat
- Open SonarQube, click "Create project" and enter a project name such as "AndroGoat Source code review"
- Under "With the configuration best suited for you", choose to set the analysis up manually with GitHub Actions
- Create the GitHub Secrets used by the workflow (SONAR_TOKEN and SONAR_HOST_URL) in the repository containing the AndroGoat source code
- Create a "sonar-project.properties" file in your repository and paste the content mentioned below:
sonar.projectKey=Andro-Goat-Source-code-review
- Create or update your .github/workflows/build.yml and paste the content mentioned above in the DVWA steps
- Commit and push your code to start the analysis. Each new push to your main branch will trigger a new analysis in SonarQube.
Observations:
SonarQube will give you a detailed analysis report within 5 minutes, which will help you improve your code quality.
The results of the analysis will be as follows:
- 1 Bug
- 2 Vulnerabilities
- 52 Code Smells
- 0.0% Duplications
You can then see the details of the bugs, vulnerabilities, code smells, etc. found by clicking on them.
It also shows suggestions about how you can improve your code and mitigate the bugs.
Example (the SonarQube message is shown as a comment above the flagged element):
        android:name=".InsecureStorageTempActivity"
        android:label="@string/tempFile" />
    <activity
        android:name=".AccessControlIssue1Activity"
        android:label="@string/activity" />
    <!-- SonarQube: Implement permissions on this exported component. -->
    <activity
        android:name=".AccessControl1ViewActivity"
        android:label="@string/activity">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <data
                android:host="vulnapp"
                android:scheme="androgoat" />
        </intent-filter>