insider

package module
v0.0.0-...-20af38a
Published: Jan 26, 2021 License: MIT Imports: 16 Imported by: 0

README

This document is also available in Portuguese.

Insider is the OSS CLI project from the Insider Application Security Team for the community.

Insider focuses on covering the OWASP Top 10. It performs static analysis to find vulnerabilities directly in the source code, and is built to be lightweight and easy to integrate into a DevOps pipeline.

We currently support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

There is also a GitHub Action that lets you protect your repository with Insider: free, easy to integrate and frictionless. It is the simplest way to run Insider directly against your repository. Take a look at Insider-Action.


Installation

You can install Insider using precompiled binaries or from source.

Precompiled binaries

We have precompiled binaries for Linux, Windows and macOS operating systems that you can find here.

Have fun! 🚀


Usage

insider is the CLI project from the Insider Application Security Team for the community

Usage:
  -exclude value
        Patterns to exclude directory or files to analyze. Can be used multiple times
  -jobs int
        Number of analysis to execute in parallel (default 4)
  -no-html
        Skips the report generation in the HTML format
  -no-json
        Skips the report generation in the JSON format
  -quiet
        No output logs of execution
  -security float
        Set the Security level, values between 0 and 100 (default 0)
  -target string
        Specify where to look for files to run the specific ruleset
  -tech string
        Specify which technology ruleset to load
  -v    Enable verbose output
  -version
        Show version and quit with exit code 0

Supported technologies:
        android
        java
        ios
        javascript
        csharp

Example of use:
        # Run JavaScript analysis on a specific directory
        insider -tech javascript -target <directory>

        # Run Android analysis on a specific directory and skip the HTML and JSON reports
        insider -tech android -target <directory> -no-html -no-json

        # Run Java analysis on a specific directory with a base security value used to fail the run
        insider -tech java -target <directory> -security 20

        # Run JavaScript analysis on a specific directory, excluding node_modules and test files
        # (quote the patterns so the shell does not expand them before insider sees them)
        insider -tech javascript -target <directory> -exclude 'tests/*' -exclude 'node_modules/*'


Example

# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz 
$ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>

Docker

You can also run insider in a container. You only need to mount the target into a volume:

$ docker run --rm -v $(pwd):/target-project insidersec/insider -tech <tech> -target /target-project


Demo

[Animated GIF demo of an insider run in the original README]


Contribution


Building from source

To build Insider from source you need a working Go installation, version 1.13 or later.

$ go get github.com/insidersec/insider/cmd/insider

License

  • This work is licensed under MIT.

Documentation

Index

Constants

View Source
const (
	// UnknownStatus is the default status for a Manifest permission ("Desconhecido" is Portuguese for "Unknown")
	UnknownStatus string = "Desconhecido"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ATS

type ATS struct {
	AllowArbitraryLoads bool        `json:"arbitraryLoads"`   // NSAllowsArbitraryLoads
	ExceptionDomains    []ATSDomain `json:"exceptionDomains"` // NSExceptionDomains
}

ATS holds data about rules in the ATS section

type ATSDomain

type ATSDomain struct {
	Name                    string `json:"name"`
	RequiresFowardSecrecy   bool   `json:"requiresFowardSecrecy"`  // NSExceptionRequiresForwardSecrecy
	IncludesSubdomains      bool   `json:"includesSubdomains"`     // NSIncludesSubdomains
	AllowsInsecureHTTPLoads bool   `json:"allowInsecureHTTPLoads"` // NSTemporaryExceptionAllowsInsecureHTTPLoads
}

ATSDomain is a domain put in the exceptions settings for App Transport Security
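As an added example (not code from the insider project), the Go program below decodes an ATS section serialised with the JSON tags shown above and turns it into findings. `ATS` and `ATSDomain` are redeclared with the same tags so the file compiles on its own; `ATSFinding`, `ParseATS`, `EvaluateATS`, the severities and the sample JSON are constructed for this example and are not insider's report format or rule set.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ATS and ATSDomain carry the same JSON tags as the insider types on this page,
// redeclared here so the example compiles on its own.
type ATS struct {
	AllowArbitraryLoads bool        `json:"arbitraryLoads"`   // NSAllowsArbitraryLoads
	ExceptionDomains    []ATSDomain `json:"exceptionDomains"` // NSExceptionDomains
}

type ATSDomain struct {
	Name                    string `json:"name"`
	RequiresFowardSecrecy   bool   `json:"requiresFowardSecrecy"`  // NSExceptionRequiresForwardSecrecy
	IncludesSubdomains      bool   `json:"includesSubdomains"`     // NSIncludesSubdomains
	AllowsInsecureHTTPLoads bool   `json:"allowInsecureHTTPLoads"` // NSTemporaryExceptionAllowsInsecureHTTPLoads
}

// ATSFinding is a hypothetical result record for this example, not insider's report type.
type ATSFinding struct {
	Domain   string // "*" when the finding applies to every connection
	Severity string
	Message  string
}

// sampleATS is a constructed ATS section in the JSON shape the tags above produce.
const sampleATS = `{
  "arbitraryLoads": false,
  "exceptionDomains": [
    {"name": "legacy.example.com", "requiresFowardSecrecy": false, "includesSubdomains": true,  "allowInsecureHTTPLoads": true},
    {"name": "cdn.example.com",    "requiresFowardSecrecy": false, "includesSubdomains": false, "allowInsecureHTTPLoads": false},
    {"name": "api.example.com",    "requiresFowardSecrecy": true,  "includesSubdomains": false, "allowInsecureHTTPLoads": false}
  ]
}`

// ParseATS decodes an ATS section serialised with the tags above.
func ParseATS(raw string) (ATS, error) {
	var ats ATS
	if err := json.Unmarshal([]byte(raw), &ats); err != nil {
		return ATS{}, fmt.Errorf("decode ATS: %w", err)
	}
	return ats, nil
}

// EvaluateATS applies three checks that follow from what each field means: a
// global opt-out of ATS, an exception that permits plaintext HTTP, and an
// exception that drops the forward-secrecy requirement. Findings come back in
// document order so the output is stable across runs.
func EvaluateATS(ats ATS) []ATSFinding {
	var findings []ATSFinding
	if ats.AllowArbitraryLoads {
		findings = append(findings, ATSFinding{Domain: "*", Severity: "high",
			Message: "NSAllowsArbitraryLoads is YES: ATS is disabled for every connection"})
	}
	for _, d := range ats.ExceptionDomains {
		scope := d.Name
		if d.IncludesSubdomains {
			scope = d.Name + " and its subdomains"
		}
		if d.AllowsInsecureHTTPLoads {
			findings = append(findings, ATSFinding{Domain: d.Name, Severity: "high",
				Message: "plaintext HTTP permitted for " + scope})
		}
		if !d.RequiresFowardSecrecy {
			findings = append(findings, ATSFinding{Domain: d.Name, Severity: "medium",
				Message: "forward secrecy not required for " + scope})
		}
	}
	return findings
}

func main() {
	ats, err := ParseATS(sampleATS)
	if err != nil {
		panic(err)
	}
	for _, f := range EvaluateATS(ats) {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.Domain, f.Message)
	}
}
```

One caveat when feeding real Info.plist data into this shape: NSExceptionRequiresForwardSecrecy defaults to YES when the key is absent, but a Go bool decodes to false when its JSON key is missing, so whatever produces the JSON must fill in that default or every exception domain will be reported as dropping forward secrecy.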

type Advisory

type Advisory struct {
	ID       int              `json:"id"`
	Metadata AdvisoryMetadata `json:"metadata"`

	// Module info
	ModuleName         string `json:"module_name"`
	PatchedVersions    string `json:"patched_versions"`
	VulnerableVersions string `json:"vulnerable_versions"`

	// Vulnerability info
	ReferenceURL  string   `json:"url"`
	CVEs          []string `json:"cves"`
	CWE           string   `json:"cwe"`
	Title         string   `json:"title"`
	Severity      string   `json:"severity"`
	Overview      string   `json:"overview"`
	References    string   `json:"references"`
	Recomendation string   `json:"recommendation"`
}

Advisory holds data about the advisories section

type AdvisoryMetadata

type AdvisoryMetadata struct {
	ModuleType     string `json:"module_type"`
	Exploitability int    `json:"exploitability"`
}

AdvisoryMetadata holds the module type and the exploitability score reported with an advisory

type Analyzer

type Analyzer struct {
	// contains filtered or unexported fields
}

func NewAnalyzer

func NewAnalyzer(engine Engine, tech TechAnalyzer, logger *log.Logger) *Analyzer

func (*Analyzer) Analyze

func (a *Analyzer) Analyze(ctx context.Context, dir string) (report.Reporter, error)

type AndroidAnalyzer

type AndroidAnalyzer struct {
	// contains filtered or unexported fields
}

func NewAndroidAnalyzer

func NewAndroidAnalyzer(logger *log.Logger) AndroidAnalyzer

func (AndroidAnalyzer) Analyze

func (a AndroidAnalyzer) Analyze(ctx context.Context, dir string) (report.Reporter, error)

type ApplicationInfo

type ApplicationInfo struct {
	Activities         []ManifestActivity  `xml:"activity"`
	BroadcastReceivers []BroadcastReceiver `xml:"receiver"`
	Services           []Service           `xml:"service"`
}

ApplicationInfo holds app data from AndroidManifest.xml

type AuditResult

type AuditResult struct {
	Advisories map[string]Advisory `json:"advisories"`
}

type BroadcastReceiver

type BroadcastReceiver struct {
	Name string `xml:"name,attr"`
}

BroadcastReceiver holds data about a broadcast receiver entry in AndroidManifest.xml

type CsharpAnalyzer

type CsharpAnalyzer struct {
}

func NewCsharpAnalyzer

func NewCsharpAnalyzer() CsharpAnalyzer

func (CsharpAnalyzer) Analyze

func (a CsharpAnalyzer) Analyze(ctx context.Context, dir string) (report.Reporter, error)

type Engine

type Engine interface {
	Scan(ctx context.Context, dir string) (report.Result, error)
}

type IOSAnalyzer

type IOSAnalyzer struct {
	// contains filtered or unexported fields
}

func NewIosAnalyzer

func NewIosAnalyzer(logger *log.Logger) IOSAnalyzer

func (IOSAnalyzer) Analyze

func (a IOSAnalyzer) Analyze(ctx context.Context, dir string) (report.Reporter, error)

type IntentAction

type IntentAction struct {
	Name string `xml:"name,attr"`
}

IntentAction represents an Action for the Android Activity.

type IntentCategory

type IntentCategory struct {
	Name string `xml:"name,attr"`
}

IntentCategory holds data about the Activity category.

type IntentFilter

type IntentFilter struct {
	Actions    []IntentAction `xml:"action"`
	Categories IntentCategory `xml:"category"`
}

IntentFilter holds metadata about the `intent-filter` tag for the given Activity.

type JavaAnalyzer

type JavaAnalyzer struct {
	// contains filtered or unexported fields
}

func NewJavaAnalyzer

func NewJavaAnalyzer(logger *log.Logger) JavaAnalyzer

func (JavaAnalyzer) Analyze

func (a JavaAnalyzer) Analyze(ctx context.Context, dir string) (report.Reporter, error)

type JavaScriptAnalyzer

type JavaScriptAnalyzer struct {
	// contains filtered or unexported fields
}

func NewJavaScriptAnalyzer

func NewJavaScriptAnalyzer(npm NPM, logger *log.Logger) JavaScriptAnalyzer

func (JavaScriptAnalyzer) Analyze

func (js JavaScriptAnalyzer) Analyze(ctx context.Context, dir string) (report.Reporter, error)

type Manifest

type Manifest struct {
	PackageName string          `xml:"package,attr"`
	Permissions []Permission    `xml:"uses-permission"`
	SDKInfo     SDKInfo         `xml:"uses-sdk"`
	Application ApplicationInfo `xml:"application"`

	VersionName string `xml:"versionName,attr"`
	VersionCode string `xml:"versionCode,attr"`
}

Manifest holds all the data about the AndroidManifest file

type ManifestActivity

type ManifestActivity struct {
	Name         string       `xml:"name,attr"`
	IntentFilter IntentFilter `xml:"intent-filter"`
}

ManifestActivity holds data from an `activity` tag in the AndroidManifest.xml file
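As an added example (not insider's own code), the program below shows how the xml tags on the Manifest family of types above (ApplicationInfo, IntentFilter, IntentAction, IntentCategory, Manifest, ManifestActivity, Permission, SDKInfo) map onto a real AndroidManifest.xml, then runs three simple checks over the decoded structure. The types are redeclared here with the same tags (receivers, services and some attributes left out), the sample manifest is constructed, and `ManifestFinding`, `sensitivePermissions`, `minAcceptedSDK` and `CheckManifest` are illustrative, not insider's rule set.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
)

// Same xml tags as the insider AndroidManifest types on this page. A bare
// "name,attr" tag matches android:name: encoding/xml ignores the namespace
// when the struct tag does not specify one.
type Manifest struct {
	PackageName string          `xml:"package,attr"`
	Permissions []Permission    `xml:"uses-permission"`
	SDKInfo     SDKInfo         `xml:"uses-sdk"`
	Application ApplicationInfo `xml:"application"`
}
type Permission struct{ Name string `xml:"name,attr"` }
type SDKInfo struct{ MinimumSDKVersion string `xml:"minSdkVersion,attr"` }
type ApplicationInfo struct{ Activities []ManifestActivity `xml:"activity"` }
type ManifestActivity struct {
	Name         string       `xml:"name,attr"`
	IntentFilter IntentFilter `xml:"intent-filter"`
}
type IntentFilter struct {
	Actions    []IntentAction `xml:"action"`
	Categories IntentCategory `xml:"category"`
}
type IntentAction struct{ Name string `xml:"name,attr"` }
type IntentCategory struct{ Name string `xml:"name,attr"` }

// ManifestFinding is a hypothetical result record, not insider's report type.
type ManifestFinding struct{ Kind, Subject, Message string }

// sampleManifest is a constructed AndroidManifest.xml.
const sampleManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <activity android:name=".DeepLinkActivity"><intent-filter>
      <action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.BROWSABLE"/>
    </intent-filter></activity>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>`

// An illustrative subset of Android's dangerous permissions and an example
// minSdkVersion threshold; neither is insider's rule set.
var sensitivePermissions = map[string]bool{
	"android.permission.READ_SMS":             true,
	"android.permission.READ_CONTACTS":        true,
	"android.permission.ACCESS_FINE_LOCATION": true,
}
const minAcceptedSDK = 21

func ParseManifest(raw string) (Manifest, error) {
	var m Manifest
	err := xml.Unmarshal([]byte(raw), &m)
	return m, err
}

// CheckManifest flags sensitive permissions, a low minSdkVersion and activities
// whose intent filter is not the launcher entry point: those are reachable via
// implicit intents and, before API 31, exported by default unless
// android:exported="false", which the struct above does not capture, so treat
// them as leads to verify rather than confirmed issues.
func CheckManifest(m Manifest) []ManifestFinding {
	var out []ManifestFinding
	for _, p := range m.Permissions {
		if sensitivePermissions[p.Name] {
			out = append(out, ManifestFinding{"permission", p.Name, "sensitive permission requested"})
		}
	}
	ms := m.SDKInfo.MinimumSDKVersion
	if v, err := strconv.Atoi(ms); err != nil || v < minAcceptedSDK {
		out = append(out, ManifestFinding{"min-sdk", ms, fmt.Sprintf("minSdkVersion %q is missing, not numeric or below %d", ms, minAcceptedSDK)})
	}
	for _, a := range m.Application.Activities {
		f := a.IntentFilter
		if len(f.Actions) == 0 || f.Categories.Name == "android.intent.category.LAUNCHER" {
			continue
		}
		out = append(out, ManifestFinding{"implicit-intent", a.Name, "reachable via " + f.Actions[0].Name})
	}
	return out
}

func main() {
	m, err := ParseManifest(sampleManifest)
	if err != nil {
		panic(err)
	}
	for _, f := range CheckManifest(m) {
		fmt.Println(f.Kind, f.Subject, f.Message)
	}
}
```

Because `IntentFilter` and `IntentCategory` are single values rather than slices, an activity with several intent filters or several categories keeps only the last one decoded; a production analyzer would make those fields slices before relying on them for an exported-component check.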

type NPM

type NPM interface {
	AuditLibraries(PackageJSON) (AuditResult, error)
}

type NPMAdvisoryPayload

type NPMAdvisoryPayload struct {
	Name              string                   `json:"name"`
	Version           string                   `json:"version"`
	RequiredLibraries map[string]string        `json:"requires"`
	Dependencies      map[string]NPMDependency `json:"dependencies"`
}

NPMAdvisoryPayload holds a DTO for sending Library information to the NPM Advisory API

type NPMDependency

type NPMDependency struct {
	Version string `json:"version"`
}

NPMDependency is a DTO for dependencies sent over to NPM's API

type NpmAdvisory

type NpmAdvisory struct {
	// contains filtered or unexported fields
}

func NewNPMAdvisory

func NewNPMAdvisory(url, userAgent string, timeout time.Duration) NpmAdvisory

func (NpmAdvisory) AuditLibraries

func (npm NpmAdvisory) AuditLibraries(pkgJSON PackageJSON) (AuditResult, error)

AuditLibraries gets the information from NPM Advisory API for the given pkgJSON

type POM

type POM struct {
	Name          string            `xml:"name"`
	Version       string            `xml:"version"`
	GroupID       string            `xml:"groupId"`
	PackagingMode string            `xml:"packaging"`
	ArtifactID    string            `xml:"artifactId"`
	Description   string            `xml:"description"`
	Dependencies  []POMDependencies `xml:"dependencies>dependency"`
}

POM or the Project Object Model is the fundamental unit on a Maven based project.

type POMDependencies

type POMDependencies struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
}

POMDependencies holds data about one external dependency declared in a POM

type PackageJSON

type PackageJSON struct {
	// General information
	Name      string `json:"name"`
	Version   string `json:"version"`
	IsPrivate bool   `json:"private"`
	License   string `json:"license"`

	// Metadata about the root package
	SupportedOSs              []string          `json:"os"`
	SupportedCPUArchitectures []string          `json:"cpu"`
	SupportedEngines          map[string]string `json:"engines"`
	Keywords                  []string          `json:"keywords"`

	// Main information that we are looking for :D
	Dependencies map[string]string `json:"dependencies"`
}

type Permission

type Permission struct {
	Name string `xml:"name,attr"`
}

Permission is an AndroidManifest permission entry

type Plist

type Plist struct {
	Compiler        string `json:"compiler"`         // DTCompiler
	PlatformName    string `json:"platformName"`     // DTPlatformName
	PlatformBuild   string `json:"platformBuild"`    // DTPlatformBuild
	PlatformVersion string `json:"platformVersion"`  // DTPlatformVersion
	XCodeVersion    string `json:"xcodeVersion"`     // DTXcode
	XCodeBuild      string `json:"xcodeBuildNumber"` // DTXcodeBuild
	SDKName         string `json:"sdkName"`          // DTSDKName
	SDKBuild        string `json:"DTSDKBuild"`       // DTSDKBuild

	BundleName     string `json:"bundleName"`     // CFBundleName
	BundleVersion  string `json:"bundleVersion"`  // CFBundleVersion
	ExecutableName string `json:"executableName"` // CFBundleExecutable
	DisplayName    string `json:"displayName"`    // CFBundleDisplayName
	AppIdentifier  string `json:"appIdentifier"`  // CFBundleIdentifier
	PackageType    string `json:"packageType"`    // CFBundlePackageType

	MinimumOSVersion string `json:"minOSVersion"` // MinimumOSVersion

	Permissions        []PlistPermission `json:"permissions"`        // NS*UsageDescription section
	ATS                ATS               `json:"ats"`                // NSAppTransportSecurity section
	SupportedPlatforms []string          `json:"supportedPlatforms"` // CFBundleSupportedPlatforms section
}

Plist holds data read from the app's Info.plist property list

type PlistPermission

type PlistPermission struct {
	Name  string `json:"name"`
	Usage string `json:"usage"`
}

PlistPermission holds data about how the app will use certain permissions

type SDKInfo

type SDKInfo struct {
	MinimumSDKVersion string `xml:"minSdkVersion,attr"`
	TargetSDKVersion  string `xml:"targetSdkVersion,attr"`
	MaximumSDKVersion string `xml:"maxSdkVersion,attr"`
}

SDKInfo holds the `uses-sdk` entry of the AndroidManifest (minimum, target and maximum SDK versions)

type Service

type Service struct {
	Name string `xml:"name,attr"`
}

Service holds data about an Android Service entry in the AndroidManifest.xml file

type TechAnalyzer

type TechAnalyzer interface {
	Analyze(ctx context.Context, dir string) (report.Reporter, error)
}

Directories

Path Synopsis
cmd
