User:Abhishek136309/sandbox

From Wikipedia, the free encyclopedia

Performing Static Application Security Testing Using SonarQube:

  • What is Static Application Security Testing?

SAST takes place very early in the software development life cycle (SDLC) as it does not require a working application and can take place without code being executed. It helps developers identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or passing on vulnerabilities to the final release of the application.

SAST tools give developers real-time feedback as they code, helping them fix issues before they pass the code to the next phase of the SDLC. This prevents security-related issues from being treated as an afterthought. SAST tools also provide graphical representations of the issues found, from source to sink, which help you navigate the code more easily. Some tools point out the exact location of vulnerabilities and highlight the risky code. Tools can also provide in-depth guidance on how to fix issues and the best place in the code to fix them, without requiring deep security domain expertise.

  • What is SonarQube?

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis of code to detect bugs and code smells in 17 programming languages.

You can download SonarQube from sonarqube.org.

1) Performing Static Application Security Testing Using SonarQube on DVWA (Damn Vulnerable Web Application):

  • Download the DVWA source code from https://github.com/digininja/DVWA
  • Open SonarQube, click on "Create project" and add a project name like "DVWA Source code review"
  • Under "With the configuration best suited for you", choose GitHub Actions; in this guide we will set it up manually
  • Create the GitHub Secrets that the workflow needs (SONAR_TOKEN and SONAR_HOST_URL, referenced below) in the repository containing the DVWA source code
  • Create a "sonar-project.properties" file in your repository and paste the content mentioned below:

sonar.projectKey=DVWA-Source-code-review-

  • Create or update your .github/workflows/build.yml and paste the content mentioned below:

  name: Build
  on:
    push:
      branches:
        - master # or the name of your main branch
  jobs:
    build:
      name: Build
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v2
          with:
            fetch-depth: 0
        - uses: sonarsource/sonarqube-scan-action@master
          env:
            SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
            SONAR_HOST_URL: ${{secrets.SONAR_HOST_URL}}
        # If you wish to fail your job when the Quality Gate is red, uncomment the
        # following lines. This would typically be used to fail a deployment.
        # - uses: sonarsource/sonarqube-quality-gate-action@master
        #   timeout-minutes: 5
        #   env:
        #     SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
  • Commit and push your code to start the analysis. Each new push you make to your main branch will trigger a new analysis in SonarQube.


Observations:

SonarQube will give you a detailed analysis report within 5 minutes, which will help you improve your code quality.

The results of the analysis are as follows:

  • 58 Bugs
  • 0 Vulnerabilities
  • 59 Security Hotspots
  • 404 Code Smells
  • 10.6% Duplications


You can then see the details of the bugs, code smells, etc. found by clicking on them.

It also shows suggestions on how you can improve your code and fix the bugs.

ex:

    $extent = 0;

    $remainder = $Excerpt['text'];

    if (preg_match('/\[((?:[^][]++|(?R))*+)\]/', $remainder, $matches))
    {
        $Element['handler']['argument'] = $matches[1];

        $extent += strlen($matches[0]);

        $remainder = substr($remainder, $extent);
    }
    else
    {

SonarQube flags the preg_match line with the message: "Rework this part of the regex to not match the empty string."

2) Performing Static Application Security Testing Using SonarQube on the OWASP Vulnerable Web Application:

  • Download the Vulnerable Web Application source code from https://github.com/OWASP/Vulnerable-Web-Application.git
  • Open SonarQube, click on "Create project" and add a project name like "Vulnerable web application Source code review"
  • Under "With the configuration best suited for you", choose GitHub Actions; in this guide we will set it up manually
  • Create the GitHub Secrets that the workflow needs (SONAR_TOKEN and SONAR_HOST_URL) in the repository containing the Vulnerable Web Application source code
  • Create a "sonar-project.properties" file in your repository and paste the content mentioned below:

sonar.projectKey=Vulnerable-web-application-Source-code-review

  • Create or update your .github/workflows/build.yml and paste the same workflow content shown in the DVWA steps above
  • Commit and push your code to start the analysis. Each new push you make to your main branch will trigger a new analysis in SonarQube.


Observations:

SonarQube will give you a detailed analysis report within 5 minutes, which will help you improve your code quality.

The results of the analysis are as follows:

  • 78 Bugs
  • 5 Vulnerabilities
  • 108 Code Smells
  • 7.5% Duplications


You can then see the details of the bugs, vulnerabilities, code smells, etc. found by clicking on them.

It also shows suggestions on how you can improve your code and fix the bugs.

ex:

    $username = "root";
    $password = "";
    $db = "1ccb8097d0e9ce9f154608be60224c7c";

    // Create connection
    $conn = new mysqli($servername, $username, $password,$db);

    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    //echo "Connected successfully";
    if(isset($_POST["submit"])){
        $number = $_POST['number'];
        $query = "SELECT bookname,authorname FROM books WHERE number = $number"; //Int

SonarQube flags the "new mysqli(...)" line with the message: "Add password protection to this database."
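The excerpt above contains two weaknesses that belong together: the database is opened as "root" with an empty password that is hard-coded in the source, and the query is built by pasting $_POST['number'] straight into the SQL string. The following PHP is an added example written for this page, not code from the OWASP Vulnerable Web Application project. It assumes the credentials are supplied through environment variables named DB_HOST, DB_USER, DB_PASS and DB_NAME (hypothetical names chosen for the example), that the "books" table has an integer "number" column, and that PHP's mysqli extension is built with mysqlnd so that get_result() is available.

```php
<?php
// Added example (not from the OWASP Vulnerable Web Application project):
// the hardened form of the flagged snippet.
// Assumptions: credentials come from the environment variables DB_HOST,
// DB_USER, DB_PASS and DB_NAME (hypothetical names), and mysqli/mysqlnd is
// available for $stmt->get_result().

// Make mysqli raise exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Read credentials from the environment instead of hard-coding root/"" in the file.
$servername = getenv('DB_HOST') ?: 'localhost';
$username   = getenv('DB_USER');
$password   = getenv('DB_PASS');
$db         = getenv('DB_NAME');

// Refuse to start when a credential is missing or the password is empty,
// rather than falling back to a passwordless account.
if ($username === false || $password === false || $password === '' || $db === false) {
    http_response_code(500);
    exit('Database credentials are not configured.');
}

$conn = new mysqli($servername, $username, $password, $db);

if (isset($_POST['submit'])) {
    // Validate the value as an integer before it goes anywhere near SQL.
    // filter_input() returns null when the field is absent and false when
    // the value is not a valid integer.
    $number = filter_input(INPUT_POST, 'number', FILTER_VALIDATE_INT);
    if ($number === false || $number === null) {
        http_response_code(400);
        exit('Invalid book number.');
    }

    // Use a prepared statement with a bound parameter: the value travels
    // separately from the query text, so it cannot change the SQL structure.
    $stmt = $conn->prepare('SELECT bookname, authorname FROM books WHERE number = ?');
    $stmt->bind_param('i', $number);
    $stmt->execute();
    $result = $stmt->get_result();

    while ($row = $result->fetch_assoc()) {
        // Escape output so stored data is not rendered as HTML.
        echo htmlspecialchars($row['bookname'], ENT_QUOTES, 'UTF-8') . ' by '
           . htmlspecialchars($row['authorname'], ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    $stmt->close();
}

$conn->close();
```

With this form, SonarQube's "Add password protection to this database" finding disappears because no password literal exists in the file at all, and the integer validation plus the bound parameter removes the string interpolation that a SAST tool reports as a SQL injection sink.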


3) Performing Static Application Security Testing Using SonarQube on AndroGoat:

  • Download the AndroGoat source code from https://github.com/satishpatnayak/AndroGoat
  • Open SonarQube, click on "Create project" and add a project name like "AndroGoat Source code review"
  • Under "With the configuration best suited for you", choose GitHub Actions; in this guide we will set it up manually
  • Create the GitHub Secrets that the workflow needs (SONAR_TOKEN and SONAR_HOST_URL) in the repository containing the AndroGoat source code
  • Create a "sonar-project.properties" file in your repository and paste the content mentioned below:

sonar.projectKey=Andro-Goat-Source-code-review

  • Create or update your .github/workflows/build.yml and paste the same workflow content shown in the DVWA steps above
  • Commit and push your code to start the analysis. Each new push you make to your main branch will trigger a new analysis in SonarQube.


Observations:

SonarQube will give you a detailed analysis report within 5 minutes, which will help you improve your code quality.

The results of the analysis are as follows:

  • 1 Bug
  • 2 Vulnerabilities
  • 52 Code Smells
  • 0.0% Duplications

You can then see the details of the bugs, vulnerabilities, code smells, etc. found by clicking on them.

It also shows suggestions on how you can improve your code and fix the bugs.

ex:

            android:name=".InsecureStorageTempActivity"
            android:label="@string/tempFile" />
        <activity
            android:name=".AccessControlIssue1Activity"
            android:label="@string/activity" />
        <activity
            android:name=".AccessControl1ViewActivity"
            android:label="@string/activity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data
                    android:host="vulnapp"
                    android:scheme="androgoat" />
            </intent-filter>

SonarQube flags the <activity> element for ".AccessControl1ViewActivity" (the one carrying the intent-filter) with the message: "Implement permissions on this exported component."