Security Testing Tools

This section explains how to use some of the security tools used for security testing of the repositories.

Static Application Security Testing Tools

SonarQube

Work in progress...

Semgrep CLI

In order to use Semgrep CLI for SAST analysis there are some requirements:

  • Enable Windows Subsystem for Linux (WSL) and install a Linux distribution on Windows. This guide helps to install WSL and a Linux distribution; alternatively, Ubuntu can be installed from the Microsoft Store.

  • Install Python 3 on WSL following these steps:

    1. Update the Linux distribution by executing sudo apt update && sudo apt upgrade

    2. Next, run python3 --version to check whether Python 3 is already installed. If it is not installed, execute: sudo apt install python3

    3. In addition, install pip, the package manager for Python: sudo apt install python3-pip.

  • Now Semgrep CLI can be installed with the following command: python3 -m pip install semgrep

With WSL enabled, a Linux distribution installed and Semgrep in place, the SAST analysis is started with the following command:

semgrep --config=auto "PATH/TO/SRC" --output scans_results.xml --junit-xml

This executes the default ruleset against all file types found under the source path; the results are exported as a JUnit XML file that can be added as an artifact to build pipelines.

Semgrep supports custom rules defined in a YAML file. The format of that file is described here: Semgrep Writing Rules

The custom rules file used in the frontend analysis for TypeScript vulnerabilities is stored in the WebMAPDemos repository and can be found here: Custom_Rules.yaml.

To perform a SAST analysis with custom rules, execute the following command.

// Semgrep accepts multiple rulesets by repeating the --config flag

semgrep --config=auto --config=custom_rules.yaml "PATH/TO/SRC" --output scan_results.xml --junit-xml
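As an added example (not part of this page or of the Semgrep project), the following Python script reads the JUnit XML that the commands above write to scan_results.xml and summarises the findings per rule so that a build pipeline can fail on them, with an allowlist of rule ids that play the role of accepted won't-fix findings. It assumes the generic JUnit layout of one testcase element per finding, with the rule id in name, the file path in classname and a failure child carrying the message; the embedded report, its rule ids and its paths are constructed placeholders.

```python
"""Summarise the JUnit XML written by `semgrep --junit-xml` and gate a build on it.

Assumed layout (generic JUnit): one <testcase> per finding, rule id in `name`,
file path in `classname`, and a <failure> child carrying the message.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report; the rule ids and paths are placeholders, not real scan output.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<testsuites>
  <testsuite name="semgrep results" tests="3" failures="3" errors="0">
    <testcase name="custom.angular-innerhtml-interpolation" classname="src/app/demo.component.ts">
      <failure message="innerHTML assigned from interpolated data" type="ERROR">line 42</failure>
    </testcase>
    <testcase name="custom.angular-innerhtml-interpolation" classname="src/app/other.component.ts">
      <failure message="innerHTML assigned from interpolated data" type="ERROR">line 17</failure>
    </testcase>
    <testcase name="custom.eval-with-expression" classname="src/util.ts">
      <failure message="eval() called with a non-literal argument" type="ERROR">line 3</failure>
    </testcase>
  </testsuite>
</testsuites>
"""


def parse_findings(xml_text):
    """Return one dict per finding; a <testcase> without a <failure> child is a pass, not a finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue
        findings.append({
            "rule_id": case.get("name", ""),
            "path": case.get("classname", ""),
            "message": failure.get("message", ""),
        })
    return findings


def count_by_rule(findings):
    """Number of findings per rule id, for the pipeline summary."""
    return Counter(f["rule_id"] for f in findings)


def semgrep_gate(findings, accepted_rules=frozenset()):
    """True when the build should fail: at least one finding whose rule id is not an accepted risk.

    `accepted_rules` is the reviewed won't-fix list; anything outside it blocks the build.
    """
    return any(f["rule_id"] not in accepted_rules for f in findings)


if __name__ == "__main__":
    # Usage: python semgrep_gate.py scan_results.xml  (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_findings(text)
    for rule_id, n in sorted(count_by_rule(found).items()):
        print(f"{n:4d}  {rule_id}")
    for f in found:
        print(f"{f['rule_id']}: {f['path']} - {f['message']}")
    sys.exit(1 if semgrep_gate(found) else 0)
```

The exit code is what the pipeline consumes: a non-zero status blocks the build while the XML artifact keeps the per-finding detail for triage.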

How to ignore false positives on SAST analysis

Sometimes the SAST analysis reports false positives, or keeps reporting vulnerabilities that have already been fixed or marked as won't fix. To manage these cases, Semgrep provides annotations and ignore files that tell the SAST analysis to exclude lines of code, files and folders, either for every rule or for a specific rule id.

// Semgrep ignores findings on a line of code that carries the nosemgrep annotation:
// Ignores the line for every rule of the SAST analysis

this.container.nativeElement.innerHTML = `vulnerability of XSS: ${pollutedValue}` // nosemgrep

// A single rule can be ignored on the line by giving its rule id

this.container.nativeElement.innerHTML = `${pollutedValue}` // nosemgrep: ruleid

Moreover, Semgrep can ignore whole files and folders; this is achieved by listing them in the .semgrepignore file or in the .gitignore file.

For more information about ignoring files, folders or code blocks, read the Semgrep Ignoring Files, Folder and code documentation.

Software Composition Analysis Tools

NPM Audit

For npm audit, there are some requirements before executing the SCA analysis:

  1. Execute npm install so that the node_modules folder is generated with all dependencies used by the project to be analyzed.

  2. Check that the package-lock.json file has been generated.

  3. Set the current npm registry to https://registry.npmjs.org/: npm set registry https://registry.npmjs.org/

Now the audit can be executed with the following command.

npm audit --production --json

It generates a JSON report containing all vulnerabilities found in production dependencies.

To include both production and dev dependencies, just remove the --production flag.
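As an added example (not part of this page or of npm itself), the following Python script consumes the JSON report produced by the command above, once saved to a file, and decides whether a build should fail based on a minimum severity, optionally considering only direct dependencies. It assumes the npm 7+ report shape (auditReportVersion 2, a vulnerabilities object keyed by package name with severity, isDirect, via and fixAvailable fields); the embedded report, its package names, ranges and advisory titles are constructed placeholders, not real advisories.

```python
"""Gate a build on the JSON report from `npm audit --json` (npm 7+ shape, auditReportVersion 2)."""
import json
import sys

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the npm 7+ report shape; package names, ranges and titles are
# placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"name": "example-parser", "severity": "high", "range": "<2.0.1",
                     "title": "Prototype pollution (constructed example)"}],
            "effects": ["example-utils"], "range": "<2.0.1",
            "nodes": ["node_modules/example-parser"], "fixAvailable": True,
        },
        "example-utils": {
            "name": "example-utils", "severity": "low", "isDirect": False,
            "via": ["example-parser"],  # string entries mean "vulnerable through this package"
            "effects": [], "range": "*",
            "nodes": ["node_modules/example-utils"], "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 0, "total": 2}},
})


def load_report(text):
    """Parse the report and refuse the older npm 6 layout, whose keys differ."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected an npm 7+ audit report (auditReportVersion 2)")
    return report


def severity_rank(severity):
    """Rank a severity; an unknown label ranks above critical so it is never silently dropped."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def findings(report, min_severity="moderate", direct_only=False):
    """Vulnerable packages at or above `min_severity`, optionally restricted to direct dependencies."""
    threshold = severity_rank(min_severity)
    out = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        if severity_rank(vuln.get("severity")) < threshold:
            continue
        if direct_only and not vuln.get("isDirect", False):
            continue
        # Only dict entries in `via` carry an advisory; strings are transitive references.
        titles = [v.get("title", "") for v in vuln.get("via", []) if isinstance(v, dict)]
        out.append({
            "package": name,
            "severity": vuln.get("severity"),
            "direct": bool(vuln.get("isDirect", False)),
            "fix_available": bool(vuln.get("fixAvailable")),
            "advisories": titles,
        })
    return out


def npm_gate(report, min_severity="high"):
    """True when the build should fail: any finding at or above `min_severity`."""
    return len(findings(report, min_severity)) > 0


if __name__ == "__main__":
    # Usage: npm audit --production --json > audit.json && python npm_gate.py audit.json
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    for f in findings(report, "low"):
        kind = "direct" if f["direct"] else "transitive"
        fix = "fix available" if f["fix_available"] else "no fix"
        print(f"{f['severity']:9s} {f['package']} ({kind}, {fix}) {'; '.join(f['advisories'])}")
    sys.exit(1 if npm_gate(report) else 0)
```

The severity threshold is the knob to agree on with the team: gating on high and above keeps the pipeline actionable, while the full listing down to low stays in the report for review.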
