Security Testing Tools

Last updated 1 year ago

This section explains how to use some of the security tools applied for security testing on the repositories.

Static Application Security Testing Tools

SonarQube

Work in progress...

Semgrep CLI

In order to use Semgrep CLI for SAST analysis there are some requirements:

  • Enable Windows Subsystem for Linux (WSL) and install a Linux distribution on Windows. The WSL installation guide installs WSL together with a Linux distribution, but Ubuntu can also be installed through the Microsoft Store.

  • Install Python 3 on WSL following these steps:

    1. Update the Linux distribution by executing sudo apt update && sudo apt upgrade

    2. Next, run python3 --version to check whether Python 3 is already installed. If it is not installed, execute: sudo apt install python3

    3. In addition, the Python package manager PIP is required; it can be installed with: sudo apt install python3-pip

  • Now Semgrep CLI is ready to be installed by executing: python3 -m pip install semgrep

Now WSL is enabled with a Linux distribution and Semgrep is ready to run. To start the SAST analysis, execute the following command:

semgrep --config=auto "PATH/TO/SRC" --output scans_results.xml --junit-xml

This runs the default ruleset against every file type found under the source path, and the results are exported as a JUnit XML file that can be added as an artifact to build pipelines.

In addition, custom rules can be added to the SAST scan performed by Semgrep through a YAML file. The file used in the Frontend analysis for TypeScript vulnerabilities is stored in the WebMAPDemos repository and can be found here: Custom_Rules.yaml.

To perform a SAST analysis with custom rules, execute the following command.

# Semgrep allows specifying multiple rulesets by repeating the --config flag

semgrep --config=auto --config=custom_rules.yaml "PATH/TO/SRC" --output scan_results.xml --junit-xml
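As an added example (not the project's own Custom_Rules.yaml), here is a rule in the YAML format Semgrep loads through --config that flags the kind of innerHTML assignment shown in the nosemgrep snippet below; the rule id, message and metadata values are assumptions.

```yaml
rules:
  - id: angular-unsafe-innerhtml   # assumed rule id
    languages: [typescript, javascript]
    severity: WARNING
    message: >-
      Assigning dynamic content to innerHTML renders it as HTML, which leads to
      XSS when the value is attacker-controlled. Prefer textContent or Angular
      template binding; sanitize input before trusting it as HTML.
    metadata:
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation"
      category: security
    patterns:
      # $EL matches any receiver expression, so this also covers
      # this.container.nativeElement.innerHTML = ...
      - pattern: $EL.innerHTML = $VAL
      # A constant string literal is not a sink for untrusted data, so skip it
      - pattern-not: $EL.innerHTML = "..."
```

Semgrep rules can be checked before use with semgrep --test against a fixture file whose matching lines carry a // ruleid: angular-unsafe-innerhtml comment and whose safe lines carry // ok: angular-unsafe-innerhtml.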

How to ignore false positives on SAST analysis

Sometimes the SAST analysis reports false positives, or keeps reporting vulnerabilities that have already been fixed or marked as won't fix. To manage these cases, Semgrep provides annotations and ignore files that tell the SAST analysis to exclude lines of code, files and folders, either for every rule or for a specific rule id.

 // Semgrep allows ignoring findings on a line of code with the nosemgrep annotation:
 // Ignored by every rule of the SAST analysis
 
 this.container.nativeElement.innerHTML = `vulnerability of XSS: ${pollutedValue}` // nosemgrep
 
 // Semgrep also allows ignoring a line for a specific rule id only
 
 this.container.nativeElement.innerHTML = `${pollutedValue}` // nosemgrep: ruleid

Moreover, Semgrep allows ignoring whole files and folders, which can be achieved by using the .semgrepignore file and the .gitignore file.

Software Composition Analysis Tools

NPM Audit

For npm audit there are some requirements prior to executing the SCA analysis:

  1. Execute npm install so that the node_modules folder is generated with all the dependencies used by the project to be analyzed.

  2. Check that the package-lock.json file has been generated.

Now the audit process is ready to be executed; the following command will help.

npm audit --production --json

It generates a JSON report (written to standard output, so redirect it to a file to keep it) containing all vulnerabilities found in production dependencies.

To include both production and dev dependencies, just remove the --production flag.
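As an added example serving both the Semgrep run above (whose JUnit file is meant to become a pipeline artifact) and the npm audit run, this is how the two scans can be wired into an Azure Pipelines job. It is constructed for this guide, not the team's own pipeline definition; the src path, artifact name and Node version are assumptions, while the task names are standard Azure DevOps tasks.

```yaml
# Azure Pipelines job steps (assumed pipeline; constructed example)
steps:
  - task: NodeTool@0
    displayName: Use Node.js
    inputs:
      versionSpec: '18.x'   # assumed version

  - script: npm install
    displayName: Install dependencies (creates node_modules and package-lock.json)

  # npm audit exits non-zero when it finds vulnerabilities, so keep the JSON
  # report regardless of the result and let the dedicated gate step decide.
  - script: npm audit --production --json > $(Build.ArtifactStagingDirectory)/npm_audit.json || true
    displayName: SCA report (production dependencies)

  # --audit-level makes the exit code depend only on findings at or above the level
  - script: npm audit --production --audit-level=high
    displayName: SCA gate (fail on high or critical)

  - script: |
      python3 -m pip install semgrep
      # --error makes semgrep exit 1 when there are findings, so the job fails on hits
      semgrep --config=auto --config=custom_rules.yaml src \
        --output $(Build.ArtifactStagingDirectory)/scan_results.xml --junit-xml --error
    displayName: SAST scan (Semgrep)

  # Publish even when the scan step failed so findings show up in the Tests tab
  - task: PublishTestResults@2
    condition: always()
    inputs:
      testResultsFormat: JUnit
      testResultsFiles: '$(Build.ArtifactStagingDirectory)/scan_results.xml'
      testRunTitle: Semgrep SAST

  - task: PublishBuildArtifacts@1
    condition: always()
    inputs:
      pathToPublish: $(Build.ArtifactStagingDirectory)
      artifactName: security-scans   # assumed artifact name
```

Newer npm versions deprecate --production in favour of --omit=dev, which has the same effect on both the report and the gate step.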

Notes

  • Semgrep custom rules are written in a YAML file; the format of that file is documented in the Semgrep Writing Rules guide.

  • For more information about ignoring files, folders or code blocks, read the Semgrep documentation on Ignoring Files, Folders and Code.

  • Before running npm audit, set the current npm registry to https://registry.npmjs.org/ with: npm set registry https://registry.npmjs.org/