Skip to content

Latest commit

 

History

History
54 lines (42 loc) · 2.93 KB

README.md

File metadata and controls

54 lines (42 loc) · 2.93 KB

CSC503-Project

Introduction

This is the repo of the term project done in CSC503: Computational Applied Logic at Fall, 2019. This project does a language agnostic semantic analysis of security smell detection in Python and Ansible languages. This is an extension to the original work done in Share but Beware: Security Smell in Python Gist - R. Rahman, A. Rahman, L. Williams; International Conference on Software, Maintenance and Evolution, 2019 and Security Smells in Infrastructure as Code Scripts, A. Rahman, R. Rahman, C. Parnin, L. Williams; Preprint - https://arxiv.org/abs/1907.07159.

Steps(If you want to completely start from the scratch):

  • install python3.7 in your system
  • install pipenv by using pip or package manager like brew or apt
  • in terminal, go to the project root directory
  • run pipenv install
  • in ymlPaths/openstack.txt, edit all the file locations. For example, if the absolute path of your project root is /home/jDoe/projects/CSC503-Project, then first line should look like this: /home/jDoe/projects/CSC503-Project/repo-openstack/openstack@ansible-role-container-registry/handlers/main.yml. Change all the other lines of file location in this manner.
  • run both the src/AnsibleSmellDetector.py and src/smellDetector.py
  • outputs will be in ./facts-ansible.pl and ./facts-python.pl
  • append the rules in those files from ./rules.pl

Instructions on running Query (If you only want to run prolog queries after downloading the repo)

Supported Queries

  • smellInAllFile(Lang, SmellName, Count, Files), this provides the occurence count of smell and corresponding file names for a specific smell and for all available files.
  • smellInAFile(Lang, FileName, SmellName, Count, Lines), it computes the occurence count of security smell and corresponding line numbers for a specific smell and specific file.
  • allSmellInAFile(Lang, FileName, Count, Lines), this provides the occurence count of all of the supported smells and corresponding line numbers for a specific file.

Python:

loading prolog files: swipl facts-python.pl query.pl

Query examples:

  • smellInAllFile(python, "hardcodedSecret", Count, Files).
  • smellInAFile(python, d449e502f432278f772bd672ec785d7c, "hardcodedSecret", Count, Lines).
  • allSmellInAFile(python, d449e502f432278f772bd672ec785d7c , Count, Lines).

Ansible:

loading prolog files: swipl facts-ansible.pl query.pl

Query examples:

  • smellInAllFile(ansible, "hardcodedSecret", Count, Files).
  • allSmellInAFile(ansible, home_rr_Workspace_CSC503__Project_repo__openstack_openstack__tripleo__quickstart_playbooks_quickstart_, Count, Lines).

Supported Smells

  • hardcodedSecret
  • sqlInjection
  • shellInjection
  • badFilePermission
  • debugInDeployment
  • emptyPassword
  • execUsed
  • noIntegrityCheck
  • noCertificateValidation
  • useOfHttpWithoutTLS
  • ignoreExceptBlock
  • hardcodedTmpDirectory
  • hardcodedBinding