Hello, Habr!
In its work, our company very often deals with various static code analysis tools (SAST). Out of the box, they all work average. Of course, it all depends on the project and the technologies used in it, as well as how well these technologies are covered by the rules of analysis. In my opinion, one of the most important criteria when choosing a SAST tool is the ability to customize it for the specifics of your applications, namely, write and change analysis rules, or, as they are often called, Custom Queries.
We most often use Checkmarx - a very interesting and powerful code analyzer. In this article, I will share my experience of writing analysis rules for it.
Table of contents
, Checkmarx. 2019 : «Hello, Checkmarx!». Checkmarx SAST .
, CxQL (Checkmarx Query Language) .
, , - . “ ”, , Checkmarx. . , , , . , , “ Custom Queries ” - . , !
, , . , .
( ). . . .
Preset Checkmarx CxAuditor. , Checkmarx. : .
CxAudit Checkmarx , . , , . , , .
“Executable” “Non-Executable” ( ). , , . , “Executable” UI, “Non-Executable” ( - ).
/ . , , , “Override“. , . “Preset Manager” . , , , .
Preset Manager “” , . , , , . , , , .
:
-
(Team) - .
-
,
““
, , , .
- (list2 - list1)
* (list1 * list2)
+ (list1 + list2)
& ( ) - (list1 & list2), (list1 * list2)
| ( ) - (list1 | list2)
: ^ && || % / , Checkmarx (, , , ..). , All. , searchMe, , , :
//
result = All;
// , “searchMe“
result = All.FindByName("searchMe");, , - ( groovy Android), :
result = AllMembers.All.FindByName("searchMe");Flow
, :
// second first.
// - (second) (first).
result = first.DataInfluencedBy(second);
// first second.
// - (first) (second).
result = first.DataInfluencingOn(second);/
, ( , ..), . , , LinePragma :
//
CxList methods = Find_Methods();
// scope
CxList scope = methods.FindByName("scope");
//
string current_filename = scope.GetFirstGraph().LinePragma.FileName;
// - ,
int current_line = scope.GetFirstGraph().LinePragma.Line;
//
//
CxList inFile = All.FindByFileName(current_filename);
//
CxList inLine = inFile.FindByPosition(current_line); , FileName , GetFirstGraph.
CxQL result, . , . , return- .
:
// foo
CxList libraries = All.FindByName("foo");, result - , :
// foo
CxList libraries = All.FindByName("foo");
// ,
result = libraries
//
result = All.FindByName("foo");Checkmarx . . , , :
//
CxList methods = Find_Methods();
// foo.
// false ,
result = methods.FindByShortName("foo", false);.
, , . , :
// -
CxList toLog = All.FindByShortName("log");
//
cxLog.WriteDebugMessage (“number of DOM elements =” + All.Count); , , . , - result , . , , result . , , .
- return . , , :
// -
CxList toLog = All.FindByShortName("log");
//
return toLog
//,
result = All.DataInfluencedBy(toLog), CxAudit ( ). , , Windows, BSOD , . , . :
Checkmarx 8.6:
// , ,
SELECT COUNT(*) FROM [CxDB].[dbo].LoggedinUser WHERE [ClientType] = 6;
// - , ,
DELETE FROM [CxDB].[dbo].LoggedinUser WHERE [ClientType] = 6;
Checkmarx 8.6:
// , ,
SELECT COUNT(*) FROM LoggedinUser WHERE (ClientType = 'Audit');
// - , ,
DELETE FROM [CxDB].[dbo].LoggedinUser WHERE (ClientType = 'Audit');. CxQL, , - .
, Custom Queries . , , , .
, :
: Flow , .
: , Checkmarx Flow , . ReduceFlow. Flow:
// Flow
result = result.ReduceFlow(CxList.ReduceFlowType.ReduceSmallFlow);
// Flow
result = result.ReduceFlow(CxList.ReduceFlowType.ReduceBigFlow);: ,
: Checkmarx , . , , . , :
General_privacy_violation_list
, :
//
result = base.General_privacy_violation_list();
// , . .
CxList personalList = All.FindByShortNames(new List<string> {
"*securityToken*", "*sessionId*"}, false);
//
result.Add(personalList);:
: , .
Password_privacy_violation_list
CxList allStrings = All.FindByType("String");
allStrings.Add(All.FindByType(typeof(StringLiteral)));
allStrings.Add(Find_UnknownReference());
allStrings.Add(All.FindByType(typeof (Declarator)));
allStrings.Add(All.FindByType(typeof (MemberAccess)));
allStrings.Add(All.FindByType(typeof(EnumMemberDecl)));
allStrings.Add(Find_Methods().FindByShortName("get*"));
//
List < string > pswdIncludeList = new List<string>{"*password*", "*psw", "psw*", "pwd*", "*pwd", "*authKey*", "pass*", "cipher*", "*cipher", "pass", "adgangskode", "benutzerkennwort", "chiffre", "clave", "codewort", "contrasena", "contrasenya", "geheimcode", "geslo", "heslo", "jelszo", "kennwort", "losenord", "losung", "losungswort", "lozinka", "modpas", "motdepasse", "parol", "parola", "parole", "pasahitza", "pasfhocal", "passe", "passord", "passwort", "pasvorto", "paswoord", "salasana", "schluessel", "schluesselwort", "senha", "sifre", "wachtwoord", "wagwoord", "watchword", "zugangswort", "PAROLACHIAVE", "PAROLA CHIAVE", "PAROLECHIAVI", "PAROLE CHIAVI", "paroladordine", "verschluesselt", "sisma",
"pincode",
"pin"};
List < string > pswdExcludeList = new List<string>{"*pass", "*passable*", "*passage*", "*passenger*", "*passer*", "*passing*", "*passion*", "*passive*", "*passover*", "*passport*", "*passed*", "*compass*", "*bypass*", "pass-through", "passthru", "passthrough", "passbytes", "passcount", "passratio"};
CxList tempResult = allStrings.FindByShortNames(pswdIncludeList, false);
CxList toRemove = tempResult.FindByShortNames(pswdExcludeList, false);
tempResult -= toRemove;
tempResult.Add(allStrings.FindByShortName("pass", false));
foreach (CxList r in tempResult)
{
CSharpGraph g = r.data.GetByIndex(0) as CSharpGraph;
if(g != null && g.ShortName != null && g.ShortName.Length < 50)
{
result.Add(r);
}
}: , Checkmarx
: Checkmarx , . .
, - . , - . , Android - Timber Loggi. , , . Checkmarx .
, Timber :
package com.death.timberdemo;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import timber.log.Timber;
public class MainActivity extends AppCompatActivity {
private static final String TAG = MainActivity.class.getSimpleName();
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
Timber.e("Error Message");
Timber.d("Debug Message");
Timber.tag("Some Different tag").e("And error message");
}
}Checkmarx, Timber, :
FindAndroidOutputs
//
result = base.Find_Android_Outputs();
// , Timber
CxList timber = All.FindByExactMemberAccess("Timber.*") +
All.FindByShortName("Timber").GetMembersOfTarget();
//
result.Add(timber);, Android:
FindAndroidLog_Outputs
//
result = base.Find_Android_Log_Outputs();
// , Timber
result.Add(
All.FindByExactMemberAccess("Timber.*") +
All.FindByShortName("Timber").GetMembersOfTarget()
);, Android- WorkManager , Checkmarx, getInputData:
FindAndroidRead
//
result = base.Find_Android_Read();
// getInputData, WorkManager
CxList getInputData = All.FindByShortName("getInputData");
//
result.Add(getInputData.GetMembersOfTarget());: plist iOS
: iOS .plist. , , , .
plist , , Checkmarx. , , - .
, backend:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DeviceDictionary</key>
<dict>
<key>phone</key>
<string>iPhone 6s</string>
</dict>
<key>privatekey</key>
<string>MIICXAIBAAKBgQCqGKukO1De7zhZj6+</string>
</dict>
</plist>Checkmarx, , :
// plist,
CxList plist = Find_Plist_Elements();
//
CxList dictionarySettings = All.NewCxList();
// . .
// , , FindByMemberAccess - . , false, ,
dictionarySettings.Add(plist.FindByMemberAccess("privatekey", false));
dictionarySettings.Add(plist.FindByMemberAccess("privatetoken", false));
// - plist - "If statement"
CxList ifStatements = plist.FindByType(typeof(IfStmt));
// , -
result = dictionarySettings.FindByFathers(ifStatements);: XML
: Checkmarx XML , , . , , - . , - , .
:
//
result = All.FindXmlAttributesByNameAndValue("*.app", 8, “id”, "error- section", false, true); , All … , XML , - cxXPath. Android, HTTP :
// cxXPath
result = cxXPath.FindXmlAttributesByNameAndValue("*.xml", 8, "cleartextTrafficPermitted", "true", false, true);, , , , . , :
"*.xml"- ,8- id ,"cleartextTrafficPermitted"- xml"true"-false-true- , , case-insensitive
, , , Android, HTTP. , cleartextTrafficPermitted true:
<network-security-config>
<domain-config>
<domain includeSubdomains="true">example.com</domain>
<trust-anchors>
<certificates src="@raw/my_ca"/>
</trust-anchors>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">secure.example.com</domain>
</domain-config>
</domain-config>
</network-security-config>: /
: , Android, , . , build.gradle , .
build.gradle, , . , , .
, , . apply 'com.android.library'.
build.gradle, :
apply plugin: 'com.android.application'
android {
compileSdkVersion 24
buildToolsVersion "24.0.2"
defaultConfig {
...
}
buildTypes {
release {
minifyEnabled true
...
}
}
}
dependencies {
...
} build.gradle , :
apply plugin: 'android-library'
dependencies {
compile 'com.android.support:support-v4:18.0.+'
}
android {
compileSdkVersion 14
buildToolsVersion '17.0.0'
...
}Checkmarx:
ProGuardObfuscationNotInUse
// release Gradle
CxList releaseMethod = Find_Gradle_Method("release");
// build.gradle
CxList gradleBuildObjects = Find_Gradle_Build_Objects();
// , "release" build.gradle
CxList methodInvokesUnderRelease = gradleBuildObjects.FindByType(typeof(MethodInvokeExpr)).GetByAncs(releaseMethod);
// gradle- "com.android.library" - ,
CxList android_library = gradleBuildObjects.FindByName("com.android.library");
//
List<string> libraries_path = new List<string> {};
// ""
foreach(CxList library in android_library)
{
//
string file_name_library = library.GetFirstGraph().LinePragma.FileName;
//
libraries_path.Add(file_name_library);
}
//
CxList minifyEnabled = methodInvokesUnderRelease.FindByShortName("minifyEnabled");
//
CxList minifyValue = gradleBuildObjects.GetParameters(minifyEnabled, 0);
//
CxList minifyValueTrue = minifyValue.FindByShortName("true");
// , :D
if (minifyValueTrue.Count == 0) {
minifyValue = minifyValue.FindByAbstractValue(abstractValue => abstractValue is TrueAbstractValue);
} else {
// - ,
minifyValue = minifyValueTrue;
}
//
if (minifyValue.Count == 0)
{
// buildTypes android
CxList tempResult = All.NewCxList();
CxList buildTypes = Find_Gradle_Method("buildTypes");
if (buildTypes.Count > 0) {
tempResult = buildTypes;
} else {
tempResult = Find_Gradle_Method("android");
}
// ,
foreach(CxList res in tempResult)
{
// , buildType android
string file_name_result = res.GetFirstGraph().LinePragma.FileName;
// "" -
if (libraries_path.Contains(file_name_result) == false){
result.Add(res);
}
}
}Android , , .
: ,
: , . , Checkmarx , . , , .
, , . , :
, , . , ,
, , . ,
, .
slick Scala, , Splicing Literal Values. , SQL- $, SQL-. , Prepared Statement Java. , SQL-, , , #$, (, ).
:
// - ,
val table = "coffees"
sql"select * from #$table where name = $name".as[Coffee].headOptionCheckmarx Splicing Literal Values #$, SQL- :
//
CxList imports = All.FindByType(typeof(Import));
// , slick
CxList slick = imports.FindByShortName("slick");
// , ,
// -
bool not_empty_list = false;
foreach (CxList r in slick)
{
// , , slick
not_empty_list = true;
}
if (not_empty_list) {
// , SQL-
CxList sql = All.FindByShortName("sql");
sql.Add(All.FindByShortName("sqlu"));
// ,
CxList data_sql = All.DataInfluencingOn(sql);
// ,
// RegExp ,
CxList find_possible_inj = data_sql.FindByRegex(@"\#\$", true, true, true);
// ,
result = find_possible_inj.FindByType(typeof(BinaryExpr));
}: Open-Source
: Open-Source ( OSA), . . - , . SAST OSA, , , , .
, , JavaScript, . , , , lodash template *set.
JS :
/**
* Template example
*/
'use strict';
var _ = require("./node_modules/lodash.js");
// Use the "interpolate" delimiter to create a compiled template.
var compiled = _.template('hello <%= js %>!');
console.log(compiled({ 'js': 'lodash' }));
// => 'hello lodash!'
// Use the internal `print` function in "evaluate" delimiters.
var compiled = _.template('<% print("hello " + js); %>!');
console.log(compiled({ 'js': 'lodash' }));
// => 'hello lodash!'html:
<!DOCTYPE html>
<html>
<head>
<title>Lodash Tutorial</title>
<script src="./node_modules/lodash.js"></script>
<script type="text/javascript">
// Lodash chunking array
nums = [1, 2, 3, 4, 5, 6, 7, 8, 9];
let c1 = _.template('<% print("hello " + js); %>!');
console.log(c1);
let c2 = _.template('<% print("hello " + js); %>!');
console.log(c2);
</script>
</head>
<body></body>
</html>, :
// : lodash (,
CxList lodash_strings = Find_String_Literal().FindByShortName("*lodash*");
// :
CxList data_on_lodash = All.InfluencedBy(lodash_strings);
//
List<string> vulnerable_methods = new List<string> {"template", "*set"};
// , ,
CxList vulnerableMethods = All.FindByShortNames(vulnerable_methods).FindByType(typeof(MethodInvokeExpr));
// :
CxList vulnFlow = All.InfluencedBy(vulnerableMethods);
// -
result = vulnFlow * data_on_lodash;
// ,
List<string> lodash_result_path = new List<string> {};
foreach(CxList lodash_result in result)
{
//
string file_name = lodash_result.GetFirstGraph().LinePragma.FileName;
lodash_result_path.Add(file_name);
}
// html ,
// , , , lodash
List<string> lodash_path = new List<string> {};
foreach(CxList string_lodash in lodash_strings)
{
string file_name = string_lodash.GetFirstGraph().LinePragma.FileName;
lodash_path.Add(file_name);
}
// , , / lodash
foreach(CxList method in vulnerableMethods)
{
string file_name_method = method.GetFirstGraph().LinePragma.FileName;
if (lodash_path.Contains(file_name_method) == true && lodash_result_path.Contains(file_name_method) == false){
result.Add(method);
}
}
// UknownReferences "" ,
result = result.ReduceFlow(CxList.ReduceFlowType.ReduceSmallFlow) - result.FindByType(typeof(UnknownReference));:
: , , SSL-Pinning. - . , :
//
CxList find_certs = All.FindByShortNames(new List<string> {"*.der", "*.cer", "*.pem", "*.key"}, false);
// ,
CxList data_used_certs = All.DataInfluencedBy(find_certs);
// - ,
//
CxList methods = All.FindByMemberAccess("*.getAssets");
//
result = methods * data_used_certs;:
: , . , , . CxQL :
// ,
CxList strings = base.Find_Strings();
// . "qwerty12345"
result = strings.FindByShortName("qwerty12345");, , Checkmarx . , , - .
, , Checkmarx. Github, , , CxQL, - , . , contributors are welcome!
!