Documentation on how the scanner works #2

Open
jwong101 opened this issue Nov 17, 2022 · 1 comment
Assignees
Labels
documentation Improvements or additions to documentation

Comments

@jwong101
Contributor

No description provided.

@jwong101 jwong101 added the documentation Improvements or additions to documentation label Nov 17, 2022
@jwong101 jwong101 self-assigned this Nov 17, 2022
@clouless

clouless commented Mar 14, 2023

Is there any news on documentation? I cannot really figure out how to run the scanner from the top README.
It would be great if we could get more detailed documentation on how to run it.
Thanks

OK, for my app I get this result, which seems great:

{
  "vulns": [],
  "scanner": "FSRT",
  "started_at": "2023-03-14T22:25:18.147297Z",
  "ended_at": "2023-03-14T22:25:18.147299Z",
  "scanned": [
    ""
  ],
  "errors": false
}

And your demo app provides this result:

{
  "vulns": [
    {
      "check_name": "Custom-Check-Authorization-12526530318979110750",
      "description": "Authorization bypass detected through glance in \"./test-apps/jira-damn-vulnerable-forge-app/src/index.jsx\".",
      "recommendation": "Use the authorize API _https://developer.atlassian.com/platform/forge/runtime-reference/authorize-api/_ or manually authorize the user via the product REST APIs.",
      "proof": "Unauthorized API call via asApp() found via glance -> fetchIssueSummary -> SecureGlance",
      "severity": "High",
      "app_key": "",
      "app_name": "",
      "date": "2023-03-14"
    }
  ],
  "scanner": "FSRT",
  "started_at": "2023-03-14T22:26:42.757408Z",
  "ended_at": "2023-03-14T22:26:42.757445Z",
  "scanned": [
    ""
  ],
  "errors": false
}

So I assume the correct output of an OK app is errors: false AND vulns: [].
I want to implement this as GitHub Actions during my build of the app and need to know if this JSON format is stable.

Also stable releases would be helpful to run a specific version of the scanner.

Here is my GitHub Actions implementation that fails my test run if there are errors or vulnerabilities, for anyone who stumbles upon this issue:

workflow.yml

name: build
on: [push]
jobs:
  build:                       # job name was missing; every job needs a key under `jobs:`
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16.x
      - uses: actions-rs/toolchain@v1 #rust with cargo
        with:
          toolchain: stable
      - run: cargo install --git https://github.com/atlassian-labs/FSRT
        working-directory: packages/backend
      - run: fsrt ./ > fsrt-scanner-result.json
        working-directory: packages/backend
      - run: cat ./fsrt-scanner-result.json
        working-directory: packages/backend
      - run: node ./assert-fsrt-results.js
        # assumes the script sits next to the JSON it require()s
        working-directory: packages/backend

I wrote a simple assert-fsrt-results.js file in Node.js to assert the JSON test results:

// Load the report written by `fsrt ./ > fsrt-scanner-result.json`
const results = require('./fsrt-scanner-result.json');
// Fail the build if the scanner itself hit errors
if (results.errors !== false) {
    console.log("FSRT has errors!");
    process.exit(2);
}
// Fail the build if any vulnerability was reported
if (results.vulns.length > 0) {
    console.log("FSRT has vulnerabilities!");
    process.exit(2);
}
console.log("FSRT no errors and no vulnerabilities");

It would be great to get a precompiled version of FSRT in form of a GitHub action runner ...
