Merge remote-tracking branch 'upstream/develop' into origin/develop

CHANGES.md

@@ -0,0 +1,28 @@
+Cobra Changelog
+===============
+
+Here you can see the full list of changes between each Cobra release.
+
+Version 2.0.0-alpha.2
+---------------------
+
+Released on Sep 06 2017
+
+- 修复上传非支持的后缀提示
+- 修复VirtualEnv环境下无法执行
+- 修复grep/find路径位置变动
+- 优化日志等级
+- 优化Docker下路径错误
+- 优化耗时计算
+- 其它细节优化和Bug修复
+
+Version 2.0.0-alpha.1
+---------------------
+
+Released on Sep 05 2017
+
+内测正式版本
+
+- 简化安装和使用成本
+- 增加CLI模式
+- 开源扫描规则

CONTRIBUTING.md

@@ -5,8 +5,9 @@
 仔细描述问题的复现步骤，并提供对应的运行环境信息（Python版本、系统版本）
 
 ## 提交代码
-- Fork项目，切换到`develop`分支开发，或新建分支`feature-xxx`
+- Fork项目，切换到`develop`分支开发
 - 按照PEP8格式
 - 所有代码都需要有对应的单元测试用例
 - 运行所有测试用例
-- 提交Pull Request
+- 提交Pull Request到`develop`分支
+- 等待测试稳定后合并到`master`分支

Dockerfile

@@ -0,0 +1,14 @@
+FROM ubuntu:xenial
+
+COPY . /code/
+WORKDIR /code
+
+RUN apt-get update && apt-get install -y python-pip curl \
+    && apt-get autoremove \
+    && apt-get clean \
+    && apt-get autoclean \
+    && pip install -r requirements.txt \
+    && cp config.template config
+
+EXPOSE 5000
+CMD ["python", "cobra.py", "-H", "0.0.0.0", "-P", "5000"]

README.md

@@ -4,7 +4,6 @@
 [![GitHub (pre-)release](https://img.shields.io/github/release/wufeifei/cobra/all.svg)](https://github.com/wufeifei/cobra/releases)
 [![license](https://img.shields.io/github/license/mashape/apistatus.svg?maxAge=2592000)](https://github.com/wufeifei/cobra/blob/master/LICENSE)
 
-当前版本非正式版本，正式版本正在做最后的内测中，建议等正式版本出来后再使用，敬请期待！
 [![asciicast](https://raw.githubusercontent.com/wufeifei/cobra/master/docs/report_03.jpg)](https://asciinema.org/a/132572)
 
 ## Introduction（介绍）

cobra.py

@@ -1,11 +1,13 @@
-#!/usr/bin/python
-
+#!/usr/bin/env python
 # -*- coding: utf-8 -*-
+
 import re
 import sys
 
 from cobra import main
 
+
 if __name__ == '__main__':
     sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
     sys.exit(main())
+

cobra/__init__.py

@@ -37,7 +37,7 @@
 def main():
     try:
         # arg parse
-        t1 = time.clock()
+        t1 = time.time()
         parser = argparse.ArgumentParser(prog=__title__, description=__introduction__, epilog=__epilog__, formatter_class=argparse.RawDescriptionHelpFormatter)
 
         parser_group_scan = parser.add_argument_group('Scan')
@@ -80,7 +80,7 @@ def main():
                 # API call CLI mode
                 a_sid = args.sid
             cli.start(args.target, args.format, args.output, args.special_rules, a_sid)
-        t2 = time.clock()
+        t2 = time.time()
         logger.info('[INIT] Done! Consume Time:{ct}s'.format(ct=t2 - t1))
     except Exception as e:
         err_msg = unhandled_exception_message()

cobra/__version__.py

@@ -7,7 +7,7 @@
 __issue_page__ = 'https://github.com/wufeifei/cobra/issues/new'
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
-__version__ = '2.0.0-alpha'
+__version__ = '2.0.0-alpha.2'
 __author__ = 'Feei'
 __author_email__ = '[email protected]'
 __license__ = 'MIT License'
@@ -22,10 +22,10 @@
 
 Cobra is a static code analysis system that automates the detecting vulnerabilities and security issue.""".format(version=__version__)
 __epilog__ = """Usage:
-  {m} -t {td}
-  {m} -t {td} -r cvi-190001,cvi-190002
-  {m} -t {td} -f json -o /tmp/report.json 
-  {m} -t {tg} -f json -o [email protected] 
-  {m} -t {tg} -f json -o http://push.to.com/api 
-  sudo {m} -H 127.0.0.1 -P 80
-""".format(m='./cobra.py', td='tests/vulnerabilities', tg='https://github.com/ethicalhack3r/DVWA')
+  python {m} -t {td}
+  python {m} -t {td} -r cvi-190001,cvi-190002
+  python {m} -t {td} -f json -o /tmp/report.json 
+  python {m} -t {tg} -f json -o [email protected] 
+  python {m} -t {tg} -f json -o http://push.to.com/api 
+  sudo python {m} -H 127.0.0.1 -P 80
+""".format(m='cobra.py', td='tests/vulnerabilities', tg='https://github.com/ethicalhack3r/DVWA')

cobra/api.py

@@ -42,6 +42,8 @@
 
 q = queue.Queue()
 app = Flask(__name__, static_folder='templates/asset')
+running_host = '0.0.0.0'
+running_port = 5000
 
 
 def producer(task):
@@ -204,7 +206,7 @@ def post():
             code, result = 1001, {'sid': a_sid}
             return {'code': code, 'result': result}
         else:
-            return {'code': 1002, 'msg': "This extension can't support!"}
+            return {'code': 1002, 'result': "This extension can't support!"}
 
 
 class ResultData(Resource):
@@ -309,7 +311,8 @@ def summary():
         return render_template(template_name_or_list='index.html',
                                key=key)
 
-    status_url = request.url_root + 'api/status'
+    status_url = 'http://{host}:{port}/api/status'.format(host=running_host, port=running_port)
+    logger.critical(status_url)
     post_data = {
         'key': key,
         'sid': a_sid,
@@ -481,6 +484,9 @@ def start(host, port, debug):
         i.start()
 
     try:
+        global running_port, running_host
+        running_host = host if host != '0.0.0.0' else '127.0.0.1'
+        running_port = port
         app.run(debug=debug, host=host, port=int(port), threaded=True, processes=1)
     except socket.error as v:
         if v.errno == errno.EACCES:

cobra/cve_parse.py → cobra/cve.py

@@ -1,9 +1,10 @@
 # -*- coding: utf-8 -*-
+
 """
-    cobra
-    ~~~~~
+    CVE
+    ~~~
 
-    Implements cobra main
+    Implements CVE Rules Parser
 
     :author:    BlBana <[email protected]>
     :homepage:  https://github.com/wufeifei/cobra
@@ -377,7 +378,6 @@ def parse_math(cve_path, cve_id, cve_level, module_, target_directory):
     mr = VulnerabilityResult()
     module_name, module_version = module_.split(':')
     cvi = cve_path.lower().split('cvi-')[1][:6]
-    rule_name = '引用了存在漏洞的三方组件'
     if cve_level == 'LOW':
         cve_level = 2
 
@@ -404,11 +404,12 @@ def parse_math(cve_path, cve_id, cve_level, module_, target_directory):
 
     else:
         mr.file_path = 'unkown'
-    mr.language = cve_id
+    mr.language = '*'
     mr.id = cvi
-    mr.rule_name = rule_name
+    mr.rule_name = cve_id
     mr.level = cve_level
     mr.line_number = 1
+    mr.analysis = 'Dependencies Matched(依赖匹配)'
     mr.code_content = module_name + ':' + module_version
     mr.solution = """
         三方依赖**""" + module_name + """:""" + module_version + """**存在CVE漏洞，CVE漏洞编号为: **""" + cve_id + """**

cobra/dependencies.py

@@ -1,10 +1,10 @@
 # -*- coding: utf-8 -*-
 
 """
-    cobra
-    ~~~~~
+    dependencies
+    ~~~~~~~~~~~~
 
-    Implements cobra main
+    Implements Dependencies Check
 
     :author:    BlBana <[email protected]>
     :homepage:  https://github.com/wufeifei/cobra