OWASP iGNITA


Project Information

  • Incubator Project

Audience

  • Builder
  • Breaker
  • Defender

OWASP-iGNITA

Static application security testing environment with SAST scanner and plugins

Code Repository

Project Overview

Building a standalone scanner, staging its results to detect OWASP Top 10 vulnerabilities, and building plugins for IDEs and continuous integration.

Project Proposal

As software development grows, billions of lines of code are being produced, but the quality of that code is poor, so the vulnerability of applications is a real threat; even though there are many tools that monitor applications for vulnerabilities, by then it is always too late. One solution is to analyse and fix vulnerable code during development, but only a few tools are available for scanning code for vulnerabilities. OWASP iGNITA is a fine example of such a tool, but because of its many third-party dependencies, setting up the framework for testing is time consuming and a bit disorderly.

Proposed Strategy

To overcome the problems mentioned above, the plan is to build an independent standalone analyser to detect vulnerabilities, so that the OWASP iGNITA scanner no longer depends on tools such as SonarQube. This makes the framework lighter and easier to set up, and users are not restricted to the API provided by SonarQube or similar scanners. A plugin for IDEs will also be created, which is a faster way to detect vulnerabilities, and the framework will be dockerized so that the set-up time is minimal and less hectic. The plugin is also proposed for integration into the DevSecOps toolchain: GitHub, Jenkins and OWASP AppSec pipelines. Additionally, a developer guide will be written with guidelines, templates and other material for future collaborators.

Requirements that satisfy the important selection criteria:

  • Which vulnerabilities can it detect (out of the OWASP Top Ten)? - Focused on the Top Ten
  • Can it be integrated into the developer’s IDE? - A plugin is proposed to be developed
  • How hard is it to set up/use? - Dockerized for easy setup
  • Can it be run continuously and automatically? - Will be tested and added to a GitHub pipeline

Architecture

[High level architecture diagram]

Features of the Analyzer

  • The analyzer will initially focus on the Java language
  • The analyzer will be built to detect OWASP Top 10 vulnerabilities such as:
    • Injection
    • Broken Authentication
    • Sensitive Data Exposure
    • XML External Entities (XXE)
    • Broken Access Control
    • Security Misconfiguration
    • Cross-Site Scripting (XSS)
    • Insecure Deserialization

Timeline

Milestone | Task | Reporting | Week | Date | Status
1 - Analysis
1.1 | Analysis on other scanners that currently support the OWASP Top 10 | None | 1 | 15/05/20 | COMPLETED
1.2 | Analysis on the software architecture of similar scanners | Review architecture with mentor | 1 | 20/05/20 | COMPLETED
1.3 | Analysis on plugins | Review development strategy with mentor | 2 | 25/05/20 | COMPLETED
1.4 | Plan the detectors to be built in the GSoC period | Discuss with mentor | 2 | 30/05/20 | COMPLETED
2 - Development
2.1 | Setting up the environment | None | 3 | 01/06/20 | COMPLETED
2.2 | Creating vulnerable samples | None | 5 | 15/06/20 | COMPLETED
2.3 | Writing test classes | Mentor review | 5 | 23/06/20 | COMPLETED
2.4 | Configuring the detectors | None | 7 | 05/07/20 | COMPLETED
2.5 | Creating detector classes | Mentor review | 8 | 10/07/20 | COMPLETED
2.6 | Integrating into the dashboard | None | 9 | 20/07/20 | COMPLETED
2.7 | Modifying the scanner for the plugin structure | Mentor review | 10 | 25/07/20 | COMPLETED
2.8 | Modifying the scanner so it can be added to multiple pipelines | Mentor review | 10 | 30/07/20 | COMPLETED
3 - Testing
3.1 | Writing test cases | Mentor review | 11 | 02/08/20 | COMPLETED
3.2 | Testing detectors with sample code | Mentor review | 12 | 09/08/20 | COMPLETED
3.3 | Testing detectors for each developed vulnerability on a known test set | None | 13 | 11/08/20 | COMPLETED
3.4 | Testing with the integrated dashboard | Mentor review | 13 | 14/08/20 | COMPLETED
3.5 | Testing the plugin | None | 14 | 16/08/20 | COMPLETED
4 - Deployment
4.1 | Dockerizing the application with the integrated scanner | Mentor test | 14 | 18/08/20 | IN-PROGRESS
4.2 | Deploying the Docker image | None | 14 | 19/08/20 | IN-PROGRESS
5 - Documentation
5.1 | Documenting the analyzer | Mentor review | 14 | 21/08/20 | NOT STARTED
5.2 | Documenting the plugin | Mentor review | 14 | 22/08/20 | NOT STARTED
5.3 | Writing the developer guide | Mentor review | 14 | 23/08/20 | NOT STARTED

Project Team & Organization

  • Azzeddine Ramrami: Project Leader
  • Azhar Aahmad: Project Leader and back-end developer

User Guide

Installation

Pre-requisites

Software

  • NodeJS (required)
  • Angular (required)
  • SonarQube (required)
  • Sonar-scanner (required)
  • Mongodb (required)
  • Git (required)

Installing pre-requisites

NodeJS:
https://nodejs.org/en/download/

Angular:
https://angular.io/

SonarQube:
https://www.sonarqube.org/downloads/

Sonar-Scanner:
https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

Mongodb:
https://www.mongodb.com/download-center/community

Procedure for installing

Step 1:

Get the resource files from GitHub.

Clone the project: $ git clone https://github.com/azharanees/OWASP-iGNITA.git

Or

Download the project from: https://owasp.org/www-project-ignita/

Step 2:

Start the MongoDB server and make sure it is running on port 28017.

Step 3:

Start the SonarQube server on port 9000.

Step 4:

Make sure sonar-scanner is installed and included in the environment variables (on the PATH).

Step 5:

Go to the cloned repository folder and change directory to “api” (cd api). Inside that directory run npm install, which installs the required dependencies.

Step 6:

After npm install has completed successfully, start the node server with npm start.

Step 7:

From the root directory, change to the gui folder (cd gui).

Step 8:

Inside the gui directory, run npm install to install all the relevant dependencies.

Step 9:

After the installation completes, use ng serve or npm start to run the Angular app.

Step 10:

Once the Angular app has compiled successfully, open your browser and go to localhost:4200.

Step 11:

Use the credentials below to log in to the dashboard:

username : admin
password : test1234

Guide to use the dashboard

