I used rips for many years to help with auditing source code. Lets face it, anytime you can automate a mundane task such as source code auditing, you free up time for other things to be done…..plus if you have ever stared at source code for 14+ hours straight reading line by line by line ….. you know how well automation helps save your vision.
Anyways, today I found a new project at github and wanted to document how I set it up. One thing to keep in mind is that this is a relatively new project, and with any new project of this size and scope … we can generally expect a few things …. lots of development changes and false positives. Even with this being known, I still love the direction the project is already moving … so lets begin.
First, you need to install composer. I installed it globally but you can also do it locally if you do not have admin rights.
$ curl -sS https://getcomposer.org/installer | php $ sudo cp composer.phar /usr/local/bin/composer $ which composer $ mkdir -p ~/.composer/vendor/bin
Next, get parse:
git clone https://github.com/psecio/parse.git cd ../ mkdir -p psecio/parse rsync -av parse/ psecio/parse/ composer global require psecio/parse
Next add the required path to .bashrc file:
Source the .bashrc file to make it active:
Now you should be able to do an audit using default values (just specify the path to your code):
psecio-parse scan /path/to/my/project
View Help on scanning:
psecio-parse help scan
I generally trim the rules down to cut down on the noise:
psecio-parse scan --whitelist-rules PregReplaceWithEvalModifier,SessionRegenerateId,EchoWithFileGetContents,SystemFunctions,MysqlRealEscapeString,ExitOrDie,EvalFunction,GlobalsUse /path/to/code
An example screenshot: