I used rips for many years to help with auditing source code. Lets face it, anytime you can automate a mundane task such as source code auditing, you free up time for other things to be done…..plus if you have ever stared at source code for 14+ hours straight reading line by line by line ….. you know how well automation helps save your vision.
Anyways, today I found a new project at github and wanted to document how I set it up. One thing to keep in mind is that this is a relatively new project, and with any new project of this size and scope … we can generally expect a few things …. lots of development changes and false positives. Even with this being known, I still love the direction the project is already moving … so lets begin.
First, you need to install composer. I installed it globally but you can also do it locally if you do not have admin rights.
$ curl -sS https://getcomposer.org/installer | php
$ sudo cp composer.phar /usr/local/bin/composer
$ which composer
$ mkdir -p ~/.composer/vendor/binNext, get parse:
git clone https://github.com/psecio/parse.git
cd ../
mkdir -p psecio/parse
rsync -av parse/ psecio/parse/
composer global require psecio/parseNext add the required path to .bashrc file:
export PATH=$PATH:~/.composer/vendor/binSource the .bashrc file to make it active:
source ~/.bashrcNow you should be able to do an audit using default values (just specify the path to your code):
psecio-parse scan /path/to/my/projectView Help on scanning:
psecio-parse help scanI generally trim the rules down to cut down on the noise:
psecio-parse scan --whitelist-rules PregReplaceWithEvalModifier,SessionRegenerateId,EchoWithFileGetContents,SystemFunctions,MysqlRealEscapeString,ExitOrDie,EvalFunction,GlobalsUse /path/to/codeAn example screenshot:
Screenshot of psecio-parse scan