I used RIPS for many years to help with auditing source code. Let's face it, any time you can automate a mundane task such as source code auditing, you free up time for other things to be done... plus, if you have ever stared at source code for 14+ hours straight reading line by line by line... you know how well automation helps save your vision.
Anyway, today I found a new project on GitHub and wanted to document how I set it up. One thing to keep in mind is that this is a relatively new project, and with any new project of this size and scope we can generally expect a few things: lots of development changes and false positives. Even knowing this, I still love the direction the project is already moving, so let's begin.
First, you need to install Composer. I installed it globally, but you can also do it locally if you do not have admin rights. Note that piping the installer straight into php runs whatever the server happened to return; the Composer download page publishes the installer's SHA-384 hash, so check the downloaded installer against it before executing it.
[codesyntax lang=”bash”]
$ curl -sS https://getcomposer.org/installer | php
$ sudo cp composer.phar /usr/local/bin/composer
$ which composer
$ mkdir -p ~/.composer/vendor/bin
[/codesyntax]
Next, get Parse. The clone and rsync keep a local checkout of the source in a psecio/parse layout; the actual install is the final composer command:
[codesyntax lang=”bash”]
git clone https://github.com/psecio/parse.git
mkdir -p psecio/parse
rsync -av parse/ psecio/parse/
composer global require psecio/parse
[/codesyntax]
Next, add Composer's global bin directory to your PATH in ~/.bashrc:
[codesyntax lang=”bash”]
export PATH=$PATH:~/.composer/vendor/bin
[/codesyntax]
Source ~/.bashrc so the new PATH takes effect in the current shell:
[codesyntax lang=”bash”]
source ~/.bashrc
[/codesyntax]
Now you should be able to run an audit with the default settings (just specify the path to your code):
[codesyntax lang=”bash”]
psecio-parse scan /path/to/my/project
[/codesyntax]
View the help for the scan command (this lists the available rules and options):
[codesyntax lang=”bash”]
psecio-parse help scan
[/codesyntax]
I generally trim the rules down to cut down on the noise:
[codesyntax lang=”bash”]
psecio-parse scan \
  --whitelist-rules PregReplaceWithEvalModifier,SessionRegenerateId,EchoWithFileGetContents,SystemFunctions,MysqlRealEscapeString,ExitOrDie,EvalFunction,GlobalsUse \
  /path/to/code
[/codesyntax]
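The steps above (verify the installer, put Composer's bin directory on PATH, run a scan with a trimmed rule set) can be wrapped in one small script. This is an added example and not code from the original post or from the psecio/parse project. It assumes a COMPOSER_BIN default of ~/.composer/vendor/bin (matching the PATH step above), a script name of audit.sh, and that you copy the expected installer hash from https://getcomposer.org/download/ yourself before calling verify_sha384; the function and variable names are my own.

```bash
#!/usr/bin/env bash
# audit.sh -- wrapper around the setup steps above.
# Added example; not part of psecio/parse or the original post.
# Assumptions (not from the page): COMPOSER_BIN is where `composer global
# require` installs executables on this machine; the rule list is passed
# by the caller; the expected installer hash is copied by hand from
# https://getcomposer.org/download/ before running verify_sha384.

COMPOSER_BIN="${COMPOSER_BIN:-$HOME/.composer/vendor/bin}"

# The trimmed rule set from the post, kept as one string so it can be
# reused and diffed between runs.
DEFAULT_RULES="PregReplaceWithEvalModifier,SessionRegenerateId,EchoWithFileGetContents,SystemFunctions,MysqlRealEscapeString,ExitOrDie,EvalFunction,GlobalsUse"

# Print the SHA-384 of FILE, using whichever hashing tool is present.
# Returns 2 when neither sha384sum nor openssl is available.
sha384_of() {
  if command -v sha384sum >/dev/null 2>&1; then
    sha384sum "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha384 -r "$1" | cut -d' ' -f1
  else
    return 2
  fi
}

# Check a downloaded composer installer against the published hash
# BEFORE piping it into php: `curl ... | php` executes whatever the
# server returned. 0 = match, 1 = mismatch, 2 = could not hash.
verify_sha384() {
  actual="$(sha384_of "$1")" || return 2
  [ "$actual" = "$2" ]
}

# Append DIR to the colon-separated LIST unless it is already present.
# Pure (prints the result) so the .bashrc export stays idempotent when
# the file is sourced more than once.
path_append_once() {
  list="$1"; dir="$2"
  case ":$list:" in
    *":$dir:"*) printf '%s\n' "$list" ;;
    *)          printf '%s\n' "${list:+$list:}$dir" ;;
  esac
}

# Build the scan command line for TARGET. Empty RULES means the tool's
# defaults; otherwise restrict the run to the comma-separated whitelist.
# Printed rather than executed so it can be logged or reviewed first.
build_scan_cmd() {
  target="$1"; rules="${2:-}"
  if [ -n "$rules" ]; then
    printf 'psecio-parse scan --whitelist-rules %s %s\n' "$rules" "$target"
  else
    printf 'psecio-parse scan %s\n' "$target"
  fi
}

main() {
  target="${1:?usage: audit.sh /path/to/code [rule1,rule2,...]}"
  rules="${2:-$DEFAULT_RULES}"
  PATH="$(path_append_once "$PATH" "$COMPOSER_BIN")"; export PATH
  if ! command -v psecio-parse >/dev/null 2>&1; then
    echo "psecio-parse not found on PATH; run the install steps first" >&2
    return 1
  fi
  echo "+ $(build_scan_cmd "$target" "$rules")" >&2
  # Pass the arguments directly (not via the printed string) so a target
  # path containing spaces is still quoted correctly.
  if [ -n "$rules" ]; then
    psecio-parse scan --whitelist-rules "$rules" "$target"
  else
    psecio-parse scan "$target"
  fi
}

# Only run when given arguments, so `source audit.sh` just loads helpers.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `./audit.sh /path/to/code` runs the trimmed rule set from above; `./audit.sh /path/to/code ""` falls back to the tool's defaults; and `verify_sha384 composer-setup.php <hash from getcomposer.org>` is the check to run on the installer before it ever reaches php.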
An example screenshot: