Just ran sobelow on my big giant work project, it found only one thing:
HTTPS Not Enabled - High Confidence
However we run it behind nginx that does have https enabled, so eh, need a way to disable it. ^.^
Also, got this warning at the bottom of the scan:
$ mix sobelow
##############################################
# #
# Running Sobelow - v0.2.3 #
# Created by Griffin Byatt - @griffinbyatt #
# NCC Group - https://nccgroup.trust #
# #
##############################################
HTTPS Not Enabled - High Confidence
-----------------------------------------------
warning: an expression is always required on the right side of ->. Please provide a value after ->
nofile:119
... SCAN COMPLETE ...
Iām still working on the best way to flag issues as false positives or do-not-report, but hopefully that will be a solved problem soon. In the meantime, Config issues are fortunately pretty easy to ignore without unintended consequences:
$ mix sobelow -i Config.HTTPS
I believe that is a warning from your project, which is getting dumped into the scan output. It can be a fairly annoying issue on projects that generate a large number of warnings, so itās at the top of my list of things to try and mitigate.
It doesnāt seem to be a major issue for you, since you donāt have a large number of warnings or findings, but something Iāve done is > findings into a gitignored file, which shouldnāt contain any of the warnings.
I donāt want to recommend this practice generally since a small mistake could mean commiting a list of vulnerabilities or otherwise private information, but thatās what Iāve been doing until I figure out a better solution.
nofile though? I just rebuilt it and did not see it in its normal build output (there are a few warnings, mostly scope stuff because case leaks variable stupidity due to macros, and it did not seem to show any of those, though it may not have done a fresh recompile?).
I think that nofile has something to do with the application environment not being loaded. When Iāve gotten warnings about nofile:39, Iāve been able to match it against errors in whatever_controller.ex:39.
I forgot to mention: @OvermindDL1, this update should make the warnings a bit less annoying. Sobelow will now output warnings at the beginning of a scan so that it doesnāt clutter findings.
I was also able to verify that the warnings are a result of warnings in the codebase being scanned. The erlang internals of Code.string_to_quoted call warn, which canāt (I believe) be suppressed. But at least now they wonāt be obtrusive!
And nofile is the default filename given for warnings generated by string_to_quoted, and can be overridden by passing the optional filename argument. As of now, Iām just leaving nofile as-is, but may update this in the future.
@griffinbyatt Thanks a ton for writing up this tool! This was very much needed. I was able to use the previous version and found a few issues. However, after I have upgraded to the latest version of Sobelow, I am running into the following error.
@raags90 Thanks for reporting! Iāve needed to handle the file discovery a bit more gracefully. I pushed a small update that should tell you where the error is originating ā could you install with mix archive.install https://github.com/nccgroup/sobelow/raw/feature/sobelow.ez? It will tell you the file itās having an issue with.
Also, have you already installed with the new installation method? IE:
I sent you a message so we can get it hashed-out off thread, it might just be something non-standard in your setup. In the meantime, I just pushed an update to Hex which should enable the scan to run normally despite errors, and just print a message for you indicating that it had trouble reading the file.
update
I pushed another, more comprehensive update for file discovery. This should fix your error, as well as a related path error. Let me know if you have any problems going forward!
Thanks a bunch @griffinbyatt for the prompt help. The latest update works perfectly !! Also, there was an issue with my setup as well ( ). Look forward to investigating the results !!
Just pushed a new update! Install with mix archive.install hex sobelow.
This is a pretty big one. There are bug fixes and additional checks that should flag more XSS, and SQL injection. You can also now suppress false-positives on a per-function basis. For example:
@sobelow_skip ["Traversal"]
def vuln_func(...) do
...
end
Sobelow will now stop flagging this function for traversal findings.
As always, feedback and error reports are very appreciated.
By 1.0.0 there will be some sort of config! For now, Iām prioritizing getting all the options figured out and security checks in place, so that even if itās not always the most convenient, itās still the most usable.
Iāve released a couple updates over the last week.
Sobelow will now do a better job of handling non-standard Phoenix applications. For the most part, if you say something is a Phoenix app, Sobelow will do itās best to scan it, but will print helpful error messages in case you made a mistake. This makes it easier to scan each part of an umbrella application.
For people integrating with CI pipelines, there is a new exit flag. The exit option accepts a confidence threshold (low, medium, or high), and will return a non-zero exit status for findings above that threshold.
For example: mix sobelow --exit Medium will have a non-zero exit status for medium and high confidence findings.
Other than that, bug fixes should continue to improve the quality of reports
The way that Brakeman handles that is to provide you with an interactive mode that will let you determine whether or not to ignore a particular warning signature. That creates a brakeman.ignore file that can be loaded as part of your build process (with a note on why it can be ignored).
Once you audit and either fix / ignore items from the initial round of issues than a CI process will only let you know about the new vulnerabilities and thatās the real goal I think.
). Look forward to investigating the results !!
