From: Thisura P. <ttc...@gm...> - 2017-04-02 05:37:23
Hi Nikhil and Sendoro,

Thank you very much for the feedback. I will do the needful.

On Sun, Apr 2, 2017 at 10:42 AM, <se...@si...> wrote:
> Hi Thisura,
>
> Sounds great with additional comment from Nikhil!
>
> Regards
> Sendoro
>
> On 2017-04-01 15:29, Thisura Philips wrote:
> > Hi Nikhil,
> >
> > I have created a draft proposal at [1]. Sorry for waiting this late to give the draft.
> > Kindly go through it and let me know anything that needs to be updated, if you have
> > some time. I would highly appreciate your suggestions to make it a better proposal.
> >
> > [1] https://docs.google.com/document/d/1q5Z1mWjoi8bTsV6pMzAXPlthmcYCTBDE9Ee_bzRt95Q/edit?usp=sharing [27]
> >
> > Best Regards
> >
> > On Fri, Mar 31, 2017 at 12:47 AM, Thisura Philips <ttc...@gm...> wrote:
> >> Hi Nikhil,
> >> Understood the fact. I am really excited to start working on these.
> >> Sorry about not bouncing back with the proceedings. I spent a little bit of time
> >> getting familiar with the code.
> >> I have sent a few PRs and played with the community app, and debugged the code to
> >> get hands-on with OpenMF and Fineract.
> >> I will be spending time creating a proposal (as the closing date is coming) and will
> >> get back to work after submitting the proposal.
> >> Thanks again for your great help.
> >>
> >> Best Regards,
> >>
> >> On Sat, Mar 25, 2017 at 11:37 PM, Nikhil Pawar <nic...@gm...> wrote:
> >>
> >> Hello Thisura,
> >>
> >> Good work. Currently there are no tickets logged, as nobody did static analysis on
> >> the code.
> >> Once you have the findings, you should prioritize them and do deeper analysis.
> >> In our case, findings in the 5th point are of course of higher priority, so we
> >> should take a second look at them and rule them out in case of a false positive.
> >> Suppose you find them to be true positives, you should open a ticket and fix them.
> >>
> >> Regarding your question of including SonarQube as a build plugin, it has already
> >> been done along with PMD and FindBugs.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttc...@gm...>
> >> TO: "nic...@gm..." <nic...@gm...>
> >> CC: Mifos Software Development <mif...@li...>
> >> SENT: Wednesday, 22 March 2017 1:57 PM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >>
> >> The summarized vulnerabilities are as follows. The fifth one seems to be more or
> >> less a false positive. We can surely improve the reported vulnerabilities with the
> >> proposed solution. What do you think?
> >>
> >> * Mutable fields should not be "public static"
> >>   * MITRE, CWE-582 [1] - Array Declared Public, Final, and Static
> >>   * MITRE, CWE-607 [2] - Public Static Final Field References Mutable Object
> >>   Solution - Make the respective members protected. If they are in a class, move
> >>   them to a separate class and lower the visibility.
> >>
> >> * "static final" arrays should be "private"
> >>   * MITRE, CWE-582 [1] - Array Declared Public, Final, and Static
> >>   * MITRE, CWE-607 [2] - Public Static Final Field References Mutable Object
> >>   Solution - Make the array private
> >>
> >> * Generic exceptions should never be thrown
> >>   * MITRE, CWE-397 [3] - Declaration of Throws for Generic Exception
> >>   Solution - Define and throw a dedicated exception instead of using a generic one.
> >>
> >> * Throwable and Error should not be caught
> >>   * MITRE, CWE-396 [4] - Declaration of Catch for Generic Exception
> >>   * CERT, ERR07-J [5] - Do not throw RuntimeException, Exception, or Throwable
> >>   Solution - Catch Exception instead of Throwable.
> >>
> >> * Credentials should not be hard-coded
> >>   * MITRE, CWE-798 [6] - Use of Hard-coded Credentials
> >>   * MITRE, CWE-259 [7] - Use of Hard-coded Password
> >>   * SANS Top 25 [8] - Porous Defenses
> >>   * OWASP Top Ten 2013 Category A2 [9] - Broken Authentication and Session Management
> >>   * Derived from FindSecBugs rule Hard Coded Password [10]
> >>   Solution - Credentials should not be hard-coded.
> >>   Note: This is more or less a false positive. We can reduce the time frame of
> >>   discovering the passwords by storing them in a char array and cleaning them just
> >>   after use.
> >>
> >> * "public static" fields should be constant
> >>   * MITRE, CWE-500 [11] - Public Static Field Not Marked Final
> >>   * CERT OBJ10-J [12] - Do not use public static nonfinal variable
> >>   Solution - Make the respective field final
> >>
> >> * Throwable.printStackTrace should not be called
> >>   Solution - Use a logger to log this exception.
> >>
> >> * "enum" fields should not be publicly mutable
> >>   Solution - Lower the visibility of the setter. Remove it altogether.
> >>
> >> I am maintaining one doc for the summary [1]. I will update this document with the
> >> results of other tools. I will also prepare an Excel sheet to track these with the
> >> PRs fixing these issues.
> >>
> >> Is there a respective ticket to work on these at the moment? Kindly let me know.
> >>
> >> [1] https://docs.google.com/document/d/1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U/edit?usp=sharing [13]
> >>
> >> Thanks and regards.
> >>
> >> On Wed, Mar 22, 2017 at 11:46 AM, Nikhil Pawar <nic...@gm...> wrote:
> >> It's ok to continue the discussion regarding static analysis in this thread.
> >> We generally create a different thread for each different topic.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> Sent from Yahoo Mail on Android [14]
> >>
> >> On Tue, Mar 21, 2017 at 8:55 PM, Thisura Philips <ttc...@gm...> wrote:
> >>
> >> Hi Nikhil,
> >> Surely yes Nikhil. I wanted to give it a try and see how it works with ZAP. :).
> >> Actually, at first I had a doubt about having two projects, for dynamic and static
> >> scanning. Then I realized that we need two.
> >>
> >> I went through all of the 263 vulnerabilities and summarized them according to the
> >> reported vulnerability. (That is where I realized that we need two projects.)
> >>
> >> Shall I go ahead and start a thread for each of them, to discuss the severity and
> >> the solution (for some, CWE and CERT have suggested one), or shall we start talking
> >> in one new thread? Still new to the community, so I would like to know the best
> >> practice.
> >>
> >> On Tue, Mar 21, 2017 at 6:57 AM, Nikhil Pawar <nic...@gm...> wrote:
> >>
> >> Hi Thisura,
> >>
> >> We have included RATS, and there was a discussion I remember wherein PMD and
> >> FindBugs were to be integrated.
> >> I'll get back to you on this. I am not sure how that would make your job easy.
> >> Scanning the project part by part would be easier, I think.
> >> I saw your email regarding pen testing; kindly note both are different projects.
> >> As far as static analysis is concerned, you are expected to do a lot more than just
> >> scanning your project.
> >>
> >> You would have to compare analysis from other tools as well.
> >> We can help after you are done with your analysis on whether you should implement
> >> the change or not. ()
> >>
> >> I would recommend you to choose the project which is most closely aligned to your
> >> skills and interests.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttc...@gm...>
> >> TO: Nikhil Pawar <nic...@gm...>
> >> CC: Mifos Software Development <mifos-developer@lists.sourceforge.net>
> >> SENT: Thursday, 16 March 2017 9:37 PM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >>
> >> I was able to scan the project using SonarQube 5.6 with the SonarLint plugin you
> >> provided. I have scanned the mifos dev branch and pushed it to my local repo [1].
> >> I linked the SonarQube server and SonarLint plugin and got the report. The
> >> generated report "sonarlintreport.zip" [2] is attached below.
> >>
> >> I have used the gradle sonar plugin. I think we can apply the plugin if we are in
> >> the dev environment in the gradle build. Let me know if we do. I will create a
> >> pull request.
> >>
> >> However, the security vulnerabilities reported by SonarQube do not seem to be in
> >> the SonarLint-generated report. (I have linked SonarQube with SonarLint as mentioned
> >> in [4].) Therefore I saved the SonarQube report HTML page and attached it in [3].
> >> I will find out why it doesn't work as expected.
> >>
> >> There are 263 vulnerabilities reported in the mifos branch. I am currently going
> >> through each of them to see whether they are true. I will give an update based on
> >> the findings.
> >>
> >> [1] https://github.com/ThisuraThejith/incubator-fineract/tree/devOMFSonar [15]
> >> [2] https://drive.google.com/file/d/0B6WV3fK5Tak7RXFyWk5QM3AtVEU [16]
> >> [3] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c [17]
> >> [4] http://www.sonarlint.org/commandline/ [18]
> >>
> >> Cheers!
> >> Best Regards.
> >>
> >> On Wed, Mar 15, 2017 at 2:55 PM, Thisura Philips <ttc...@gm...> wrote:
> >>
> >> Hi Nikhil,
> >>
> >> Thank you very much for the feedback.
> >>
> >> Yes, Sonar has the ability to classify the findings based on OWASP or CWE. I will
> >> do what is necessary to scan the code base for security vulnerabilities.
> >> I am planning to run ZAP, which is related to the penetration test project, also.
> >>
> >> I will hang on to the good practice of having one commit in the PR. I updated the
> >> PR with one commit.
> >>
> >> Thanks again for the valuable feedback.
> >>
> >> Best Regards.
> >>
> >> On Wed, Mar 15, 2017 at 10:35 AM, Nikhil Pawar <nic...@gm...> wrote:
> >>
> >> ++ Mifos developers
> >>
> >> Hi Thisura,
> >>
> >> I saw your pull request and hence wanted to see your report.
> >> SonarQube is heavyweight; it has a dedicated database to store all your findings.
> >> I thought you were using SonarLint for the command line. This plugin is quite
> >> handy and it will generate HTML reports for you without compromising on the
> >> version.
> >> SonarLint for Command Line [18]
> >>
> >> Yes, we do follow coding styles and standards.
> >> Style is well defined and standard is an open topic, but the community mostly
> >> adheres to Java coding standards.
> >> https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456933/Coding+Standards [19]
> >>
> >> For this project we are primarily focusing on the security issues and not coding
> >> style issues.
> >> The reason I wanted to see your report was to check if you have caught any
> >> security vulnerability.
> >>
> >> Based on your findings, you did a good job and I appreciate your hard work.
> >> But unfortunately, we are more interested in finding security issues.
> >> As far as I remember, Sonar has the ability to classify the findings as OWASP or
> >> CWE.
> >> With this ability, you could take reference from the CWE documentation.
> >> For example, if Sonar says it has found CWE-375, you should go through the
> >> documentation of CWE-375 and determine if it is a security issue (generally
> >> labelled as CERT in the case of CWEs). Once you have determined it as a security
> >> issue, open up a discussion with the community, let us know your findings and
> >> research, and then go ahead and fix it.
> >>
> >> Lastly, when you submit a PR, you should have a single commit. (It is a community
> >> standard.)
> >> Even I made the same mistake when I submitted my first PR :) .
> >>
> >> Let me know if you have further queries.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttc...@gm...>
> >> TO: Nikhil Pawar <nic...@gm...>
> >> CC: "mifos-developer@lists.sourceforge.net" <mifos-developer@lists.sourceforge.net>
> >> SENT: Monday, 13 March 2017 2:41 PM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >> I used SonarQube 6.2 with the SonarLint IDEA plugin to scan the project. The PR
> >> at [1] is based on that.
> >>
> >> However, I couldn't find a plugin which could support SonarQube 6.2 to generate
> >> a PDF report.
> >>
> >> Therefore I used SonarQube 4.5.7 along with the plugin at [2]. Here are the PDF
> >> reports for the apache incubator-fineract and mifos developer branches.
> >>
> >> BTW, can you please have a look at PR [1] [20] and let me know whether the
> >> changes done are important and how we can further improve the code.
> >>
> >> [1] https://github.com/apache/incubator-fineract/pull/307 [20]
> >> [2] https://github.com/SonarQubeCommunity/sonar-pdf-report/ [21]
> >>
> >> Thanks and regards
> >>
> >> On Sat, Mar 11, 2017 at 4:55 AM, Nikhil Pawar <nic...@gm...> wrote:
> >>
> >> Hey Thomas,
> >>
> >> Can you send me your Sonar report?
> >> What did you use - SonarQube or SonarLint?
> >>
> >> Regards,
> >> Nikhil
> >>
> >> -------------------------
> >> FROM: Thisura Philips <ttc...@gm...>
> >> TO: Nikhil Pawar <nic...@gm...>
> >> CC: "mifos-developer@lists.sourceforge.net" <mifos-developer@lists.sourceforge.net>
> >> SENT: Thursday, 9 March 2017 7:12 AM
> >> SUBJECT: Re: [Mifos-developer] Application for GSOC 2017( Static Analysis of Apache Fineract )
> >>
> >> Hi Nikhil,
> >> I ran Sonar against Apache Fineract and resolved reported issues in the
> >> org.apache.fineract.accounting module. The PR is sent at [1]. I have a few
> >> problems.
> >>
> >> 1. Have we overridden toString() for strings? (Which I think is not needed.)
> >> 2. Do we have an in-house coding convention to have one-line conditional
> >>    clauses () (I raised this in the thread "Coding convention for conditional
> >>    clauses")
> >>
> >> [1] https://github.com/apache/incubator-fineract/pull/307 [20]
> >>
> >> On Fri, Mar 3, 2017 at 12:05 AM, Thisura Philips <ttc...@gm...> wrote:
> >>
> >> Hi Nikhil,
> >>
> >> Thank you very much for the invaluable tip.
> >>
> >> Of course, now I am playing with the code base and currently running SonarQube.
> >> I was thinking to run LAPSE as well. But with your tip I thought of doing it with
> >> TOIF, since I haven't used TOIF before. I will get back with an update of results.
> >>
> >> BTW, I am willing to fix some issues and become more familiar with the code base.
> >>
> >> Thanks & Regards
> >>
> >> On Thu, Mar 2, 2017 at 11:41 PM, Nikhil Pawar <nic...@gm...> wrote:
> >>
> >> Hello Thisura,
> >>
> >> Welcome to the Mifos community. Happy to know that you want to contribute to Open
> >> Source and you are starting with us.
> >>
> >> When it comes to security, there is no tool which will give you total coverage.
> >> Also, the results of different tools might not overlap for the same piece of code.
> >> Combining the output of multiple open source tools can potentially outperform the
> >> best licensed version on the market. Hence we were thinking of using TOIF - Total
> >> Output Integration Framework. For details regarding our thoughts on static
> >> analysis please refer to the following link:
> >> https://mifosforge.jira.com/wiki/display/projects/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea [22]
> >>
> >> Apart from knowing static analysis tools, you should have some degree of
> >> understanding of our code base to effectively analyse it. Thus it would be really
> >> helpful if you could resolve some bugs and provide fixes for the same.
> >>
> >> Regards,
> >> Nikhil
> >>
> >> Sent from Yahoo Mail on Android [14]
> >>
> >> On Wed, Mar 1, 2017 at 1:08 PM, Thisura Philips <ttc...@gm...> wrote:
> >>
> >> Hi all,
> >>
> >> I am a second year undergrad from Sri Lanka Institute of Information Technology.
> >> I am interested in contributing to the open source world and seeking an
> >> opportunity to start my career with GSOC 2017.
> >>
> >> I have a special interest in computer and software security. I have used tools
> >> like Jlint, FindBugs and SonarQube for code analysis. While those tools are good
> >> to analyze coding best practices, I would prefer using OWASP LAPSE for Java-based
> >> security analysis. If possible, Veracode and Fortify (static and dynamic) are
> >> better options, which cost a bit. :)
> >>
> >> I got an opportunity to work with the Veracode and Fortify tools as well in a
> >> part-time project. I ran code scanning against Java code and analyzed the reported
> >> vulnerabilities to check whether they are real.
> >>
> >> I am familiar with common attacks like buffer overflow, parameter tampering, URL
> >> tampering, header manipulation, cookie poisoning, SQL injection, cross-site
> >> scripting (XSS), cross-site request forgery, HTTP response splitting, command
> >> injection, path traversal, XPath injection, XML injection (external entity attack
> >> (XXE)) and LDAP injection.
> >>
> >> Also I am familiar with bad coding styles and practices which cause security
> >> vulnerabilities, such as storing passwords in Strings (using hard-coded
> >> credentials), not closing database connections, not encoding user inputs properly,
> >> and use of broken and risky algorithms such as MD5, which get caught in Fortify
> >> and Veracode scans most of the time.
> >>
> >> And yes, I am familiar with the respective resolutions also. :D
> >> I have experience in coding with good security coding practices. I took the
> >> initiative in OpenMRS [1] [23] to check their vulnerabilities and fix some of them
> >> [2] [24].
> >>
> >> I would like to contribute to this project to start my open source career. As the
> >> first step I have started to scan the Apache Fineract project with OWASP LAPSE.
> >> I would highly appreciate your thoughts and guidance along with this.
> >>
> >> [1] https://talk.openmrs.org/t/using-owasp-lapse-and-zap-for-security-analysis/4257 [23]
> >> [2] https://github.com/openmrs/openmrs-core/pull/1643/ [24]
> >>
> >> --
> >>
> >> T.T.C Philips (BSc.Eng (Undergrad))
> >> Computer Science and Engineering,
> >> Sri Lanka Institute of Information Technology (SLIIT)
> >>
> >> ------------------------------------------------------------------------------
> >> Check out the vibrant tech community on one of the world's most engaging tech
> >> sites, SlashDot.org! http://sdm.link/slashdot [25]
> >> Mifos-developer mailing list
> >> mif...@li...
> >> Unsubscribe or change settings at:
> >> Mifos-developer Info Page [26]
> >
> > Links:
> > ------
> > [1] http://cwe.mitre.org/data/definitions/582.html
> > [2] http://cwe.mitre.org/data/definitions/607.html
> > [3] http://cwe.mitre.org/data/definitions/397.html
> > [4] http://cwe.mitre.org/data/definitions/396.html
> > [5] https://www.securecoding.cert.org/confluence/x/BoB3AQ
> > [6] http://cwe.mitre.org/data/definitions/798
> > [7] http://cwe.mitre.org/data/definitions/259
> > [8] http://www.sans.org/top25-software-errors/
> > [9] https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
> > [10] http://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD
> > [11] http://cwe.mitre.org/data/definitions/500.html
> > [12] https://www.securecoding.cert.org/confluence/x/QQBqAQ
> > [13] https://docs.google.com/document/d/1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U/edit?usp=sharing
> > [14] https://overview.mail.yahoo.com/mobile/?.src=Android
> > [15] https://github.com/ThisuraThejith/incubator-fineract/tree/devOMFSonar
> > [16] https://drive.google.com/file/d/0B6WV3fK5Tak7RXFyWk5QM3AtVEU
> > [17] https://drive.google.com/open?id=0B6WV3fK5Tak7OHJENF9oZFE2X2c
> > [18] http://www.sonarlint.org/commandline/
> > [19] https://mifosforge.jira.com/wiki/spaces/MIFOS/pages/4456933/Coding+Standards
> > [20] https://github.com/apache/incubator-fineract/pull/307
> > [21] https://github.com/SonarQubeCommunity/sonar-pdf-report/
> > [22] https://mifosforge.jira.com/wiki/display/projects/Static+Analysis+of+Apache+Fineract+Project-+A+GSOC+project+idea
> > [23] https://talk.openmrs.org/t/using-owasp-lapse-and-zap-for-security-analysis/4257
> > [24] https://github.com/openmrs/openmrs-core/pull/1643/
> > [25] http://sdm.link/slashdot
> > [26] https://lists.sourceforge.net/lists/listinfo/mifos-developer
> > [27] https://docs.google.com/document/d/1q5Z1mWjoi8bTsV6pMzAXPlthmcYCTBDE9Ee_bzRt95Q/edit?usp=sharing

--

T.T.C Philips (BSc.Eng (Undergrad))
Computer Science and Engineering,
Sri Lanka Institute of Information Technology (SLIIT)
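The findings summarized in the thread above (public static mutable arrays, non-final public statics, generic exceptions, catching Throwable, printStackTrace, hard-coded credentials), shown as an added Java example with each weak pattern beside the fix the thread proposes. This is not Fineract code nor code from anyone in the thread; the role names, the EXAMPLE_PASSWORD environment variable and the placeholder verifier are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

/** The SonarQube findings from the thread, each beside the fix the thread proposes. */
public class StaticAnalysisFindings {

    // Finding: "static final" arrays should be "private" (CWE-582 / CWE-607).
    // 'final' only pins the reference; any caller can still overwrite the elements.
    public static final String[] ALLOWED_ROLES_UNSAFE = {"ADMIN", "TELLER"};

    // Fix: keep the array private and publish an unmodifiable view of a copy.
    private static final String[] ALLOWED_ROLES = {"ADMIN", "TELLER"};
    public static final List<String> ALLOWED_ROLE_LIST =
            Collections.unmodifiableList(Arrays.asList(ALLOWED_ROLES.clone()));

    // Finding: "public static" fields should be constant (CWE-500 / CERT OBJ10-J).
    public static int maxLoginAttemptsUnsafe = 5;    // any class can rewrite the policy
    public static final int MAX_LOGIN_ATTEMPTS = 5;  // fix: mark it final

    // Finding: Throwable.printStackTrace should not be called; log through a logger.
    private static final Logger LOG = Logger.getLogger(StaticAnalysisFindings.class.getName());

    /** Finding: generic exceptions should never be thrown (CWE-397); use a dedicated type. */
    public static final class RoleNotAllowedException extends RuntimeException {
        RoleNotAllowedException(String role) { super("role not allowed: " + role); }
    }

    public static void checkRole(String role) {
        if (!ALLOWED_ROLE_LIST.contains(role)) {
            throw new RoleNotAllowedException(role);
        }
    }

    /**
     * Finding: credentials should not be hard-coded (CWE-798 / CWE-259). The thread calls
     * the Fineract hits mostly false positives and suggests holding the secret in a char[]
     * and clearing it right after use, so it does not linger as an immutable String.
     * The verification itself is a placeholder; a real check would compare against a
     * stored password hash.
     */
    public static boolean authenticate(char[] password) {
        try {
            return password.length > 0;             // placeholder for the real verifier
        } finally {
            Arrays.fill(password, '\0');            // wipe the secret as soon as it is unneeded
        }
    }

    public static void main(String[] args) {
        // Why CWE-582 matters: a 'public static final' array is still writable by callers.
        ALLOWED_ROLES_UNSAFE[0] = "ANYONE";
        System.out.println("unsafe array now: " + Arrays.toString(ALLOWED_ROLES_UNSAFE));

        try {
            ALLOWED_ROLE_LIST.set(0, "ANYONE");     // the fixed version rejects the write
        } catch (UnsupportedOperationException e) {
            // Finding: do not catch Throwable or Error (CWE-396 / CERT ERR07-J); catch the
            // specific type, and log it rather than calling e.printStackTrace().
            LOG.log(Level.INFO, "write to ALLOWED_ROLE_LIST rejected", e);
        }

        // The secret comes from an environment variable (name constructed for this example),
        // with a constructed fallback so the file runs stand-alone.
        char[] secret = System.getenv().getOrDefault("EXAMPLE_PASSWORD", "example-only").toCharArray();
        System.out.println("authenticated: " + authenticate(secret));
        System.out.println("secret after use: " + Arrays.toString(secret));   // all '\0'
        checkRole("TELLER");                         // passes; checkRole("GUEST") would throw
    }
}
```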