【🔔】Internet material/tool of unknown safety; assess its security yourself before use.
sastsweep is a tool designed to identify vulnerabilities in open-source codebases at scale. It collects and filters key repository metrics, such as popularity and project size, enabling targeted vulnerability research. It uses semgrep to automatically detect potential vulnerabilities and produces a streamlined HTML report, letting researchers quickly drill down into the affected parts of a codebase.
Examples
• One-liner that scrapes every HackerOne open-source target and runs semgrep on it
bbscope h1 -b -u '<HACKERONE_USERNAME>' -t '<HACKERONE_TOKEN>' -o tdu | grep -E 'https?://github.com/[A-Za-z0-9-]{1,}/[A-Za-z0-9-]{1,}' -o | sastsweep -threads 10 -desc -stars -files
• Use github-search.py to scrape Flask applications from GitHub search and keep only repositories with 500-3000 stars. Shows the star count, repository description and file count.
python3 github-search.py --token '<GITHUB TOKEN>' --query '"import Flask" AND ".route("' | sastsweep -stars -desc -files -filter-stars 500-3000
• Scan a single repository, showing the star count, the number of security issues and the date of the last commit
sastsweep -repo https://github.com/chebuya/SASTsweep -stars -security-issues -last-commit
• Scan a list of targets, showing the star count, language breakdown, fork count and contributor count. Keep only repositories whose last commit is after 2024/01/01, with fewer than 5000 stars and 0 security issues
sastsweep -repos targets.txt -stars -lang -forks -contributors -filter-last-commit 2024/01/01- -filter-stars -5000 -filter-security-issues 0
Installation
Linux is currently the only supported and tested platform. sastsweep requires go >= 1.23 to install successfully. Run the following command to install sastsweep:
go install github.com/chebuya/sastsweep/cmd/sastsweep@latest
Usage
sastsweep -h
This prints the tool's help. These are all the switches it supports:
Usage of ./sastsweep:
-branch
Display the default branch of a repository
-commits
Display the number of commits to the repository
-config-path string
Path to semgrep.conf file
-contributors
Display the number of contributors in a repository
-debug
Enable debug messages
-desc
Display repo description
-files
Display number of files in repo
-filter-commits string
Filter the number of commits to the repository (500-700,-300,500-,3000)
-filter-contributors string
Filter the number of contributors in a repository (500-700,-300,500-,3000)
-filter-files string
Filter number of files in repo (500-700,-300,500-,3000)
-filter-first-commit string
Filter the date of the first commit to the repository (yyyy/mm/dd-yyyy/mm/dd,-yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)
-filter-forks string
Filter the number of forks of repository (500-700,-300,500-,3000)
-filter-issues string
Filter the number of issues in a repository (500-700,-300,500-,3000)
-filter-last-commit string
Filter the date of the last commit to the repository (yyyy/mm/dd-yyyy/mm/dd,-yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)
-filter-last-release string
Filter the date of the latest release (yyyy/mm/dd-yyyy/mm/dd,-yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)
-filter-pull-requests string
Filter the number of pull requests in a repository (500-700,-300,500-,3000)
-filter-security-issues string
Filter the number of security issues in the repository (500-700,-300,500-,3000)
-filter-stars string
Filter repos stars in output (500-700,-300,500-,3000)
-filter-watchers string
Filter the number of watchers in a repository (500-700,-300,500-,3000)
-fireprox string
Use fireprox for reasons... relates to rate limiting on a certain platform (ex: https://abcdefghi.execute-api.us-east-1.amazonaws.com/fireprox/)
-first-commit
Display the date of the first commit to the repository
-forks
Display the number of forks of repository
-full-desc
Display the full repo description
-github1s
Generate links for the web-based vscode browser at github1s.com rather than github.com
-issues
Display the number of issues in a repository
-lang
Display GitHub repo language
-last-commit
Display the date of the last commit to the repository
-last-release
Display the date of the latest release
-no-emoji
Disable this if you are a boring person (or use a weird terminal)
-no-semgrep
Do not perform a semgrep scan on the repos
-out-dir string
Directory to clone repositories to
-pull-requests
Display the number of pull requests in a repository
-raw-links
Print raw links for semgrep report rather than hyperlink with name, good if you want to save output
-repo string
GitHub repository to scan
-repo-link
Display the link associated with the repository
-repos string
File of GitHub repositories to scan
-save-repo
Save the cloned repository
-security-issues
Display the number of security issues in the repository
-semgrep-path string
Custom path to the semgrep binary
-stars
Display repos stars in output
-threads int
Number of threads to start (default 3)
-topics
Display GitHub repo topics
-watchers
Display the number of watchers in a repository
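As an added illustration (not part of sastsweep's own code), the following Go snippet implements the filter-expression forms the help text lists for the -filter-* flags (500-700, -300, 500-, 3000, and the yyyy/mm/dd date forms) and checks constructed repository metrics like those in the fourth example above against them. It assumes bounds are inclusive and that dates are compared by calendar day; the help text does not state either.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// parseBound converts one side of a filter to int64: a plain count, or a
// yyyy/mm/dd date as Unix seconds at UTC midnight. Empty = open bound (def).
func parseBound(s string, def int64) (int64, error) {
	if s == "" {
		return def, nil
	}
	if strings.Contains(s, "/") {
		t, err := time.Parse("2006/01/02", s)
		return t.Unix(), err
	}
	return strconv.ParseInt(s, 10, 64)
}

// matchFilter checks v against spec in the forms the help text lists: "A-B",
// "-B", "A-" or bare "A" (exact). Only the first '-' splits the sides, so
// yyyy/mm/dd dates are safe. Inclusive bounds are an assumption here.
func matchFilter(spec string, v int64) (bool, error) {
	spec = strings.TrimSpace(spec)
	loS, hiS := spec, spec
	if i := strings.Index(spec, "-"); i >= 0 {
		loS, hiS = spec[:i], spec[i+1:]
	}
	lo, err := parseBound(loS, math.MinInt64)
	if err != nil {
		return false, fmt.Errorf("bad lower bound %q: %w", loS, err)
	}
	hi, err := parseBound(hiS, math.MaxInt64)
	if err != nil {
		return false, fmt.Errorf("bad upper bound %q: %w", hiS, err)
	}
	return v >= lo && v <= hi, nil
}

// dayValue puts a commit timestamp on the same scale parseBound uses for
// dates, so a filter compares calendar days rather than exact instants.
func dayValue(t time.Time) int64 {
	return time.Date(t.Year(), t.Month(), t.Day(), 0, 0, 0, 0, time.UTC).Unix()
}
```

A numeric metric such as a star count is passed directly as v; a commit or release date is passed through dayValue first.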
References
1. semgrep: https://github.com/semgrep/semgrep
2. httpx: https://github.com/projectdiscovery/httpx
Originally published on the WeChat public account 埋藏酱油瓶: [Open-source tool] SASTSweep, identifying vulnerabilities in open-source codebases at scale