Webmaster Security

Static code security scanner & analyser

Submitted by expdb2019, Thread ID: 121494

Thread Closed
15-02-2019, 05:05 PM
#1
Project

Cobra is a tool for static code security analysis; its goal is to find security risks or vulnerabilities in source code.

Application scenarios
1. Before a vulnerability appears (detection)
We compile vulnerabilities commonly seen on the Internet into Cobra detection rules, so that the risk is scanned for and resolved before a white hat finds the vulnerability, nipping it in the bud.
Example: detecting early that the code contains high-risk files (.tar.gz/.rar/.bak/.swp) prevents those high-risk files from being downloaded.
2. When a vulnerability appears (scan)
When the enterprise receives a vulnerability submitted by a white hat, it fixes the vulnerability immediately and can add it to the scan rules so that Cobra detects whether any project has a similar vulnerability.
Case: when the ImageMagick vulnerabilities emerged, a rule set in Cobra could quickly scan all historical projects. Within a few minutes one can know which of the enterprise's dozens of projects use the ImageMagick component, which are vulnerable, and which are immune.
3. After a vulnerability appears (limit)
When the enterprise fixes a vulnerability, repair/validation rules can be set so that all code submitted afterwards must pass them, otherwise it cannot go live, reducing the possibility of the same vulnerability recurring.

pic

[Image: report_01.jpg]


Refer:

Documents: http://cobra.feei.cn/
Code: https://github.com/WhaleShark-Team/cobra
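The three scenarios above (rules for leftover high-risk files, a content rule that finds every project using a component such as ImageMagick, and a gate that blocks release while a high-severity rule still fires) as an added example; this is not Cobra's own code or rule format, and the rule dictionaries, sample project and function names are constructed for illustration:

```python
import os
import re
import tempfile

# Constructed rule set (assumed format, not Cobra's): a rule matches either a
# file name (leftover archives, backups, editor swap files) or a regex in the
# file content (use of a component whose vulnerability is being hunted).
RULES = [
    {"id": "HR-001", "name": "high-risk leftover file", "severity": "high",
     "file": re.compile(r"\.(tar\.gz|rar|bak|swp)$", re.I)},
    {"id": "CMP-001", "name": "ImageMagick component in use", "severity": "info",
     "content": re.compile(r"\bnew\s+Imagick\b|\bImagick::|\bwand\.image\b")},
]

def scan_tree(root, rules=RULES):
    """Walk a source tree; return sorted (rule id, relative path, line) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for rule in rules:
                if "file" in rule and rule["file"].search(name):
                    findings.append((rule["id"], rel, 0))  # line 0: whole file
                if "content" in rule:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        for lineno, line in enumerate(fh, 1):
                            if rule["content"].search(line):
                                findings.append((rule["id"], rel, lineno))
    return sorted(findings)

def blocks_release(findings, rules=RULES):
    """Scenario 3: refuse to go live while any high-severity rule has fired."""
    severity = {r["id"]: r["severity"] for r in rules}
    return any(severity[rule_id] == "high" for rule_id, _, _ in findings)

def demo():
    """Scan a constructed sample project written to a temporary directory."""
    sample = {  # constructed files: one component use, two leftover files
        "src/upload.php": "<?php\n$img = new Imagick($_FILES['f']['tmp_name']);\n",
        "src/.index.php.swp": "swap",
        "db.sql.bak": "-- dump",
        "README.md": "plain project\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        for rel, text in sample.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)
```

Running `demo()` reports the ImageMagick use at src/upload.php line 2 and both leftover files, and `blocks_release(demo())` is true because the leftover-file rule is high severity.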

RE: Static code security scanner & analyser

#2
I have tested the free version and it's awesome.
Can't wait to test the pro.

RE: Static code security scanner & analyser

OP
#3
15-02-2019, 05:20 PM
adrianolls Wrote:
I have tested the free version and it's awesome.
Can't wait to test the pro.

Open source tools.

No Pro.

Thank you

RE: Static code security scanner & analyser

#4
Awesome tool, it will help me a lot in my next freelance projects, thank you very much.

RE: Static code security scanner & analyser

#5
What is this code? I don't know about it. Please explain it in detail. Hu hu.

RE: Static code security scanner & analyser

#6
Let's see, and thanks buddy.

RE: Static code security scanner & analyser

#7
So it is like you are conducting VAPT on your server, but in an automated state, right?
