Static Application Security Testing (SAST) and Software Composition Analysis (SCA)

Static Application Security Testing (SAST) and Software Composition Analysis (SCA) are two popular software security testing techniques used by developers and security teams to identify vulnerabilities and risks in software applications.

SAST involves analyzing source code or binary files to identify security vulnerabilities and coding errors that could lead to security issues. It provides an automated way to identify potential security vulnerabilities in an application's source code before it is deployed. SAST tools can detect issues such as SQL injection, cross-site scripting, and buffer overflows.

SCA, on the other hand, involves analyzing third-party and open-source components used in an application to identify vulnerabilities and risks. It provides an automated way to identify known vulnerabilities and license compliance issues in third-party components, libraries, and frameworks used in an application.

Both SAST and SCA have their own set of tools and techniques. For instance, SAST tools include Fortify, SonarQube, and Checkmarx, among others, while SCA tools include Black Duck, WhiteSource, and Sonatype, among others.

How to use on Prancer

Step 1 - Create the scan through the PAC Wizard

Once the PAC file has been created, add this information to your PAC .yaml file as follows:

AppCodeAnalysis:
  SASTScan: true
  SCAScan: true
  IncrementalScan: true
  GitConnector: git_sca_VulnerableApp

Type of Scan     Explanation
SASTScan         Results from Static Application Security Testing (post code analysis).
SCAScan          Results from Software Composition Analysis (library dependency checks).
IncrementalScan  An incremental scan selectively tests newly developed or recently modified code for vulnerabilities. It identifies which parts of the application have been changed or added by comparing the current state of the codebase to its state at the time of the previous scan.

The following table outlines the type-of-scan settings in the Prancer PAC feature. Each setting takes the value true or false: true enables the corresponding scan, false disables it. Set the values that match your code analysis requirements in your PAC config file.

Type of Scan     Setting
SASTScan         true or false
SCAScan          true or false
IncrementalScan  true or false

Git connector

Step 1 - Follow the steps for creating a Git connector

  • In the "gitProvider" field, put the link to your repository branch

This is an example of how your Git connector should look when doing SAST & SCA:

{
  "branchName": "master",
  "companyName": "prancer",
  "fileType": "structure",
  "gitProvider": "https://github.com/SasanLabs/VulnerableApp.git",
  "httpsAccessToken": "Token",
  "private": true,
  "type": "filesystem"
}

Step 2 - Start the pentest once everything is completed.

This is an example .yaml file for SAST & SCA:

Collection: azure_pac
AppCodeAnalysis:
  SASTScan: true
  SCAScan: true
  IncrementalScan: true
  GitConnector: git_sca_inspector
ConnectionName: azure_pac_connector
CloudType: azure
ApplicationName: azure sca py inspector
RiskLevel: standard
RiskProfit: Medium
Compliance:
- CIS
- CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: https://ctflearn.com
Tags:
  Cloud: azure
WebScan:
  AjaxSpider: false
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances-inspector
AuthenticationMethod: noAuthentication
# All add-on IDs are listed at https://www.zaproxy.org/addons
AddOns:
#  - accessControl
#  - ascanrulesAlpha

Prancer Code Analysis CLI Usage Guide

Follow these steps to use the Prancer Code Analysis Command Line Interface (CLI):

Step 1 - Fetch the Latest Docker Image of prancer/prancer-pca.

To obtain the most up-to-date Docker image of prancer/prancer-pca, run this command:

docker pull prancer/prancer-pca:latest

Step 2 - Create a docker.env file and set the following environment variables:

Environment Variable  Description
CUSTOMER              Tenant identifier in the format "prancer-<companyname>", matching the tenant URL (see the docker.env examples below).
ACCESSTOKEN           Access token generated from the Prancer portal.
ENVIRONMENT           Deployment environment. Valid values are: dev, qa, prod. Default is prod.
CONFIGID              PAC configuration ID as shown in Inventory Management.
DIRPATH               Full path where the source code exists.
RULE                  The path to the rules to be used for analysis. Check the list of valid values for RULE below.
GITURL                Git repository URL to clone the source code.
BRANCHNAME            Branch name on the git repository.
GITSECRET             Secret value to clone the git repository.
  • Either DIRPATH, or all of GITURL, BRANCHNAME and GITSECRET, is required.

  • Valid Rules: apex, bash, c, clojure, contrib, csharp, dockerfile, elixir, fingerprints, generic, go, html, java, javascript, json, kotlin, ocaml, php, problem-based-packs, python, ruby, rust, scala, solidity, swift, terraform, typescript, yaml.

Step 3 - Initiate Appcode Analysis

3.1 Run Appcode Analysis against local source code

  • Run Appcode Analysis against local source code in a directory.

  • Set the DIRPATH path in the docker.env file and launch the Docker image with this command, ensuring you mount your local repository directory into the Docker container:

docker.env

CUSTOMER=prancer-companyname
ACCESSTOKEN=5cd5a27e4f1c4f7f9a3587dr5a70eac0
ENVIRONMENT=prod
CONFIGID=652d44a8ef58f22d23b6cee3
RULE=python
DIRPATH=/path/to/repo
  • Run in daemon mode
docker run -d --rm --name prancer-pca -v /path/to/repo:/path/to/repo --env-file docker.env prancer/prancer-pca:latest
  • Check the logs:
docker logs -f prancer-pca
  • Run in foreground mode
docker run --rm --name prancer-pca -v /path/to/repo:/path/to/repo --env-file docker.env prancer/prancer-pca:latest

3.2 Run Appcode Analysis against an internal git repository

  • Run Appcode Analysis on an internal git repository by cloning it using the GITURL, BRANCHNAME and GITSECRET provided as environment variables.

  • Set the GITURL, BRANCHNAME, and GITSECRET parameters in the docker.env file and launch the Docker image with this command:

docker.env

CUSTOMER=prancer-companyname
ACCESSTOKEN=5cd5a27e4f1c4f7f9a3587dr5a70eac0
ENVIRONMENT=prod
CONFIGID=652d44a8ef58f22d23b6cee3
RULE=python
GITURL=http://192.168.2.1:9000/organization/repository-name.git
BRANCHNAME=main
GITSECRET=ghp_RpMyae0********************
  • Run in daemon mode
docker run -d --rm --name prancer-pca --env-file docker.env prancer/prancer-pca:latest
  • Check the logs:
docker logs -f prancer-pca
  • Run in foreground mode
docker run --rm --name prancer-pca --env-file docker.env prancer/prancer-pca:latest
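The following script is an added example, not part of prancer-pca or the Prancer documentation. It checks a docker.env file against the requirements stated in Step 2 (the required variables, the valid RULE and ENVIRONMENT values, and the DIRPATH-or-Git rule) and prints the matching foreground docker run command from 3.1 or 3.2; the sample docker.env it writes uses constructed placeholder values, and `pca_command` and `env_get` are helper names chosen here.

```sh
#!/bin/sh
# Added example, not part of prancer-pca: validate a docker.env file against the
# documented rules, then print the matching foreground "docker run" command.
#   - CUSTOMER, ACCESSTOKEN, CONFIGID and RULE must be present
#   - ENVIRONMENT, if set, must be dev, qa or prod (default prod)
#   - RULE must be one of the documented rule packs
#   - either DIRPATH, or all of GITURL, BRANCHNAME and GITSECRET, must be set

VALID_RULES="apex bash c clojure contrib csharp dockerfile elixir fingerprints generic go html java javascript json kotlin ocaml php problem-based-packs python ruby rust scala solidity swift terraform typescript yaml"

# env_get FILE KEY: print the value of the first KEY=value line (empty if absent)
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# pca_command FILE: print the docker command, or a reason on stderr and return 1
pca_command() {
    f=$1
    for key in CUSTOMER ACCESSTOKEN CONFIGID RULE; do
        [ -n "$(env_get "$f" "$key")" ] || { echo "missing $key" >&2; return 1; }
    done
    environment=$(env_get "$f" ENVIRONMENT)
    case "${environment:-prod}" in
        dev|qa|prod) ;;
        *) echo "invalid ENVIRONMENT: $environment" >&2; return 1 ;;
    esac
    rule=$(env_get "$f" RULE)
    case " $VALID_RULES " in
        *" $rule "*) ;;
        *) echo "invalid RULE: $rule" >&2; return 1 ;;
    esac
    # The file carries ACCESSTOKEN and GITSECRET: warn if other users can read it.
    [ -z "$(find "$f" -perm -o+r 2>/dev/null)" ] || echo "warning: $f is world-readable" >&2
    dirpath=$(env_get "$f" DIRPATH)
    if [ -n "$dirpath" ]; then
        # Local mode (3.1): the repository must be mounted at the same path inside the container.
        echo "docker run --rm --name prancer-pca -v $dirpath:$dirpath --env-file $f prancer/prancer-pca:latest"
    elif [ -n "$(env_get "$f" GITURL)" ] && [ -n "$(env_get "$f" BRANCHNAME)" ] && [ -n "$(env_get "$f" GITSECRET)" ]; then
        # Git mode (3.2): the container clones the repository itself, so no mount is needed.
        echo "docker run --rm --name prancer-pca --env-file $f prancer/prancer-pca:latest"
    else
        echo "set DIRPATH, or all of GITURL, BRANCHNAME and GITSECRET" >&2
        return 1
    fi
}

# Demo with a constructed docker.env (placeholder values, not real credentials).
demo=$(mktemp)
printf 'CUSTOMER=prancer-example\nACCESSTOKEN=placeholder-token\nENVIRONMENT=prod\nCONFIGID=placeholder-config-id\nRULE=python\nDIRPATH=/tmp/repo\n' > "$demo"
pca_command "$demo"; rm -f "$demo"
```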