GitHub - harekrishnarai/Damn-vulnerable-sca: Damn Vulnerable SCA Application

SCA Goat
Navigating SCA Vulnerabilities, Empowering Mastery

What is SCA-Goat?

SCAGoat is an application for Software Composition Analysis (SCA) that focuses on vulnerable and compromised JAR dependencies used in development code, providing users with hands-on learning opportunities to understand potential attack scenarios. It is designed to identify vulnerabilities that may arise from using vulnerable JAR files.

Presented at:

What All CVE Covered?

The CVEs covered under SCAGoat are primarily critical and high severity, which have a CVSS score of 9. This aid in understanding the vulnerable package being used and its potential for exploitation.

In addition, there is one compromised package, that lacks a CVE, but is malicious by nature and cannot be detected with traditional SCA scanners.

CVE	Package Name	Link
CVE-2023-42282	IP	https://nvd.nist.gov/vuln/detail/CVE-2023-42282
CVE-2017-1000427	Marked	https://nvd.nist.gov/vuln/detail/CVE-2017-1000427
CVE-2017-16114	Marked	markedjs/marked#926
CVE-2021-44228	log4j	https://nvd.nist.gov/vuln/detail/CVE-2021-44228
CVE-2020-9547	jackson-databind	https://nvd.nist.gov/vuln/detail/CVE-2020-9547
CVE-2021-33623	trim-newlines	https://nvd.nist.gov/vuln/detail/CVE-2021-33623
CVE-2020-13935	spring-websocket	https://nvd.nist.gov/vuln/detail/CVE-2020-13935
Malicious Package (No CVE)	xz-java	https://central.sonatype.com/artifact/io.github.xz-java/xz-java

Steps to run SCAGoat

Step 1. Clone the application

git clone https://github.com/harekrishnarai/Damn-vulnerable-sca.git

Step 2. Go to the Directory

cd Damn-vulnerable-sca

Step 3. Use the following docker commands to build the image for the dockerfile and run the image to access the application:

docker compose up

Step 4. Visit http://localhost:3000/ to access the nodejs application and http://localhost:8080 for Springboot for log4j

SCA Goat HomePage

What's Coming?

Our aim is to provide you with a better understanding of vulnerable packages and JAR dependencies so that you can gain hands-on experience. We will keep you updated with the latest CVEs. Stay tuned!

Tutorials to exploit the vulnerability:

Demo Videos	CVE Exploited
Demo 1	CVE-2023-42282
Demo 2	CVE-2017-16114
Demo 3	CVE-2021-44228
Demo 4	CVE-2020-9547
Demo 5	XZ-JAVA compromised

SCA Scan Reports

Want to contribute?

Awesome! The most basic way to show your support is to star the project or raise issues.

Contributors

Thanks to all the people who already contributed!
Prashant Venkatesh
Nandan Gupta
Hare Krishna Rai
Henrik Plate
Gaurav Joshi
Yoad Fekete

Name		Name	Last commit message	Last commit date
Latest commit History 87 Commits
.vscode		.vscode
backend		backend
static		static
templates		templates
.gitignore		.gitignore
CNAME		CNAME
Dockerfile-backend		Dockerfile-backend
Dockerfile-frontend		Dockerfile-frontend
README.md		README.md
docker-compose.yml		docker-compose.yml
index.js		index.js
package-lock.json		package-lock.json
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

What is SCA-Goat?

Presented at:

What All CVE Covered?

Steps to run SCAGoat

SCA Goat HomePage

What's Coming?

Tutorials to exploit the vulnerability:

SCA Scan Reports

Want to contribute?

Contributors

About

Releases

Packages

Contributors 6

Languages

harekrishnarai/Damn-vulnerable-sca

Folders and files

Latest commit

History

Repository files navigation

What is SCA-Goat?

Presented at:

What All CVE Covered?

Steps to run SCAGoat

SCA Goat HomePage

What's Coming?

Tutorials to exploit the vulnerability:

SCA Scan Reports

Want to contribute?

Contributors

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Contributors 6

Languages

Packages