Skip to content

Commit

Permalink
init
Browse files Browse the repository at this point in the history
  • Loading branch information
RedRaysTeam committed Aug 26, 2024
1 parent 90169ec commit c34e4bf
Show file tree
Hide file tree
Showing 74 changed files with 502 additions and 268 deletions.
25 changes: 25 additions & 0 deletions .flake8
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
[flake8]
# Increase the max line length to 120 characters
max-line-length = 120

# Ignore specific errors/warnings:
# E501: Line too long
# W291: Trailing whitespace
# E128: Continuation line under-indented for visual indent
# E126: Continuation line over-indented for hanging indent
# E127: Continuation line over-indented for visual indent
# W503: Line break occurred before a binary operator
# E266: Too many leading '#' for block comment
ignore = E501, W291, E128, E126, E127, W503, E266, W605, C901, E303

# Exclude some directories from checking
exclude =
.git,
__pycache__,
build,
dist,
.venv


# Maximum allowed complexity for functions
max-complexity = 10
120 changes: 73 additions & 47 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -1,53 +1,79 @@
stages:
- lint
- test
- build
- deploy
name: CI/CD Pipeline

variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.pip-cache"
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]

cache:
paths:
- .pip-cache/
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install flake8
- name: Lint with flake8
run: flake8 .

lint:
stage: lint
image: python:3.9
before_script:
- pip install flake8
script:
- flake8 .

test:
stage: test
image: python:3.9
before_script:
- pip install -r requirements.txt
- pip install pytest pytest-cov
script:
- pytest tests/ --cov=./ --cov-report=xml
artifacts:
reports:
coverage_report:
coverage_format: cobertura
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install pytest pytest-cov
- name: List directory contents
run: ls -R
- name: Run tests
run: |
export PYTHONPATH=$PYTHONPATH:$(pwd)
pytest tests/ -v --cov=./ --cov-report=xml
- name: Upload coverage report
uses: actions/upload-artifact@v2
with:
name: coverage-report
path: coverage.xml

build:
stage: build
image: python:3.9
script:
- pip install pyinstaller
- pyinstaller --onefile main.py
artifacts:
paths:
- dist/main
build:
runs-on: ubuntu-latest
needs: [lint, test]
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pyinstaller
- name: Build executable
run: pyinstaller --onefile main.py
- name: Upload artifact
uses: actions/upload-artifact@v2
with:
name: abap-code-scanner
path: dist/main

deploy:
stage: deploy
image: python:3.9
script:
- echo "Deploying application..."
# Add your deployment steps here
only:
- main # This job will only run on the main branch
deploy:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
steps:
- name: Deploy application
run: |
echo "Deploying application..."
# Add your deployment steps here
128 changes: 128 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
# ABAP Code Scanner Framework

## Overview

The ABAP Code Scanner Framework is a powerful tool designed to analyze ABAP (Advanced Business Application Programming) code for potential security vulnerabilities, code quality issues, and best practice violations. This framework provides a flexible and extensible way to scan ABAP code and generate comprehensive reports on various aspects of code security and quality.

## Features

- Multiple security checks including:
- Cross-Site Scripting (XSS) vulnerabilities
- Directory Traversal vulnerabilities
- Hardcoded credentials
- Weak cryptographic algorithms
- And many more...
- Customizable and extensible architecture
- Command-line interface for easy integration into CI/CD pipelines
- Detailed reporting in XLSX format
- Configurable scan settings

## Upcoming Feature: Dataflow Analysis

We are excited to announce that we are working on implementing a dataflow analysis feature. This enhancement will significantly improve the accuracy and depth of our security scans.

### What is Dataflow Analysis?

Dataflow analysis is a technique used to track how data moves through an application. In the context of security, it helps identify how potentially tainted data (e.g., user inputs) propagates through the system and whether it reaches sensitive sinks (e.g., database queries, output functions) without proper sanitization.

### Planned Functionality

Our dataflow analysis will:

- Track parameters and their contents from the beginning of functions, reports, forms, includes, or other ABAP structures.
- Follow the data as it flows through the code, monitoring transformations and assignments.
- Identify potential injection points where tainted data might be used unsafely.
- Provide more accurate and context-aware vulnerability detection.

This feature will enable the framework to:
- Reduce false positives by understanding the context and transformations of data.
- Detect complex vulnerabilities that simple pattern matching might miss.
- Offer more detailed and actionable reports on potential security issues.

We're working hard to integrate this feature and will update the framework once it's ready. Stay tuned for updates!

## Prerequisites

- Python 3.9 or higher
- pip (Python package installer)

## Installation

1. Clone the repository:
```
git clone https://github.com/yourusername/AbapCodeScannerFramework.git
cd AbapCodeScannerFramework
```

2. Install the required dependencies:
```
pip install -r requirements.txt
```

## Usage

To run the ABAP Code Scanner:

```
python main.py path/to/abap/code
```

Optional arguments:
- `-c`, `--config`: Path to the configuration file (default: config.yml)

## Configuration

The scanner can be configured using a YAML file. By default, it looks for `config.yml` in the project root. You can specify a different configuration file using the `-c` or `--config` option.

Example configuration:

```yaml
checks:
- CheckCrossSiteScripting
- CheckSQLInjection
- CheckDirectoryTraversal

file_extensions:
- .abap
- .txt

exclude_patterns:
- "**/test/**"
```
## Adding New Checks
To add a new security check:
1. Create a new Python file in the `checks` directory.
2. Define a class that inherits from a base check class.
3. Implement the required methods, including the main `run` method.
4. Add the new check to the configuration file.

## Running Tests

To run the test suite:

On Windows:
```
run_tests.bat
```

On Unix-like systems:
```
./run_tests.sh
```

## Contributing

Contributions to the ABAP Code Scanner Framework are welcome! Please feel free to submit pull requests, create issues or spread the word.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Acknowledgments

- Thanks to all contributors who have helped to improve this framework.
- Special thanks to the ABAP community for their invaluable resources and documentation.

6 changes: 3 additions & 3 deletions checks/CheckAbapOutgoingFtpConn.py
Original file line number Diff line number Diff line change
@@ -1,16 +1,17 @@
# checks/check_abap_outgoing_ftp_conn.py

import re
from dataclasses import dataclass
from typing import List


@dataclass
class CheckResult:
line_number: int
line_content: str


class CheckAbapOutgoingFtpConn:
title = "Outgoing FTP Connection"
confidence = "Definitive"
severity = "Low"
vulnerability_type = "Unencrypted Communications"

Expand All @@ -26,4 +27,3 @@ def run(self, file_content: str) -> List[CheckResult]:
line_number = file_content[:match.start()].count('\n') + 1
return [CheckResult(line_number, match.group().strip())]
return []

2 changes: 0 additions & 2 deletions checks/CheckBrokenAuthCheck.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
# checks/check_broken_auth_check.py

import re
from dataclasses import dataclass
from typing import List
Expand Down
2 changes: 2 additions & 0 deletions checks/CheckCallTransformation.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,13 @@
from dataclasses import dataclass
from typing import List


@dataclass
class CheckResult:
line_number: int
line_content: str


class CheckCallTransformation:
title = "XML Injection via \"CALL TRANSFORMATION\""
severity = "High"
Expand Down
6 changes: 3 additions & 3 deletions checks/CheckCrossSiteScripting.py
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# checks/CheckCrossSiteScripting.py

import re
from dataclasses import dataclass
from typing import List, Dict


@dataclass
class CheckResult:
line_number: int
line_content: str


class CheckCrossSiteScripting:
title = "Potential Cross-Site Scripting vulnerability"
severity = "High"
Expand Down Expand Up @@ -60,4 +60,4 @@ def run(self, file_content: str) -> List[CheckResult]:
results.append(CheckResult(i, line.strip()))
break # Stop searching after finding the first vulnerability in the line

return results
return results
4 changes: 2 additions & 2 deletions checks/CheckDangerousAbapCommands.py
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
# checks/check_dangerous_abap_commands.py

import re
from dataclasses import dataclass
from typing import List


@dataclass
class CheckResult:
line_number: int
line_content: str


class CheckDangerousAbapCommands:
title = "Dangerous ABAP statements"
severity = "Medium"
Expand Down
2 changes: 2 additions & 0 deletions checks/CheckDeleteDynpro.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,13 @@
from dataclasses import dataclass
from typing import List


@dataclass
class CheckResult:
line_number: int
line_content: str


class CheckDeleteDynpro:
title = "Critical actions via deleting a screen"
severity = "High"
Expand Down
Loading

0 comments on commit c34e4bf

Please sign in to comment.