Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add urls (http+https) to json report #585

Open
jossef opened this issue Jan 19, 2023 · 1 comment · May be fixed by #681
Open

add urls (http+https) to json report #585

jossef opened this issue Jan 19, 2023 · 1 comment · May be fixed by #681
Labels
dynamic analysis Issues specific to the implementation of Dynamic Analysis enhancement New feature or request

Comments

@jossef
Copy link

jossef commented Jan 19, 2023

It is highly valuable to include URLs audited as part of the analysis in the JSON report. For example (see URLs field):

{
  "Package": {
    "Name": "package-name",
    "Version": "1.2.3",
    "Ecosystem": "npm"
  },
  "CreatedTimestamp": 1674062447,
  "Analysis": {
    "install": {
      "Status": "",
      "Stdout": "...",
      "Stderr": "...",
      "Files": [],
      "Sockets": [],
      "Commands": [],
      "DNS": [],
      "URLs": [
        "http://2oqwmc7o04ssmcdi4e6wn79ys2vnkh.burpcollaborator.net/",
        "https://raw.githubusercontent.com/Gauravbhatia1211/experiment/main/exps.sh"
      ],
    }
  }
}

How to deal with HTTPS traffic?

Had a great chat with @oliverchang, @calebbrown, and @Alik-Kold. Suggesting adding a MITM-TLS component and routing the TLS traffic through a transparent proxy component able to audit the URLs, body, headers, and more valuable information:

@Alik-Kold built a working POC with the following architecture (this is the original):

  • adding sslsplit to the analysis container
  • configuring the sandbox container so HTTP + HTTPS traffic will be routed through sslsplit
  • installed the self-signed generated root CA certificate globally on the sandbox container
    2023-01-19 package-analysis create issues - Page 1 (1)

We started working on this feature. let us know WDYT 🙏
@jossef jossef mentioned this issue Jan 19, 2023
Open
@maxfisher-g
Copy link
Contributor

This sounds awesome! Very keen to see it in action :D

We might need to think about how to add that extra data (e.g. headers, request / response body, etc) in the JSON - if we want it.

@maxfisher-g maxfisher-g added enhancement New feature or request dynamic analysis Issues specific to the implementation of Dynamic Analysis labels Jan 20, 2023
Alik-Kold added a commit to Alik-Kold/package-analysis that referenced this issue Mar 7, 2023
@Alik-Kold
feat: add urls (http+https) to json report
c30198f 
closes ossf#585
@Alik-Kold Alik-Kold linked a pull request Mar 7, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dynamic analysis Issues specific to the implementation of Dynamic Analysis enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add urls (http+https) to json report Alik-Kold/package-analysis
2 participants
@jossef @maxfisher-g