¶ WhiteBox source code Scanner
WhiteBox is tool for scanning source code of your projects.
It is combination of different source code scanner tools that work automatically in same time.
¶ First steps
First of all, you need to add asset to workspace. Supported Asset types are:
- Github repository link
- Archive with source code
¶ Ways for scan
For scanning your files Cryeye project can offer you 3 different ways:
- Whitebox service
- Multi Target audit project
- Singular Target audit project
¶ Difference
Whitebox service
This service will be deprecated and moved to Multi Target Audit projects.
Props:
- File tree & Code view
- Facts and findings review
- Reports
- Audit scope presets
Cons:
- Can not create custom audits scope
- Can not view original audits results
- No scheduller
- No notes or checklists
Multi Target audit project
Props:
- File tree & Code Viewer
- Customizable audits scope presets
- Detailed logs of each step
- Availability of original audits results
- Notes & Checklists
- Multi target scan
- Schedulled scans
Cons:
- Can not review findings as in Whitebox service - Comming soon
- No reports - Comming soon
Singular Target audit project
Props:
- Customizable audits scope
- Availability of original audits results
- Schedulled scans
- Notes, Checklists
- Reports
Cons:
- No File tree & Code viewer
- No presets
- Can not review findings as in Whitebox service
¶ Create Project and run scan
For example let's scan JavaScript vulnerable web application (vwa): https://github.com/cqr-cryeye-forks/vwa and select main branch master
All services can be added while adding asset
¶ Whitebox service
¶ Create project
- Select "Whitebox" in Asset services contol
- Choose prefered preset
- Select needed assets
- Click "Create and go to whitebox projects" from Assets Dashoboard by using service control
On whitebox page are listed all projects. You can filter them by target, selected preset, scan status and asset type
When analyzing will be finished, you will see Analyzing status as completed.
¶ Results view
Each project has control buttons.
- Blue arrow - see results
- Rescan - run analyze again
- Delete - remove project with all scans and data
When you click to see results if you have only 1 scan - you will be redirected to it's results. If more than one you can select that you need.
Results are adding during scan. so even if scan is still in progress - founeded data will be shown.
On the top of scan results you can review general scan info, such as time of scanning, total issues count, scan status, tools that were used, tools whose results were analyzed.
On scan page you can see file tree, code viewer and findings list
On Scan logs tab you can view logs and issues from audits and result parsing
¶ Multi Target audit project
Whitebox in multitarget projects is still developing. For future it is prefered way for scanning, but now you can not see processed results as in whitebox service.
¶ Create project
- Select "Multi target audit project" in Asset services contol
- Choose type
Whitebox
- Select assets that you want to scan - they will be added in one project
¶ Set up scan
Go to created project and click on Configure & Run.
Here you can select preset that you want.
After selecting preset you are able to view automatically selected audits. You can modify audits that will scan you targets.
¶ View results
Workflow works as in Simpe audit project type, but results view has one more tab.
Main tab provide file tree and code viwer. Facts currently are not supported. (but they will be added as soon as possible)
You can view audits results on Results tab.
On control tab you can view logs of each step - file tree generating, status of each audit, whitebox post processingg logs and issues.
¶ Singular Target audit project
This system is same as for scanning other asset types. You can not select presets or see custom result from whitebox. Just run selected audits and see theirs results. This project type is outdated so Multi target audit project is better option.
¶ Target types
WhiteBox now supported next asset types:
- Git repository
- Zip archive (Sources)
- Dockerfile
- Terraform
- AWS Cloidformation
- Ansible
- Helm
- Kubernetes
- Azure resource manager
- Smart Contract
- File
¶ Git repository
Repository must be public, because whitebox need access to it.
If you have different branches, you can select which you want to scan. Cryeye can parse different types of link:
- https://github.com/cqr-cryeye-forks/vwa - branch is not selected. (Do not reccomended, can be selected wrong branch during scan)
- https://github.com/cqr-cryeye-forks/vwa#master - specify branch using hashtag as separator.
- https://github.com/cqr-cryeye-forks/vwa/tree/master - specify branch as GitHub link to selected branch.
¶ Files
If your repository is private, or you don't have it at all, you can upload zip archive or other file for analyzing.
¶ Presets info
For scanning you can choose one or more presers, that are used in your sources.
Whitebox now supports next Program languages:
- Go
- Java
- JavaScript
- Kotlin
- PHP
- Python
- C#
- C++
- C language
- Ruby
- Rust
- Scala
- Leaks
- Git
- All in One - select all audits that can be analyzed for seening whitebox results. Code style audits will be skipped.
- Code Style Check
- Custom - You can sellect Audits that you want without reccomendation. Only in multi target audit projects
¶ Scanned files manager
File manager - list of all scanned files saving folders structure. If there are vulnerabilities in file - alert text has vulnerabilities will be shown.
When you want to see files inside some path, all previous folders will be shown above, as in usual explorer.
Also you can search files by name as in usual file explorer.
You will see file content when you click on a file name.
¶ File preview
Center field is file viewer. Here you can see data from file. Highlighted lines - lines with vulnerabilities.
If you don't like default theme - you can choose another one in menu above viewer - we have about 50 different themes:
¶ Facts
Whitebox has the same facts system as in audits page. It is on the rigth of the asset page.
First of all you can see general information and facts diagram by severity:
And under them list of all facts.
When you click on fact, you will see the issue in the file.
¶ Facts filters
You can filter facts by different parameters in this menu.
For example:
Number in brackets in file list shows issues count in file.
Also you can filter by tool name, or in advanced filters disable specific tool(s)
¶ Import facts
You have ability to save founded issues as PDF file.
Click Export PDF for generating report:
After a while you will see notification window (may be different, depending on your os) for saving file.
Click 'OK' and file will be saved on you device.
¶ Integrated tools
We hardly work on intergating more different tools. For this moment we use next tools for analyzing:
- Aura Security
- Awap
- Bandit
- Brakeman
- Bughound
- Bundler
- CheckMarx Kics
- CheckMarx Sast
- Checkov
- Confused
- DawnScanner
- Drek
- Dumpster Diver
- ESlint
- Flawfinder
- Fortify
- Go Kart
- Go Sec
- Graudit
- Hawkeye
- Horusec
- Insider
- Local PHP Security Checker
- NodeJS Scanner
- Php Cs
- PhpInsights
- PhpShellFinder
- ProgPilot
- PsecioParse
- Repo Scrapper
- Roslynator
- Sshgit
- Snyk
- VulnyCode
- SonarQube
- Whispers