new update to kunlun-m

.github/ISSUE_TEMPLATE.md

@@ -4,7 +4,7 @@
 |---|---|---|
 |System|`uname -a`||
 |Python|`python -V`||
-|Cobra|`python cobra.py`||
+|Cobra|`python kunlun.py`||
 
 ### Description
 

.travis.yml

@@ -7,6 +7,6 @@ install:
   - pip install -r requirements.txt
 script:
   - py.test
-  - coverage run --source=cobra -m pytest
+  - coverage run --source=core -m pytest
 after_success:
   - coveralls

Kunlun_M/asgi.py

@@ -0,0 +1,16 @@
+"""
+ASGI config for Kunlun_M project.
+
+It exposes the ASGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/3.0/howto/deployment/asgi/
+"""
+
+import os
+
+from django.core.asgi import get_asgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'Kunlun_M.settings')
+
+application = get_asgi_application()

cobra/const.py → Kunlun_M/const.py

@@ -59,3 +59,24 @@
 }
 
 default_black_list = ['.crx_files', 'vendor']
+
+# base result class
+
+
+class VulnerabilityResult:
+    def __init__(self):
+        self.id = ''
+        self.file_path = None
+        self.analysis = ''
+        self.chain = ""
+
+        self.rule_name = ''
+        self.language = ''
+        self.line_number = None
+        self.code_content = None
+        self.commit_author = 'Unknown'
+
+    def convert_to_dict(self):
+        _dict = {}
+        _dict.update(self.__dict__)
+        return _dict

Kunlun_M/settings.py

@@ -0,0 +1,164 @@
+"""
+Django settings for Kunlun_M project.
+
+Generated by 'django-admin startproject' using Django 3.0.7.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/3.0/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/3.0/ref/settings/
+"""
+
+import os
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'z18-*z-=gvsv7v+uoh4=owxtnh%9v7uti=7%ahk()&on7%5cvq'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = []
+
+
+# Application definition
+
+INSTALLED_APPS = [
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+]
+
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'Kunlun_M.urls'
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [os.path.join(BASE_DIR, 'templates')]
+        ,
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'Kunlun_M.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/3.0/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.sqlite3',
+        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
+    }
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/3.0/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/3.0/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/3.0/howto/static-files/
+
+STATIC_URL = '/static/'
+
+
+# templates
+# 占位
+
+
+# 全局变量配置
+
+project_directory = os.path.abspath(os.path.join(os.path.dirname(__file__), os.pardir))
+code_path = './tmp'
+if os.path.isdir(code_path) is not True:
+    os.mkdir(code_path)
+running_path = os.path.join(project_directory, code_path, 'running')
+if os.path.isdir(running_path) is not True:
+    os.mkdir(running_path)
+package_path = os.path.join(project_directory, code_path, 'package')
+if os.path.isdir(package_path) is not True:
+    os.mkdir(package_path)
+source_path = os.path.join(project_directory, code_path, 'git')
+
+if os.path.isdir(source_path) is not True:
+    os.mkdir(source_path)
+
+issue_path = os.path.join(project_directory, code_path, 'issue')
+if os.path.isdir(issue_path) is not True:
+    os.mkdir(issue_path)
+
+export_path = os.path.join(project_directory, code_path, 'export')
+if not os.path.exists(export_path):
+    os.mkdir(export_path)
+
+if os.path.isdir('./result') is not True:
+    os.mkdir('./result')
+default_result_path = os.path.join(project_directory, 'result/')
+
+issue_history_path = os.path.join(issue_path, 'history')
+cobra_main = os.path.join(project_directory, 'kunlun.py')
+core_path = os.path.join(project_directory, 'core')
+tests_path = os.path.join(project_directory, 'tests')
+examples_path = os.path.join(tests_path, 'examples')
+rules_path = os.path.join(project_directory, 'rules')
+config_path = os.path.join(project_directory, 'config')
+rule_path = os.path.join(project_directory, 'rule')
+

Kunlun_M/urls.py

@@ -0,0 +1,20 @@
+"""Kunlun_M URL Configuration
+
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/3.0/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+# from django.contrib import admin
+from django.urls import path
+
+urlpatterns = [
+]

Kunlun_M/wsgi.py

@@ -0,0 +1,16 @@
+"""
+WSGI config for Kunlun_M project.
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/3.0/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'Kunlun_M.settings')
+
+application = get_wsgi_application()

README.md

@@ -1,19 +1,34 @@
+<big>**自Cobra-W 2.0版本起，Cobra-W正式更名为Kunlun-M(昆仑镜)，**</big>
+
 <big>**写在最前，Cobra-W就像手中的一把剑，这把剑好不好用是Cobra-W的事，如何使用是你的事，希望能有更多的人参与到Cobra-W的变化中来...**</big>
 
 **请使用python3.6+运行该工具，已停止维护python2.7环境**
 
-# Cobra-W
+# Kunlun-Mirror
 [![GitHub (pre-)release](https://img.shields.io/github/release/LoRexxar/Cobra-W/all.svg)](https://github.com/LoRexxar/Cobra-W/releases)
 [![license](https://img.shields.io/github/license/mashape/apistatus.svg?maxAge=2592000)](https://github.com/wufeifei/cobra/blob/master/LICENSE)
 [![Build Status](https://travis-ci.org/LoRexxar/Cobra-W.svg?branch=master)](https://travis-ci.org/LoRexxar/Cobra-W)
 ![](https://img.shields.io/badge/language-python3.6-orange.svg)
 
+```
+ _   __            _                      ___  ___
+| | / /           | |                     |  \/  |
+| |/ / _   _ _ __ | |    _   _ _ __ ______| .  . |
+|    \| | | | '_ \| |   | | | | '_ \______| |\/| |
+| |\  \ |_| | | | | |___| |_| | | | |     | |  | |
+\_| \_/\__,_|_| |_\_____/\__,_|_| |_|     \_|  |_/
+```
+
 ## Introduction
 Cobra是一款**源代码安全审计**工具，支持检测多种开发语言源代码中的**大部分显著**的安全问题和漏洞。
 [https://github.com/wufeifei/cobra](https://github.com/wufeifei/cobra)
 
 Cobra-W是从Cobra2.0发展而来的分支，将工具重心从尽可能的发现威胁转变为提高发现漏洞的准确率以及精度。
+[https://github.com/LoRexxar/Cobra-W/tree/cobra-w](https://github.com/LoRexxar/Cobra-W/tree/cobra-w)
 
+Kunlun-Mirror是从Cobra-W2.0发展而来，在经历了痛苦的维护改进原工具之后，昆仑镜将工具的发展重心放在安全研究员的使用上，将会围绕工具化使用不断改进使用体验。
+
+目前工具主要支持**php、javascript**的语义分析，以及**chrome ext, solidity**的基础扫描.
 
 ## 特点
 
@@ -23,14 +38,17 @@ Cobra-W是从Cobra2.0发展而来的分支，将工具重心从尽可能的发
 - 多种语言支持。
 - 开源python实现，更易于二次开发。
 
-
 与Cobra相比：
 - 深度重写AST，大幅度减少漏洞误报率。
-- 提供更易于从代码层面定制审计思路的规则书写方式，更易于白帽子使用，易于拓展。
 - 底层api重写，支持windows、linux等多平台。
 - 多层语义解析、函数回溯，secret机制，新增多种机制应用于语义分析。
 - 新增javascript语义分析，用于扫描包含js相关代码。
 
+与Cobra-W相比(todo):
+- 深度优化AST分析流程，使其更符合QL的概念，便于下一阶段的优化。
+- 深度优化辅助审计的流程，使其更符合人类安全研究员审计辅助的习惯。
+- 深度重构代码结构，使其更符合可拓展，可优化的开源理念。
+
 ## TODO
 - <del>改写grep以及find，提供更好的底层支持</del>
 - <del>去除不符合白帽子审计习惯的部分模式以及相关冗余代码</del>
@@ -48,41 +66,17 @@ Cobra-W是从Cobra2.0发展而来的分支，将工具重心从尽可能的发
     - 添加区分前端js与nodejs功能，并为node_js添加专门的扫描
     - 未知语法待解析
 - 完成关于java的静态分析
+- 完善AST分析的路径记录以及分析流程，使其更符合QL的概念
+- 添加Sqlite3作为灵活数据库用于记录以及管理扫描任务以及结果
+- 重构tamper部分，使其更符合人类的配置文件思路
+- 添加cli模式，使其更符合日常使用的工具逻辑
+- 重构rule模式，使其更符合可扩展，可编辑的概念
 
 ## 更新日志
 
 [changelog.md](./docs/changelog.md)
 
 
-# README
-
-```
-cobra-w
-├─cobra
-│  ├─core_engine
-│  └─internal_defines
-├─docs
-├─logs
-├─result
-├─rules
-│  └─php
-├─tests
-   ├─ast
-   │  └─test
-   ├─examples
-   └─vulnerabilities
-```
-
-- cobra: 核心代码目录
-    - core_engine 核心语义分析代码
-    - internal_defines 部分内置变量
-- docs: cobra-W文档目录
-- logs: 扫描log储存位置
-- result: 扫描结果储存位置（默认为.csv）
-- rules: 规则目录
-- tests： 测试代码目录
-
-
 ## 安装
 
 首先需要安装依赖
@@ -92,7 +86,7 @@ pip install -r requirements.txt
 
 然后扫描测试样例查看结果
 ```
-python cobra.py -t ./tests/vulnerabilities/
+python kunlun.py -t ./tests/vulnerabilities/
 ```
 ## 开发文档