tidy & update analysis results (#11)

* remove subtree

* move

* extraction of functions from reports

* clean up

* .

* .

* untrack irrelevant results

* add vulnerability information to analysis reports

* refacor, tests

* .

* refactor

* refactor 1

* refactor 2

* untrack yaml

* cleaned up results

* renaming

Author: vivi365

.gitignore

@@ -10,4 +10,6 @@ data/modules
 **/finish.json
 **/extraRules/
 
-ml
+ml
+
+compose.yaml

cmd/vulncompose/main.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/ASSERT-KTH/go-cryptoapi/internal/compose"
+)
+
+func Usage() {
+	fmt.Println("Usage: ./vulncompose <vulnerability_json_file>")
+	fmt.Println("  Generates docker-compose file from vulnerability spec and analyses them by running `docker compose up`")
+}
+
+func main() {
+	if len(os.Args) != 2 {
+		Usage()
+		os.Exit(1)
+	}
+
+	vulnerabilityFilePath := os.Args[1]
+	if vulnerabilityFilePath == "" {
+		fmt.Println("Error: Vulnerability JSON file path is required")
+		Usage()
+		os.Exit(1)
+	}
+	if !strings.HasSuffix(vulnerabilityFilePath, ".json") {
+		fmt.Println("Error: Invalid file type. Please provide a JSON file.")
+		Usage()
+		os.Exit(1)
+	}
+
+	composeFilePath := filepath.Join("internal", "docker", "compose.yaml")
+	if err := compose.GenerateCompose(vulnerabilityFilePath, composeFilePath); err != nil {
+		fmt.Printf("Error generating compose file from %s:\n  %v\n", vulnerabilityFilePath, err)
+		os.Exit(1)
+	}
+
+	if err := os.Chdir("internal/docker"); err != nil {
+		fmt.Printf("Error changing to docker directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Run docker compose command
+	dockerComposeCmd := exec.Command("docker", "compose", "up", "--build", "--remove-orphans")
+	dockerComposeCmd.Stdout = os.Stdout
+	dockerComposeCmd.Stderr = os.Stderr
+
+	if err := dockerComposeCmd.Run(); err != nil {
+		fmt.Printf("Error running docker compose: %v\n", err)
+		os.Exit(1)
+	}
+
+}

cmd/vulnrunner/main.go

@@ -0,0 +1,146 @@
+[
+  {
+    "function_name": "AddBodyContentMD5Handler",
+    "file_path": "/analysis/repo/private/checksum/content_md5.go",
+    "line_number": 43,
+    "full_implementation": "func AddBodyContentMD5Handler(r *request.Request) {\n\t// if Content-MD5 header is already present, return\n\tif v := r.HTTPRequest.Header.Get(contentMD5Header); len(v) != 0 {\n\t\treturn\n\t}\n\n\t// if S3DisableContentMD5Validation flag is set, return\n\tif aws.BoolValue(r.Config.S3DisableContentMD5Validation) {\n\t\treturn\n\t}\n\n\t// if request is presigned, return\n\tif r.IsPresigned() {\n\t\treturn\n\t}\n\n\t// if body is not seekable, return\n\tif !aws.IsReaderSeekable(r.Body) {\n\t\tif r.Config.Logger != nil {\n\t\t\tr.Config.Logger.Log(fmt.Sprintf(\n\t\t\t\t\"Unable to compute Content-MD5 for unseekable body, S3.%s\",\n\t\t\t\tr.Operation.Name))\n\t\t}\n\t\treturn\n\t}\n\n\th := md5.New()\n\n\tif _, err := aws.CopySeekableBody(h, r.Body); err != nil {\n\t\tr.Error = awserr.New(\"ContentMD5\", \"failed to compute body MD5\", err)\n\t\treturn\n\t}\n\n\t// encode the md5 checksum in base64 and set the request header.\n\tv := base64.StdEncoding.EncodeToString(h.Sum(nil))\n\tr.HTTPRequest.Header.Set(contentMD5Header, v)\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/md5.New",
+      "Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
+      "Slicing_Criteria": {
+        "SourceCode": "h := md5.New()",
+        "SourceFilename": "/analysis/repo/private/checksum/content_md5.go",
+        "SourceLineNum": 43,
+        "ParentFunction": "AddBodyContentMD5Handler (r *github.com/aws/aws-sdk-go/aws/request.Request)"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Dangerous_Function"
+    }
+  },
+  {
+    "function_name": "signEncodedPolicy",
+    "file_path": "/analysis/repo/service/cloudfront/sign/policy.go",
+    "line_number": 200,
+    "full_implementation": "func signEncodedPolicy(randReader io.Reader, jsonPolicy []byte, privKey *rsa.PrivateKey) ([]byte, error) {\n\thash := sha1.New()\n\tif _, err := bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to calculate signing hash, %s\", err.Error())\n\t}\n\n\tsig, err := rsa.SignPKCS1v15(randReader, privKey, crypto.SHA1, hash.Sum(nil))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to sign policy, %s\", err.Error())\n\t}\n\n\tb64Sig := make([]byte, base64.StdEncoding.EncodedLen(len(sig)))\n\tbase64.StdEncoding.Encode(b64Sig, sig)\n\treturn b64Sig, nil\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/sha1.New",
+      "Message": "RFC 9155 - Deprecating SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2. ",
+      "Slicing_Criteria": {
+        "SourceCode": "hash := sha1.New()",
+        "SourceFilename": "/analysis/repo/service/cloudfront/sign/policy.go",
+        "SourceLineNum": 200,
+        "ParentFunction": "signEncodedPolicy (randReader io.Reader, jsonPolicy []byte, privKey *crypto/rsa.PrivateKey) ([]byte, error)"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Dangerous_Function"
+    }
+  },
+  {
+    "function_name": "signEncodedPolicy",
+    "file_path": "/analysis/repo/service/cloudfront/sign/policy.go",
+    "line_number": 205,
+    "full_implementation": "func signEncodedPolicy(randReader io.Reader, jsonPolicy []byte, privKey *rsa.PrivateKey) ([]byte, error) {\n\thash := sha1.New()\n\tif _, err := bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to calculate signing hash, %s\", err.Error())\n\t}\n\n\tsig, err := rsa.SignPKCS1v15(randReader, privKey, crypto.SHA1, hash.Sum(nil))\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to sign policy, %s\", err.Error())\n\t}\n\n\tb64Sig := make([]byte, base64.StdEncoding.EncodedLen(len(sig)))\n\tbase64.StdEncoding.Encode(b64Sig, sig)\n\treturn b64Sig, nil\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/rsa.SignPKCS1v15",
+      "Message": "RSA-PKCS1-v1_5 is deprecated, RSASSA-PSS is recommended, that is, \"SignPSS\"",
+      "Slicing_Criteria": {
+        "SourceCode": "sig, err := rsa.SignPKCS1v15(randReader, privKey, crypto.SHA1, hash.Sum(nil))",
+        "SourceFilename": "/analysis/repo/service/cloudfront/sign/policy.go",
+        "SourceLineNum": 205,
+        "ParentFunction": "signEncodedPolicy (randReader io.Reader, jsonPolicy []byte, privKey *crypto/rsa.PrivateKey) ([]byte, error)"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Warning_Function"
+    }
+  },
+  {
+    "function_name": "LoadEncryptedPEMPrivKey",
+    "file_path": "/analysis/repo/service/cloudfront/sign/privkey.go",
+    "line_number": 45,
+    "full_implementation": "func LoadEncryptedPEMPrivKey(reader io.Reader, password []byte) (*rsa.PrivateKey, error) {\n\tblock, err := loadPem(reader)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tdecryptedBlock, err := x509.DecryptPEMBlock(block, password)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn x509.ParsePKCS1PrivateKey(decryptedBlock)\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/x509.DecryptPEMBlock",
+      "Message": "Deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.",
+      "Slicing_Criteria": {
+        "SourceCode": "decryptedBlock, err := x509.DecryptPEMBlock(block, password)",
+        "SourceFilename": "/analysis/repo/service/cloudfront/sign/privkey.go",
+        "SourceLineNum": 45,
+        "ParentFunction": "LoadEncryptedPEMPrivKey (reader io.Reader, password []byte) (*crypto/rsa.PrivateKey, error)"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Warning_Function"
+    }
+  },
+  {
+    "function_name": "computeBodyHashes",
+    "file_path": "/analysis/repo/service/s3/body_hash.go",
+    "line_number": 47,
+    "full_implementation": "func computeBodyHashes(r *request.Request) {\n\tif aws.BoolValue(r.Config.S3DisableContentMD5Validation) {\n\t\treturn\n\t}\n\tif r.IsPresigned() {\n\t\treturn\n\t}\n\tif r.Error != nil || !aws.IsReaderSeekable(r.Body) {\n\t\treturn\n\t}\n\n\tvar md5Hash, sha256Hash hash.Hash\n\thashers := make([]io.Writer, 0, 2)\n\n\t// Determine upfront which hashes can be set without overriding user\n\t// provide header data.\n\tif v := r.HTTPRequest.Header.Get(contentMD5Header); len(v) == 0 {\n\t\tmd5Hash = md5.New()\n\t\thashers = append(hashers, md5Hash)\n\t}\n\n\tif v := r.HTTPRequest.Header.Get(contentSha256Header); len(v) == 0 {\n\t\tsha256Hash = sha256.New()\n\t\thashers = append(hashers, sha256Hash)\n\t}\n\n\t// Create the destination writer based on the hashes that are not already\n\t// provided by the user.\n\tvar dst io.Writer\n\tswitch len(hashers) {\n\tcase 0:\n\t\treturn\n\tcase 1:\n\t\tdst = hashers[0]\n\tdefault:\n\t\tdst = io.MultiWriter(hashers...)\n\t}\n\n\tif _, err := aws.CopySeekableBody(dst, r.Body); err != nil {\n\t\tr.Error = awserr.New(\"BodyHashError\", \"failed to compute body hashes\", err)\n\t\treturn\n\t}\n\n\t// For the hashes created, set the associated headers that the user did not\n\t// already provide.\n\tif md5Hash != nil {\n\t\tsum := make([]byte, md5.Size)\n\t\tencoded := make([]byte, md5Base64EncLen)\n\n\t\tbase64.StdEncoding.Encode(encoded, md5Hash.Sum(sum[0:0]))\n\t\tr.HTTPRequest.Header[contentMD5Header] = []string{string(encoded)}\n\t}\n\n\tif sha256Hash != nil {\n\t\tencoded := make([]byte, sha256HexEncLen)\n\t\tsum := make([]byte, sha256.Size)\n\n\t\thex.Encode(encoded, sha256Hash.Sum(sum[0:0]))\n\t\tr.HTTPRequest.Header[contentSha256Header] = []string{string(encoded)}\n\t}\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/md5.New",
+      "Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
+      "Slicing_Criteria": {
+        "SourceCode": "md5Hash = md5.New()",
+        "SourceFilename": "/analysis/repo/service/s3/body_hash.go",
+        "SourceLineNum": 47,
+        "ParentFunction": "computeBodyHashes (r *github.com/aws/aws-sdk-go/aws/request.Request)"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Dangerous_Function"
+    }
+  },
+  {
+    "function_name": "newMD5ValidationReader",
+    "file_path": "/analysis/repo/service/s3/body_hash.go",
+    "line_number": 160,
+    "full_implementation": "func newMD5ValidationReader(reader io.ReadCloser, payloadLen int64) *md5ValidationReader {\n\th := md5.New()\n\treturn \u0026md5ValidationReader{\n\t\trawReader:  reader,\n\t\tpayload:    io.TeeReader(\u0026io.LimitedReader{R: reader, N: payloadLen}, h),\n\t\thash:       h,\n\t\tpayloadLen: payloadLen,\n\t}\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/md5.New",
+      "Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
+      "Slicing_Criteria": {
+        "SourceCode": "h := md5.New()",
+        "SourceFilename": "/analysis/repo/service/s3/body_hash.go",
+        "SourceLineNum": 160,
+        "ParentFunction": "newMD5ValidationReader (reader io.ReadCloser, payloadLen int64) *github.com/aws/aws-sdk-go/service/s3.md5ValidationReader"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Dangerous_Function"
+    }
+  },
+  {
+    "function_name": "computeKeyMD5",
+    "file_path": "/analysis/repo/service/s3/sse.go",
+    "line_number": 80,
+    "full_implementation": "func computeKeyMD5(keyHeader, keyMD5Header, key string, r *http.Request) {\n\tif len(key) == 0 {\n\t\t// Backwards compatiablity where user just set the header value instead\n\t\t// of using the API parameter, or setting the header value for an\n\t\t// operation without the parameters modeled.\n\t\tkey = r.Header.Get(keyHeader)\n\t\tif len(key) == 0 {\n\t\t\treturn\n\t\t}\n\n\t\t// In backwards compatiable, the header's value is not base64 encoded,\n\t\t// and needs to be encoded and updated by the SDK's customizations.\n\t\tb64Key := base64.StdEncoding.EncodeToString([]byte(key))\n\t\tr.Header.Set(keyHeader, b64Key)\n\t}\n\n\t// Only update Key's MD5 if not already set.\n\tif len(r.Header.Get(keyMD5Header)) == 0 {\n\t\tsum := md5.Sum([]byte(key))\n\t\tkeyMD5 := base64.StdEncoding.EncodeToString(sum[:])\n\t\tr.Header.Set(keyMD5Header, keyMD5)\n\t}\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/md5.Sum",
+      "Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
+      "Slicing_Criteria": {
+        "SourceCode": "sum := md5.Sum([]byte(key))",
+        "SourceFilename": "/analysis/repo/service/s3/sse.go",
+        "SourceLineNum": 80,
+        "ParentFunction": "computeKeyMD5 (keyHeader string, keyMD5Header string, key string, r *net/http.Request)"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Dangerous_Function"
+    }
+  },
+  {
+    "function_name": "checksumsMatch",
+    "file_path": "/analysis/repo/service/sqs/checksums.go",
+    "line_number": 102,
+    "full_implementation": "func checksumsMatch(body, expectedMD5 *string) error {\n\tif body == nil {\n\t\treturn errChecksumMissingBody\n\t} else if expectedMD5 == nil {\n\t\treturn errChecksumMissingMD5\n\t}\n\n\tmsum := md5.Sum([]byte(*body))\n\tsum := hex.EncodeToString(msum[:])\n\tif sum != *expectedMD5 {\n\t\treturn fmt.Errorf(\"expected MD5 checksum '%s', got '%s'\", *expectedMD5, sum)\n\t}\n\n\treturn nil\n}",
+    "vulnerability_info": {
+      "FuncName": "crypto/md5.Sum",
+      "Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
+      "Slicing_Criteria": {
+        "SourceCode": "msum := md5.Sum([]byte(*body))",
+        "SourceFilename": "/analysis/repo/service/sqs/checksums.go",
+        "SourceLineNum": 102,
+        "ParentFunction": "checksumsMatch (body *string, expectedMD5 *string) error"
+      },
+      "Def_Use_Link": null,
+      "Predicate_Type": "Dangerous_Function"
+    }
+  }
+]

data/analysis/cve/vulnerabilties_conservative/github.com-aws-aws-sdk-go-65-1/gopher_analysis_with_samples.json

@@ -51,10 +51,10 @@
 		"FuncName": "crypto/md5.New",
 		"Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
 		"Slicing_Criteria": {
-			"SourceCode": "h := md5.New()",
+			"SourceCode": "md5Hash = md5.New()",
 			"SourceFilename": "/analysis/repo/service/s3/body_hash.go",
-			"SourceLineNum": 160,
-			"ParentFunction": "newMD5ValidationReader (reader io.ReadCloser, payloadLen int64) *github.com/aws/aws-sdk-go/service/s3.md5ValidationReader"
+			"SourceLineNum": 47,
+			"ParentFunction": "computeBodyHashes (r *github.com/aws/aws-sdk-go/aws/request.Request)"
 		},
 		"Def_Use_Link": null,
 		"Predicate_Type": "Dangerous_Function"
@@ -63,10 +63,10 @@
 		"FuncName": "crypto/md5.New",
 		"Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
 		"Slicing_Criteria": {
-			"SourceCode": "md5Hash = md5.New()",
+			"SourceCode": "h := md5.New()",
 			"SourceFilename": "/analysis/repo/service/s3/body_hash.go",
-			"SourceLineNum": 47,
-			"ParentFunction": "computeBodyHashes (r *github.com/aws/aws-sdk-go/aws/request.Request)"
+			"SourceLineNum": 160,
+			"ParentFunction": "newMD5ValidationReader (reader io.ReadCloser, payloadLen int64) *github.com/aws/aws-sdk-go/service/s3.md5ValidationReader"
 		},
 		"Def_Use_Link": null,
 		"Predicate_Type": "Dangerous_Function"

data/analysis/cve/vulnerabilties_conservative/github.com-aws-aws-sdk-go-65-1/results.json

@@ -3,9 +3,13 @@
   "package": "github.com/aws/aws-sdk-go/service/s3/s3crypto",
   "go_version": "1.11",
   "vul_name": "Use of a Broken or Risky Cryptographic Algorithm",
+  "references": [
+    "https://github.com/aws/aws-sdk-go/pull/3403",
+    "https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc"
+  ],
   "publish": "Introduced: 12 Aug 2020",
-  "cwe": "",
-  "cve": "",
+  "cwe": "CWE-327",
+  "cve": "CVE-2020-8912",
   "summary": "github.com/aws/aws-sdk-go/service/s3/s3crypto is an AWS SDK for the Go programming language.\nAffected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm. A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
   "level": "medium",
   "score": "4.1",

data/analysis/cve/vulnerabilties_conservative/github.com-aws-aws-sdk-go-65-1/vulnerability_info.json

@@ -51,10 +51,10 @@
 		"FuncName": "crypto/md5.New",
 		"Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
 		"Slicing_Criteria": {
-			"SourceCode": "md5Hash = md5.New()",
+			"SourceCode": "h := md5.New()",
 			"SourceFilename": "/analysis/repo/service/s3/body_hash.go",
-			"SourceLineNum": 47,
-			"ParentFunction": "computeBodyHashes (r *github.com/aws/aws-sdk-go/aws/request.Request)"
+			"SourceLineNum": 160,
+			"ParentFunction": "newMD5ValidationReader (reader io.ReadCloser, payloadLen int64) *github.com/aws/aws-sdk-go/service/s3.md5ValidationReader"
 		},
 		"Def_Use_Link": null,
 		"Predicate_Type": "Dangerous_Function"
@@ -63,10 +63,10 @@
 		"FuncName": "crypto/md5.New",
 		"Message": "MD5 - RFC 9155 - Deprecating MD5 Signature Hashes in TLS 1.2 and DTLS 1.2. Use MD5 in HMAC is Acceptable But Not Recommended",
 		"Slicing_Criteria": {
-			"SourceCode": "h := md5.New()",
+			"SourceCode": "md5Hash = md5.New()",
 			"SourceFilename": "/analysis/repo/service/s3/body_hash.go",
-			"SourceLineNum": 160,
-			"ParentFunction": "newMD5ValidationReader (reader io.ReadCloser, payloadLen int64) *github.com/aws/aws-sdk-go/service/s3.md5ValidationReader"
+			"SourceLineNum": 47,
+			"ParentFunction": "computeBodyHashes (r *github.com/aws/aws-sdk-go/aws/request.Request)"
 		},
 		"Def_Use_Link": null,
 		"Predicate_Type": "Dangerous_Function"