
Note: DevAudit uses the OSS Index database, which has some rate limiting. If you notice you are hitting the limit, please raise an issue. Authenticated users get a higher limit, and we are implementing authentication into DevAudit soon. Most non-authenticated users probably won't notice the limit for many use cases. It usually kicks in only in much larger projects or at higher project volumes.

DevAudit: Development Auditing

Get the latest release from the releases page.

Screenshot of DevAudit package source audit

Screenshot of DevAudit Wheezy dpkg package source audit

Table of Contents

About

DevAudit is an open-source, cross-platform, multi-purpose security auditing tool targeted at developers and teams adopting DevOps and DevSecOps that detects security vulnerabilities at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and implementation of security auditing in the software development life-cycle. DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code, for potential vulnerabilities based on data aggregated by providers like OSS Index and Vulners from a wide array of sources and data feeds such as the National Vulnerability Database (NVD) CVE data feed, the Debian Security Advisories data feed, Drupal Security Advisories, and many others.

DevAudit helps developers address at least 4 of the OWASP Top 10 risks to web application development:

as well as risks classified by MITRE in the CWE dictionary such as CWE-2 Environment and CWE-200 Information Disclosure

Screenshot of DevAudit ASP.NET application audit

As development progresses and its capabilities mature, DevAudit will be able to address the other risks on the OWASP Top 10 and CWE lists like Injection and XSS. With the focus on web and cloud and distributed multi-user applications, software development today is increasingly a complex affair with security issues and potential vulnerabilities arising at all levels of the stack developers rely on to deliver applications. The goal of DevAudit is to provide a platform for automating implementation of development security reviews and best practices at all levels of the solution stack from library package dependencies to application and server configuration to source code.

Features

Requirements

DevAudit is a .NET 4.6 application. To install locally on your machine you will need either the Microsoft .NET Framework 4.6 runtime on Windows, or Mono 4.4+ on Linux. .NET 4.6 should be already installed on most recent versions of Windows, if not then it is available as a Windows feature that can be turned on or installed from the Programs and Features control panel applet on consumer Windows, or from the Add Roles and Features option in Server Manager on server versions of Windows. For older versions of Windows, the .NET 4.6 installer from Microsoft can be found here.

On Linux the minimum version of Mono supported is 4.4. Although DevAudit runs on Mono 4 (with one known issue) it's recommended that Mono 5 be installed. Mono 5 brings many improvements to the build and runtime components of Mono that benefit DevAudit.

The existing Mono packages provided by your distro are probably not Mono 5 as yet, so you will have to install Mono packages manually to be able to use Mono 5. Installation instructions for the most recent packages provided by the Mono project for several major Linux distros are here. It is recommended you have the mono-devel package installed as this will reduce the chances of missing assemblies.

Alternatively on Linux you can use the DevAudit Docker image if you do not wish to install Mono and already have Docker installed on your machine.

Installation

DevAudit can be installed by the following methods:

Building from source on Linux

  1. Pre-requisites: Mono 4.4+ (Mono 5 recommended) and the mono-devel package which provides the compiler and other tools needed for building Mono apps. Your distro should have packages for at least Mono version 4.4 and above, otherwise manual installation instructions for the most recent packages provided by the Mono project for several major Linux distros are here

  2. Clone the DevAudit repository from https://github.com/OSSIndex/DevAudit.git

  3. Run the build.sh script in the root DevAudit directory. DevAudit should compile without any errors.

  4. Run ./devaudit --help and you should see the DevAudit version and help screen printed.

Note that NuGet on Linux may occasionally exit with Error: NameResolutionFailure which seems to be a transient problem contacting the servers that contain the NuGet packages. You should just run ./build.sh again until the build completes normally.

Building from source on Windows

  1. Pre-requisites: You must have one of:

  2. Clone the DevAudit repository from https://github.com/OSSIndex/DevAudit.git

  3. From a Visual Studio 2015 or .NET command prompt, run the build.cmd script in the root DevAudit directory. DevAudit should compile without any errors.

  4. Run ./devaudit --help and you should see the DevAudit version and help screen printed.

Installing from the release archive files on Windows or Linux

  1. Pre-requisites: You must have Mono 4.4+ on Linux or .NET 4.6 on Windows.

  2. Download the latest release archive file for Windows or Linux from the project releases page. Unpack this file to a directory.

  3. From the directory where you unpacked the release archive run devaudit --help on Windows or ./devaudit --help on Linux. You should see the version and help screen printed.

  4. (Optional) Add the DevAudit installation directory to your PATH environment variable

Installing using the MSI Installer on Windows

The MSI installer for a release can be found on the Github releases page.

  1. Click on the releases link near the top of the page.
  2. Identify the release you would like to install.
  3. A "DevAudit.exe" link should be visible for each release that has a pre-built installer.
  4. Download the file and execute the installer. You will be guided through a simple installation.
  5. Open a new command prompt or PowerShell window in order to have DevAudit in path.
  6. Run DevAudit.

Installing using Chocolatey on Windows

DevAudit is also available on Chocolatey.

  1. Install Chocolatey.
  2. Open an admin console or PowerShell window.
  3. Type choco install devaudit
  4. Run DevAudit.

Installing using Docker on Linux

Pull the DevAudit image from Docker Hub: docker pull ossindex/devaudit. The image tagged ossindex/devaudit:latest (which is the default image that is downloaded) is built from the most recent release, while ossindex/devaudit:unstable is built on the master branch of the source code and contains the newest additions, albeit with less testing.

Concepts

Audit Target

Represents a logical group of auditing functions. DevAudit currently supports the following audit targets:

Audit Environment

Represents a logical environment where audits against audit targets are executed. Audit environments abstract the I/O and command executions required for an audit and allow identical functions to be performed against audit targets on whatever physical or network location the target's files and executables are located. The following environments are currently supported:

Audit Options

These are different options that can be enabled for the audit. You can specify options that apply to the DevAudit program, for example to run in non-interactive mode, as well as options that apply to the target, e.g. if you set the AppDevMode option for auditing ASP.NET applications to true then certain audit rules will not be enabled.

Basic Usage

The CLI is the primary interface to the DevAudit program and is suitable both for interactive use and for non-interactive use in scheduled tasks, shell scripts, CI build pipelines and post-build tasks in developer IDEs. The basic DevAudit CLI syntax is:

devaudit TARGET [ENVIRONMENT] | [OPTIONS]

where TARGET specifies the audit target, ENVIRONMENT specifies the audit environment and OPTIONS specifies the options for the audit target and environment. There are 2 ways to specify options: program options and general audit options that apply to more than one target can be specified directly on the command-line as parameters. Target-specific options can be specified with the -o option using the format -o OPTION1=VALUE1,OPTION2=VALUE2,... with commas delimiting each option key-value pair.

If you are piping or redirecting the program output to a file then you should always use the -n --non-interactive option to disable any interactive user interface features and animations.

When specifying file paths, an @ prefix before a path indicates to DevAudit that this path is relative to the root directory of the audit target, e.g. if you specify -r c:\myproject -b @bin\Debug\app2.exe, DevAudit considers the path to the binary file to be c:\myproject\bin\Debug\app2.exe.
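The two argument conventions above (the -o KEY=VALUE list and the @ root-relative path prefix) are easy to get wrong when DevAudit is driven from a script. The following POSIX sh functions are an added example, not part of the DevAudit project: they model how those arguments are interpreted so a wrapper script can check what it is about to pass. The function names resolve_audit_path and parse_target_options are the example's own; the option name Foo in the usage is a constructed placeholder, AppDevMode is the option named in this README.

```shell
#!/bin/sh
# Added example (not DevAudit's own code): helpers that mirror the DevAudit
# CLI argument conventions so a wrapper script can sanity-check its inputs.

# Resolve a DevAudit path argument against the audit root.
# "@bin/Debug/app2.exe" with root "/myproject" -> "/myproject/bin/Debug/app2.exe"
# "c:\myproject" with "@bin\Debug\app2.exe" -> "c:\myproject\bin\Debug\app2.exe"
# Paths without the "@" prefix are returned unchanged (they are absolute or
# relative to the current working directory, not to the audit root).
resolve_audit_path() {
  root="$1"
  path="$2"
  bs='\'
  case "$path" in
    @*)
      rel="${path#@}"
      # Pick the separator from the root: a root containing a backslash is
      # treated as a Windows-style path, as in the README's example.
      case "$root" in
        *"$bs"*) sep="$bs" ;;
        *)       sep='/' ;;
      esac
      # Drop one trailing separator so we never emit "root//rel".
      root="${root%/}"
      root="${root%"$bs"}"
      printf '%s%s%s\n' "$root" "$sep" "$rel"
      ;;
    *)
      printf '%s\n' "$path"
      ;;
  esac
}

# Split a "-o" value ("OPTION1=VALUE1,OPTION2=VALUE2,...") into one
# "KEY VALUE" pair per output line. Only the first "=" separates key from
# value, so a value may itself contain "=".
parse_target_options() {
  opts="$1"
  printf '%s\n' "$opts" | tr ',' '\n' | while IFS='=' read -r key val; do
    [ -n "$key" ] || continue      # skip empty entries from a trailing comma
    printf '%s %s\n' "$key" "$val"
  done
}

# Usage: show how a script would expand its own arguments before calling DevAudit.
resolve_audit_path /myproject @bin/Debug/app2.exe
parse_target_options 'AppDevMode=true,Foo=a=b'
```

Because the Windows example on the page uses backslashes, the resolver picks the separator from the root path; when scripting on Linux only the first branch matters.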

Audit Targets

Package Sources

For every package source the following general audit options can be used:

Package sources tagged [Experimental] are only available in the master branch of the source code and may have limited back-end OSS Index support. However you can always list the packages scanned and artifacts available on OSS Index using the list-packages and list-artifacts options.

Applications

All applications also support the following common options for auditing the application modules or plugins:

Application Servers

This is an example command line for an application server audit: ./devaudit httpd -i httpd-2.2 -r /usr/local/apache2/ --config-file @conf/httpd.conf -b @bin/httpd which audits an Apache Httpd server running on a Docker container named httpd-2.2.

The following are audit options common to all application servers:

Application servers also support the following common options for auditing the server modules or plugins:

Environments

There are currently 5 audit environments supported: local, remote hosts over SSH, remote hosts over WinRM, Docker containers, and GitHub. Local environments are used by default when no other environment options are specified.

SSH

The SSH environment allows audits to be performed on any remote hosts accessible over SSH without requiring DevAudit to be installed on the remote host. SSH environments are cross-platform: you can connect to a Linux remote host from a Windows machine running DevAudit. An SSH environment is created by the following options: -s SERVER [--ssh-port PORT] -u USER [-k KEYFILE] [-p | --password-text PASSWORD]

-s SERVER Specifies the remote host or IP to connect to via SSH.

-u USER Specifies the user to login to the server with.

--ssh-port PORT Specifies the port on the remote host to connect to. The default is 22.

-k KEYFILE Specifies the OpenSSH compatible private key file to use to connect to the remote server. Currently only RSA or DSA keys in files in the PEM format are supported.

-p Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase.

--password-text PASSWORD Specify the user password or key file passphrase as plaintext on the command-line. Note that on Linux, when your password contains special characters you should enclose the text on the command-line in single quotes, like 'MyPa<ss', to avoid the shell interpreting the special characters.

WinRM

The WinRM environment allows audits to be performed on any remote Windows hosts accessible over WinRM without requiring DevAudit to be installed on the remote host. WinRM environments are currently only available on Windows machines running DevAudit. A WinRM environment is created by the following options: -w IP -u USER [-p | --password-text PASSWORD]

-w IP Specifies the remote IP to connect to via WinRM.

-u USER Specifies the user to login to the server with.

-p Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase.

--password-text PASSWORD Specify the server password or key file passphrase as plaintext on the command-line.

Docker

This section discusses how to audit Docker images using DevAudit installed on the local machine. For running DevAudit as a containerized Docker app see the section below on Docker Usage.

A Docker audit environment is specified by the following option: -i CONTAINER_NAME | -i CONTAINER_ID

Screenshot of DevAudit auditing a Docker container

CONTAINER_(NAME|ID) Specifies the name or id of a running Docker container to connect to. The container must already be running, as DevAudit does not know how to start the container with the name or the state you require.

GitHub

The GitHub audit environment allows audits to be performed directly on a GitHub project repository. A GitHub environment is created by the -g option: -g "Owner=OWNER,Name=NAME,Branch=BRANCH"

OWNER Specifies the owner of the project

NAME Specifies the name of the project

BRANCH Specifies the branch of the project to connect to

You can use the -r, --config-file, and -f options as usual to specify the path to file-system files and directories required for the audit, e.g. the following command: devaudit aspnet -g "Owner=Dnnsoftware,Name=Dnn.Platform,Branch=Release/9.0.2" -r /Website --config-file @web.config will do an ASP.NET audit on the repository https://github.com/dnnsoftware/Dnn.Platform/ using the /Website source folder as the root directory and the web.config file as the ASP.NET configuration file. Note that filenames are case-sensitive in most environments.

Screenshot of a GitHub project audit

Program Options

-n --non-interactive Run DevAudit in non-interactive mode with all interactive features and animations of the CLI disabled. This mode is necessary for running DevAudit in shell scripts, for instance; otherwise errors will occur when DevAudit attempts to use interactive console features.

-d --debug Run DevAudit in debug mode. This will print a variety of informational and diagnostic messages. This mode is used for troubleshooting DevAudit errors and bugs.

Docker Usage

DevAudit also ships as a Docker containerized app which allows users on Linux to run DevAudit without the need to install Mono and build from source. To pull the DevAudit Docker image from Docker Hub:

docker pull ossindex/devaudit[:label]

The current images are about 131 MB compressed. By default the image labelled latest is pulled which is the most recent release of the program. An unstable image is also available which tracks the master branch of the source code. To run DevAudit as a containerized app:

docker run -i -t ossindex/devaudit TARGET [ENVIRONMENT] | [OPTIONS]

The -i and -t Docker options are necessary for running DevAudit interactively. If you don't specify these options then you must run DevAudit in non-interactive mode by using the DevAudit option -n.

You must mount any directories on the Docker host machine that DevAudit needs to access on the DevAudit Docker container using the Docker -v option. If you mount your local root directory at a mount point named /hostroot on the Docker image then DevAudit can access files and directories on your local machine using the same local paths. For example:

docker run -i -t -v /:/hostroot:ro ossindex/devaudit netfx -r /home/allisterb/vbot-debian/vbot.core

will allow the DevAudit Docker container to audit the local directory /home/allisterb/vbot-debian/vbot.core. You must mount your local root in this way to audit other Docker containers from the DevAudit container e.g.

docker run -i -t -v /:/hostroot:ro ossindex/devaudit mysql -i myapp1 -r / --config-file /etc/my.cnf --skip-packages-audit

will run a MySQL audit on a Docker container named myapp1 from the ossindex/devaudit container.

If you do not need to mount your entire root directory then you can mount just the directory needed for the audit. For example:

docker run -i -t -v /home/allisterb/vbot-debian/vbot.core:/vbot:ro ossindex/devaudit netfx -r /vbot -b @bin/Debug/vbot.core.dll

will mount read-only the /home/allisterb/vbot-debian/vbot.core directory as /vbot on the DevAudit container which allows DevAudit to access it as the audit root directory for a netfx application audit at /vbot.

If you wish to use private key files on the local Docker host for an audit over SSH, you can mount your directory that contains the needed key file and then tell DevAudit to use that file path e.g.

docker run -i -t -v /home/allisterb/.ssh:/ssh:ro ossindex/devaudit dpkg -s localhost -u allisterb -p -k /ssh/mykey.key

will mount the directory containing key files at /ssh and allow the DevAudit container to use them.

Note that it's currently not possible for the Docker container to audit operating system package sources like dpkg or rpm or application servers like OpenSSH sshd on the local Docker host without mounting your local root directory at /hostroot as described above. DevAudit must chroot into your local root directory from the Docker container when running executables like dpkg or server binaries like sshd and httpd. You must also mount your local root as described above to audit other Docker containers from the DevAudit container as DevAudit also needs to chroot into your local root to execute local Docker commands to communicate with your other containers.

For running audits over SSH from the DevAudit container it is not necessary to mount the local root at /hostroot.
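The rules in this section (a TTY is needed for -i -t, otherwise DevAudit must get -n; the local root must be read-only mounted at /hostroot for host package sources, host server binaries and for auditing other containers, but not for SSH audits; extra directories such as a key directory are mounted separately) are the kind of thing a CI or cron wrapper gets wrong. The following POSIX sh script is an added example and not part of the DevAudit project. It builds the docker run command line from those rules and mounts nothing more than the rules require. The function names (needs_hostroot, devaudit_docker_cmd, run_devaudit) and the EXTRA_MOUNTS variable are the example's own; the dpkg/rpm/sshd/httpd list comes from the README's own examples and is not an exhaustive list of targets that need the host root.

```shell
#!/bin/sh
# Added example wrapper (not DevAudit's own code) around the ossindex/devaudit
# Docker image. It applies the mount and TTY rules from the README's Docker
# Usage section so the container gets only the access the audit needs.

# Decide whether the Docker host's root must be bind-mounted at /hostroot.
#   - an SSH environment (-s) does not need it: nothing runs on the host
#   - a Docker environment (-i) needs it: DevAudit chroots into the host to
#     run docker commands against the other container
#   - host package sources and server binaries need it; the README names
#     dpkg, rpm, sshd and httpd (assumed here as a non-exhaustive list)
needs_hostroot() {
  target="$1"
  shift
  for a in "$@"; do
    case "$a" in
      -s) return 1 ;;
      -i) return 0 ;;
    esac
  done
  case "$target" in
    dpkg|rpm|sshd|httpd) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the full docker run command line.
# $1 is "tty" (interactive console available) or "notty" (script / CI run);
# the remaining arguments are the DevAudit TARGET [ENVIRONMENT] [OPTIONS].
# EXTRA_MOUNTS may hold space-separated "hostdir:containerdir:ro" entries,
# e.g. a key directory for an SSH audit.
devaudit_docker_cmd() {
  mode="$1"
  shift
  cmd="docker run"
  if [ "$mode" = "tty" ]; then
    cmd="$cmd -i -t"                 # interactive UI needs stdin + a TTY
  fi
  if needs_hostroot "$@"; then
    cmd="$cmd -v /:/hostroot:ro"     # read-only is enough for an audit
  fi
  for m in ${EXTRA_MOUNTS:-}; do
    cmd="$cmd -v $m"
  done
  cmd="$cmd ossindex/devaudit"
  for a in "$@"; do
    cmd="$cmd $a"
  done
  if [ "$mode" != "tty" ]; then
    cmd="$cmd -n"                    # no TTY: DevAudit must run non-interactively
  fi
  printf '%s\n' "$cmd"
}

# Execute the audit. Docker-side options are assembled from fixed strings only,
# so word-splitting $docker_opts is safe; user-supplied DevAudit arguments
# stay quoted and are never passed through eval.
run_devaudit() {
  if [ -t 0 ]; then mode=tty; else mode=notty; fi
  docker_opts=""
  [ "$mode" = "tty" ] && docker_opts="-i -t"
  if needs_hostroot "$@"; then docker_opts="$docker_opts -v /:/hostroot:ro"; fi
  for m in ${EXTRA_MOUNTS:-}; do docker_opts="$docker_opts -v $m"; done
  if [ "$mode" = "tty" ]; then
    docker run $docker_opts ossindex/devaudit "$@"
  else
    docker run $docker_opts ossindex/devaudit "$@" -n
  fi
}

# Usage: show the command lines the README's three scenarios would produce.
devaudit_docker_cmd notty netfx -r /vbot -b @bin/Debug/vbot.core.dll
devaudit_docker_cmd tty mysql -i myapp1 -r / --config-file /etc/my.cnf --skip-packages-audit
EXTRA_MOUNTS="/home/allisterb/.ssh:/ssh:ro" \
  devaudit_docker_cmd tty dpkg -s localhost -u allisterb -p -k /ssh/mykey.key
```

run_devaudit is what a script would call; devaudit_docker_cmd only prints the command so the mounts can be reviewed before anything runs.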

Troubleshooting

If you encounter a bug or other issue with DevAudit there are a couple of things you can enable to help us resolve it:

Known Issues