I know it's a simple question, I already did the code analysis, but I didn't understand how to access Horusec-Manager, is it your central server or a web server that is installed on the local machine?

Environment:

• Horusec version (use horusec version): 1.8.0
• Operating System: Kali

- What I did Where a tool provides an identifier for the rule being violated, add that identifier to RuleId

- How to verify it Create an output which depends upon the RuleId field, such as the SARIF type

- Description for the changelog Add rule IDs for supported tools

Signed-off-by: Anthony Turner [email protected]

What I did

Added SARIF-compatible output structures as an output option in the same vein as SonarQube

How to verify it

Use -o sarif as an option with Horusec to output a SARIF report

- Description for the changelog Adds SARIF output support

Want to note that this is not necessarily complete; there are several things which just don't exist in Horusec right now. For example, I notice not all of the engine modules have RuleIDs populated, and there is other metadata (such as URL) which need to have a lookup table or some other place to pull them from. This might mean authoring a .csv file to track the metadata or maybe embedding it into code somehow is better.

Hopefully this at least helps get the conversation started.

• See also #937

Alterei as seguintes variáveis ::

REACT_APP_HORUSEC_ENDPOINT_API="https://sec.meuend.com.br:8000" REACT_APP_HORUSEC_ENDPOINT_ANALYTIC="https://sec.meuend.com.br:8005" REACT_APP_HORUSEC_ENDPOINT_ACCOUNT="https://sec.meuend.com.br:8003" REACT_APP_HORUSEC_ENDPOINT_AUTH="https://sec.meuend.com.br:8006":

O resultado após novo 'make install é não conseguir logar na página:

Environment:

• Horusec version (use horusec version): v1.8.0
• Operating System: Ubuntu 20.04
• Others: Existe algum outro item que necessita de ajustes nos parâmetros ??

What happened:

I used with my laravel(php) project, and the tool said that my password is hardcoded, but is a validation rule

What you expected to happen: That this not happens How to reproduce it (as minimally and precisely as possible): Create a laravel project, and a validation rule with password is required.

Anything else we need to know?: The error and the file

Environment:

• Horusec version (use horusec version): 1.10.1
• Operating System: ubuntu 20.04
• Network plugin / Tool and version (if this is a network-related / tool bug): laravel (php) 8.0
• Others:

What happened: I am running Horusec in a pipeline using Docker. I have a Python script that receives the desired parameters and configurations, runs the scan, and shows the results. Two weeks ago it was working fine, but I ran it again yesterday and some issues appeared. First, it returned an error saying "open: /tmp is a directory". I just create a new branch and without any change in the code, the scanner started to work but currently, it is not taking my config-file.json

How to reproduce it (as minimally and precisely as possible): This is how I am building the command structure in my Python code:

def GetStartHorusecCMD(imageName, reportName, outputFormat, configFilePath):  
    command =("docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src "+imageName+
            ":latest horusec start -p /src -P $(pwd) --config-file-path "+configFilePath+" -o "+outputFormat)  
    if outputFormat != 'text':
            command = command + " -O /src/Horusec/"+ reportName
   return command 

And the variables that I am passing in my pipeline (running in an Ubuntu environment in GitHub) are:

imageName: "horuszup/horusec-cli" 
reportName: "Horusec-21-10-07"
outputFormat: 'json'
configFilePath: '/src/Horusec/horusec-config.json'

Anything else we need to know?: This is my project structure:

Configurations showed using the --log-level=debug flag:

Environment:

• Horusec version (use horusec version): We are downloading the latest version from Docker
• Operating System: Ubuntu-latest (GitHub pipeline environment)
• Network plugin / Tool and version (if this is a network-related / tool bug): N/A
• Others:

**horusec-manager inicializa com a página em branco **:

** Após executados os passos abaixo conforme orientação para instalação local o horusec manager carrega com página em branco

• git clone https://github.com/ZupIT/horusec.git
• make install**:

Anything else we need to know?:

Environment:

• Horusec version (use horusec version): 1.6.1
• Operating System: Ubuntu 20.04.1 kernel 5.4.0-1029-aws
• Others: docker-compose 1.25.0 , docker 20.10.1

What happened: I install the web manager in another host i am trying run a analysis and sent it, but the analysis dont show in web manager How to reproduce it (as minimally and precisely as possible): install horusec manager in another host. Run a analisis and put the flag -u whit the ip where manager are located and the token Web manager dont show the analisys Anything else we need to know?: How to know what is the error, because, the anlysis dont show if the conection was succesfull Environment:

• Horusec version : V2.0
• Operating System: kali linux
• Network plugin / Tool and version (if this is a network-related / tool bug):
• Others: instalation whit docker and docker compose

What would you like to be added: Rule IDs to quickly differentiate flagged items on engines other than HorusecEngine.

Why is this needed: If we are adding RuleId elsewhere (as in SARIF or JSON), having content to populate that field will be necessary.

I created an example of what I'm thinking here: https://github.com/anthturner/horusec/commit/71f2b4939ceccca0fe4b59949785cb5c5d892d77

I'll be happy to continue building it out if the community thinks this is the right approach.

What happened: Eu estou tentando subir a stack em um servidor, aqui utilizo o traefik como proxy reverso, adicionei as labels do meu proxy reverso e subi a stack utilizando docker-compose -f deployments/docker-compose.yaml e tudo ocorreu sem erros, mas ao logar no manager, o mesmo não consegue autenticar com a api e o auth.

Gostaria de entender como alterar os endereços de comunicação entre os containers, visto que via console vi que está chamando em localhost (127.0.0.1:8006)

Environment:

• Horusec version (use horusec version): latest
• Operating System:
• Ubuntu server 20.04
• Network plugin / Tool and version (if this is a network-related / tool bug): traefik as reverse proxy

DEPENDS ON

• https://github.com/ZupIT/horusec/pull/508
• https://github.com/ZupIT/horusec-devkit/pull/61

- What I did

Added Checkov as a HCL analyzer, which provides larger coverage than Tfsec. Current implementation ignores docker and secrets vulnerability, and only shows terraform vulnerabilities. Closes #507

- How to verify it

Run horusec with terraform enabled, without ignoring checkov. This repository https://github.com/bridgecrewio/terragoat can be used to scan on, with known vulnerabilities

- Description for the changelog

• Added Checkov as HCL analyzer

What happened: Flawfinder failed to run

What you expected to happen: flawfinder should be running

How to reproduce it (as minimally and precisely as possible): Install horusec and run it (tested on Linux and MacOS)

Anything else we need to know?:

error log:

ERRO[0052] {HORUSEC_CLI} Error while running tool Flawfinder: record on line 14: wrong number of fields 

Environment:

• Horusec version (use horusec version): v2.8.0
• Operating System: Ubuntu + MacOS
• Network plugin / Tool and version (if this is a network-related / tool bug): n/a
• Others:

What would you like to be added: Hi, I am performing an evaluation study on Java SAST tools, and I noticed that Horusec is better than other tools like Spotbugs(with FindSecurityBugs) when running on our dataset.

• However, we found that Horusec cannot support to scan vulnerabilities related to CWE-682 and CWE-697. which is an interesting point to us. So, we want to inquire developers that why these types are not supported? We infer that it is because that these types are overlapping with other CWE classes, but we are not sure.

• Another concern is that we found that the time performance of Horusec is better than Semgrep although Semgrep is one of the tools integrated within it. Is there any optimization technology related architecture?

We will appreciate it if you could kindly explain this point of view.

The current docker-compose setup requires the external network to access other components such as config, login, etc.. Is it possible to route those requests to the internal network

How to reproduce it (as minimally and precisely as possible): The browser tries to connect to config endpoint over a public IP, is it possible to route those requests on the internal host network (container -> container)?

Environment:

• Horusec version (use horusec version): v2.8.0
• Operating System: Ubuntu 20.04.5 LTS (Focal Fossa)

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | alpine | final | patch | 3.16.0 -> 3.16.3 |

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

With the release of k8s 1.2 they will end the support for docker runtime. Horusec relies on the underlying docker socket (/var/run/docker.sock). Are there there any plans for moving to any other runtime(containerd)?

Thanks in advance!

What happened: I'm running Horusec using the command docker run --rm -v "/var/run/docker.sock:/var/run/docker.sock" -v "/home/myuser/repos/my_python_project:/src/horusec" --network host horuszup/horusec-cli:latest horusec start -p /src/horusec -P /home/myuser/repos/my_python_project -s INFO,LOW --enable-owasp-dependency-check --enable-git-history --enable-commit-author --config-file-path '/src/horusec/horusec-config.json' -o sonarqube -O /src/horusec/sonar-out.json

My horusec-config.json has the following content:

{
  "horusecCliFilesOrPathsToIgnore": [
    "tests/**"
  ]
}

My sonar-out.json comes with this content:

{
  "issues": [
    {
      "type": "VULNERABILITY",
      "ruleId": "HorusecEngine",
      "engineId": "horusec",
      "severity": "BLOCKER",
      "effortMinutes": 0,
      "primaryLocation": {
        "message": "(1/1) * Possible vulnerability detected: Password found in a hardcoded URL\nA password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.",
        "filePath": "tests/unit/infrastructure/mysql/test_mysql.py",
        "textRange": {
          "startLine": 72,
          "startColumn": 27
        }
      }
    },
    {
      "type": "VULNERABILITY",
      "ruleId": "GitLeaks",
      "engineId": "horusec",
      "severity": "BLOCKER",
      "effortMinutes": 0,
      "primaryLocation": {
        "message": "(1/1) * Possible vulnerability detected: Hardcoded Credential",
        "filePath": "tests/infrastructure/mysql/test_mysql.py",
        "textRange": {
          "startLine": 72,
          "startColumn": 29
        }
      }
    }
  ]
}

What you expected to happen: The sonar-out.json report should come empty, since both vulnerabilities are in files whose paths match the expression passed in the horusecCliFilesOrPathsToIgnore variable in horusec-config.json file.

How to reproduce it (as minimally and precisely as possible): Create a file that has a vulnerability and place it in a directory. Add to the horusec-config.json file the variable horusecCliFilesOrPathsToIgnore, and add to this variable an expression that has a directory that is one of the parents of the directory that contains the file you created, followed by the wildcard /**, so the expression matches the file you created. Run horusec using a command that is equivalent to the one I mentioned in the "What happened" section. The output recorded in sonar-format should contain the vulnerability that was supposed to be ignored.

Anything else we need to know?:

• The second vulnerability ("ruleId": "GitLeaks") is present only in Git history, because the file has been moved to another path (the one of the first vulnerability).

• If I change tests/** to **/tests/**, Horusec runs normally and the first vulnerability ("ruleId": "HorusecEngine") does not appear in the sonar report, but the second one still does. As far as I can tell, **/tests/** is not a valid expression.

Environment:

• Horusec version (use horusec version):

Version: v2.8.0 Git commit: df32c1ce03d2de748cecb76cff383f2851e198c3 Built: Wed Jun 08 13:57:08 2022 Distribution: normal

• Operating System:

docker run horuszup/horusec-cli:latest cat /etc/os-release provides the following output:

NAME="Alpine Linux" ID=alpine VERSION_ID=3.15.0 PRETTY_NAME="Alpine Linux v3.15" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/"

I'm running Docker over (lsb_release -a output): Distributor ID: Ubuntu Description: Ubuntu 20.04.5 LTS Release: 20.04 Codename: focal

• Network plugin / Tool and version (if this is a network-related / tool bug):
• Others: