DakshSCRA: A Powerful Source Code Security Audit Tool
<h1 style="color: black; text-align: left; margin-bottom: 10px;">About DakshSCRA</h1><p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">DakshSCRA is a powerful source code security audit tool. It aims to make source code security audits more efficient and to give code auditors a well-structured, well-organized way to review code.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">DakshSCRA examines the target code carefully, flags potential security issues, and prompts the analyst to investigate and confirm each flagged item. Marking every potential issue as a bug would raise the false-positive rate and consume a great deal of the auditor's valuable time and resources. DakshSCRA does not mark every potential issue as a bug, which reduces the time auditors spend on false positives and leads to a more efficient code review process.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Features</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Identifies the areas of the source code that are of interest to the auditor: encourages focused investigation and confirmation instead of indiscriminately marking everything as a bug;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Identifies areas of interest in file paths: recognizes patterns in file paths to determine which parts are relevant to review;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. Software-level reconnaissance to identify the technologies in use: detects the project's technologies so that reviewers can run precise scans with the appropriate rules;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4. Automated, scientific effort estimation for code review: provides a measurable way to estimate the effort a code review will require;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5. Uses platform-specific rules to search for areas of interest;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6. Supports extending or adding new rules for any new or existing language;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">7. Supports generating reports in text, HTML and PDF formats for auditors to view and check.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Installation</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Because the tool is written in Python 3, you first need a working Python 3 environment on your machine. Then clone the project source with the following command:</p>
<pre>git clone https://github.com/coffeeandsecurity/DakshSCRA.git</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Next, install virtualenv:</p>
<pre>$ pip install virtualenv</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Create a virtual environment with virtualenv:</p>
<pre>$ virtualenv -p python3 {name-of-virtual-env}
e.g. virtualenv -p python3 venv</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Activate the virtual environment you just created:</p>
<pre>$ source {name-of-virtual-env}/bin/activate
e.g. source venv/bin/activate</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After running the activate command, the terminal prompt changes to:</p>
<pre>(venv) $</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">With the environment set up, install the tool's remaining dependencies inside the virtual environment:</p>
<pre>pip install -r requirements.txt</pre>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Usage</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The following command prints the tool's help options:</p>
<pre>$ python3 dakshscra.py -h
usage: dakshscra.py [-h] [-r RULE_FILE] [-f FILE_TYPES] [-v] [-t TARGET_DIR] [-l {R,RF}] [-recon] [-estimate]

options:
  -h, --help                show this help message and exit
  -r RULE_FILE              specify the platform-specific rule name
  -f FILE_TYPES             specify the file types to scan
  -v                        specify the verbosity level {-v, -vv, -vvv}
  -t TARGET_DIR             specify the target directory path
  -l {R,RF}, --list {R,RF}  list rules and file types
  -recon                    detect the platform, framework and programming language used by the target code
  -estimate                 estimate the code review effort</pre>
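<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To make the scanning model behind the features and options above concrete, here is an added Python illustration written for this article (not DakshSCRA's own code): it applies hypothetical per-platform rules to a constructed sample source tree, lets the file-type filter default to the rule platform the way -f does, records file paths that match hypothetical path patterns, and reports hits as areas of interest for the reviewer to confirm rather than as bugs. The rule patterns, the file-type mapping, the path patterns and the sample files are all assumptions made for the example.</p>

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Hypothetical per-platform rule sets (constructed for this example, not the
# tool's own RULE_FILEs): each rule names a pattern that marks an area of interest.
RULES = {
    "php": {
        "request input read": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
        "raw SQL query": re.compile(r"\bmysqli?_query\s*\("),
    },
    "javascript": {"DOM sink": re.compile(r"\.innerHTML\s*=")},
}
# Hypothetical FILE_TYPES -> extensions; None scans every file (like allfiles).
FILE_TYPES = {"php": (".php",), "javascript": (".js",), "allfiles": None}
# Hypothetical file-path patterns that mark files worth a closer look.
PATH_AOI = re.compile(r"(auth|login|upload|admin|payment)", re.IGNORECASE)

def scan(target_dir, rule_file, file_types=None):
    """Flag areas of interest. Hits are leads for the reviewer, not confirmed bugs."""
    exts = FILE_TYPES[file_types or rule_file]   # -f defaults to the -r platform
    findings = defaultdict(list)                 # rule name -> (path, line no, text)
    paths_aoi = []
    for path in sorted(Path(target_dir).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(target_dir).as_posix()
        if PATH_AOI.search(rel):
            paths_aoi.append(rel)
        if exts is not None and path.suffix not in exts:
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for rule_name, pattern in RULES[rule_file].items():
                if pattern.search(line):
                    findings[rule_name].append((rel, lineno, line.strip()))
    return dict(findings), paths_aoi

def run_example():
    """Build a constructed sample project in a temp dir and scan it with the php rules."""
    target = tempfile.mkdtemp()
    Path(target, "admin").mkdir()
    Path(target, "admin", "login.php").write_text(
        "<?php\n$user = $_POST['user'];\n$res = mysqli_query($db, $sql);\n")
    Path(target, "app.js").write_text("el.innerHTML = data;\n")
    findings, paths = scan(target, "php")
    return findings, paths, target
```

Calling scan(target, "javascript", "allfiles") on the same tree shows the -f override: every file is read, but only the javascript rules are applied.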
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Usage Examples</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">-f is optional; if it is not given, the tool scans the file types that correspond to the selected rules by default:</p>
<pre>dakshscra.py -r php -t /source_dir_path</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The -f option overrides the default and specifies other file types:</p>
<pre>dakshscra.py -r php -f dotnet -t /path_to_source_dir
dakshscra.py -r php -f custom -t /path_to_source_dir</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Using -recon together with -r performs both reconnaissance and rule-based scanning:</p>
<pre>dakshscra.py -recon -r php -t /path_to_source_dir</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If -recon is given without -r, only reconnaissance is performed:</p>
<pre>dakshscra.py -recon -t /path_to_source_dir</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">-v enables verbose mode and is the default; -vvv runs all rule checks and shows their results:</p>
<pre>dakshscra.py -r php -vv -t /path_to_source_dir</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Supported RULE_FILE values:</p>
<pre>dotnet, java, php, python, javascript</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Supported FILE_TYPES values:</p>
<pre>dotnet, java, php, python, javascript, custom, allfiles</pre>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Report Generation</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">HTML report path:</p>
<pre>DakshSCRA/reports/html/report.html</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PDF report path:</p>
<pre>DakshSCRA/reports/html/report.pdf</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Reconnaissance report path:</p>
<pre>DakshSCRA/reports/text/recon.txt</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Text report of identified patterns:</p>
<pre>DakshSCRA/reports/text/areas_of_interest.txt</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Project file identification reports:</p>
<pre>DakshSCRA/reports/text/filepaths_aoi.txt
DakshSCRA/runtime/filepaths.txt</pre>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">License</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This project is developed and released under the GPL-3.0 open-source license.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Project Repository</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">DakshSCRA</strong>:https://github.com/coffeeandsecurity/DakshSCRA</p>