Example 1 with Fingerprints

Use of com.google.tsunami.plugins.fingerprinters.web.proto.Fingerprints in the project tsunami-security-scanner-plugins by Google.

Class ResourceFingerprintLoader, method loadFingerprints.

@Override
public ImmutableMap<SoftwareIdentity, FingerprintData> loadFingerprints() throws IOException {
    Stopwatch loadTimeStopwatch = Stopwatch.createStarted();
    ResourceList fingerprintsResources = scanResult.getResourcesMatchingPattern(FINGERPRINTS_RESOURCE_PATTERN);
    ImmutableMap.Builder<SoftwareIdentity, FingerprintData> fingerprintsBuilder = ImmutableMap.builder();
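    for (Resource resource : fingerprintsResources) {
        logger.atInfo().log("Loading fingerprints from resource %s.", resource.getPath());
        // Each matching resource is parsed as one serialized Fingerprints proto message.
        Fingerprints fingerprints = Fingerprints.parseFrom(resource.load());
        fingerprintsBuilder.put(fingerprints.getSoftwareIdentity(), FingerprintData.fromProto(fingerprints));
    }
    // ImmutableMap.Builder rejects duplicate keys: build() throws IllegalArgumentException
    // if two resources declare the same SoftwareIdentity.
    ImmutableMap<SoftwareIdentity, FingerprintData> fingerprints = fingerprintsBuilder.build();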
    logger.atInfo().log("Finished loading %s web fingerprints data in %s.", fingerprints.size(), loadTimeStopwatch.stop());
    return fingerprints;
}
Also used : ResourceList(io.github.classgraph.ResourceList) Fingerprints(com.google.tsunami.plugins.fingerprinters.web.proto.Fingerprints) Stopwatch(com.google.common.base.Stopwatch) SoftwareIdentity(com.google.tsunami.plugins.fingerprinters.web.proto.SoftwareIdentity) Resource(io.github.classgraph.Resource) ImmutableMap(com.google.common.collect.ImmutableMap)

Example 2 with Fingerprints

Use of com.google.tsunami.plugins.fingerprinters.web.proto.Fingerprints in the project tsunami-security-scanner-plugins by Google.

Class FingerprintUpdater, method update.

/**
 * The updater performs the following tasks to update the fingerprint data for a given software:
 *
 * <ol>
 *   <li>The updater tries to crawl a live instance of the given software and identify interesting
 *       static files. Hashes are calculated for these files.
 *   <li>If present, the updater tries to identify potential static files from a local code
 *       repository. For each potential static file, the updater tries to query it on the live
 *       instance. If the static file is present, then hashes are calculated.
 *   <li>All the paths to the previously identified static files and their content hashes are
 *       added to the fingerprint database.
 * </ol>
 */
public void update() throws IOException {
    Fingerprints oldFingerprints = loadFingerprints();
    Map<String, Hash> fileHashes = Maps.newHashMap();
    ImmutableSetMultimap<String, Hash> hashesByCrawledPath = crawlLiveApp();
    for (String crawledPath : hashesByCrawledPath.keySet()) {
        ImmutableSet<Hash> uniqueHashes = hashesByCrawledPath.get(crawledPath);
        if (uniqueHashes.size() != 1) {
            throw new AssertionError(String.format("Same path %s but different hashes %s.", crawledPath, uniqueHashes));
        }
        fileHashes.put(crawledPath, uniqueHashes.iterator().next());
    }
    logger.atInfo().log("Crawler identified %s files. Moving on to check local static files.", fileHashes.size());
    fileHashes.putAll(checkLocalRepos(ImmutableSet.copyOf(fileHashes.keySet())));
    // Remove empty path if present, this is not useful for fingerprint detection.
    fileHashes.remove("");
    if (fileHashes.isEmpty()) {
        logger.atInfo().log("No new fingerprints found.");
    } else {
        logger.atInfo().log("# of new content hashes = %d", fileHashes.size());
        dumpToFile(updateFingerprints(fileHashes, oldFingerprints));
    }
}
Also used : Fingerprints(com.google.tsunami.plugins.fingerprinters.web.proto.Fingerprints) ContentHash(com.google.tsunami.plugins.fingerprinters.web.proto.ContentHash) Hash(com.google.tsunami.plugins.fingerprinters.web.proto.Hash)
