SecurityBot

This is a Github bot to make security testing even more automated and easily accessible. This project is a part of the CSC-510 Software Engineering course at NC State,

Team Members

• Jitin Kumar (jkumar3)
• Palak Agrawal (pagrawa2)
• Sachin Ahuja (sahuja3)
• Tanmay Goel (tgoel)

Bot Design

The detailed design document can be found at Design page.

Bot Milestone

Documentation for BOT Milestone

The detailed document containing description about the application flow, the design patterns, mocking and selenium testing can be found in BOT page.

Instructions to Run the Application

Our complete application is divided into two parts: Server Hosted Bot Application and Local Bot Application. The server hosted bot listens to GitHub events and extracts detail about these events. When a local bot polls to the server bot it delegates the event to local instance. Local instance then runs the penetration testing and returns the set of vulnerabilities as a result to server bot. The server bot raises an issue, comments on push and pull requests, or sends an email depending upon the type of event it received from the GitHUb.

Instruction to set up the Server Bot

Server bot is already deployed on heroku. You can test it live on heroku.

Instruction to set up Local Bot

1. Clone the PatientsApp repository from github.

2. Build setup

• Install Ant, Tomcat and and Jenkins
• Browse to Tomcat directory -> conf -> tomcat-users.xml and add in tomcat-users:
• <user username="deployer" password="deployer" roles="manager-script" />
• Login into Jenkins and create a new item named PatientsApp
• Select Git in source code management and give local repo path
• Leave the branch as master
• Select With Ant in build environment
• I Build, select Ant version
• In Post-Build Actions, add credentials as 'deployer', 'deployer'
• Click save and apply

3. After performing the above steps, make the changes in the conf.json to change the tomcat URL of patient app in repo, Jenkins URL, path at which PatientsApp is cloned as repo_path, the zap url, jenkins path to jenkins-cli.jar.

Instructions to install SNYK

Follow the following steps to install SNYK:

1. Run the command "npm install -g snyk"

2. Got to SNYK and create your account. Click on MyAccount tab on the top right and copy your API token

3. Using the API token above run the following command: "snyk auth <YOUR_TOKEN_HERE>"

In the last step replace your token in place of <YOUR_TOKEN_HERE>. Performing the above three steps will successfully install and authenticate SNYK.

Deployment milestone

We have created ansible playbook for deploying our bot server and a local instance:

Deployment of Local Instance

1. To deploy local instance bot add the following environment variables to the ansible server:

   • zap_key : It contains the ZAP key
   • snyk_api_token : It is Snyk API token for authentication
   • bot_git : Link for ".git" file for Security Bot
   • patients_git: Link for ".git" file for PatientsApp

2. After setting the above environment variables run this ansible playbook

Deployment of Server BOT

1. To deploy the server instance, add the following environment variables to your ansible server

   • ROBOCOP_GMAIL_USERNAME: Gmail username from which robocop reports will be sent
   • ROBOCOP_GMAIL_PASSWORD: Password for the above Gmail username
   • ROBOCOP_PRIVATE_KEY: The private key generated by github to identify requests coming from robocop. For Script Testing, this can be any rsa key value where newlines are replaced by '\n' charachter. For actual deployment, this needs to be generated from github.
   • DATABASE_PASSWORD: The password that you want to set for the mysql server.

2. After setting the above environment variable run this ansible playbook

Final Report

The final report is available here. A short screencast explaining the motivation and features of our bot can be found on YouTube.