HP Fortify Security Scanner and Clojure
503 views
Skip to first unread message
ryan medlin
Oct 21, 2015, 4:41:21 PM10/21/15
to Clojure
A customer requires that we scan our clojure projects with this tool:
They must get some meaningful report from this.
So I thought, well why don't I compile and then decompile the class files and then scan those to at least give them something.
However when I do that I get a TON of high security issues in multiple dependencies (ring, clojure.core)
Here is the most prevalent:
/* */ package nio;
/* */
/* */ import clojure.lang.AFunction;
/* */ import clojure.lang.IFn;
/* */ import clojure.lang.RT;
/* */ import clojure.lang.Var;
/* */ import java.nio.Buffer;
/* */ import java.nio.ByteBuffer;
/* */
/* */ public final class core$fn__1869 extends AFunction
/* */ {
/* 284 */ public static final Var const__0 = (Var)RT.var("clojure.core", "make-array");
/* */
/* */ public Object invoke(Object x)
/* */ {
/* 297 */ x = null; Object x = ((ByteBuffer)x).duplicate();
/* 298 */ Object array = ((IFn)const__0.getRawRoot()).invoke(Byte.TYPE, Integer.valueOf(((Buffer)x).remaining()));
/* 299 */ x = null; ((ByteBuffer)x).get((byte[])array); array = null; return array;
/* */ }
/* */ }
Decompiler:
Id the decompiler somehow generating code with these security issues and the actual bytecode does not have them maybe?
I have no idea how to move forward with this. We have to "check a box" for them in corporate speak yet there is no clear path to run a dependable security scan against the codebase.
Yes I realize this is silly to demand running this tool.
Any other tools out there that might be able to scan Clojure code like this?
Andrey Antukh
Oct 21, 2015, 4:56:43 PM10/21/15
to clo...@googlegroups.com
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---
You received this message because you are subscribed to the Google Groups "Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clojure+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Alex Miller
Oct 21, 2015, 6:14:31 PM10/21/15
to Clojure
In general, Clojure code cannot be decompiled from .class to .java as the Clojure generated bytecode does things that cannot be represented in Java. The particular issue below looks like the local-clearing code. It is possible to turn that off during compilation, however there are likely other things as well that cannot be decompiled satisfactorily.
FindBugs works directly from bytecode (not source code) so might be more amenable for this kind of analysis. There is a sonar plugin (https://github.com/zmsp/sonar-clojure) which uses Eastwood and Kibit that might also be useful.
FYI, Clojure is registered in CVE with id CVE-2015-4653 (although there are no reports registered yet). I gather that it is useful to create at least one such thing to make it searchable and I have that on my todo list (although it's not a high priority).
Alex
Didier
Apr 2, 2020, 6:33:50 PM4/2/20
to Clojure
Reviving an old topic here, does anyone know of a Clojure 1.10 compatible security analysis tool? I too thought of just decompiling the .class to Java. It also appears Fortify can run on bytecode only, so I might give that a try if I can't find anything else.
Regards
Alex Miller
Apr 2, 2020, 8:45:03 PM4/2/20
to Clojure
Most Clojure classes cannot be decompiled to Java (locals clearing is all over it and has no Java equivalent, just as one problem, there are others).
Some people have tried this with Fortify and other bytecode oriented scanners but I don't know of anyone that's gotten any results that were useful.
Reply all
Reply to author
Forward
0 new messages