package-analysis icon indicating copy to clipboard operation
package-analysis copied to clipboard
verified publisher icon ossf

add urls (http+https) to json report

Open jossef opened this issue 3 years ago • 1 comments

It is highly valuable to include URLs audited as part of the analysis in the JSON report. For example (see URLs field):

{
  "Package": {
    "Name": "package-name",
    "Version": "1.2.3",
    "Ecosystem": "npm"
  },
  "CreatedTimestamp": 1674062447,
  "Analysis": {
    "install": {
      "Status": "",
      "Stdout": "...",
      "Stderr": "...",
      "Files": [],
      "Sockets": [],
      "Commands": [],
      "DNS": [],
      "URLs": [
        "http://2oqwmc7o04ssmcdi4e6wn79ys2vnkh.burpcollaborator.net/",
        "https://raw.githubusercontent.com/Gauravbhatia1211/experiment/main/exps.sh"
      ],
    }
  }
}

How to deal with HTTPS traffic?

Had a great chat with @oliverchang, @calebbrown, and @alik-kold. Suggesting adding a MITM-TLS component and routing the TLS traffic through a transparent proxy component able to audit the URLs, body, headers, and more valuable information:

@alik-kold built a working POC with the following architecture (this is the original):

  • adding sslsplit to the analysis container
  • configuring the sandbox container so HTTP + HTTPS traffic will be routed through sslsplit
  • installed the self-signed generated root CA certificate globally on the sandbox container 2023-01-19 package-analysis create issues - Page 1 (1)

We started working on this feature. let us know WDYT 🙏

jossef avatar Jan 19 '23 10:01 jossef

This sounds awesome! Very keen to see it in action :D

We might need to think about how to add that extra data (e.g. headers, request / response body, etc) in the JSON - if we want it.

maxfisher-g avatar Jan 20 '23 04:01 maxfisher-g