To execute an analysis with the KHS, you need an Ant command on the file
bin\securityChecks.xmlThe KHS can be executed per source code language or multi-language, and you can choose between a “quality” and a “security” scan.
All following commands are run from the root of the KHS installation.
Per source code language or Multi-language
Per source code language
For this mode, only one static analysis is done for the programming language that is passed in a parameter.
Generic basic command
ant -f bin/securityChecks.xml run -Dlanguage=<source code language> -Dproject=<Application name> -Dpaths=<Path to source code directory>Example
ant -f bin/securityChecks.xml run -Dlanguage=vbnet -Dproject="VB Test App" -Dpaths="D:\Projects\Support\20240529 9297 FP VB.net\test"The correct names for the supported source code languages to use in the parameter “-Dlanguage” you can find in the file:
bin\LanguageInfo.propertiesOn the left of the “=” are the language names, on the right are the file extensions that are mapped to this language.
Multi-language
In this mode, the Scanner first performs a “discovery” phase, just like the KLA, using this file to map the source code file extensions to the source code languages:
bin\LanguageInfo.propertiesThis internally generates a list of source code languages that need to be scanned for, and then a static analysis is executed for every one of these languages. Each language step has its own output and log files. All this is done automatically.
Generic basic command
ant -f bin/securityChecks.xml run.multi -Dproject=<Application name> -Dpaths=<Path to source code directory>Example
ant -f bin/securityChecks.xml run.multi -Dproject="My Application" -Dpaths="D:\Projects\Support\20240529 9297 FP VB.net\test"
Executing a Quality or Security scan
There are 2 sets of rule definitions in the “rulesets” folder:
- qaking_<language>.xml: For the Quality scans. This is a more complete set of rules, comparable to a Kiuwan “Code Analysis” scan. For clients mostly interested in security, these rulesets give a lot of unwanted information.
- qaking_<language>_security.xml: For the Security scans. This is a more specialized ruleset, comparable to a Kiuwan “Code Security” scan.
By default, the Quality rulesets are used. If you specifically want to use the Security rulesets instead, you need to add this parameter to the Ant command to launch the Scanner:
-DcheckSecurity=trueExample
ant -f bin/securityChecks.xml run.multi -Dproject="My Application" -Dpaths="D:\Projects\Support\20240529 9297 FP VB.net\test" -DcheckSecurity=true
Optional parameters
All of the previous execution options have the following optional parameters for the Ant command:
Customer name
-Dcustomer=<Customer name>Example
ant -f bin/securityChecks.xml run.multi -Dcustomer=MyCompanyName -Dproject="My Application" -Dpaths="D:\Projects\Support\20240529 9297 FP VB.net\test"This places the output files in a subdirectory under the “out” folder, where the subdirectory name is <Customer name>. If this parameter is not used, the output files go to the default subfolder:
out\MYCUSTOMEREncoding
Character set encoding to use, like ISO-8859-1, or Cp1047. If this parameter is not used, the default encoding is used: UTF-8.
When source code files are in a specific encoding that is not UTF-8, you should always add the correct encoding to the Ant command to avoid unnecessary (parsing) errors.
-Dencoding=<encoding name>Example
ant -f bin/securityChecks.xml run.multi -Dencoding="ISO-8859-1" -Dproject="My Application" -Dpaths="D:\Projects\Support\20240529 9297 FP VB.net\test"
Logs and results
Overall Scanner logs: Parsing Errors
There is one generic Scanner log for the Static Analysis Engine errors and warnings. All errors and warnings for all scans are logged to this logfile:
logs\qaking.logThis is the place to look for details on:
- Parsing errors in any source code language, source code file, and scan. These are in the same format as the KLA parsing error detail logs.
Log files per scan
Scan result summary
This log can be found in:
out\<Customer name>\<Application name>.log
Example (with customer name):
out\MYCUSTOMER\MyApp.log
This log will show:
- Number of files and violations.
- Total processing time.
- Time percentages per rule/parsing.
- Violations per rule and a listing of all rules that were executed.
- The rules are listed by rule code.
- Details about these rules can be found up in the files in the “rulesets” folder of the Scanner installation.
Example
Analysis Finished. 32 violations found.42 files analyzed. Final Results
Total time in parsing + processing rules: 1.45 s
OPT.PHP.AssignObjectsInInstantiation0;0 ms 0.000% :0 violations
OPT.PHP.AvoidConcatInEcho0;0 ms 0.000% :0 violations
...
OPT.PHP.AssignNullInFunctionCall32;155 ms 10.727% :1 violations
_parsing_32;256 ms 17.716%
Output files per scan
There are two output files, per scan and per language. Both give a list of violations, on files/line numbers/rules. Both are in XML format, but have a different organization and detail level. These files can be found at:
out\<Customer name>\<Application name>_<language>.xmlout\<Customer name>\<Application name>_<language>.xml.issuesExample (with customer name)
out\MYCUSTOMER\MyApp_csharp.xmlout\MYCUSTOMER\MyApp_csharp.xml.issuesResults for “Tainting Propagation” rules
The “Tainting Propagation” type of rules gives in Kiuwan Code Security the specific data for the data traversal paths, in text data and in graphical form.
Test case: In two files of the public domain project “Webgoat _Legacy” show vulnerabilities for rule OPT_JAVA_SEC_JAVA_CommandInjectionRule.
In the output files of the KHS
There are two output files to show these details. In this example:
- The .xml file
out\MYCUSTOMER\WebGoat_1_java.xmlThis shows only the source and sink nodes, the details of the propagation path nodes are not here. (Only relevant lines):
<Issue>
<IssueTypeId>OPT_JAVA_SEC_JAVA_CommandInjectionRule</IssueTypeId>
<Files>
<SourceFile>
<File>src\\main\\java\\org\\owasp\\webgoat\\util\\Exec.java</File>
<Line>107</Line>
<StackDumps>
<StackDump>
<Frame>
<FrameId>0</FrameId>
<SourceFile>src\\main\\java\\org\\owasp\\webgoat\\util\\Exec.java</SourceFile>
<SourceLine>107</SourceLine>
<Comment></Comment>
</Frame>
<Frame>
<FrameId>1</FrameId>
<SourceFile>src\\main\\java\\org\\owasp\\webgoat\\lessons\\Challenge2Screen.java</SourceFile>
<SourceLine>646</SourceLine>
<Comment>Start taint trace</Comment>
</Frame>
</StackDump>
</StackDumps>
</Issue>- The .xml issues file
This file shows the complete path with propagation nodes and the data path, as Kiuwan Code Security does. Example (Only relevant lines):
<Issue id='1890' check='OPT.JAVA.SEC_JAVA.CommandInjectionRule' severity='critical' security='true'>
<Location fileId='151' path='src/main/java/org/owasp/webgoat/util/Exec.java' line='107'/>
<Code> child = Runtime.getRuntime().exec(command);</Code>
<Frames>
<Frame id='1' kind='source' category='user_input' resource='web'>
<Location fileId='23' path='src/main/java/org/owasp/webgoat/lessons/Challenge2Screen.java' line='646'/>
<Code>protocol = s.getParser().getRawParameter(PROTOCOL, "tcp")</Code>
</Frame>
<Frame id='2' kind='propagation' category='command_injection' resource='environment'>
<Location fileId='23' path='src/main/java/org/owasp/webgoat/lessons/Challenge2Screen.java' line='660'/>
<Code>er = Exec.execSimple(cmd);</Code>
</Frame>
<Frame id='3' kind='propagation' category='command_injection' resource='environment'>
<Location fileId='151' path='src/main/java/org/owasp/webgoat/util/Exec.java' line='444'/>
<Code> return (execOptions(command, "", 0, 0, false));</Code>
</Frame>
<Frame id='4' kind='sink' category='command_injection' resource='environment'>
<Location fileId='151' path='src/main/java/org/owasp/webgoat/util/Exec.java' line='107'/>
<Code> child = Runtime.getRuntime().exec(command);</Code>
</Frame>
</Frames>
</Issue>