Static Application Security Testing using Bearer CLI - Your Code from Vulnerable to Virtually Invincible

Ansari Mustafa
Intelliconnect Engineering
Feb 12, 2024

Our Software Engineering team at Intelliconnect Technologies set out to make writing secure code the easy default. We wanted linter-like tools that warn about security vulnerabilities and risks inside the developer environment, before code ever reaches review.

While researching options, keeping in view our company's “Developer Automation” approach to empowering teams, I came across this Reddit post with recommendations from the OWASP Top 10 list. The list is quite comprehensive, and from experience it's quite easy to miss some of the mentioned best practices while programming. Our search for a static application security testing (SAST) tool built to scan for these vulnerabilities led us to Bearer CLI.

Bearer CLI is an open source SAST tool that scans source code for potential vulnerabilities. At the time of writing, Bearer CLI ships native builds only for Linux and macOS.
This article outlines how to set up Bearer CLI on Windows using WSL and then use it to scan our code for potential security vulnerabilities. At the time of writing, Bearer CLI supports JavaScript, TypeScript, Ruby, Java, PHP, Go and Python.

Step 1. Setting up Linux in the WSL

Installing Linux in WSL is relatively straightforward, but first you need WSL itself installed on your Windows device. Search for “WSL” in the Microsoft Store or use this link.

Once WSL has been set up, you can install a Linux distribution of your liking. We will be using Ubuntu 22.04.3 LTS. The steps to install it are similar: search for “Ubuntu” in the Microsoft Store or use this link.

To check whether WSL and Ubuntu have been installed correctly, open Command Prompt and run this command (I prefer to use PowerShell because of autocomplete):

> wsl -l

The output lists the installed Linux distributions. If Ubuntu-22.04 appears in that list, the installation was successful.

Step 2. Installation of Bearer CLI

To start our newly added Linux distribution, run this command:

> wsl -d ubuntu-22.04

Note: When launching the Linux distribution for the first time, you may be prompted to perform some initial setup tasks, such as creating a username and password. The password will be needed later, since the installation steps below use sudo.

Sometimes WSL fails to locate the Ubuntu distribution we downloaded earlier and shows an error message such as:

Failed to attach disk 'C:\Users\...' to WSL2: The system cannot find the path specified.
Error code: Wsl/Service/CreateInstance/MountVhd/ERROR_FILE_NOT_FOUND

To resolve this, run this command below:

> wsl --install

Now install Bearer CLI by running the commands below one by one. Note that [trusted=yes] tells apt to accept this repository without verifying a repository signing key, so the only protection for the download is the TLS connection to apt.fury.io. If that is not acceptable in your environment, use one of the other installation methods in the Bearer docs, such as the release binaries on the project's GitHub releases page, and verify the published checksum before running the binary.

$ sudo apt-get install apt-transport-https
$ echo "deb [trusted=yes] https://apt.fury.io/bearer/ /" | sudo tee -a /etc/apt/sources.list.d/fury.list
$ sudo apt-get update
$ sudo apt-get install bearer

To check that Bearer has been installed successfully, run the command below:

$ bearer

With no arguments, Bearer CLI prints its usage text, which confirms that the binary is installed and on your PATH.

Step 3. Scanning the source code of the project

For this article we will be using OWASP Juice Shop, an intentionally vulnerable web application that is probably the most popular project for demonstrating the OWASP Top 10 vulnerabilities.

To begin, clone the project into a directory of your choosing:

> git clone https://github.com/juice-shop/juice-shop
> cd juice-shop

If you cloned the juice-shop project into one of your Windows directories, start the Ubuntu distribution in WSL before scanning. Windows drives are mounted under /mnt inside WSL, so a project at C:\Users\<you>\juice-shop is reached from Ubuntu as /mnt/c/Users/<you>/juice-shop. Scanning files on a mounted Windows drive is noticeably slower than scanning inside the Linux filesystem, so for large projects it is worth cloning into your Ubuntu home directory instead.

To start the distribution, use the command below:

> wsl -d ubuntu-22.04

Since a scan of the entire project might take a while, we can also run the Bearer scan on any particular module of our choosing.

For now let's scan the src directory inside the frontend folder. Keep in mind that most of Juice Shop's intentional server-side flaws live outside frontend/src (for example in routes/ and lib/), so a partial scan like this is a quick smoke test, not a full assessment of the application.

$ bearer scan frontend/src

Depending on your device it might take a few minutes to generate the security report. Once done, the output looks something like the following:

(Screenshot: section of the security report generated)

You can examine the security report and change the code to resolve the findings. For a finding you have confirmed to be a false positive, run the command below with the finding's fingerprint, which is printed alongside each finding in the report:

$ bearer ignore add <id>

Bearer records the ignore in a bearer.ignore file in the project root. Commit that file so the team's triage decisions travel with the code and are visible in code review, and treat each entry as a decision that needs a justification rather than a way to make the report quiet.

Below each finding in the security report there is a link to the Bearer CLI docs, where you can learn more about the exact vulnerability class that was found. For example, this is the link from the screenshot above. The report also gives the exact line of code and the path to the file.

The scan has several configuration options, and the report can be generated in different formats suitable for CI pipelines and code-scanning dashboards; the instructions can be found here.
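One way to put a machine-readable report to use is to gate a CI job on it. The script below is an added example, not code from this article or from the Bearer project. It assumes the report was written with bearer scan <path> --format sarif --output bearer.sarif (SARIF is one of the output formats listed in the Bearer docs) and reads only standard SARIF 2.1.0 fields, so it does not depend on Bearer-specific JSON keys. The embedded report is constructed for illustration; its rule ids, paths and messages are placeholders, not output from a real scan.

```python
"""Triage and gate a Bearer SARIF report in CI.

Added example, not part of the original article or the Bearer project.
Assumes the report was produced with:
    bearer scan <path> --format sarif --output bearer.sarif
Only standard SARIF 2.1.0 fields are read (runs[].results[].ruleId, level,
message.text, locations[].physicalLocation). The sample report below is
constructed for illustration; rule ids, paths and messages are placeholders.
"""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample report (not real scan output): three findings, one of
# them in a vendored directory the team does not maintain.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Bearer"}},
        "results": [
            {"ruleId": "example_rule_insecure_cookie", "level": "error",
             "message": {"text": "placeholder finding 1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "frontend/src/app/login/login.component.ts"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example_rule_hardcoded_secret", "level": "warning",
             "message": {"text": "placeholder finding 2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "frontend/src/environments/environment.ts"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "example_rule_insecure_cookie", "level": "error",
             "message": {"text": "placeholder finding 3"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "frontend/src/assets/vendor/lib.js"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})


def load_findings(sarif_text: str) -> List[dict]:
    """Flatten the results of every run into plain dicts.

    SARIF defines "warning" as the level of a result that carries none, and a
    result with no location is tolerated so one malformed entry cannot break
    the gate.
    """
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            phys = locations[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "<unknown rule>"),
                "level": result.get("level", "warning"),
                "path": phys.get("artifactLocation", {}).get("uri", "<unknown path>"),
                "line": phys.get("region", {}).get("startLine"),
                "text": result.get("message", {}).get("text", ""),
            })
    return findings


def exclude_paths(findings: Iterable[dict], prefixes: Iterable[str]) -> List[dict]:
    """Drop findings under paths the team does not own (vendored or generated code).

    Keeping the list in the CI script, instead of silently ignoring fingerprints,
    makes the exclusion reviewable.
    """
    prefixes = tuple(prefixes)
    return [f for f in findings if not f["path"].startswith(prefixes)]


def summarize(findings: Iterable[dict]) -> Dict[str, Counter]:
    """Count findings by SARIF level and by rule id."""
    findings = list(findings)
    return {
        "by_level": Counter(f["level"] for f in findings),
        "by_rule": Counter(f["rule"] for f in findings),
    }


def gate(findings: Iterable[dict], max_errors: int = 0) -> int:
    """Exit status for CI: 1 when error-level findings exceed the budget, else 0."""
    errors = sum(1 for f in findings if f["level"] == "error")
    return 1 if errors > max_errors else 0


def render(findings: Iterable[dict]) -> str:
    """One line per finding, most severe first, for the job log."""
    order = {"error": 0, "warning": 1, "note": 2, "none": 3}
    rows = sorted(findings, key=lambda f: (order.get(f["level"], 9), f["path"], f["line"] or 0))
    return "\n".join(f"{f['level']:<8} {f['rule']:<35} {f['path']}:{f['line']}  {f['text']}" for f in rows)


def main(argv: List[str]) -> int:
    # Read a real report when a path is given, otherwise use the constructed sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    findings = exclude_paths(load_findings(text), ["frontend/src/assets/vendor/"])
    print(render(findings))
    print("summary:", dict(summarize(findings)["by_level"]))
    return gate(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python gate.py bearer.sarif in the pipeline step after the scan; with the constructed sample it exits 1 because one error-level finding remains after the vendored path is excluded. The path exclusion and the error budget are deliberately plain code in the repository rather than hidden state, so a reviewer can see exactly what the gate tolerates.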

While this is not a silver bullet that prevents every attack by bad actors, following secure-coding best practices and catching known vulnerability patterns early is definitely the first step towards making any software more secure.

References:

  1. https://owasp.org/www-project-top-ten/
  2. https://owasp.org/www-community/Source_Code_Analysis_Tools
  3. https://docs.bearer.com/guides/configure-scan/
  4. https://owasp.org/www-project-code-review-guide/

About Intelliconnect

We at Intelliconnect work with leaders who have ambitious plans to grow their businesses. Our custom solutions:

1. Enable autonomous decision-making, reducing and ultimately eliminating the need for human intervention.
2. Provide signals & insights that enable swift action.
3. Empower teams with real-time information for strategic and operational decision-making, driving the development of a data-driven culture.
4. Are personalized for the role and easy & seamless to use, i.e. the effort required from the user is zero or minimal.

Connect with us at solutions@intelliconnectq.com
