Callflow - Remediation Prioritization

:warning: MIGRATION NOTICE :warning:
Starting with IQ version 152, this lab is available in the in-product CLI
Learn more here: Callflow in IQ CLI - Remediation Prioritization

Description:

Call flow analysis done correctly!

Are you wondering which vulnerability to fix first? This lab, developed in partnership with MuseDev, helps you answer that question.

We have thought a lot about how program execution analysis, or call flow analysis (CFA), can be used to influence prioritization of security vulnerabilities. Vulnerabilities in library code are associated with particular methods. CFA can help determine whether a vulnerable method may be callable from your application code. CFA should only be used as an indicator of what to fix first; please do not use CFA as justification NOT to fix a known vulnerable component, or as an indicator of a false positive. That would simply be an incorrect justification.

We have determined there are 5 different use cases for setting priority on fixing security vulnerabilities identified from call graph analysis:

  • (1) Vulnerability exists in bill of materials
  • (2) Vulnerable method is probably not called
  • (3) Vulnerable component is not referenced from “My Code” or any known public entry point
  • (4) Vulnerable method can be called from “My Code” or any known public entry point
  • (5) Vulnerable method is reachable by user controlled data

With this lab, use cases 1 and 4 are now covered. We are constantly improving the data for use case 4 and working towards use cases 2 and 3. Use case 5 is indirectly covered by use case 4, with the distinction that use case 5 is equivalent to use case 4 minus the dataflow (i.e. use case 5 is called vulnerable methods with dataflow). At this time, we are unsure if the performance trade-off is worth the value of solving use case 5.
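To make the use cases above concrete, here is an added example (not the lab's own code) that classifies vulnerable methods by reachability over a call graph: "My Code" is selected by namespace the way the -n option describes, and each vulnerable method is mapped to use case 2, 3 or 4. The call graph, namespaces and vulnerable methods are constructed sample data; the lab derives the real ones from the scanned archive and the signature service.

```python
from collections import deque

# Constructed call graph: caller -> set of callees, as package.Class.method names.
CALL_GRAPH = {
    "com.example.web.Controller.upload": {"org.lib.parser.Parser.parse"},
    "com.example.web.Controller.health": set(),
    "org.lib.parser.Parser.parse": {"org.lib.parser.Parser.expand"},
    "org.other.util.Helper.run": {"org.other.util.Helper.unsafe"},
}

# Constructed findings: vulnerable methods reported for components in the BOM.
VULNERABLE_METHODS = {
    "org.lib.parser.Parser.expand",   # reachable from My Code
    "org.other.util.Helper.unsafe",   # only reached from code outside My Code
    "org.lib.parser.Parser.unused",   # in the BOM, never called
}


def in_namespace(method, namespaces):
    """-n style match: 'sonatype' matches com.sonatype.* and sonatype.org.*."""
    segs = method.split(".")[:-2]  # drop Class and method, keep package segments
    for ns in namespaces:
        n = ns.split(".")
        if any(segs[i:i + len(n)] == n for i in range(len(segs) - len(n) + 1)):
            return True
    return False


def reachable_from(graph, roots):
    """Methods transitively reachable from roots (roots included)."""
    seen, todo = set(roots), deque(roots)
    while todo:
        for callee in graph.get(todo.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                todo.append(callee)
    return seen


def classify(graph, vulnerable, namespaces):
    """Map each vulnerable method to the use case number from the list above."""
    called = {c for callees in graph.values() for c in callees}
    entry_points = [m for m in graph if in_namespace(m, namespaces)]
    from_my_code = reachable_from(graph, entry_points)
    result = {}
    for m in vulnerable:
        if m in from_my_code:
            result[m] = 4   # callable from My Code: would get the Can_Be_Called label
        elif m in called:
            result[m] = 3   # called, but not from My Code or a known entry point
        else:
            result[m] = 2   # present in the bill of materials, probably not called
    return result
```

Every method is also use case 1 (it exists in the bill of materials); the classification only refines the priority within that set.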

Usage and Installation:

Download the archive in the downloads section.
Unpack the archive in a folder

Usage:
./evaluate.sh [options]
-i IQ_APP_ID
-n Namespace [,Namespace …] ( Ex: -n “sonatype” will match com.sonatype and sonatype.org)
JAR/Directory

options:
-s IQ_SERVER default: http://localhost:8070
-a IQ_USER:IQ_PASS default: prompted
-t IQ_STAGE default: build
-u CUSTOM_SOURCES default: ./custom-entrypoints.txt
-q IQ_CLI_JAR default: ./nexus-iq-cli-1.83.0-01.jar
-c CALLGRAPH_ANALYZER_JAR default: ./callgraph-analyzer-0.0.7.jar
-k (no argument, keeps CFA files) default: false
-y MY_SONATYPE_AUTH user:pass default: prompted
-i, Application ID for IQ; if the application does not exist, one will be created for you if you have enabled automatic application creation.
-n, Defines the codebase “My Code” that should be considered as an entry point.
-q, Path to the IQ CLI scanner jar file. 1.80.0-01 is provided in this release
-f, Outputs the .graphml file for the call graph.

Example:

./evaluate.sh -i axis2-webapp-1-5 -n org.apache.axis2 examples-benchmark/axis2-webapp-1.5

You will be prompted for your IQ server login AND your my.sonatype.com login.

What happens when I run this thing:

A sequence of events is orchestrated by the evaluate script.

  1. The application is scanned by IQ CLI and registered in your IQ server, if it does not exist
  2. A component label “Can_Be_Called” will be added to your system, if it does not exist
  3. The application’s security findings are retrieved from your IQ server
  4. The vulnerability signatures for those findings are requested from Sonatype
  5. Custom entry points are requested from Sonatype
  6. Call flow analysis is performed
  7. The application components that have call flow detected are assigned a Can_Be_Called label for that application in your IQ server
  8. The scanned application inside of your IQ server is triggered for policy re-evaluation

How can I see which findings have call flow in my IQ server:

Without adding a new policy, you can’t.

We have added a component label to the application components that had call flow detected. You will need to:

  1. Create a label: “Can_Be_Called”
  2. Create a policy that checks for the “Can_Be_Called” label.
  3. In my example, I had one policy with a threat level of 10 for any component that had call flow.

My thoughts were, if they could be potentially exploited, those should be the highest priority no matter what the CVSS score on the vulnerability. You can configure policies however you see fit, but I caution against creating a mirror policy for each security policy as it quickly gets into policy explosion and more confusing for the consumer. You may also want to add an exclusion to your existing security policies so an issue won’t be reported twice. Below is a picture of my call flow policy and one example of adding an exclusion to an existing security policy. I added the exclusion to all my security policies.

Why is Java the only language supported:

This lab is intended to understand how program analysis can help you prioritize remediation. Given the nature of static and runtime program analysis, it is difficult if not impossible to determine there is no risk in the identified vulnerable component. Please share your insights on the thread below, take our survey, or send comments to bmayhew@sonatype.com if you wish your comments to remain private. We encourage you to have a discussion on the thread below.

QUESTIONS:

  • How does this type of analysis help you prioritize your work?
  • How did you set up your policies?
  • Did you perform an immediate action based on these results?
  • What other data would you like to see from this analysis?
  • Was the analysis time acceptable?
  • How would you integrate this into your environment?
  • In order to improve (add) known entry points, would you be willing to share the non-proprietary entry points found in your application analysis? This would consist of reflective and framework (spring, struts, rest, …) entry points. (Note: See statement in warnings/caveats section)

SURVEY:

Your feedback is important and will help justify the productization of a feature like this. Please take 3-4 minutes to complete our survey:

Download:

:warning: Access to this Lab has been integrated into the Nexus IQ CLI.
See Callflow in IQ CLI - Remediation Prioritization

WARNINGS/CAVEATS:

This is a LAB and may change without warning. The callgraph_analyser is being updated constantly, so please check back often. If you add yourself as a topic watcher you will know when updates occur.

The vulnerability signatures are NOT up to date with our current security research AND the returned signatures are rate limited.

You may see incomplete results due to rate limiting from the signature server.

To improve future program analysis and to help discover open source (non-proprietary code) application entry points due to reflection and frameworks, this lab will upload a small subset of your non-proprietary program execution flow to Sonatype. This information is not associated with your application or your organization and is used to analyze potential entry point signatures that are outside of your code base.

Help

For questions or help, reply to this thread. Please do not submit company confidential information.

Hi All. Evaluating Callflow and trying to run it, and every time I get the following response:

:: Evaluating application
[INFO] Validating IQ Server version http://<<NEXUS_IQ_URL>>/…
[INFO] Validating application ID <> with the IQ Server http://<<NEXUS_IQ_URL>>/…
[ERROR] The input path ‘/callflow/remediation-prioritizer’ does not exist.
2020/08/05 15:56:39 error: could not perform Nexus IQ evaluation: error running command: exit status 1
trace: path: /bin/java args: [“java” “-jar” “./nexus-iq-cli-1.91.0-01.jar” “-s” “http://<<NEXUS_IQ_URL>>/” “-a” “<>:<>” “-t” “build” “-i” “<>” “-r” “/tmp/cfa586390608/iq-results.json” “”]

I have verified that the IQ application I am using does exist and that the username and password I am using for IQ are valid (admin role credentials). Looking at the error, it says that the ‘/callflow/remediation-prioritizer’ path does not exist, but that is the folder that I am executing the command from. What could be causing this? Should I be on the server that IQ is running on, or is there some other parameter that I need to set.

Hi there Michael! Can you post the command-line arguments you used? (equally sanitized is of course fine)

./evaluate.sh -s http://<<NEXUS_IQ_URL>>/ -i IQ-APPLICATION -n com.fasterxml.jackson.core

I input IQ credentials and my Sonatype credentials and I get what you see above. I have tried it with sudo as well, with the same result.

Michael,

You need to specify an archive (jar, war, ear, zip, tarball, etc) or a directory with the application to scan as the last argument of that call.

./evaluate.sh -s http://<<NEXUS_IQ_URL>>/ -i IQ-APPLICATION -n com.fasterxml.jackson.core <APPLICATION_FILE_OR_DIRECTORY>

Got it going, but I have a different issue now:
Scan ID: cd32d5cc8b20498782f0f5e947a8505a
2020/08/18 09:37:30 error: could not create signatures file: could not get signatures payload: unable to retrieve Nexus IQ Application Report: could not retrieve policy report: could not get policy report at URL api/v2/applications/transunionservice/reports/cd32d5cc8b20498782f0f5e947a8505a/policy: 404 Not Found

Michael,

Is your IQ instance behind an HTTP/S proxy and/or are you using self-signed certificates?

We are getting an issue similar to Michael above.

:: Fetching signatures
2021/03/02 12:52:21 error: could not create signatures file: could not get signatures payload: signatures http request failed: Post “https://cfa.sonatype.com/v1/signatures”:: read tcp X.X.X.X:50851-> X.X.X.X:443: wsarecv: An existing connection was forcibly closed by the remote host.

Is the application making a GET request here? or posting data?

Ben,

Hi there! The error chaining is confusing there, but it is POSTing the signatures it identified to the /signatures endpoint of cfa.sonatype.com so that the service hosted there can respond with the lookup results.

Hi all!

I just tried it and I am also getting the same error. We are using Nexus IQ Server 103. I’ve seen that the nexus-iq cli that comes with Callflow - Remediation Prioritization is version 91. Is there any solution to the problem or any scheduled update coming soon?

[INFO] Fingerprinting completed in 21 seconds for 142 archives, 38140 total files
[INFO] Could not discover git repository url via automation
[INFO] Waiting for policy evaluation to complete...
[INFO] Assigned scan ID b26d5641fe684b73bcc271c3adf4944c
[INFO] Policy evaluation completed in 16 seconds.
[INFO]
[INFO]
[INFO]
[INFO]
[INFO] *********************************************************************************************
[INFO] Policy Action: None
[INFO] Stage: build
[INFO] Number of components affected: 11 critical, 9 severe, 2 moderate
[INFO] Number of open policy violations: 28 critical, 26 severe, 3 moderate
[INFO] Number of grandfathered policy violations: 0
[INFO] The detailed report can be viewed online at http://localhost:8070/ui/links/application/Test-App1/report/b26d5641fe684b73bcc271c3adf4944c
[INFO] *********************************************************************************************
:: Fetching signatures
2021/04/29 04:14:06 error: could not create signatures file: could not get signatures payload: could not get Nexus IQ license fingerprint: unexpected end of JSON input

This is the CLI command executed on a RHEL Linux server (got rid of password and project name):

$ ./evaluate.sh -i Test-App1 -a user:<pass> -t build -n commons ../project

Is http://cfa.sonatype.com/ the endpoint that the server should be reaching out to? If so, it seems this server is down.

Hi there Sven! Thanks for reaching out. The error here is related to the step in which it retrieves the license details from your IQ instance. Unfortunately, the error is not descriptive enough. Would you be able to download version 0.24.5 (newly added to this page) which attempts to dig into the error chain more?

Hi Andres! Thanks for the follow up. The problem was that I was using the service account that we created for the Jenkins integration, and this account had no permission for the Nexus IQ license. With the admin account it is working. Thanks for your help!
Which permissions would need to be assigned to the role so that the Callflow Analyser is working?

Sven,

Excellent! This particular call is using a private API to retrieve your license details. As such, only a user with System Administrator role can access it.

Hi, is the callflow service still working? I tried running it and I got this error:

2022/03/24 21:10:50 error: could not create signatures file: could not get signatures payload: http error status: 503 Service Unavailable

Hi @marquos.zaki . The callflow lab is something we continue to make available to customers. Apologies for missing this message, we have folks looking into it and will provide an update next week.

Hello there, @marquos.zaki! Very sorry about the interruption. There was a mixup, but the callflow backend service has been restored. Give it another go and let us know how it works out.

Hi @andres @jwhitehouse, it works now, but I wasn’t successful in getting results.

This is the error I got, with no other logs:

2022/05/11 03:54:52 error: could not run CFA analyzer: error running command: exit status 1
trace: path: /bin/java args: [“java” “-jar” “callgraph-analyzer-0.0.15.jar” “-r” “0” “-a” “0_CFA” “-f” “-n” “namespace” “-m” “/tmp/cfa854382311/vulnerableMethods.json” “-c” “./custom-entrypoints.txt” “-o” “/tmp/cfa854382311” “//path.jar”]