• Stars
    star
    360
  • Rank 118,230 (Top 3 %)
  • Language
    C#
  • License
    BSD 3-Clause "New...
  • Created almost 9 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Open-source, cross-platform, multi-purpose security auditing tool

Note: DevAudit uses the OSS Index database, which has some rate limiting. If you notice you are hitting the limit please raise an issue. Authenticated users get a higher limit, and we am implementing authentication into DevAudit soon. Most non-authenticated users probably won't notice the limit for many use cases. It usually kicks in only in much larger projects or higher project volumes.

DevAudit: Development Auditing

Get the latest release from the releases page.

Screenshot of DevAudit package source audit

Screenshot of DevAudit Wheezy dpkg package source audit

Table of Contents

About

DevAudit is an open-source, cross-platform, multi-purpose security auditing tool targeted at developers and teams adopting DevOps and DevSecOps that detects security vulnerabilities at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and implementation of security auditing in the software development life-cycle. DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code, for potential vulnerabilities based on data aggregated by providers like OSS Index and Vulners from a wide array of sources and data feeds such as the National Vulnerability Database (NVD) CVE data feed, the Debian Security Advisories data feed, Drupal Security Advisories, and many others.

DevAudit helps developers address at least 4 of the OWASP Top 10 risks to web application development:

as well as risks classified by MITRE in the CWE dictionary such as CWE-2 Environment and CWE-200 Information Disclosure

Screenshot of DevAudit ASP.NET application audit As development progresses and its capabilities mature, DevAudit will be able to address the other risks on the OWASP Top 10 and CWE lists like Injection and XSS. With the focus on web and cloud and distributed multi-user applications, software development today is increasingly a complex affair with security issues and potential vulnerabilities arising at all levels of the stack developers rely on to deliver applications. The goal of DevAudit is to provide a platform for automating implementation of development security reviews and best practices at all levels of the solution stack from library package dependencies to application and server configuration to source code.

Features

  • Cross-platform with a Docker image also available. DevAudit runs on Windows and Linux with *BSD and Mac and ARM Linux support planned. Only an up-to-date version of .NET or Mono is required to run DevAudit. A DevAudit Docker image can also be pulled from Docker Hub and run without the need to install Mono.

  • CLI interface. DevAudit has a CLI interface with an option for non-interactive output and can be easily integrated into CI build pipelines or as post-build command-line tasks in developer IDEs. Work on integration of the core audit library into IDE GUIs has already begun with the Audit.Net Visual Studio extension.

  • Continuously updated vulnerabilties data. DevAudit uses backend data providers like OSS Index and Vulners which provide continuously updated vulnerabilities data compiled from a wide range of security data feeds and sources such as the NVD CVE feeds, Drupal Security Advisories, and so on. Support for additional vulnerability and package data providers like vFeed and Libraries.io will be added.

  • Audit operating system and development package dependencies. DevAudit audits Windows applications and packages installed via Windows MSI, Chocolatey, and OneGet, as well as Debian, Ubuntu, and CentOS Linux packages installed via Dpkg, RPM and YUM, for vulnerabilities reported for specific versions of the applications and packages. For development package dependencies and libraries DevAudit audits NuGet v2 dependencies for .NET, Yarn/NPM and Bower dependencies for nodejs, and Composer package dependencies for PHP. Support for other package managers for different languages is added regularly.

  • Audit application server configurations. DevAudit audits the server version and the server configuration for the OpenSSH sshd, Apache httpd, MySQL/MariaDB, PostgreSQL, and Nginx servers with many more coming. Configuration auditing is based on the Alpheus library and is done using full syntactic analysis of the server configuration files. Server configuration rules are stored in YAML text files and can be customized to the needs of developers. Support for many more servers and applications and types of analysis like database auditing is added regularly.

  • Audit application configurations. DevAudit audits Microsoft ASP.NET applications and detects vulnerabilities present in the application configuration. Application configuration rules are stored in YAML text files and can be customized to the needs of developers. Application configuration auditing for applications like Drupal and WordPress and DNN CMS is coming.

  • Audit application code by static analysis. DevAudit currently supports static analysis of .NET CIL bytecode. Analyzers reside in external script files and can be fully customized based on the needs of the developer. Support for C# source code analysis via Roslyn, PHP7 source code and many more languages and external static code analysis tools is coming.

  • Remote agentless auditing. DevAudit can connect to remote hosts via SSH with identical auditing features available in remote environments as in local environments. Only a valid SSH login is required to audit remote hosts and DevAudit running on Windows can connect to and audit Linux hosts over SSH. On Windows DevAudit can also remotely connect to and audit other Windows machines using WinRM.

  • Agentless Docker container auditing. DevAudit can audit running Docker containers from the Docker host with identical features available in container environments as in local environments.

  • GitHub repository auditing. DevAudit can connect directly to a project repository hosted on GitHub and perform package source and application configuration auditing.

  • PowerShell support. DevAudit can also be run inside the PowerShell system administration environment as cmdlets. Work on PowerShell support is paused at present but will resume in the near future with support for cross-platform Powershell both on Windows and Linux.

Requirements

DevAudit is a .NET 4.6 application. To install locally on your machine you will need either the Microsoft .NET Framework 4.6 runtime on Windows, or Mono 4.4+ on Linux. .NET 4.6 should be already installed on most recent versions of Windows, if not then it is available as a Windows feature that can be turned on or installed from the Programs and Features control panel applet on consumer Windows, or from the Add Roles and Features option in Server Manager on server versions of Windows. For older versions of Windows, the .NET 4.6 installer from Microsoft can be found here.

On Linux the minimum version of Mono supported is 4.4. Although DevAudit runs on Mono 4 (with one known issue) it's recommended that Mono 5 be installed. Mono 5 brings many improvements to the build and runtime components of Mono that benefit DevAudit.

The existing Mono packages provided by your distro are probably not Mono 5 as yet, so you will have to install Mono packages manually to be able to use Mono 5. Installation instructions for the most recent packages provided by the Mono project for several major Linux distros are here. It is recommended you have the mono-devel package installed as this will reduce the chances of missing assemblies.

Alternatively on Linux you can use the DevAudit Docker image if you do not wish to install Mono and already have Docker installed on your machine.

Installation

DevAudit can be installed by the following methods:

  • Building from source.
  • Using a binary release archive file downloaded from Github for Windows or Linux.
  • Using the release MSI installer downloaded from Github for Windows.
  • Using the Chocolatey package manager on Windows.
  • Pulling the ossindex/devaudit image from Docker Hub on Linux.

Building from source on Linux

  1. Pre-requisites: Mono 4.4+ (Mono 5 recommended) and the mono-devel package which provides the compiler and other tools needed for building Mono apps. Your distro should have packages for at least Mono version 4.4 and above, otherwise manual installation instructions for the most recent packages provided by the Mono project for several major Linux distros are here

  2. Clone the DevAudit repository from https://github.com/OSSIndex/DevAudit.git

  3. Run the build.sh script in the root DevAudit directory. DevAudit should compile without any errors.

  4. Run ./devaudit --help and you should see the DevAudit version and help screen printed.

Note that NuGet on Linux may occasionally exit with Error: NameResolutionFailure which seems to be a transient problem contacting the servers that contain the NuGet packages. You should just run ./build.sh again until the build completes normally.

Building from source on Windows

  1. Pre-requisites: You must have one of:

  2. Clone the DevAudit repository from https://github.com/OSSIndex/DevAudit.git

  3. From a visual Studio 2015 or ,NETRun the build.cmd script in the root DevAudit directory. DevAudit should compile without any errors.

  4. Run ./devaudit --help and you should see the DevAudit version and help screen printed.

Installing from the release archive files on Windows on Linux

  1. Pre-requisites: You must have Mono 4.4+ on Linux or .NET 4.6 on Windows.

  2. Download the latest release archive file for Windows or Linux from the project releases page. Unpack this file to a directory.

  3. From the directory where you unpacked the release archive run devaudit --help on Windows or ./devaudit --help on Linux. You should see the version and help screen printed.

  4. (Optional) Add the DevAudit installation directory to your PATH environment variable

Installing using the MSI Installer on Windows

The MSI installer for a release can be found on the Github releases page.

  1. Click on the releases link near the top of the page.
  2. Identify the release you would like to install.
  3. A "DevAudit.exe" link should be visible for each release that has a pre-built installer.
  4. Download the file and execute the installer. You will be guided through a simple installation.
  5. Open a new command prompt or PowerShell window in order to have DevAudit in path.
  6. Run DevAudit.

Installing using Chocolatey on Windows

DevAudit is also available on Chocolatey.

  1. Install Chocolatey.
  2. Open an admin console or PowerShell window.
  3. Type choco install devaudit
  4. Run DevAudit.

Installing using Docker on Linux

Pull the Devaudit image from Docker Hub: docker pull ossindex/devaudit. The image tagged ossindex/devaudit:latest (which is the default image that is downloaded) is built from the most recent release while ossindex/devaudit:unstable is built on the master branch of the source code and contains the newest additions albeit with less testing.

Concepts

Audit Target

Represents a logical group of auditing functions. DevAudit currently supports the following audit targets:

  • Package Source. A package source manages application and library dependencies using a package manager. Package managers install, remove or update applications and library dependencies for an operating system like Debian Linux, or for a development language or framework like .NET or nodejs. Examples of package sources are dpkg, yum, Chocolatey, Composer, and Bower. DevAudit audits the names and versions of installed packages against vulnerabilities reported for specific versions of those packages.
  • Application. An application like Drupal or a custom application built using a framework like ASP.NET. DevAudit audits applications and application modules and plugins against vulnerabilities reported for specific versions of application binaries and modules and plugins. DevAudit can also audit application configurations for known vulnerabilities, and perform static analysis on application code looking for known weaknesses.
  • Application Server. Application servers provide continuously running services or daemons like a web or database server for other applications to use, or for users to access services like authentication. Examples of application servers are the OpenSSH sshd and Apache httpd servers. DevAudit can audit application server binaries, modules and plugins against vulnerabilities reported for specific versions as well as audit server configurations for known server configuration vulnerabilities and weaknesses.

Audit Environment

Represents a logical environment where audits against audit targets are executed. Audit environments abstract the I/O and command executions required for an audit and allow identical functions to be performed against audit targets on whatever physical or network location the target's files and executables are located. The follwing environments are currently supported :

  • Local. This is the default audit environment where audits are executed on the local machine.
  • SSH. Audits are executed on a remote host connected over SSH. It is not necessary to have DevAudit installed on the remote host.
  • WinRM. Audits are executed on a remote Windows host connected over WinRM. It is not necessary to have DevAudit installed on the remote host.
  • Docker. Audits are executed on a running Docker container. It is not necessary to have DevAudit installed on the container image.
  • GitHub. Audits are executed on a GitHub project repository's file-system directly. It is not necessary to checkout or download the project locally to perform the audit.

Audit Options

These are different options that can be enabled for the audit. You can specify options that apply to the DevAudit program for example, to run in non-interactive mode, as well as options that apply to the target e.g if you set the AppDevMode option for auditing ASP.NET applications to true then certain audit rules will not be enabled.

Basic Usage

The CLI is the primary interface to the DevAudit program and is suitable both for interactive use and for non-interactive use in scheduled tasks, shell scripts, CI build pipelines and post-build tasks in developer IDEs. The basic DevAudit CLI syntax is:

devaudit TARGET [ENVIRONMENT] | [OPTIONS]

where TARGET specifies the audit target ENVIRONMENT specifies the audit environment and OPTIONS specifies the options for the audit target and environment. There are 2 ways to specify options: program options and general audit options that apply to more than one target can be specified directly on the command-line as parameters . Target-specific options can be specified with the -o options using the format: -o OPTION1=VALUE1,OPTION2=VALUE2,.... with commas delimiting each option key-value pair.

If you are piping or redirecting the program output to a file then you should always use the -n --non-interactive option to disable any interactive user interface features and animations.

When specifying file paths, an @ prefix before a path indicates to DevAudit that this path is relative to the root directory of the audit target e.g if you specify: -r c:\myproject -b @bin\Debug\app2.exe DevAudit considers the path to the binary file as c:\myproject\bin\Debug\app2.exe.

Audit Targets

Package Sources

  • msi Do a package audit of the Windows Installer MSI package source on Windows machines.

  • npm Do a package audit of the NPM package.json.

  • choco Do a package audit of packages installed by the Choco package manager.

  • oneget Do a package audit of the system OneGet package source on Windows.

  • nuget Do a package audit of a NuGet v2 package source. You must specify the location of the NuGet packages.config file you wish to audit using the -f or --file option otherwise the current directory will be searched for this file.

  • bower Do a package audit of a Bower package source. You must specify the location of the Bower packages.json file you wish to audit using the -f or --file option otherwise the current directory will be searched for this file.

  • composer Do a package audit of a Composer package source. You must specify the location of the Composer composer.json file you wish to audit using the -f or --file option otherwise the current directory will be searched for this file.

  • dpkg Do a package audit of the system dpkg package source on Debian Linux and derivatives.

  • rpm Do a package audit of the system RPM package source on RedHat Linux and derivatives.

  • yum Do a package audit of the system Yum package source on RedHat Linux and derivatives.

For every package source the following general audit options can be used:

  • -f --file Specify the location of the package manager configuration file if needed. The NuGet, Bower and Composer package sources require this option.

  • --list-packages Only list the packages in the package source scanned by DevAudit.

  • --list-artifacts Only list the artifacts found on OSS Index for packages scanned by DevAudit.

Package sources tagged [Experimental] are only available in the master branch of the source code and may have limited back-end OSS Index support. However you can always list the packages scanned and artifacts available on OSS Index using the list-packages and list-artifacts options.

Applications

  • aspnet Do an application audit on a ASP.NET application. The relevant options are:

    • -r --root-directory Specify the root directory of the application. This is just the top-level application directory that contains files like Global.asax and Web.config.
    • -b --application-binary Specify the application binary. The is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory.
    • --config-file or -o AppConfig=configuration-file Specifies the ASP.NET application configuration file. This file is usually named Web.config and located in the application root directory. You can override the default @Web.config value with this option.
    • -o AppDevMode=enabled Specifies that application development mode should be enabled for the audit. This mode can be used when auditing an application that is under development. Certain configuration rules that are tagged as disabled for AppDevMode (e.g running the application in ASP.NET debug mode) will not be enabled during the audit.
  • netfx Do an application audit on a .NET application. The relevant options are:

    • -r --root-directory Specify the root directory of the application. This is just the top-level application directory that contains files like App.config.
    • -b --application-binary Specify the application binary. The is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory.
    • --config-file or -o AppConfig=configuration-file Specifies the .NET application configuration file. This file is usually named App.config and located in the application root directory. You can override the default @App.config value with this option.
    • -o GendarmeRules=RuleLibrary Specifies that the Gendarme static analyzer should enabled for the audit with rules from the specified rules library used. For example: devaudit netfx -r /home/allisterb/vbot-debian/vbot.core -b @bin/Debug/vbot.core.dll --skip-packages-audit -o GendarmeRules=Gendarme.Rules.Naming will run the Gendarme static analyzer on the vbot.core.dll assembly using rules from Gendarme.Rules.Naming library. The complete list of rules libraries is (taken from the Gendarme wiki):
  • drupal7 Do an application audit on a Drupal 7 application.

    • -r --root-directory Specify the root directory of the application. This is just the top-level directory of your Drupal 7 install.
  • drupal8 Do an application audit on a Drupal 8 application.

    • -r --root-directory Specify the root directory of the application. This is just the top-level directory of your Drupal 8 install.

All applications also support the following common options for auditing the application modules or plugins:

  • --list-packages Only list the application plugins or modules scanned by DevAudit.

  • --list-artifacts Only list the artifacts found on OSS Index for application plugins and modules scanned by DevAudit.

  • --skip-packages-audit Only do an appplication configuration or code analysis audit and skip the packages audit.

Application Servers

  • sshd Do an application server audit on an OpenSSH sshd-compatible server.

  • httpd Do an application server audit on an Apache httpd-compatible server.

  • mysql Do an application server audit on a MySQL-compatible server (like MariaDB or Oracle MySQL.)

  • nginx Do an application server audit on a Nginx server.

  • pgsql Do an application server audit on a PostgreSQL server.

This is an example command line for an application server audit: ./devaudit httpd -i httpd-2.2 -r /usr/local/apache2/ --config-file @conf/httpd.conf -b @bin/httpd which audits an Apache Httpd server running on a Docker container named httpd-2.2.

The following are audit options common to all application servers:

  • -r --root-directory Specifies the root directory of the server. This is just the top-level of your server filesystem and defaults to / unless you want a different server root.
  • --config-file Specifies the server configuration file. e.g in the above audit the Apache configuration file is located at /usr/local/apache2/conf/httpd.conf. If you don't specify the configuration file DevAudit will attempt to auto-detect the configuration file for the server selected.
  • -b --application-binary Specifies the server binary. e.g in the above audit the Apache binary is located at /usr/local/apache2/bin/httpd. If you don't specify the binary path DevAudit will attempt to auto-detect the server binary for the server selected.

Application servers also support the following common options for auditing the server modules or plugins:

  • --list-packages Only list the application plugins or modules scanned by DevAudit.

  • --list-artifacts Only list the artifacts found on OSS Index for application plugins and modules scanned by DevAudit.

  • --skip-packages-audit Only do a server configuration audit and skip the packages audit.

Environments

There are currently 5 audit environment supported: local, remote hosts over SSH, remote hosts over WinRM, Docker containers, and GitHub. Local environments are used by default when no other environment options are specified.

SSH

The SSH environment allows audits to be performed on any remote hosts accessible over SSH without requiring DevAudit to be installed on the remote host. SSH environments are cross-platform: you can connect to a Linux remote host from a Windows machine running DevAudit. An SSH environment is created by the following options:-s SERVER [--ssh-port PORT] -u USER [-k KEYFILE] [-p | --password-text PASSWORD]

-s SERVER Specifies the remote host or IP to connect to via SSH.

-u USER Specifies the user to login to the server with.

--ssh-port PORT Specifies the port on the remote host to connect to. The default is 22.

-k KEYFILE Specifies the OpenSSH compatible private key file to use to connect to the remote server. Currently only RSA or DSA keys in files in the PEM format are supported.

-p Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase.

--password-text PASSWORD Specify the user password or key file passphrase as plaintext on the command-line. Note that on Linux when your password contains special characters you should use enclose the text on the command-line using single-quotes like 'MyPa<ss' to avoid the shell interpreting the special characters.

WinRM

The WinRM environment allows audits to be performed on any remote Windows hosts accessible over WinRM without requiring DevAudit to be installed on the remote host. WinRM environments are currently only available on Windows machines running DevAudit. A WinRM environment is created by the following options:-w IP -u USER [-p | --password-text PASSWORD]

-w IP Specifies the remote IP to connect to via WinRM.

-u USER Specifies the user to login to the server with.

-p Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase.

--password-text PASSWORD Specify the server password or key file passphrase as plaintext on the command-line.

Docker

This section discusses how to audit Docker images using DevAudit installed on the local machine. For running DevAudit as a containerized Docker app see the section below on Docker Usage.

A Docker audit environment is specified by the following option: -i CONTAINER_NAME | -i CONTAINER_ID

Screenshot of DevAudit auditing a Docker container CONTAINER_(NAME|ID) Specifes the name or id of a running Docker container to connect to. The container must be already running as DevAudit does not know how to start the container with the name or the state you require.

GitHub

The GitHub audit environment allows audits to be performed directly on a GitHub project repository. A GitHub environment is created by the -g option: -g "Owner=OWNER,Name=NAME,Branch=BRANCH"

OWNER Specifies the owner of the project

NAME Specifies the name of the project

PATH Specifies the branch of the project to connect to

You can use the -r, --config-file, and -f options as usual to specify the path to file-system files and directories required for the audit. e.g the following commad: devaudit aspnet -g "Owner=Dnnsoftware,Name=Dnn.Platforn,Branch=Release/9.0.2" -r /Website --config-file @web.config will do an ASP.NET audit on this repository https://github.com/dnnsoftware/Dnn.Platform/ using the /Website source folder as the root directory and the web.config file as the ASP.NET configuration file. Note that filenames are case-sensitive in most environments.

Screenshot of a GitHub project audit

Program Options

-n --non-interactive Run DevAudit in non-interactive mode with all interactive features and animations of the CLI disabled. This mode is necessary for running DevAudit in shell scripts for instance otherwise errors will occure when DevAudit attempts to use interactive console features.

-d --debug Run DevAudit in debug mode. This will print a variety of informational and diagnostic messages. This mode is used for troubleshooting DevAudit errors and bugs.

Docker Usage

DevAudit also ships as a Docker containerized app which allows users on Linux to run DevAudit without the need to install Mono and build from source. To pull the DevAudit Docker image from Docker Hub:

docker pull ossindex/devaudit[:label]

The current images are about 131 MB compressed. By default the image labelled latest is pulled which is the most recent release of the program. An unstable image is also available which tracks the master branch of the source code. To run DevAudit as a containerized app:

docker run -i -t ossindex/devaudit TARGET [ENVIRONMENT] | [OPTIONS]

The -i and -t Docker options are necessary for running DevAudit interactively. If you don't specify these options then you must run DevAudit in non-interactive mode by using the DevAudit option -n.

You must mount any directories on the Docker host machine that DevAudit needs to access on the DevAudit Docker container using the Docker -v option. If you mount your local root directory at a mount point named /hostroot on the Docker image then DevAudit can access files and directories on your local machine using the same local paths. For example:

docker run -i -t -v /:/hostroot:ro ossindex/devaudit netfx -r /home/allisterb/vbot-debian/vbot.core

will allow the DevAudit Docker container to audit the local directory /home/allisterb/vbot-debian/vbot.core. You must mount your local root in this way to audit other Docker containers from the DevAudit container e.g.

docker run -i -t -v /:/hostroot:ro ossindex/devaudit mysql -i myapp1 -r / --config-file /etc/my.cnf --skip-packages-audit

will run a MySQL audit on a Docker container named myapp1 from the ossindex/devaudit container.

If you do not need to mount your entire root directory then you can mount just the directory needed for the audit. For example:

docker run -i -t -v /home/allisterb/vbot-debian/vbot.core:/vbot:ro ossindex/devaudit netfx -r /vbot -b @bin/Debug/vbot.core.dll

will mount read-only the /home/allisterb/vbot-debian/vbot.core directory as /vbot on the DevAudit container which allows DevAudit to access it as the audit root directory for a netfx application audit at /vbot.

If you wish to use private key files on the local Docker host for an audit over SSH, you can mount your directory that contains the needed key file and then tell DevAudit to use that file path e.g.

docker -i -t -v /home/allisterb/.ssh:/ssh:ro run ossindex/devaudit dpkg -s localhost -u allisterb -p -k /ssh/mykey.key

will mount the directory containing key files at /ssh and allow the DevAudit container to use them.

Note that it's currently not possible for the Docker container to audit operating system package sources like dpkg or rpm or application servers like OpenSSH sshd on the local Docker host without mounting your local root directory at /hostroot as described above. DevAudit must chroot into your local root directory from the Docker container when running executables like dpkg or server binaries like sshd and httpd. You must also mount your local root as described above to audit other Docker containers from the DevAudit container as DevAudit also needs to chroot into your local root to execute local Docker commands to communicate with your other containers.

For running audits over SSH from the DevAudit container it is not necessary to mount the local root at /hostroot.

Troubleshooting

If you encounter a bug or other issue with DevAudit there are a couple of things you can enable to help us resolve it:

  • Use the -d option to enable debugging output. Diagnostic information will be emitted during the audit run.
  • On Linux use the DEVAUDIT_TRACE variable to enable tracing program execution. The value of this variable must be in the format for Mono tracing e.g you can set DEVAUDIT_TRACE=N:DevAudit.AuditLibrary to trace all the calls made to the audit library duing an audit.

Known Issues

  • On Windows you must use the -n --non-interactive program option when piping or redirecting program output to a file otherwise a crash will result. This behaviour may be changed in the future to make non-interactive mode the default.
  • There appears to be an issue using the Windows console app ConEmu and the Cygwin builds of the OpenSSH client when SSHing into remote Linux hosts to run Mono apps. If you run DevAudit this way you may notice strange sequences appearing sometimes at the end of console output. You may also have problems during keyboard interactive entry like entering passwords for SSH audits where the wrong password appears to be sent. If you are having problems entering passwords for SSH audits using ConEmu when working remotely, try holding the backspace key for a second or two to clear the input buffer before entering your password.

More Repositories

1

nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Go
560
star
2

search-maven-org

TypeScript
478
star
3

auditjs

Audits an NPM package.json file to identify known vulnerabilities.
TypeScript
223
star
4

nexus-repository-composer

Composer support for the Nexus Repository Manager (work in progress!)
Java
215
star
5

nexus-repository-import-scripts

A few scripts for importing artifacts into Nexus Repository
Shell
200
star
6

jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
Python
111
star
7

nexus-repository-apt

A Nexus Repository 3 plugin that allows usage of apt repositories
Java
105
star
8

nexus-repository-helm

At the Helm, Helm Yeah, v k8s
Java
97
star
9

nexus-scripting-examples

Sample scripts that use NXRM's scripting interface
HTML
85
star
10

scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Java
77
star
11

nexus-repository-cargo

Nexus Repository Cargo Format
Java
69
star
12

ahab

ahab is a tool to check for vulnerabilities in your apt, apk, or yum powered operating systems, powered by Sonatype OSS Index.
Go
66
star
13

repo-diff

Compare the contents of your hosted and proxy repositories for coordinate collisions
Python
60
star
14

audit.net

Identify known vulnerabilities in .net nuget dependencies
C#
55
star
15

gonexus

Go API for provisioning and interacting with Sonatype's Nexus Repository Manager and Nexus IQ Server
Go
44
star
16

helm-nexus-push

A plugin for helm that will push a chart to a Nexus Hosted Repository
Shell
43
star
17

nexus-repository-apk

Java
42
star
18

ossindex-gradle-plugin

Dependency audit plugin for gradle
Java
40
star
19

oysteR

Create purls from the filtered sands of your dependencies, powered by OSS Index
R
40
star
20

nexus-blobstore-google-cloud

Nexus Repository Manager Blobstore backed by Google Cloud Storage
Java
39
star
21

nexus-repository-conan

Conan the Barbarian, C packaging, fun times
Java
39
star
22

docker-nginx-nexus-repository

This is a template for deploying Nexus Repository Manager behind an NGINX reverse proxy.
Shell
36
star
23

nexus-repo-github-action

Nexus Repository for GitHub Actions
Dockerfile
36
star
24

nexus-repository-installer

Installer for Nexus Repository Manager 3
Dockerfile
32
star
25

nexus-repository-r

R, v data science, much functional programming, doge
Java
31
star
26

cargo-pants

Rust
28
star
27

cheque

Audit C/C++ projects (make, cmake, command line, etc.)
Go
23
star
28

nexus-cli

A Go based CLI for the Nexus platform
Go
22
star
29

nexus-repository-cpan

Much regex, v perl, super excite
Java
22
star
30

nexus-repository-p2

V Eclipse, hella P2, much OSGi
Java
21
star
31

iq-config-as-code

Python
20
star
32

nexus-iq-chrome-extension

Chrome extension for use with Sonatype Nexus Lifecycle - IQ server
CSS
20
star
33

copy-modules-webpack-plugin

A Webpack plugin which copies module sources to a separate directory
JavaScript
18
star
34

vscode-iq-plugin

Visual Studio Code plugin for Nexus IQ
TypeScript
18
star
35

nexusiq-successmetrics

An application for retrieving and viewing success metrics from Sonatype Nexus IQ
Java
15
star
36

chelsea

Dependency vulnerability auditor for Ruby
Ruby
14
star
37

bach

Dependency vulnerability auditor for PHP
PHP
14
star
38

nexus-repository-puppet

Java
13
star
39

nexus-blobstore-azure-cloud

Nexus Repository Manager Blobstore backed by Azure Blob Cloud Storage
Java
13
star
40

nexus-repository-terraform

12
star
41

nancy-github-action

Sonatype Nancy for GitHub Actions
Shell
11
star
42

iq-success-metrics2

10
star
43

nexus-format-archetype

Archetype for creating Nexus format plugin
Java
10
star
44

nexus-repository-vgo

Experimental repo for a vgo proxy and maybe more
Java
10
star
45

iq-fortify-parser

Deprecated Sonatype IQ Fortify SSC Community Integration 18.x to 20.x (replaced by Partner Integration version 4.x)
Java
10
star
46

iq-github-action

Sonatype Lifecycle GitHub Action
Shell
9
star
47

nexus-iq-server-installer

Installer for Nexus IQ Server
Dockerfile
9
star
48

nexus-repository-elpa

Java
9
star
49

deployment-reference-architecture

References for deploying Nexus products.
Mustache
9
star
50

nexus-repository-microsoft-symbol-server

Java
8
star
51

cs-auth-proxy

SAML SSO for Sonatype Nexus IQ
Shell
8
star
52

nexus-kubernetes-openshift

A Plugin for Sonatype Nexus to allow for automatic provisioning via K8s/OpenShift ConfigMaps and Secrets
Groovy
7
star
53

nexus-repository-conda

Java
7
star
54

iq-success-metrics

Python
7
star
55

intentionally-vulnerable-golang-project

This is a project we created that has dependencies with vulnerabilities, for us to test out nancy
Shell
7
star
56

nexus-iq-webhook-reference-implementation

A reference implementation for consuming webhooks via serverless.
JavaScript
7
star
57

nexus-development-guides

7
star
58

iq-webhook-listener

Shell
6
star
59

cyclonedx-sbom-examples

This repo has example CycloneDx xml formatted SBOMs for popular components across multiple ecosystems. Also, instructions for building and generating the sboms in the readme. If you add or update components, commit back up to the repo.
Java
6
star
60

nexus-platform-reference

Docker-compose project for demo's / testing / training
HTML
5
star
61

nexus-ci-examples

CI example builds and Sonatype Lifecycle analysis for different languages
Groovy
5
star
62

iq-api-examples

Repository for API example scripts for IQ Server.
Python
5
star
63

nexus-webhook-publish

A lil Golang app that takes Nexus Repo webhooks and uses them to publish components to other repos such as npmjs
Go
4
star
64

go-sona-types

Common utility packages for working with OSS Index, Nexus IQ Server, CycloneDX sboms or getting a....user-agent
Go
4
star
65

docker-nancy

nancy wrapped up as a Docker image for execution in a pipeline or via an alias in a terminal
Dockerfile
4
star
66

circleci-maven-release-orb

3
star
67

nexus-repository-cabal

Java
3
star
68

nexus-repository-chef

Java
3
star
69

circleci-nancy-orb

A CircleCI orb for using Nancy to scan your Golang projects
Go
3
star
70

hazelcast-swarm

Docker swarm discovery plugin for hazelcast
Java
3
star
71

terraform-provider-sonatyperepo

Terraform Provider for configuring Sonatype Nexus Repository Manager
Go
2
star
72

homebrew-nancy-tap

Ruby
2
star
73

hashbrowns

Go
2
star
74

DevAudit-Chocolatey-package

Chocolatey package configuration for DevAudit
PowerShell
2
star
75

devsecops-community-survey

The question set used for the DevSecOps Community Survey
2
star
76

circleci-nexus-orb

2
star
77

sonatype-platform-browser-extension

The Sonatype Platform Browser Extension
TypeScript
2
star
78

sonatype-field-workshop

Examples and docs for Sonatype field workshops
Java
2
star
79

nexus-hipchat-notifier

HipChat Connect Addon to notify a chat room when a component or asset is cached in a Nexus Repository
JavaScript
2
star
80

nexus-monitoring

Shell
2
star
81

nexus-lifecycle-gitlab

Creates image to use as a GitLab runner to perform Lifecycle Evaluations
Shell
2
star
82

the-cla

Sonatype's CLA bot - affectionally known as Paul Botsco
Go
2
star
83

nexus-repository-labrat2

Another place to test things, likely to be removed soon.
Java
2
star
84

terraform-provider-sonatypeiq

Terraform Provider for configuring Sonatype IQ Server
Go
2
star
85

nexus-iq-api-client

Generated API Clients for Nexus IQ Server
Python
2
star
86

nexus-community-it-support

Library that offers support for booting NXRM + community plugin for integration testing
Java
2
star
87

iq-fortify-ssc-integration

Integration service to pass data from IQ to SSC (deprecated in favor of iq-fortify-parser)
Java
2
star
88

codetocloud-workshop

JavaScript
1
star
89

nexus-repository-labrat

Test of custom Nexus Format, created using the Nexus Format Archetype
Java
1
star
90

speedbump

Swift
1
star
91

ossindex-python

Python library for querying OSS Index
Python
1
star
92

nexus-iq-api-client-go

Generated API Client in Go for Sonatype IQ Server
Shell
1
star
93

nexus-groovy-scripts

A collection of groovy scripts for Nexus Repository Manager 3
1
star
94

js-sona-types

Like go-sona-types, but for Javascript!
TypeScript
1
star
95

log4j-hackapp

Hackable applicaiton
Java
1
star
96

example-auditjs-repo

1
star
97

example-ahab-repo

Dockerfile
1
star
98

nexus-it-script-client

Java
1
star
99

jake-github-action

Sonatype Jake for GitHub Actions
Dockerfile
1
star
100

commercial-contributions

1
star