diff --git a/lib/sobelow/config/csp.ex b/lib/sobelow/config/csp.ex
index 1acffcd3..c37dde7b 100644
--- a/lib/sobelow/config/csp.ex
+++ b/lib/sobelow/config/csp.ex
@@ -118,6 +118,7 @@ defmodule Sobelow.Config.CSP do
 file_header = "File: #{finding.filename}"
 pipeline_header = "Pipeline: #{finding.fun_name}"
 line_header = "Line: #{finding.vuln_line_no}"
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
 case Sobelow.format() do
 "json" ->
@@ -125,7 +126,8 @@ defmodule Sobelow.Config.CSP do
 type: finding.type,
 file: finding.filename,
 pipeline: finding.fun_name,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -135,7 +137,7 @@ defmodule Sobelow.Config.CSP do
 Print.print_custom_finding_metadata(
 finding,
- [file_header, pipeline_header, line_header]
+ [file_header, pipeline_header, line_header, fingerprint_header]
 )
 "compact" ->
diff --git a/lib/sobelow/config/csrf.ex b/lib/sobelow/config/csrf.ex
index c5f2aa81..b8e97d77 100644
--- a/lib/sobelow/config/csrf.ex
+++ b/lib/sobelow/config/csrf.ex
@@ -54,6 +54,7 @@ defmodule Sobelow.Config.CSRF do
 file_header = "File: #{finding.filename}"
 pipeline_header = "Pipeline: #{finding.fun_name}"
 line_header = "Line: #{finding.vuln_line_no}"
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
 case Sobelow.format() do
 "json" ->
@@ -61,7 +62,8 @@ defmodule Sobelow.Config.CSRF do
 type: finding.type,
 file: finding.filename,
 pipeline: finding.fun_name,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -71,7 +73,7 @@ defmodule Sobelow.Config.CSRF do
 Print.print_custom_finding_metadata(
 finding,
- [file_header, pipeline_header, line_header]
+ [file_header, pipeline_header, line_header, fingerprint_header]
 )
 "compact" ->
diff --git a/lib/sobelow/config/csrf_route.ex b/lib/sobelow/config/csrf_route.ex
index 19831dc9..7dfc2004 100644
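Review bot: The `"Fingerprint: #{finding.fingerprint}"` literal bound to `fingerprint_header` in the first csp.ex hunk is the same string this commit adds to `Print.finding_fingerprint/1` in print.ex and to five sibling config modules, so the txt label can drift the moment one copy is edited; `fingerprint_header = Print.finding_fingerprint(finding)` keeps a single definition. The construction of `finding` sits above this hunk, so it is not visible whether the `Finding.fetch_fingerprint()` step that the hsts, https and vuln hunks show is applied here too; if it is not, the json branch emits `fingerprint: null` and the txt line prints an empty value without any error. The csrf.ex hunks that follow on this line have the same shape, and the same remark applies to them.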
--- a/lib/sobelow/config/csrf_route.ex
+++ b/lib/sobelow/config/csrf_route.ex
@@ -83,6 +83,7 @@ defmodule Sobelow.Config.CSRFRoute do
 file_header = "File: #{finding.filename}"
 action_header = "Action: #{finding.fun_name}"
 line_header = "Line: #{finding.vuln_line_no}"
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
 case Sobelow.format() do
 "json" ->
@@ -90,7 +91,8 @@ defmodule Sobelow.Config.CSRFRoute do
 type: finding.type,
 file: finding.filename,
 route: finding.fun_name,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -100,7 +102,7 @@ defmodule Sobelow.Config.CSRFRoute do
 Print.print_custom_finding_metadata(
 finding,
- [file_header, action_header, line_header]
+ [file_header, action_header, line_header, fingerprint_header]
 )
 "compact" ->
diff --git a/lib/sobelow/config/cswh.ex b/lib/sobelow/config/cswh.ex
index ec3c24aa..65e01f0c 100644
--- a/lib/sobelow/config/cswh.ex
+++ b/lib/sobelow/config/cswh.ex
@@ -67,13 +67,15 @@ defmodule Sobelow.Config.CSWH do
 file_header = "File: #{finding.filename}"
 line_header = "Line: #{finding.vuln_line_no}"
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
 case Sobelow.format() do
 "json" ->
 json_finding = [
 type: finding.type,
 file: finding.filename,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -83,7 +85,7 @@ defmodule Sobelow.Config.CSWH do
 Print.print_custom_finding_metadata(
 finding,
- [file_header, line_header]
+ [file_header, line_header, fingerprint_header]
 )
 "compact" ->
diff --git a/lib/sobelow/config/headers.ex b/lib/sobelow/config/headers.ex
index 62bf447a..449a2389 100644
--- a/lib/sobelow/config/headers.ex
+++ b/lib/sobelow/config/headers.ex
@@ -52,6 +52,7 @@ defmodule Sobelow.Config.Headers do
 file_header = "File: #{finding.filename}"
 pipeline_header = "Pipeline: #{finding.fun_name}"
 line_header = "Line: #{finding.vuln_line_no}"
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
 case Sobelow.format() do
 "json" ->
@@ -59,7 +60,8 @@ defmodule Sobelow.Config.Headers do
 type: finding.type,
 file: finding.filename,
 pipeline: finding.fun_name,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -69,7 +71,7 @@ defmodule Sobelow.Config.Headers do
 Print.print_custom_finding_metadata(
 finding,
- [file_header, pipeline_header, line_header]
+ [file_header, pipeline_header, line_header, fingerprint_header]
 )
 "compact" ->
diff --git a/lib/sobelow/config/hsts.ex b/lib/sobelow/config/hsts.ex
index 103c4bae..cd0d2cc7 100644
--- a/lib/sobelow/config/hsts.ex
+++ b/lib/sobelow/config/hsts.ex
@@ -49,12 +49,15 @@ defmodule Sobelow.Config.HSTS do
 }
 |> Finding.fetch_fingerprint()
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
+
 case Sobelow.format() do
 "json" ->
 json_finding = [
 type: finding.type,
 file: finding.filename,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -62,7 +65,7 @@ defmodule Sobelow.Config.HSTS do
 "txt" ->
 Sobelow.log_finding(finding)
- Print.print_custom_finding_metadata(finding, [])
+ Print.print_custom_finding_metadata(finding, [fingerprint_header])
 "compact" ->
 Print.log_compact_finding(finding)
diff --git a/lib/sobelow/config/https.ex b/lib/sobelow/config/https.ex
index 457aaed6..6d709692 100644
--- a/lib/sobelow/config/https.ex
+++ b/lib/sobelow/config/https.ex
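Review bot: The `"compact"` branch at the end of the second hsts.ex hunk still calls `Print.log_compact_finding(finding)` unchanged, so the fingerprint the commit adds to json and txt output is absent from compact output; if the fingerprint is meant as the identifier a user records to suppress a known finding (presumably — its purpose is not stated in the diff), users of the compact format have no way to obtain it. Either extend `log_compact_finding` or state the omission, e.g. `# compact output intentionally omits the fingerprint` above the branch. Separately, `fingerprint_header` is bound before `case` but only the txt branch reads it; `Print.print_custom_finding_metadata(finding, [Print.finding_fingerprint(finding)])` would let the binding go. The enclosing function continues outside the hunk, and the https.ex hunks on the next line have the identical shape.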
@@ -51,12 +51,15 @@ defmodule Sobelow.Config.HTTPS do
 }
 |> Finding.fetch_fingerprint()
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
+
 case Sobelow.format() do
 "json" ->
 json_finding = [
 type: finding.type,
 file: finding.filename,
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -64,7 +67,7 @@ defmodule Sobelow.Config.HTTPS do
 "txt" ->
 Sobelow.log_finding(finding)
- Print.print_custom_finding_metadata(finding, [])
+ Print.print_custom_finding_metadata(finding, [fingerprint_header])
 "compact" ->
 Print.log_compact_finding(finding)
diff --git a/lib/sobelow/config/secrets.ex b/lib/sobelow/config/secrets.ex
index aaa06f4a..c2db71ec 100644
--- a/lib/sobelow/config/secrets.ex
+++ b/lib/sobelow/config/secrets.ex
@@ -80,6 +80,7 @@ defmodule Sobelow.Config.Secrets do
 file_header = "File: #{finding.filename}"
 line_header = "Line: #{finding.vuln_line_no}"
 key_header = "Key: #{key}"
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
 case Sobelow.get_env(:format) do
 "json" ->
@@ -87,7 +88,8 @@ defmodule Sobelow.Config.Secrets do
 type: finding.type,
 file: finding.filename,
 line: finding.vuln_line_no,
- key: key
+ key: key,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -98,7 +100,8 @@ defmodule Sobelow.Config.Secrets do
 Print.print_custom_finding_metadata(finding, [
 file_header,
 line_header,
- key_header
+ key_header,
+ fingerprint_header
 ])
 "compact" ->
diff --git a/lib/sobelow/print.ex b/lib/sobelow/print.ex
index 6d8d501a..250a6ac1 100644
--- a/lib/sobelow/print.ex
+++ b/lib/sobelow/print.ex
@@ -36,6 +36,7 @@ defmodule Sobelow.Print do
 IO.puts(finding_line(finding.vuln_line_no))
 maybe_print_finding_fun_metadata(finding.fun_name, finding.fun_line_no)
 IO.puts(finding_variable(finding.vuln_variable))
+ IO.puts(finding_fingerprint(finding))
 maybe_print_code(finding.fun_source, finding.vuln_source)
 IO.puts(finding_break())
 end
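Review bot: `IO.puts(finding_fingerprint(finding))` in the print.ex hunk at the end of this line is printed unconditionally, but `finding_fingerprint/1` (added further down in this commit) pattern-matches on `%Finding{}`, so any caller that reaches this printer with a plain map rather than the struct will now raise a FunctionClauseError where the surrounding lines, which only read fields, did not. Since this is user-facing txt output, a short comment stating the contract, `# finding must be a %Finding{} that has been through Finding.fetch_fingerprint/1`, would tell maintainers what callers are expected to pass. The head of the enclosing function is above the hunk, so whether it already matches on the struct is not visible from here.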
@@ -103,7 +104,8 @@ defmodule Sobelow.Print do
 type: finding.type,
 file: finding.filename,
 line: finding.vuln_line_no,
- variable: finding.vuln_variable
+ variable: finding.vuln_variable,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -163,6 +165,10 @@ defmodule Sobelow.Print do
 "\n-----------------------------------------------\n"
 end
+ def finding_fingerprint(%Finding{} = finding) do
+ "Fingerprint: #{finding.fingerprint}"
+ end
+
 def maybe_print_code(fun, finding) do
 if Sobelow.get_env(:verbose), do: print_code(fun, finding)
 end
diff --git a/lib/sobelow/vuln.ex b/lib/sobelow/vuln.ex
index 9bade761..f5ed7a19 100644
--- a/lib/sobelow/vuln.ex
+++ b/lib/sobelow/vuln.ex
@@ -55,6 +55,8 @@ defmodule Sobelow.Vuln do
 }
 |> Finding.fetch_fingerprint()
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
+
 case Sobelow.format() do
 "json" ->
 json_finding = [
@@ -62,7 +64,8 @@ defmodule Sobelow.Vuln do
 details: detail,
 file: finding.filename,
 cve: cve,
- line: 0
+ line: 0,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
@@ -73,7 +76,8 @@ defmodule Sobelow.Vuln do
 Print.print_custom_finding_metadata(finding, [
 "Details: #{detail}",
 "File: #{finding.filename}",
- "CVE: #{cve}"
+ "CVE: #{cve}",
+ fingerprint_header
 ])
 "compact" ->
diff --git a/lib/sobelow/xss/raw.ex b/lib/sobelow/xss/raw.ex
index 151d115b..2e59d363 100644
--- a/lib/sobelow/xss/raw.ex
+++ b/lib/sobelow/xss/raw.ex
@@ -125,6 +125,8 @@ defmodule Sobelow.XSS.Raw do
 }
 |> Finding.fetch_fingerprint()
+ fingerprint_header = "Fingerprint: #{finding.fingerprint}"
+
 case Sobelow.format() do
 "json" ->
 json_finding = [
@@ -132,7 +134,8 @@ defmodule Sobelow.XSS.Raw do
 file: finding.filename,
 variable: "#{finding.vuln_variable}",
 template: "#{t_name}",
- line: finding.vuln_line_no
+ line: finding.vuln_line_no,
+ fingerprint: finding.fingerprint
 ]
 Sobelow.log_finding(json_finding, finding)
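Review bot: The new public `finding_fingerprint/1` in the second print.ex hunk on this line carries no `@doc` or `@spec`, even though it is the one place the txt label should be defined; `@doc "Renders the Fingerprint metadata line for a finding in txt output."` and `@spec finding_fingerprint(Finding.t()) :: String.t()` (assuming `Finding.t()` is declared, which is not visible here) would make the contract explicit. The clause accepts only a `%Finding{}`, and a `nil` `fingerprint` field yields the string `"Fingerprint: "` silently rather than an error, so the doc should say the field is expected to be populated by `Finding.fetch_fingerprint/1` first, as the vuln.ex and xss/raw.ex hunks that follow on this line do.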
@@ -144,7 +147,8 @@ defmodule Sobelow.XSS.Raw do
 Print.finding_file_name(filename),
 Print.finding_line(finding.vuln_source),
 Print.finding_fun_metadata(fun_name, line_no),
- "Template: #{t_name} - #{var}"
+ "Template: #{t_name} - #{var}",
+ fingerprint_header
 ])
 "compact" ->
diff --git a/test/print_test.exs b/test/print_test.exs
index e8f1ee0e..0513cdfa 100644
--- a/test/print_test.exs
+++ b/test/print_test.exs
@@ -25,6 +25,8 @@ defmodule SobelowTest.PrintTest do
 CodeModule.run(ast, @metafile)
 end
- assert capture_io(run_test) =~ "Code Execution in `Code.eval_string` - Medium Confidence"
+ output = capture_io(run_test)
+ assert output =~ "Code Execution in `Code.eval_string` - Medium Confidence"
+ assert output =~ "Fingerprint: 4B5AA54E7C16D1D9876E9118B84CB6CE"
 end
 end
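Review bot: The txt metadata list in the xss/raw.ex hunk builds every other entry through a `Print.finding_*` helper (`finding_file_name`, `finding_line`, `finding_fun_metadata`) but appends the locally formatted `fingerprint_header` for the fingerprint, even though this commit adds `Print.finding_fingerprint/1` for exactly that purpose; `Print.finding_fingerprint(finding)` in the list would match the surrounding style and make the binding created above this hunk unnecessary. The enclosing function starts outside the hunk.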
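Review bot: The added assertion in print_test.exs pins the literal `4B5AA54E7C16D1D9876E9118B84CB6CE` with no explanation of what makes it stable, so the next person whose change alters the hashing input gets an opaque failure. A one-line comment above it, `# exact value pinned on purpose: fingerprints must stay stable across releases, since users record them to identify findings`, states the intent (assuming that is the intent — the diff does not say). Whether the value depends on the path of `@metafile` or only on its content is not visible here; if the path is part of the input, the test fails under a different checkout location, and a format check such as `assert output =~ ~r/Fingerprint: [0-9A-F]{32}/` would be the robust complement to the exact pin.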