View Source Code Scans


Introduction

There are three popular tools for checking the security of Phoenix applications:

  1. Sobelow, for static analysis of source code for vulnerabilities, https://github.com/nccgroup/sobelow
  2. deps.audit, to scan a project's dependencies for vulnerabilities, https://github.com/mirego/mix_audit
  3. hex.audit, to scan for dependencies that have been marked as retired, https://hexdocs.pm/hex/Mix.Tasks.Hex.Audit.html

It may seem straightforward to integrate these tools into your existing CI/CD pipeline, but consider the following questions:

  1. When was the last time the scan ran successfully?
  2. Do you have a record of when all these scans happened?
  3. Did the number of vulnerabilities increase or decrease compared to the previous scan?
  4. How do you view the findings of the most recent scan? Of a scan from 3 months ago?
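
The questions above are about tracking findings across runs rather than about any single run. The following is an added example, not Paraxial.io's code, of the comparison a CI job would make between the previous and current run's findings: which were introduced, which were resolved, and how the totals changed. The finding shape (tool, type, file, line) and the sample data are assumptions for illustration; the actual fields of Paraxial.Finding are not shown on this page. Save it as scan_diff.exs and run it with elixir scan_diff.exs.

```elixir
defmodule ScanDiff do
  @moduledoc """
  Compares two scan runs so a CI job can report whether findings went up or
  down and which ones are new. The finding shape used here (tool, type, file,
  line) is an assumption for this example; the real fields of Paraxial.Finding
  are not documented on this page.
  """

  @type finding :: %{
          tool: :sobelow | :deps_audit | :hex_audit,
          type: String.t(),
          file: String.t(),
          line: non_neg_integer()
        }

  # Identity used to match the same issue across runs.
  defp key(%{tool: tool, type: type, file: file, line: line}), do: {tool, type, file, line}

  @doc "Splits `current` into new/unchanged findings and `previous` into resolved ones."
  @spec diff([finding()], [finding()]) ::
          %{new: [finding()], resolved: [finding()], unchanged: [finding()]}
  def diff(previous, current) do
    prev_keys = MapSet.new(previous, &key/1)
    curr_keys = MapSet.new(current, &key/1)

    %{
      new: Enum.reject(current, &MapSet.member?(prev_keys, key(&1))),
      unchanged: Enum.filter(current, &MapSet.member?(prev_keys, key(&1))),
      resolved: Enum.reject(previous, &MapSet.member?(curr_keys, key(&1)))
    }
  end

  @doc "Finding counts per tool, e.g. %{sobelow: 2, deps_audit: 1}."
  @spec count_by_tool([finding()]) :: %{atom() => non_neg_integer()}
  def count_by_tool(findings), do: Enum.frequencies_by(findings, & &1.tool)

  @doc "One-line summary for the CI log."
  @spec summary([finding()], [finding()]) :: String.t()
  def summary(previous, current) do
    %{new: new, resolved: resolved} = diff(previous, current)
    delta = length(current) - length(previous)

    "#{length(previous)} -> #{length(current)} findings (#{signed(delta)}); " <>
      "#{length(new)} new, #{length(resolved)} resolved"
  end

  @doc "Exit status for a CI step: non-zero only when the run introduced findings."
  @spec exit_status([finding()], [finding()]) :: 0 | 1
  def exit_status(previous, current) do
    case diff(previous, current) do
      %{new: []} -> 0
      _ -> 1
    end
  end

  defp signed(n) when n > 0, do: "+#{n}"
  defp signed(n), do: Integer.to_string(n)
end

# Constructed sample data for two consecutive runs (not real scan output).
# The Sobelow type names are real check names; the files and dependency are made up.
previous = [
  %{tool: :sobelow, type: "Config.CSRF", file: "lib/my_app_web/router.ex", line: 12},
  %{tool: :sobelow, type: "XSS.Raw", file: "lib/my_app_web/templates/page/index.html.heex", line: 8},
  %{tool: :deps_audit, type: "advisory for example_dep", file: "mix.lock", line: 0}
]

current = [
  %{tool: :sobelow, type: "Config.CSRF", file: "lib/my_app_web/router.ex", line: 12},
  %{tool: :hex_audit, type: "retired package example_dep", file: "mix.lock", line: 0}
]

IO.puts(ScanDiff.summary(previous, current))
IO.inspect(ScanDiff.count_by_tool(current), label: "current findings by tool")
IO.inspect(Map.fetch!(ScanDiff.diff(previous, current), :new), label: "new findings")
System.halt(ScanDiff.exit_status(previous, current))
```

Matching on (tool, type, file, line) means a finding that merely moves because lines were inserted above it shows up as one resolved and one new entry; that is the expected trade-off of a line-based identity, and a stricter key (for example a hash of the flagged code) would be needed to avoid it.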

With the Paraxial.io agent version 2.2.0, you now have access to the command:

mix paraxial.scan

This will run Sobelow, deps.audit, and hex.audit on your application, then upload the results to the Paraxial.io backend.


1. Create your site, add the Paraxial.io agent

In the Paraxial.io web interface, create a site for each environment you want to perform scans in. These are typically dev, test, or prod. For this tutorial, we use dev. In the "Site Settings" page, get your Site API key.

In your Phoenix app, open config/dev.exs and add:

# Read the key from the environment so it is never committed with the source.
config :paraxial,
  paraxial_api_key: System.get_env("PARAXIAL_API_KEY"),
  paraxial_url: "https://app.paraxial.io"

Add the Paraxial.io agent as a dependency in the deps list of mix.exs:

{:paraxial, "~> 2.2.0"}


2. Install Sobelow

Installing Sobelow directly is optional, but having it as a dependency lets you flag specific findings as false positives (see https://github.com/nccgroup/sobelow#false-positives). Add it to the deps list in mix.exs:

{:sobelow, "~> 0.11.1"}


3. Test the install

Run mix deps.get to install the Paraxial.io agent. To see if the install was successful, run:

mix paraxial.scan

If the agent is installed correctly and your site's API key is valid, you should see output like the following:

19:36:42.184 [info]  [Paraxial] API key found, scan results will be uploaded
[Paraxial] Scan findings: %Paraxial.Scan{
  api_key: "REDACTED",
  findings: [
    %Paraxial.Finding{
    ...


4. View the scan results

The scan task will run Sobelow, deps.audit, and hex.audit on your project, and print the results in the terminal. Go to your site in app.paraxial.io to see the scan results, and a history of previous scans.


Umbrella Applications

To use mix paraxial.scan with your umbrella application, you must update the aliases function in the top-level mix.exs file to include:

defp aliases do
  [
    # mix cmd runs the given command inside each child application
    sobelow: ["cmd mix sobelow"]
  ]
end

This runs Sobelow against all child applications, since mix cmd executes the command in each app under the umbrella.