Code Tampering Scanner
Purpose
A Code Tampering flaw is a security vulnerability that occurs when an attacker is able to make an unauthorized, malicious modification to the code of a program or system in a way that lets them gain unauthorized access or control.
This type of attack can be carried out by exploiting weaknesses in the software development process, such as poor source code management or a lack of security testing. Code tampering can also be used to introduce malicious code into a system, such as malware or backdoors, which can then be used to steal sensitive information or disrupt operations.
The Code Tampering Scanner is a tool that checks the commits of the software project under analysis and reports "changes in critical files" according to the critical-file rules currently active for the policy assigned to the project. Detected flaws can be uploaded to the Xygeni platform for consolidation and for enabling response actions.
Handling findings
For reviewing the Code Tampering flaws in commits, both the commit hash and the author are included in the report. The specific files in each commit that raise the flaw are also listed.
Quick Start
For detecting Code Tampering flaws in a software project with sources in the current directory, the command:
uploads the result to the Xygeni platform.
The Code Tampering scanner can be launched in two different ways:
1.- By its own specific command: xygeni codetamper [options]
2.- By the general command: xygeni scan --run="codetamper" [options]
For exporting the most important Code Tampering flaws to CSV, for review or for importing the findings into another tool:
Usage
For a full reference of all the available options, you can issue:
The most important properties are:
- Name of the project: -n or --name.
- Input: either a directory (-d|--dir) or a repository (-repo|--repository). If none is given, the local current directory is assumed.
- Upload results to the service: --upload. By default, results are not uploaded.
- Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), the standard output is used. Use --format=none for no output.
- The detectors to run can be tailored with the --detectors / --skip-detectors options. A common use case is to consider only issues with high or critical severity, with --detectors=high.
The available operations are:
- --since=<since>: Scan since the given commit hash. By default, the 'last' value is used to continue the analysis from the last previously analyzed commit (see Note).
- --last: Scan ONLY the last commit.
- --all: Scan all commits in git history.
Note: when the Code Tampering scanner uploads its results, it stores the hash of the last analyzed commit on our server.
This allows faster analysis on successive executions, since the same commits are not reanalyzed over and over and attention stays on the most recent findings.
Remember that the default analysis operation mode is "since last commit".
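As an added illustration (not Xygeni's code), the following Python sketch shows the logic described above: parse the commits, match each commit's changed files against critical-file rules, report hash, author and matching files, and resume from the stored last-analyzed commit. The rules, the sample git log and the exact semantics of --since=<hash> are constructed assumptions for this example.

```python
import fnmatch
import re

# Constructed critical-file rules for this example (not Xygeni's policy format).
# fnmatch's '*' also matches '/', so ".github/workflows/*" covers nested paths.
CRITICAL_FILE_RULES = [".github/workflows/*", "Dockerfile", "*/requirements*.txt", "setup.py"]

# Constructed sample of `git log --format='commit %H%nauthor %an <%ae>' --name-only`
SAMPLE_LOG = """commit c3d2e1f0
author Mallory <mallory@example.test>
.github/workflows/release.yml
src/app.py

commit b2c1d0e9
author Alice <alice@example.test>
README.md

commit a1b0c9d8
author Bob <bob@example.test>
Dockerfile
"""

def parse_git_log(text):
    """Turn the log text into (hash, author, [changed files]) tuples, newest first."""
    commits = []
    for block in re.split(r"(?m)^commit ", text.strip()):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if not lines:
            continue
        sha, author, files = lines[0], lines[1].split(" ", 1)[1], lines[2:]
        commits.append((sha, author, files))
    return commits

def scan(commits, since="last", last_analyzed=None, only_last=False):
    """since='last' resumes after last_analyzed (None on a first run: whole history),
    since='all' scans everything, and any other value is treated as a commit hash
    that was already analyzed (assumed exclusive). only_last mirrors --last."""
    if only_last:
        commits = commits[:1]
    stop = None if since == "all" else (last_analyzed if since == "last" else since)
    findings = []
    for sha, author, files in commits:          # newest first
        if stop is not None and sha == stop:     # reached the already-analyzed marker
            break
        hit = [f for f in files if any(fnmatch.fnmatch(f, r) for r in CRITICAL_FILE_RULES)]
        if hit:                                  # finding: hash, author, critical files
            findings.append((sha, author, hit))
    return findings
```

Each finding carries the commit hash, the author and the critical files touched, which is the information the report above lists for review.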