modules/8-cicd.livemd
+12 -7 (12 additions & 7 deletions)
@@ -27,17 +27,22 @@ This module will cover over some of the automated processes you may see in a CI/
27
27
Built in Elixir, for Elixir, by NCC Group - this tool will try to determine whether your codebase has a number of web vulnerabilities as well as the insecurites outlined in [Module 5 - Elixir Security](./5-elixir.livemd).
28
28
29
29
### <spanstyle="color:blue;">Example</span>
30
+
Install Sobelow and add it to your application dependicies or install it by following the instructions https://hexdocs.pm/sobelow/readme.html
30
31
31
-
https://hexdocs.pm/sobelow/readme.html
32
32
[Sobelow](https://sobelow.io/)
33
-
There are a number of security issues published
34
-
Common Weakness Enumeration (CWE) - [CWE's](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)
35
-
OWASP Top 10 [OWASP Top 10](https://owasp.org/www-project-top-ten/)
36
-
to start. Scanning tools like Sobelow map code patterns that may contain weakness that match these issues and report them back to developers/users.
37
-
Depending on the tool, one or more of the issues listed may be supported/discoverable and tools by programming language.
38
33
34
+
Scan your project by running the following at a terminal in your project's root directory
35
+
```
36
+
$ mix sobelow
37
+
38
+
```
39
+
As a vulnerabilities scanner there are multiple categories of vulnerabilities sobelow is capable of discovering/reporting on.
40
+
41
+
For instance, there are a number of security issues published on the Common Weakness Enumeration (CWE) site - [CWE's](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) and on OWASP Top 10 [OWASP Top 10](https://owasp.org/www-project-top-ten/).
42
+
43
+
Scanning tools like Sobelow map code patterns that may contain weakness that match these issues and report them back to developers/users.
39
44
40
-
For example, let's say you are interested in Injection Vulnerabilities. There are several types of injection. Referring to the CWE list, we see that #17 CWE-77 is for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the Owasp Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of attacks.
45
+
Let's say you are interested in Injection Vulnerabilities. There are several types of injection. Referring to the CWE list, we see that #17 CWE-77 is for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the Owasp Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of attacks.
41
46
42
47
Injection issues are places in an application where a malicious actor can send commands, queries, that get processed as authorized code, to trigger the application into performing an unauthorized action.
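Review bot: the added line 30 misspells "dependencies" as "dependicies", and the new fenced block at lines 35-38 contains a stray empty line after `$ mix sobelow` and has no language tag; suggest "Install Sobelow and add it to your application dependencies or install it by following the instructions at https://hexdocs.pm/sobelow/readme.html", dropping the blank line inside the fence, and opening the fence with a language tag such as ```shell so the Livebook renders it as a shell snippet. Two smaller wording points in the added lines: line 39 "As a vulnerabilities scanner" should read "As a vulnerability scanner", and line 43 (carried over from the removed line 36) "code patterns that may contain weakness" should be "weaknesses". The removed line 37 ("Depending on the tool, one or more of the issues listed may be supported/discoverable and tools by programming language.") is the only content not re-introduced; its point that detection coverage varies by tool and by language is worth keeping in a clearer form. The unchanged heading at line 29, `<spanstyle="color:blue;">`, is missing the space before `style`, so the span will not render as intended; worth fixing while this section is being edited.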