Salus compiles a report while executing each scanner and, before finishing, outputs this report in one or more ways.
By default, Salus always prints the report to STDOUT. This can be turned off via the `--quiet` (`-q`) flag. Additionally, Salus can be configured to send reports to the local file system, to remote HTTP endpoints, or to both. See the configuration documentation for more detail.
Salus reports contain the following information:
- The report format version, which report consumers need in order to determine how to parse the report.
- Data about the codebase it scanned.
- The configuration that Salus used during the scan.
- The outcome of each scanner it ran.
- Information about the repo that might be useful for further analysis (such as what dependencies it has).
- Errors that happened during Salus execution.
The report, structurally, is a Hash of the following form:

```
{
  "version": <String, semantic version of this report format>,
  "project_name": <String, comes from Salus configuration, typically used for identifying the codebase for this report>,
  "custom_info": <String, comes from Salus configuration, used to pipe additional data from Salus runner to report consumer>,
  "configuration": <Hash, exact configuration used while Salus executed>,
  "scans": {
    <String, scanner name>: <Boolean, true for pass, false for fail>
  },
  "info": {
    <String, info type>: [
      <String, info>
    ]
  },
  "errors": {
    <String, error origin>: [
      <String, error message>
    ]
  }
}
```
While the report above is shown in JSON form, Salus reports can also be generated in YAML and plain-text form.
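As an added example (not part of Salus or its documentation), the following Ruby script consumes a report of the shape described above from the consumer's side: it checks the format major version before interpreting anything, lists the scanners that failed, pulls the unpatched gems out of the per-scanner `info`, and refuses to accept a report that carries any entry under `errors` even when `overall` passed. That last check matters for the second example report below, where `overall => passed` is reported even though `ReportRubyGems` raised a `NoMethodError` and therefore never finished. The sample report and the class and method names are constructed for this example.

```ruby
require 'json'

# Constructed sample report (not real Salus output). It follows the
# documented shape: one enforced scanner fails with unpatched-gem info,
# and a runtime error is recorded under "errors".
SAMPLE_REPORT = <<~JSON
  {
    "version": "1.0.0",
    "project_name": "Project",
    "custom_info": "",
    "configuration": {
      "enforced_scanners": ["RepoNotEmpty", "Brakeman", "BundleAudit"]
    },
    "scans": {
      "Brakeman": { "passed": true },
      "BundleAudit": {
        "passed": false,
        "info": {
          "unpatched_gem": [
            { "type": "UnpatchedGem", "name": "loofah", "version": "2.0.3",
              "cve": "CVE-2018-8048", "patched_versions": [">= 2.2.1"] }
          ]
        }
      },
      "RepoNotEmpty": { "passed": true },
      "ReportRubyGems": { "info": { "dependency": [] } },
      "overall": { "passed": false }
    },
    "info": {},
    "errors": {
      "Salus": [
        { "type": "NoMethodError",
          "message": "undefined method `versions' for nil:NilClass",
          "location": "/home/lib/salus/scanners/report_ruby_gems.rb:43" }
      ]
    }
  }
JSON

# Major version of the report format this consumer was written against.
SUPPORTED_MAJOR = 1

# Hypothetical consumer of a Salus report (name chosen for this example).
class SalusReportConsumer
  attr_reader :report

  def initialize(json)
    @report = JSON.parse(json)
  end

  # Refuse to interpret a report whose format major version differs from
  # the one this consumer understands.
  def version_supported?
    report.fetch('version').split('.').first.to_i == SUPPORTED_MAJOR
  end

  # Scanners that ran and reported failure. Info-only scanners (such as
  # ReportRubyGems) carry no "passed" key and are skipped.
  def failed_scanners
    report.fetch('scans').select { |name, result| name != 'overall' && result['passed'] == false }.keys
  end

  # Every unpatched gem any scanner recorded, with the versions that fix it.
  def unpatched_gems
    report.fetch('scans').values.flat_map { |result| result.dig('info', 'unpatched_gem') || [] }
          .map { |g| { name: g['name'], version: g['version'], cve: g['cve'], fix: g['patched_versions'] } }
  end

  # Flattened "origin: type message" strings for every recorded error.
  def errors
    report.fetch('errors', {}).flat_map do |origin, list|
      list.map { |e| "#{origin}: #{e['type']} #{e['message']}" }
    end
  end

  # Fail-closed gate: accept only a supported format, an overall pass, and
  # an empty error list. A recorded error means a scanner did not complete,
  # so "overall: passed" alone does not prove every enforced check ran.
  def accept?
    version_supported? && report.dig('scans', 'overall', 'passed') == true && errors.empty?
  end

  def summary
    { accept: accept?, failed_scanners: failed_scanners, unpatched_gems: unpatched_gems, errors: errors }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(SalusReportConsumer.new(SAMPLE_REPORT).summary)
end
```

Run it with `ruby salus_report_consumer.rb`; in a CI job the exit status would be derived from `accept?`. The version check compares only the major component, on the assumption that the semantic version in `version` follows the usual rule that minor and patch bumps stay backward compatible.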
Reports generated by scanning the rails/actioncable-examples@916910c repository.
Text from STDOUT:

```
#################### Salus Scan v1.0.0 for Project ####################
Brakeman => passed
BundleAudit => failed
  STDOUT:
    [
      {
        "type": "UnpatchedGem",
        "name": "loofah",
        "version": "2.0.3",
        "cve": "CVE-2018-8048",
        "url": "https://github.com/flavorjones/loofah/issues/144",
        "advisory_title": "Loofah XSS Vulnerability",
        "description": "Loofah allows non-whitelisted attributes to be present in sanitized\noutput when input with specially-crafted HTML fragments.\n",
        "cvss": null,
        "osvdb": null,
        "patched_versions": [
          ">= 2.2.1"
        ],
        "unaffected_versions": [
        ]
      },
      ...
PatternSearch => passed
RepoNotEmpty => passed
ReportRubyGems
overall => failed
```
YAML form (long arrays have been shortened for brevity):

```yaml
---
:project_name: Project
:scans:
  Brakeman:
    passed: true
  BundleAudit:
    passed: false
    info:
      unpatched_gem:
      - :type: :UnpatchedGem
        :name: loofah
        :version: 2.0.3
        :cve: CVE-2018-8048
        :url: https://github.com/flavorjones/loofah/issues/144
        :advisory_title: Loofah XSS Vulnerability
        :description: |
          Loofah allows non-whitelisted attributes to be present in sanitized
          output when input with specially-crafted HTML fragments.
        :cvss:
        :osvdb:
        :patched_versions:
        - ">= 2.2.1"
        :unaffected_versions: []
      - :type: :UnpatchedGem
        :name: sprockets
        :version: 3.7.1
        :cve: CVE-2018-3760
        :url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
        :advisory_title: Path Traversal in Sprockets
        :description: |
          Specially crafted requests can be used to access files that exist on
          the filesystem that is outside an application's root directory, when the
          Sprockets server is used in production.

          All users running an affected release should either upgrade or use one of the work arounds immediately.

          Workaround:
          In Rails applications, work around this issue, set `config.assets.compile = false` and
          `config.public_file_server.enabled = true` in an initializer and precompile the assets.

           This work around will not be possible in all hosting environments and upgrading is advised.
        :cvss:
        :osvdb:
        :patched_versions:
        - "< 3.0.0, >= 2.12.5"
        - "< 4.0.0, >= 3.7.2"
        - ">= 4.0.0.beta8"
        :unaffected_versions: []
  PatternSearch:
    passed: true
  RepoNotEmpty:
    passed: true
  ReportRubyGems:
    info:
      dependency:
      - :dependency_file: Gemfile
        :type: ruby
        :version:
      - :dependency_file: Gemfile
        :type: bundler
        :version: !ruby/object:Gem::Version
          version: 1.15.1
      - :dependency_file: Gemfile.lock
        :type: gem
        :name: actioncable
        :version: 5.1.1
        :source: rubygems repository https://rubygems.org/ or installed locally
      - :dependency_file: Gemfile.lock
        :type: gem
        :name: actionmailer
        :version: 5.1.1
        :source: rubygems repository https://rubygems.org/ or installed locally
  overall:
    passed: false
:info: {}
:errors: {}
:version: 1.0.0
:custom_info: ''
:configuration:
  sources:
  - file:///salus.yaml
  active_scanners:
  - Brakeman
  - BundleAudit
  - NPMAudit
  - PatternSearch
  - RepoNotEmpty
  - ReportGoDep
  - ReportNodeModules
  - ReportPythonModules
  - ReportRubyGems
  enforced_scanners:
  - RepoNotEmpty
  - Brakeman
  - BundleAudit
  - NPMAudit
  - PatternSearch
  scanner_configs: {}
  reports:
  - uri: file://./repo/salus-report.txt
    format: txt
  - uri: file://./repo/salus-report.yaml
    format: yaml
    verbose: true
  - uri: file://./repo/salus-report.json
    format: json
    verbose: true
```
JSON form (long arrays have been shortened for brevity):

```json
{
  "project_name": "Project",
  "scans": {
    "Brakeman": {
      "passed": true
    },
    "BundleAudit": {
      "passed": false,
      "info": {
        "unpatched_gem": [
          {
            "type": "UnpatchedGem",
            "name": "loofah",
            "version": "2.0.3",
            "cve": "CVE-2018-8048",
            "url": "https://github.com/flavorjones/loofah/issues/144",
            "advisory_title": "Loofah XSS Vulnerability",
            "description": "Loofah allows non-whitelisted attributes to be present in sanitized\noutput when input with specially-crafted HTML fragments.\n",
            "cvss": null,
            "osvdb": null,
            "patched_versions": [
              ">= 2.2.1"
            ],
            "unaffected_versions": [
            ]
          },
          {
            "type": "UnpatchedGem",
            "name": "sprockets",
            "version": "3.7.1",
            "cve": "CVE-2018-3760",
            "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k",
            "advisory_title": "Path Traversal in Sprockets",
            "description": "Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application's root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n",
            "cvss": null,
            "osvdb": null,
            "patched_versions": [
              "< 3.0.0, >= 2.12.5",
              "< 4.0.0, >= 3.7.2",
              ">= 4.0.0.beta8"
            ],
            "unaffected_versions": [
            ]
          }
        ]
      }
    },
    "PatternSearch": {
      "passed": true
    },
    "RepoNotEmpty": {
      "passed": true
    },
    "ReportRubyGems": {
      "info": {
        "dependency": [
          {
            "dependency_file": "Gemfile",
            "type": "ruby",
            "version": null
          },
          {
            "dependency_file": "Gemfile",
            "type": "bundler",
            "version": "1.15.1"
          },
          {
            "dependency_file": "Gemfile.lock",
            "type": "gem",
            "name": "actioncable",
            "version": "5.1.1",
            "source": "rubygems repository https://rubygems.org/ or installed locally"
          },
          {
            "dependency_file": "Gemfile.lock",
            "type": "gem",
            "name": "actionmailer",
            "version": "5.1.1",
            "source": "rubygems repository https://rubygems.org/ or installed locally"
          }
        ]
      }
    },
    "overall": {
      "passed": false
    }
  },
  "info": {
  },
  "errors": {
  },
  "version": "1.0.0",
  "custom_info": "",
  "configuration": {
    "sources": [
      "file:///salus.yaml"
    ],
    "active_scanners": [
      "Brakeman",
      "BundleAudit",
      "NPMAudit",
      "PatternSearch",
      "RepoNotEmpty",
      "ReportGoDep",
      "ReportNodeModules",
      "ReportPythonModules",
      "ReportRubyGems"
    ],
    "enforced_scanners": [
      "RepoNotEmpty",
      "Brakeman",
      "BundleAudit",
      "NPMAudit",
      "PatternSearch"
    ],
    "scanner_configs": {
    },
    "reports": [
      {
        "uri": "file://./repo/salus-report.txt",
        "format": "txt"
      },
      {
        "uri": "file://./repo/salus-report.yaml",
        "format": "yaml",
        "verbose": true
      },
      {
        "uri": "file://./repo/salus-report.json",
        "format": "json",
        "verbose": true
      }
    ]
  }
}
```
Reports generated by scanning the coinbase/traffic_jam@2b90aa5 Ruby gem repository. Note that `overall` is reported as passed even though `ReportRubyGems` raised an error and did not complete; the error is recorded under `errors` rather than as a scanner failure.
Text from STDOUT:

```
#################### Salus Scan v1.0.0 for Project ####################
PatternSearch => passed
RepoNotEmpty => passed
overall => passed
==================== Salus Errors ====================
Salus - [{:type=>"NoMethodError", :message=>"undefined method `versions' for nil:NilClass", :location=>"/home/lib/salus/scanners/report_ruby_gems.rb:43:in `record_dependencies_from_gemfile'"}]
```
YAML form (verbose):

```yaml
---
:project_name: Project
:scans:
  PatternSearch:
    passed: true
  RepoNotEmpty:
    passed: true
  overall:
    passed: true
:info: {}
:errors:
  Salus:
  - :type: NoMethodError
    :message: undefined method `versions' for nil:NilClass
    :location: "/home/lib/salus/scanners/report_ruby_gems.rb:43:in `record_dependencies_from_gemfile'"
:version: 1.0.0
:custom_info: ''
:configuration:
  sources:
  - file:///salus.yaml
  active_scanners:
  - Brakeman
  - BundleAudit
  - NPMAudit
  - PatternSearch
  - RepoNotEmpty
  - ReportGoDep
  - ReportNodeModules
  - ReportPythonModules
  - ReportRubyGems
  enforced_scanners:
  - RepoNotEmpty
  - Brakeman
  - BundleAudit
  - NPMAudit
  - PatternSearch
  scanner_configs: {}
  reports:
  - uri: file://./repo/salus-report.yaml
    format: yaml
    verbose: true
  - uri: file://./repo/salus-report.json
    format: json
    verbose: true
```
JSON form (verbose):

```json
{
  "project_name": "Project",
  "scans": {
    "PatternSearch": {
      "passed": true
    },
    "RepoNotEmpty": {
      "passed": true
    },
    "overall": {
      "passed": true
    }
  },
  "info": {
  },
  "errors": {
    "Salus": [
      {
        "type": "NoMethodError",
        "message": "undefined method `versions' for nil:NilClass",
        "location": "/home/lib/salus/scanners/report_ruby_gems.rb:43:in `record_dependencies_from_gemfile'"
      }
    ]
  },
  "version": "1.0.0",
  "custom_info": "",
  "configuration": {
    "sources": [
      "file:///salus.yaml"
    ],
    "active_scanners": [
      "Brakeman",
      "BundleAudit",
      "NPMAudit",
      "PatternSearch",
      "RepoNotEmpty",
      "ReportGoDep",
      "ReportNodeModules",
      "ReportPythonModules",
      "ReportRubyGems"
    ],
    "enforced_scanners": [
      "RepoNotEmpty",
      "Brakeman",
      "BundleAudit",
      "NPMAudit",
      "PatternSearch"
    ],
    "scanner_configs": {
    },
    "reports": [
      {
        "uri": "file://./repo/salus-report.yaml",
        "format": "yaml",
        "verbose": true
      },
      {
        "uri": "file://./repo/salus-report.json",
        "format": "json",
        "verbose": true
      }
    ]
  }
}
```