
AttributeError: 'ClassDefItem' object has no attribute 'XREFfrom'

Open cnscyy opened this issue 8 years ago • 6 comments

When I run this project, the environment is OK! Linux OS: Ubuntu 16.4. All the dependencies are installed, and I can run this project using `python manage.py runserver`. When I upload a file to analyze, it can still analyze the permissions, components and vulnerabilities. It seems that everything is OK when looking at the webpage. But there is an error in the background. It is:

```
Traceback (most recent call last):
  File "/home/yuanyang/sda4/Marvin-static-Analyzer/SSLAnalyzer.py", line 93, in get_javab64_xref
    _xref = _class.XREFfrom
AttributeError: 'ClassDefItem' object has no attribute 'XREFfrom'
```

I want to know what the problem is.

cnscyy avatar Dec 06 '16 08:12 cnscyy

It looks like Androguard was looking at a method and couldn't figure out where it was called from. (The name comes from "cross reference" and "from"). Does the static analysis fail, as in showing 0 vulnerabilities?

Cheers, Juan


jheguia avatar Dec 06 '16 15:12 jheguia

The static analysis still works well. It can analyze the vulnerabilities.

image1 image2

cnscyy avatar Dec 07 '16 05:12 cnscyy

Thank you for your answer! I looked at the vulnerabilities, and I want to know how the severity is judged. Is there some standard for severity? For the severity number, is bigger more dangerous, or just the opposite? Thanks a lot.

cnscyy avatar Dec 07 '16 10:12 cnscyy

Hi! Severity goes from 1 to 9, with 9 being the most dangerous. It is assigned by vulnerability type.

Cheers, Juan


jheguia avatar Dec 07 '16 15:12 jheguia

Hello! Thanks a lot. I found some problems in this project on GitHub.

  1. Severity goes from 2 to 10 in settings.py:

     ```python
     STATIC_VULN_TYPES = {
         "UNPROTECTED_EXPORTED_ACTIVITY": "2",
         "UNPROTECTED_EXPORTED_SERVICE": "4",
         "UNPROTECTED_EXPORTED_PROVIDER": "7",
         "UNPROTECTED_EXPORTED_RECEIVER": "4",
         "NON_SIGNATURE_PROTECTED_EXPORTED_ACTIVITY": "2",
         "NON_SIGNATURE_PROTECTED_EXPORTED_SERVICE": "4",
         "NON_SIGNATURE_PROTECTED_EXPORTED_PROVIDER": "7",
         "NON_SIGNATURE_PROTECTED_EXPORTED_RECEIVER": "4",
         "JAVASCRIPTINTERFACE": "7",
         "FRAGMENT_INJECTION": "4",
         "APPLICATION_DEBUGGABLE": "5",
         "APPLICATION_BACKUP": "5",
         "PHONEGAP_JS_INJECTION": "8",
         "PHONEGAP_CVE_3500_URL": "8",
         "PHONEGAP_CVE_3500_ERRORURL": "8",
         "PHONEGAP_CVE_3501": "8",
         "PHONEGAP_WHITELIST_BYPASS_REGEX": "4",
         "PHONEGAP_CVE_3500_REMOTE": "10",
         "PHONEGAP_DEBUG_LOGGING": "5",
         "PHONEGAP_NO_WHITELIST": "5",
         "REDIS": "10",
         "VUNGLE": "8",
         "SSL_CUSTOM_TRUSTMANAGER": "9",
         "SSL_CUSTOM_HOSTNAMEVERIFIER": "9",
         "SSL_ALLOWALL_HOSTNAMEVERIFIER": "9",
         "SSL_INSECURE_SOCKET_FACTORY": "9",
         "SSL_WEBVIEW_ERROR": "9",
         "WEBVIEW_FILE_SCHEME": "6",
         "CRYPTOGRAPHY": "7",
         "INSECURE_STORAGE_WORLD_READABLE/WRITEABLE": "5",
         "ACTIVITY_HIJACKING": "2",
         "BROADCASTRECEIVER_HIJACKING": "5",
         "SERVICE_HIJACKING": "7",
         "UNPROTECTED_DYNAMICALLY_REGISTERED_RECEIVER": "2",
         "STICKY_BROADCAST_INTENT": "5",
         "AUTOCOMPLETE_PASSWORD_INPUT": "8",
         "WEBVIEW_SAVED_PASSWORD": "8",
         "INSECURE_RUNTIME_EXEC_COMMAND": "10",
         "INSECURE_PATHCLASSLOADER": "10",
         "PROVIDER_PATH_TRAVERSAL": "8",
         "BAAS_PARSE": "5",
         "BAAS_AWS": "5",
         "BAAS_CLOUDMINE": "5",
         "BAAS_AZURE": "5",
         "BOLTS": "7",
     }
     ```
  2. The vulnerability SURREPTITIOUS_SHARING is not in the settings.py, but is analyzed in SurreptitiousSharingAnalyzer.py
  3. There are some vulnerabilities in SAAFError.py, but SAAFError.py is not referenced in MarvinStaticAnalyzer.py. There are two code statements in MarvinStaticAnalyzer.py that are commented out:

     ```python
     #moved to SAAF analyzer
     #final_report.update( JavascriptInterfaceAnalyzer(vm,dx,cm).check_javascript_interface() )
     ```

Is there some difference between this project and your project?

cnscyy avatar Dec 08 '16 15:12 cnscyy
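
An added example, not part of the thread or the project's code: a consistency check for the two settings issues raised in the comment above (severities outside the range stated earlier in the thread, and a type that is analyzed but has no severity). It assumes the 1 to 9 range and uses a constructed subset of the posted table; `audit_severity_table`, `severity_of` and `REPORTED_TYPES` are hypothetical names.

```python
# Added example: audit a severity table like STATIC_VULN_TYPES against a
# documented range and against the type names the analyzers emit.
# Function and variable names here are hypothetical, not from the project.

# Constructed sample: a subset of the table quoted in the thread.
STATIC_VULN_TYPES = {
    "UNPROTECTED_EXPORTED_ACTIVITY": "2",
    "JAVASCRIPTINTERFACE": "7",
    "SSL_CUSTOM_TRUSTMANAGER": "9",
    "REDIS": "10",
    "INSECURE_RUNTIME_EXEC_COMMAND": "10",
}

# Constructed sample: type names emitted by analyzers. SURREPTITIOUS_SHARING
# is the one the thread reports as missing from settings.py.
REPORTED_TYPES = ["JAVASCRIPTINTERFACE", "REDIS", "SURREPTITIOUS_SHARING"]


def audit_severity_table(table, reported_types, lo=1, hi=9):
    """Return the problems found in a severity table, grouped by kind."""
    problems = {"not_numeric": [], "out_of_range": [], "unmapped": []}
    for name, raw in sorted(table.items()):
        try:
            value = int(raw)  # the table stores severities as strings
        except (TypeError, ValueError):
            problems["not_numeric"].append(name)
            continue
        if not lo <= value <= hi:
            problems["out_of_range"].append((name, value))
    # Types an analyzer can emit but that have no severity assigned.
    problems["unmapped"] = sorted(set(reported_types) - set(table))
    return problems


def severity_of(table, name, default=None):
    """Look up a severity as an int; unmapped types yield `default`, not KeyError."""
    raw = table.get(name)
    return int(raw) if raw is not None else default


if __name__ == "__main__":
    report = audit_severity_table(STATIC_VULN_TYPES, REPORTED_TYPES)
    for kind, items in report.items():
        print(kind, items)
```

Running a check like this at start-up or in CI surfaces a type with no severity before a report silently omits or mis-ranks a finding.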

Hi! settings.py was not committed yet, I've uploaded it now.

Thanks, Juan


jheguia avatar Dec 12 '16 16:12 jheguia