
1. Introduction

I recently noticed that many public accounts were recommending the QingScan scanner platform and became curious. It took half an hour to get QingScan built and running.

After setting it up I opened the console and went through QingScan's function list. Besides the black-box scanning that those posts introduced, it actually has many more functions. The one I like most is the white-box audit function, which integrates fortify, semgrep, Hippo webshell, kunlun-m, sonarqube, and PHP, Python and Java dependency scanning tools, hence this write-up.

2. Function overview

After I installed QingScan, I entered the QingScan console, and the first thing I saw was the statistical graphs of black box scanning and white box auditing, and the navigation bar above.

2.1 Chart Analysis

Statistical charts are divided into two categories, as shown in the following figure:

As can be seen in the figure above:

The first category is the statistics of white-box audit results: the proportion of high, medium and low severity vulnerabilities in the scan results, results by scan date, and the proportion by vulnerability classification.

The second category is the statistics of host scanning: the proportion of scanned ports, the proportion of host ports, and what appears to be statistics of the components identified on those ports.

2.2 Adding a project

Following the function I am interested in, I clicked White-box audit on the navigation bar -> Project list -> Add project, and a window for adding a project popped up. After trying it, I found that only the project name and address are required; everything else is optional, as shown in the figure below.

After filling in the information shown in the figure above, the project is added to the project list, and the figure shows the newly added project.

3. Analysis of results

3.1 Inside the project

After adding the project, you will find that the numbers corresponding to the various tools in the project list have increased, as shown in the following figure.

Move the mouse over the number position and you will see the scan completion time of the corresponding tool. Clicking the link will jump to the corresponding tool list, which will not be explained here.

3.2 Details page

I clicked the View button and landed on the details page. The details page shows some basic information about the project as well as the scan results of the various tools, as shown in the following figure.

In the figure above, the basic information is what was filled in when adding the project, and the times under tool activity are when each tool finished scanning.

3.3 fortify scan results

Further down the details page are some of fortify's scan results, as shown in the following figure.

The figure shows information such as vulnerability type, severity, taint (parameter pollution) source, execution location and audit status. The audit status is a drop-down component, so the audit operation can be performed directly from the list.

3.4 semgrep scan results

Scrolling further down the details page, you can also see semgrep's scan results for the project, as shown in the following figure.

It likewise displays vulnerability type, severity, execution location and audit status, and the audit status is again a drop-down component from which the audit operation can be performed directly.
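The fortify and semgrep results above, and the aggregator idea described in section 4.1, come down to one thing: each tool's output is mapped onto a common record (vulnerability type, severity, location, taint source, audit status) so it can be listed and charted together. The following is an added example of that normalisation, not QingScan's own code; the semgrep input follows the real `semgrep --json` layout, while the Fortify-style records, rule ids, paths and taint source are constructed for illustration (Fortify's FPR container is not parsed).

```python
import json
from dataclasses import dataclass

# Each tool's own severity vocabulary mapped onto the one high/medium/low scale the UI shows.
SEVERITY_MAP = {
    "semgrep": {"ERROR": "high", "WARNING": "medium", "INFO": "low"},
    "fortify": {"Critical": "high", "High": "high", "Medium": "medium", "Low": "low"},
}
RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Finding:
    tool: str
    vuln_type: str
    severity: str
    location: str                    # "file:line", the execution-location column
    source: str = ""                 # taint source; semgrep results carry none
    audit_status: str = "unaudited"  # the drop-down an auditor changes in the UI

def from_semgrep(raw_json: str) -> list[Finding]:
    """Parse the real `semgrep --json` layout: results[].check_id, path, start.line, extra.severity."""
    return [Finding("semgrep", r["check_id"], SEVERITY_MAP["semgrep"].get(r["extra"]["severity"], "low"),
                    f'{r["path"]}:{r["start"]["line"]}')
            for r in json.loads(raw_json).get("results", [])]

def from_fortify_like(records: list[dict]) -> list[Finding]:
    """Constructed Fortify-style dicts (category/priority/file/line/source); the FPR container is not parsed."""
    return [Finding("fortify", r["category"], SEVERITY_MAP["fortify"].get(r["priority"], "low"),
                    f'{r["file"]}:{r["line"]}', r.get("source", "")) for r in records]

def aggregate(*groups: list[Finding]) -> list[Finding]:
    """Merge every tool's findings, drop exact duplicates, order highest severity first."""
    return sorted({f for g in groups for f in g}, key=lambda f: (RANK[f.severity], f.location, f.tool))

def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Counts behind the dashboard's high/medium/low proportion chart."""
    return {lvl: sum(1 for f in findings if f.severity == lvl) for lvl in RANK}

def corroborated(findings: list[Finding]) -> dict[str, set[str]]:
    """Locations flagged by more than one tool: the first candidates to audit."""
    tools_at: dict[str, set[str]] = {}
    for f in findings:
        tools_at.setdefault(f.location, set()).add(f.tool)
    return {loc: tools for loc, tools in tools_at.items() if len(tools) > 1}

# Constructed sample inputs (rule ids, paths and the taint source are illustrative).
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "php.example.tainted-sql-string", "path": "app/user.php", "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "php.example.weak-hash-md5", "path": "lib/hash.php", "start": {"line": 7}, "extra": {"severity": "WARNING"}}]})
FORTIFY_LIKE = [{"category": "SQL Injection", "priority": "Critical", "file": "app/user.php", "line": 42, "source": "$_GET['id']"}]
```

Running `aggregate(from_semgrep(SEMGREP_JSON), from_fortify_like(FORTIFY_LIKE))` yields three findings ordered high first, and `corroborated` shows that both tools flag `app/user.php:42`, which is where an auditor would start.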

3.5 Dependency scanning

4. Tool introduction

The following is part of QingScan's own introduction, copied here:

4.1 Introduction

QingScan is an aggregate scanner. It does not implement security scanning itself but acts as a porter of security scanning tools: when a target is added, QingScan automatically calls the various scanners against the target and imports their results into the QingScan platform for aggregated display.

4.2 Online Demo

Online experience address: http://txy8g.songboy.site:8112/ Username: admin Password: admin

Note: The online experience address is a function demonstration and will not actually scan the target~

4.3 Practice range systems

After installation, please do not scan targets without sufficient authorization. To help you get started quickly, we have built some practice range systems that you are authorized to scan:

  1. http://txy8g.songboy.site:8888/home/index.php Easy Penetration Testing System Test

4.4 Contact us


Author: Tang Qingsong

WeChat: songboy8888

Date: January 9, 2022



Author of 《PHP Web安全开发实战》 (PHP Web Security Development in Practice)