Modules

ElevenPaths methods

class elevenpaths_auth.mASAPP_CI_auth(key, secret)[source]

This class contains the authenticated methods needed to work with the mASAPP API. It inherits from the HttpSdk class and uses the X11PathsAuthentication scheme, which signs the requests so they are sent more safely. Without this request implementation the user would not be able to communicate with the mASAPP API.

The initialization of this class needs two parameters obtained from mASAPP in the API Clients section. These parameters are:

mASAPP_CI_auth param    Equivalent mASAPP value
key                     Client ID
secret                  Secret

For more information about HttpSdk: https://github.com/ivanprjcts/sdklib

get_auth_scan_by_hashPath(hashPath, workgroup=None)[source]
Parameters:
  • hashPath – The sha1 of the application whose scan the user wants to get
  • workgroup (String) – The workgroup where the user belongs to. (Not mandatory)
Returns:

The scan associated with the given hashPath.

get_auth_scans(workgroup=None)[source]
Parameters:workgroup (String) – The workgroup where the user belongs to. (Not mandatory)
Returns:The response to the authenticated request /scans to the mASAPP API, which returns a brief summary of all the apps contained in the user scans.
get_auth_workgroup()[source]
Returns:The response to the authenticated request /workgroups to the mASAPP API, which returns the mASAPPs workgroups which the user belongs to.
get_scan_result(scan_id, scan_date, app_key, lang, workgroup=None)[source]
Parameters:
  • scan_id (String) – The ID of the scan whose result the user wants to obtain.
  • scan_date (Date) – The date of the scan whose result the user wants to obtain.
  • app_key (String) – The key of the app whose result the user wants to obtain.
  • lang ("en", "es") – The language in which the user wants to get the analysis result.
  • workgroup (String) – The workgroup where the user belongs to. (Not mandatory)
Returns:

The response to the authenticated request /scanResults to the mASAPP API, which returns the result of the mASAPP analysis for the scan matching the given scan_id, scan_date and app_key, including vulnerabilities and behaviors among other things.

get_scan_summary(scan_id, workgroup=None)[source]
Parameters:
  • scan_id (String) – The ID of the scan whose summary the user wants to obtain.
  • workgroup (String) – The workgroup where the user belongs to. (Not mandatory)
Returns:

The response to the authenticated request /scanSummary to the mASAPP API, which returns a summary of the scan with the given scan_id.

post_auth_upload_app(allowTacyt, app_path, workgroup=None)[source]
Parameters:
  • allowTacyt (Boolean) – Whether the user wants to share the app with the Tacyt/mASAPP community or not.
  • app_path (String) – The absolute path to the application which the user wants to upload.
  • workgroup (String) – The workgroup where the user belongs to. (Not mandatory)
Returns:

The response to the authenticated request /upload to the mASAPP API, which returns the result of uploading the app to mASAPP.

masappcli

masappstage

The file masappstage_stored_credentials.groovy from the current folder contains a standard stage for adding mASAPP CI to your Jenkins Pipeline.

HowTo:

  • You have to configure your Jenkins Pipeline for working with three variables:

    • mASAPP_CI: In this variable you will send the type of execution for your job. Possible values:

      • "riskscoring": This execution analyses the application and throws an error if the maximum risk determined in MAXIMUM is surpassed.

      • "detailed riskscoring": It executes a riskscoring analysis but including a detailed output where you can find the vulnerabilities and behaviors evidences, title, risk (only for vulnerabilities), impact (only for behaviors) and number of occurrences.

      • "standard": This execution expects a JSON file where the maximum number of vulnerabilities and behaviors is broken down by severity.

      • "detailed standard": It executes a standard analysis but including a detailed output where you can find the vulnerabilities and behaviors evidences, title, risk (only for vulnerabilities), impact (only for behaviors) and number of occurrences.

    • MASAPP_KEY and MASAPP_SECRET: In these variables you will add the key and secret of the mASAPP API as Jenkins credentials. You can remove them and pass them as masappcli params with -key and -secret instead.

    • MAXIMUM: The maximum value accepted in the execution. It depends on the execution type:

      • "riskscoring" and "detailed riskscoring" expect a float number

      • "standard" and "detailed standard" expect a JSON file with the same format as the following example:

      ```json
      {
        "vulnerabilities": {
          "critical": 0, "high": 2, "medium": 5, "low": 6
        },
        "behaviorals": {
          "critical": 1, "high": 4, "medium": 5, "low": 5
        }
      }
      ```

    • packageNameOrigin: the parameter returned by mASAPP named packageNameOrigin. It is only necessary when the job fails and masappcli requests this param; if not, leave it empty. It is not recommended to set a default value for this var.

  • Replace [APPLICATION_PATH] by the path to your application or add it as a var.

  • Make particular fixes to your Pipeline like modifying the PATH or whatever.
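The following is an added example, not code from masappcli or the masappstage Groovy file, showing how the four mASAPP_CI execution types and their MAXIMUM thresholds can be evaluated in a CI job. The MAXIMUM JSON is the one given above; the shape of the scan result (a risk score plus findings with title, risk or impact and occurrences) and the rule that each finding counts once regardless of its occurrences are assumptions made for this example, and the sample scan is constructed. The validation in parse_maximum_json is the check a practitioner would want: a missing or mistyped severity key in MAXIMUM raises instead of silently disabling a threshold.

```python
import json

# Severity buckets and categories exactly as they appear in the MAXIMUM JSON above.
SEVERITIES = ("critical", "high", "medium", "low")
CATEGORIES = ("vulnerabilities", "behaviorals")
MODES = ("riskscoring", "detailed riskscoring", "standard", "detailed standard")

# Constructed sample scan. Its shape is an ASSUMPTION for this example; the real
# mASAPP /scanResults response may differ.
SAMPLE_SCAN = {
    "riskScore": 6.4,
    "vulnerabilities": [
        {"title": "Cleartext traffic allowed", "risk": "high", "occurrences": 3},
        {"title": "Weak hash algorithm", "risk": "medium", "occurrences": 2},
        {"title": "Exported activity", "risk": "high", "occurrences": 1},
        {"title": "Debuggable build", "risk": "critical", "occurrences": 1},
    ],
    "behaviors": [
        {"title": "Reads contacts", "impact": "high", "occurrences": 1},
        {"title": "Uses location", "impact": "medium", "occurrences": 4},
    ],
}

# The MAXIMUM example from the page, as the text Jenkins would hand to the job.
SAMPLE_MAXIMUM_JSON = """
{
  "vulnerabilities": {"critical": 0, "high": 2, "medium": 5, "low": 6},
  "behaviorals":     {"critical": 1, "high": 4, "medium": 5, "low": 5}
}
"""


def parse_maximum_json(text):
    """Validate MAXIMUM for the "standard" modes: every category and severity must
    be present with a non-negative integer, so a typo cannot disable a threshold."""
    data = json.loads(text)
    for category in CATEGORIES:
        section = data.get(category)
        if not isinstance(section, dict):
            raise ValueError(f"MAXIMUM is missing the '{category}' section")
        for sev in SEVERITIES:
            value = section.get(sev)
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ValueError(f"MAXIMUM['{category}']['{sev}'] must be a non-negative integer")
    return data


def count_by_severity(findings, field):
    """Count findings per severity (assumption: one finding counts once, whatever its occurrences)."""
    counts = {sev: 0 for sev in SEVERITIES}
    for finding in findings:
        sev = str(finding.get(field, "")).lower()
        if sev in counts:
            counts[sev] += 1
    return counts


def check_standard(maximum, scan):
    """Compare per-severity counts against MAXIMUM; return (passed, violations)."""
    counts = {
        "vulnerabilities": count_by_severity(scan.get("vulnerabilities", []), "risk"),
        "behaviorals": count_by_severity(scan.get("behaviors", []), "impact"),
    }
    violations = []
    for category in CATEGORIES:
        for sev in SEVERITIES:
            found, allowed = counts[category][sev], maximum[category][sev]
            if found > allowed:
                violations.append(f"{category}/{sev}: found {found}, maximum allowed {allowed}")
    return not violations, violations


def check_riskscoring(maximum_text, scan):
    """The riskscoring modes fail when the scan's risk exceeds the float in MAXIMUM."""
    limit = float(maximum_text)
    score = float(scan["riskScore"])
    passed = score <= limit
    return passed, [] if passed else [f"risk score {score} exceeds maximum {limit}"]


def detailed_lines(scan):
    """Evidence lines for the "detailed" modes: title, risk or impact, occurrences."""
    lines = [f"[vuln] {v['title']} risk={v['risk']} occurrences={v['occurrences']}"
             for v in scan.get("vulnerabilities", [])]
    lines += [f"[behavior] {b['title']} impact={b['impact']} occurrences={b['occurrences']}"
              for b in scan.get("behaviors", [])]
    return lines


def evaluate(mode, maximum_text, scan):
    """Dispatch on the mASAPP_CI mode and return (passed, report_lines)."""
    if mode not in MODES:
        raise ValueError(f"unknown mASAPP_CI mode: {mode!r}")
    if mode.endswith("riskscoring"):
        passed, messages = check_riskscoring(maximum_text, scan)
    else:
        passed, messages = check_standard(parse_maximum_json(maximum_text), scan)
    if mode.startswith("detailed"):
        messages = detailed_lines(scan) + messages
    return passed, messages


if __name__ == "__main__":
    for mode, maximum in (("riskscoring", "7.0"), ("detailed standard", SAMPLE_MAXIMUM_JSON)):
        ok, report = evaluate(mode, maximum, SAMPLE_SCAN)
        print(f"{mode}: {'PASS' if ok else 'FAIL'}")
        for line in report:
            print("  " + line)
```

With the constructed scan, "riskscoring" with MAXIMUM 7.0 passes, while "standard" with the MAXIMUM above fails on the single critical vulnerability (0 allowed), which is exactly the failure a job using this stage should surface.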