ArcherySec v2.0.2 released: Open Source Vulnerability Assessment and Management
Archery is an open-source vulnerability assessment and management tool that helps developers and pentesters run scans and manage the resulting vulnerabilities. It drives popular open-source tools to perform comprehensive scanning of web applications and networks, performs authenticated dynamic scanning of web applications, and covers the whole application by driving it with Selenium. Developers can also integrate it into their DevOps CI/CD pipelines.
Overview of the tool:
- Perform web and network vulnerability scanning using open-source tools.
- Correlate and collate all raw scan data and show it in a consolidated view.
- Perform authenticated web scanning.
- Perform web application scanning using Selenium.
- Vulnerability management.
- REST APIs for developers to trigger scans and manage vulnerabilities.
- JIRA ticketing integration.
- Subdomain discovery and scanning.
- Periodic scans.
- Concurrent scans.
- Useful for DevOps teams for vulnerability management.
Changelog v2.0.2
🚀 Features and enhancements
- Multi-user role-based accounts: Admin, Analyst and Viewer
- Removed Settings from non-admin users (#508)
- Shift Left CI/CD module (#507)
- Removed duplicate issues from the SAST vulnerability list (#503)
- Updated FindSecBugs parser (#501)
- New functionality and enhancements (#492)
- Added connector module and icons for scanners (#485)
🐛 Bug Fixes
- Fixed ZAP v2.11.1 XML report upload (#531)
- Login now uses variables from docker-compose.yml (#522, #525)
- Removed safe filters from auto-escaped HTML due to a security concern (#519)
- Fixed Trivy 0.19.2 JSON output report parsing (#509, #510)
- Fixed ZAP Launch Scan: NameError: name 'notify' is not defined (#486, #487)
- Fixed null values in Trivy reports (#473)
- Updated setup.sh to fix a macOS installation issue (#469)
🧰 Maintenance
- Bump pillow from 8.3.2 to 9.0.0 (#530)
- Bump django from 3.1.13 to 3.1.14 (#524)
- Bump lxml from 4.6.3 to 4.6.5 (#521)
- Bump django from 3.1.12 to 3.1.13 (#505)
- Bump sqlparse from 0.4.1 to 0.4.2 (#500)
- Bump pillow from 8.2.0 to 8.3.2 (#496)
- Restructured models and scanner pages (#475, #484)
- Bump django from 3.1.8 to 3.1.12 (#481)
- [Snyk] Security upgrade django from 1.11.29 to 2.2.21 (#472)
- [Snyk] Security upgrade pillow from 6.2.2 to 8.2.0 (#476)
- [Snyk] Security upgrade django from 1.11.29 to 2.2.24 (#480)
- Bump urllib3 from 1.26.4 to 1.26.5 (#479)
🚩 Security
- Removed safe filters from auto-escaped HTML due to a security concern (#519)
- [Snyk] Fix for 28 vulnerabilities (#515)
- [Snyk] Fix for 27 vulnerabilities (#495)
- Bump django from 3.1.8 to 3.1.12 (#481)
Requirement
- Python 3.6+
- OpenVAS 8, 9
- OWASP ZAP 2.7.0
- Selenium Python Firefox Web driver
- SSLScan
- Nikto
- NMAP Vulners
OpenVAS
Follow the Hacker Target guide to install OpenVAS.
Note that, at this time, Archery opens a TCP connection to the OpenVAS Manager (not to the GSA web interface), so the OpenVAS Manager must be configured to listen on a port Archery can reach. The default is 9390/tcp; you can change it in Archery's settings. If Archery and the manager run on different hosts, the manager has to listen on a non-loopback interface; since that port is an administrative control channel, restrict access to it to the Archery host.
OWASP Zap
Also known as Zaproxy. Download and install the package matching your distro from the official GitHub page.
Systemd service file is available in the project.
Burp Scanner
Follow Burp's instructions to enable its REST API. Once the REST API is enabled, Archery can trigger and manage scans through it.
Systemd service file is available in the project.
SSLScan
Simply install SSLScan from your package manager.
Nikto
Simply install Nikto from your package manager.
NMAP Vulners
Copy the vulners NSE script into nmap's scripts directory.
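Before pointing Archery at these back ends it is worth confirming that each one is actually reachable, because a scanner that silently fails to connect shows up only as an empty scan. The pre-flight script below is an added example and not part of ArcherySec: it checks that the TCP ports Archery connects to (OpenVAS Manager, ZAP API, Burp REST API) accept a connection, that the command-line scanners are on PATH, and that the vulners NSE script sits in nmap's scripts directory. Only 9390/tcp for the OpenVAS Manager comes from the text above; the ZAP port (8080), the Burp REST API port (1337) and the nmap scripts directory are assumed defaults and should be adjusted to your settings.

```python
"""Pre-flight check for the scanner back ends Archery talks to.

Added example, not ArcherySec code. Ports other than 9390/tcp and the
nmap scripts directory are assumptions; adjust them to your deployment.
"""
import os
import shutil
import socket
from typing import List, NamedTuple, Tuple


class Check(NamedTuple):
    name: str
    ok: bool
    detail: str


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable host, ...
        return False


def binary_present(name: str) -> bool:
    """True if an executable called `name` is on PATH."""
    return shutil.which(name) is not None


def nse_script_present(scripts_dir: str, script: str = "vulners.nse") -> bool:
    """True if the NSE script file exists in nmap's scripts directory."""
    return os.path.isfile(os.path.join(scripts_dir, script))


def run_checks(
    openvas: Tuple[str, int] = ("127.0.0.1", 9390),   # OpenVAS Manager, per the docs
    zap: Tuple[str, int] = ("127.0.0.1", 8080),       # assumed ZAP API port
    burp: Tuple[str, int] = ("127.0.0.1", 1337),      # assumed Burp REST API port
    nmap_scripts_dir: str = "/usr/share/nmap/scripts",  # assumed location
    binaries: Tuple[str, ...] = ("sslscan", "nikto", "nmap"),
) -> List[Check]:
    """Run every check and return one Check per back end, in a fixed order."""
    checks = []
    for name, (host, port) in (("openvas", openvas), ("zap", zap), ("burp", burp)):
        checks.append(Check(name, tcp_open(host, port), "%s:%d" % (host, port)))
    for binary in binaries:
        path = shutil.which(binary)
        checks.append(Check(binary, binary_present(binary), path or "not on PATH"))
    checks.append(Check("vulners.nse", nse_script_present(nmap_scripts_dir),
                        os.path.join(nmap_scripts_dir, "vulners.nse")))
    return checks


def failures(checks: List[Check]) -> List[str]:
    """Names of the checks that did not pass, in the order they were run."""
    return [c.name for c in checks if not c.ok]


if __name__ == "__main__":
    results = run_checks()
    for c in results:
        print("%-12s %s  %s" % (c.name, "OK  " if c.ok else "FAIL", c.detail))
    raise SystemExit(1 if failures(results) else 0)
```

Run it on the host where Archery is installed; a non-zero exit code with the failing back ends listed tells you which prerequisite to fix before launching a scan. A port that answers is not proof that the right service is behind it, so treat the result as a reachability check, not an authentication test.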
Copyright (c) 2017, ArcherySec Maintainers, All rights reserved.