DongTai v1.15.1 releases: open-source passive interactive security testing (IAST) product

DongTai

DongTai IAST is an open-source passive interactive security testing (IAST) product. It uses dynamic hooks and taint tracking algorithms to achieve universal vulnerability detection and multiples request associated with vulnerability detection (including but not limited to unauthorized vulnerabilities, overpower vulnerabilities), Third-party component vulnerability detection, etc. Currently, applications in Java and Python are supported for vulnerability detection.

Architecture

DongTai IAST has multiple basic services, including DongTai-web, DongTai-webapi, DongTai-openapi, DongTai-engine, agent, DongTai-deploy, DongTai-Base-Image and DongTai-Plugin-IDEA:

• DongTai-web is the product page of DongTai, which is used to handle the interaction between users and cave states.
• DongTai-webapi is responsible for handling user-related operations.
• DongTai-openapi is used to process the registration/heartbeat/call method/third-party component/error log data reported by agent, issue hook strategy, issue probe control commands, etc.
• DongTai-engine analyzes whether there are vulnerabilities in HTTP/HTTPS/RPC requests according to the calling method data and taint tracking algorithm, and is also responsible for other related timing tasks.
• the agent is a probe module of DongTai, including data collection terminals in different programming languages, used to collect data during application runtime and report to the DongTai-OpenAPI service.
• DongTai-deploy is used for the deployment of DongTai IAST, including docker-compose single-node deployment, Kubernetes cluster deployment, etc. If you want a deployment plan, you can add features or contribute to the deployment plan.
• DongTai-Base-Image contains the basic services that DongTai depends on runtime, including MySql, Redis.
• DongTai-Plugin-IDEA is the IDEA plug-in corresponding to the Java probe. You can run the Java probe directly through the plug-in and detect the vulnerabilities directly in IDEA.

Scenario

The usage scenarios of “DongTai IAST” include but are not limited to:

• Embed the DevSecOps process to realize automatic detection of application vulnerabilities/third-party component combing/third-party component vulnerability detection.
• Common vulnerability mining for open source software/open source components.
• Security testing before release, etc.

Changelog v1.15.1

• feat: add 1.14.0 by @tscuite in #1745
• v1.14.0 by @tscuite in #1746
• Beta by @tscuite in #1747
• v1.14.0 by @tscuite in #1748
• v1.14.0 by @tscuite in #1750
• Beta by @tscuite in #1751
• fix: remove print by @st1020 in #1739
• pref: use group celery tasks in sca bulk handler by @st1020 in #1749
• feat: add session engine by @st1020 in #1753
• pref: improve app vul list pref by @st1020 in #1742
• feat: set session expiry by @st1020 in #1755
• feat: remove outdate code by @st1020 in #1754
• fix: app vul list error by @st1020 in #1756
• feat: add failed login count by @st1020 in #1757
• feat: update ci by @tscuite in #1760
• fix: login error by @st1020 in #1761
• feat: new patch implementation by @st1020 in #1759
• feat: add login lock status by @st1020 in #1762
• build(deps): bump uwsgi from 2.0.21 to 2.0.22 by @dependabot in #1764
• feat: modify project summary api day_num field by @st1020 in #1763
• feat: method pool save by @st1020 in #1766
• feat: reduce memory usage in vul scan. by @Bidaya0 in #1767
• feat: modify vul save logic by @st1020 in #1768
• fix: vul method pool error by @st1020 in #1769
• feat: add has vul method pool field by @st1020 in #1771
• fix: iast_vulnerability table migration by @st1020 in #1772
• feat: package focus by @st1020 in #1773
• feat: focus package priority by @st1020 in #1775
• feat: add custom tag by @Bidaya0 in #1777
• feat: change hook strategy length limit. by @Bidaya0 in #1778
• Feat/add new topo table by @Bidaya0 in #1779
• deps: add pandas dependance by @st1020 in #1781
• feat: custom max page size by @st1020 in #1782
• feat: modify notify by @st1020 in #1783
• refactor: vul details api parse_graph by @st1020 in #1784
• feat: update ci by @tscuite in #1785
• feat: add replay header by @st1020 in #1786
• feat: update ci by @tscuite in #1787
• feat: update ci by @tscuite in #1788
• feat: update ci by @tscuite in #1790
• feat: update ci by @tscuite in #1791
• feat: modify hook strategy update logic by @st1020 in #1789
• feat: update ci by @tscuite in #1792
• feat: update ci by @tscuite in #1793
• feat: update ci by @tscuite in #1794
• Feat/add project token by @Bidaya0 in #1797
• feat: heartbeat use celery task by @st1020 in #1795
• fix: save vul did not save uri by @st1020 in #1796
• feat: add project token by @Bidaya0 in #1798
• feat: add new migration by @Bidaya0 in #1799
• fix: memory reduce. by @Bidaya0 in #1780
• dep: add new migration by @Bidaya0 in #1800
• fix: modify rule value by @st1020 in #1801
• fix: set language by @st1020 in #1802
• fix: modify rule value by @st1020 in #1803
• deps: add more itertools by @Bidaya0 in #1804
• feat/project token p2 by @Bidaya0 in #1805
• feat/remove no risk level by @Bidaya0 in #1806
• feat/project token p2 by @Bidaya0 in #1807
• feat/api route is cover. by @Bidaya0 in #1809
• fix: heartbeat task error by @st1020 in #1808
• feat: sensitive info rule add system type by @st1020 in #1811
• fix: heartbeat task error by @st1020 in #1810
• fix: vul status const error by @st1020 in #1813
• fix: change to directed graph. by @Bidaya0 in #1812
• Feat/add constrain in vec by @Bidaya0 in #1814
• Feat/add doc by @Bidaya0 in #1815
• feat: update new strategy. by @Bidaya0 in #1816
• fix:project_agent_download_token by @Bidaya0 in #1817
• feat: update new strategy. by @Bidaya0 in #1818
• feat: update new strategy. by @Bidaya0 in #1819
• v1.15.0 by @tscuite in #1820
• Beta by @tscuite in #1821
• v1.15.0 by @tscuite in #1822
• v1.15.0 by @tscuite in #1823
• Beta by @tscuite in #1824
• feat: update ci by @tscuite in #1825
• v1.15.0 by @tscuite in #1826
• Beta by @tscuite in #1827
• fix: load hook strategy by @st1020 in #1828
• feat: sensitive info pattern use text by @st1020 in #1829
• fix: agent download. by @Bidaya0 in #1830
• fix: patch by @st1020 in #1831
• feat: add new permission. by @Bidaya0 in #1832
• feat: add new permission. by @Bidaya0 in #1833
• fix: load hook strategy by @st1020 in #1834
• fix: modify sensitive info rule status by @st1020 in #1835
• fix: patch log by @st1020 in #1836
• pref: sensitive info rule list by @st1020 in #1837
• Feat/1.15.0 develop by @Bidaya0 in #1843
• Beta by @Bidaya0 in #1844

Install & Use

Copyright (C) 2021 HXSecurity