Metadata-Version: 2.1
Name: repelsec
Version: 0.3
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: nvdlib~=0.7.5
Requires-Dist: xmltodict~=0.13.0
Requires-Dist: pandas~=2.1.1
Requires-Dist: argparse~=1.4.0
Requires-Dist: setuptools~=69.0.2
Requires-Dist: repelsec~=0.1
Requires-Dist: fpdf~=1.7.2
Requires-Dist: PyPDF2~=3.0.1
Requires-Dist: requests~=2.31.0

# REPELSEC

## About the tool

A command-line tool allowing developers to find security vulnerabilities within a Java project. This is done through:

- A series of static analysis (SAST) tests that can be run against any first party code (.java, .jsp) to identify
  potential CWE vulnerabilities.
- Software composition analysis (SCA) that identifies any outdated dependencies within the pom.xml file and their
  associated
  CVE vulnerabilities.

## Installation

If your system has Python installed, open your preferred terminal and enter the following command.

`pip install repelsec`

To keep this tool up to date, run the following command on a scheduled basis.

`pip install repelsec --upgrade`

PyPi Package - https://pypi.org/project/repelsec

## Usage

Open a terminal within your IDE and enter the following command.

`repelsec [parameters] path/filename`

Available parameters include:

- `-c / --csv` - Export results to a CSV file
- `-p / --pdf` - Export results to a PDF Report
- `-t / --txt` - Export results to a TXT file
- `-b / --blank` - Hide results from printing to the terminal. Prevents shouldersurfing.
- `-e / --password <password>` - PDF Reports can be encrypted/password-protected with this option.
- `-o / --output_path <path>` - Specify path to output results to.

This information can also be viewed locally using the following command.

`repelsec --help`

## Examples

`repelsec -c vulnerable.java`

`repelsec -p -e StrongPassword123?! -o ~/Documents/Results pom.xml`

## CWE Tests

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-111: Direct Use of Unsafe JNI
- CWE-190: Integer Overflow or Wraparound
- CWE-191: Integer Underflow (Wrap or Wraparound)
- CWE-209: Generation of Error Message Containing Sensitive Information
- CWE-246: J2EE Bad Practices: Direct Use of Sockets
- CWE-259: Use of Hard-coded Password
- CWE-321: Use of Hard-coded Cryptographic Key
- CWE-326: Inadequate Encryption Strength
- CWE-382: J2EE Bad Practices: Use of System.exit()
- CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
- CWE-396: Declaration of Catch for Generic Exception
- CWE-397: Declaration of Throws for Generic Exception
- CWE-481: Assigning instead of Comparing
- CWE-491: Public cloneable() Method Without Final ('Object Hijack')
- CWE-493: Critical Public Variable Without Final Modifier
- CWE-500: Public Static Field Not Marked Final
- CWE-572: Call to Thread run() instead of start()
- CWE-582: Array Declared Public, Final, and Static
- CWE-583: finalize() Method Declared Public
- CWE-585: Empty Synchronized Block
- CWE-586: Explicit Call to Finalize()
- CWE-595: Comparison of Object References Instead of Object Contents
- CWE-766: Critical Data Element Declared Public
- CWE-798: Use of Hard-coded Credentials
