New Forge Security Requirement Tester

A couple of weeks ago, Ecosystem Security announced that we are launching and open sourcing a new tool called the Forge Security Requirement Tester (FSRT). FSRT expands our Ecoscanner platform to include Forge apps, and makes significant strides in our goal of validating that all apps are following our security requirements for cloud applications. To read the full blog post, check here!

Today, we are sharing FSRT. Learn about and implement FSRT here: GitHub - atlassian-labs/FSRT: A static analyzer for finding Forge app vulnerabilities

Implementing FSRT will help you validate that your app(s) are meeting our first security requirement, listed below:

  1. An application must authenticate and authorize every request on all endpoints exposed.

Starting today, we welcome our community to try this tool out on your Forge apps. We will begin scanning all Marketplace Forge apps ourselves in the next few weeks. As always, apps that miss security requirements will receive AMS tickets that are subject to our timeframes for resolution outlined in our Security Bug Fix Policy.

Thanks,
Josh

6 Likes

Hey @JoshuaWong

Are there any docs on what FSRT actually does under the hood to validate the “authenticate and authorize” requirement? I would like to understand what this scanner does without reading the Rust code.

It would be nice to have a high-level description of each implemented requirement that documents what’s being verified by the scanner to pass the requirement.

8 Likes

Hi @JoshuaWong,

Thank you for sharing this and your nice work.

Where can we create issues for problems with the FSRT?

The demo apps and some of our apps are verified easily but verifying one of our apps results in:

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { error: (Span { lo: BytePos(1197411), hi: BytePos(1197417), ctxt: #0 }, Unexpected { got: "string", expected: "jsx identifier" }) }', crates/fsrt/src/main.rs:145:18
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Thank you in advance

Thank you for sharing the tool!

I second what @BenjaminCJohn has posted; I get errors as well:

thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', crates/forge_analyzer/src/engine.rs:107:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

2 Likes

You can create issues under our issue tracker: Issues · atlassian-labs/FSRT · GitHub.
Preferably with a backtrace and a Forge app id (or source code, but it’s fine if you can’t provide it).

Yeah, that’s totally fair. I’ve created a ticket for creating the docs here: Documentation on how the scanner works · Issue #2 · atlassian-labs/FSRT · GitHub, which will most likely be a super brief overview on https://developer.atlassian.com/platform/marketplace/ecoscanner/ that links to a markdown file in the repo for a more detailed explanation.

2 Likes