Features on Delvelin

November 12, 2024

Table of Contents

1. Security-Oriented Focus
   • Vulnerability Detection
   • Coming Soon Features
2. Industry Standards and Vulnerability Scoring
3. Flexible Integration
4. Reports
   • HTML Report
   • Console Report

1. Security-Oriented Focus

• Delveline excels as a security analysis tool, offering the ability to detect vulnerabilities such as:
  • Non-thread-safe data structures (e.g., HashMap, ArrayList, StringBuilder, etc) in multi-threading scenarios.
  • Hardcoded sensitive data like API tokens, passwords, private keys, etc.
  • Command Injection.
  • SQL Injection.
  • XSS vulnerabilities.
  • Weak Cryptographic such as MD5 or SHA-1 are considered vulnerable because they can be easily cracked..
  • Dependency Vulnerability Detection (OSV.dev).

  OSV.dev, backed by Google, provides an extensive database for detecting known vulnerabilities (CVEs) in dependencies and libraries used in your project. This enables Delveline to identify outdated or vulnerable dependencies more effectively.

• Coming soon (open contribution)
  • Insecure Http connection : Because unencrypted HTTP connections for sensitive data communication can cause data to be leaked or intercepted by third parties.
  • Reflection Class Vulnerability: Reflection can cause vulnerabilities if it allows access or modification of sensitive classes and methods without adequate controls.
  • Insecure Deserialization

2. Industry Standards and Vulnerability Scoring

We leverage:

• CWE (Common Weakness Enumeration): A global standard for identifying and categorizing vulnerabilities.
• CVSS (Common Vulnerability Scoring System): A framework for scoring the severity of vulnerabilities.
• OSV (Open Source Vulnerabilities): A comprehensive database for open-source vulnerability information.
• ISO/IEC 27001 Alignment: Supporting security awareness and risk management practices aligned with global information security standards.

Disclaimer: Delveline may not identify all vulnerabilities but serves as a powerful first step in securing your codebase.

3. Flexible integration

• Delveline can be installed as a Gradle plugin or used as a Java/Kotlin library.

4. Report

4.1. HTML Report

This is the report page when you choose html as the output format in the usual way:

If you are using the Delvelin library

Delvelin()
    .setOutputFormat(OutputFileFormat.HTML)
    .setAutoLaunchBrowser(true) // for HTML format
    // .setAllowedExtensions(".kt") // by default we allow .java, .kt, .gradle, .kts and .xml.
    .scan()

or if you are using the Delvelin Gradle Plugin

delvelin {
    outputFileFormat = 'HTML'
}

The Delveline vulnerability report, as shown in this example, offers several key strengths that make it an efficient tool for developers to identify and address code vulnerabilities. Here are its main advantages:

1. Comprehensive Detail
   • Vulnerability Categorization: The report organizes vulnerabilities into clear categories (e.g., Non-thread-safe Data Structures, Hardcoded Sensitive Data, etc.), making it easier to prioritize fixes.
   • Descriptions and Explanations: Each vulnerability is explained concisely, enabling developers to understand the root cause without requiring additional research.
2. Industry Standard References
   • CWE (Common Weakness Enumeration): Each vulnerability is mapped to a CWE code, providing context based on global standards.
   • CVSS Scoring: The report includes severity ratings based on the CVSS framework, allowing developers to focus on the most critical issues first.
3. Informative Report Format
   • Tabular Presentation: Information is organized into an easy-to-read table with columns like vulnerability type, code location, severity, and recommendations.
   • Code Location Navigation: Vulnerabilities include details such as file names and line numbers, enabling developers to directly access the problematic code.
4. Integration with Modern Detection Frameworks
   • OSV.dev Integration: The report detects dependency vulnerabilities by referencing the OSV.dev database, simplifying the process of updating vulnerable libraries.
5. Practical Remediation Suggestions
   • The report not only highlights vulnerabilities but also provides actionable recommendations, speeding up mitigation without requiring deep expertise on specific issues.
6. Visualization and Exportable Formats
   • Summary Visuals: The report may include charts (e.g., pie or bar charts) to provide an overview of the project’s security status.
7. Realistic Disclaimer
   • The report includes a reminder that the scan may not detect every possible vulnerability, encouraging developers to take additional security measures. This demonstrates transparency and responsibility in tool usage.

This report strikes a balance between in-depth analysis and user-friendliness, making it an ideal tool for developers and security teams.

4.2. Console Report

While the console report is a report that appears on the terminal or console when you choose LOG as the output format in the usual way: If you are using the Delvelin library

Delvelin()
    .setOutputFormat(OutputFileFormat.LOG)
    // .setAllowedExtensions(".java") // by default we allow .java, .kt, .gradle, .kts and .xml.
    .scan()

or if you are using the Delvelin Gradle Plugin

delvelin {
    outputFileFormat = 'LOG'
}

This is what the console report looks like:

Or are you interested in watching this video.

The console log report generated by Delvelin offers several key advantages:

1. IDE Integration with IntelliJ:
   • The report provides clickable links that directly navigate to the exact location of the vulnerability in the source code within IntelliJ IDEA. This feature significantly streamlines the debugging and remediation process for developers.
2. Detailed Context:
   • Each issue is categorized with a CWE (Common Weakness Enumeration) code, making it easier to understand the type of vulnerability and its implications.
   • The specific file path and line number are displayed, ensuring pinpoint accuracy in identifying where the issue lies.
3. Actionable Warnings:
   • The report includes concise messages that describe the vulnerability and its potential impact, such as hardcoded secrets or non-adherence to coding standards.
   • Suggestions like using coroutines instead of threads in Kotlin are included, offering practical advice to address the issue.
4. Comprehensive Information:
   • Vulnerabilities tied to dependencies, such as Apache Log4j or Google Guava, include details about the affected versions and links to relevant CVEs (Common Vulnerabilities and Exposures) for further investigation.
5. Multiple Formats for Issues:
   • The tool identifies vulnerabilities not only in source code but also in XML configuration files, showcasing its versatility.
6. Real-Time Feedback:
   • Developers can immediately review and act upon the findings without needing to export or analyze external reports.
7. Standardized Reporting:
   • By aligning with CWE codes, Delvelin ensures that its findings are standardized and align with global security practices, making it easier for teams to prioritize and address issues.

This format enhances productivity, clarity, and compliance with secure coding standards, making Delvelin an invaluable tool for developers focused on improving their code’s quality and security.