CandyShop is a database of vulnerability scanning tool results. It is available to cybersecurity professionals only.
CandyShop is a DevSecOps project that gives cybersecurity professionals access to the results of the most popular vulnerability scanning tools, run against the same intentionally vulnerable applications, so that the tools' capabilities can be compared and understood.
Test Beds: OWASP JuiceShop, Broken Crystals, Altoro Mutual, Vulnerable Flask App
Scanning Tools: semgrep, CodeQL, nodejsscan, Nuclei, OWASP ZAP, Dependabot, Dependency Check, Trivy, Grype
Tool Name | Type | Duration (m:ss) | Critical | High | Medium | Low |
---|---|---|---|---|---|---|
nodejsscan | SAST | 1:50 | 0 | 2 | 0 | 0 |
semgrep | SAST | 2:24 | 0 | 2 | 42 | 0 |
CodeQL | SAST | 0:20 | 19 | 148 | 18 | 0 |
Nuclei | DAST | 1:09 | 0 | 0 | 0 | 1 |
OWASP ZAP | DAST | 6:59 | 0 | 0 | 32 | 32 |
Dependabot | SCA | 0:01 | 0 | 1 | 3 | 0 |
Dependency Check | SCA | 3:18 | 0 | 0 | 0 | 0 |
Trivy | Container Security | 1:24 | 8 | 15 | 16 | 11 |
Grype | Container Security | 1:50 | 25 | 57 | 77 | 2 |
Tool Name | Type | Duration (m:ss) | Critical | High | Medium | Low |
---|---|---|---|---|---|---|
semgrep | SAST | 0:28 | 0 | 0 | 239 | 0 |
CodeQL | SAST | 0:20 | 4 | 11 | 37 | 0 |
Nuclei | DAST | 1:09 | 0 | 0 | 1 | 0 |
OWASP ZAP | DAST | 6:59 | 0 | 1 | 112 | 136 |
Dependabot | SCA | 0:21 | 4 | 16 | 6 | 2 |
Dependency Check | SCA | 9:15 | 4 | 30 | 23 | 2 |
Trivy | Container Security | 3:06 | 45 | 458 | 443 | 1144 |
Grype | Container Security | 2:56 | 48 | 478 | 445 | 386 |
Tool Name | Type | Duration (m:ss) | Critical | High | Medium | Low |
---|---|---|---|---|---|---|
semgrep | SAST | 0:27 | 0 | 9 | 2 | 0 |
CodeQL | SAST | 0:20 | 0 | 5 | 10 | 0 |
Nuclei | DAST | 1:57 | 0 | 0 | 0 | 0 |
OWASP ZAP | DAST | 16:15 | 0 | 23 | 82 | 126 |
Dependabot | SCA | 0:20 | 0 | 0 | 0 | 0 |
Dependency Check | SCA | 3:30 | 0 | 0 | 11 | 2 |
Trivy | Container Security | 0:55 | 95 | 295 | 300 | 362 |
Grype | Container Security | 0:54 | 112 | 304 | 286 | 190 |
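The tables above are raw severity counts per tool, and each scanner uses its own severity vocabulary and output format, so producing such a table means normalising every report onto one scale first. The script below is an added example (not CandyShop's own code and not from any of the scanners): it reads constructed sample reports that mimic the JSON shapes of Trivy (schema v2), Grype, Semgrep and SARIF as I know them, maps each tool's labels onto the four buckets used in the tables, and recomputes the counts after a triage list of false-positive IDs is applied. The field names, the Semgrep ERROR/WARNING/INFO mapping, the treatment of Grype's Negligible as Low, and all vulnerability and rule IDs are assumptions or placeholders; check them against the versions you run.

```python
"""Normalise findings from several scanners into one severity table.

Added example, not code from CandyShop or from any of the tools. The sample
documents are constructed here and mimic the JSON shapes of Trivy (schema
v2), Grype, Semgrep and SARIF as I know them; check field names against the
versions you actually run. All vulnerability and rule IDs are placeholders.
"""
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low")

# --- constructed sample outputs (placeholder IDs, not real scan results) ---
TRIVY_DOC = {"SchemaVersion": 2, "Results": [{"Target": "app (node)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-1111", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-2222", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-4444", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-5555", "Severity": "UNKNOWN"},
]}]}
GRYPE_DOC = {"matches": [
    {"vulnerability": {"id": "CVE-0000-1111", "severity": "Critical"}},
    {"vulnerability": {"id": "CVE-0000-2222", "severity": "High"}},
    {"vulnerability": {"id": "CVE-0000-6666", "severity": "Negligible"}},
]}
SEMGREP_DOC = {"results": [
    {"check_id": "example.rule.sql-injection", "extra": {"severity": "WARNING"}},
    {"check_id": "example.rule.sql-injection", "extra": {"severity": "WARNING"}},
    {"check_id": "example.rule.eval-use", "extra": {"severity": "ERROR"}},
]}
SARIF_DOC = {"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "js/example-rule", "properties": {"security-severity": "8.8"}}]}},
    "results": [
        {"ruleId": "js/example-rule", "level": "error"},
        {"ruleId": "js/example-rule", "level": "error"},
        {"ruleId": "js/other-rule", "level": "warning"},
    ]}]}


def normalize_severity(raw):
    """Map a scanner's own label onto the four buckets used in the tables.
    Labels outside those buckets (Trivy UNKNOWN, Grype Unknown) are dropped;
    Grype's Negligible is folded into Low here (an assumption of this example)."""
    table = {"critical": "Critical", "high": "High", "medium": "Medium",
             "moderate": "Medium", "low": "Low", "negligible": "Low"}
    return table.get((raw or "").strip().lower())


def from_trivy(doc):
    """Yield (id, severity) for every vulnerability in a Trivy v2 JSON report."""
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield v["VulnerabilityID"], normalize_severity(v.get("Severity"))


def from_grype(doc):
    """Yield (id, severity) for every match in a Grype JSON report."""
    for m in doc.get("matches", []):
        yield m["vulnerability"]["id"], normalize_severity(m["vulnerability"].get("severity"))


SEMGREP_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low"}  # assumed mapping


def from_semgrep(doc):
    """Yield (rule id, severity) for every Semgrep result; same rule may repeat per location."""
    for r in doc.get("results", []):
        yield r["check_id"], SEMGREP_MAP.get(r["extra"]["severity"])


def cvss_bucket(score):
    """Thresholds GitHub code scanning documents for the SARIF security-severity property."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


SARIF_LEVEL_MAP = {"error": "High", "warning": "Medium", "note": "Low"}  # fallback without a score


def from_sarif(doc):
    """Yield (rule id, severity); prefer the rule's security-severity score over the result level."""
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            score = props.get("security-severity")
            sev = cvss_bucket(float(score)) if score is not None else SARIF_LEVEL_MAP.get(res.get("level"))
            yield res.get("ruleId"), sev


def count_findings(tool_docs, suppressed=frozenset()):
    """tool_docs: {tool: (parser, report)}. suppressed: IDs already triaged as false positives."""
    counts = {}
    for tool, (parser, doc) in tool_docs.items():
        c = Counter(sev for fid, sev in parser(doc) if sev is not None and fid not in suppressed)
        counts[tool] = {s: c[s] for s in SEVERITIES}
    return counts


def render_table(counts):
    """Render the counts in the same pipe-table layout as the CandyShop tables."""
    rows = ["Tool Name | " + " | ".join(SEVERITIES) + " |", "---|" * (len(SEVERITIES) + 1)]
    rows += [f"{tool} | " + " | ".join(str(row[s]) for s in SEVERITIES) + " |" for tool, row in counts.items()]
    return "\n".join(rows)


TOOL_DOCS = {"Trivy": (from_trivy, TRIVY_DOC), "Grype": (from_grype, GRYPE_DOC),
             "semgrep": (from_semgrep, SEMGREP_DOC), "CodeQL": (from_sarif, SARIF_DOC)}
RAW = count_findings(TOOL_DOCS)                                     # like the tables: before triage
TRIAGED = count_findings(TOOL_DOCS, suppressed={"CVE-0000-1111"})   # one CVE triaged as not applicable

if __name__ == "__main__":
    print("Before triage\n" + render_table(RAW) + "\n\nAfter triage\n" + render_table(TRIAGED))
```

Two things the script makes visible that the raw tables do not: a label that one tool emits and another does not (Trivy's UNKNOWN, Grype's Negligible) has to be either dropped or folded into a bucket, and that choice alone moves the totals for the same image; and a triage decision keyed on the vulnerability ID applies across every tool that reports that ID, which is how a "before triage" table turns into an "after triage" one.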
OWASP Juice Shop is one of the most popular OWASP projects. It was created in 2014 by Björn Kimminich and is written in Node.js, Express and Angular.
Known Vulnerabilities:
Broken Crystals is one of the newest intentionally vulnerable web applications, developed and maintained by Bright Security.
Known Vulnerabilities:
Altoro Mutual is a vulnerable J2EE banking application developed in 2008 and still maintained by HCL Technologies.
Vulnerable Flask App is a vulnerable Flask web application developed by Anil Yelkin.
Semgrep is a fast, open-source, static analysis tool for modern languages.
Gosec is a SAST tool for applications developed in Go.
Brakeman is a free vulnerability scanner (SAST) for your Ruby on Rails applications.
Bandit is a free vulnerability scanner (SAST) for your Python applications.
Find Security Bugs is the SpotBugs plugin for security audits of Java web applications.
Security Code Scan analyzes .NET and .NET Core projects in the background (IntelliSense) or during a build.
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos.
ESLint is a static code analysis tool for identifying problematic patterns found in JavaScript code.
NodeJsScan is a static security code scanner for Node.js applications.
Psalm, a free and open-source tool created by Vimeo, finds security vulnerabilities in your PHP codebase.
CodeQL is the code analysis engine developed by GitHub to automate security checks.
OWASP ZAP is the world's most widely used dynamic web app scanner. Free and open source.
Nuclei is one of the best free, open-source DAST (Dynamic Application Security Testing) tools.
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index.
Dependabot provides automated dependency updates built into GitHub.
Trivy is a scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets.
Grype is a vulnerability scanner for container images and filesystems.
appsecsanta.com is part of CNT Friends Oy registered in Finland. Company No: 2993839-3 | © 2019-2022. All rights reserved.
6 Responses
You wrote:
> “Nuclei is one of the best and free open-source DAST (Dynamic Application Security Testing) tool.”
… while Nuclei consistently had little to no findings in any of your tests. Does that suggest that Nuclei actually isn't that good? Or that ZAP is registering an incredible number of false positives?
Tess, I would rather say both of them are really good in their own use cases.
OWASP ZAP has been on the market since 2015 and has a lot of features that offer a better user experience for authentication or session handling. It is designed for more general use cases. However, the team behind Nuclei comes from a bounty hunter background (at the very top level), and it is there to be sharp and accurate.
So OWASP ZAP may check more issues from a coverage point of view (informational or best practices) and have a better user experience for beginners. And it may generate more false positives.
In Nuclei, you choose which checks happen or create your own template to automate them, and when it finds an issue it means you caught a fish.
About the comment/question on Nuclei: actually, I don't see or consider Nuclei as a DAST scanner; rather, it's more of a vulnerability scanner for known vulnerabilities and misconfigurations, and we can see the same in the result section.
Nuclei doesn't find anything in OWASP JuiceShop as it doesn't have any template for it; on the other side, someone can write templates to detect all the known vulnerabilities in it.
Whereas in DAST the aim is to find unknown vulnerabilities, and ZAP or Burp Active Scan will be the right choice of project to use.
Thanks, Sandeep, for a great explanation. I wanted to include Nuclei in the CandyShop project as it is one of my favorite appsec tools, and DAST is the most relevant one of my categories 🙂
Are the figures in the stats before or after false-positive triage?
These figures are before false-positive triage.