SUPER 0.2.0 released!
As promised, here we have SUPER 0.2.0 after 6 weeks since the 0.1.0 release. SUPER 0.2.0 is our second release, and it makes a big step forward in analysis report customization. The main characteristic of this release is the new templating system, that will enable users total customization of reports. We will in fact create a better template for future releases. The templating system will be explained in the templates section of this release announcement. As an extra, we made a MacOS X package so that you can easily install SUPER on Macs.
But first, lets talk about the new CLI:
USAGE: super [FLAGS] [OPTIONS] <package> FLAGS: --bench Show benchmarks for the analysis --force If you'd like to force the auditor to do everything from the beginning -h, --help Prints help information --open Open the report in a browser once it is complete -q, --quiet If you'd like a zen auditor that won't output anything in stdout -a, --test-all Test all .apk files in the downloads directory -V, --version Prints version information -v, --verbose If you'd like the auditor to talk more than necessary OPTIONS: --apktool <apktool> Path to the apktool file --dex2jar <dex2jar> Where to store the jar files --dist <dist> Folder where distribution files will be extracted --downloads <downloads> Folder where the downloads are stored --jd-cmd <jd-cmd> Path to the jd-cmd file --results <results> Folder where to store the results --rules <rules> Path to a JSON rules file --template <template> Path to a results template file -t, --threads <threads> Number of threads to use ARGS: <package> The package string of the application to test
As you can see, the CLI has been completely redesigned to enable further customization of the
analysis. Users can now specify most of the configuration options that would be in the
config.toml file as command arguments. This can be great for software that could require specific
automation of analysis for each batch or application, we need to remember that this software is
intended to be used for massive analysis.
We have also added a
--test-all flag that does not require a
<package> to be specified, since
it will search for all applications in the downloads folder and analyze all of them. This was a
port of a small shell script we had that we were using many times, and now it’s done in the core of
SUPER, which makes it multi-platform and really fast. About that downloads folder, it’s no longer
required to have an actual downloads named folder, and .apk files can be in any place (by
default, the current directory). We now also support relative paths to .apk files too.
Another useful option we have added is the
--open option. This option will open the HTML report
in your usual browser once it’s finished. It could be a pain in the ass to search for it in the
In the report generation we have added vulnerable line highlighting, which makes it easier to spot
issues, and we also improved some
exported attributes searching, which, BTW,
still requires improvements.
We have of course made a ton of under-the-hood improvements with a total of 106 commits from 7 contributors. We want to specially thank all the help we have received from the community, with contributions from @pocket7878, @VoltBit, @b52, @nxnfufunezn and @atk. This version has seen 95 changed files with 3,506 lines added and 1,800 lines deleted. It has been a real challenge that raises the total LOC of the project to 12,070.
Complete changelog can be read here.
The big rework for this release has been the new templating system. Now templates are stored in
their own folder in the templates folder (that will be in a different place depending on the OS
and can be configured via
config.toml). For example, the default template, super is stored in
templates/super. Templates are written in Handlebars, and we offer some helpers
that we’ll explain next. A template must have at least
files. Other .hbs files in the template root directory can be used with template inclusion, the
same way super template does with its vulnerability template. To include it, we use
We have added some cool helpers to make the HTML code generation easier:
line_numbers: Given a vulnerability renders a list of the relevant lines in the vulnerability. Callers can add a second parameter, a line separator, that will separate lines. By default it’s
all_lines: It does the same as above but creates a list for all the lines in the given code snippet, starting from 1. Useful for code representation. As before, it has a line separator that defaults to
all_code: Renders the given code with an specific format for each line, and accepts an optional line separator that defaults to
<code id="code-line-"><span class="line_body"></span></code>
html_code: Renders the code for the given vulnerability. It also accepts a line separator as an optional second argument (again, it defaults to
<br>). Each line is rendered as-is if it’s not vulnerable, or with this format if it is:
<code class="vulnerable_line "><span class="line_body"></span></code>
Where the criticity is one of critical, high, medium, low or warning.
report_index: Generates the index number for the given vulnerability. It requires a second argument that would be the index of the vulnerability (can be obtained with the
@indexvariable in an
eachblock), and the length of the list of this vulnerability criticality. For example, for the third critical vulnerability in a report that contains 240 critical vulnerabilities it will render C003. The list length can be obtained with variables that we will explain next.
generate_menu: Generates the menu from the given menu object. It will generate an structure like this:
<ul> <li> <a href="#" title=""><img src="../img/folder-icon.png"></a> <ul> </ul> <a href="" title=""><img src="../img/-icon.png"></a> <li> </ul>
There are also some variables available for each template. For the main
report.hbs template, we
have added the following variables:
super_version: Version of the SUPER application (in this case 0.2.0).
now: Object representation of the report generation time. (Chech
now_rfc2822: RFC 2822 date and time representation, something like
Tue, 1 Jul 2003 10:52:37 +0200.
now_rfc3339: RFC 3339 date and time representation, something like
app_package: The package name of the application (such as
app_version: The application version as string (could be anything the application shows to the user).
app_version_number: The application version number. (More info).
app_fingerprint: The fingerprint of the application. It has three fields,
md5, with the Md5 hash of the .apk file,
sha1with the SHA-1 hash and
sha256with the SHA-256 hash.
certificate: Information about the certificate of the application, currently empty.
app_min_sdk: Minimum SDK number of the application.
app_target_sdk: Target SDK number of the application.
total_vulnerabilities: The total number of potential vulnerabilities.
criticals: The list of critical vulnerabilities.
criticals_len: The number of critical vulnerabilities.
highs: The list of high criticality vulnerabilities.
highs_len: The number of high criticality vulnerabilities.
mediums: The list of medium criticality vulnerabilities.
mediums_len: The number of medium criticality vulnerabilities.
lows: The list of low criticality vulnerabilities.
lows_len: The number of low criticality vulnerabilities.
warnings: The list of warnings.
warnings_len: The number of warnings.
menu: The menu object to use to generate the source tree menu.
path: The path of the code file.
code: The actual code of the file.
back_path: A series of
../that reference the root of the report (where the
index.htmlfile will be).
You can download the package for your distribution at the downloads page.