Share
## https://sploitus.com/exploit?id=725BD184-BC44-56DB-922B-DED296747B36
# Exploit Chain Generator

> **Turn Noise into Signal: Correlate SCA & SAST Findings to Uncover Real Attack Paths.**

The **Exploit Chain Generator** is an advanced security prototype that bridges the gap between **Software Composition Analysis (SCA)** and **Static Application Security Testing (SAST)**. 

By analyzing dependency vulnerabilities (from **Grype**) and code-level weaknesses (from **Semgrep**), it constructs "Exploit Chains"β€”validated attack paths that show not just *what* is vulnerable, but *how* it might be exploited in your specific codebase.

---

## πŸš€ Key Features

*   **πŸ”— Intelligent Correlation**: Uses heuristic analysis to link vulnerable libraries (e.g., Log4j) with specific code usages (e.g., `logger.info()`), distinguishing actual threats from dormant dependencies.
*   **πŸ“Š Risk Scoring Engine**: Prioritizes findings using a composite score of CVSS, EPSS (Exploit Prediction Scoring System), CISA KEV status, and code context.
*   **πŸ§ͺ Automated PoC Generation**: Automatically generates Python Proof-of-Concept scripts for high-confidence chains to help red teams and developers validate risks.
*   **πŸ–₯️ Modern Web Interface**: A clean React-based UI to upload reports, visualize attack chains, and inspect generated PoC code.
*   **βœ… Zero-False-Positive Handling**: Gracefully handles clean reports ("No vulnerabilities found") with clear user feedback.
*   **🐳 Dockerized Deployment**: Full container support for instant setup.

---

## πŸ› οΈ How It Works

The system operates on a 4-stage pipeline:

1.  **Ingestion**: Parses `.xlsx` reports from **Grype** (dependencies) and **Semgrep** (code). It handles missing columns and empty states gracefully.
2.  **Scoring**:
    *   **Dependencies**: Scored based on CVSS + EPSS boost + CISA KEV (Known Exploited Vulnerabilities) override.
    *   **Code**: Scored based on Severity and Critical CWE presence (e.g., Deserialization, SQLi).
3.  **Chain Building**: A graph-based engine (`networkx`) links nodes if:
    *   **Direct Match**: The package name appears in the code warning.
    *   **Context Match**: Heuristics match vulnerability types (e.g., "Deserialization") with relevant library usage (e.g., "Jackson", "SnakeYAML").
4.  **Reporting**: Generates a JSON summary for the UI and downloadable Python PoC scripts for validation.

---

## ⚑ Quick Start (Docker)

The easiest way to run the application is using Docker Compose.

### Prerequisites
*   Docker & Docker Compose installed.

### Steps
1.  **Clone the repository**:
    ```bash
    git clone 
    cd exploit-chain-generator
    ```

2.  **Start the services**:
    ```bash
    docker-compose up --build -d
    ```

3.  **Access the Application**:
    *   **Frontend (UI)**: [http://localhost](http://localhost) (or port 80)
    *   **Backend (API)**: [http://localhost:5001](http://localhost:5001)

---

## πŸ”§ Manual Setup (Development)

If you prefer to run the services locally without Docker:

### 1. Backend (Python/Flask)
```bash
# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Run the server
python server.py
```
*Server runs on port 5001.*

### 2. Frontend (React/Vite)
```bash
cd frontend

# Install dependencies
npm install

# Run the dev server
npm run dev
```
*Frontend runs on http://localhost:5173 (proxies API requests to 5001).*

---

## πŸ“– Usage Guide

1.  **Prepare Reports**:
    *   Run **Grype** on your project and export as Excel (or use the sample generator).
    *   Run **Semgrep** on your source code and export as Excel.
2.  **Upload**:
    *   Go to the Web UI.
    *   Drag & drop your Grype `.xlsx` and Semgrep `.xlsx` files into the respective zones.
3.  **Analyze**:
    *   Click **"Generate Exploit Paths"**.
4.  **Review Results**:
    *   **Chains Found**: View the list of high-risk paths.
    *   **Details**: Click on a chain to see the specific file, line number, and reasoning.
    *   **PoC**: Click "View PoC" to copy the generated Python exploit script.
    *   **Clean Reports**: If no vulnerabilities are found, a green success banner will appear.

---

## πŸ“‚ Project Structure

```
exploit-chain-generator/
β”œβ”€β”€ docker-compose.yml       # Container orchestration
β”œβ”€β”€ main.py                  # CLI Entry point (Legacy/Script mode)
β”œβ”€β”€ server.py                # Flask API Backend
β”œβ”€β”€ requirements.txt         # Python dependencies
β”œβ”€β”€ src/                     # Core Logic
β”‚   β”œβ”€β”€ chain_builder.py     # Graph & linking logic
β”‚   β”œβ”€β”€ ingestor.py          # Excel parsing & normalization
β”‚   β”œβ”€β”€ scoring.py           # Risk calculation engine
β”‚   └── generate_sample_data.py # Test data generator
β”œβ”€β”€ frontend/                # React Application
β”‚   β”œβ”€β”€ src/                 # UI Components
β”‚   β”œβ”€β”€ Dockerfile.frontend  # Nginx container for UI
β”‚   └── vite.config.js       # Build config
└── output/                  # Generated artifacts (CLI mode)
```

---

## ⚠️ Input Data format

The ingestor expects standard Excel outputs, but attempts to normalize column names.
*   **Grype**: `Vulnerability ID`, `Package Name`, `Severity`, `CVSS Score`
*   **Semgrep**: `Check ID`, `File Path`, `Message`, `Start Line`

*Note: If you are testing, you can generate valid dummy data by running `python src/generate_sample_data.py`.*

---

## 🀝 Contributing

Contributions are welcome! Please fork the repository and submit a pull request for:
*   New heuristic rules in `src/chain_builder.py`.
*   Support for additional scanners (Trivy, Snyk, SonarQube).
*   UI enhancements.

---

## πŸ“„ License

This project is licensed under the MIT License.