├── README.md
├── config
│   ├── ca
│   │   ├── server.crt
│   │   └── server.key
│   └── config.json
└── tools
    ├── doFernflower.sh
    └── fernflower.jar

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![Tweet](https://img.shields.io/twitter/url/http/Hktalent3135773.svg?style=social)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![Follow on Twitter](https://img.shields.io/twitter/follow/Hktalent3135773.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=Hktalent3135773) [![GitHub Followers](https://img.shields.io/github/followers/hktalent.svg?style=social&label=Follow)](https://github.com/hktalent/)
# Ai(ChatGPT-4) Code Security Audit

The source code will be released shortly at: https://github.com/hktalent/AiCSA

# feature
- For the same jar and the same java file, chatGPT (GPT-4) is run only once; the result is kept in the index store, so repeated runs are not a concern
- Free chatGPT accounts are rate-limited to 20 requests/minute; paying users can adjust the rate by editing config/config.json
- Files larger than 3500 bytes are split automatically before being sent to chatGPT, so that an overly long file does not exceed what chatGPT can process
- Supports several openai api keys to increase concurrency
- Results are stored in a big-data index
- Provides an HTTP/2.0 and HTTP/3.0 web UI

# web UI

```
mkdir -p src config
vi config/config.json
./AiCSA

open https://127.0.0.1:8080/indexes/
```

# How to test
- Before running, adjust ./tools/doFernflower.sh and make sure java is version 11 or higher
- Locate rt.jar and update the rt.jar path in ./tools/doFernflower.sh

```
find /Library/Java/JavaVirtualMachines -name "rt.jar"
```

Output:
```
/Library/Java/JavaVirtualMachines/jdk1.8.0_181.jdk/Contents/Home/jre/lib/rt.jar
/Library/Java/JavaVirtualMachines/jdk1.8.0_72.jdk/Contents/Home/jre/lib/rt.jar
```

## config/config.json example
LimitPerMinute: the recommended value is (number of api keys) * 3
```
{
  "proxy": "socks5://127.0.0.1:7890",
  "LimitPerMinute": 6,
  "HttpPort": 8080,
  "org": "org-xx",
  "api_key": "sk-xxx,sk-xxx2",
  "Prefix": "用中文问答,分析%s java代码存在哪些安全风险,如何验证、确认他们",
  "CheckRpt": true
}
```

# How to build
```
go get -u ./...
go mod vendor
go build -o AiCSA main.go
```

## Decompile jar to java
- The sources are saved automatically in the src directory
- Each jar gets its own source directory named after the jar's hash, so the sources of different jars do not conflict

```
find $HOME/MyWork/vulScanPro/tools/weblogic/weblogic12.2.1.3 -type f -name "*.jar" | xargs -I {} ./tools/doFernflower.sh {}
ls $HOME/MyWork/vulScanPro/tools/weblogic/weblogic12.2.1.3/coherence/lib/*.jar|xargs -I {} ./tools/doFernflower.sh {}
./tools/doFernflower.sh $HOME/MyWork/vulScanPro/tools/weblogic/weblogic12.2.1.3/coherence/lib/coherence.jar
```

# Tips
- Mac OS: convert the images in all subdirectories into an mp4
```
brew install ffmpeg
brew update && brew upgrade ffmpeg

find $HOME/Downloads/outImg -name '*.png' | sort | sed 's/.*/"&"/' | tr '\n' ' ' | xargs ffmpeg -r 30 -i - -c:v libx264 -pix_fmt yuv420p output.mp4
```

## 💖Star
[![Stargazers over time](https://starchart.cc/hktalent/AiCSA_pub.svg)](https://starchart.cc/hktalent/AiCSA_pub)

# Donation
| Wechat Pay | AliPay | Paypal | BTC Pay | BCH Pay |
| --- | --- | --- | --- | --- |
| | | [paypal](https://www.paypal.me/pwned2019) **miracletalent@gmail.com** | | |

--------------------------------------------------------------------------------
/config/ca/server.crt:
--------------------------------------------------------------------------------
(PEM certificate body omitted)

--------------------------------------------------------------------------------
/config/ca/server.key:
--------------------------------------------------------------------------------
(PEM private key body omitted)

--------------------------------------------------------------------------------
/config/config.json:
--------------------------------------------------------------------------------
{
  "proxy": "socks5://127.0.0.1:7890",
  "LimitPerMinute": 20,
  "thread": 64,
  "HttpPort": 8080,
  "org": "org-xxx",
  "api_key": "sk-xx",
  "Prefix": "用中文问答,分析java代码存在哪些安全风险、易受到攻击的脆弱代码,如何验证、确认他们",
  "CheckRpt": true
}

--------------------------------------------------------------------------------
/tools/doFernflower.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

Java11="/usr/local/Cellar/openjdk@11/11.0.16.1/libexec/openjdk.jdk/Contents/Home/bin/java"
RtJar="/Library/Java/JavaVirtualMachines/openjdk-8.jdk/Contents/Home/jre/lib/rt.jar"

# File name of the jar being processed
szCurFile=$(basename "$1")
# Directory this script lives in
szCurDir=$(dirname "$(readlink -f "$0")")
# One src directory per jar, named after the jar's hash, so different jars do not collide
srcDir=$(md5sum "$1" | sed 's/ .*//g')
srcDir1="${szCurDir}/../src/${srcDir}"
if [ -d "${srcDir1}" ]; then
    echo "${srcDir1} already exists! Exiting script..."
    exit 1
fi

mkdir -p "${srcDir1}"
# Decompile with Fernflower; -e adds rt.jar as a library so JDK types resolve
"${Java11}" -jar "${szCurDir}/fernflower.jar" -din=1 -hdc=0 -dgs=1 -rsy=1 -lit=1 "$1" -e="${RtJar}" "${srcDir1}"

# Fernflower writes a jar of sources; unpack it in place and drop the archive
cd "${srcDir1}" || exit 1
unzip -o "${szCurFile}"
rm -rf "${szCurFile}"

--------------------------------------------------------------------------------
/tools/fernflower.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hktalent/AiCSA_pub/9c5c5d32b2b7bbe59119dd6de8ba67339c9e89d1/tools/fernflower.jar
--------------------------------------------------------------------------------
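The README above states two rules the tool applies before calling chatGPT: LimitPerMinute should be about 3 per api key, and sources over 3500 bytes are split. The Go below is an added example (not code from the AiCSA project) that reads the config/config.json keys shown on this page, splits the comma-separated api_key list, checks the limit, and chunks a Java source on line boundaries; SampleConfig is constructed from the README's example and its org/key values are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config holds the config/config.json keys used below; json.Unmarshal ignores the others.
type Config struct {
	LimitPerMinute int    `json:"LimitPerMinute"`
	ApiKey         string `json:"api_key"` // comma-separated list of keys
}
// MaxChunk is the README's threshold: sources over 3500 bytes are split before sending.
const MaxChunk = 3500
// SampleConfig is constructed from the README's example (placeholder org and keys).
const SampleConfig = `{"proxy":"socks5://127.0.0.1:7890","LimitPerMinute":6,"HttpPort":8080,"org":"org-xx","api_key":"sk-xxx,sk-xxx2","Prefix":"%s","CheckRpt":true}`
// ParseConfig decodes the JSON, splits api_key into keys and rejects a LimitPerMinute above the README's rule of thumb (3 per key).
func ParseConfig(raw []byte) (Config, []string, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, nil, err
	}
	var keys []string
	for _, k := range strings.Split(c.ApiKey, ",") {
		if k = strings.TrimSpace(k); k != "" {
			keys = append(keys, k)
		}
	}
	if len(keys) == 0 || c.LimitPerMinute < 1 || c.LimitPerMinute > 3*len(keys) {
		return c, keys, fmt.Errorf("need >=1 key and 1..%d requests/min, got %d", 3*len(keys), c.LimitPerMinute)
	}
	return c, keys, nil
}
// SplitSource cuts a Java source into chunks of at most MaxChunk bytes on line boundaries; a single line longer than MaxChunk becomes its own chunk.
func SplitSource(src string) []string {
	var chunks []string
	var cur strings.Builder
	for _, line := range strings.SplitAfter(src, "\n") {
		if cur.Len() > 0 && cur.Len()+len(line) > MaxChunk {
			chunks = append(chunks, cur.String()) // flush before this line would overflow
			cur.Reset()
		}
		cur.WriteString(line)
	}
	if cur.Len() > 0 {
		chunks = append(chunks, cur.String())
	}
	return chunks
}
```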