analyzers

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 9, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package analyzers implements individual security scanners for Go and a generic analyzer based on recursive taint propagation

Index

Constants

View Source
const RECOMMENDED_KEYLEN = 2048

Variables

View Source
var CommandInjectionAnalyzer = &analysis.Analyzer{
	Name:     "command_injection",
	Doc:      "reports when command injection can occur",
	Run:      cmdInjectionRun,
	Requires: []*analysis.Analyzer{buildssa.Analyzer},
}

CommandInjectionAnalyzer constructs Sinks from a set of functions known to be vulnerable to command injection, converts all variables to SSA form to construct a call graph and performs recursive taint analysis to search for input sources of user-controllable data

View Source
var PathTraversalAnalyzer = &analysis.Analyzer{
	Name:     "path_traversal",
	Doc:      "reports when path traversal can occur",
	Run:      traversalRun,
	Requires: []*analysis.Analyzer{buildssa.Analyzer},
}

PathTraversalAnalyzer constructs Sinks from a set of functions known to be vulnerable to path injection all variables are converted to SSA form and a call graph is constructed recursive taint analysis is then used to search from a given Sink up the callgraph for Sources of user-controllable data

View Source
var RsaKeylenAnalyzer = &analysis.Analyzer{
	Name:     "rsa_keylen",
	Doc:      "reports when rsa keys are too short",
	Run:      rsaRun,
	Requires: []*analysis.Analyzer{buildssa.Analyzer},
}

RSAKeyLenAnalyzer is used to resolve constant values used for RSA key generation in order to more accurately detect use of an insecure RSA key length constructed all variables are converted to SSA form and a call graph is constructed recursive analysis is then used to resolve variables used as a key length to a final constant value at the callsite

View Source
var SQLInjectionAnalyzer = &analysis.Analyzer{
	Name:     "sql_injection",
	Doc:      "reports when SQL injection can occur",
	Run:      sqlRun,
	Requires: []*analysis.Analyzer{buildssa.Analyzer},
}

SQLInjectionAnalyzer constructs Sinks from a set of functions known to be vulnerable to SQL injection all variables are converted to SSA form and a call graph is constructed recursive taint analysis is then used to search from a given Sink up the callgraph for Sources of user-controllable data

View Source
var SSRFAnalyzer = &analysis.Analyzer{
	Name:     "SSRF",
	Doc:      "reports when SSRF vulnerabilities can occur",
	Run:      ssrfRun,
	Requires: []*analysis.Analyzer{buildssa.Analyzer},
}

SSRF Analyzer constructs Sinks from a set of functions known to be vulnerable to Server Side Request Forgery, converts all variables to SSA form to construct a call graph and performs recursive taint analysis to search for input sources of user-controllable data

Functions

func EvalConst

func EvalConst(expr ssa.Value, cg util.CallGraph) (*ssa.Const, bool)

EvalConst attempts to take a value, and simplify it down to a single constant it returns a tuple of (the constant, whether or not it successfully simplified)

func FilterResults

func FilterResults(unfilteredResults []util.Finding, parent_dir string) ([]util.Finding, error)

func LoadGenericAnalyzers

func LoadGenericAnalyzers() []*analysis.Analyzer

LoadGenericAnalyzers creates generic taint analyzers from custom Sources and Sinks defined in analyzers.yaml converts all variables to SSA form to construct a call graph and performs recursive taint analysis to search for input sources of user-controllable data

func OutputResults

func OutputResults(results []util.Finding, success bool) error

func Scan

func Scan(args []string) ([]util.Finding, error)

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL