Documentation ¶
Overview ¶
Package analyzers implements individual security scanners for Go and a generic analyzer based on recursive taint propagation
Index ¶
- Constants
- Variables
- func EvalConst(expr ssa.Value, cg util.CallGraph) (*ssa.Const, bool)
- func FilterResults(unfilteredResults []util.Finding, parent_dir string) ([]util.Finding, error)
- func LoadGenericAnalyzers() []*analysis.Analyzer
- func OutputResults(results []util.Finding, success bool) error
- func Scan(args []string) ([]util.Finding, error)
Constants ¶
const RECOMMENDED_KEYLEN = 2048
Variables ¶
var Analyzers = []*analysis.Analyzer{ RsaKeylenAnalyzer, PathTraversalAnalyzer, SQLInjectionAnalyzer, CommandInjectionAnalyzer, SSRFAnalyzer, }
var CommandInjectionAnalyzer = &analysis.Analyzer{ Name: "command_injection", Doc: "reports when command injection can occur", Run: cmdInjectionRun, Requires: []*analysis.Analyzer{buildssa.Analyzer}, }
CommandInjectionAnalyzer constructs Sinks from a set of functions known to be vulnerable to command injection, converts all variables to SSA form to construct a call graph and performs recursive taint analysis to search for input sources of user-controllable data
var PathTraversalAnalyzer = &analysis.Analyzer{ Name: "path_traversal", Doc: "reports when path traversal can occur", Run: traversalRun, Requires: []*analysis.Analyzer{buildssa.Analyzer}, }
PathTraversalAnalyzer constructs Sinks from a set of functions known to be vulnerable to path injection all variables are converted to SSA form and a call graph is constructed recursive taint analysis is then used to search from a given Sink up the callgraph for Sources of user-controllable data
var RsaKeylenAnalyzer = &analysis.Analyzer{ Name: "rsa_keylen", Doc: "reports when rsa keys are too short", Run: rsaRun, Requires: []*analysis.Analyzer{buildssa.Analyzer}, }
RSAKeyLenAnalyzer is used to resolve constant values used for RSA key generation in order to more accurately detect use of an insecure RSA key length constructed all variables are converted to SSA form and a call graph is constructed recursive analysis is then used to resolve variables used as a key length to a final constant value at the callsite
var SQLInjectionAnalyzer = &analysis.Analyzer{ Name: "sql_injection", Doc: "reports when SQL injection can occur", Run: sqlRun, Requires: []*analysis.Analyzer{buildssa.Analyzer}, }
SQLInjectionAnalyzer constructs Sinks from a set of functions known to be vulnerable to SQL injection all variables are converted to SSA form and a call graph is constructed recursive taint analysis is then used to search from a given Sink up the callgraph for Sources of user-controllable data
var SSRFAnalyzer = &analysis.Analyzer{ Name: "SSRF", Doc: "reports when SSRF vulnerabilities can occur", Run: ssrfRun, Requires: []*analysis.Analyzer{buildssa.Analyzer}, }
SSRF Analyzer constructs Sinks from a set of functions known to be vulnerable to Server Side Request Forgery, converts all variables to SSA form to construct a call graph and performs recursive taint analysis to search for input sources of user-controllable data
Functions ¶
func EvalConst ¶
EvalConst attempts to take a value, and simplify it down to a single constant it returns a tuple of (the constant, whether or not it successfully simplified)
func FilterResults ¶
func LoadGenericAnalyzers ¶
LoadGenericAnalyzers creates generic taint analyzers from custom Sources and Sinks defined in analyzers.yaml converts all variables to SSA form to construct a call graph and performs recursive taint analysis to search for input sources of user-controllable data
Types ¶
This section is empty.