# Scanning Code

Collected static analysis links: tools for scanning source code and its dependencies for known vulnerabilities and bug patterns, plus references for classifying and grepping for findings.
## grype

grype (Anchore) matches the packages it catalogs in a directory or container image against its vulnerability database. Pointed at a checkout with `dir:`, it picks up packages from the manifests and lockfiles it finds (an npm project here) and prints one row per known vulnerability, with the first version that carries the fix in FIXED-IN. The "4 fixed" line in the summary means every finding has an upstream fix available, so all four are resolved by bumping versions:

```text
>>> grype dir:/home/generalzero/docker/
 ✔ Vulnerability DB        [updated]
 ✔ Indexed /home/generalzero/docker
 ✔ Cataloged packages      [738 packages]
 ✔ Scanning image...       [4 vulnerabilities]
   ├── 1 critical, 2 high, 1 medium, 0 low, 0 negligible
   └── 4 fixed
NAME                  INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
got                   9.6.0      11.8.5    npm   GHSA-pfrx-2q88-qq97  Medium
http-cache-semantics  4.1.0      4.1.1     npm   GHSA-rc47-6667-2j5j  High
json5                 2.2.1      2.2.2     npm   GHSA-9c47-m6qq-7p4h  High
simple-git            3.15.1     3.16.0    npm   GHSA-9w5j-4mwv-2wj8  Critical
```
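In CI the table above is not what you want to consume; grype's `-o json` output is, together with a policy for when the build fails (grype has `--fail-on <severity>` and `--only-fixed` for the common cases). The script below, an added example rather than grype's own code, reimplements that gate over the JSON so the policy can also carry an allow-list of accepted risk. It assumes grype's JSON layout (a top-level `matches` list whose entries carry `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.{state,versions}` and `artifact.{name,version,type}`); `SAMPLE_REPORT` is constructed to mirror the four findings above, plus one made-up unfixed Low finding (`EXAMPLE-0001`, a placeholder ID) so the only-fixed filter has something to drop.

```python
"""Turn a grype JSON report into a CI gate.

Added example, not grype's code. Assumes the layout of `grype ... -o json`:
a top-level "matches" list with "vulnerability" {id, severity, fix {state,
versions}} and "artifact" {name, version, type}. SAMPLE_REPORT is constructed
sample data, not a captured report.
"""
import json
import sys

# grype's severity ladder, highest first; anything else sorts last.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]


def _match(name, version, vuln_id, severity, fixed_in=None, state="fixed"):
    """Build one grype-shaped match entry (constructed sample data)."""
    return {
        "vulnerability": {"id": vuln_id, "severity": severity,
                          "fix": {"versions": [fixed_in] if fixed_in else [], "state": state}},
        "artifact": {"name": name, "version": version, "type": "npm"},
    }


SAMPLE_REPORT = json.dumps({"matches": [
    _match("got", "9.6.0", "GHSA-pfrx-2q88-qq97", "Medium", "11.8.5"),
    _match("http-cache-semantics", "4.1.0", "GHSA-rc47-6667-2j5j", "High", "4.1.1"),
    _match("json5", "2.2.1", "GHSA-9c47-m6qq-7p4h", "High", "2.2.2"),
    _match("simple-git", "3.15.1", "GHSA-9w5j-4mwv-2wj8", "Critical", "3.16.0"),
    # Constructed extra with a placeholder ID: no upstream fix yet, so an
    # only-fixed policy hides it (grype reports such matches as "not-fixed").
    _match("example-pkg", "1.0.0", "EXAMPLE-0001", "Low", state="not-fixed"),
]})


def rank(severity):
    """Lower is worse; strings grype does not use sort after everything else."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def load_findings(report_json):
    """Flatten grype's nested match objects into dicts sorted worst-first."""
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        findings.append({
            "name": artifact["name"], "installed": artifact["version"],
            "type": artifact.get("type", ""), "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "fixed_in": ", ".join(fix.get("versions", [])),
            "fix_state": fix.get("state", "unknown"),
        })
    return sorted(findings, key=lambda f: (rank(f["severity"]), f["name"]))


def summarize(findings):
    """Counts per severity, in grype's order, for the one-line summary."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return {s: counts[s] for s in SEVERITY_ORDER if s in counts}


def gate(findings, fail_on="High", only_fixed=False, ignore_ids=()):
    """Return the findings that should fail the build.

    fail_on / only_fixed mirror grype's --fail-on and --only-fixed; ignore_ids
    is an allow-list of accepted vulnerability IDs (keep it in version control
    with a reason per entry, since each one is a risk decision).
    """
    worst_allowed = rank(fail_on)
    ignored = set(ignore_ids)
    return [f for f in findings
            if rank(f["severity"]) <= worst_allowed
            and f["id"] not in ignored
            and (not only_fixed or f["fix_state"] == "fixed")]


def format_table(findings):
    """Render grype-style columns; FIXED-IN is blank when no fix exists."""
    header = ("NAME", "INSTALLED", "FIXED-IN", "TYPE", "VULNERABILITY", "SEVERITY")
    cols = ("name", "installed", "fixed_in", "type", "id", "severity")
    rows = [header] + [tuple(f[c] for c in cols) for f in findings]
    widths = [max(len(r[i]) for r in rows) for i in range(len(cols))]
    return "\n".join("  ".join(cell.ljust(w) for cell, w in zip(row, widths)).rstrip()
                     for row in rows)


if __name__ == "__main__":
    # `grype dir:/path -o json | python gate.py -` reads a real report from stdin;
    # with no argument the constructed sample is used.
    report = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    findings = load_findings(report)
    print(format_table(findings))
    print(summarize(findings))
    failing = gate(findings, fail_on="High", only_fixed=True)
    sys.exit(1 if failing else 0)
```

The ordering matters more than it looks: the policy is evaluated in `gate` on the flattened list, so a new severity string from a future grype release ranks after "Unknown" and cannot silently pass a `fail_on` threshold, and the allow-list keys on vulnerability ID rather than package name, so a second advisory against an accepted package still fails the build.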
## Syntax Parsers

- Semgrep: lightweight static analysis for many languages. Find and block bug variants with patterns that look like source code.
- semantic (GitHub): parsing, analyzing, and comparing source code across many languages.
- SonarQube
## Source Code Checking

JavaScript:

- A static code analysis tool for JavaScript.

Java:

- Source code static analyzer designed to spot security issues in Java applications.
- graudit: a simple script and signature sets that let you find potential security flaws in source code using the GNU utility grep (listed under Java here, but it ships signature databases for several languages).

Ruby:

- Brakeman: a static analysis security vulnerability scanner for Ruby on Rails applications.

Smart Contracts:

- An open source smart contract platform.
- Slither: static analyzer for Solidity.
- Manticore: a symbolic execution tool for analysis of smart contracts and binaries.

PHP:

- PHPStan: PHP static analysis tool, discover bugs in your code without running it.
- Psalm: a static analysis tool designed to improve large PHP codebases by identifying both obvious and hard-to-spot bugs.
- Phan: a static analyzer for PHP. Phan prefers to avoid false positives and attempts to prove incorrectness rather than correctness.
## Dependency Checking

- Identify and track third-party components and their vulnerabilities.

DotNet:

- Scanning DotNet modules for known vulnerabilities.

JavaScript:

- Scanning JS modules for known vulnerabilities.
- Detect JS library versions.

Python:

- A collection of models, views, middlewares, and forms to help secure a Django project.
- Checks Python dependencies for vulnerabilities.
## Findings Classification

- Local copy of searchable CVEs.
- OWASP Application Security Verification Standard.
## Grepable

- Top 10 developer crypto mistakes: https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/
- How to find vulnerabilities in code, bad words: https://btlr.dev/posts/how-to-find-vulnerabilities-in-code-bad-words/
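Both the graudit entry above and the "bad words" approach in these links come down to the same thing: a per-language list of regexes for dangerous sinks and crypto smells, grepped over the tree, with a human triaging the hits. The script below is an added example, not graudit's code nor its signature database; the rule names, regexes, comment handling and the three sample files are all constructed here to show how such a scan works and where it is noisy. It goes slightly beyond plain grep in two ways a practitioner wants: it selects the signature set from the file extension, and it skips full-line comments so commented-out code does not show up as a finding.

```python
"""Minimal graudit-style 'bad words' scanner over a tree of source files.

Added example, not graudit's code or signatures. SIGNATURES and SAMPLE_FILES
are constructed for illustration; a real signature set is far larger and is
tuned per code base to keep the false-positive rate workable.
"""
import re
from dataclasses import dataclass

# Signature sets keyed by language; "any" applies to every file regardless of type.
SIGNATURES = {
    "python": [
        ("dangerous-eval", r"\b(eval|exec)\s*\("),
        ("shell-injection", r"\bos\.system\s*\(|subprocess\.\w+\(.*shell\s*=\s*True"),
        ("unsafe-deserialize", r"\b(pickle|marshal)\.loads?\s*\("),
        ("weak-hash", r"\bhashlib\.(md5|sha1)\s*\("),
        ("weak-random", r"\brandom\.(random|randint|choice)\s*\("),
    ],
    "c": [
        ("unbounded-copy", r"\b(strcpy|strcat|sprintf|gets)\s*\("),
        ("format-string", r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*\)"),
    ],
    "javascript": [
        ("dangerous-eval", r"\beval\s*\(|new\s+Function\s*\("),
        ("dom-xss", r"\.innerHTML\s*=|\bdocument\.write\s*\("),
    ],
    "any": [
        ("ecb-mode", r"MODE_ECB|\bECB\b"),
        ("hardcoded-secret", r"(?i)\b(password|passwd|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    ],
}
COMPILED = {lang: [(name, re.compile(p)) for name, p in rules] for lang, rules in SIGNATURES.items()}
EXTENSIONS = {".py": "python", ".c": "c", ".h": "c", ".js": "javascript", ".ts": "javascript"}
# Full-line comment markers; block comments and trailing comments are not handled.
COMMENT_PREFIXES = {"python": ("#",), "c": ("//", "/*", "*"), "javascript": ("//", "/*", "*")}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


def language_of(path):
    dot = path.rfind(".")
    return EXTENSIONS.get(path[dot:]) if dot >= 0 else None


def is_comment(line, lang):
    stripped = line.lstrip()
    return any(stripped.startswith(p) for p in COMMENT_PREFIXES.get(lang, ()))


def scan_source(path, text):
    """Return one Finding per (line, rule) hit; unknown file types get only 'any' rules."""
    lang = language_of(path)
    rules = list(COMPILED["any"]) + list(COMPILED.get(lang, []))
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_comment(line, lang):
            continue
        for name, pattern in rules:
            if pattern.search(line):
                findings.append(Finding(path, lineno, name, line.strip()))
    return findings


def scan_tree(files):
    """files maps path -> contents; in practice walk the checkout and read each file."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule))


# Constructed sample sources; each carries a few deliberate hits and one decoy.
SAMPLE_FILES = {
    "app/views.py": "\n".join([
        "import hashlib, pickle, subprocess",
        "from Crypto.Cipher import AES",
        "def load(blob):",
        "    return pickle.loads(blob)",                   # unsafe-deserialize
        "def digest(pw):",
        "    return hashlib.md5(pw).hexdigest()",          # weak-hash
        "# os.system(cmd)  # commented out: skipped",      # decoy, not reported
        "def run(cmd):",
        "    subprocess.run(cmd, shell=True)",             # shell-injection
        "cipher = AES.new(key, AES.MODE_ECB)",             # ecb-mode
    ]),
    "native/parse.c": "\n".join([
        "#include <string.h>",
        "void copy(char *dst, const char *src) {",
        "    strcpy(dst, src);",                           # unbounded-copy
        "}",
    ]),
    "web/ui.js": "\n".join([
        "function render(el, html) {",
        "  el.innerHTML = html;",                          # dom-xss
        "}",
        'const API_KEY = "sk_live_abc123";',               # hardcoded-secret
    ]),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

Every hit is a candidate, not a bug: `hashlib.md5` on a download checksum is fine, `strcpy` into a buffer sized from the same `strlen` is fine, and the scanner cannot tell. What it does well is cheap and language-agnostic coverage of a large unfamiliar tree, which is why it pairs naturally with the "top 10 crypto mistakes" list above as a source of extra bad words (ECB, unauthenticated encryption, fixed IVs, `Random` where `SecureRandom` belongs).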