htrgouvea/zarn

GitHub: htrgouvea/zarn

Zarn is a lightweight static code security analysis tool for modern Perl applications. It identifies potential security vulnerabilities automatically through AST parsing and taint tracking.

Stars: 59 | Forks: 11

ZARN

A lightweight static code security analysis for Modern Perl Applications


### Summary

By performing [static analysis](https://en.wikipedia.org/wiki/Static_program_analysis), Zarn is able to identify potential vulnerabilities: each file is parsed with [AST analysis](https://en.wikipedia.org/wiki/Abstract_syntax_tree) to identify risky tokens, and a [taint tracking](https://en.wikipedia.org/wiki/Taint_checking) pass is then run to confirm whether they are exploitable, i.e. whether a malicious attacker could actually attack the method in question.

At present Zarn only analyses each file in its own context, which means it cannot identify vulnerabilities that are not directly related to the file being analysed. In the future we plan to implement [call graph](https://en.wikipedia.org/wiki/Call_graph) analysis in order to identify vulnerabilities that are not directly related to the file being analysed.

You can read the full article about Zarn here: [A lightweight static security analysis tool for modern Perl applications.](https://heitorgouvea.me/2023/03/19/static-security-analysis-tool-perl)

### Download and install

```
# Download
$ git clone https://github.com/htrgouvea/zarn && cd zarn

# Install lib dependencies
$ sudo cpanm --installdeps .
```

### Usage example

```
$ perl zarn.pl --rules rules/quick-wins.yml --source ../nozaki --sarif report.sarif

[warn] - FILE:../nozaki/lib/Functions/Helper.pm Potential: Timing Attack.
[vuln] - FILE:../nozaki/lib/Engine/Orchestrator.pm Potential: Path Traversal.
[vuln] - FILE:../nozaki/lib/Engine/Orchestrator.pm Potential: Path Traversal.
[warn] - FILE:../nozaki/lib/Engine/FuzzerThread.pm Potential: Timing Attack.
```

### Rule examples

```
rules:
  - id: '0001'
    type: presence
    category: info
    name: Debug module enabled
    message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
    sample:
      - Dumper

  - id: '0002'
    type: presence
    category: vuln
    name: Code Injection
    message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
    sample:
      - system
      - eval
      - exec
      - qx

  - id: '0003'
    type: presence
    category: vuln
    name: Path Traversal
    message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
    sample:
      - open

  - id: '0004'
    type: presence
    category: vuln
    name: Weak Criptography Algorithm
    message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data.
    sample:
      - md5

  - id: '0005'
    type: presence
    category: vuln
    name: Weak Random Value Generator
    message: Weak random value generators can lead to predictable values, which can be exploited by attackers to bypass security controls.
    sample:
      - rand

  - id: '0006'
    type: absence
    category: warning
    name: Error Suppression
    message: Suppressing errors can make it difficult to identify and troubleshoot issues, potentially leading to security vulnerabilities.
    sample:
      - strict
      - warnings
```

### Github Actions

```
name: ZARN SAST

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "28 23 * * 1"

jobs:
  zarn:
    name: Security Static Analysis with ZARN
    runs-on: ubuntu-20.04

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Perform Static Analysis
        uses: htrgouvea/zarn@0.0.9

      - name: Send result to Github Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: result.sarif
```

### Contributing

Contributions and suggestions are warmly ♥ welcome. [See the contribution guidelines here.](/.github/CONTRIBUTING.md) Please report bugs through the [issues page](https://github.com/htrgouvea/zarn/issues); for security issues, see the [security policy](/SECURITY.md). (✿ ◕‿◕) This project follows this [style guide](https://github.com/htrgouvea/perl-style-guide).

### License

This project is licensed under the [MIT License](/LICENSE.md).
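To make the rule format and the taint step concrete, here is an added Python illustration (not Zarn's own Perl code, which works on a real AST rather than the line-level regex scan used here) of how `presence` and `absence` rules from the quick-wins file are evaluated, and how a risky token is only reported under the rule's category when its argument can be traced to attacker input within the same file. The rule dicts mirror the YAML above; `TAINT_SOURCES` and the sample Perl file are constructed assumptions.

```python
import re
# Rules in the same shape as Zarn's YAML rules: a constructed subset of the
# quick-wins rules above, written as Python dicts to avoid a YAML dependency.
RULES = [
    {"id": "0002", "type": "presence", "category": "vuln",
     "name": "Code Injection", "sample": ["system", "eval", "exec", "qx"]},
    {"id": "0003", "type": "presence", "category": "vuln",
     "name": "Path Traversal", "sample": ["open"]},
    {"id": "0006", "type": "absence", "category": "warning",
     "name": "Error Suppression", "sample": ["strict", "warnings"]},
]
# Assumed taint sources (attacker-controlled input in a typical Perl web app).
TAINT_SOURCES = re.compile(r"\$cgi->param\(|\$ARGV\b|@ARGV\b|\$ENV\{|<STDIN>")

# Constructed sample Perl file: one risky call fed by user input, one with a constant.
SAMPLE = """\
use strict;
my $cgi = CGI->new;
my $file = $cgi->param('file');
open(my $fh, '<', $file) or die $!;   # argument comes from the request
system('ls /tmp');                     # constant argument
"""

def tainted_variables(source):
    """Scalars assigned directly from a taint source (one hop, single-file view)."""
    names = set()
    for line in source.splitlines():
        m = re.match(r"\s*(?:my\s+)?\$(\w+)\s*=\s*(.*)", line)
        if m and TAINT_SOURCES.search(m.group(2)):
            names.add(m.group(1))
    return names

def analyse(source, rules=RULES):
    """Return (category, rule name, line number) findings; line 0 = file-level."""
    findings, tainted = [], tainted_variables(source)
    for rule in rules:
        if rule["type"] == "absence":  # flag tokens the file should have but lacks
            for tok in rule["sample"]:
                if not re.search(rf"^\s*use\s+{tok}\b", source, re.M):
                    findings.append((rule["category"], rule["name"], 0))
            continue
        pattern = re.compile(r"\b(" + "|".join(rule["sample"]) + r")\b")
        for no, line in enumerate(source.splitlines(), 1):
            if line.lstrip().startswith("#") or not pattern.search(line):
                continue
            # Taint step: keep the rule's category only if the call touches attacker
            # input directly or via a tainted variable; otherwise downgrade to warn.
            hit = TAINT_SOURCES.search(line) or any(re.search(rf"\${v}\b", line) for v in tainted)
            findings.append((rule["category"] if hit else "warn", rule["name"], no))
    return findings
```

Running `analyse(SAMPLE)` reports the `open` on line 4 as a vuln (its path comes from `$cgi->param`), the constant `system` call on line 5 as a warn, and the missing `use warnings` as a file-level warning.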
Tags: Perl, XSS injection, graph database, error-based detection, static code analysis