
zarn's People

Contributors

a-725-k, andersonbosa, dependabot[bot], giovannism20, hgouvea-nubank, htrgouvea, scriptprivate

zarn's Issues

Incorrect output line number

At present, the main branch code still cannot output the line number correctly for the comment line.
Here is the test file I used, with the default rules:
test.zip

Wrong output

Hello, I read your source code and conducted a test, and found that when the variable is first user input and is then defined as a string, there will still be an erroneous detection of the vulnerability, as follows:
sub main {
    my $name = $ARGV[0];    # $name first comes from user input
    my $name = "aasa";      # then redefined as a constant string before the sink
    system ("echo Hello World! $name");
}

I checked your source code and found that it is caused by find_first only looking at the first defined variable (AST.PL).


Add unit tests

The integration of unit testing is not merely a best practice but a crucial step toward ensuring the reliability and resilience of our codebase. By conducting targeted tests on individual components, we fortify our project against bugs, elevate code stability, and lay the foundation for seamless collaboration.

Unit testing offers early bug detection, instills confidence during refactoring, and serves as living documentation for our code. In our context, it translates to enhanced code quality, improved collaboration, and accelerated development.

To kickstart this process, let's identify critical components, select a fitting testing framework, craft comprehensive test cases, and seamlessly integrate tests into our CI/CD pipeline.

Support SARIF output format

Currently ZARN's output is just plain text on the command line, this is very limiting.

There is a standard called SARIF (https://sarifweb.azurewebsites.net): "The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools."

Using SARIF, it is possible to integrate the results with several other platforms, have more consistency in the results structure, etc. It is a great wish that ZARN has a "--sarif" option for outputs of this type.

An idea

Can static analysis of the CVE-2022-41352 vulnerability be realized? The specific principle is that if the pax program exists in the operating system, pax is used; otherwise, the cpio program is used to trigger the vulnerability, for example:
2. my($part, $tempdir, $archiver) = @_;
3. my $archiver_name = basename((split(' ',$archiver))[0]);
4. snmp_count("OpsDecBy\u${archiver_name}");
5. ll(4) && do_log(4,"Expanding archive %s, using %s",
6. $part->base_name,$archiver_name);
7. my $is_pax = $archiver_name =~ /^cpio/i ? 0 : 1;
Line 7 decides whether to use cpio or pax according to whether pax exists. I want to realize the detection of this feature code.

Integration with Github Security Alerts

Github has a Security feature called Security Alerts (https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning), one possibility is to integrate new tools and I think it's interesting to use ZARN for this.

The idea is: when zarn is run on a repository via Github Actions, the output will also be sent to Security Alerts if a vulnerability exists. In principle, the best strategy to do this is to simply send the SARIF result to the Github API: https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#upload-an-analysis-as-sarif-data

This task can only be done after: #11
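A minimal builder for the SARIF 2.1.0 document that a "--sarif" option could emit and that the code-scanning upload endpoint linked above consumes. This is an added example, not ZARN's own code; the finding dict shape, rule id, file name and tool version are constructed here.

```python
import json

# Added illustration, not ZARN's code. A "finding" is the data a ZARN-style scan
# already has: file, line, rule id, message. The dict layout is my own; the
# SARIF field names follow the 2.1.0 specification.
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

def to_sarif(findings, tool_name="zarn", tool_version="0.0.0-example"):
    """Wrap findings as a SARIF 2.1.0 log: one run, one rule per distinct rule id."""
    rule_ids = sorted({f["rule_id"] for f in findings})
    rules = [{"id": rid, "shortDescription": {"text": rid}} for rid in rule_ids]
    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_ids.index(f["rule_id"]),
            "level": f.get("level", "warning"),          # note|warning|error
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    # %SRCROOT% lets the consumer resolve paths against the repo root.
                    "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }

# Constructed sample finding modelled on the "Wrong output" issue's test case.
SAMPLE = [{"file": "test.pl", "line": 4, "rule_id": "perl-system-injection",
           "message": "user-controlled $name reaches system()", "level": "error"}]

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE), indent=2))
```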

Implement a Data flow engine

Currently, ZARN performs a pseudo analysis of the data flow, it tries to identify the presence of a variable and looks for the possibility of its value being changed by the user.

This is not the ideal way to implement a Data Flow. I'm opening this issue to discuss the possibility of a new way and also how to do this.

After implementing this data flow engine, I hope that it will be possible to do alias analysis and also Multiple files context analysis.

Add Ability to Detect RCE Attacks Via Backticks

Problem: Currently the default ruleset includes many of the common keywords/commands that can be used to trigger an RCE attack, e.g. system, eval, exec, and qx. However, it does not provide a solution for executing a system command using the backtick syntax, e.g.

my $cmd = "ls -a $folder";  # assume $folder is a dynamic/user-provided value; if unchecked, could result in an RCE attack
my @results = `$cmd`;       # command executed via the backtick operator

Is there a way to write a rule or add functionality to allow for zarn to identify and flag this kind of code?
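The "Wrong output" issue, the data flow engine issue and this backtick request all come down to the same two rules: the last assignment to a variable decides whether it is user-controlled when it reaches a sink, and backticks/qx must count as sinks. The toy checker below, an added example and not ZARN's code, applies both to the snippets from those issues; its regexes, rule names and sample inputs are constructed here.

```python
import re

# Added illustration, not ZARN's code: a toy taint check over Perl-like source
# in which the *last* assignment to a variable decides whether it is tainted,
# so the "Wrong output" test case is not flagged, while backticks and qx// are
# treated as sinks alongside system/exec. Regexes and rule names are my own.
SOURCE = re.compile(r'\$ARGV\[\d+\]|\$ENV\{|<STDIN>|\bparam\s*\(')
ASSIGN = re.compile(r'^\s*(?:my\s+)?([$@]\w+)\s*=(?![=~])\s*(.+?);?\s*$')
VARREF = re.compile(r'[$@](\w+)')
SINKS = {
    "system":   re.compile(r'\bsystem\s*\('),
    "exec":     re.compile(r'\bexec\s*\('),
    "qx":       re.compile(r'\bqx\s*[/{(\[]'),
    "backtick": re.compile(r'`[^`]*`'),
}

def analyze(src):
    """Return [(line, rule), ...] where a tainted variable reaches a sink."""
    tainted, findings = set(), []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        # For an assignment only the right-hand side can feed a sink.
        expr = m.group(2) if m else line
        refs = set(VARREF.findall(expr))
        for rule, pat in SINKS.items():
            if pat.search(expr) and refs & tainted:
                findings.append((lineno, rule))
        if m:
            var = m.group(1)[1:]
            # Taint flows from a source or a tainted variable; a later
            # constant assignment (e.g. my $name = "aasa") clears it.
            if SOURCE.search(expr) or refs & tainted:
                tainted.add(var)
            else:
                tainted.discard(var)
    return findings

# Constructed samples: the "Wrong output" snippet and the backtick case above.
ISSUE_SNIPPET = '''sub main {
my $name = $ARGV[0];
my $name = "aasa";
system ("echo Hello World! $name");
}'''
BACKTICK_SNIPPET = '''my $folder = $ARGV[0];
my $cmd = "ls -a $folder";
my @results = `$cmd`;'''

if __name__ == "__main__":
    print(analyze(ISSUE_SNIPPET))     # [] : $name was redefined before the sink
    print(analyze(BACKTICK_SNIPPET))  # [(3, 'backtick')]
```

Removing the redefinition line from ISSUE_SNIPPET makes the system() call a finding again, which is the behaviour the "Wrong output" report expects.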

Line numbers in the output don't match the line numbers in the source code

Hi,

I was testing out this tool and it works really well; it's able to find the issues if the patterns from the rules config file are matched, but the line numbers that come with the output don't match the line numbers from the source code. This could be a bit frustrating for the developers/security analysts while going through the results. I am attaching the sample file that was tested and also the results that the tool gave as a zip file.

Any fix regarding this would be great!

Thanks
zarn files.zip

Possibility to create rules for "absence of code"

Currently ZARN works by searching for the presence of dangerous functions that may present risks and trying to infer whether they are "reachable" through user input. But there are some categories of vulnerabilities/risks that occur through the absence of code (or a combination of both factors), example: #14

It would be interesting to have an implementation of this feature.
