Pysa

The Python Static Analyzer Pysa performs taint analysis to identify potential security problems: it traces data flows from their sources (where untrusted data enters) to their sinks (where that data is used in a dangerous way) and reports the code along the path.

Configuration

Pysa uses two file types for configuration:

  • a taint.config file in JSON format, in which sources, sinks, features and rules are defined.

    {
      "comment": "UserControlled, Test, Demo sources are predefined. Same for Demo, Test and RemoteCodeExecution sinks",
      "sources": [],
      "sinks": [],
      "features": [],
      "rules": []
    }
    
  • files with the extension .pysa in a directory configured with taint_models_path in your .pyre_configuration file.

You can find practical examples in the Pyre repository.
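The two configuration file types described above, as an added example that is not part of this page or the Pyre project: a shell function that creates a small demo project with a custom rule; the names UntrustedInput, ShellCommand and rule code 5001 are assumed names, not Pysa's predefined ones.

```shell
# Added example (not from the page or the Pyre project): write_pysa_demo DIR
# creates a minimal Pysa project in DIR with a custom rule:
#   taint.config        custom source and sink names, plus rule 5001 joining them
#   models/demo.pysa    marks which functions yield the source / receive the sink
#   .pyre_configuration points Pyre at the models directory (taint_models_path)
#   app.py              the code under analysis, with one tainted flow
# UntrustedInput, ShellCommand and code 5001 are constructed names, not Pysa's own.
write_pysa_demo() {
    dir="$1"
    mkdir -p "$dir/models"
    cat > "$dir/taint.config" <<'EOF'
{
  "sources": [ { "name": "UntrustedInput", "comment": "data from an external client" } ],
  "sinks":   [ { "name": "ShellCommand",   "comment": "string handed to a shell" } ],
  "features": [],
  "rules": [
    {
      "name": "Untrusted input reaches a shell command",
      "code": 5001,
      "sources": [ "UntrustedInput" ],
      "sinks": [ "ShellCommand" ],
      "message_format": "Data from [{$sources}] may reach [{$sinks}]"
    }
  ]
}
EOF
    # Model stubs use the fully qualified name of the function they annotate
    cat > "$dir/models/demo.pysa" <<'EOF'
def app.read_request_param(name) -> TaintSource[UntrustedInput]: ...
def os.system(command: TaintSink[ShellCommand]): ...
EOF
    cat > "$dir/.pyre_configuration" <<'EOF'
{
  "source_directories": ["."],
  "taint_models_path": ["models"]
}
EOF
    cat > "$dir/app.py" <<'EOF'
import os

def read_request_param(name):      # stands in for a web-framework accessor
    return "example-host"

def ping():
    host = read_request_param("host")
    os.system("ping -c 1 " + host)  # rule 5001: UntrustedInput reaches ShellCommand
EOF
}
# Then, inside DIR:  pipenv run pyre analyze --save-results-to ./
```

The resulting taint-output.json is the file that SAPP parses in the steps below.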

Use

Pyre can be called, for example, with

$ pipenv run pyre analyze --save-results-to ./

The --save-results-to option stores detailed results in ./taint-output.json.

Pysa postprocessor

Installation

$ pipenv install fb-sapp

Use

  1. Parsing the JSON file, for example with

    $ pipenv run sapp --database-name sapp.db analyze ./taint-output.json


    The results are stored in the local SQLite file sapp.db.

  2. Exploring the problems with

    $ pipenv run sapp --database-name sapp.db explore


    This starts an IPython interface connected to the SQLite database:

    issues

    lists all issues

    issue 1

    selects the first issue

    trace

    shows the data flow from source to sink

    n

    jumps to the next call in the trace

    list

    shows the source code of the call

    jump 1

    jumps to the first call and shows the source code

Further commands can be found in the SAPP Command-Line Interface.