Pysa
The Python Static Analyzer Pysa performs taint analysis to identify potential security problems. Pysa traces data flows from their sources to their sinks and identifies vulnerable code along the way.
Configuration
Pysa uses two file types for configuration:

1. A taint.config file in JSON format, in which sources, sinks, features and rules are defined:

    {
      "comment": "UserControlled, Test, Demo sources are predefined. Same for Demo, Test and RemoteCodeExecution sinks",
      "sources": [],
      "sinks": [],
      "features": [],
      "rules": []
    }

2. Files with the extension .pysa in a directory configured with taint_models_path in your .pyre_configuration file.
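An added example of a taint.config that declares one custom sink and a rule linking it to the predefined UserControlled source (this is not from the page or the Pyre repository; the sink name LogEntry and the rule code 5100 are assumptions chosen for illustration):

```json
{
  "comment": "Added example: UserControlled is predefined by Pysa's stubs; LogEntry and rule code 5100 are constructed for this illustration",
  "sources": [],
  "sinks": [
    {
      "name": "LogEntry",
      "comment": "arguments written to a log; user-controlled data reaching here allows log forging"
    }
  ],
  "features": [],
  "rules": [
    {
      "name": "User-controlled data written to logs",
      "code": 5100,
      "sources": ["UserControlled"],
      "sinks": ["LogEntry"],
      "message_format": "Data from [{$sources}] source(s) may reach [{$sinks}] sink(s)"
    }
  ]
}
```

The sink still has to be attached to concrete functions in a .pysa model file in the taint_models_path directory, for example `def logging.Logger.info(self, msg: TaintSink[LogEntry], *args, **kwargs): ...`. After `pyre analyze`, matching findings appear in taint-output.json under code 5100.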
You can find practical examples in the Pyre repository.
Use
Pyre can be called, for example, with

$ pipenv run pyre analyze --save-results-to ./

The --save-results-to option stores detailed results in ./taint-output.json.
Pysa post-processor
Installation

$ pipenv install fb-sapp
Use
Parse the JSON file, for example with

$ pipenv run sapp --database-name sapp.db analyze ./taint-output.json

The results are stored in the local SQLite file sapp.db. Explore the problems with

$ pipenv run sapp --database-name sapp.db explore

This starts an IPython interface connected to the SQLite database:
issues: lists all issues
issue 1: selects the first issue
trace: shows the data flow from source to sink
n: jumps to the next call
list: shows the source code of the call
jump 1: jumps to the first call and shows the source code
Further commands can be found in the SAPP Command-Line Interface.