Skip to content

A library for building tools to determine if vulnerabilities are reachable in a code base.

License

Notifications You must be signed in to change notification settings

phylum-dev/vuln-reach

Repository files navigation

Vuln Reach Logo

GitHub Repo stars GitHub Discord


Overview

Vuln Reach is a library for developing tools that determine if a given vulnerability is reachable. Provided to the open source community by Phylum to help reduce false positives and increase signal-to-noise for software developers.

How does it work?

Vuln Reach is a static analysis library written in Rust that leverages tree-sitter for parsing. It currently supports Javascript.

It builds an access graph of the source code of a package and its transitive dependencies, and then uses it to search for a path to a known vulnerable identifier node.

Usage

Add this to your Cargo.toml:

[dependencies]
vuln-reach = { git = "https://github.com/phylum-dev/vuln-reach" }

Example

Here's an example of how you can find out whether an identifier node in a package is reachable from another package.

use vuln_reach::javascript::package::reachability::VulnerableNode;
use vuln_reach::javascript::package::resolver::PackageResolver;
use vuln_reach::javascript::package::Package;
use vuln_reach::javascript::project::Project;

// Build a package resolver.
let package_resolver = PackageResolver::builder()
  .with_package("path-scurry", Package::from_tarball_path("./tarballs/path-scurry-1.6.1.tgz"))
  .with_package("lru-cache", Package::from_tarball_path("./tarballs/lru-cache-7.14.1.tgz"))
  .with_package("minipass", Package::from_tarball_path("./tarballs/minipass-4.0.2.tgz"))
  .build();
  
// Build a project from the package resolver.
let project = Project::new(package_resolver);

// Define a target node (rows/columns are zero-indexed).
let vulnerable_node = VulnerableNode::new("lru-cache", "index.js", 1017, 17, 1017, 24);

// Compute the reachability graph.
let reachability = project.reachability(&vulnerable_node);

// Find a path to the vulnerable node, starting from the given package.
let path = reachability.find_path("path-scurry");

To find out what the transitive dependencies for your project are, you can use Phylum!

For a more complete example of usage, check out the cli.

Contributing

How do you add support for additional languages?

At the moment, the codebase is relatively tightly coupled to Javascript. Plans are underway to abstract the non-language-specific bits to be used by all languages.

Adding support for a new language requires the following steps:

  • Add the relevant tree-sitter parser to build.rs.
  • Create a module directory for your language in the top level of the vuln-reach package.
  • Implement abstractions for the language's imports and exports.
  • Implement the concept of access for your language -- this could be as simple as being equivalent to "function call" or as complex as necessary.

Commercial Licensing

If you're interested in using vuln reach in a commercial project and need a different licensing agreement, please reach out to [email protected].

About

A library for building tools to determine if vulnerabilities are reachable in a code base.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •