Skip to content

Latest commit

 

History

History
74 lines (50 loc) · 3.59 KB

README.md

File metadata and controls

74 lines (50 loc) · 3.59 KB

Vuln Reach Logo

GitHub Repo stars GitHub Discord


Overview

Vuln Reach is a library for developing tools that determine if a given vulnerability is reachable. Provided to the open source community by Phylum to help reduce false positives and increase signal-to-noise for software developers.

How does it work?

Vuln Reach is a static analysis library written in Rust that leverages tree-sitter for parsing. It currently supports Javascript.

It builds an access graph of the source code of a package and its transitive dependencies, and then uses it to search for a path to a known vulnerable identifier node.

Usage

Add this to your Cargo.toml:

[dependencies]
vuln-reach = { git = "https://github.com/phylum-dev/vuln-reach" }

Example

Here's an example of how you can find out whether an identifier node in a package is reachable from another package.

use vuln_reach::javascript::package::reachability::VulnerableNode;
use vuln_reach::javascript::package::resolver::PackageResolver;
use vuln_reach::javascript::package::Package;
use vuln_reach::javascript::project::Project;

// Build a package resolver.
let package_resolver = PackageResolver::builder()
  .with_package("path-scurry", Package::from_tarball_path("./tarballs/path-scurry-1.6.1.tgz"))
  .with_package("lru-cache", Package::from_tarball_path("./tarballs/lru-cache-7.14.1.tgz"))
  .with_package("minipass", Package::from_tarball_path("./tarballs/minipass-4.0.2.tgz"))
  .build();
  
// Build a project from the package resolver.
let project = Project::new(package_resolver);

// Define a target node (rows/columns are zero-indexed).
let vulnerable_node = VulnerableNode::new("lru-cache", "index.js", 1017, 17, 1017, 24);

// Compute the reachability graph.
let reachability = project.reachability(&vulnerable_node);

// Find a path to the vulnerable node, starting from the given package.
let path = reachability.find_path("path-scurry");

To find out what the transitive dependencies for your project are, you can use Phylum!

For a more complete example of usage, check out the cli.

Contributing

How do you add support for additional languages?

At the moment, the codebase is relatively tightly coupled to Javascript. Plans are underway to abstract the non-language-specific bits to be used by all languages.

Adding support for a new language requires the following steps:

  • Add the relevant tree-sitter parser to build.rs.
  • Create a module directory for your language in the top level of the vuln-reach package.
  • Implement abstractions for the language's imports and exports.
  • Implement the concept of access for your language -- this could be as simple as being equivalent to "function call" or as complex as necessary.

Commercial Licensing

If you're interested in using vuln reach in a commercial project and need a different licensing agreement, please reach out to [email protected].