A library for building tools to determine if vulnerabilities are reachable in a code base.

Overview

Vuln Reach Logo

GitHub Repo stars GitHub Discord


Overview

Vuln Reach is a library for developing tools that determine if a given vulnerability is reachable. Provided to the open source community by Phylum to help reduce false positives and increase signal-to-noise for software developers.

How does it work?

Vuln Reach is a static analysis library written in Rust that leverages tree-sitter for parsing. It currently supports Javascript.

It builds an access graph of the source code of a package and its transitive dependencies, and then uses it to search for a path to a known vulnerable identifier node.

Usage

Add this to your Cargo.toml:

[dependencies]
vuln-reach = { git = "https://github.com/phylum-dev/vuln-reach" }

Example

Here's an example of how you can find out whether an identifier node in a package is reachable from another package.

use vuln_reach::javascript::package::reachability::VulnerableNode;
use vuln_reach::javascript::package::resolver::PackageResolver;
use vuln_reach::javascript::package::Package;
use vuln_reach::javascript::project::Project;

// Build a package resolver.
let package_resolver = PackageResolver::builder()
  .with_package("path-scurry", Package::from_tarball_path("./tarballs/path-scurry-1.6.1.tgz"))
  .with_package("lru-cache", Package::from_tarball_path("./tarballs/lru-cache-7.14.1.tgz"))
  .with_package("minipass", Package::from_tarball_path("./tarballs/minipass-4.0.2.tgz"))
  .build();
  
// Build a project from the package resolver.
let project = Project::new(
  package_resolver,
  vec!["path-scurry", "lru-cache", "minipass"]
);

// Define a target node.
let vulnerable_node = VulnerableNode::new("lru-cache", "index.js", 1017, 24);

// Compute the reachability graph.
let reachability = project.reachability(&vulnerable_node);

// Find a path to the vulnerable node, starting from the given package.
let path = reachability.find_path("path-scurry");

To find out what the transitive dependencies for your project are, you can use Phylum!

For a more complete example of usage, check out the cli.

Contributing

How do you add support for additional languages?

At the moment, the codebase is relatively tightly coupled to Javascript. Plans are underway to abstract the non-language-specific bits to be used by all languages.

Adding support for a new language requires the following steps:

  • Add the relevant tree-sitter parser to build.rs.
  • Create a module directory for your language in the top level of the vuln-reach package.
  • Implement abstractions for the language's imports and exports.
  • Implement the concept of access for your language -- this could be as simple as being equivalent to "function call" or as complex as necessary.

Commercial Licensing

If you're interested in using vuln reach in a commercial project and need a different licensing agreement, please reach out to [email protected].

Comments
  • Simplify `ProjectReachability` API

    Simplify `ProjectReachability` API

    This PR simplifies the top-level client facing API.

    The requirement for using an iterator of vulnerable nodes in ProjectReachability is dropped, allowing the user to design their own iteration logic and simplifying the use case of checking against a single vulnerable node.

    opened by andreaphylum 0
  • Expose packages in `PackageResolver`

    Expose packages in `PackageResolver`

    Currently, the Project constructor requires users to specify the list of the packages that are available in the resolver, in addition to supplying the resolver itself. We should add support for enumerating packages in PackageResolver in order to remove the redundant argument passed to the Project::new constructor.

    let package_resolver = PackageResolver::builder()
      .with_package("path-scurry", Package::from_tarball_path("./tarballs/path-scurry-1.6.1.tgz"))
      .with_package("lru-cache", Package::from_tarball_path("./tarballs/lru-cache-7.14.1.tgz"))
      .with_package("minipass", Package::from_tarball_path("./tarballs/minipass-4.0.2.tgz"))
      .build();
      
    let project = Project::new(
      package_resolver,
      vec!["path-scurry", "lru-cache", "minipass"]
    );
    
    enhancement high priority 
    opened by andreaphylum 0
  • Improve documentation

    Improve documentation

    We should improve the crate's documentation so that the output of cargo doc makes it easy for library users to get started and figure out how to use it.

    documentation medium priority 
    opened by andreaphylum 0
  • Research (2023.8)

    Research (2023.8)

    This is the research ticket for the 2023.8 sprint.

    Current state

    • We can traverse the graph for a whole project (defined as a root package + its transitive dependencies), determine whether a node is reachable, and find a call path to it.
    • We have mostly stable serializable data structures for client usage.
    • We have acceptable test coverage.

    Work done in previous sprint

    • Completed the cross-package reachability graph traversal. The real world example chosen (@redis/client) succeeds in finding the chosen vulnerable node.
    • Refined the in-project graph traversal.
    • Developed side-effect accesses detection.
    • Built a small CLI (vuln-reach-cli).

    Work planned for the sprint

    • [ ] Finalize the serialization format and public facing API.
    • [ ] Assess whether, as a result of introducing side-effect access identification, reachability in the root package is extended to all of its identifiers and not just its exports.

    Work planned for future sprints

    • Build a comprehensive benchmark with meaningful metrics to assess whether the model is performing as desired.
    • Research the statistical distribution of vulnerabilities to assess the usefulness of the model (i.e. in % how many vulnerabilities show up as reachable/unreachable)
    • Research ways of assessing whether vulnerabilities are definitely unreachable.
    • Performance benchmark: filesystem/network access is anticipated to be a bottleneck.
    research 
    opened by andreaphylum 0
  • Improve test coverage

    Improve test coverage

    We currently have test coverage for most features, but very small test fixtures.

    We should improve coverage by building fake but sizable projects and test features against those.

    enhancement medium priority 
    opened by andreaphylum 0
  • Implement discovery for `Project`

    Implement discovery for `Project`

    We currently need to manually supply the source of the analyzed packages to the Project object.

    We should devise a system to automate the discovery of packages in a variety of conditions.

    See also #5.

    enhancement needs triage 
    opened by andreaphylum 0
  • Improve

    Improve "access" concept

    The find_accessor method is responsible for determining what qualifies as an "access", and is the main driver of the statistical measurement errors of the reachability model.

    On an ongoing basis, we should keep evaluating whether the concept of "access" that we use yields not enough, just right, or too many reachability paths.

    enhancement research implementation detail 
    opened by andreaphylum 0
Audit Cargo.lock files for dependencies with security vulnerabilities

RustSec Crates ?? ??️ ?? The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io. The a

RustSec 1.2k Jan 5, 2023
Rust-verification-tools - RVT is a collection of tools/libraries to support both static and dynamic verification of Rust programs.

Rust verification tools This is a collection of tools/libraries to support both static and dynamic verification of Rust programs. We see static verifi

null 253 Dec 31, 2022
Rust library for building and running BPF/eBPF modules

RedBPF A Rust eBPF toolchain. Overview The redbpf project is a collection of tools and libraries to build eBPF programs using Rust. It includes: redbp

foniod 1.5k Jan 1, 2023
Secure sandboxing system for untrusted code execution

Godbox Secure sandboxing system for untrusted code execution. It uses isolate which uses specific functionnalities of the Linux kernel, thus godbox no

Nathanael Demacon 19 Dec 14, 2022
A cryptographically verifiable code review system for the cargo (Rust) package manager.

image credit cargo-crev A cryptographically verifiable code review system for the cargo (Rust) package manager. Introduction Crev is a language and ec

crev - Code REView system 1.8k Jan 5, 2023
How-to: Sanitize your Rust code!

rust-san How-to: Sanitize your Rust code! Intro How to use the sanitizers? Examples AddressSanitizer Out of bounds access Use after free LeakSanitizer

Jorge Aparicio 359 Dec 22, 2022
Breaking your Rust code for fun and profit

Breaking your Rust code for fun & profit this is an architecture-preview, not all components are there This is a mutation testing framework for Rust c

null 542 Jan 4, 2023
Using fibers to run in-memory code in a different and stealthy way.

Description A fiber is a unit of execution that must be manually scheduled by the application rather than rely on the priority-based scheduling mechan

Kurosh Dabbagh Escalante 121 Apr 20, 2023
CVEs for the Rust standard library

Rust CVE Preface This is a list of CVEs for unsound APIs in the Rust standard library. These bugs break Rust's memory safety guarantee and lead to sec

Yechan Bae 26 Dec 4, 2022
unfuck is a utility and library for deobfuscating obfuscated Python 2.7 bytecode

unfuck is a utility and library for deobfuscating obfuscated Python 2.7 bytecode. It is essentially a reimplementation of the Python VM with taint tracking.

Lander Brandt 171 Dec 14, 2022
Rust library for developing safe canisters.

IC Kit This library provides an alternative to ic-cdk that can help developers write canisters and unit test them in their Rust code. Install Add this

Psychedelic 26 Nov 28, 2022
Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

LibAFL, the fuzzer library. Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust. LibAFL is written and main

Advanced Fuzzing League ++ 1.2k Jan 6, 2023
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode

Xori - Custom disassembly framework Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and pro

ENDGAME 712 Nov 28, 2022
QuickCheck bug hunting in Rust standard library data structures

BugHunt, Rust This project is aiming to provide "stateful" QuickCheck models for Rust's standard library. That is, we build up a random list of operat

Brian L. Troutwine 161 Dec 15, 2022
Mundane is a Rust cryptography library backed by BoringSSL that is difficult to misuse, ergonomic, and performant (in that order).

Mundane Mundane is a Rust cryptography library backed by BoringSSL that is difficult to misuse, ergonomic, and performant (in that order). Issues and

Google 1.1k Jan 3, 2023
Cross-platform async library for system information fetching 🦀

heim Cross-platform library for system information fetching heim is an ongoing attempt to create the best tool for system information fetching (ex., C

null 782 Jan 2, 2023
A simple rust library for working with ZIP archives

rust-zip A simple rust library to read and write Zip archives, which is also my pet project for learning Rust. At the moment you can list the files in

Jorge Gorbe Moya 11 Aug 6, 2022
Memory hacking library for windows.

Memory hacking library for windows.

sy1ntexx 40 Jan 3, 2023
An attempt to rewrite lite-client for TON Blockchain in Rust using ton-labs-adnl library.

An attempt to rewrite lite-client for TON Blockchain in Rust using ton-labs-adnl library.

TonStack 4 Nov 9, 2022