Source code Review / SAST Tools
Guidance & Lists of tools
Multi-Language Tools
There is a free package to review PRs.
Semgrep
Semgrep is an Open Source tool.
Supported Languages
Category | Languages |
---|---|
GA | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX |
Beta | Kotlin · Rust |
Experimental | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp |
Quick Start
You can also use the semgrep VSCode Extension to get the findings inside VSCode.
There is an installable free version.
Quick Start
CodeQL
There is an installable free version, but according to the license the free CodeQL CLI may only be used on Open Source projects.
Install
Quick Start - Prepare the database
The first thing you need to do is to prepare the database (the extracted code tree) so the queries can later be run over it.
You can let codeql automatically identify the language of the repo and create the database.
This will usually trigger an error saying that more than one language was specified (or automatically detected). Check the next options to fix this!
You can do this manually, indicating the repo and the language (see the list of supported languages).
If your repo uses more than one language, you can also create one DB per language by indicating each language.
You can also let codeql identify all the languages for you and create a DB per language. You need to give it a GITHUB_TOKEN for that.
Quick Start - Analyze the code
Now it's finally time to analyze the code.
Remember that if you used several languages, one DB per language will have been created in the path you specified.
Quick Start - Scripted
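The following script is an added example, not code from the original page or from the CodeQL project. It chains the steps above (one database per language, then one analysis per database) into a single function. It assumes the codeql CLI is on PATH and that the standard codeql/<language>-queries packs can be downloaded; the results directory layout, the db-<language> naming and the DRY_RUN variable are choices made here, not CodeQL conventions. The security-extended.qls suites are the real suite names shipped in those packs. With several languages you can get the same per-language databases in one command with codeql database create --db-cluster --language=javascript,python; the loop below simply makes the per-language step explicit.

```shell
#!/bin/sh
# Added example (not from the original page): scripted CodeQL quick start.
# Assumes the `codeql` CLI and the `codeql/<lang>-queries` packs are available.
# Directory names and the DRY_RUN switch are assumptions made for this example.
set -eu

# Run a command, or only print it when DRY_RUN=1 (review the plan first).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# codeql_scan <source-root> <comma-separated languages> [results dir]
# Creates one database per language, runs that language's
# security-extended suite and writes one SARIF file per database.
codeql_scan() {
  src=$1
  langs=$2
  out=${3:-"$src/codeql-results"}
  run mkdir -p "$out"
  old_ifs=$IFS
  IFS=,
  for lang in $langs; do
    IFS=$old_ifs
    db="$out/db-$lang"
    # --overwrite lets the script be re-run on the same tree
    run codeql database create "$db" --language="$lang" --source-root="$src" --overwrite
    # fetch the query pack once so the analysis step can run offline afterwards
    run codeql pack download "codeql/$lang-queries"
    run codeql database analyze "$db" \
      "codeql/$lang-queries:codeql-suites/$lang-security-extended.qls" \
      --format=sarif-latest --output="$out/$lang.sarif"
  done
  IFS=$old_ifs
}

# Usage: sh codeql-scan.sh /path/to/repo javascript,python [results-dir]
if [ "$#" -ge 2 ]; then
  codeql_scan "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact commands before letting it touch the repo; the resulting .sarif files are what the SARIF viewers mentioned below consume.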
You can visualize the findings in https://microsoft.github.io/sarif-web-component/ or using VSCode extension SARIF viewer.
You can also use the VSCode extension to get the findings inside VSCode. You will still need to create the database manually, but then you can select any files, right-click and choose CodeQL: Run Queries in Selected Files.
Snyk
There is an installable free version.
Quick Start
You can also use the snyk VSCode Extension to get findings inside VSCode.
It's Open Source, but looks unmaintained.
Supported Languages
Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).
Quick Start
Free for public repos.
NodeJS
yarn: yarn audit checks the installed dependency tree against known vulnerability advisories.
pnpm: pnpm audit does the same for pnpm-managed projects.
nodejsscan: Static security code scanner (SAST) for Node.js applications powered by libsast and semgrep.
RetireJS: The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
Electron
electronegativity: A tool to identify misconfigurations and security anti-patterns in Electron-based applications.
Python
Bandit: Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
safety: Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
Pyt: Unmaintained.
.NET
RUST
Java
Task | Command |
---|---|
Execute Jar | java -jar [jar] |
Unzip Jar | unzip -d [output directory] [jar] |
Create Jar | jar -cmf META-INF/MANIFEST.MF [output jar] * |
Base64 SHA256 | sha256sum [file] \| cut -d' ' -f1 \| xxd -r -p \| base64 |
Remove Signing | rm META-INF/*.SF META-INF/*.RSA META-INF/*.DSA |
Delete from Jar | zip -d [jar] [file to remove] |
Decompile class | procyon -o . [path to class] |
Decompile Jar | procyon -jar [jar] -o [output directory] |
Compile class | javac [path to .java file] |
Go
PHP
Wordpress Plugins
https://www.pluginvulnerabilities.com/plugin-security-checker/
Solidity
JavaScript
Discovery
Burp:
Spider and discover content
Sitemap > filter
Sitemap > right-click domain > Engagement tools > Find scripts
waybackurls <domain> | grep -i "\.js" | sort -u
Static Analysis
Unminimize/Beautify/Prettify
See some of the tools mentioned in 'Deobfuscate/Unpack' below as well.
Deobfuscate/Unpack
Note: It may not be possible to fully deobfuscate.
Find and use .map files:
If the .map files are exposed, they can be used to easily deobfuscate.
Commonly, foo.js.map maps to foo.js. Manually look for them.
Use JS Miner to look for them.
Ensure active scan is conducted.
Read 'Tips/Notes'
If found, use Maximize to deobfuscate.
Without .map files, try JSnice:
References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
Tips:
If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
For some more modern alternatives to JSNice, you might like to look at the following:
https://github.com/pionxzh/wakaru
Wakaru: JavaScript decompiler, unpacker and unminify toolkit. Wakaru is the JavaScript decompiler for modern frontend. It brings back the original code from a bundled and transpiled source.
https://github.com/j4k0xb/webcrack
Deobfuscate obfuscator.io, unminify and unpack bundled javascript
https://github.com/jehna/humanify
Un-minify JavaScript code using ChatGPT. This tool uses large language models (like ChatGPT & llama2) and other tools to un-minify JavaScript code. Note that LLMs don't perform any structural changes; they only provide hints to rename variables and functions. The heavy lifting is done by Babel on AST level to ensure the code stays 1-1 equivalent.
https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html
Using LLMs to reverse JavaScript variable name minification
Use console.log(): for packed scripts (the eval(function(p,a,c,k,e,d){...}(...)) pattern), find the return value at the end and change it to console.log(<packerReturnVariable>); so the deobfuscated js is printed instead of being executed. Then paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
Note: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.
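The same trick can be automated so the recursive case does not need manual repetition. The script below is an added example, not code from the original page: packer_to_log rewrites the last statement that starts with eval( into console.log( (the common p.a.c.k.e.r. layout, where the packer call itself is the returned value), and unpack_layers feeds the result to node and loops while the printed output still starts with eval(. It assumes awk is available for the rewrite and node for actually executing a layer; the ten-layer cap is an arbitrary safety limit chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): automate the eval -> console.log
# trick for p.a.c.k.e.r.-style code, including recursively packed layers.
# Assumes awk (rewrite step) and node (execution step) are on PATH.
set -eu

# packer_to_log: read a script on stdin, turn the LAST line beginning with
# "eval(" into "console.log(" so the unpacked layer is printed, not run.
packer_to_log() {
  awk '
    { lines[NR] = $0 }
    END {
      for (i = NR; i > 0; i--)
        if (lines[i] ~ /^eval\(/) { sub(/^eval\(/, "console.log(", lines[i]); break }
      for (i = 1; i <= NR; i++) print lines[i]
    }'
}

# unpack_layers <file>: peel packed layers until the output no longer starts
# with eval( (recursive packing) or the cap is hit; prints the final source.
unpack_layers() {
  js=$(cat "$1")
  n=0
  while printf '%s\n' "$js" | grep -q '^eval(' && [ "$n" -lt 10 ]; do
    # node reads the rewritten script from stdin and prints the next layer
    js=$(printf '%s\n' "$js" | packer_to_log | node -)
    n=$((n + 1))
  done
  printf '%s\n' "$js"
}

# Usage: sh unpack.sh packed.js > unpacked.js
if [ "$#" -ge 1 ]; then
  unpack_layers "$1"
fi
```

Only run unpack_layers on code you are willing to execute under node: the packer's outer function is executed to produce the next layer, so do this in a throwaway environment and feed the final output to a beautifier afterwards.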