
Write a package for data flow analysis

Open ccojocar opened this issue 6 years ago • 7 comments

Summary

Write a package which implements various primitives for data flow analysis. This package can be used by the rules to perform taint analysis, or other security checks.

godoctor/analysis has already some data flow analysis on which can be built as a starting point.

I will be very interested to get more suggestions from you. What do you think are the basic requirements?

cc @gcmurphy @coredefend

ccojocar avatar Mar 13 '18 09:03 ccojocar

Very excited to see this package in a discussion. Here are some basic requirements:

  • Check for a variable modified before reaching the sink. A light check here would help rate the severity.
  • Once a vuln is identified, it might make sense to trace the path from the sink back to the source to validate the finding and thereby reduce the false positive rate.
  • Some parameter values might be constructed with a combination of a static string and user input. It might make sense to provide a feature that can identify this. For example, with file inclusion bugs, if the ../ sequence is appended to a hardcoded string (e.g., "test" + userInput -> "test../blah.txt"), there might not be a vuln there.

I'll think more through this and provide some basic requirements.

wileystar avatar Mar 13 '18 18:03 wileystar
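An added example, not code from this issue or from gosec, that sketches the first and third requirements above as a hypothetical straight-line tracker over the Go AST (a real implementation would sit on the SSA packages named later in the thread). Names are assumptions: Sample is a constructed handler, input() stands for the source and open() for the sink, and Prefixed marks taint that follows a hardcoded string prefix so a rule could rate it lower.

```go
package main
import "go/ast"
import "go/parser"
import "go/token"
const Clean, Prefixed, Tainted = 0, 1, 2 // taint levels; Prefixed: input follows a hardcoded string prefix
// Sample is a constructed straight-line handler (not real code); input() is the source, open() the sink.
const Sample = "package p\nfunc h() { in := input(); p := \"/srv/\" + in; open(p); in = \"ok\"; open(in); open(input() + \"x\") }\n"
func taintOf(level map[string]int, source string, e ast.Expr) int { // taint level of expression e
	switch x := e.(type) {
	case *ast.Ident:
		return level[x.Name]
	case *ast.CallExpr:
		if id, ok := x.Fun.(*ast.Ident); ok && id.Name == source {
			return Tainted
		}
	case *ast.BinaryExpr: // any operator propagates taint (an over-approximation)
		l, r := taintOf(level, source, x.X), taintOf(level, source, x.Y)
		if _, lit := x.X.(*ast.BasicLit); lit && x.Op == token.ADD && r > Prefixed {
			r = Prefixed // "lit" + input: the input can only follow the literal, not rewrite it
		}
		if l > r {
			return l
		}
		return r
	}
	return Clean
}
// SinkTaint is a hypothetical straight-line tracker: calls to source are Tainted, taint flows through
// assignments (a clean reassignment clears it), and the level of the first argument of each sink call is returned.
func SinkTaint(src, source, sink string) ([]int, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "in.go", src, 0)
	if err != nil {
		return nil, err
	}
	level, out := map[string]int{}, []int{} // variable name -> current taint level
	ast.Inspect(f, func(n ast.Node) bool { // pre-order visit == execution order for straight-line code
		switch x := n.(type) {
		case *ast.AssignStmt:
			if id, ok := x.Lhs[0].(*ast.Ident); ok && len(x.Rhs) == 1 {
				level[id.Name] = taintOf(level, source, x.Rhs[0])
			}
		case *ast.CallExpr:
			if id, ok := x.Fun.(*ast.Ident); ok && id.Name == sink && len(x.Args) > 0 {
				out = append(out, taintOf(level, source, x.Args[0]))
			}
		}
		return true
	})
	return out, nil
}
```

Running SinkTaint(Sample, "input", "open") yields Prefixed for the first open(), Clean for the second (in was reassigned before the sink) and Tainted for the third.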

I think @dominikh has looked at data flow analysis for staticcheck.

dgryski avatar Mar 13 '18 21:03 dgryski

Think this makes a lot of sense and I've wanted to explore this for a while. We may be able to leverage some functionality from here as well:

  • "golang.org/x/tools/go/callgraph"
  • "golang.org/x/tools/go/loader"
  • "golang.org/x/tools/go/pointer"
  • "golang.org/x/tools/go/ssa"
  • "golang.org/x/tools/go/ssa/ssautil"

gcmurphy avatar Mar 14 '18 00:03 gcmurphy

I believe that also using the SSA representation, in addition to the AST, would make such an analysis achievable.
Some pointers:

  • https://golang-ssaview.herokuapp.com/
  • https://github.com/golang/tools/blob/master/go/ssa/ssautil/load.go
  • https://blog.trailofbits.com/2020/05/22/emerging-talent-winternship-2020-highlights/ (See Go SSA based scanner)

ccojocar avatar Jun 19 '20 07:06 ccojocar

SSA refers to: https://pkg.go.dev/golang.org/x/tools/go/ssa.

Jeeppler avatar Nov 25 '21 17:11 Jeeppler

Hi! Is there anyone working on this issue now? If not, I'd like to contribute to this. Maybe I can start by improving the taint analysis using dataflow analysis with Go SSA?

yunwei37 avatar May 06 '22 16:05 yunwei37

@yunwei37 Please feel free to work on this, this will be a really valuable contribution. If you have any questions, don't hesitate to raise them here. Thanks!

ccojocar avatar May 06 '22 17:05 ccojocar

gosec now supports Analysers and the SSA code representation.

ccojocar avatar Oct 18 '23 13:10 ccojocar