Search results for "Static analysis": 1 - 35 of 35

  • Pysa: An open source static analysis tool to detect and prevent security issues in Python code

    Today, we are sharing details about Pysa, an open source static analysis tool we’ve built to detect and prevent security and privacy issues in Python code. Last year, we shared how we built Zoncolan, a static analysis tool that helps us analyze more than 100 million lines of Hack code and has helped engi

  • GitHub - semgrep/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    This repository contains the source code for Semgrep OSS (open-source software). Semgrep OSS is a fast, open-source, static analysis tool for searching code, finding bugs, and enforcing code standards at editor, commit, and CI time. Semgrep is a semantic grep for code: where grep "2" would only match the exact string 2, Semgrep would match x = 1; y = x + 1 when searching for 2. And it does this in

  • GitHub - microsoft/ApplicationInspector: A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scannin

    Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third party software components based on well-known library/API calls and is helpful in security and non-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source code to aid in determining what the software is or wh

  • GitHub - praetorian-inc/gokart: A static analysis tool for securing Go code

  • Static Analysis at Scale: An Instagram Story

    Instagram Server is entirely Python powered. Well, mostly. There’s also some Cython, and our dependencies include a fair amount of C++ code exposed to Python as C extensions. Our server app is a monolith, one big codebase of several million lines and a few thousand Django endpoints [1], all loaded up and served together. A few services have been split out of the monolith, but we don’t have any pla

  • GitHub - kaleidawave/ezno: A JavaScript compiler and TypeScript checker written in Rust with a focus on static analysis and runtime performance

    What Ezno is: A type checker for JavaScript usable through a CLI (with a LSP also in the works). A high level library that allows type checking to be added to other tools! Checks programs with guaranteed type safety (no runtime TypeErrors) (as long as definitions are sound). Types aimed at soundness and tracing for better static analysis. An imperative type system that tracks and evaluates the side eff

  • GitHub - dsherret/ts-morph: TypeScript Compiler API wrapper for static analysis and programmatic code changes.

  • Zoncolan: How Facebook uses static analysis to detect and prevent security issues

    Facebook’s web codebase currently contains more than 100 million lines of Hack code, and changes thousands of times per day. To handle the sheer volume of code, we build sophisticated systems that help our security engineers review code. Today, we are sharing the details of one of those tools, called Zoncolan, for th

  • Enabling static analysis of SQL queries at Meta

    UPM is our internal standalone library to perform static analysis of SQL code and enhance SQL authoring. UPM takes SQL code as input and represents it as a data structure called a semantic tree. Infrastructure teams at Meta leverage UPM to build SQL linters, catch user mistakes in SQL code, and perform data lineage analysis at scale. Executing SQL queries against our data warehouse is important to

  • Psalm - a static analysis tool for PHP

    Give PHP the love it deserves. It’s easy to make great things in PHP, but bugs can creep in just as easily. Psalm is a free & open-source static analysis tool that helps you identify problems in your code, so you can sleep a little better. Psalm helps people maintain a wide variety of codebases – large and small, ancient and modern. On its strictest setting it can help you prevent almost all type-r

  • A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

    Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package I

  • Improvements to static analysis in the GCC 14 compiler | Red Hat Developer

    I work at Red Hat on GCC, the GNU Compiler Collection. For the last five releases of GCC, I've been working on -fanalyzer, a static analysis pass that tries to identify various problems at compile-time, rather than at runtime. It performs "symbolic execution" of C source code—effectively simulating the behavior of the code along the various possible paths of execution through it. This article summ

  • Static analysis in GCC 10 | Red Hat Developer

  • GitHub - SourceCode-AI/aura: Python source code auditing and static analysis on a large scale

    Aura is a static analysis framework developed as a response to the ever-increasing threat of malicious packages and vulnerable code published on PyPI. Project goals: provide an automated monitoring system over uploaded packages to PyPI; alert on anomalies that can either indicate an ongoing attack or vulnerabilities in the code; enable an organization to conduct automated security audits of the sou

  • 静的解析の育て方 / How to make your static analysis strong

    Slides from my talk at PHPerKaigi 2020. https://fortee.jp/phperkaigi-2020/proposal/8f41e23f-69ef-4f93-8625-db64be39248f

  • Semgrep: a static analysis journey

  • The state of static analysis in the GCC 12 compiler | Red Hat Developer

    Building a static analyzer into the C compiler offers several advantages over having a separate tool, because the analyzer can track what the compiler and assembler are doing intimately. As a Red Hat employee, I work on GCC, the GNU Compiler Collection. Our static analyzer is still experimental but is making big strides in interesting areas, including a taint mode and an understanding of assembly-

  • Starting static analysis with Go

    Slides used for my session at Go Conference 2021 Autumn. - Session details: https://gocon.jp/2021autumn/sessions/go-static-analysis/ - Speaker: https://twitter.com/d_tutuz If you find any errors in the slides, please let me know on Twitter.

  • Early Access Program for Qodana, a New Static Analysis and Quality Management Tool by JetBrains, Is Open | The PhpStorm Blog

    “We must run as fast as we can, just to stay in place” – Lewis Carroll. Qodana is a new product from JetBrains that brings the “smarts” of JetBrains IDEs directly into your CI Pipeline. PhpStorm and our other JetBrains IDEs are renowned for their ability to understand your code. They can track d

  • Need for speed: static analysis version

    TL;DR: Semgrep has achieved remarkably fast scan times by prioritizing speed using methods like taint summaries and tree matching in OCaml. In addition, Semgrep’s design as a tool that searches for syntax makes it fast due to designs like purely textual single-file analysis, partial parsing, and optimizations like skipping files that cannot produce matches. Program analysis is an extremely interes

  • GitHub - microsoft/monitors4codegen: Code and Data artifact for NeurIPS 2023 paper - "Monitor-Guided Decoding of Code LMs with Static Analysis of Repository Context". `multispy` is a lsp client library in Python intended to be used to build applications a

    Datasets: PragmaticCode and DotPrompts. Evaluation scripts: Scripts to evaluate LMs by taking as input inferences (code generated by the model) for examples in DotPrompts and producing score@k scores for the metrics reported in the paper: Compilation Rate (CR), Next-Identifier Match (NIM), Identifier-Sequence Match (ISM) and Prefix Match (PM). Inference Results over DotPrompts: Generated code for e

  • CLOUDFORMATION STATIC ANALYSIS

    We want to take a deeper dive into CloudFormation stacks. CloudFormation stacks are a great tool for developers to provision AWS resources in a structured, repeatable way that also has the added benefit of making updates and tear

  • Mosca - Manual Static Analysis Tool To Find Bugs - Darknet

    Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command. There are various ‘egg’ modules which contain patterns to scan for, it ca

  • GitHub - paulthewalton/acf-stubs: ⛔️ ABANDONED ⛔️ Based on/copied from giacocorsiglia/wordpress-stubs. Advanced Custom Fields function, class, and global variable declaration stubs for easier static analysis.

  • Static analysis updates in GCC 11 | Red Hat Developer

    I work at Red Hat on the GNU Compiler Collection (GCC). In GCC 10, I added the new -fanalyzer option, a static analysis pass for identifying various problems at compile-time, rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false

  • A static-analysis framework for GCC [LWN.net]

    One of the features of the Clang/LLVM compiler that has been rather lacking for GCC may finally be getting filled in. In a mid-November post to the gcc-patches maili

  • Static Analysis at GitHub – Communications of the ACM

    GitHub, a code-hosting website built atop the Git version-control system, hosts hundreds of millions of repositories of code uploaded by more than 65 million developers. The Semantic Co

  • GitHub - stackrox/kube-linter: KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

    KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some

  • 効果的な静的解析の CI導入パターンを求めて / Great static analysis with CI

    Slides from my talk at PHP Conference Japan 2020. https://phpcon.php.gr.jp/2020/ https://fortee.jp/phpcon-2020/proposal/e0fba818-b475-452d-9bae-b7eb6c80b889 ref. How to make your static analysis strong: https://speakerdeck.com/oogfranz/how-to-make-your-static-analysis-strong Using Feedback Loops to Boost Development Lifecycles: https://www.agileconnection.com/article/using-feedback-loops-boost-development-lifecycles Psalm: https://psalm.dev/

  • Python static analysis comparison: Bandit vs Semgrep

  • Static Analysis Results Interchange Format (SARIF) Version 2.0

    Committee Specification Draft 02 / Public Review Draft 02, 27 May 2019. This version: https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.docx (Authoritative) https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.pdf Previou

  • Static Analysis: An Introduction - ACM Queue

    September 16, 2021, Volume 19, issue 4. The fundamental challenge of software engineering is one of complexity. Patrick Thomson. The relationship between source code, computers, and people is complex. Though most code exists to be run on a computer, its purpose is not limited to that. It is also intended to be read and understood. The complexity of mod

  • A Static Analysis Tool for C++

    Automating Scott Meyers' recommendations, cleaning up #include directives, analyzing dependencies... This article is a user guide to a static analysis tool for C++ code. Among other things, the tool can clean up #include lists, highlight violations of C++ best practices, and analyze dependencies within the code base. It can also implement many of its suggestions by editing the code. The article al

  • CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research

    Learn more about static analysis and how to use it for security research! In this blog post series, we will take a closer look at static analysis concepts, present GitHub’s static analysis tool CodeQL, and teach you how to leverage static analysis for security research by writing custom CodeQL queries

  • GitHub - gqlgo/gqlanalysis: gqlanalysis makes it easy to develop static analysis tools for GraphQL in Go.