{"id":13842040,"url":"https://github.com/ariary/TrojanSourceFinder","last_synced_at":"2025-07-11T13:33:37.796Z","repository":{"id":46119392,"uuid":"424240848","full_name":"ariary/TrojanSourceFinder","owner":"ariary","description":"🔎    Help find Trojan Source vulnerability in code  👀 . Useful for code review in project with multiple collaborators (CI/CD)","archived":false,"fork":false,"pushed_at":"2023-12-06T07:46:53.000Z","size":2902,"stargazers_count":45,"open_issues_count":1,"forks_count":18,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-20T07:12:31.961Z","etag":null,"topics":["ci-cd","code-review","golang","scanner","security","trojan"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-03T13:46:09.000Z","updated_at":"2024-08-12T20:17:46.000Z","dependencies_parsed_at":"2024-06-20T13:04:32.983Z","dependency_job_id":"05c8be52-7da2-4454-a4ff-1df3e13bbbb9","html_url":"https://github.com/ariary/TrojanSourceFinder","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FTrojanSourceFinder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FTrojanSourceFinder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FTrojanSourceFinder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/ariary%2FTrojanSourceFinder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https://codeload.github.com/ariary/TrojanSourceFinder/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729818,"owners_count":17515171,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","code-review","golang","scanner","security","trojan"],"created_at":"2024-08-04T17:01:26.431Z","updated_at":"2024-11-21T12:30:48.623Z","avatar_url":"https://github.com/ariary.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eTrojanSourceFinder\u003c/h1\u003e\n\u003cdiv align=center\u003e\n\u003cimg src=https://github.com/ariary/TrojanSourceFinder/blob/main/img/tsf-logo2.png width=250\u003e\n\u003c/div\u003e\n\u003ch4 align=\"center\"\u003eTrojanSourceFinder helps developers detect \"Trojan Source\" vulnerability in source code.\u003c/h4\u003e\n\u003cp align=\"center\"\u003e\n  The Trojan Source vulnerability allows an attacker to make malicious code appear innocent.\n  In general, the attacker deceives reviewers by making malicious code visually pass for a comment. It is a serious threat because it concerns many languages. 
Projects with multiple \"untrusted\" contributors may be affected.\n  \u003cbr\u003e\u003cbr\u003e\n  \u003cstrong\u003e\n    \u003ca href=\"https://github.com/ariary/TrojanSourceFinder#detect-trojan-source\"\u003eDetect evil 🔎\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ariary/TrojanSourceFinder#visualize-trojan-source\"\u003eTrack evil 👀\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/ariary/TrojanSourceFinder/blob/main/TrojanSource.md\"\u003eTrojan Source ❓\u003c/a\u003e\n  \u003c/strong\u003e\n\u003c/p\u003e\n\n## Install\n### With `go`\n\n*\u003e Via `go install`*\n```shell\ngo install github.com/ariary/TrojanSourceFinder/cmd/tsfinder@latest\n```\nMake sure `$GOPATH` is in your `$PATH`\n\n*\u003e From source*\n```shell\ngit clone https://github.com/ariary/TrojanSourceFinder\ncd TrojanSourceFinder\nmake before.build\nmake build.tsfinder\n```\n\nIf the command `make build.tsfinder` fails, try (the environment variables must be on the same line as the build command so they apply to it):\n```shell\nenv GOOS=target-OS GOARCH=target-architecture go build -o tsfinder cmd/main.go\n```\n\n### With `curl`\n*\u003e From release*\n\n```shell\ncurl -LO https://github.com/ariary/TrojanSourceFinder/releases/latest/download/tsfinder \u0026\u0026 chmod +x tsfinder\n```\n\n## Detect Trojan Source\n*\u003e Helps detect Trojan Source (Unicode bidirectional characters) during manual code review or in CI/CD pipelines*\n\nTo detect Trojan Source in a file or directory *\\\u003cpath\\\u003e*:\n```shell\ntsfinder [path]\n```\n\n### Detect only in text files\n*\u003e Source code files are usually text files. Excluding binaries from the scan can help rule out false positives*\n\n```shell\ntsfinder -t [path]\n```\nAdd `-v` to see which files were skipped by the scan.\n\n### Go further *(Homoglyph)*\n\nTrojan Source is not new and isn't the only hazard. 
Another one is *\"Homoglyph\"*. (*[What is it?](https://github.com/ariary/TrojanSourceFinder/blob/main/TrojanSource.md#homoglyph)*)\n\ntsfinder helps detect them with the `homoglyph` command:\n```shell\ntsfinder homoglyph [filename] [flags]\n```\n\nYou can check whether there is a sibling (i.e. a word with the same \"skeleton\") for the homographs found in `path` using the `--sibling` flag:\n```shell\ntsfinder homoglyph [filename] --sibling [path]\n```\n*Functionality under development, mainly dependent on another project*\n\n## Visualize Trojan Source\n*\u003e Visualize how the code is really interpreted by machines/compilers*\n\n*tsfinder* is deliberately not very verbose. By default, it only produces output if Trojan Source code has been detected. To get more verbosity and **visualize the dangerous line, add the flag `-v`**.\n\nTo better see where Trojan Sources were, you can enable colored output with the `-c` flag (also useful for directory scans):\n```shell\ntsfinder -c -v \u003cdirectory\u003e\n```\n\n## Demo\n\n![demo](https://github.com/ariary/TrojanSourceFinder/blob/main/img/tsfinder-demo-trojansource.gif)\n\n### Homoglyph\n\n![demo](https://github.com/ariary/TrojanSourceFinder/blob/main/img/tsfinder-demo-homoglyph.gif)\n\n## Alternative\n\nAs mentioned by `@ioah86` [here](https://www.reddit.com/r/cybersecurity/comments/qlh5j9/my_take_on_trojan_source/), Trojan Source can also be detected with a grep one-liner.\n\nThe big difference is the output format and the exit status code (`tsfinder` exits with status code `0` if no Trojan Source has been found, `1` otherwise; the opposite for `grep`).\n\nAlso, this one-liner does not address the homoglyph issue.\n\n| Goal   |      `tsfinder`     |  `grep` one-liner |\n|:----------:|:-------------|:------|\n| Scan all files + show lines|  `tsfinder -v .` | `grep -arE $'(\\u2066\\|\\u2067\\|\\u2068\\|\\u202A\\|\\u202B\\|\\u202D\\|\\u202E\\|\\u202C\\|\\u2069\\|\\u200E\\|\\u200F\\|\\u061C\\|\\u2066\\|\\u2067\\|\\u2068)'` |\n| Scan only on 
human-readable files| `tsfinder -t .` | `grep -IrE $'(\\u2066\\|\\u2067\\|\\u2068\\|\\u202A\\|\\u202B\\|\\u202D\\|\\u202E\\|\\u202C\\|\\u2069\\|\\u200E\\|\\u200F\\|\\u061C\\|\\u2066\\|\\u2067\\|\\u2068)'`|\n|Exit with status code 1 if found|default|`[one-liner] \u0026\u0026 exit 1 \\|\\| exit 0`|\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2FTrojanSourceFinder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2FTrojanSourceFinder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2FTrojanSourceFinder/lists"}