{"id":13393218,"url":"https://github.com/nccgroup/sobelow","last_synced_at":"2025-04-29T23:41:59.153Z","repository":{"id":37677890,"uuid":"91115786","full_name":"nccgroup/sobelow","owner":"nccgroup","description":"Security-focused static analysis for the Phoenix Framework","archived":false,"fork":false,"pushed_at":"2024-08-20T20:05:42.000Z","size":1395,"stargazers_count":1684,"open_issues_count":29,"forks_count":95,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-10-29T11:16:15.192Z","etag":null,"topics":["elixir","phoenix-framework","security","static-analysis"],"latest_commit_sha":null,"homepage":"","language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-12T17:44:17.000Z","updated_at":"2024-10-26T16:05:31.000Z","dependencies_parsed_at":"2022-07-12T16:42:57.668Z","dependency_job_id":"c913b0b3-c11b-49af-94ca-da70c0f553c1","html_url":"https://github.com/nccgroup/sobelow","commit_stats":{"total_commits":556,"total_committers":37,"mean_commits":"15.027027027027026","dds":0.2553956834532374,"last_synced_commit":"b47ad2fbdda03894dfc4e72d635c52e9a6540832"},"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fsobelow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fsobelow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fsobelow/release
s","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fsobelow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/nccgroup/sobelow/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247927406,"owners_count":21019526,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elixir","phoenix-framework","security","static-analysis"],"created_at":"2024-07-30T17:00:46.632Z","updated_at":"2025-04-08T21:18:17.078Z","avatar_url":"https://github.com/nccgroup.png","language":"Elixir","readme":"# Sobelow\n\n[![Module Version](https://img.shields.io/hexpm/v/sobelow.svg)](https://hex.pm/packages/sobelow)\n[![Hex Docs](https://img.shields.io/badge/hex-docs-lightgreen.svg)](https://hexdocs.pm/sobelow/)\n[![Total Download](https://img.shields.io/hexpm/dt/sobelow.svg)](https://hex.pm/packages/sobelow)\n[![License](https://img.shields.io/hexpm/l/sobelow.svg)](https://hex.pm/packages/sobelow)\n[![Last Updated](https://img.shields.io/github/last-commit/nccgroup/sobelow.svg)](https://github.com/nccgroup/sobelow/commits/master)\n\nSobelow is a security-focused static analysis tool for Elixir \u0026 the\nPhoenix framework. For security researchers, it is a useful\ntool for getting a quick view of points-of-interest. 
For\nproject maintainers, it can be used to prevent the introduction\nof a number of common vulnerabilities.\n\nCurrently Sobelow detects some types of the following\nsecurity issues:\n\n* Insecure configuration\n* Known-vulnerable Dependencies\n* Cross-Site Scripting\n* SQL injection\n* Command injection\n* Code execution\n* Denial of Service\n* Directory traversal\n* Unsafe serialization\n\nPotential vulnerabilities are flagged in different colors\naccording to confidence in their insecurity. High confidence is\nred, medium confidence is yellow, and low confidence is green.\n\nA finding is typically marked \"low confidence\" if it looks\nlike a function could be used insecurely, but it cannot\nreliably be determined if the function accepts user-supplied\ninput. i.e. **If a finding is marked green, it *may* be\ncritically insecure, but it will require greater manual\nvalidation.**\n\n**Note:** This project is in constant development, and\nadditional vulnerabilities will be flagged as time goes on.\nIf you encounter a bug, or would like to request additional\nfeatures or security checks, please open an issue!\n\n## Table of Contents\n- [Installation](#installation)\n  - [To Use](#to-use)\n- [Options](#options)\n- [Configuration Files](#configuration-files)\n- [False Positives](#false-positives)\n- [Modules](#modules)\n- [Umbrella Apps](#umbrella-apps)\n- [Updates](#updates)\n\n## Installation\n\nTo use Sobelow, you can add it to your application's dependencies.\n\n```elixir\ndef deps do\n  [\n    {:sobelow, \"~\u003e 0.13\", only: [:dev, :test], runtime: false}\n  ]\nend\n```\n\nYou can also install Sobelow globally by executing the following\nfrom the command line:\n\n    $ mix escript.install hex sobelow\n\nTo install from the master branch, rather than the latest release,\nthe following command can be used:\n\n    $ mix escript.install github nccgroup/sobelow\n\n### To Use\n\nAfter installation, the simplest way to scan a Phoenix project is to run the\nfollowing 
from the project root:\n\n    $ mix sobelow\n\n## Options\n\n**Note:** Any path arguments should be absolute paths, or\nrelative to the application root.\n\n  * `--root` or `-r` - Specify the application root directory.\n  Accepts a path argument, e.g. `../my_project`.\n\n  * `--verbose` or `-v` - Print code snippets and additional\n  finding details.\n\n  * `--ignore` or `-i` - Ignore given finding types. Accepts a\n  comma-separated list of module names, e.g. `XSS.Raw,Traversal`.\n\n  * `--ignore-files` - Ignore files. Accepts a comma-separated\n  list of file names, e.g. `config/prod.exs`.\n\n  * `--details` or `-d` - Get finding-type details. Accepts a\n  single module name, e.g. `Config.CSRF`.\n\n  * `--all-details` - Get details of all finding-types.\n\n  * `--private` - Skip update checks.\n\n  * `--router` - Specify router location. This only needs to be\n  used if the router location is non-standard. Accepts a path\n  argument, e.g. `my/strange/router.ex`.\n\n  * `--exit` - Return non-zero exit status at or above a confidence\n  threshold of `low`, `medium`, or `high`. Defaults to `false`, which returns a zero exit status.\n\n  * `--threshold` - Return findings at or above a confidence level\n  of `low` (default), `medium`, or `high`.\n\n  * `--format` or `-f` - Specify findings output format. Accepts a format,\n  e.g. `txt` or `json`.\n\n      Note that options such as `--verbose` will not work with the `json` format.\n      All `json` formatted findings contain a `type`, `file`, and `line` key.\n      Other keys may vary.\n\n  * `--quiet` - Return a single line indicating the number of findings.\n  Otherwise, return no output if there are no findings.\n\n  * `--compact` - Minimal, single-line findings with output colorised\n  according to confidence.\n\n  * `--flycheck` - Minimal, single-line findings that are compatible\n  with flycheck-based tooling.\n\n  * `--save-config` - Generates a configuration file based on command\n  line options. 
See [Configuration Files](#configuration-files) for more\n  information.\n\n  * `--config` - Run Sobelow with configuration file. See [Configuration Files](#configuration-files)\n  for more information.\n\n  * `--mark-skip-all` - Mark all displayed findings as skippable.\n\n  * `--clear-skip` - Clear configuration created by `--mark-skip-all`.\n\n  * `--skip` - Ignore findings that have been marked for skipping. See [False Positives](#false-positives)\n  for more information.\n\n  * `--version` - Outputs the current version of Sobelow. This is useful for CI steps or integration with other tools like [Salus](https://github.com/coinbase/salus).\n\n## Configuration Files\nSobelow allows users to save frequently used options in a\nconfiguration file. For example, if you find yourself constantly\nrunning:\n\n    $ mix sobelow -i XSS.Raw,Traversal --verbose --exit Low\n\nYou can use the `--save-config` flag to create your `.sobelow-conf`\nconfig file:\n\n    $ mix sobelow -i XSS.Raw,Traversal --verbose --exit Low --save-config\n\nThis command will create the `.sobelow-conf` file at the root\nof your application. You can edit this file directly to make\nchanges.\n\nYou can also run the command without any options:\n\n    $ mix sobelow --save-config\n\nwhen you first start out using this package - the generated configuration file\nwill be populated with the default values for each option. (This helps in\nquickly incorporating this package into a pre-existing codebase.)\n\nNow if you want to run Sobelow with the saved configuration,\nyou can run Sobelow with the `--config` flag.\n\n    $ mix sobelow --config\n\n## False Positives\nSobelow favors over-reporting versus under-reporting. As such,\nyou may find a number of false positives in a typical scan.\nThese findings may be individually ignored by adding a\n`# sobelow_skip` comment, along with a list of modules, before\nthe function definition.\n\n```elixir\n# sobelow_skip [\"Traversal\"]\ndef vuln_func(...) 
do\n  ...\nend\n```\n\nWhen integrating Sobelow into a new project, there can be a\nlarge number of false positives. To mark all printed findings\nas false positives, run Sobelow with the `--mark-skip-all` flag.\n\nOnce you have tagged the appropriate findings, run\nSobelow with the `--skip` flag.\n\n    $ mix sobelow --skip\n\nWhile `# sobelow_skip` comments can only mark function-level\nfindings (and so cannot be used to skip configuration issues),\nthe `--mark-skip-all` flag can be used to skip any finding\ntype.\n\n## Modules\nFinding categories are broken up into modules. These modules\ncan then be used to either ignore classes of findings (via the\n`ignore` and `skip` options) or to get vulnerability details (via the\n`details` option).\n\nThis list, and other helpful information, can be found on the\ncommand line:\n\n    $ mix help sobelow\n\n## Umbrella Apps\n\nIn order to run Sobelow against all child apps within an umbrella app with a single command, you can add an alias for sobelow in your root `mix.exs` file:\n\n```elixir\ndefp aliases do\n  [\n    sobelow: [\"cmd mix sobelow\"]\n  ]\nend\n```\n\nIf you wish to use configuration files in an umbrella app, create a `.sobelow-conf` in each child application and use the `--config` flag.\n\n## Updates\nWhen scanning a project, Sobelow will occasionally check for\nupdates, and will print an alert if a new version is available.\nSobelow keeps track of the last update-check by creating a\n`.sobelow` file in the root of the scanned project.\n\nIf this functionality is not desired, the `--private` flag can\nbe used with the scan.\n","funding_links":[],"categories":["Tools","Elixir","Security","Specific Targets","Development","Static Analyzers","Phoenix","Programming Languages"],"sub_categories":["Network vulnerability scanners",
"Phoenix","Programming","Penetration Testing Report Templates","blog","Social Engineering Tools","Network Vulnerability Scanners"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fsobelow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Fsobelow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fsobelow/lists"}