Packages
sobelow
0.12.1
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
README.md
# Sobelow[](https://hex.pm/packages/sobelow)[](https://hexdocs.pm/sobelow/)[](https://hex.pm/packages/sobelow)[](https://hex.pm/packages/sobelow)[](https://github.com/nccgroup/sobelow/commits/master)Sobelow is a security-focused static analysis tool for Elixir & thePhoenix framework. For security researchers, it is a usefultool for getting a quick view of points-of-interest. Forproject maintainers, it can be used to prevent the introductionof a number of common vulnerabilities.Currently Sobelow detects some types of the followingsecurity issues:* Insecure configuration* Known-vulnerable Dependencies* Cross-Site Scripting* SQL injection* Command injection* Code execution* Denial of Service* Directory traversal* Unsafe serializationPotential vulnerabilities are flagged in different colorsaccording to confidence in their insecurity. High confidence isred, medium confidence is yellow, and low confidence is green.A finding is typically marked "low confidence" if it lookslike a function could be used insecurely, but it cannotreliably be determined if the function accepts user-suppliedinput. i.e. **If a finding is marked green, it *may* becritically insecure, but it will require greater manualvalidation.****Note:** This project is in constant development, andadditional vulnerabilities will be flagged as time goes on.If you encounter a bug, or would like to request additionalfeatures or security checks, please open an issue!## Table of Contents- [Installation](#installation) - [To Use](#to-use)- [Options](#options)- [Configuration Files](#configuration-files)- [False Positives](#false-positives)- [Modules](#modules)- [Umbrella Apps](#umbrella-apps)- [Updates](#updates)## InstallationTo use Sobelow, you can add it to your application's dependencies.```elixirdef deps do [ {:sobelow, "~> 0.12", only: [:dev, :test], runtime: false} ]end```You can also install Sobelow globally by executing the followingfrom the command line: $ mix escript.install hex sobelowTo install from the master branch, rather than the latest release,the following command can be used: $ mix escript.install github nccgroup/sobelow### To UseAfter installation, the simplest way to scan a Phoenix project is to run thefollowing from the project root: $ mix sobelow## Options**Note:** Any path arguments should be absolute paths, orrelative to the application root. * `--root` or `-r` - Specify the application root directory. Accepts a path argument, e.g. `../my_project`. * `--verbose` or `-v` - Print code snippets and additional finding details. * `--ignore` or `-i` - Ignore given finding types. Accepts a comma-separated list of module names, e.g. `XSS.Raw,Traversal`. * `--ignore-files` - Ignore files. Accepts a comma-separated list of file names, e.g. `config/prod.exs`. * `--details` or `-d` - Get finding-type details. Accepts a single module name, e.g. `Config.CSRF`. * `--all-details` - Get details of all finding-types. * `--private` - Skip update checks. * `--router` - Specify router location. This only needs to be used if the router location is non-standard. Accepts a path argument, e.g. `my/strange/router.ex`. * `--exit` - Return non-zero exit status at or above a confidence threshold of `low`, `medium`, or `high`. Defaults to `false` which returns a zero exit status * `--threshold` - Return findings at or above a confidence level of `low` (default), `medium`, or `high`. * `--format` or `-f` - Specify findings output format. Accepts a format, e.g. `txt` or `json`. Note that options such as `--verbose` will not work with the `json` format. All `json` formatted findings contain a `type`, `file`, and `line` key. Other keys may vary. * `--quiet` - Return a single line indicating number of findings. Otherwise, return no output if there are no findings. * `--compact` - Minimal, single-line findings with output colorised according to confidence. * `--flycheck` - Minimal, single-line findings that are compatible with flycheck-based tooling. * `--save-config` - Generates a configuration file based on command line options. See [Configuration Files](#configuration-files) for more information. * `--config` - Run Sobelow with configuration file. See [Configuration Files](#configuration-files) for more information. * `--mark-skip-all` - Mark all displayed findings as skippable. * `--clear-skip` - Clear configuration created by `--mark-skip-all`. * `--skip` - Ignore findings that have been marked for skipping. See [False Positives](#false-positives) for more information. * `--version` - Outputs the current version of Sobelow. This is useful for CI steps or integration with other tools like [Salus](https://github.com/coinbase/salus).## Configuration FilesSobelow allows users to save frequently used options in aconfiguration file. For example, if you find yourself constantlyrunning: $ mix sobelow -i XSS.Raw,Traversal --verbose --exit LowYou can use the `--save-config` flag to create your `.sobelow-conf`config file: $ mix sobelow -i XSS.Raw,Traversal --verbose --exit Low --save-configThis command will create the `.sobelow-conf` file at the rootof your application. You can edit this file directly to makechanges.You can also run the command without any options: $ mix sobelow --save-configwhen you first start out using this package - the generated configuration filewill be populated with the default values for each option. (This helps inquickly incorporating this package into a pre-existing codebase.)Now if you want to run Sobelow with the saved configuration,you can run Sobelow with the `--config` flag. $ mix sobelow --config## False PositivesSobelow favors over-reporting versus under-reporting. As such,you may find a number of false positives in a typical scan.These findings may be individually ignored by adding a`# sobelow_skip` comment, along with a list of modules, beforethe function definition.```elixir# sobelow_skip ["Traversal"]def vuln_func(...) do ...end```When integrating Sobelow into a new project, there can be alarge number of false positives. To mark all printed findingsas false positives, run sobelow with the `--mark-skip-all` flag.Once you have tagged the appropriate findings, runSobelow with the `--skip` flag. $ mix sobelow --skipWhile `# sobelow_skip` comments can only mark function-levelfindings (and so cannot be used to skip configuration issues),the `--mark-skip-all` flag can be used to skip any findingtype.## ModulesFindings categories are broken up into modules. These modulescan then be used to either ignore classes of findings (via the`ignore` and `skip` options) or to get vulnerability details (via the`details` option).This list, and other helpful information, can be found on thecommand line: $ mix help sobelow ## Umbrella AppsIn order to run Sobelow against all child apps within an umbrella app with a single command, you can add an alias for sobelow in your root `mix.exs` file:```elixirdefp aliases do [ sobelow: ["cmd mix sobelow"] ]end```If you wish to use configuration files in an umbrella app, create a `.sobelow-conf` in each child application and use the `--config` flag.## UpdatesWhen scanning a project, Sobelow will occasionally check forupdates, and will print an alert if a new version is available.Sobelow keeps track of the last update-check by creating a`.sobelow` file in the root of the scanned project.If this functionality is not desired, the `--private` flag canbe used with the scan.