Packages
sobelow
0.2.3
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
README.md
# Sobelow
Sobelow is a security-focused static analysis tool for the
Phoenix framework. For security researchers, it is a useful
tool for getting a quick view of points-of-interest. For
project maintainers, it can be used to prevent introducing a
number of common vulnerabilities.
Currently Sobelow detects some types of the following
security issues:
* Insecure configuration
* Cross-Site Scripting
* SQL injection
* Command injection
* Directory traversal
* Unsafe serialization
Potential vulnerabilities are flagged in different colors
according to confidence in their insecurity. High confidence is
red, medium confidence is yellow, and low confidence is green.
A finding is typically marked "low confidence" if it looks
like a function could be used insecurely, but it cannot
reliably be determined if the function accepts user-supplied
input. That is to say, green findings are not secure, they
just require greater manual validation.
**Note:** This project is in constant development, and
additional vulnerabilities will be flagged as time goes on.
If you encounter a bug, or would like to request additional
features or security checks, please open an issue!
## Installation
To install Sobelow, you must have a working Elixir environment.
Then, execute the following from the command line:
$ mix archive.install https://github.com/nccgroup/sobelow/raw/master/sobelow.ez
## Use
The simplest way to scan a Phoenix project is to run the
following from the project root:
$ mix sobelow
## Options
* `--root -r` - Specify application root directory
* `--with-code -v` - Print vulnerable code snippets
* `--ignore -i` - Ignore modules
* `--details -d` - Get module details
* `--all-details` - Get all module details
* `--private` - Skip update checks
The `root` option takes a path argument:
$ mix sobelow --root ../my_project
The `with-code` option takes no arguments:
$ mix sobelow --with-code
The `ignore` option takes a comma-separated list of modules:
$ mix sobelow -i XSS.Raw,Traversal
The `details` option takes a single module:
$ mix sobelow -d Config.CSRF
## Modules
Findings categories are broken up into modules. These modules
can then be used to either ignore classes of findings (via the
`ignore` option) or to get vulnerability details (via the
`details` option).
The following is the current list of supported modules:
* XSS
* XSS.Raw
* XSS.SendResp
* SQL
* SQL.Inject
* Config
* Config.CSRF
* Config.HTTPS
* Config.Secrets
* Traversal
* Traversal.SendFile
* Traversal.FileModule
* Misc
* Misc.BinToTerm
* CI
* CI.System
* CI.OS
This list (and other helpful information), can also be found
on the command line:
$ mix help sobelow
## Updates
When scanning a project, Sobelow will occasionally check for
updates, and will print an alert if a new version is available.
Sobelow keeps track of the last update-check by creating a
`.sobelow` file in the root of the scanned project.
If this functionality is not desired, the `--private` flag can
be used with the scan.
$ mix sobelow --private