Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it gives a quick view of points of interest in a code base. For project maintainers, it helps prevent a number of common vulnerabilities from being introduced.
Currently Sobelow detects some types of the following security issues:
+ Insecure configuration
+ Known-vulnerable dependencies
+ Cross-site scripting
+ SQL injection
+ Command injection
+ Denial of service
+ Directory traversal
+ Unsafe serialization
Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.
A finding is typically marked "low confidence" when a function looks like it could be used insecurely, but it cannot reliably be determined whether that function receives user-supplied input. In other words, green findings are not known to be secure; they simply need more manual validation than red or yellow ones.
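The following Phoenix controller is an added example, not code from the Sobelow project or its README. It shows the SQL injection category next to the confidence rule described above: the same string interpolation once with a visible user-input source (request params), once with an argument whose origin cannot be seen from the function alone, and once in a hardened, parameterized form. The module, repo and table names (MyAppWeb.UserController, MyApp.Repo, users) are assumptions; which color Sobelow actually assigns to each pattern is determined by its checks, not by this example.

```elixir
# Added example, not part of Sobelow. Module, repo and table names are
# assumptions chosen for illustration. Requires Phoenix and Ecto SQL.
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  alias MyApp.Repo

  # User input (a request param) is interpolated directly into the SQL
  # text, so a request with ?name=x' OR '1'='1 rewrites the WHERE clause.
  # The input source is visible in the function head, which is the
  # high-confidence shape of the finding by the rule in the text above.
  def show_unsafe(conn, %{"name" => name}) do
    {:ok, result} =
      Repo.query("SELECT id, name FROM users WHERE name = '#{name}'")

    json(conn, %{rows: result.rows})
  end

  # Same interpolation, but `name` is a plain function argument. From this
  # function alone a static tool cannot tell whether callers pass user
  # input, which is what "low confidence" means: not known to be safe,
  # and a human has to trace the call sites.
  def lookup_by_name(name) do
    Repo.query("SELECT id, name FROM users WHERE name = '#{name}'")
  end

  # Hardened form: the value is passed as a bound parameter ($1, the
  # PostgreSQL placeholder syntax) and never becomes part of the SQL
  # text, so quotes or keywords in the input cannot change the statement.
  def show(conn, %{"name" => name}) do
    {:ok, result} =
      Repo.query("SELECT id, name FROM users WHERE name = $1", [name])

    json(conn, %{rows: result.rows})
  end
end
```

When reviewing a green finding of this shape, the manual step is to follow `lookup_by_name/1` back to its callers and check whether any of them hand it a value taken from `conn.params`, headers, or another request-controlled source; if one does, the finding is as serious as the red one.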
Note: This project is in constant development, and additional vulnerabilities will be flagged as time goes on. If you encounter a bug, or would like to request additional features or security checks, please open an issue!
Requirements:
+ Elixir v1.4 or higher
Use and Installation:
Install the archive from Hex:
mix archive.install hex sobelow
Or install the latest version from GitHub:
mix archive.install github nccgroup/sobelow
Then print the task's usage and options:
mix help sobelow