LvMalware/zarn

This branch is 34 commits ahead of, 2 commits behind htrgouvea/zarn:main.

Latest commit b5018cb · Jan 4, 2025
ZARN

A lightweight static code security analysis for Modern Perl Applications



Summary

Zarn identifies possible vulnerabilities through static analysis: each file is parsed into an AST to recognize tokens that present risk, and a taint-tracking pass is then run to confirm whether each finding is exploitable or not, that is, whether a malicious agent is able to target the method in question.

Currently, Zarn performs single-file context analysis, which means it cannot identify vulnerabilities that are not directly related to the file being analyzed. In the future we plan to implement call-graph analysis to identify vulnerabilities that span more than one file.

You can read the full publication about Zarn: "A lightweight static security analysis tool for modern Perl Apps".


Download and install

# Download
$ git clone https://github.com/htrgouvea/zarn && cd zarn
    
# Install libs dependencies
$ sudo cpanm --installdeps .

Example of use

$ perl zarn.pl --rules rules/quick-wins.yml --source ../nozaki --sarif report.sarif

[warn] - FILE:../nozaki/lib/Functions/Helper.pm          Potential: Timing Attack.
[vuln] - FILE:../nozaki/lib/Engine/Orchestrator.pm       Potential: Path Traversal.
[vuln] - FILE:../nozaki/lib/Engine/Orchestrator.pm       Potential: Path Traversal.
[warn] - FILE:../nozaki/lib/Engine/FuzzerThread.pm       Potential: Timing Attack.

Rules example

rules:
  - id: '0001'
    category: info
    name: Debug module enabled
    message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
    sample:
      - Dumper
  - id: '0002'
    category: vuln
    name: Code Injection
    message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
    sample:
      - system
      - eval
      - exec
      - qx
  - id: '0003'
    category: vuln
    name: Path Traversal
    message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
    sample:
      - open
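To make the two-stage approach from the Summary concrete with the rules above, here is an added Python model; it is not Zarn's code (which is Perl) nor its real matching or taint logic. Rule tokens are matched line by line, and a finding keeps the rule's category only when a variable derived from an assumed taint source reaches the call; the taint-source list, the line-based parsing and the sample Perl input are all constructed for this illustration.

```python
import re

# Rules 0002 and 0003 from the README example, as a Python structure (Zarn reads YAML).
RULES = [
    {"id": "0002", "category": "vuln", "name": "Code Injection",
     "sample": ["system", "eval", "exec", "qx"]},
    {"id": "0003", "category": "vuln", "name": "Path Traversal", "sample": ["open"]},
]
# Assumed taint sources (an assumption for this model, not Zarn's list).
TAINT_SOURCES = re.compile(r"\$ARGV\b|\@ARGV\b|<STDIN>|\$ENV\{|->param\(")
ASSIGN = re.compile(r"^\s*(?:my\s+)?\$(\w+)\s*=\s*(.*)$")

def uses_tainted(text, tainted):
    return any(re.search(rf"\${v}\b", text) for v in tainted)  # tainted scalar in text?

def scan(source):
    """Stage 1: match rule tokens per line. Stage 2: keep the rule's category only
    when a tainted variable reaches the call, else 'warn' (modelling the [warn]/[vuln]
    split in the README output). Returns (line, rule id, rule name, severity)."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]            # drop trailing comments (naive)
        m = ASSIGN.match(code)
        if m:                                   # propagate taint through assignments
            var, rhs = m.groups()
            if TAINT_SOURCES.search(rhs) or uses_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)            # reassigned from a clean value
        for rule in RULES:
            for token in rule["sample"]:
                call = re.search(rf"\b{token}\b\s*\(?([^;]*)", code)
                if call:
                    sev = rule["category"] if uses_tainted(call.group(1), tainted) else "warn"
                    findings.append((lineno, rule["id"], rule["name"], sev))
    return findings

# Constructed sample Perl input (not from the page).
SAMPLE = """use strict;
my $file = $ARGV[0];
open(my $fh, '<', $file) or die "cannot open: $!";
my $cmd = "ls -la";
system($cmd);
my $name = $ENV{USER};
my $greeting = "hello $name";
system("echo $greeting");
"""
if __name__ == "__main__":
    for lineno, rid, name, sev in scan(SAMPLE):
        print(f"[{sev}] - LINE:{lineno}  Potential: {name}. (rule {rid})")
```

Running it reports the `open` on line 3 and the second `system` as `vuln` because their arguments trace back to `@ARGV` and `%ENV`, while the first `system` call, whose argument is a constant, is downgraded to `warn`.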

Github Actions

name: ZARN SAST

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "28 23 * * 1"

jobs:
  zarn:
    name: Security Static Analysis with ZARN
    runs-on: ubuntu-20.04
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Perform Static Analysis
      uses: htrgouvea/[email protected]

    - name: Send result to Github Security
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: result.sarif

Contribution

Your contributions and suggestions are heartily ♥ welcome. See here the contribution guidelines. Please report bugs via the issues page and, for security issues, see here the security policy. (✿ ◕‿◕) This project follows this style guide: https://github.com/htrgouvea/perl-style-guide.


License

This work is licensed under MIT License.
