Skip to content

proposal.md

Latest commit

 

History

History
49 lines (41 loc) · 3.09 KB

proposal.md

File metadata and controls

49 lines (41 loc) · 3.09 KB

Proposal for Static Analyzer

Introduction

This project aims to build a static analyzer that automatically detects common security issues in Go code. Our tool will focus on identifying insecure code patterns, such as hardcoded credentials, usage of insecure HTTP URLs, and potential command injection vulnerabilities.

Problem Statement

As part of our engineering team, we identified a need for improved security practices in our Go codebase. Many security vulnerabilities arise from simple mistakes like hardcoded credentials or insecure URL usage. Without proper detection, these vulnerabilities can lead to data breaches and compromise system integrity. Our goal is to create a tool that helps engineers automatically identify these problems before code is deployed.

Solution

The proposed solution is a static analysis tool that scans Go code repositories for known insecure patterns. The tool will:

  1. Clone Go repositories to be analyzed.
  2. Use static analysis techniques to parse and inspect code files.
  3. Detect insecure patterns such as hardcoded credentials, insecure HTTP URLs, and command injection.
  4. Output detailed reports listing the vulnerabilities found.

Key Features

  • Cloning Repositories: Automatically fetches the latest 10 repositories from a specified GitHub user or organization.
  • Code Parsing and Analysis: Leverages the Go ast package to parse code files and inspect the abstract syntax tree.
  • Pattern Detection: Identifies insecure patterns through specific checks:
    • Hardcoded credentials: Looks for suspicious patterns in string literals.
    • Insecure HTTP URLs: Flags HTTP URLs in network requests.
    • Command injection: Flags the usage of functions that execute shell commands.

Implementation Plan

  1. Repository Cloning: Develop a module to clone GitHub repositories using the GitHub API.
  2. Code Parsing: Use Go's ast and token packages to parse Go files.
  3. Pattern Detection: Implement logic to identify specific patterns in the code.
  4. Output Reporting: Generate human-readable reports for each identified issue.
  5. Testing: Ensure the analyzer accurately identifies vulnerabilities by testing it against compromised repositories.

Deliverables

  1. A command-line tool named static-analyzer.
  2. A final report listing the findings across analyzed repositories.
  3. A test repository with known vulnerabilities to validate the analyzer.

Conclusion

This static analyzer will empower engineers to improve the security of their Go code by providing automated checks for common vulnerabilities. By proactively identifying issues, our tool will help minimize security risks, contributing to safer and more reliable applications.

Project Tracker

  • Builds, installs and executes successfully
  • B or higher on Go Report Card
  • Incorporates an external API or package
  • Persists data in a file or a database
  • README contains description
  • README contains screenshot OR install instructions
  • README contains example of how to use the program
  • 2 or more table-driven tests
  • 1 or more benchmark tests
  • All tests pass