Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green. A finding is typically marked "low confidence" if it looks like a function could be used insecurely, but it cannot reliably be determined if the function accepts user-supplied input. That is to say, if a finding is marked green, it may be critically insecure, but it will require greater manual validation. This project is in constant development, and additional vulnerabilities will be flagged as time goes on. If you encounter a bug, or would like to request additional features or security checks, please open an issue!
Features
- Any path arguments should be absolute paths, or relative to the application root
- Sobelow favors over-reporting versus under-reporting
- Findings categories are broken up into modules
- You can install Sobelow globally
- To use Sobelow, you can add it to your application's dependencies
- Potential vulnerabilities are flagged in different colors according to confidence in their insecurity