Security-focused static analysis for the Phoenix Framework.
Source: https://github.com/nccgroup/sobelow
Documentation: https://hexdocs.pm/sobelow
Twitter: @sobelow_scanner
- `credo` warnings
- `credo` “Code Readability” adjustments
- `credo` refactoring opportunities
- `--details` / `-d` not displaying correct information
- `mix credo --strict` to project
- `mix test.all` alias
- `:castore` and introduced `:verify_none` to quiet warning and unblock escript usage, see #133 for more context on why this is necessary
- `:castore` to remove upgrade path issues
- `:verify_peer` to actually use CAStore and remove warning
- `--version` CLI flag
- `-v, --verbose` printing to not use the now deprecated `Macro.to_string/2`
- `--flycheck` output to align with expected format
- `--out` flag
- `--strict` flag, which throws compilation errors instead of suppressing them.

The biggest change this version is GitHub action integration. See the action repo for more details.
- `--flycheck` flag, which reverses output of `--compact`
- `mix escript.install hex sobelow`
- `.config` case

Sobelow now stores `--mark-skip-all` data in the “.sobelow-skips” file in the root of your application.
If you have previously used this functionality, simply rename your “.sobelow” file to “.sobelow-skips”.
Notes:
- `--mark-skip-all`
Sobelow occasionally checks for updates. Historically, it has stored a timestamp in the root of your application in the .sobelow file. You’ve likely noticed, and maybe even added it to .gitignore.
However, with v0.9.0, Sobelow got some much needed improvement to the false positive management. This functionality also uses .sobelow, so you might not want to ignore the file anymore.
To address these changes, the update timestamp has been moved to a global config file inside ~/.sobelow. You also will no longer have an annoying .sobelow file to ignore if you aren’t managing false positives. Yay!
This should not be a breaking change. And, as always, you can opt-out of the update check entirely using the `--private` flag.
Notes:
- `--mark-skip-all` only

Here’s an update with some small but important improvements!
Notes:
- `send_download` correctly flags aliased function calls
- `send_download` now correctly flags piped functions

This is another small update addressing an error you are unlikely to have run into!
Notes:
- Recursive umbrella scans introduced a bug, and have been temporarily reverted.
The full release notes can be found below:
Sobelow has better support for managing false positives. Adding the `--mark-skip-all` flag to any scan will now mark all displayed findings as skippable. For large or complex projects with a high number of false positives, this should massively improve the experience of integrating Sobelow into your CI/CD pipeline.
Below is a demo of this new feature where we take the following steps:
- `--ignore` the CSP finding to hide it from output, and add the `--mark-skip-all` flag.
- `--skip` flag to hide skipped findings.

Metadata about skipped findings is stored in the .sobelow file at the root of your project. If you decide you no longer want to have your findings skipped, you can clear this data with the `--clear-skip` flag.
Less visible, but equally important, this update also comes with new CSRF checks, the ability to run Sobelow from the root of an umbrella app, bug fixes, and a handful of internal improvements!
NOTE You may need to uninstall previous versions of Sobelow for your update to succeed.
The full release notes can be found below:
- `--mark-skip-all` and `--clear-skip` flags

The output for Sobelow has been improved, and is now more consistent across findings. If you are using the JSON output format, you will find that all findings now have three common keys, `type`, `file` and `line`. Some findings may have additional keys, but all are guaranteed to have these three.
Line output has been changed across the board, and now points directly to vulnerable function calls, rather than to the containing function. Where appropriate, this information is preserved in an additional header. For example, in Sobelow v0.7.8, a directory traversal finding would look something like the following:
Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex - index:4
Variable: input
def(index(conn, %{"input" => input})) do
text(conn, File.read!(input))
end
This has been updated and improved for Sobelow v0.8.0.
Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex
Line: 5
Function: index:4
Variable: input
def(index(conn, %{"input" => input})) do
text(conn, File.read!(input))
end
The full release notes can be found below:
- `type`, `file`, and `line` keys

Sobelow now supports a `--threshold` flag. This can be used to filter out low-confidence findings, and may be especially useful in a CI pipeline. This flag accepts a threshold of low (default), medium, or high, and will only show findings that meet or exceed that confidence level. For example, to only see medium and high-confidence findings, run the following:
$ mix sobelow --threshold medium
Although this flag can be useful, be sure to continue validating low-confidence findings which may pose security issues.
This update also brings the first of several changes to scan outputs. In particular, finding module names are now included in the description, which should simplify the use of flags that take a module name as input.
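As an added example (not Sobelow's own code), the following script parses the v0.8.0+ text report layout shown above, where the module name leads the description and each finding carries File/Line/Function/Variable lines, and applies the same meet-or-exceed rule as `--threshold`, so a CI job can keep low-confidence findings in the log while only higher ones gate the build. The sample report is constructed and the header/metadata layout it assumes is taken from the example on this page.

```python
import re
from dataclasses import dataclass, field

# Ranking behind --threshold: keep a finding when its confidence meets or exceeds it.
CONFIDENCE = {"low": 0, "medium": 1, "high": 2}

# v0.8.0+ finding header, with the module name leading the description, e.g.
# "Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence"
HEADER = re.compile(r"^(?P<type>[A-Za-z.]+): (?P<desc>.+) - (?P<conf>Low|Medium|High) Confidence$")
META = re.compile(r"^(?P<key>File|Line|Function|Variable): (?P<value>.+)$")

@dataclass
class Finding:
    type: str
    description: str
    confidence: str
    meta: dict = field(default_factory=dict)

def parse_findings(report):
    """Turn a text report into Finding records; snippet and blank lines are ignored."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            findings.append(Finding(m["type"], m["desc"], m["conf"].lower()))
        elif findings and (m := META.match(line)):
            findings[-1].meta[m["key"].lower()] = m["value"]
    return findings

def apply_threshold(findings, threshold="low"):
    """Mirror --threshold: keep findings whose confidence meets or exceeds it."""
    floor = CONFIDENCE[threshold]
    return [f for f in findings if CONFIDENCE[f.confidence] >= floor]

# Constructed sample (assumption, not real scanner output); the first finding is the
# page's own v0.8.0 example, the low-confidence CSP finding is made up.
SAMPLE = """\
Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex
Line: 5
Function: index:4
Variable: input

def(index(conn, %{"input" => input})) do
  text(conn, File.read!(input))
end
Config.CSP: Missing Content-Security-Policy - Low Confidence
File: lib/phoenix_internals_web/router.ex
Line: 11
"""
```

Running `apply_threshold(parse_findings(SAMPLE), "medium")` keeps only the traversal finding, matching what `mix sobelow --threshold medium` would display.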
Finally, the full update contents can be found below:
- `--threshold` flag