Sobelow

Security-focused static analysis for the Phoenix Framework.

Source: https://github.com/nccgroup/sobelow
Documentation: https://hexdocs.pm/sobelow
Twitter: @sobelow_scanner

Changelog

v0.8.0

The output for Sobelow has been improved, and is now more consistent across findings. If you are using the JSON output format, you will find that all findings now have three common keys, type, file and line. Some findings may have additional keys, but all are guaranteed to have these three.

Line output has been changed across the board, and now points directly to vulnerable function calls, rather than to the containing function. Where appropriate, this information is preserved in an additional header. For example, in Sobelow v0.7.8, a directory traversal finding would look something like the following:

Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex - index:4
Variable: input

def(index(conn, %{"input" => input})) do
  text(conn, File.read!(input))
end

This has been updated and improved for Sobelow v0.8.0.

Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex
Line: 5
Function: index:4
Variable: input

def(index(conn, %{"input" => input})) do
  text(conn, File.read!(input))
end

The full release notes can be found below:

  • Enhancements
    • Improve output consistency
      • All JSON findings contain type, file, and line keys
      • “Line” output now refers directly to the vulnerable line
      • Default output headers have been normalized

v0.7.8

Sobelow now supports a --threshold flag. This can be used to filter out low-confidence findings, and may be especially useful in a CI pipeline. This flag accepts a threshold of low (default), medium, or high, and will only show findings that meet or exceed that confidence level. For example, to only see medium and high-confidence findings, run the following:

$ mix sobelow --threshold medium

Although this flag can be useful, be sure to keep validating low-confidence findings as well, since they may still represent real security issues.
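As an added example (not Sobelow's own code), here is a small Python CI gate that consumes the JSON output described above, checks that every finding carries the three guaranteed keys, and applies the same confidence threshold as the --threshold flag so the pipeline can fail on medium and high findings while still recording the low ones. The sample report is constructed, and the grouping of findings under high/medium/low "_confidence" keys is an assumption about the JSON format rather than something this changelog states.

```python
import json

# Constructed sample report in the v0.8.0 shape described above: each finding
# has "type", "file" and "line" (plus optional extras such as "variable").
# Grouping under "<level>_confidence" keys is an assumption about the format.
SAMPLE_REPORT = """{
  "findings": {
    "high_confidence": [
      {"type": "Traversal.FileModule: Directory Traversal in `File.read!`",
       "file": "lib/phoenix_internals_web/controllers/page_controller.ex",
       "line": 5, "variable": "input"}
    ],
    "medium_confidence": [
      {"type": "Config.CSRF: Missing CSRF Protections",
       "file": "lib/phoenix_internals_web/router.ex", "line": 12}
    ],
    "low_confidence": [
      {"type": "XSS.Raw: XSS", "file": "lib/phoenix_internals_web/views/page_view.ex", "line": 9}
    ]
  }
}"""

LEVELS = ("high", "medium", "low")
RANK = {"low": 0, "medium": 1, "high": 2}
REQUIRED_KEYS = ("type", "file", "line")

def load_findings(report_json):
    """Flatten the report into (confidence, finding) pairs, highest first,
    rejecting any finding that lacks one of the three guaranteed keys."""
    data = json.loads(report_json)
    pairs = []
    for level in LEVELS:
        for finding in data.get("findings", {}).get(f"{level}_confidence", []):
            missing = [k for k in REQUIRED_KEYS if k not in finding]
            if missing:
                raise ValueError(f"finding lacks {missing}: {finding}")
            pairs.append((level, finding))
    return pairs

def filter_by_threshold(pairs, threshold):
    """Keep findings at or above `threshold`, mirroring the --threshold flag."""
    if threshold not in RANK:
        raise ValueError(f"threshold must be one of {sorted(RANK)}")
    return [(lvl, f) for lvl, f in pairs if RANK[lvl] >= RANK[threshold]]

def ci_gate(report_json, threshold="medium"):
    """Return (exit_code, lines); exit 1 when any finding meets the threshold."""
    hits = filter_by_threshold(load_findings(report_json), threshold)
    lines = [f"[{lvl}] {f['type']} at {f['file']}:{f['line']}" for lvl, f in hits]
    return (1 if hits else 0), lines
```

In a pipeline you would feed the file written by `mix sobelow --format json` into `ci_gate` and exit with the returned code, while archiving the full report so the low-confidence findings are not lost.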

This update also brings the first of several changes to scan outputs. In particular, finding module names are now included in the description, which should simplify the use of flags that take a module name as input.

Finally, the full update contents can be found below:

  • Enhancements
    • Add --threshold flag
    • Add module names to finding output
  • Deprecations
    • File/Path check has been deprecated
  • Bug Fixes
    • Fix inaccurate CSRF details