PerlMonks

ZARN - security code analysis for perl

by Discipulus (Canon)
on Apr 03, 2023 at 08:15 UTC [id://11151431] (perlmeditation)

Hello folks,

Thanks to perl.social, today I stumbled upon this article about zarn: "a lightweight static code security analysis for Modern Perl Applications"

Did you use it? Did you use other similar tools for static analysis of your perl programs?

L*

There are no rules, there are no thumbs..
Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.

Re: ZARN - security code analysis for perl
by kikuchiyo (Hermit) on Apr 03, 2023 at 13:15 UTC

    I've tried this Zarn on a non-trivial codebase at $work, and I'm sorry, but in its present form it is worse than useless.

    First, it only reports the file name and the purported "vulnerability", but no context, not even a line number.

    Second, it seems to flag most files, some even multiple times, with "Path Traversal" or "Code Injection". It doesn't tell what these are, but looking at the default.yaml rules file (the only one that has actual content):

    - id: '0002'
      category: vuln
      name: Code Injection
      message:
      sample:
        - system
        - eval
        - exec
    - id: '0003'
      category: vuln
      name: Path Traversal
      message:
      sample:
        - open

    it appears that it flags every single occurrence of these keywords as a vulnerability, which is ridiculous. An open() with a known, static filename is not a path traversal vulnerability, nor is a block eval (to catch exceptions) a code injection.
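As an added illustration of the two complaints above (no line number or context, and bare keyword matching), here is a small line-based checker that is not part of ZARN or of this thread. It shows what a rule needs beyond the keyword to separate the benign cases kikuchiyo lists (block eval, open() with a literal path, list-form system with literal arguments) from the ones worth a look, and it reports file, line number and the offending line. The sample lines, the rule names and the regex heuristics are all constructed for this example; it is a demonstration of the idea, not a parser, and a real tool would work from a parsed token stream rather than regexes.

```perl
#!/usr/bin/env perl
# Added example: a context-aware toy checker. Not ZARN's code; rules, regexes
# and sample input are constructed for illustration only.
use strict;
use warnings;

# Constructed sample input: [line number, source line] pairs standing in for a file.
my @sample = (
    [1, q{open(my $fh, '<', '/etc/app/config.yaml') or die $!;}],  # literal path
    [2, q{open(my $fh, '<', $ARGV[0]) or die $!;}],                 # runtime path
    [3, q{my $ok = eval { risky(); 1 };}],                          # block eval
    [4, q{eval $code_from_request;}],                               # string eval
    [5, q{system('ls', '-l');}],                                    # list form, literals only
    [6, q{system("ls $dir");}],                                     # interpolated shell string
);

# Each rule: a name, a keyword regex that must match, and a check callback that
# returns a message for a real finding or nothing when the match is benign.
my @rules = (
    {
        name  => 'Code Injection (string eval)',
        match => qr/\beval\b/,
        check => sub {
            my ($line) = @_;
            # eval followed by an opening brace is a block eval: exception handling, not injection.
            return if $line =~ /\beval\s*\{/;
            return 'eval of a non-block expression';
        },
    },
    {
        name  => 'Path Traversal (open with runtime path)',
        match => qr/\bopen\s*\(/,
        check => sub {
            my ($line) = @_;
            # Three-argument open whose filename is a quoted literal with no interpolation: benign.
            return if $line =~ /\bopen\s*\(\s*[^,]+,\s*'[^']*'\s*,\s*(?:'[^']*'|"[^"\$\@]*")\s*\)/;
            return 'open() with a non-literal filename';
        },
    },
    {
        name  => 'Command Injection (shell string)',
        match => qr/\b(?:system|exec)\b/,
        check => sub {
            my ($line) = @_;
            # List form with only single-quoted literals never reaches a shell: benign.
            return if $line =~ /\b(?:system|exec)\s*\(\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\)/;
            return 'system/exec with an interpolated or single-string argument';
        },
    },
);

# Run every rule over every line and report file:line, rule, reason and the line itself.
sub scan {
    my ($file, $lines) = @_;
    my @findings;
    for my $entry (@$lines) {
        my ($lineno, $text) = @$entry;
        for my $rule (@rules) {
            next unless $text =~ $rule->{match};
            my $msg = $rule->{check}->($text);
            push @findings,
                sprintf("%s:%d: %s: %s\n    %s", $file, $lineno, $rule->{name}, $msg, $text)
                if defined $msg;
        }
    }
    return @findings;
}

print "$_\n" for scan('sample.pl', \@sample);
```

Run as written, the checker reports only lines 2, 4 and 6 of the constructed sample: the keyword-only approach in default.yaml would flag all six. The heuristics are deliberately conservative (an unrecognised form is reported rather than silenced), so the remaining noise is in the direction of false positives a reviewer can dismiss with the line in front of them.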

Re: ZARN - security code analysis for perl
by eyepopslikeamosquito (Archbishop) on Apr 03, 2023 at 09:23 UTC
