Hello folks,

thanks to perl.social today I've stumbled upon this article about zarn: "a lightweight static code security analysis for Modern Perl Applications"

Did you use it? Did you use other similar tools for static analysis of your Perl programs?

L*

There are no rules, there are no thumbs..
Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.

Re: ZARN - security code analysis for perl
by kikuchiyo (Hermit) on Apr 03, 2023 at 13:15 UTC

    I've tried this Zarn on a non-trivial codebase at $work, and I'm sorry, but in its present form it is worse than useless.

    First, it only reports the file name and the purported "vulnerability", but no context, not even a line number.

    Second, it seems to flag most files, some even multiple times with "Path Traversal" or "Code Injection". It doesn't tell what these are, but looking at the default.yaml rules file (the only one that has actual content):

    - id: '0002'
      category: vuln
      name: Code Injection
      message:
      sample:
        - system
        - eval
        - exec
    - id: '0003'
      category: vuln
      name: Path Traversal
      message:
      sample:
        - open

    it appears that it flags every single occurrence of these keywords as a vulnerability, which is ridiculous. An open() with a known, static filename is not a path traversal vulnerability, nor is a block eval (to catch exceptions) a code injection.
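
To make the distinction the reply draws concrete, here is an added example written for this page; it is neither Zarn's code nor the poster's. It is a small scanner built on PPI (the CPAN Perl parser) that looks at the same keywords but reports an open, eval or system call only when the argument that reaches the filesystem, the compiler or the shell contains a variable, and it prints the line number and the statement. The sample program it scans is constructed for the illustration, and the helper names (top_level_args, is_dynamic, scan) are this example's own.

```perl
#!/usr/bin/env perl
# Added illustration, not code from Zarn: a PPI-based scanner that reports
# open/eval/system calls only when their argument can carry attacker data,
# and prints the line number and statement. Needs the PPI module from CPAN.
use strict;
use warnings;
use PPI;

# Constructed sample program. It pairs each risky form (open on an
# interpolated path, eval of a string holding a variable, one-argument
# system with interpolation) with the harmless form a bare keyword match
# would also flag (open on a static path, block eval, list-form system).
my $sample = <<'PERL';
my $file = $ENV{QUERY_STRING};
open(my $fh, '<', "/var/data/$file") or die $!;
open(my $cfg, '<', '/etc/myapp.conf') or die $!;
eval { risky(); 1 } or warn "caught: $@";
eval "use $module;";
system("ls -l $dir");
system('ls', '-l', $dir);
PERL

my %CATEGORY = (
    open   => 'Path Traversal',
    eval   => 'Code Injection',
    system => 'Command Injection',
);

# Split a call's argument node into top-level comma-separated argument
# token lists. A bare argument (eval "...") is returned as a single list.
sub top_level_args {
    my ($node) = @_;
    my @tokens = $node->isa('PPI::Structure::List')
        ? map { $_->isa('PPI::Node') ? $_->schildren : $_ } $node->schildren
        : ($node);
    my @args = ([]);
    for my $t (@tokens) {
        if ($t->isa('PPI::Token::Operator') && $t->content eq ',') {
            push @args, [];
            next;
        }
        push @{ $args[-1] }, $t;
    }
    return @args;
}

# An argument is dynamic if it contains a variable, either directly or
# interpolated into a double-quoted string. Anything else is a literal.
sub is_dynamic {
    my (@tokens) = @_;
    for my $t (@tokens) {
        return 1 if $t->isa('PPI::Token::Symbol');
        return 1 if $t->isa('PPI::Node') && $t->find_any('PPI::Token::Symbol');
        return 1 if ($t->isa('PPI::Token::Quote::Double')
                  || $t->isa('PPI::Token::Quote::Interpolate'))
                  && $t->content =~ /[\$\@]\w/;
    }
    return 0;
}

# Returns "LINE: CATEGORY: STATEMENT" strings for the risky calls only.
sub scan {
    my ($source) = @_;
    my $doc = PPI::Document->new(\$source) or die PPI::Document->errstr;
    my @findings;
    for my $word (@{ $doc->find('PPI::Token::Word') || [] }) {
        my $name = $word->content;
        next unless exists $CATEGORY{$name};

        # $obj->open(...) is a method call, not the builtin
        my $prev = $word->sprevious_sibling;
        next if $prev && $prev->isa('PPI::Token::Operator') && $prev->content eq '->';

        my $arg = $word->snext_sibling or next;

        # eval BLOCK is exception handling; only eval STRING compiles data
        next if $name eq 'eval' && $arg->isa('PPI::Structure::Block');

        my @args = top_level_args($arg);

        # system LIST with several elements never goes through a shell
        next if $name eq 'system' && @args > 1;

        # for open the path is the last argument; the filehandle is not input
        my @expr = $name eq 'open' ? @{ $args[-1] } : @{ $args[0] };
        next unless is_dynamic(@expr);

        push @findings, sprintf '%d: %s: %s',
            $word->line_number, $CATEGORY{$name}, $word->statement->content;
    }
    return @findings;
}

print "$_\n" for scan($sample);
```

This is still a purely syntactic check with no data flow: a path copied from a constant into a variable before the open is reported, and a variable the scanner never sees because it was built in another file is not. It does, however, remove exactly the two classes of noise the reply complains about (static open, block eval), keeps one-argument system with interpolation, and gives a reviewer a line to look at rather than only a file name.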

Re: ZARN - security code analysis for perl
by eyepopslikeamosquito (Archbishop) on Apr 03, 2023 at 09:23 UTC