I've tried this Zarn on a non-trivial codebase at $work, and I'm sorry, but in its present form it is worse than useless.

First, it only reports the file name and the purported "vulnerability", but no context, not even a line number.

Second, it seems to flag most files, some even multiple times, with "Path Traversal" or "Code Injection". It doesn't say what these are, but looking at the default.yaml rules file (the only one that has actual content):

  - id: '0002'
    category: vuln
    name: Code Injection
    message:
    sample:
      - system
      - eval
      - exec
  - id: '0003'
    category: vuln
    name: Path Traversal
    message:
    sample:
      - open

it appears that it flags every single occurrence of these keywords as a vulnerability, which is ridiculous. An open() with a known, static filename is not a path traversal vulnerability, nor is a block eval (to catch exceptions) a code injection.


In reply to Re: ZARN - security code analysis for perl by kikuchiyo
in thread ZARN - security code analysis for perl by Discipulus
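To make the complaint in the post above concrete, here is an added example (written for this edit; it is not ZARN's code and not the poster's codebase) that runs two scanners over a few constructed Perl lines: one that reports every occurrence of the rule keywords, as the post describes ZARN doing, and one that applies the two distinctions the post asks for, skipping a block eval and skipping open()/system() calls whose arguments are literals that cannot interpolate anything. The sample lines, the rule table and the helper names are all assumptions made for the example; the argument parsing is a heuristic, not a Perl parser.

```python
import re

# Constructed Perl sample (not from the poster's codebase or from ZARN): the
# cases the post mentions, plus a comment line, so both scanners can be compared.
SAMPLE_PERL = """\
open(my $fh, '<', '/etc/myapp/config.yaml') or die "cannot open: $!";
eval { risky_call(); 1 } or warn "caught: $@";
eval $user_supplied_code;
open(my $log, '<', "/var/log/myapp/$ARGV[0]") or die $!;
system('ls', '-l', '/tmp');
system("tar czf backup.tgz $dir");
# eval is slow here, avoid it in the hot loop
"""

# The rule set as the post describes it: a category and a list of keywords.
KEYWORD_RULES = {
    "Code Injection": ("system", "eval", "exec"),
    "Path Traversal": ("open",),
}


def naive_findings(src):
    """Keyword-only matching: every occurrence of a rule keyword is reported."""
    found = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, words in KEYWORD_RULES.items():
            for word in words:
                if re.search(r"\b" + word + r"\b", line):
                    found.append((lineno, name, word))
    return found


def _call_args(rest):
    """Return the text inside the call's parentheses, or the bare argument
    expression if the call was written without them (heuristic, not a parser)."""
    rest = rest.strip()
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    return rest[1:i]
    return rest.rstrip(";")


def _is_dynamic(arg):
    """True unless the argument is a literal that cannot interpolate anything."""
    arg = arg.strip()
    if re.fullmatch(r"'[^']*'", arg):
        return False                          # single quotes never interpolate
    if re.fullmatch(r'"[^"]*"', arg):
        return bool(re.search(r"[$@]", arg))  # double quotes interpolate $ and @
    return True                               # variable, expression, bareword


def smarter_findings(src):
    """Same keywords, but block eval and static arguments are not reported."""
    found = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("#", 1)[0]   # crude comment strip; wrong for '#' inside strings
        m = re.search(r"\beval\b\s*(.*)", code)
        if m and not m.group(1).startswith("{"):
            # eval { ... } is exception handling; only eval EXPR compiles code
            found.append((lineno, "Code Injection", "string eval"))
        for word in ("system", "exec"):
            m = re.search(r"\b" + word + r"\b\s*(.*)", code)
            if m:
                args = [a.strip() for a in _call_args(m.group(1)).split(",")]
                if any(_is_dynamic(a) for a in args):
                    found.append((lineno, "Code Injection", word + " with dynamic argument"))
        m = re.search(r"\bopen\b\s*(.*)", code)
        if m:
            args = [a.strip() for a in _call_args(m.group(1)).split(",")]
            if _is_dynamic(args[-1]):  # the path is the last argument in 2- and 3-arg open
                found.append((lineno, "Path Traversal", "open with dynamic path"))
    return found


if __name__ == "__main__":
    for label, scan in (("naive", naive_findings), ("smarter", smarter_findings)):
        hits = scan(SAMPLE_PERL)
        print(f"{label}: {len(hits)} findings")
        for lineno, name, why in hits:
            print(f"  line {lineno}: {name} ({why})")
```

On the sample the keyword scanner reports all seven lines, including the comment and the static open(); the second scanner reports only the string eval, the open() whose path includes $ARGV[0], and the system() call that interpolates $dir. Both report a line number, which is the first thing the post says is missing. The literal-versus-interpolation test is still far from a real taint analysis (a variable assigned from a constant two lines earlier is reported as dynamic), but it removes exactly the class of false positives the post complains about.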
