duo-labs / narrow Goto Github PK

Consider an "import only" mode that takes in a target import and tries to see if that's used anywhere. While less precise, it's less vulnerable to language difficulties like functors and lambdas which may still make it useful in many cases.

Think about how to add support for new languages. Ideally this shouldn't require tons of re-work and we should be able to re-use part of what we have.

We could even consider relying fully on other systems to do parts of the pipeline. e.g. semgrep can dump ASTs for many languages. Control flow graph generation is extra tricky and I haven't yet seen a single mechanism for doing this across languages.

If you tell a human to determine whether a vulnerable function is being used they'll almost certainly do the data flow backwards: start by grepping for the vulnerable function, find it in code, and go backwards looking for function calls to the definition.

Is there anything we can gleam for narrow here? Generally humans are using IDEs that already do function reference detection, which are usually forward-propogating analyses, so perhaps not. Still, in theory doing this would reduce how much we have to analyze. Right now we may recurse through imports / function calls in dependencies we don't care about at all.

Include different narrower policies so users can configure how they want output data modified (if at all). Some options:
In general:

  Option to treat "unknowns" (e.g. no patch available for analysis) as "predicted as relevant" (conservative)

    
  Option to treat "unknowns" as "predicated as NOT relevant" (noise reduction)

For the error code:

  Exit code equals how many vulns were predicted to affect the project

    
  Exit code equals how many vulns were not predicted to affect the project

    
  Always return 0

For the krefst output data:

  Increase CVSS for each vuln if predicted to affect the project

    
  Reduce CVSS for each vuln if predicted to not affected the project

For the CycloneDX output data (severities):

  Add new vuln rating (a Narrow rating) with CVSS score increased if vuln is predicted to affect the project

    
  Add new vuln rating (a Narrow rating) with CVSS score decreased if vuln is predicted to not affect the project

For the CycloneDX output data (analysis):

  Assign exploitable for each vuln predicted to affect the project

    
  Assign not_affected (and justification set to code_not_reachable) for each vuln predicted to not affect the project

    
  Assign in-triage if unknown

Add support for .pxi files in CFG generation. Relevant for finding vulns in lxml, for example.

Determine if https://pyre-check.org/docs/pysa-basics/ can help with control flow graph generation.

It supports partial type checking and can do some control flows. It does, however, say "It does not see the source of your dependencies." so this may not totally help us since this is a key need.

Consider adding support for type inference to improve reachability accuracy.