Vuln Reach is a library for developing tools that determine if a given vulnerability is reachable. Provided to the open source community by Phylum to help reduce false positives and increase signal-to-noise for software developers.
Vuln Reach is a static analysis library written in Rust that leverages tree-sitter for parsing.
It currently supports Javascript.
It builds an access graph of the source code of a package and its transitive dependencies, and then uses it to search for a path to a known vulnerable identifier node.
Add this to your Cargo.toml:
toml
[dependencies]
vuln-reach = { git = "https://github.com/phylum-dev/vuln-reach" }
Here's an example of how you can find out whether an identifier node in a package is reachable from another package.
```rust use vulnreach::javascript::package::reachability::VulnerableNode; use vulnreach::javascript::package::resolver::PackageResolver; use vulnreach::javascript::package::Package; use vulnreach::javascript::project::Project;
// Build a package resolver. let packageresolver = PackageResolver::builder() .withpackage("path-scurry", Package::fromtarballpath("./tarballs/path-scurry-1.6.1.tgz")) .withpackage("lru-cache", Package::fromtarballpath("./tarballs/lru-cache-7.14.1.tgz")) .withpackage("minipass", Package::fromtarballpath("./tarballs/minipass-4.0.2.tgz")) .build();
// Build a project from the package resolver. let project = Project::new(package_resolver);
// Define a target node. let vulnerable_node = VulnerableNode::new("lru-cache", "index.js", 1017, 17, 1017, 24);
// Compute the reachability graph. let reachability = project.reachability(&vulnerable_node);
// Find a path to the vulnerable node, starting from the given package. let path = reachability.find_path("path-scurry"); ```
To find out what the transitive dependencies for your project are, you can use Phylum!
For a more complete example of usage, check out the cli.
At the moment, the codebase is relatively tightly coupled to Javascript. Plans are underway to abstract the non-language-specific bits to be used by all languages.
Adding support for a new language requires the following steps:
- Add the relevant tree-sitter parser to build.rs.
- Create a module directory for your language in the top level of the vuln-reach package.
- Implement abstractions for the language's imports and exports.
- Implement the concept of access for your language -- this could be as simple as being equivalent to "function call" or as complex as necessary.
If you're interested in using vuln reach in a commercial project and need a different licensing agreement, please reach out to partnerships@phylum.io.
