A static analysis tool for finding common Forge vulnerabilities.
```
Usage: fsrt [OPTIONS] [DIRS]...

Arguments:
  [DIRS]...  The directory to scan. Assumes there is a `manifest.yaml` file in the top level directory, and that the source code is located in `src/`

Options:
  -d, --debug
      --dump-ir <DUMP_IR>                 Dump the IR for the specified function.
  -dt, --dump-dt <DUMP_DOM_TREE>         Dump the Dominator Tree for the specified app
  -f, --function <FUNCTION>              A specific function to scan. Must be an entrypoint specified in `manifest.yml`
  -h, --help                             Print help information
  -V, --version                          Print version information
      --check-permissions                Runs the permission checker
      --graphql-schema-path <LOCATION>   Uses the graphql schema in location; othwerwise selects ~/.config dir
```
You will need to install Rust to compile FSRT. You can install Rust through Rustup or through your distro's package manager. You will also need Cargo, which comes by default with most Rust toolchains.[^1]

latest stable release, and adding the toolchain
Installing from source:

```
git clone https://github.com/atlassian-labs/FSRT.git
cd FSRT
cargo install --path crates/fsrt
```

or alternatively:

```
cargo install --git https://github.com/atlassian-labs/FSRT
```
To run the test suite:

```
cargo test
```
There are also two sample vulnerable Forge apps for testing. In the future these will be added to the test suite, but until then you can test fsrt by manually invoking:

```
fsrt ./test-apps/jira-damn-vulnerable-forge-app
```
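As an added example (not part of the FSRT repository), the POSIX sh wrapper below enforces the layout assumption stated in the usage text, `manifest.yaml` at the top level and sources under `src/`, before handing directories to fsrt, which is useful when scanning several apps from a monorepo in CI. The function names are assumed, and since fsrt's exit codes are not documented here the wrapper simply relays them.

```sh
#!/bin/sh
# Added example, not FSRT's own code: pre-check the directory layout fsrt
# expects, then scan everything that passes in one invocation.

# forge_app_layout_ok DIR -> exit status 0 if DIR has the layout fsrt assumes
forge_app_layout_ok() {
  [ -f "$1/manifest.yaml" ] && [ -d "$1/src" ]
}

# scannable_forge_apps DIR... -> prints, one per line, the directories that
# pass the layout check; the others are reported on stderr and skipped.
scannable_forge_apps() {
  for d in "$@"; do
    if forge_app_layout_ok "$d"; then
      printf '%s\n' "$d"
    else
      printf 'skipping %s: no manifest.yaml or src/ at top level\n' "$d" >&2
    fi
  done
}

# scan_forge_apps DIR... -> runs fsrt (with the permission checker enabled)
# over every scannable directory; fails if nothing was scannable.
# Requires fsrt on PATH; its exit status is passed through unchanged.
scan_forge_apps() {
  apps=$(scannable_forge_apps "$@")
  [ -n "$apps" ] || { echo 'no scannable Forge apps found' >&2; return 1; }
  # shellcheck disable=SC2086  # word splitting into separate args is intended
  fsrt --check-permissions $apps
}

# Usage from a shell: scan_forge_apps ./apps/*
```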
Testing with a GraphQL schema:

```
cargo test --features graphql_schema
```
Contributions to FSRT are welcome! Please see CONTRIBUTING.md for details.
Copyright (c) 2022 Atlassian and others.
FSRT is dual licensed under the MIT and Apache 2.0 licenses.
See LICENSE-APACHE and LICENSE-MIT for details.
Footnotes

[^1]: Cargo is technically not required if you want to download every dependency, invoke `rustc`, and link everything manually. However, I wouldn't recommend doing this unless you're extremely bored.