A static analyzer for finding Forge app vulnerabilities

atlassian-labs/FSRT

FSRT - Forge Security Requirements Tester

A static analysis tool for finding common Forge vulnerabilities.

Usage

Usage: fsrt [OPTIONS] [DIRS]...

Arguments:
  [DIRS]...  The directory to scan. Assumes there is a `manifest.yaml` file in the top level directory, and that the source code is located in `src/`

Options:
  -d, --debug
      --dump-ir <DUMP_IR>               Dump the IR for the specified function.
  -dt, --dump-dt <DUMP_DOM_TREE>        Dump the Dominator Tree for the specified app
  -f, --function <FUNCTION>             A specific function to scan. Must be an entrypoint specified in `manifest.yml`
  -h, --help                            Print help information
  -V, --version                         Print version information
      --check-permissions               Runs the permission checker
      --graphql-schema-path <LOCATION>  Uses the graphql schema in location; otherwise selects ~/.config dir
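The scanner assumes a fixed layout for each directory it is given (`manifest.yaml` at the top level, source under `src/`). The wrapper below, an added example that is not part of FSRT, checks that layout before invoking the scanner so that a batch run over many apps reports which directories were skipped instead of failing part way through. `FSRT_BIN` is an assumption so the path to the binary can be overridden; the `--check-permissions` flag is the one listed in the usage above.

```shell
#!/bin/sh
# Added example, not part of FSRT: validate the directory layout fsrt expects
# before scanning, then run fsrt on every directory that passes the check.
# FSRT_BIN is an assumption (defaults to `fsrt` on PATH).

FSRT_BIN="${FSRT_BIN:-fsrt}"

# forge_app_layout_ok DIR
#   returns 0 when DIR has manifest.yaml at the top level and a src/ directory,
#   1 otherwise (with the reason on stderr)
forge_app_layout_ok() {
    dir="$1"
    [ -d "$dir" ] || { echo "skip: not a directory: $dir" >&2; return 1; }
    [ -f "$dir/manifest.yaml" ] || { echo "skip: missing $dir/manifest.yaml" >&2; return 1; }
    [ -d "$dir/src" ] || { echo "skip: missing $dir/src/" >&2; return 1; }
    return 0
}

# scan_forge_apps DIR...
#   runs fsrt (with the permission checker enabled) on each directory that
#   passes forge_app_layout_ok; returns the number of directories skipped
scan_forge_apps() {
    skipped=0
    for d in "$@"; do
        if forge_app_layout_ok "$d"; then
            "$FSRT_BIN" --check-permissions "$d"
        else
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# Usage: ./scan.sh ./test-apps/jira-damn-vulnerable-forge-app ./other-app
if [ "$#" -gt 0 ]; then
    scan_forge_apps "$@"
fi
```

The exit status of `scan_forge_apps` is the number of directories that did not match the expected layout, which makes a non-zero result easy to act on in CI.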

Installation

You will need to install Rust to compile FSRT. You can install Rust through Rustup or through your distro's package manager. You will also need Cargo, which comes by default with most Rust toolchains.[1] latest stable release, and adding the toolchain

Installing from source:

git clone https://github.com/atlassian-labs/FSRT.git
cd FSRT
cargo install --path crates/fsrt

or alternatively:

cargo install --git https://github.com/atlassian-labs/FSRT

Tests

To run the test suite:

cargo test

There are also two sample vulnerable Forge apps for testing. In the future these will be added to the test-suite, but until then you can test fsrt by manually invoking:

fsrt ./test-apps/jira-damn-vulnerable-forge-app

Testing with a GraphQL schema:

cargo test --features graphql_schema

Contributions

Contributions to FSRT are welcome! Please see CONTRIBUTING.md for details.

License

Copyright (c) 2022 Atlassian and others.

FSRT is dual licensed under the MIT and Apache 2.0 licenses.

See LICENSE-APACHE and LICENSE-MIT for details.

With ❤️ from Atlassian

Footnotes

  [1] Cargo is technically not required if you want to download every dependency, invoke rustc, and link everything manually. However, I wouldn't recommend doing this unless you're extremely bored.
