macula_security_scanner (macula v0.20.5)


Macula Security Scanner

Static analysis engine for scanning BEAM files:

- Detects dangerous BIF usage (os:cmd, open_port, etc.)
- Identifies undeclared capabilities
- Detects NIF loading attempts
- Calculates a security score

All functions are stateless.

Summary

Functions

Calculate a security score from a scan result

Get the list of BIFs the scanner treats as dangerous

Scan a gzipped BEAM archive supplied as a binary

Scan a list of {ModuleName, BeamBinary} tuples and return a single scan result

Scan a manifest for security issues and return the warnings found

Types

scan_result/0

%% Result of scanning one or more BEAM files.
%% dangerous_bifs: each detected dangerous BIF call, identified by
%%   module/function/arity; `locations` is a list of opaque term()s.
%% undeclared_capabilities: capabilities the scanner found used but not
%%   declared; element shape is opaque here (term()).
%% nif_usage: modules that attempt to load a NIF, with the library name
%%   as a binary().
%% warnings: individual findings, see warning/0.
%% score: security score, constrained to the range 0..100.
-type scan_result() ::
          #{dangerous_bifs :=
                [#{module := atom(),
                   function := atom(),
                   arity := non_neg_integer(),
                   locations := [term()]}],
            undeclared_capabilities := [term()],
            nif_usage := [#{module := atom(), nif_lib := binary()}],
            warnings := [warning()],
            score := 0..100}.

warning/0

%% A single finding produced by the scanner.
%% severity: one of low | medium | high | critical.
%% type: atom classifying the kind of finding.
%% message: human-readable description as a binary().
%% location: optional key (=>), so it may be absent; its shape is opaque
%%   (term()) — consumers should not assume a particular structure.
-type warning() ::
          #{severity := low | medium | high | critical,
            type := atom(),
            message := binary(),
            location => term()}.

Functions

calculate_score(Result)

-spec calculate_score(scan_result()) -> 0..100.

Calculate a security score from a scan result

get_dangerous_bifs()

-spec get_dangerous_bifs() -> [{atom(), atom(), non_neg_integer()}].

Get the list of BIFs the scanner treats as dangerous

scan_beam_archive(Archive)

-spec scan_beam_archive(Archive :: binary()) -> {ok, scan_result()} | {error, term()}.

Scan a gzipped BEAM archive supplied as a binary

scan_beam_files(BeamFiles)

-spec scan_beam_files([{atom(), binary()}]) -> {ok, scan_result()} | {error, term()}.

Scan a list of {ModuleName, BeamBinary} tuples and return a single scan result

scan_manifest(Manifest)

-spec scan_manifest(Manifest :: map()) -> {ok, [warning()]} | {error, term()}.

Scan a manifest for security issues and return the warnings found