Metastatic.Analysis.Security (Metastatic v0.10.4)


Security vulnerability detection at the MetaAST level.

Identifies common security vulnerabilities by pattern matching on function calls and literals. Because it operates on the unified MetaAST representation, the same rules apply to every supported language. Detection is by call name and literal pattern, not data-flow analysis: a call such as eval("1+1") on a constant string is reported just like eval(user_input), so treat findings as candidates for review rather than confirmed exploitable paths.

Detected Vulnerabilities

  • Injection attacks - SQL injection, command injection, code injection
  • Unsafe deserialization - pickle.loads, eval, exec
  • Hardcoded secrets - API keys, passwords in literals
  • Weak cryptography - MD5, SHA1, weak random
  • Path traversal - Unchecked file operations
  • Insecure protocols - HTTP URLs

Usage

alias Metastatic.{Document, Analysis.Security}

# Analyze for security vulnerabilities
ast = {:function_call, [name: "eval"], [{:variable, [], "user_input"}]}
doc = Document.new(ast, :python)
{:ok, result} = Security.analyze(doc)

result.has_vulnerabilities?   # => true
result.total_vulnerabilities  # => 1

Examples

# No vulnerabilities
iex> ast = {:binary_op, [category: :arithmetic, operator: :+], [{:literal, [subtype: :integer], 1}, {:literal, [subtype: :integer], 2}]}
iex> doc = Metastatic.Document.new(ast, :python)
iex> {:ok, result} = Metastatic.Analysis.Security.analyze(doc)
iex> result.has_vulnerabilities?
false

# Unsafe eval detected
iex> ast = {:function_call, [name: "eval"], [{:literal, [subtype: :string], "1+1"}]}
iex> doc = Metastatic.Document.new(ast, :python)
iex> {:ok, result} = Metastatic.Analysis.Security.analyze(doc)
iex> result.has_vulnerabilities?
true
iex> [vuln | _] = result.vulnerabilities
iex> vuln.category
:unsafe_deserialization

Summary

Functions

analyze(language_or_doc, source_or_ast_or_opts \\ [], opts \\ [])
  Analyzes a document for security vulnerabilities.

analyze!(language_or_doc, source_or_ast_or_opts \\ [], opts \\ [])
  Analyzes a document for security vulnerabilities, raising on failure.

Functions

analyze(language_or_doc, source_or_ast_or_opts \\ [], opts \\ [])

@spec analyze(Metastatic.language(), term(), keyword()) ::
  {:ok, map()} | {:error, term()}

Analyzes a document for security vulnerabilities.

Returns {:ok, result} where result is a Metastatic.Analysis.Security.Result struct.

Options

  • :categories - List of vulnerability categories to check (default: all)
  • :min_severity - Minimum severity to report (default: :low)

Examples

iex> ast = {:literal, [subtype: :integer], 42}
iex> doc = Metastatic.Document.new(ast, :elixir)
iex> {:ok, result} = Metastatic.Analysis.Security.analyze(doc)
iex> result.has_vulnerabilities?
false
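The following script is an added example, not code from the Metastatic docs or library. It builds a MetaAST in which the unsafe call is nested inside another call (print(eval(user_input))), runs the analyzer with and without the :categories and :min_severity options, and groups findings by category the way a CI gate would. It assumes the Hex package is named :metastatic, that nested function_call nodes are traversed, and that the Result struct exposes the fields shown on this page (vulnerabilities, total_vulnerabilities, vuln.category); :unsafe_deserialization is the only category atom the page documents.

```elixir
# Added example (not part of the Metastatic documentation).
# Assumption: the Hex package is named :metastatic.
Mix.install([{:metastatic, "~> 0.10.4"}])

alias Metastatic.{Document, Analysis.Security}

defmodule SecurityScan do
  # A MetaAST for print(eval(user_input)). Node shapes follow the
  # module docs: {:function_call, [name: ...], args}, {:variable, [], name}.
  # Assumption: the analyzer walks into nested function_call arguments.
  def nested_eval_ast do
    user_input = {:variable, [], "user_input"}

    {:function_call, [name: "print"],
     [{:function_call, [name: "eval"], [user_input]}]}
  end

  # Runs Security.analyze/2 on a document built from `ast` and returns
  # the finding count plus findings grouped by category, so callers can
  # fail a build on specific classes and report the rest.
  def scan(ast, language, opts \\ []) do
    doc = Document.new(ast, language)

    case Security.analyze(doc, opts) do
      {:ok, result} ->
        by_category = Enum.group_by(result.vulnerabilities, & &1.category)
        {:ok, result.total_vulnerabilities, by_category}

      {:error, reason} ->
        {:error, reason}
    end
  end
end

# Default scan: all categories, min_severity: :low.
{:ok, total, by_category} =
  SecurityScan.scan(SecurityScan.nested_eval_ast(), :python)

IO.puts("findings: #{total}")

for {category, vulns} <- by_category do
  IO.puts("  #{category}: #{length(vulns)}")
end

# Restrict the scan to one category. :unsafe_deserialization is the
# category the doctests above report for eval; other category atoms are
# not documented on this page, so none are assumed here.
{:ok, _total, only_deser} =
  SecurityScan.scan(SecurityScan.nested_eval_ast(), :python,
    categories: [:unsafe_deserialization],
    min_severity: :low
  )

IO.inspect(Map.keys(only_deser), label: "categories after filtering")
```

Passing opts as the second argument matches the analyze(language_or_doc, source_or_ast_or_opts \\ [], opts \\ []) signature when the first argument is a Document. Grouping by category rather than checking has_vulnerabilities? lets a pipeline block on, say, injection findings while only warning on the rest.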

analyze!(language_or_doc, source_or_ast_or_opts \\ [], opts \\ [])

@spec analyze!(Metastatic.language(), term(), keyword()) :: map()

Analyzes a document for security vulnerabilities, raising on failure.

Same as analyze/3, but returns the Metastatic.Analysis.Security.Result struct directly instead of an {:ok, result} tuple, and raises if the analysis cannot be performed.

Options

  • :categories - List of vulnerability categories to check (default: all)
  • :min_severity - Minimum severity to report (default: :low)

Examples

iex> ast = {:literal, [subtype: :integer], 42}
iex> doc = Metastatic.Document.new(ast, :elixir)
iex> result = Metastatic.Analysis.Security.analyze!(doc)
iex> result.has_vulnerabilities?
false