Checkers need support for analyzers to enhance their analysis. While a checker can identify vulnerable patterns based on code patterns, additional analysis may sometimes be required to accurately filter out false positives.
For example, analysis for hardcoded tokens in code will require an entropy analyzer.
This is a valid vulnerable pattern that should be detected by globstar:

```python
a = some_function(token="hqd#18ey283y28wdbbcwbd1ueh1ue2h")
```

However, using only regex-based matching will also detect false positives like this:

```python
a = some_function(token="fake_token_as_placeholder")
```
An entropy analyzer will help differentiate between them more effectively. Here’s an overview of how the workflow might look after integrating the analyzer feature.
```yaml
language: py
name: hardcoded-tokens
message: Look for hardcoded tokens
category: security
pattern: |
  (assignment
    left: (identifier)
    right: (call
      function: (identifier) @func_name
      arguments: (argument_list
        (keyword_argument
          name: (identifier)
          value: (string
            (string_start)
            (string_content) @token_val
            (string_end)))))
    (#match? @token_val "^[A-Za-z0-9/+=]+$")) @hardcoded-tokens
analyzers: |
  entropy @token_val
description: |
  Do not provide hardcoded token values in functions.
```
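As an added example, not part of this proposal or of globstar's own code, here is a Python sketch of what the `entropy` analyzer step could do with the `@token_val` captures. One caveat worth knowing before implementing it: plain Shannon entropy does not separate the two sample values above (about 3.69 vs 3.70 bits per character), so the sketch layers an assumed character-class check and a small placeholder vocabulary on top; the thresholds and word list are assumptions, not globstar settings.

```python
import math
import re
from collections import Counter

# Assumed vocabulary of words that mark a value as a stand-in rather than a secret.
PLACEHOLDER_WORDS = {
    "fake", "placeholder", "example", "sample", "dummy", "test",
    "changeme", "todo", "token", "secret", "password", "xxx",
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def char_classes(value: str) -> set:
    """Which of lower/upper/digit/other appear in value."""
    classes = set()
    for ch in value:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return classes


def classify(value: str, min_entropy: float = 3.0, min_classes: int = 2) -> str:
    """Return "likely-secret" or "likely-placeholder" for one captured string.

    Thresholds are assumptions chosen for this sketch, not tuned defaults.
    """
    words = [w for w in re.split(r"[^a-z]+", value.lower()) if w]
    if any(w in PLACEHOLDER_WORDS for w in words):
        return "likely-placeholder"
    if shannon_entropy(value) < min_entropy or len(char_classes(value)) < min_classes:
        return "likely-placeholder"
    return "likely-secret"


def filter_token_values(values):
    """Analyzer step: keep only the @token_val captures that still look like secrets."""
    return [v for v in values if classify(v) == "likely-secret"]
```

Running `filter_token_values` over the two constructed sample values keeps only `"hqd#18ey283y28wdbbcwbd1ueh1ue2h"`.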