What is Sobelow?
Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.
Currently Sobelow detects some types of the following security issues:
- Insecure configuration
- Known-vulnerable Dependencies
- Cross-Site Scripting
- SQL injection
- Command injection
- Denial of Service
- Directory traversal
- Unsafe serialization
Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.
A finding is typically marked "low confidence" if it looks like a function could be used insecurely, but it cannot reliably be determined if the function accepts user-supplied input. That is to say, green findings are not secure, they just require greater manual validation.
Note: This project is in constant development, and additional vulnerabilities will be flagged as time goes on.
Learn more at GitHub.
What's new in version 0.5.3?
- Checks for additional vulnerable dependencies
- Checks for an additional XSS vector
--quietflags for people who want less output
- Bug fixes and improvements!
Install the latest update with
mix archive.install hex sobelow