Detect complex code patterns using semantic grep
We’re hosting a meetup in SF on Feb 10 and we’d love to see you there!

We’ll discuss a program analysis tool we’re developing called sgrep. It’s a multi-lingual semantic “grep-style” tool for writing AST- and dataflow-aware queries on source code (for Python, Java, Go, C, and JS). The original author, Yoann Padioleau, worked on the tool at Facebook and is now full-time with us at r2c.

sgrep is the query system underpinning Bento, a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Bento is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query subprocess.open(..., shell=True). Because the match is semantic rather than textual, this will even find snippets like import subprocess as s; s.open(f'rm {args}', shell=True). Or find hardcoded credentials using the query boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...").
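To show what "AST-aware" matching buys over plain text grep, here is a small added example (not sgrep's code, and not part of the original announcement) that mimics the two queries above with Python's ast module. It resolves import aliases (import subprocess as s, from subprocess import Popen) so that s.open(..., shell=True) is recognised as a subprocess call, and it treats "..." in a keyword argument as "any string literal", which is how the hardcoded-credential query is read. It generalises slightly beyond the announcement by matching any function in the subprocess module, not just open; the sample source, the function names and the placeholder key strings are all constructed for the example.

```python
import ast

# Constructed sample source, modelled on the snippets in the announcement.
SAMPLE = '''
import subprocess as s
import subprocess
from subprocess import Popen
import boto3

def run(args):
    s.open(f"rm {args}", shell=True)        # aliased import: should match
    subprocess.run(["ls"], shell=False)     # shell is False: should not match
    Popen("id", shell=True)                 # from-import: should match

client = boto3.client(
    "s3",
    aws_secret_access_key="PLACEHOLDER_SECRET_KEY",
    aws_access_key_id="PLACEHOLDER_ACCESS_KEY_ID",
)
'''


class ImportResolver(ast.NodeVisitor):
    """Map each local name introduced by an import to its fully qualified name."""

    def __init__(self):
        self.names = {}

    def visit_Import(self, node):
        for alias in node.names:            # "import subprocess as s" -> s: subprocess
            self.names[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node):
        for alias in node.names:            # "from subprocess import Popen" -> Popen: subprocess.Popen
            self.names[alias.asname or alias.name] = f"{node.module}.{alias.name}"


def qualified_name(func, names):
    """Resolve the callee of a Call node (e.g. s.open) to 'module.attr' via the import map."""
    parts = []
    node = func
    while isinstance(node, ast.Attribute):  # peel a.b.c into [c, b] with base a
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):      # e.g. a call on a call result: not resolvable here
        return None
    base = names.get(node.id, node.id)
    return ".".join([base] + parts[::-1])


def kw_matches(value_node, want):
    """want is either a literal value to equal, or the type str meaning 'any string literal'."""
    if not isinstance(value_node, ast.Constant):
        return False                        # a variable, not a literal: the query asks for a literal
    if want is str:
        return isinstance(value_node.value, str)
    # type check first so that True does not silently equal 1
    return type(value_node.value) is type(want) and value_node.value == want


def find_calls(source, target, required_kwargs):
    """Return sorted (lineno, qualified_name) for calls to `target` (a function, or a
    module prefix matching any of its functions) carrying all of `required_kwargs`."""
    tree = ast.parse(source)
    resolver = ImportResolver()
    resolver.visit(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = qualified_name(node.func, resolver.names)
        if name is None or not (name == target or name.startswith(target + ".")):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if all(k in kwargs and kw_matches(kwargs[k], v) for k, v in required_kwargs.items()):
            hits.append((node.lineno, name))
    return sorted(hits)


if __name__ == "__main__":
    # Equivalent of: subprocess.open(..., shell=True), widened to any subprocess function
    print(find_calls(SAMPLE, "subprocess", {"shell": True}))
    # Equivalent of: boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")
    print(find_calls(SAMPLE, "boto3.client",
                     {"aws_secret_access_key": str, "aws_access_key_id": str}))
```

A text grep for "subprocess" would miss the aliased s.open call entirely and would flag the shell=False call; the AST walk gets both right because it matches on resolved names and on the parsed value of each keyword argument.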

The meetup is at 5:30PM on Monday, Feb 10 at 21 South Park Street in San Francisco. Feel free to attend or forward to interested friends!

Register here: https://www.eventbrite.com/e/detect-complex-code-patterns-using-semantic-grep-tickets-91167980885
Copyright © 2020 r2c, All rights reserved.