Sobelow, released in 2017, is the first security-focused static analysis tool for the Phoenix framework. For security researchers it gives a quick view of the points of interest in a codebase; for project maintainers it can stop a number of common vulnerability classes from being introduced in the first place.
Over the last year Sobelow has improved steadily. Features have been added to make it easier to use and to fit it into a continuous integration pipeline. More importantly, dozens of changes have gone into the vulnerability checks: Sobelow now scans for new classes of issue, and the checks that were already in place cover more cases than before.
Here are some of the highlights:
- A number of output options have been added, including compact, quiet, and JSON formats (the `--compact`, `--quiet`, and `--format json` flags).
- Checks for new vulnerabilities, including code execution via the `Code` and `EEx` modules, and configuration problems such as a missing Content-Security-Policy header.
- Improvements to, and expansion of, many existing checks, including denial of service, CSRF, and cross-site scripting.
- Usability improvements, such as the ability to save a scan configuration for reuse and better support for umbrella applications.
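As an added example (not code from the Sobelow project or from the original post), the Phoenix controller and router below put the code-execution patterns named above next to hardened forms, and show the router configuration the Content-Security-Policy check looks for. `DemoWeb`, `CalcController`, the routes, and the CSP value are made up for illustration, and the file assumes a generated Phoenix app that defines the `DemoWeb` module.

```elixir
# Added example (not Sobelow's own code): the patterns Sobelow's RCE.CodeModule
# and RCE.EEx checks report, beside hardened equivalents, plus a router pipeline
# that sets the header Sobelow's Config.CSP check requires. Module, route and
# CSP names are made up; the file assumes a generated Phoenix app with DemoWeb.

defmodule DemoWeb.CalcController do
  use DemoWeb, :controller
  require EEx

  # VULNERABLE (RCE.CodeModule): request parameters are evaluated as Elixir,
  # so `expr=System.cmd("id", [])` runs a command on the server.
  def eval(conn, %{"expr" => expr}) do
    {result, _binding} = Code.eval_string(expr)
    text(conn, inspect(result))
  end

  # VULNERABLE (RCE.EEx): the template itself comes from the request, so
  # `template=<%= System.cmd("id", []) %>` executes the same way.
  def render_template(conn, %{"template" => template, "name" => name}) do
    html(conn, EEx.eval_string(template, name: name))
  end

  # HARDENED: parse the expression with Code.string_to_quoted/1 (this only
  # builds an AST; nothing is evaluated) and interpret an allow-listed subset
  # of that AST. Anything outside the subset is rejected with a 400.
  def eval_safe(conn, %{"expr" => expr}) do
    case safe_arith(expr) do
      {:ok, value} -> text(conn, Integer.to_string(value))
      :error -> conn |> put_status(400) |> text("unsupported expression")
    end
  end

  # HARDENED: the template is fixed at compile time; only the data is
  # user-controlled, and EEx does not escape, so the value is escaped first.
  EEx.function_from_string(:defp, :greeting_html, "<p>Hello, <%= name %>!</p>", [:name])

  def render_safe(conn, %{"name" => name}) do
    html(conn, greeting_html(Plug.HTML.html_escape(name)))
  end

  # The length cap keeps a deeply nested expression from tying up the parser.
  defp safe_arith(expr) when is_binary(expr) and byte_size(expr) <= 200 do
    case Code.string_to_quoted(expr) do
      {:ok, ast} -> interp(ast)
      {:error, _reason} -> :error
    end
  end

  defp safe_arith(_), do: :error

  # Allowed AST nodes: integer literals, unary minus, and binary + - * only.
  defp interp(n) when is_integer(n), do: {:ok, n}

  defp interp({:-, _meta, [operand]}) do
    with {:ok, v} <- interp(operand), do: {:ok, -v}
  end

  defp interp({op, _meta, [left, right]}) when op in [:+, :-, :*] do
    with {:ok, l} <- interp(left), {:ok, r} <- interp(right) do
      {:ok, apply(Kernel, op, [l, r])}
    end
  end

  # Function calls, variables, module aliases and everything else land here.
  defp interp(_other), do: :error
end

defmodule DemoWeb.Router do
  use DemoWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    # A pipeline that fetches the session without :protect_from_forgery is
    # what Sobelow's CSRF check reports; put_secure_browser_headers without a
    # content-security-policy entry is what its Config.CSP check reports.
    plug :protect_from_forgery
    plug :put_secure_browser_headers, %{
      "content-security-policy" => "default-src 'self'; frame-ancestors 'none'"
    }
  end

  scope "/", DemoWeb do
    pipe_through :browser
    post "/eval", CalcController, :eval_safe
    post "/greet", CalcController, :render_safe
  end
end
```

Running `mix sobelow` from the application root reports the two vulnerable actions; in a CI job, `mix sobelow --format json --exit` (both flags are documented in the project's README; check `mix help sobelow` for the set your version supports) produces machine-readable output and a non-zero exit status when findings are present, so the build fails until they are fixed or explicitly ignored.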
Check out the latest updates to the tool on the NCC Group GitHub: https://github.com/nccgroup/sobelow
For more information on these updates, read the blog post by Griffin Byatt.