mirror of
https://github.com/safedep/vet.git
synced 2025-12-10 00:22:08 -06:00
feat: Building code graph Refactor to support import processing Handle relative import name fixup Add docs for code analysis framework Update docs to include additional examples feat: Function call graph Update code graph to link function decl and calls Include call node in function calls feat: Flatten vulnerabilities in CSV reporter refactor: Maintain separation of concerns for code analysis framework refactor: Separate storage entities in its own package feat: Add callback support in code graph builder docs: Fix code analysis framework docs Signed-off-by: abhisek <abhisek.datta@gmail.com>
32 lines
1.5 KiB
Go
package code

// Things that we can do
// 1. Prune unused direct dependencies based on code usage
// 2. Find places in 1P code where a vulnerable library is imported
// 3. Find places in 1P code where a call to a vulnerable function is made
// 4. Find path from 1P code to a vulnerable function in direct or transitive dependencies
// 5. Find path from 1P code to a vulnerable library in direct or transitive dependencies

// Primitives that we need
// 1. Source code parsing
// 2. Import resolution to local 1P code or imported files in 3P code
// 3. Graph data structure to represent a function call graph across 1P and 3P code
// 4. Graph data structure to represent a file import graph across 1P and 3P code
//
// Source code parsing should provide
// 1. Enumerate imported 3P code
// 2. Enumerate functions in the source code
// 3. Enumerate function calls to 1P or 3P code
//
// Code Property Graph (CPG), stitching 1P and 3P code
// into a queryable graph data structure for analyzers having
//
// Future enhancements should include the ability to enrich function nodes
// with meta information such as contributors, last modified time, use-case tags etc.

// CONCEPTS used in building the framework
// 1. Source: Used to represent a mechanism to find and enumerate source files
// 2. Language: Used to represent the domain of programming languages
// 3. Node: Used to represent an in-memory representation of a node in an AST / CST
// 4. Entity: Used to represent a node that can be persisted in a property graph (analysis and query domain)
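The design note above lists the graph primitives (a function call graph and an import graph spanning 1P and 3P code) and the queries an analyzer should answer over them. The following is an added, self-contained example of those two structures and two of the listed queries: use case 4 (shortest call path from a 1P function to a vulnerable function in a transitive dependency) and use case 1 (declared direct dependencies that no 1P package imports). It is illustration code written for this page, not vet's own implementation; the package names, the `Vulnerable` flag, and the `SampleGraph` contents are constructed assumptions, and a real tool would derive the vulnerable marking from advisory data rather than a boolean.

```go
package main

import (
	"fmt"
	"sort"
)

// Party records who owns a node: first-party (1P) application code or
// third-party (3P) dependency code. Both live in one graph so analyzers can
// walk from 1P code into direct and transitive dependencies.
type Party int

const (
	FirstParty Party = iota
	ThirdParty
)

// Function is a node in the call graph, keyed as "<package>.<name>".
// Vulnerable is a constructed flag marking the sink an analyzer looks for.
type Function struct {
	Package    string
	Name       string
	Party      Party
	Vulnerable bool
}

// CodeGraph holds the two structures the design note asks for: a package
// import graph and a function call graph, stitched across 1P and 3P code.
type CodeGraph struct {
	funcs   map[string]*Function // "pkg.name" -> node
	pkgs    map[string]Party     // package -> owner, learned from AddFunction
	calls   map[string][]string  // caller key -> callee keys
	imports map[string][]string  // package -> packages it imports
}

func NewCodeGraph() *CodeGraph {
	return &CodeGraph{funcs: map[string]*Function{}, pkgs: map[string]Party{},
		calls: map[string][]string{}, imports: map[string][]string{}}
}

// AddFunction registers a function node (and its package's owner) and returns its key.
func (g *CodeGraph) AddFunction(pkg, name string, party Party, vulnerable bool) string {
	key := pkg + "." + name
	g.funcs[key] = &Function{Package: pkg, Name: name, Party: party, Vulnerable: vulnerable}
	g.pkgs[pkg] = party
	return key
}

// AddCall records a call edge; AddImport records a package import edge.
func (g *CodeGraph) AddCall(caller, callee string) { g.calls[caller] = append(g.calls[caller], callee) }
func (g *CodeGraph) AddImport(from, to string)  { g.imports[from] = append(g.imports[from], to) }

// PathToVulnerable runs a breadth-first search over call edges from root and
// returns the shortest path (as function keys) to any function marked
// Vulnerable, or nil if none is reachable (use case 4 in the design note).
func (g *CodeGraph) PathToVulnerable(root string) []string {
	if _, ok := g.funcs[root]; !ok {
		return nil
	}
	parent := map[string]string{root: ""} // child -> parent; root has no parent
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if f := g.funcs[cur]; f != nil && f.Vulnerable {
			var path []string // rebuild the path by walking parent links back to root
			for k := cur; k != ""; k = parent[k] {
				path = append([]string{k}, path...)
			}
			return path
		}
		for _, next := range g.calls[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// UnusedDirectDependencies returns declared direct dependencies that no 1P
// package imports (use case 1). Only the import graph is consulted; the
// result is sorted so output is stable.
func (g *CodeGraph) UnusedDirectDependencies(declared []string) []string {
	used := map[string]bool{}
	for pkg, deps := range g.imports {
		if g.pkgs[pkg] != FirstParty {
			continue
		}
		for _, d := range deps {
			used[d] = true
		}
	}
	unused := []string{}
	for _, d := range declared {
		if !used[d] {
			unused = append(unused, d)
		}
	}
	sort.Strings(unused)
	return unused
}

// SampleGraph builds a constructed graph: 1P package "app" calls into direct
// dependency "github.com/acme/http", whose Parse calls the vulnerable Decode in
// transitive dependency "github.com/acme/yaml"; "github.com/acme/unused" is
// declared but never imported by 1P code. All names are made up for this example.
func SampleGraph() *CodeGraph {
	g := NewCodeGraph()
	entry := g.AddFunction("app", "main", FirstParty, false)
	handler := g.AddFunction("app", "handler", FirstParty, false)
	parse := g.AddFunction("github.com/acme/http", "Parse", ThirdParty, false)
	decode := g.AddFunction("github.com/acme/yaml", "Decode", ThirdParty, true)
	g.AddFunction("github.com/acme/unused", "Noop", ThirdParty, false)
	g.AddCall(entry, handler)
	g.AddCall(handler, parse)
	g.AddCall(parse, decode)
	g.AddImport("app", "github.com/acme/http")
	g.AddImport("github.com/acme/http", "github.com/acme/yaml")
	return g
}

func main() {
	g := SampleGraph()
	fmt.Println("path:", g.PathToVulnerable("app.main"))
	fmt.Println("unused:", g.UnusedDirectDependencies([]string{"github.com/acme/http", "github.com/acme/unused"}))
}
```

The split between `calls` and `imports` mirrors primitives 3 and 4 in the note: reachability of a vulnerable function needs call edges, while pruning a dependency only needs to know whether any 1P package imports it. Running the example prints the four-node path from `app.main` to `github.com/acme/yaml.Decode` and reports `github.com/acme/unused` as prunable; a function that calls nothing vulnerable, or a key that is not in the graph, yields a nil path.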