https://github.com/cqr-cryeye-forks/Bughound
Bughound is an open-source static code analysis tool that analyzes your code and sends the results to Elasticsearch and Kibana so you can get useful insights about the potential vulnerabilities in your code.
Bughound has its own Elasticsearch and Kibana Docker image, preconfigured with dashboards that give you a strong visualization of the findings.
Bughound can analyze PHP and Java code for now, and it ships with a list of unsafe functions for each of these languages.
Users can detect various types of vulnerabilities such as:
First of all, Bughound builds a list of all the files inside your project based on the extensions of the files you want to audit; then it reads each file and tries to find any of the pre-defined unsafe functions for your project's language.
The analysis phase relies on pre-configured regexes and some custom text matching to detect potential vulnerabilities, so the findings still need manual review to confirm whether they are actually exploitable.
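A minimal Python illustration of the scan loop just described (an added example, not Bughound's own code): it walks a tree by extension, matches each line against a small rule table of unsafe functions, and records the file, line and category for manual triage. The rule table, extension map and sample PHP below are constructed for this example; Bughound's real lists are larger.

```python
import os
import re
from typing import NamedTuple

# Rule table constructed for this example; Bughound ships its own, larger
# per-language list of unsafe functions.
UNSAFE_FUNCTIONS = {
    "php": {"eval": "code injection", "system": "command injection",
            "unserialize": "insecure deserialization",
            "mysql_query": "SQL injection"},
    "java": {"Runtime.getRuntime().exec": "command injection",
             "ObjectInputStream.readObject": "insecure deserialization"},
}
EXTENSIONS = {".php": "php", ".java": "java"}

class Finding(NamedTuple):
    path: str
    line: int
    function: str
    category: str
    snippet: str

def compile_rules(language):
    # The name must be followed by "(" and must not be the tail of a longer
    # identifier, so "mysystem(" does not trigger the "system" rule.
    return [(name, cat, re.compile(r"(?<![\w$])" + re.escape(name) + r"\s*\("))
            for name, cat in UNSAFE_FUNCTIONS[language].items()]

def scan_source(path, text, language):
    # Match line by line so every finding carries a line number for triage.
    rules = compile_rules(language)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # crude comment skip; string literals are not parsed
        for name, cat, rx in rules:
            if rx.search(line):
                findings.append(Finding(path, lineno, name, cat, stripped))
    return findings

def scan_tree(root):
    # Build the file list by extension, then read and scan each file.
    for dirpath, _, files in os.walk(root):
        for fname in files:
            lang = EXTENSIONS.get(os.path.splitext(fname)[1].lower())
            if lang:
                full = os.path.join(dirpath, fname)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    yield from scan_source(full, fh.read(), lang)

# Constructed sample input: two real hits, one comment, one near-miss.
SAMPLE_PHP = """<?php
// system("ls"); left here as a commented-out debugging call
$data = unserialize($_COOKIE['session']);
echo mysystem($x);
$r = mysql_query("SELECT * FROM t WHERE id=" . $_GET['id']);
"""
```

Every hit is only a candidate: the regex cannot tell whether the argument is attacker-controlled, which is exactly why the README asks for manual analysis of each finding.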
This project is licensed under the GPL-3.0 License - see the LICENSE file for details.