SAST Tools
Initializes the core SAST module.
Modules:
| Name | Description |
|---|---|
cli |
Provides a factory for building command-line interfaces for SAST tools. |
graphics |
Provides classes for generating plots and visualizations from analysis results. |
parser |
Defines the core abstract classes for parsing SAST tool results. |
sast |
Defines the core abstract class and logic for SAST tool integrations. |
Provides a factory for building command-line interfaces for SAST tools.
This module contains the CLIFactory class, which simplifies the creation of
standardized typer CLI commands (analyze, benchmark, list, plot) for any
SAST integration.
CLIFactory(sast: SAST, custom_messages: dict)
Provide a factory to generate a standard set of CLI commands for a SAST tool.
Attributes:
| Name | Type | Description |
|---|---|---|
cli |
typer.Typer
|
The |
sast |
SAST
|
The SAST tool instance for which the CLI is being built. |
help_messages |
dict
|
A dictionary of help messages for the standard commands. |
Initialize the CLIFactory.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
SAST
|
An instance of the SAST tool's implementation class. |
required |
|
dict
|
A dictionary of custom help messages to override the defaults. |
required |
Methods:
| Name | Description |
|---|---|
build_cli |
Build and return the Typer CLI application for the SAST tool. |
add_main |
Add the main callback command to the CLI. |
add_install |
Add the 'install' command to the CLI. |
add_analyze |
Add the 'analyze' command to the CLI. |
add_benchmark |
Add the 'benchmark' command to the CLI. |
add_list |
Add the 'list' command to the CLI. |
add_plot |
Add the 'plot' command to the CLI. |
instance-attribute
help_messages = {
"main": f"{sast.name}",
"install": "List instruction to install missing requirements.",
"analyze": f"Analyze a project using {sast.name}.",
"benchmark": f"Benchmark a dataset using {sast.name}.",
"list": "List existing analysis results.",
"plot": "Generate plot for results visualization.",
}
Add the main callback command to the CLI.
This function sets up the main callback that runs when the SAST-specific command is invoked without a subcommand.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The help string for the main command. |
''
|
Add the 'install' command to the CLI.
This command opens the tool's installation guide URL in a web browser.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The help string for the command. |
''
|
Add the 'analyze' command to the CLI.
This command runs the SAST tool on the current directory.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The help string for the command. |
''
|
Add the 'benchmark' command to the CLI.
This command runs the SAST tool against a specified dataset.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The help string for the command. |
''
|
Add the 'list' command to the CLI.
This command lists all available analysis results for the SAST tool.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The help string for the command. |
''
|
Provides classes for generating plots and visualizations from analysis results.
This module contains base and specific graphics classes that use Matplotlib to create visual representations of SAST analysis data, such as defect distributions and benchmark performance.
Graphics(sast: SAST, project_name: str)
Base class for generating graphics from SAST results.
Attributes:
| Name | Type | Description |
|---|---|---|
sast |
SAST
|
The SAST tool instance. |
output_dir |
Path
|
The directory containing the analysis results. |
color_mapping |
dict
|
A mapping of categories to colors for plotting. |
plot_functions |
list
|
A list of methods that generate plots. |
limit |
int
|
The maximum number of items to show in top-N plots. |
has_latex |
bool
|
True if a LaTeX installation is found. |
Initialize the Graphics object.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
SAST
|
The SAST tool instance. |
required |
|
str
|
The name of the project or dataset being visualized. |
required |
Methods:
| Name | Description |
|---|---|
export |
Generate, save, and optionally display all registered plots. |
Generate, save, and optionally display all registered plots.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
bool
|
If True, overwrite existing figure files. |
required |
|
bool
|
If True and LaTeX is available, export figures in PGF format. |
required |
|
bool
|
If True, open the generated figures using the default viewer. |
required |
ProjectGraphics(sast: SAST, project_name: str)
Bases: Graphics
Generate graphics for a single project analysis result.
Attributes:
| Name | Type | Description |
|---|---|---|
result |
AnalysisResult
|
The loaded analysis result data. |
Initialize the ProjectGraphics object.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
SAST
|
The SAST tool instance. |
required |
|
str
|
The name of the project. |
required |
Methods:
| Name | Description |
|---|---|
checker_to_category |
Map a checker name to its category. |
plot_overview |
Generate an overview plot with stats by files, checkers, and categories. |
FileDatasetGraphics(sast: SAST, dataset: FileDataset)
Bases: ProjectGraphics
Generate graphics for a file-based dataset benchmark result.
Attributes:
| Name | Type | Description |
|---|---|---|
dataset |
FileDataset
|
The dataset instance used for the benchmark. |
benchmark_data |
FileDatasetData
|
The validated benchmark data. |
Initialize the FileDatasetGraphics object.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
SAST
|
The SAST tool instance. |
required |
|
FileDataset
|
The file-based dataset that was benchmarked. |
required |
Methods:
| Name | Description |
|---|---|
plot_top_cwes |
Generate a plot showing the top predicted CWEs. |
GitRepoDatasetGraphics(sast: SAST, dataset: GitRepoDataset)
Bases: Graphics
Generate graphics for a Git repository-based dataset benchmark result.
Attributes:
| Name | Type | Description |
|---|---|---|
dataset |
GitRepoDataset
|
The dataset instance used for the benchmark. |
results |
list[AnalysisResult]
|
A list of loaded analysis results. |
benchmark_data |
GitRepoDatasetData
|
The validated benchmark data. |
Initialize the GitRepoDatasetGraphics object.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
SAST
|
The SAST tool instance. |
required |
|
GitRepoDataset
|
The Git repository-based dataset that was benchmarked. |
required |
Methods:
| Name | Description |
|---|---|
checker_to_category |
Map a checker name to its category. |
plot_overview |
Generate an overview plot classifying defects. |
plot_top_cwes |
Generate a plot showing the top predicted CWEs. |
plot_defects_per_loc |
Generate a scatter plot of defects found versus lines of code. |
plot_time_per_loc |
Generate a scatter plot of analysis time versus lines of code. |
Generate an overview plot classifying defects.
Returns:
| Type | Description |
|---|---|
Figure
|
A Matplotlib Figure object containing the plot. |
Generate a plot showing the top predicted CWEs.
Returns:
| Type | Description |
|---|---|
Figure
|
A Matplotlib Figure object containing the plot. |
Generate a scatter plot of defects found versus lines of code.
Returns:
| Type | Description |
|---|---|
Figure
|
A Matplotlib Figure object containing the plot. |
Defines the core abstract classes for parsing SAST tool results.
This module provides the Defect and AnalysisResult classes, which serve as
standardized data structures for holding information about vulnerabilities and
the overall analysis process. Each SAST integration must implement a concrete
subclass of AnalysisResult to parse its specific output format.
Defect(
file: Path,
checker: str,
category: str,
cwe: CWE,
message: str,
location: tuple[int] | None,
data: tuple[Any],
)
Represent a single defect or finding reported by a SAST tool.
Attributes:
| Name | Type | Description |
|---|---|---|
sast |
str
|
The name of the SAST tool that reported the defect. |
file |
Path
|
The path to the file where the defect was found. |
file_path |
str
|
The string representation of the file path. |
checker |
str
|
The name of the checker or rule that reported the defect. |
category |
str
|
The category of the checker (e.g., security, performance). |
cwe |
CWE
|
The CWE associated with the defect. |
message |
str
|
The description of the defect. |
location |
tuple[int, int] | None
|
A tuple with the start and end line numbers of the defect. |
data |
tuple[Any]
|
Raw data from the SAST tool for this defect. |
Initialize a Defect instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
Path
|
The file path of the defect. |
required |
|
str
|
The name of the rule/checker. |
required |
|
str
|
The category of the checker. |
required |
|
CWE
|
The CWE associated with the defect. |
required |
|
str
|
The description of the defect. |
required |
|
tuple[int] | None
|
A tuple with start and end line numbers of the defect, or None. |
required |
|
tuple[Any]
|
Raw data from the SAST tool for this defect. |
required |
Methods:
| Name | Description |
|---|---|
__repr__ |
Return a developer-friendly string representation of the Defect. |
AnalysisResult(
name: str,
source_path: Path,
lang: str,
files: list[str],
defects: list[Defect],
time: float,
loc: int,
data: tuple[Any],
)
Bases: ABC
Abstract base class for holding the parsed results of a SAST analysis.
Attributes:
| Name | Type | Description |
|---|---|---|
name |
str
|
The name of the analyzed project or dataset. |
source_path |
Path
|
The path to the analyzed source code. |
lang |
str
|
The primary programming language analyzed. |
files |
list[str]
|
A list of files that were analyzed. |
defects |
list[Defect]
|
A list of |
time |
float
|
The duration of the analysis in seconds. |
loc |
int
|
The number of lines of code analyzed. |
data |
tuple[Any]
|
Raw data from the SAST tool's output. |
Initialize an AnalysisResult instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the analyzed project/dataset. |
required |
|
Path
|
The path to the analyzed source code. |
required |
|
str
|
The programming language of the code. |
required |
|
list[str]
|
A list of analyzed files. |
required |
|
list[Defect]
|
A list of |
required |
|
float
|
The analysis duration in seconds. |
required |
|
int
|
The lines of code analyzed. |
required |
|
tuple[Any]
|
Raw data from the SAST tool's output. |
required |
Methods:
| Name | Description |
|---|---|
__repr__ |
Return a developer-friendly string representation of the AnalysisResult. |
load_from_output_dir |
Load and parse analysis results from a specified directory. |
load_from_output_dirs |
Load and parse analysis results from multiple directories. |
checker_to_category |
Get the category for a given checker name. |
stats_by_checkers |
Calculate statistics on defects, grouped by checker. |
stats_by_categories |
Calculate statistics on defects, grouped by category. |
stats_by_files |
Calculate statistics on defects, grouped by file. |
stats_by_cwes |
Calculate statistics on defects, grouped by CWE ID. |
__repr__() -> str
Return a developer-friendly string representation of the AnalysisResult.
Returns:
| Type | Description |
|---|---|
str
|
A string showing key metrics of the analysis. |
abstractmethod
classmethod
load_from_output_dir(output_dir: Path) -> Self
Load and parse analysis results from a specified directory.
This method must be implemented by subclasses to handle the specific output files of a SAST tool.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
Path
|
The directory containing the raw analysis output files. |
required |
Returns:
| Type | Description |
|---|---|
Self
|
An instance of the |
classmethod
load_from_output_dirs(output_dirs: list[str]) -> list[Self]
stats_by_checkers() -> dict
stats_by_categories() -> dict
stats_by_files() -> dict
Defines the core abstract class and logic for SAST tool integrations.
This module provides the SAST abstract base class, which outlines the
common interface for running a static analysis tool, saving its results, and
performing benchmarks against datasets.
Modules:
| Name | Description |
|---|---|
properties |
Define properties for SAST tool integrations. |
requirements |
Define requirements for SAST tools and their fulfillment status. |
Bases: ABC
Abstract base class for a SAST tool integration.
Subclasses of this abstract class must define various class attributes to configure the integration with a specific SAST tool.
Attributes:
| Name | Type | Description |
|---|---|---|
name |
str
|
The name of the SAST tool. |
supported_languages |
list[str]
|
A list of supported programming languages. |
supported_dataset_names |
list[str]
|
Names of compatible datasets. |
supported_datasets |
list[Dataset]
|
A list of supported dataset classes. |
properties |
SASTProperties
|
The properties of the SAST tool. |
requirements |
SASTRequirements
|
The requirements for the SAST tool. |
commands |
list[list[str]]
|
Command-line templates to be executed. |
environ |
dict[str, str]
|
Environment variables to set for commands. |
output_files |
list[tuple[Path, bool]]
|
Expected output files and whether they are required. |
parser |
type[AnalysisResult]
|
The parser class for the tool's results. |
color_mapping |
dict
|
A mapping of result categories to colors for plotting. |
install_help |
str | None
|
An optional string with installation help. |
output_dir |
Path
|
(Instance attribute) The base directory for storing analysis results. |
status |
str
|
(Instance attribute) The operational status ('full', 'partial', or 'none') determined by fulfilled requirements. |
missing |
list
|
(Instance attribute) A list of unfulfilled requirements for the tool. |
Initialize the SAST instance.
Set up the list of supported dataset objects based on the
supported_dataset_names class attribute and define the tool-specific
output directory.
Methods:
| Name | Description |
|---|---|
render_command |
Render a command template by replacing placeholders with values. |
run_analysis |
Run the SAST analysis on a given project directory. |
save_results |
Save the results of a SAST analysis. |
analyze_files |
Analyze a dataset composed of individual files. |
analyze_repos |
Analyze a dataset composed of Git repositories. |
list_results |
List the names of available analysis results. |
instance-attribute
property
Render a command template by replacing placeholders with values.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
list[str]
|
The command template as a list of strings. |
required |
|
dict[str, str]
|
A dictionary of placeholders to their replacement values. |
required |
Returns:
| Type | Description |
|---|---|
list[str]
|
The rendered command as a list of strings. |
run_analysis(
lang: str,
project_dir: Path,
output_dir: Path,
**kwargs: Any,
) -> None
Run the SAST analysis on a given project directory.
Execute the tool's commands, time the analysis, calculate LoC, and save the results.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The programming language of the project. |
required |
|
Path
|
The path to the project's source code. |
required |
|
Path
|
The path to save the analysis results. |
required |
|
Any
|
Additional tool-specific arguments. |
{}
|
save_results(
project_dir: Path, output_dir: Path, extra: dict
) -> None
Save the results of a SAST analysis.
Copy the tool's output files and save any extra metadata to the result directory.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
Path
|
The directory where the analysis was run. |
required |
|
Path
|
The directory where results should be saved. |
required |
|
dict
|
A dictionary of extra metadata to save as JSON. |
required |
Analyze a dataset composed of individual files.
Set up a temporary directory, save the dataset files, run the analysis, and clean up.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
FileDataset
|
The |
required |
|
bool
|
If True, overwrite existing results for this dataset. |
False
|
|
bool
|
If True, run analysis on a sample of two random files for testing purposes. |
False
|
Analyze a dataset composed of Git repositories.
Iterate through each repository in the dataset, clone it, check out the specified commit, run the analysis, and save the results.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
GitRepoDataset
|
The |
required |
|
bool
|
If True, re-analyze repositories with existing results. |
False
|
|
bool
|
If True, run analysis on a sample of two small random repositories for testing purposes. |
False
|
list_results(
project: bool = False,
dataset: bool = False,
limit: int | None = None,
) -> list[str]
List the names of available analysis results.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
bool
|
If True, include results from local project analyses. |
False
|
|
bool
|
If True, include results from dataset benchmarks. |
False
|
|
int | None
|
An optional limit on the number of results to return. |
None
|
Returns:
| Type | Description |
|---|---|
list[str]
|
A sorted list of result directory names. |
Bases: SAST
Represent a SAST tool that requires a pre-built project.
Methods:
| Name | Description |
|---|---|
analyze_files |
Analyze a pre-built file-based dataset. |
analyze_files(
dataset: PrebuiltFileDataset,
overwrite: bool = False,
testing: bool = False,
) -> None
Analyze a pre-built file-based dataset.
Check if the dataset has been built. If not, provide build instructions. Otherwise, run the analysis on the pre-built files.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
PrebuiltFileDataset
|
The |
required |
|
bool
|
If True, overwrite existing results for this dataset. |
False
|
|
bool
|
If True, run analysis on a sample of two random files for testing. |
False
|
Define properties for SAST tool integrations.
Represent properties of a SAST tool.
Initialize a SASTProperties instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
bool
|
A boolean indicating if the tool is free to use. |
required |
|
bool
|
A boolean indicating if the tool can run without an internet connection. |
required |
Attributes:
| Name | Type | Description |
|---|---|---|
free |
|
|
offline |
|
Define requirements for SAST tools and their fulfillment status.
SASTRequirement(
name: str,
instruction: str | None = None,
url: str | None = None,
doc: bool = False,
)
Bases: ABC
Represent a single requirement for a SAST tool to be functional.
Initialize a SASTRequirement instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the requirement. |
required |
|
str | None
|
A short instruction on how to download the requirement. |
None
|
|
str | None
|
A URL for more detailed instructions. |
None
|
|
bool
|
A flag indicating if the instruction is available in the documentaton. |
False
|
Methods:
| Name | Description |
|---|---|
is_fulfilled |
Check if the requirement is met. |
__repr__ |
Return a developer-friendly string representation of the requirement. |
Attributes:
| Name | Type | Description |
|---|---|---|
name |
|
|
instruction |
|
|
url |
|
|
doc |
|
DownloadableRequirement(
name: str,
instruction: str | None = None,
url: str | None = None,
doc: bool = False,
)
Bases: SASTRequirement
Represent a SAST requirement that can be downloaded automatically.
Initialize a DownloadableRequirement instance.
Sets a standard instruction message on how to download the requirement using the CLI.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the requirement. |
required |
|
str | None
|
A short instruction on how to download the requirement. |
None
|
|
str | None
|
A URL for more detailed instructions. |
None
|
|
bool
|
A flag indicating if the instruction is available in the documentaton. |
False
|
Methods:
| Name | Description |
|---|---|
download |
Download the requirement. |
Bases: SASTRequirement
Represent a configuration file requirement for a SAST tool.
Initialize a Config instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the requirement. |
required |
|
str | None
|
A short instruction on how to download the requirement. |
None
|
|
str | None
|
A URL for more detailed instructions. |
None
|
|
bool
|
A flag indicating if the instruction is available in the documentaton. |
False
|
Methods:
| Name | Description |
|---|---|
is_fulfilled |
Check if the configuration file exists for the given SAST tool. |
Bases: SASTRequirement
Represent a binary executable requirement for a SAST tool.
Initialize a Binary instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the requirement. |
required |
|
str | None
|
A short instruction on how to download the requirement. |
None
|
|
str | None
|
A URL for more detailed instructions. |
None
|
|
bool
|
A flag indicating if the instruction is available in the documentaton. |
False
|
Methods:
| Name | Description |
|---|---|
is_fulfilled |
Check if the binary is available in the system's PATH. |
GitRepo(
name: str,
repo_url: str,
license: str,
license_url: str,
instruction: str | None = None,
url: str | None = None,
doc: bool = False,
)
Bases: DownloadableRequirement
Represent a Git repository requirement that can be downloaded.
Initialize a GitRepo requirement instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the requirement. |
required |
|
str
|
The URL of the Git repository to clone. |
required |
|
str
|
The license of the repository. |
required |
|
str
|
A URL for the repository's license. |
required |
|
str | None
|
A short instruction on how to download the requirement. |
None
|
|
str | None
|
A URL for more detailed instructions. |
None
|
|
bool
|
A flag indicating if the instruction is available in the documentaton. |
False
|
Methods:
| Name | Description |
|---|---|
is_fulfilled |
Check if the Git repository has been cloned. |
download |
Prompt for license agreement and clone the Git repository. |
Attributes:
| Name | Type | Description |
|---|---|---|
repo_url |
|
|
license |
|
|
license_url |
|
|
directory |
|
File(
name: str,
parent_dir: Path,
file_url: str,
license: str,
license_url: str,
instruction: str | None = None,
url: str | None = None,
doc: bool = False,
)
Bases: DownloadableRequirement
Represent a file requirement that can be downloaded.
Initialize a File requirement instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
str
|
The name of the requirement. |
required |
|
Path
|
The directory where the file should be saved. |
required |
|
str
|
The URL to download the file from. |
required |
|
str
|
The license of the file. |
required |
|
str
|
A URL for the file's license. |
required |
|
str | None
|
A short instruction on how to download the requirement. |
None
|
|
str | None
|
A URL for more detailed instructions. |
None
|
|
bool
|
A flag indicating if the instruction is available in the documentaton. |
False
|
Methods:
| Name | Description |
|---|---|
is_fulfilled |
Check if the file has been downloaded. |
download |
Prompt for license agreement and download the file. |
Attributes:
| Name | Type | Description |
|---|---|---|
parent_dir |
|
|
file_url |
|
|
license |
|
|
license_url |
|
SASTRequirements(
full_reqs: list[SASTRequirement],
partial_reqs: list[SASTRequirement],
)
Manage the requirements for a SAST tool and determine its operational status.
Initialize a SASTRequirements instance.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
|
list[SASTRequirement]
|
A list of requirements for full functionality. |
required |
|
list[SASTRequirement]
|
A list of requirements for partial functionality. |
required |
Methods:
| Name | Description |
|---|---|
get_status |
Determine the operational status (full, partial, none) based on fulfilled requirements. |
get_missing |
Get a list of all unfulfilled requirements. |
Attributes:
| Name | Type | Description |
|---|---|---|
name |
|
|
full |
|
|
partial |
|
|
all |
|
Determine the operational status (full, partial, none) based on fulfilled requirements.