A static analysis tool for finding common Forge vulnerabilities.
Usage: fsrt [OPTIONS] [DIRS]...
Arguments:
[DIRS]... The directory to scan. Assumes there is a `manifest.ya?ml` file in the top level directory, and that the source code is located in `src/`
Options:
-d, --debug
--callgraph Dump a graphviz formatted callgraph
--cfg Dump a graphviz formatted control flow graph of the function specified in `--function`
-f, --function <FUNCTION> A specific function to scan. Must be an entrypoint specified in `manifest.yml`
-h, --help Print help information
-V, --version Print version information
You will need to install Rust to compile FSRT
. You can install Rust
through Rustup or through your distro's package manager. You will also
need Cargo, which comes by default with most Rust toolchains
.1
latest stable release, and adding the toolchain
Installing from source:
git clone https://github.com/atlassian-labs/FSRT.git
cd FSRT
cargo install --path crates/fsrt
or alternatively:
cargo install --git https://github.com/atlassian-labs/FSRT
To run the test suite:
cargo test
There are also two sample vulnerable Forge apps for testing. In the future these will be added to the test-suite, but
until then you can test fsrt
by manually invoking:
fsrt ./test-apps/jira-damn-vulnerable-forge-app
Contributions to FSRT are welcome! Please see CONTRIBUTING.md for details.
Copyright (c) 2022 Atlassian and others.
FSRT is dual licensed under the MIT and Apache 2.0 licenses.
See LICENSE-APACHE and LICENSE-MIT for details.
Footnotes
-
Cargo is technically not required if you want to download every dependency, invoke
rustc
, and link everything manually. However, I wouldn't recommend doing this unless you're extremely bored. ↩