@andresriancho
Last active July 23, 2018 21:44
Ideas for source code review plugin for Atom

User story

As an application security expert, I use Atom to read source code. I would like a plugin with features that help me identify vulnerabilities.

Ideas

  • Add annotations to the source code: select a few lines of code, right-click, choose "Add annotation", type comments on the selected code in the text box that appears, and click "Save". All annotations can be seen in a tab. Code that has annotations is highlighted differently (changed background color).

  • The plugin implements methods for searching for XSS, SQL injection, etc., and adds a menu that gives the user the option to find all types of vulnerabilities or just a specific type. When the user clicks on an option, a search-results pane (similar to the one from Ctrl+Shift+F) appears. The search shows the matching line and +/-5 lines of context. When the user clicks on a match, the source code file is opened and the match is highlighted. The user should have a quick way to triage the search results using keyboard shortcuts: Ctrl++ means "needs manual review", Ctrl+- means "false positive". False positives are removed from the vulnerability search. Both tags are shown when the user reads a specific file.

  • The vulnerability search should look similar to visual code grep

  • Vulnerability search should be based on:

    • Regular expressions
    • Results of calling other tools: retire.js, brakeman, etc.

  • If supported by Atom (through other plugins), it would be nice to obtain a call graph for a function. The call graph would ideally be clickable, to browse to the function definitions.
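
As an added example that is not code from the gist or from any Atom plugin, here is the regex-based search with context and false-positive triage sketched above, written in plain JavaScript (Atom's plugin language); the `scanSource`/`applyTriage` functions, the two rule patterns and the sample file are assumptions for illustration.

```javascript
// Added example, not part of the gist: regex vulnerability search with
// +/-5 lines of context and Ctrl++/Ctrl+- triage. RULES and the sample
// file are constructed assumptions, not an Atom API or a real rule set.
const RULES = [
  { type: 'xss', re: /\.innerHTML\s*=|document\.write\(/ },
  { type: 'sqli', re: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*['"]\s*\+/i },
];

// Scan one file's text; return one result per matching line with the
// surrounding context lines, as the search-results pane would show them.
function scanSource(path, text, types = null, context = 5) {
  const lines = text.split('\n');
  const results = [];
  lines.forEach((line, idx) => {
    for (const rule of RULES) {
      if (types && !types.includes(rule.type)) continue;
      if (!rule.re.test(line)) continue;
      const start = Math.max(0, idx - context);
      const end = Math.min(lines.length, idx + context + 1);
      results.push({
        id: `${path}:${idx + 1}:${rule.type}`, // stable key for triage tags
        path, line: idx + 1, type: rule.type, match: line.trim(),
        context: lines.slice(start, end),
      });
    }
  });
  return results;
}

// triage maps a result id to 'review' (Ctrl++) or 'fp' (Ctrl+-). False
// positives drop out of the search; other results keep their tag so the
// file view can still display both.
function applyTriage(results, triage) {
  return results
    .filter(r => triage.get(r.id) !== 'fp')
    .map(r => ({ ...r, tag: triage.get(r.id) || null }));
}
// Constructed sample file standing in for an open editor buffer.
const SAMPLE_PATH = 'app/views/profile.js';
const SAMPLE = [
  'function render(user) {',
  '  const q = "SELECT * FROM users WHERE name = \'" + user.name + "\'";',
  '  db.query(q);',
  '  box.innerHTML = user.bio;',
  '  box.innerHTML = DOMPurify.sanitize(user.bio2);',
  '}',
].join('\n');
// Reviewer marks line 4 for manual review and the sanitized line 5 as a false positive.
const TRIAGE = new Map([[`${SAMPLE_PATH}:4:xss`, 'review'], [`${SAMPLE_PATH}:5:xss`, 'fp']]);
```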

Why Atom

  • Using an IDE like IntelliJ IDEA would most likely make the tool "Java only".
  • Extensible and light

Requirements

  • Usability
  • Keyboard shortcuts everywhere
  • Vulnerability search, annotated code, etc. should be visually appealing

What this is not

An automated tool to identify web application vulnerabilities.
