FSRT - Forge Security Requirements Tester

A static analysis tool for finding common Forge vulnerabilities.

Usage

Usage: fsrt [OPTIONS] [DIRS]...

Arguments:
  [DIRS]...  The directory to scan. Assumes there is a `manifest.ya?ml` file in the top level directory, and that the source code is located in `src/`

  Options:
    -d, --debug
        --dump-ir <DUMP_IR> Dump the IR for the specified function.
    -dt, --dump-dt <DUMP_DOM_TREE> Dump the Dominator Tree for the specified app
    -f, --function <FUNCTION>  A specific function to scan. Must be an entrypoint specified in `manifest.yml`
    -h, --help                 Print help information
    -V, --version              Print version information

Installation

You will need to install Rust to compile FSRT. You can install Rust through Rustup or through your distro's package manager. You will also need Cargo, which comes by default with most Rust toolchains.¹ latest stable release, and adding the toolchain

Installing from source:

git clone https://github.com/atlassian-labs/FSRT.git
cd FSRT
cargo install --path crates/fsrt

or alternatively:

cargo install --git https://github.com/atlassian-labs/FSRT

Tests

To run the test suite:

cargo test

There are also two sample vulnerable Forge apps for testing. In the future these will be added to the test-suite, but until then you can test fsrt by manually invoking:

fsrt ./test-apps/jira-damn-vulnerable-forge-app

Contributions

Contributions to FSRT are welcome! Please see CONTRIBUTING.md for details.

License

Copyright (c) 2022 Atlassian and others.

FSRT is dual licensed under the MIT and Apache 2.0 licenses.

See LICENSE-APACHE and LICENSE-MIT for details.

Footnotes

1. Cargo is technically not required if you want to download every dependency, invoke rustc, and link everything manually. However, I wouldn't recommend doing this unless you're extremely bored. ↩