
Repository Details

Post Processor for Facebook Static Analysis Tools.

SAPP

SAPP stands for Static Analysis Post Processor. SAPP takes the raw results of Pysa and Mariana Trench, and makes them explorable both through a command-line interface and a web UI.

SAPP is also available on GitHub Marketplace as a GitHub Action.

Installation

To run SAPP, you will need Python 3.7 or later. SAPP can be installed through PyPI with pip install fb-sapp.

Getting Started

This guide assumes that you have results from a Pysa run saved in an ~/example directory. If you are new to Pysa, the Pysa tutorial will get you to that point.

Processing the Results

The postprocessing will translate the raw output containing models for every analyzed function into a format that is more suitable for exploration.

[~/example]$ sapp --database-name sapp.db analyze taint-output.json

After the results have been processed, we can explore them through the web UI or the command-line interface. We will briefly look at both methods here.

Web Interface

Start the web interface with

[~/example]$ sapp --database-name sapp.db server --source-directory=<WHERE YOUR CODE LIVES>

and visit http://localhost:13337 in your browser (note: the URL the server prints to the console on startup currently will not work). You will be presented with a list of issues that provide access to example traces.

Command-Line Interface

The same information can be accessed through the command-line interface:

[~/example]$ sapp --database-name sapp.db explore

This will launch a custom IPython interface connected to the SQLite database. In this mode, you can dig into the issues that Pysa surfaces. The following is an example of how to use the various commands.

Start by listing all known issues:

==========================================================
Interactive issue exploration. Type 'help' for help.
==========================================================

[ run 1 ]
>>> issues
Issue 1
    Code: 5001
 Message: Possible shell injection Data from [UserControlled] source(s) may reach [RemoteCodeExecution] sink(s)
Callable: source.convert
 Sources: input
   Sinks: os.system
Location: source.py:9|22|32
Found 1 issues with run_id 1.

As expected, we have 1 issue. To select it:

[ run 1 ]
>>> issue 1
Set issue to 1.

Issue 1
    Code: 5001
 Message: Possible shell injection Data from [UserControlled] source(s) may reach [RemoteCodeExecution] sink(s)
Callable: source.convert
 Sources: input
   Sinks: os.system
Location: source.py:9|22|32

View how the data flows from source to sink:

[ run 1 > issue 1 > source.convert ]
>>> trace
     # ⎇  [callable]       [port]      [location]
     1    leaf             source      source.py:8|17|22
 --> 2    source.convert   root        source.py:9|22|32
     3    source.get_image formal(url) source.py:9|22|32
     4    leaf             sink        source.py:5|21|28

Move to the next callable:

[ run 1 > issue 1 > source.convert ]
>>> n
     # ⎇  [callable]       [port]      [location]
     1    leaf             source      source.py:8|17|22
     2    source.convert   root        source.py:9|22|32
 --> 3    source.get_image formal(url) source.py:9|22|32
     4    leaf             sink        source.py:5|21|28

Show the source code at that callable:

[ run 1 > issue 1 > source.get_image ]
>>> list
In source.convert [source.py:9|22|32]
     4      command = "wget -q https:{}".format(url)
     5      return os.system(command)
     6
     7  def convert() -> None:
     8      image_link = input("image link: ")
 --> 9      image = get_image(image_link)
                              ^^^^^^^^^^

Move to the next callable and show source code:

[ run 1 > issue 1 > source.get_image ]
>>> n
     # ⎇  [callable]       [port]      [location]
     1    leaf             source      source.py:8|17|22
     2    source.convert   root        source.py:9|22|32
     3    source.get_image formal(url) source.py:9|22|32
 --> 4    leaf             sink        source.py:5|21|28

[ run 1 > issue 1 > leaf ]
>>> list
In source.get_image [source.py:5|21|28]
     1  import os
     2
     3  def get_image(url: str) -> int:
     4      command = "wget -q https:{}".format(url)
 --> 5      return os.system(command)
                             ^^^^^^^
     6
     7  def convert() -> None:
     8      image_link = input("image link: ")
     9      image = get_image(image_link)

Jump to the first callable and show source code:

[ run 1 > issue 1 > leaf ]
>>> jump 1
     # ⎇  [callable]       [port]      [location]
 --> 1    leaf             source      source.py:8|17|22
     2    source.convert   root        source.py:9|22|32
     3    source.get_image formal(url) source.py:9|22|32
     4    leaf             sink        source.py:5|21|28

[ run 1 > issue 1 > leaf ]
>>> list
In source.convert [source.py:8|17|22]
     3  def get_image(url: str) -> int:
     4      command = "wget -q https:{}".format(url)
     5      return os.system(command)
     6
     7  def convert() -> None:
 --> 8      image_link = input("image link: ")
                         ^^^^^
     9      image = get_image(image_link)

Help

You can refer to the help command to get more information about available commands in the command-line interface.

$ sapp --help
Usage: sapp [OPTIONS] COMMAND [ARGS]...

Options:
  -v, --verbosity LVL             Either CRITICAL, ERROR, WARNING, INFO or
                                  DEBUG
  -r, --repository DIRECTORY      Root of the repository (regardless of the
                                  directory analyzed)
  --database-name, --dbname FILE
  --database-engine, --database [sqlite|memory]
                                  database engine to use
  --tool [pysa|mariana-trench]    tool the data is coming from
  -h, --help                      Show this message and exit.

Commands:
  analyze  parse static analysis output and save to disk
  explore  interactive exploration of issues
  filter
  lint     Output DB models in a lint-friendly format
  server   backend flask server for exploration of issues
  update

Terminology

A single SAPP database can keep track of more than just a single run. This opens up the possibility of reasoning about newly introduced issues in a codebase.

Every invocation of

[~/example]$ sapp --database-name sapp.db analyze taint-output.json

will add a single run to the database. An issue can exist over multiple runs (we typically call the issue as seen in a single run an instance). You can select a run from the web UI and look at all the instances of that run. In the filter menu you can also choose to show only the instances of issues that are newly introduced in that run.

Each instance consists of a data flow from a particular source kind (e.g. user-controlled input) into a callable (i.e. a function or method), and a data flow from that callable into a particular sink kind (e.g. RCE).

Note: the data can come from different sources of the same kind and flow into different sinks of the same kind. The traces view of a single instance represents a multitude of traces, not just a single trace.

Filters

SAPP filters include or exclude issues based on the issue properties you choose. Filters are useful for removing noise from the output of your static analysis tool, so you can focus on the particular properties of issues you care about.

Filters can be managed through the web interface or through the subcommands of sapp filter.

File Format

A filter is required to have a name and at least one other key, excluding description. Filters can be stored as JSON in the following format:

{
  "name": "Name of filter",
  "description": "Description for the filter",
  "features": [
    {
      "mode": "all of",
      "features": ["via:feature1", "feature2"]
    },
    {
      "mode": "any of",
      "features": ["always-via:feature3"]
    },
    {
      "mode": "none of",
      "features": ["type:feature5"]
    }
  ],
  "codes": [5005],
  "paths": ["filename.py"],
  "callables": ["main.function_name"],
  "traceLengthFromSources": [0, 3],
  "traceLengthToSinks": [0, 5],
  "is_new_issue": false
}
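The following module is an added example, not SAPP's own code: it applies a filter document of the shape above to a set of instances spanning two runs, so the Terminology and Filters sections can be read together. The `Instance` record, the substring matching for `paths` and `callables`, the (code, callable, file) identity used to decide which issues are new, the reading of `is_new_issue: true` as "only issues first seen in this run", and the sample feature strings are all assumptions made for the example; SAPP's real matcher works on its SQLite database and may differ in these details.

```python
import json
from dataclasses import dataclass

ALLOWED_KEYS = {
    "name", "description", "features", "codes", "paths", "callables",
    "traceLengthFromSources", "traceLengthToSinks", "is_new_issue",
}
FEATURE_MODES = {"all of", "any of", "none of"}


def load_filter(text: str) -> dict:
    """Parse a filter JSON document and enforce the documented constraints:
    a non-empty name, at least one key besides name/description, known keys
    only, valid feature modes, and trace-length ranges given as [min, max]."""
    flt = json.loads(text)
    if not isinstance(flt.get("name"), str) or not flt["name"]:
        raise ValueError("filter needs a non-empty 'name'")
    unknown = set(flt) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown filter keys: {sorted(unknown)}")
    if not (set(flt) - {"name", "description"}):
        raise ValueError("filter needs at least one key besides name/description")
    for group in flt.get("features", []):
        if group.get("mode") not in FEATURE_MODES or not group.get("features"):
            raise ValueError(f"bad feature group: {group!r}")
    for key in ("traceLengthFromSources", "traceLengthToSinks"):
        if key in flt:
            lo, hi = flt[key]
            if lo < 0 or lo > hi:
                raise ValueError(f"{key} must be [min, max] with 0 <= min <= max")
    return flt


@dataclass(frozen=True)
class Instance:
    """Stand-in for one SAPP instance (an issue as seen in one run).
    The field set is an assumption for this example, not SAPP's schema."""
    run_id: int
    code: int
    callable: str
    path: str
    features: frozenset
    trace_length_from_sources: int
    trace_length_to_sinks: int

    def issue_key(self) -> tuple:
        # Assumed identity of an issue across runs: same code, callable and file.
        return (self.code, self.callable, self.path)


def new_issue_keys(instances, run_id: int) -> set:
    """Keys of issues whose first appearance is `run_id` (no earlier instance)."""
    earlier = {i.issue_key() for i in instances if i.run_id < run_id}
    return {i.issue_key() for i in instances if i.run_id == run_id} - earlier


def _features_ok(groups, have: frozenset) -> bool:
    for group in groups:
        wanted, mode = set(group["features"]), group["mode"]
        if mode == "all of" and not wanted <= have:
            return False
        if mode == "any of" and not (wanted & have):
            return False
        if mode == "none of" and (wanted & have):
            return False
    return True


def matches(flt: dict, inst: Instance, is_new: bool) -> bool:
    """True when every key present in the filter accepts the instance."""
    if "codes" in flt and inst.code not in flt["codes"]:
        return False
    if "paths" in flt and not any(p in inst.path for p in flt["paths"]):
        return False
    if "callables" in flt and not any(c in inst.callable for c in flt["callables"]):
        return False
    if "features" in flt and not _features_ok(flt["features"], inst.features):
        return False
    for key, value in (("traceLengthFromSources", inst.trace_length_from_sources),
                       ("traceLengthToSinks", inst.trace_length_to_sinks)):
        if key in flt and not flt[key][0] <= value <= flt[key][1]:
            return False
    # Assumption: true restricts to newly introduced issues, false adds no constraint.
    return not (flt.get("is_new_issue") and not is_new)


def apply_filter(flt: dict, instances, run_id: int) -> list:
    """Instances of `run_id` that pass the filter, in input order."""
    new_keys = new_issue_keys(instances, run_id)
    return [i for i in instances
            if i.run_id == run_id and matches(flt, i, i.issue_key() in new_keys)]


# Constructed data: run 1 holds the walkthrough's issue (code 5001 in
# source.convert); run 2 re-reports it and adds two further instances.
INSTANCES = [
    Instance(1, 5001, "source.convert", "source.py", frozenset({"via:format"}), 1, 2),
    Instance(2, 5001, "source.convert", "source.py", frozenset({"via:format"}), 1, 2),
    Instance(2, 5001, "source.fetch", "source.py", frozenset({"via:format"}), 1, 1),
    Instance(2, 6065, "settings.load", "config/settings.py",
             frozenset({"type:sanitized"}), 0, 1),
]

# Constructed filter exercising every documented key.
FILTER_JSON = """{
  "name": "shell injection in source.py",
  "description": "RCE sinks fed by user input, short traces only",
  "features": [{"mode": "all of", "features": ["via:format"]},
               {"mode": "none of", "features": ["type:sanitized"]}],
  "codes": [5001], "paths": ["source.py"], "callables": ["source."],
  "traceLengthFromSources": [0, 3], "traceLengthToSinks": [0, 5],
  "is_new_issue": false
}"""

if __name__ == "__main__":
    flt = load_filter(FILTER_JSON)
    for run in (1, 2):
        hits = apply_filter(flt, INSTANCES, run)
        print(f"run {run}: {[i.callable for i in hits]} match {flt['name']!r}")
    print("new in run 2:", sorted(new_issue_keys(INSTANCES, 2)))
```

Dropping keys from the filter relaxes the match; a document with only `name` and `description` is rejected by `load_filter`, as the format requires. Flipping `is_new_issue` to `true` on the same filter keeps only `source.fetch` in run 2, since `source.convert` already had an instance in run 1.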

You can find some example filters to reference in the pyre-check repository.

Importing filters

You can import a filter from a file by running:

[~/example]$ sapp --database-name sapp.db filter import filter-filename.json

You can also import all filters within a directory by running:

[~/example]$ sapp --database-name sapp.db filter import path/to/list_of_filters

Exporting filters

You can view a filter in a SAPP DB by running:

[~/example]$ sapp --database-name sapp.db filter export "filter name"

You can export a filter from a SAPP DB to a file by running:

[~/example]$ sapp --database-name sapp.db filter export "filter name" --output-path /path/to/filename.json

Deleting filters

You can delete filters by name with:

[~/example]$ sapp --database-name sapp.db filter delete "filter name 1" "filter name 2" "filter name 3"

Filtering list of issues

You can apply a filter to a list of issues by run number. For example, the following command will show you a list of issues after applying example-filter to run 1:

[~/example]$ sapp --database-name sapp.db filter issues 1 example-filter.json

You can also apply a directory of filters to the issues of a single run. SAPP applies each filter in the directory individually and merges the results into one list of issues. For example, the following command shows the issues of run 1 that pass at least one filter in list_of_filters:

[~/example]$ sapp --database-name sapp.db filter issues 1 path/to/list_of_filters

SARIF Output

You can get the output of a filtered run in SARIF by first storing warning codes information from the static analysis tool in SAPP:

sapp --database-name sapp.db update warning-codes taint-metadata.json

Then running sapp filter issues with --output-format=sarif:

sapp --database-name sapp.db filter issues 1 path/to/list_of_filters --output-format sarif
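As an added example that is not part of SAPP, a short Python check for a SARIF 2.1.0 report such as the one the command above writes: it flattens results to rule, level, file and line, counts results per rule, and lists rule IDs that have no entry in `tool.driver.rules`. An undeclared rule ID is the kind of gap you would expect when the warning-codes metadata step was skipped (an inference from the two-step procedure above, not a documented guarantee). `SAMPLE_SARIF` is constructed for the example, with the walkthrough's issue as its first result; it is not captured SAPP output, and real reports may carry more fields than are read here.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document, not real SAPP output. The first result
# mirrors the issue from the walkthrough (code 5001, source.py:9|22|32);
# the second deliberately uses a rule with no metadata in tool.driver.rules.
SAMPLE_SARIF = """{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Pysa", "rules": [
      {"id": "5001", "name": "RemoteCodeExecution",
       "shortDescription": {"text": "Possible shell injection"}}
    ]}},
    "results": [
      {"ruleId": "5001", "level": "error",
       "message": {"text": "Possible shell injection Data from [UserControlled] source(s) may reach [RemoteCodeExecution] sink(s)"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "source.py"},
         "region": {"startLine": 9, "startColumn": 22, "endColumn": 32}}}]},
      {"ruleId": "6065", "level": "warning",
       "message": {"text": "constructed finding whose rule has no metadata"},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "config/settings.py"},
         "region": {"startLine": 3}}}]}
    ]
  }]
}"""


def load_sarif(text: str) -> dict:
    """Parse the report and check the minimum structure every SARIF 2.1.0 file has."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF report has no runs")
    for run in runs:
        if "driver" not in run.get("tool", {}):
            raise ValueError("run is missing tool.driver")
    return doc


def findings(doc: dict) -> list:
    """Flatten every result to (ruleId, level, file uri, start line).
    Results without a location yield None for uri and line."""
    rows = []
    for run in doc["runs"]:
        for res in run.get("results", []):
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri")
            line = phys.get("region", {}).get("startLine")
            # SARIF defines "warning" as the default level when a result omits it.
            rows.append((res.get("ruleId"), res.get("level", "warning"), uri, line))
    return rows


def counts_by_rule(doc: dict) -> dict:
    """Number of results per ruleId across all runs."""
    return dict(Counter(rule for rule, _, _, _ in findings(doc)))


def undeclared_rules(doc: dict) -> set:
    """ruleIds used by results but absent from tool.driver.rules."""
    declared = {rule.get("id") for run in doc["runs"]
                for rule in run["tool"]["driver"].get("rules", [])}
    return {rule for rule, _, _, _ in findings(doc)} - declared


if __name__ == "__main__":
    report = load_sarif(SAMPLE_SARIF)
    for rule, level, uri, line in findings(report):
        print(f"{level:8} {rule:6} {uri}:{line}")
    print("per rule:", counts_by_rule(report))
    print("rules without metadata:", sorted(undeclared_rules(report)))
```

Point the script at the file written by `sapp filter issues ... --output-format sarif` instead of `SAMPLE_SARIF` to check a real report; a non-empty set from `undeclared_rules` is the signal to re-run `sapp update warning-codes` with the tool's metadata before exporting again.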

Development Environment Setup

Start by cloning the repo and setting up a virtual environment:

$ git clone git@github.com:facebook/sapp.git && cd sapp
$ python3 -m venv ~/.venvs/sapp
$ source ~/.venvs/sapp/bin/activate
(sapp) $ pip3 install -r requirements.txt

Run the flask server in debug mode:

(sapp) $ python3 -m sapp.cli server --debug

Parse static analysis output and save to disk:

(sapp) $ python3 -m sapp.cli analyze taint-output.json

Installing dependencies for frontend:

(sapp) $ cd sapp/ui/frontend && npm install

To run SAPP with hot reloading of the Web UI, you need to have the frontend and backend running simultaneously. In a production environment, the frontend application is compiled and served directly by the backend on port 13337. In a development environment, the frontend runs on port 3000 by default (unless the PORT environment variable is set) and the backend runs on port 13337. The --debug flag tells SAPP to run in the development environment.

Run the flask server and react app in development mode:

(sapp) $ python3 -m sapp.cli server --debug
(sapp) $ cd sapp/ui/frontend && npm run-script start

Then visit http://localhost:3000 (or http://<HOST>:<PORT> if you have set the HOST and/or PORT environment variable).

License

SAPP is licensed under the MIT license.
