[erlang-questions] Security scanning tools for Erlang?

Andrew Varner drew.varner@REDACTED
Thu Oct 27 09:46:21 CEST 2016


Static analysis of Erlang for security issues could be useful.

SQL and other database query language injection is still a problem in Erlang. Writing checks for each of the forks of each database driver is an added thrill. Shell injection from calls like os:cmd/1 and erlang:open_port/2 is possible. Erlang-specific denial of service attacks can leverage system limits on atoms or ETS tables. Flagging on *_to_atom/1 and recommending *_to_existing_atom/1 would be nice. Parsing user-provided URIs using http_uri:parse/1 or parse/2 without a validation function opens the atom table to exploitation, since these functions call list_to_atom/1 under the covers. Certain built-in libraries can be called in an unsafe fashion. Functions in the ssl library could be called without options set for certificate revocation list (CRL) or could use verify_none. Erlang code can still fall victim to standard coding vulnerabilities like input sanitization, race conditions (e.g. temp files), etc.

You could probably implement rules to detect this in Elvis (https://github.com/inaka/elvis).

> On Oct 26, 2016, at 1:23 PM, Garry Hodgson <garry@REDACTED> wrote:
> 
> We are using Erlang for some specialized components in a much larger system. That system now requires that all code must be scanned using an automated tool (e.g. HP's Fortify) that looks for security issues. Fortify does not handle Erlang, and has no plans to do so. Does anyone know of any commercial or Open Source security scanning tools for Erlang code?
> 
> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/index.html
> 
> Thanks
> 
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
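As an added example (not code from this thread, from Elvis, or from OTP), here is a minimal AST-based checker for the sinks Andrew lists, written with OTP's standard syntax_tools and epp_dodger; the module name erl_sec_scan and the sink list are assumptions, and the verify_none check flags any atom of that name, so hits still need a human look.

```erlang
%% Added example: flag risky calls in an Erlang source file (Elvis-style rule prototype).
-module(erl_sec_scan).
-export([scan_file/1, scan_forms/1]).

%% {Module, Function} -> advice. Arity is deliberately ignored so every variant is caught.
sinks() ->
    #{{erlang, list_to_atom}   => "prefer list_to_existing_atom/1 (atom table exhaustion)",
      {erlang, binary_to_atom} => "prefer binary_to_existing_atom/2 (atom table exhaustion)",
      {os, cmd}                => "shell injection if the argument is user-controlled",
      {erlang, open_port}      => "shell injection with {spawn, Cmd}; prefer spawn_executable",
      {http_uri, parse}        => "calls list_to_atom/1 on the scheme; pass a scheme_validation_fun"}.

%% epp_dodger parses without macro expansion, so it tolerates files that will not compile.
scan_file(Path) ->
    {ok, Forms} = epp_dodger:parse_file(Path),
    scan_forms(Forms).

%% Returns [{Line, Advice}] sorted by line.
scan_forms(Forms) ->
    Findings = lists:foldl(fun(Form, Acc) -> erl_syntax_lib:fold(fun check/2, Acc, Form) end,
                           [], Forms),
    lists:sort(Findings).

check(Node, Acc) ->
    case erl_syntax:type(Node) of
        application -> check_call(Node, Acc);
        atom ->
            case erl_syntax:atom_value(Node) of
                verify_none -> [{line(Node), "ssl verify_none disables peer verification"} | Acc];
                _ -> Acc
            end;
        _ -> Acc
    end.

check_call(Node, Acc) ->
    Op = erl_syntax:application_operator(Node),
    Key = case erl_syntax:type(Op) of
              module_qualifier ->
                  {value(erl_syntax:module_qualifier_argument(Op)),
                   value(erl_syntax:module_qualifier_body(Op))};
              atom -> {erlang, erl_syntax:atom_value(Op)};  %% unqualified (auto-imported) BIF call
              _ -> undefined                                %% e.g. Fun(...) or Mod:Fun(...) with variables
          end,
    case maps:find(Key, sinks()) of
        {ok, Advice} -> [{line(Node), Advice} | Acc];
        error -> Acc
    end.

value(Node) ->
    case erl_syntax:type(Node) of atom -> erl_syntax:atom_value(Node); _ -> '_' end.

line(Node) -> erl_anno:line(erl_syntax:get_pos(Node)).
```

Calls made through variables (Mod:Fun(...) or apply/3) are not resolved here, so a real rule would want data-flow tracking on top of this.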
