wSAST Code Analyzer

Flexible static code analysis framework for consultants and developers.

FAQ

Frequently asked questions; expect this to be updated regularly.

Is wSAST a commercial product?
My plan is to make wSAST free for use while in alpha/beta development; there is a lot of work yet to be completed to add support for other major languages, in addition to adding further dataflow/SAST checks. Once wSAST is in first major release it is likely that I will charge a low yearly fee for use to help fund further research and development.
What languages does wSAST support?
At present wSAST has fairly complete support only for Java; support for C is about 95% complete. Support for Python, C++, C# and Go will most likely follow.
What is WSIL?
wSAST converts all code to an intermediate language called WSIL, against which analysis is performed. The main reason for this is to enable code analysis and dataflow to be performed across multiple languages seamlessly; checks performed by dataflow analysis are performed against the WSIL syntax tree. WSIL is described by the EBNF grammar located here.
WSIL code can be written and imported directly into wSAST, enabling bridging code to be written to augment analysis (for example to fill in for missing classes and methods).
How do I write new rules?
The easiest way is to use the Common Rules Engine XML configuration format, which can describe sources and sinks from function calls, variable/class member reads and writes, and formatted data. To implement more convoluted rules it is necessary to implement the appropriate interfaces in a .NET assembly. For more information please review the development guide under the appropriate support section.
Can I use ChatGPT to generate rules?
ChatGPT can be used to generate rules for the XML format used by the Common Rules Engine and is a very powerful method of adding checks for as yet unsupported frameworks. Please see the Common Rules Engine documentation here for more information. ChatGPT can probably be used to generate WSIL code to fill in the gaps for missing code too; this is still to be determined.

Dataflow Analysis

Explore the Dataflow Analyzer, which forms the core capability of wSAST.

Static Analysis

Learn more about the Static Analysis capabilities.

Code Graphing

Discover the code graphing capabilities, which can aid you in code exploration.

Code Searching

See how code searching can help you quickly determine possible paths to exploitation.