wSAST Code Analyzer

Flexible static code analysis framework for consultants and developers.

Code Graphing

In addition to dataflow and static analysis for the purpose of automating the discovery of code vulnerabilities and anti-patterns, wSAST also offers a powerful graphing capability. The graphing feature is designed to assist with code comprehension and should prove especially useful early during a code assessment.


graph       Create graphviz DOT output from knowledge
    graph  [...]
                  - classes, calls, local, ast
        [--filter=]     - comma separated regex of KDB entries (multiple means OR, ! prefix means AND NOT)
        [--inclusive]   - include only filtered types as destinations from matches
        [--highlight=]  - comma separated regex (multiple means OR, ! prefix meant AND NOT)
        [--entrypoints] - highlight entrypoints
        [--filename=]   - output file (in project directory)
        [--tokens]      - print tokens in graph labels (only: local)
        [--locs]        - print code filename and line/column info (only: ast)

Graphs generated by wSAST can be constrained by a series of regex filters, limiting the areas of code graphed to only those of specific interest. Multiple regex combines multiple inclusive searches, and a ! prefix excludes all results with the following regex. Flags can also be specified to dictate whether regex limitations are only applies to origin points (i.e. the start node in a graph) or to every node included. Highlighting of both entrypoints and of specific paths by regex can also be performed.

Call Graphs

The graph at the top of this page illustrates a function call graph (not replicated below due to size). This graph contains no constraints on output, graphing the entire application (a small paint application). The boxes in red are unresolved function references for which no code was provided, and the black boxes represent resolved code.

Entrypoints can be fairly clearly observed, but would be highlighted explicitly if the --entrypoints flag had been provided. Filters and highlights can be applied as earlier described.

Class Graphs

wSAST is able to generate graphs of class relationships. These graphs map each class to every other class to which it contains a type reference. The graph below is produced by the command graph classes --filter=!unresolved:.* --highlight=.*?Main.* which generates references only between resolved classes (i.e. ones for which the code has been provided) and highlighting any classes with "Main" somewhere in the type path:

Local Control Flow Graphs

wSAST is capable of graphing its understanding of local control flows (i.e. those inside specific functions or blocks of code). These graphs are not generally much use in assisting a review and are more valuable as debugging aids when developing custom sources and sinks, or when adding new language support.

A simple function: The associated local control flow graph:
 


@Override
public void paintComponent(Graphics g) {
	super.paintComponent(g);
	g.drawRect(10, 10, 50, 50);
	Graphics2D g2 = (Graphics2D) g;

	int width = this.getWidth();
	int height = this.getHeight();
	if (width != prevWidth || height != prevHeight) {
		BufferedImage tmp = bufferImage;
		bufferImage = (BufferedImage) this.createImage(width, height);
		bufferGraphics = (Graphics2D) bufferImage.getGraphics();
		bufferGraphics.drawImage(tmp, null, 0, 0);
		tmp = null;
		prevWidth = width;
		prevHeight = height;
	}

	g2.drawImage(bufferImage, null, 0, 0);
	if (drawInfo.clickState) {
		if (drawInfo.type == DrawType.Pen) paintShape(bufferGraphics);
		else if (drawInfo.dragState) paintShape(g);
	}
}















AST Graphs

wSAST is capable of generating AST graphs for code represented using its internal WSIL language tree structure. The ASTs generated can optionally include the relevant filename and line of code, and any associated token values. This representation - similarly to the local graph representation, is especially useful for debugging sources and sinks during development and language plugins.

A simple function:


private class ToolPanel02Handler03 implements ActionListener {
	public void actionPerformed(ActionEvent e) {
		paintInfo.type = DrawType.Select;
		JInternalFrame[] frms = desktop.getAllFrames();
		for (JInternalFrame f : frms) {
			f.getGlassPane().setVisible(false);
		}
	}
}

The corresponding WSIL AST graph:

Dataflow Analysis

Explorer the Dataflow Analyzer which forms the core capability of wSAST.

Learn more

Static Analysis

Learn more about the Static Analysis capabilities.

Learn more

Code Graphing

Discover the powerful code graphing capabilities which can aid you in code exploration.

Learn more

Code Searching

See how code searching can help you quickly determine possible paths to exploitation.

Learn more