A project for the Convergence Security Project 1 course
Overview
This project is a static analysis tool for Java and JavaScript, focused on detecting web application vulnerabilities such as XSS, and SQL Injection(SQLi).
It uses the tree-sitter parser for fast and accurate AST parsing and includes taint tracking, sanitizer detection, and sink analysis.
src/
js/
detectors/
taintAnalyzer.ts # Tracks tainted data flows (JS)
sanitizer.ts # Detects sanitizer functions (JS)
sinkDetector.ts # Detects dangerous sink usage (JS)
jsAnalyzer.ts # Main entry for JS analysis
java/
detectors/
taintAnalyzer.ts # Tracks tainted data flows (Java)
sanitizer.ts # Detects sanitizer functions (Java)
sinkDetector.ts # Detects dangerous sink usage (Java)
javaAnalyzer.ts # Main entry for Java analysis
common/
astUtils.ts # AST traversal, snippet extraction, etc.
functionCollector.ts # Collects function definitions for summaries
functionSummary.ts # Analyzes which params flow to sinks
types/
tree-sitter.d.ts # Custom TypeScript types for tree-sitter(for compatibility)
extension.ts # (If VSCode extension) main integration
TypeScript Compatibility Note
This project uses a custom types/tree-sitter.d.ts file to avoid TypeScript import/type errors for tree-sitter.
You can remove this file if upstream types become available.