目录
- .githubFix eslint security vulnerability CVE-2025-505372个月前
- .llmsAdd CLAUDE.md and architecture.md for AI agent context25天前
- sappFix follow-redirects security vulnerability2天前
- scriptsFix error in publish pypi script12个月前
- stubsUpdate copyright headers from Facebook to Meta4年前
- .coveragercAdd `coverage` for measuring test coverage4年前
- .flake8Fix formatting errors1年前
- .gitignoresetup Pyre (#7)5年前
- .pyproject.tomlExclude running µsort on stubs3年前
- .pyre_configurationFix GitHub Actions pyre type check failures2个月前
- CODE_OF_CONDUCT.mdInitial commit5年前
- CONTRIBUTING.mdImprove project README.md and CONTRIBUTING.md documentation (#67)4年前
- LICENSEUpdate copyright headers from Facebook to Meta4年前
- MANIFEST.inInitial commit5年前
- README.mdAdd documentation for configuring partial flows8个月前
- __init__.pyUpdate copyright headers from Facebook to Meta4年前
- requirements-dev.txtAdd `coverage` for measuring test coverage4年前
- requirements.txtFix GitHub Actions pyre type check failures2个月前
- setup.cfgInitial commit5年前
- setup.pyUpgrade sapp open source version23天前
邀请码
SAPP
SAPP stands for Static Analysis Post Processor. SAPP takes the raw results of Pysa and Mariana Trench, and makes them explorable both through a command-line interface and a web UI.
SAPP is also available on GitHub Marketplace as a GitHub Action
Installation
To run SAPP, you will need Python 3.8 or later. SAPP can be installed through PyPI with
pip install fb-sapp.Getting Started
This guide assumes that you have results from a Pysa run saved in an
~/exampledirectory. If you are new to Pysa, you can follow this tutorial to get started.Processing the Results
The postprocessing will translate the raw output containing models for every analyzed function into a format that is more suitable for exploration.
After the results have been processed we can now explore them through the UI and a command-line interface. We will briefly look at both of those methods here.
Web Interface
Start the web interface with
and visit http://localhost:13337 in your browser (note: the URL displayed in the code output currently will not work). You will be presented with a list of issues that provide access to example traces.
Command-Line Interface
The same information can be accessed through the command-line interface:
This will launch a custom IPython interface that is connected to the sqlite file. In this mode, you can dig into the issues that Pyre surfaces. Following is an example of how to use the various commands.
Start by listing all known issues:
As expected, we have 1 issue. To select it:
View how the data flows from source to sink:
Move to the next callable:
Show the source code at that callable:
Move to the next callable and show source code:
Jump to the first callable and show source code:
Help
You can refer to the
helpcommand to get more information about available commands in the command-line interface.Terminology
A single SAPP database can keep track of more than just a single run. This opens up the possibility of reasoning about newly introduced issues in a codebase.
Every invocation of
will add a single run to the database. An issue can exist over multiple runs (we typically call the issue in a single run an instance). You can select a run from the web UI and look at all the instances of that run. You can also choose to only show the instances of issues that are newly introduced in this run in the filter menu.
Each instance consists of a data flow from a particular source kind (e.g. user-controlled input) into a callable (i.e. a function or method), and a data flow from that callable into a particular sink kind (e.g. RCE).
Note: the data can come from different sources of the same kind and flow into different sinks of the same kind. The traces view of a single instance represents a multitude of traces, not just a single trace.
Filters
SAPP filters are used to include/exclude which issues are shown to you by the issue properties you choose. Filters are useful to remove noise from the output from your static analysis tool, so you can focus on the particular properties of issues you care about.
SAPP functionality can be accessed through the web interface or a subcommand of
sapp filter.File Format
A filter is required to have a
nameand at least one other key, excludingdescription. Filters can be stored as JSON in the following format:You can find some example filters to reference in the pyre-check repo
Importing filters
You can import a filter from a file by running:
You can also import all filters within a directory by running:
Exporting filters
You can view a filter in a SAPP DB by running:
You can export a filter from a SAPP DB to a file by running:
Deleting filters
You can delete filters by name with:
Filtering list of issues
You can apply a filter to a list of issues by run number. For example, the following command will show you a list of issues after applying
example-filterto run1:You can also apply a list of filters to a single list of issues by run number. SAPP will apply each filter individually from the directory you specify to the list of issues and merge results into a single list of issues to show you. For example, the following command will show you a list of issues after applying every filter in
list_of_filtersto run1:SARIF Output
You can get the output of a filtered run in SARIF by first storing warning codes information from the static analysis tool in SAPP:
Then running
sapp filter issueswith--output-format=sarif:Development Environment Setup
Start by cloning the repo and setting up a virtual environment:
Run the flask server in debug mode:
Parse static analysis output and save to disk:
Installing dependencies for frontend:
To run SAPP with hot reloading of the Web UI, you need have the frontend and backend running simultaneously. In a production environment, the frontend application is compiled and served directly by the backend exposed on port
13337. But in a development environment, the frontend runs in port3000by default if thePORTenvironment variable is not set and the backend runs in port13337. You can indicate to SAPP to run in the development environment with thedebugflag.Run the flask server and react app in development mode:
Then visit
http://localhost:3000(orhttp://<HOST>:<PORT>if you have set theHOSTand/orPORTenvironment variable).Partial Flows
SAPP supports the concept of partial flows, which helps with triaging the issues more easily. In particular, supporting partial flows allows to filter out issues from the generic rules if they exist in the more specific one. When we have two rules, one of the form (
SourceA->SinkB), and a second one of the form (SourceA->TransformB->SinkC), we can associateSinkBandTransformB, and add breadcrumbs (such assome-feature) to all instances of theSourceA->SinkBrule when a correspondingSourceA->TransformB->SinkCrule exists. These breadcrumbs allow us to filter away these issues, improving triage SNR.SAPP supports partial flows by modifying the static analysis outputs (based on the configurations from those tools) before writing them into the database. To leverage this capability in SAPP, you can provide the following configurations in the metadata file from the static analysis outputs:
Now we explain the meaning of the above configurations:
full_issue_code: The rule code of the full issue, such asSourceA->TransformB->SinkCfrom the above example.partial_issue_code: The rule code of the partial issue, such asSourceA->SinkBfrom the above example.full_issue_transform: The transform of the full issue, such asTransformBfrom the above example.is_prefix_flow: Whether the partial flow is a prefix flow or a suffix flow. In the above example, since the partial issue is a prefix of the full issue, we set this field totrue.feature: The feature or breadcrumb to add to an issue, such assome-featurefrom the above example.License
SAPP is licensed under the MIT license.