rastray 0.15.0

Blazing-fast static analysis CLI for security, dependency, and performance audits.
# DVWA

[`github.com/digininja/DVWA`](https://github.com/digininja/DVWA) — the classic PHP / "Damn Vulnerable Web App."

## Results

| tool            | findings | wall-clock |
|-----------------|---------:|-----------:|
| rastray         |        5 |     0.34 s |
| semgrep         |       45 |    27.9 s  |
| gitleaks        |        5 |     2.1 s  |
| bandit          |    *N/A* |          – |
| gosec           |    *N/A* |          – |
| eslint-security |    *N/A* |          – |

## What rastray fires on

| code           | count | what it catches |
|----------------|------:|------------------|
| `RSTR-INJ-003` |     5 | PHP `eval` |

## Honest observation: DVWA is essentially indirect

rastray ships PHP-aware rules for SQL injection, command exec,
echo / print of request input, include / require LFI, and file
API LFI:

- [`RSTR-INJ-006`](../rules/RSTR-INJ-006.md) — SQLi via superglobal in the query
- [`RSTR-INJ-007`](../rules/RSTR-INJ-007.md) — command exec on superglobal
- [`RSTR-XSS-006`](../rules/RSTR-XSS-006.md) — echo / print of superglobal
- [`RSTR-PTH-005`](../rules/RSTR-PTH-005.md) — include / require from superglobal
- [`RSTR-PTH-006`](../rules/RSTR-PTH-006.md) — file API on superglobal

None of them fire on DVWA. DVWA's pedagogical style assigns the
superglobal to a local first, then uses the local — a single
indirection that rastray deliberately does not chase (the same
one-step taint scope every other rastray rule uses). For example,
DVWA's SQLi-low source reads:

```php
$id = $_REQUEST['id'];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query);
```

rastray flags neither line in isolation — there's no superglobal in
the `mysqli_query` call, no concatenation in the assignment. The
two-line idiom is below the rule's threshold by design.

The same five PHP rules fire correctly on the **direct** pattern
common in real PHP code:

```php
$rows = mysqli_query($db, "SELECT * FROM u WHERE id = " . $_GET['id']);
exec("ping " . $_POST['host']);
echo $_GET['name'];
include $_REQUEST['page'] . ".php";
$x = file_get_contents($_GET['url']);
```
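To make the scope difference between the two snippets above concrete, here is a toy line-oriented detector written for this page; it is an added example, not rastray's implementation, and its sink regexes, superglobal list and `chase_assignments` switch are assumptions for the illustration. In its default one-step mode it only reports a sink whose own argument text contains a superglobal, which is enough for the five direct lines and nothing for the DVWA lines. With `chase_assignments=True` it propagates taint through local assignments transitively, which is what the DVWA idiom needs: `$id` feeds the `$query` string, and `$query` reaches `mysqli_query`.

```python
"""Toy one-step vs. transitive superglobal taint scope (added example).

Not rastray's code. Regex-based and deliberately naive: it exists only to
show why the DVWA assign-then-use idiom sits below a direct-sink rule while
the one-line idiom does not.
"""
import re

# PHP request superglobals treated as taint sources (assumed list).
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# One regex per sink family named on the page; the last capture group is the
# argument text that is checked for taint. These patterns are assumptions.
SINKS = {
    "sqli": re.compile(r"\bmysqli_query\s*\((.*)\)"),
    "cmd":  re.compile(r"\b(exec|system|shell_exec|passthru)\s*\((.*)\)"),
    "xss":  re.compile(r"\b(echo|print)\b(.*)"),
    "lfi":  re.compile(r"\b(include|require)(_once)?\b(.*)"),
    "file": re.compile(r"\b(file_get_contents|fopen|readfile)\s*\((.*)\)"),
}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);\s*$")  # $local = <expr>;
VAR = re.compile(r"\$\w+")                           # any $name, incl. in strings

# Constructed copies of the two snippets shown on the page.
DVWA_SNIPPET = """\
$id = $_REQUEST['id'];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $query);
"""

DIRECT_SNIPPET = """\
$rows = mysqli_query($db, "SELECT * FROM u WHERE id = " . $_GET['id']);
exec("ping " . $_POST['host']);
echo $_GET['name'];
include $_REQUEST['page'] . ".php";
$x = file_get_contents($_GET['url']);
"""


def scan(php: str, chase_assignments: bool = False) -> list[tuple[int, str]]:
    """Return (line_no, sink_kind) for every sink line whose argument text is
    tainted. One-step mode: tainted means 'contains a superglobal'. With
    chase_assignments=True, a local assigned from a tainted expression is
    tainted as well, and that propagates through further assignments."""
    tainted: set[str] = set()

    def is_tainted(expr: str) -> bool:
        if SUPERGLOBAL.search(expr):
            return True
        # Interpolated "$id" inside a string literal is found by VAR too.
        return chase_assignments and any(v in tainted for v in VAR.findall(expr))

    findings: list[tuple[int, str]] = []
    for no, line in enumerate(php.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and chase_assignments and is_tainted(m.group(2)):
            tainted.add(m.group(1))
        for kind, rx in SINKS.items():
            s = rx.search(line)
            if s and is_tainted(s.group(s.lastindex)):
                findings.append((no, kind))
                break  # one finding per line is enough for the illustration
    return findings


if __name__ == "__main__":
    print("DVWA, one-step:   ", scan(DVWA_SNIPPET))
    print("DVWA, transitive: ", scan(DVWA_SNIPPET, chase_assignments=True))
    print("direct, one-step: ", scan(DIRECT_SNIPPET))
```

The one-step mode returns nothing for the DVWA lines and one finding per line for the direct snippet; only the transitive mode reports the DVWA `mysqli_query` call, on line 3. When triaging results from any direct-sink scanner, that is the question to ask about a codebase first: does request input reach the sink in the same expression, or through locals?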

Semgrep's `p/owasp-top-ten` registry includes PHP rules that span
the assign-then-use boundary, which is why it reports 45 on DVWA.
For codebases that match DVWA's idiom rather than rastray's
direct-sink scope, Semgrep is the better fit; for codebases where
the superglobal appears in the sink, rastray is faster.

## Reproduce

```powershell
powershell -File scripts/benchmarks/run.ps1 -Target dvwa
```