ansede-static

v2.3.2 | Verdict: suspicious | Risk score: 7.0 | High Risk

AST-based SAST for Python and JavaScript — detects IDOR, auth bypass, and ownership flaws that Bandit misses.

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits significant risks due to its network and obfuscation practices, which could potentially be leveraged for malicious activities. Although there is no concrete evidence of malicious intent, the package should be treated with caution.

  • High network risk due to unclear usage
  • High obfuscation risk from the use of eval()

Per-check LLM notes

  • Network: The use of network calls without clear documentation or purpose may indicate potential data exfiltration or C2 communication.
  • Shell: Execution of shell commands can be risky if not properly sanitized, suggesting possible execution of arbitrary code which could be exploited.
  • Obfuscation: The use of `eval()` with dynamic content suggests potential code injection risks, indicating a high obfuscation risk.
  • Credentials: The presence of comments about file path traversal does not directly indicate credential harvesting but could be used for such purposes, hence a moderate risk.
  • Metadata: The author has only one package, which might indicate a new or less active account, raising some suspicion but not conclusive evidence of malice.

📦 Package Quality Overall: Medium (5.6/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

  • Test runner config found: pyproject.toml

◈ Medium Documentation 7.0

Some documentation present

  • Documentation URL: "Documentation" -> https://github.com/mattybellx/Ansede#readme
  • Detailed PyPI description (4005 chars)

○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta

◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 701 type-annotated function signatures detected in source

◈ Medium Multiple Contributors 6.0

Limited contributor diversity

  • 2 unique contributor(s) across 100 commits in mattybellx/Ansede
  • Two distinct contributors found

🔬 Heuristic Checks

Outbound Network Calls score 6.0

Found 4 network call pattern(s)

  • loat = 10.0) -> str: with urllib.request.urlopen(url, timeout=timeout) as response: return re
  • quests.post": "CWE-918", "urllib.request.urlopen": "CWE-918", "urllib.urlopen": "CWE-918", #
  • ad).encode("utf-8") req = urllib.request.Request( url, data=body, headers={"C
  • , ) try: with urllib.request.urlopen(req, timeout=timeout) as resp: raw = res

Code Obfuscation score 10.0

Found 6 obfuscation pattern(s)

  • d_trace(trace, "sink", "sink `eval()`", line=call.line) findings.append(_make_finding(
  • =f"CWE-95: Code injection via eval() at line {call.line}", description=(
  • cription=( f"`eval()` is called with dynamic content at L{call.line}: `{call.ra
  • suggestion="Remove `eval()`. Parse data with `JSON.parse()` or use a safe expression
  • f"This is equivalent to `eval()` and turns strings into executable code." ),
  • arguments are evaluated like `eval()`." ), suggestion="Pass a function

Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

  • {"pattern": "os.system($VAR)"}, {"pattern": "os.popen($VAR)"},
  • {"pattern": "os.popen($VAR)"}, {"pattern": "subprocess.call($VAR,
  • {"pattern": "os.popen($VAR)"}, ]}, ], "message": "Shel
  • y: diff_out = subprocess.check_output( ["git", "diff", "--name-status", "HEAD"
  • untracked_out = subprocess.check_output( ["git", "ls-files", "--others", "--excl

Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • can use sequences like `../../etc/passwd` to read or write files outside the intended directory. **

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History

Repository mattybellx/Ansede appears legitimate

Maintainer History score 2.0

1 maintainer concern(s) found

  • Author "Matty Bell" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ansede-static

Develop a web application named 'SecureCodeAnalyzer' using Flask (for Python) or Express.js (for JavaScript), which integrates the 'ansede-static' package to analyze code snippets submitted by users for security vulnerabilities such as Insecure Direct Object References (IDOR), authentication bypasses, and ownership flaws. This tool will help developers identify potential security issues early in their development cycle, ensuring that their applications are more secure before deployment.

The application should have the following features:
1. A simple user interface where users can input code snippets written in Python or JavaScript.
2. An upload feature allowing users to upload files containing code snippets.
3. Upon submission, the application should use 'ansede-static' to scan the provided code for security vulnerabilities.
4. The results of the analysis should be displayed in a clear and understandable format, highlighting any detected issues along with brief explanations and recommendations on how to fix them.
5. Implement a feature that allows users to save their analyzed code snippets along with the results for future reference.
6. Optionally, include a feature that provides users with additional resources or links to learn more about the identified vulnerabilities and best practices for securing their code.

To utilize 'ansede-static', you will need to install it via pip (for Python) or npm (for JavaScript). Once installed, integrate its scanning capabilities into your application's backend logic so that it can process the submitted code snippets and generate reports based on the findings. Ensure that the integration is seamless and that the application handles different types of code inputs effectively.
