Principal Investigator: Davin McCall
Parfait is a static code analysis tool from Oracle Labs that finds vulnerabilities in web applications written in C/C++, Java, and Python. The focus is on vulnerabilities that matter, most of them drawn from the CWE Top 25 and OWASP Top 10 lists, including:
- Memory safety issues: Buffer overflow, use-after-free, null pointer dereference, use of uninitialized memory
- Injections: SQL injection, Command injection, LDAP injection, XML injection, XPath injection, XQuery injection
- XML External Entities (XXE), XML Entity Expansion (XEE)
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Header manipulation
- Path traversal
- Unvalidated redirects and forwards
- Weak crypto: weak encryption, weak cryptographic hash, weak cryptographic signature, and more.
How it works
Parfait is built on top of a static analysis framework supporting shared analysis across multiple source code languages.
As with many similar projects, scalability for large codebases is a major challenge. The highly dynamic and decoupled nature of web applications is another challenge for static analysis.
The Parfait Labs project builds on Parfait, investigating techniques that will enable us to support additional languages (such as Python), frameworks, and libraries so as to improve the accuracy and performance of the analysis. We are also exploring modular and incremental analysis so that developers receive timely feedback.