Pysa detection capabilities

# Pysa Bug
**Pre-submission checklist**
[✓] I've checked the list of [common issues](https://pyre-check.org/docs/pysa-quickstart/#common-issues) and mine does not appear

**Bug description**
Apologies, this is not exactly a bug, more a set of questions to better understand Pysa capabilities, don't hesitate to redirect us if necessary.

We are trying to use Pysa to detect vulnerabilities in several Python projects.
According to the tutorial and the documentation, Pysa is able to detect when there is a data flow from a source to a sink (which, eventually, was not caught by a sanitizer) and to report a location in the path between the source and the sink as the vulnerability location.

But is it possible to do more with Pysa, by defining dedicated rules?
For instance:
- be able to detect if a variable is present in a given procedure/statement
- be able to report a vulnerability if a sink is present but there is no data flow between the source and the sink (as opposed to the current behavior where there must be a data flow to report a vulnerability)
- be able to detect that there is a data flow between a source and the end of a procedure (instead of a sink) 

**Reproduction steps**
None

**Expected behavior**
For [CVE-2016-9243](https://nvd.nist.gov/vuln/detail/CVE-2016-9243), is it possible to detect in [‎src/cryptography/hazmat/primitives/kdf/hkdf.py](https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874#diff-7edd4f60a449f8808b56bfe22c957a24b68d2234f6ee24d3b00679108a810ff7L94) that the variable `self._algorithm.digest_size` was divided by 8? For instance, by detecting the presence of the character `8` at Line 94? 

For [CVE-2017-2809](https://nvd.nist.gov/vuln/detail/CVE-2017-2809), is it possible to detect in [ansible_vault/api.py](https://github.com/tomoh1r/ansible-vault/commit/3f8f659ef443ab870bb19f95d43543470168ae04) that `yaml.load` was called instead of `yaml.safe_load` at Line 18?

For [CVE-2016-9909](https://nvd.nist.gov/vuln/detail/CVE-2016-9909), is it possible to detect in [html5lib/serializer/htmlserializer.py](https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7#diff-9e4e724b6004f0a653e7416231ae2bc7c46eaa03cf5092dedffd0da674934261) that the variable `self.quote_attr_values` was not compared with the value `"legacy"`, as in the fix at Line 255?

For [CVE-2014-7143](https://nvd.nist.gov/vuln/detail/CVE-2014-7143), is it possible to detect in [twisted/web/client.py
](https://github.com/twisted/twisted/commit/3b5942252f5f3e45862a0e12b266ab29e243cc33) that the "source" `_trustRoot` should be present when the "sink" `optionsForClientTLS` is called (i.e., there is a vulnerability if `optionsForClientTLS` is called without `_trustRoot`)? 

Similarly, for [CVE-2012-2417](https://nvd.nist.gov/vuln/detail/CVE-2012-2417), is it possible to detect in [‎lib/Crypto/PublicKey/ElGamal.py](https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2) that the "source" `getPrime` should be reached before the "sink" `.isPrime` (i.e., there is a vulnerability if `getPrime` is called but not `.isPrime`)? 

**Logs**
None 

**Additional context**
None 


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pysa detection capabilities #959

Pysa Bug

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development