Does the hex package sobelow implement OWASP?

Does anyone know if the library sobelow implements OWASP (Open Web Application Security Project)?


Hi Daveed! Sobelow checks for a number of the OWASP Top 10 vulnerabilities. However, it does not check for things like access control or authentication vulnerabilities, which will vary greatly from app to app.

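To make the coverage point concrete, here is an added example (not from this thread and not Sobelow's own code): a hypothetical Phoenix controller that puts the injection-style patterns Sobelow's SQL injection, command injection and XSS checks look for next to a hardened form of each, and then an insecure-direct-object-reference bug that no static check of this kind can see, because "which user may read report 42" is application logic. The app name `MyApp`, the `MyApp.Report` schema, the `current_user` assign and the route parameters are assumptions for the illustration. Run `mix sobelow` in the project root to see which of these it reports; the exact findings and their confidence depend on the Sobelow version.

```elixir
# Added example, not part of the original thread or of Sobelow itself.
# Assumptions: a Phoenix app MyApp with MyApp.Repo, an Ecto schema
# MyApp.Report (fields :id, :name, :body, :user_id) and an auth plug that
# sets conn.assigns.current_user.
defmodule MyAppWeb.ReportController do
  use MyAppWeb, :controller
  import Ecto.Query

  # --- SQL injection: Sobelow's SQL check looks for interpolation into raw queries ---
  # name = "' OR '1'='1" returns every row.
  def search_vulnerable(conn, %{"name" => name}) do
    {:ok, result} =
      Ecto.Adapters.SQL.query(MyApp.Repo, "SELECT name FROM reports WHERE name = '#{name}'")

    json(conn, %{rows: result.rows})
  end

  # Hardened: the value is bound as a query parameter (^name), never spliced into SQL.
  def search(conn, %{"name" => name}) do
    names = MyApp.Repo.all(from r in MyApp.Report, where: r.name == ^name, select: r.name)
    json(conn, %{rows: names})
  end

  # --- Command injection: Sobelow's CI check looks for a variable command in System.cmd ---
  # tool = "rm" and file = "-rf" is enough to do damage with the app's privileges.
  def convert_vulnerable(conn, %{"tool" => tool, "file" => file}) do
    {out, _status} = System.cmd(tool, [file])
    text(conn, out)
  end

  # Hardened: fixed binary, user input only as a validated argv element, no shell.
  def convert(conn, %{"file" => file}) do
    with true <- Regex.match?(~r/\A[\w-]+\.md\z/, file),
         {out, 0} <- System.cmd("pandoc", [Path.join("/srv/uploads", file)]) do
      text(conn, out)
    else
      _ -> send_resp(conn, 400, "bad file")
    end
  end

  # --- XSS: Sobelow's XSS check looks for unescaped variables passed to html/2 ---
  def greet_vulnerable(conn, %{"name" => name}) do
    html(conn, "<h1>Hello #{name}</h1>")
  end

  # Hardened: escape explicitly (or render a .heex template, which escapes by default).
  def greet(conn, %{"name" => name}) do
    html(conn, "<h1>Hello #{Plug.HTML.html_escape(name)}</h1>")
  end

  # --- Broken access control: NOT something Sobelow reports ---
  # Any logged-in user can read any report just by changing the id in the URL.
  # There is no dangerous function to pattern-match on; the bug is a missing check.
  def show_vulnerable(conn, %{"id" => id}) do
    report = MyApp.Repo.get!(MyApp.Report, id)
    json(conn, %{id: report.id, body: report.body})
  end

  # Fixed by scoping the lookup to the caller; an unauthorized id looks like a 404.
  def show(conn, %{"id" => id}) do
    user = conn.assigns.current_user

    case MyApp.Repo.get_by(MyApp.Report, id: id, user_id: user.id) do
      nil -> send_resp(conn, 404, "not found")
      report -> json(conn, %{id: report.id, body: report.body})
    end
  end
end
```

The first three pairs are the kind of thing a linter can find because the sink (`Ecto.Adapters.SQL.query/2`, `System.cmd/2`, `html/2`) is a recognisable function and the taint is a variable reaching it. The last pair is the gap Griffin describes: `Repo.get!/2` is perfectly normal code, so the authorization decision has to be covered by tests or review, not by Sobelow.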

Hi Griffin! Thanks, that helps a lot. I checked the OWASP Top 10 2017 and mapped it this way:

OWASP Top 10 (2017):

A1 Injection flaws, such as SQL, NoSQL, OS, and LDAP injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Components with Known Vulnerabilities
A10 Insufficient Logging & Monitoring

From your package sobelow:

[A6] Insecure configuration
[A9] Known-vulnerable Dependencies
[A7] Cross-Site Scripting
[A1] SQL injection
[A1] Command injection
[A4] Denial of Service
[A5] Directory traversal
[A8] Unsafe serialization