Sobelow - Uncover vulnerabilities in your Phoenix projects

Tags: #<Tag:0x00007f11490b1600> #<Tag:0x00007f11490b1358>


Just ran sobelow on my big giant work project, it found only one thing:

HTTPS Not Enabled - High Confidence

However we run it behind nginx that does have https enabled, so eh, need a way to disable it. ^.^

Also, got this warning at the bottom of the scan:

$ mix sobelow
#                                            #
#          Running Sobelow - v0.2.3          #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group -     #
#                                            #

HTTPS Not Enabled - High Confidence


warning: an expression is always required on the right side of ->. Please provide a value after ->


What’s with the nofile bit?


Glad nothing serious turned up :slight_smile:

I’m still working on the best way to flag issues as false positives or do-not-report, but hopefully that will be a solved problem soon. In the meantime, Config issues are fortunately pretty easy to ignore without unintended consequences:

$ mix sobelow -i Config.HTTPS

I believe that is a warning from your project, which is getting dumped into the scan output. It can be a fairly annoying issue on projects that generate a large number of warnings, so it’s at the top of my list of things to try and mitigate.

It doesn’t seem to be a major issue for you, since you don’t have a large number of warnings or findings, but something I’ve done is > findings into a gitignored file, which shouldn’t contain any of the warnings.

I don’t want to recommend this practice generally since a small mistake could mean commiting a list of vulnerabilities or otherwise private information, but that’s what I’ve been doing until I figure out a better solution.


nofile though? I just rebuilt it and did not see it in its normal build output (there are a few warnings, mostly scope stuff because case leaks variable stupidity due to macros, and it did not seem to show any of those, though it may not have done a fresh recompile?).


I think that nofile has something to do with the application environment not being loaded. When I’ve gotten warnings about nofile:39, I’ve been able to match it against errors in whatever_controller.ex:39.


Just released another minor update, with a focus on refactoring.

Changes include:

  • Flag for an additional SQL injection vector
  • Small addition to XSS checks
  • Minor bug fixes and refactoring

Upcoming updates will continue to expand upon finding categories already in place, and (perhaps more importantly!) refactoring the codebase.

If you want (or need) to install an older version, you can do so with mix archive.install hex sobelow 0.2.4.


I forgot to mention: @OvermindDL1, this update should make the warnings a bit less annoying. Sobelow will now output warnings at the beginning of a scan so that it doesn’t clutter findings. :slight_smile:

I was also able to verify that the warnings are a result of warnings in the codebase being scanned. The erlang internals of Code.string_to_quoted call warn, which can’t (I believe) be suppressed. But at least now they won’t be obtrusive!

And nofile is the default filename given for warnings generated by string_to_quoted, and can be overridden by passing the optional filename argument. As of now, I’m just leaving nofile as-is, but may update this in the future.


That it does, nice!

Could probably hook the logger to prevent it, a filter or so, but meh.

Also no biggie but would be nice. :slight_smile:

No further warning from my project yet though, keep those tests coming, I want you to find things I’m doing wrong! :smiley:


@griffinbyatt Thanks a ton for writing up this tool! This was very much needed. I was able to use the previous version and found a few issues. However, after I have upgraded to the latest version of Sobelow, I am running into the following error.

It is throwing a match error [:enoent - seems like it can’t access a file/resource]. Any thoughts or suggestions?


@raags90 Thanks for reporting! I’ve needed to handle the file discovery a bit more gracefully. I pushed a small update that should tell you where the error is originating – could you install with mix archive.install It will tell you the file it’s having an issue with.

Also, have you already installed with the new installation method? IE:

mix archive.install hex sobelow


Yes @griffinbyatt, I am using the new installation method. After installing your quick update, I noticed that the error was ERROR Reading: /lib/.


I sent you a message so we can get it hashed-out off thread, it might just be something non-standard in your setup. In the meantime, I just pushed an update to Hex which should enable the scan to run normally despite errors, and just print a message for you indicating that it had trouble reading the file.


I pushed another, more comprehensive update for file discovery. This should fix your error, as well as a related path error. Let me know if you have any problems going forward!


Thanks a bunch @griffinbyatt for the prompt help. The latest update works perfectly !! :slight_smile: Also, there was an issue with my setup as well ( :unamused: ). Look forward to investigating the results !!


Awesome, glad it’s working now! :smiley:


Just pushed a new update! Install with mix archive.install hex sobelow.

This is a pretty big one. There are bug fixes and additional checks that should flag more XSS, and SQL injection. You can also now suppress false-positives on a per-function basis. For example:

@sobelow_skip ["Traversal"]
def vuln_func(...) do

Sobelow will now stop flagging this function for traversal findings.

As always, feedback and error reports are very appreciated.


Whoo, cool. :slight_smile:

Now how do I mark this as ‘to skip’? ^.^

HTTPS Not Enabled - High Confidence


The config checks are a bit different, since they are one-offs already. You’ll still need to use the --ignore flag for those.

$ mix sobelow -i Config.HTTPS

I should’ve included that in the initial comment :stuck_out_tongue:


Aww, no way to decorate the config files themselves with @sobelow_skip things? :slight_smile:
Or have a config file just for sobelow for global ignores like that? :slight_smile:


Not yet :frowning:

By 1.0.0 there will be some sort of config! For now, I’m prioritizing getting all the options figured out and security checks in place, so that even if it’s not always the most convenient, it’s still the most usable.


I’ve released a couple updates over the last week.

Sobelow will now do a better job of handling non-standard Phoenix applications. For the most part, if you say something is a Phoenix app, Sobelow will do it’s best to scan it, but will print helpful error messages in case you made a mistake. This makes it easier to scan each part of an umbrella application.

For people integrating with CI pipelines, there is a new exit flag. The exit option accepts a confidence threshold (low, medium, or high), and will return a non-zero exit status for findings above that threshold.

For example: mix sobelow --exit Medium will have a non-zero exit status for medium and high confidence findings.

Other than that, bug fixes should continue to improve the quality of reports :slight_smile:


The way that Brakeman handles that is to provide you with an interactive mode that will let you determine whether or not to ignore a particular warning signature. That creates a brakeman.ignore file that can be loaded as part of your build process (with a note on why it can be ignored).

Once you audit and either fix / ignore items from the initial round of issues than a CI process will only let you know about the new vulnerabilities and that’s the real goal I think.