So that one may code in peace.
You can find the complete source code on GitHub. Aura is licensed under the GPL-3 license.
Everything can be customized via configuration or extended using plugins.
Find unknown vulnerabilities in your codebase by tracking the propagation of untrusted input in the data flow.
Tested on over 4Tb of compressed source code.
Aura is a static analysis framework for a Python source code that is able to detect errors, defects, vulnerabilites and patterns in your code. This is all done just by looking at your code without executing it! You can tune the framework by customizing a set of semantic rules that acts as patterns telling Aura what to look for. Of course this framework already comes with a rich set of default signatures that are ready to go!
While there are other tools with functionality that overlaps with Aura such as Bandit, dlint, semgrep etc. the focus of these alternatives is different which impacts the functionality and how they are being used. These alternatives are mainly intended to be used in a similar way to linters, integrated into IDEs, frequently run during the development which makes it important to minimize false positives and reporting with clear actionable explanations in ideal cases.
Aura on the other hand reports on behavior of the code, anomalies, and vulnerabilities with as much information as possible at the cost of false positive. There are a lot of things reported by aura that are not necessarily actionable by a user but they tell you a lot about the behavior of the code such as doing network communication, accessing sensitive files, or using mechanisms associated with obfuscation indicating a possible malicious code. By collecting this kind of data and aggregating it together, Aura can be compared in functionality to other security systems such as antivirus, IDS, or firewalls that are essentially doing the same analysis but on a different kind of data (network communication, running processes, etc).
Developers these days are now more at risk than ever before. It has been a common practice to develop by piecing together libraries that are not audited or using untrusted code snippets. We believe that there is a severe lack of tools that are designed to detect potentially malicious or vulnerable code that the developer may be using unknowingly. Development packages are distributed via repositories such as PyPI that is not audited, we aim to fill this gap by monitoring all uploaded source code to the package repository. While monitoring and analyzing the source code in public repositories, we collect a huge amount of data that we share back for free to fuel more research in this area.
Times have changed, developers are starting to become a more lucrative target for cyber threats.
We scan periodically all packages published on PyPI to gather research data and to look for anomalies and signs of a malicious code published in those packages. All data collected during the scan is publicly released free of charge for non-commercial use, unchanged, and in the same format that it was generated in.