"Exakat is a tool for analyzing, reporting and assessing PHP code source efficiently and systematically. Exakat processes PHP 5.2 to 7.4 and 8.0 code, as well as reporting on security, performance, code quality, migration." – Exakat docs
Static analysis of code is a great tool, whether in support of unit testing or, as in this case, for finding security vulnerabilities and malware infestations. Security flaws and malware may fall into the same "family" of concerns, but in programming terms they are two distinct problems and need to be treated as such. Vulnerability analysis (see the previous article on the OWASP Top 10) examines the code the developers wrote themselves for weaknesses: SQL injection, XSS opportunities, insecure database access, dead or unused methods that widen the attack surface, and so on. Malware detection instead looks for code that was never meant to be there: code maliciously injected into the codebase without the developers' knowledge.
Exakat takes a three-tiered approach to code analysis. First, an AST (Abstract Syntax Tree) is built from the codebase: a representation of every construct in the source code and how those constructs are syntactically related. Next, Exakat loads that tree into the Gremlin graph database (see the requirements below) and traverses it, looking for broken or unused relationships, documented security flaws, and overall statistics about the code. Finally, Exakat produces charts and reports for your team to review in order to improve the codebase.
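As an added illustration of the tree-and-traversal idea (example code written for this article, not Exakat's own), the PHP script below tokenizes a constructed sample file with ext/tokenizer, groups the tokens into statements, marks variables assigned from request superglobals as tainted, and reports every query-style call whose argument list carries tainted data. The superglobal and sink lists are the example's own choices, and a flat token stream is a much cruder structure than the AST Exakat stores in its graph database, but the three tiers map directly: tokenize, traverse, report.

```php
<?php
// Added example (not Exakat's code): a miniature of "build a tree, then
// traverse it for documented flaws". Exakat builds a full AST in a Gremlin
// graph; this script uses PHP's raw token stream from ext/tokenizer, which is
// enough to show the idea: find SQL sinks whose arguments carry request data.
declare(strict_types=1);

// Constructed sample input: the PHP file to analyse, embedded as a nowdoc.
$sampleSource = <<<'PHP'
<?php
$id = $_GET['id'];
$name = "anonymous";
$db->query("SELECT * FROM users WHERE id = " . $id);
$db->query("SELECT * FROM users WHERE name = '" . $name . "'");
mysqli_query($link, "DELETE FROM log WHERE ip = '" . $_SERVER['REMOTE_ADDR'] . "'");
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
PHP;

// Source and sink lists are this example's own (hypothetical), not Exakat's rules.
const REQUEST_SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER'];
const SQL_SINKS = ['query', 'mysqli_query', 'multi_query', 'exec'];

/**
 * Tier 1 (simplified): tokenize and group significant tokens into statements.
 * Each token becomes [tokenId|null, text, line]; whitespace, comments and the
 * open tag are dropped, and ';' closes a statement.
 */
function tokenizeStatements(string $source): array
{
    $statements = [];
    $current = [];
    $line = 1;
    foreach (token_get_all($source) as $token) {
        if (is_array($token)) {
            [$id, $text, $line] = $token;
            if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG], true)) {
                continue;
            }
            $current[] = [$id, $text, $line];
        } elseif ($token === ';') {
            if ($current !== []) {
                $statements[] = $current;
                $current = [];
            }
        } else {
            $current[] = [null, $token, $line]; // single-character token such as '(' or '.'
        }
    }
    if ($current !== []) {
        $statements[] = $current;
    }
    return $statements;
}

/**
 * Tier 2, part one: variables assigned from a request superglobal, or from an
 * already tainted variable. Statement order is respected.
 */
function taintedVariables(array $statements): array
{
    $tainted = [];
    foreach ($statements as $stmt) {
        if (count($stmt) < 3 || $stmt[0][0] !== T_VARIABLE || $stmt[1][1] !== '=') {
            continue;
        }
        foreach (array_slice($stmt, 2) as [$id, $text]) {
            if ($id === T_VARIABLE && (in_array($text, REQUEST_SUPERGLOBALS, true) || isset($tainted[$text]))) {
                $tainted[$stmt[0][1]] = true;
                break;
            }
        }
    }
    return $tainted;
}

/**
 * Tier 2, part two: find each sink call and report it when a superglobal or a
 * tainted variable appears inside its argument list.
 * Returns a list of ['line' => int, 'sink' => string, 'source' => string].
 */
function findTaintedSinks(string $source): array
{
    $statements = tokenizeStatements($source);
    $tainted = taintedVariables($statements);
    $findings = [];
    foreach ($statements as $stmt) {
        $n = count($stmt);
        for ($i = 0; $i + 1 < $n; $i++) {
            [$id, $name, $line] = $stmt[$i];
            if ($id !== T_STRING || !in_array($name, SQL_SINKS, true) || $stmt[$i + 1][1] !== '(') {
                continue;
            }
            $depth = 0;
            for ($j = $i + 1; $j < $n; $j++) { // scan the argument list up to the matching ')'
                [$argId, $argText] = $stmt[$j];
                if ($argText === '(') {
                    $depth++;
                } elseif ($argText === ')' && --$depth === 0) {
                    break;
                } elseif ($argId === T_VARIABLE
                    && (in_array($argText, REQUEST_SUPERGLOBALS, true) || isset($tainted[$argText]))) {
                    $findings[] = ['line' => $line, 'sink' => $name, 'source' => $argText];
                    break;
                }
            }
        }
    }
    return $findings;
}

// Tier 3 (simplified): a plain-text report instead of charts.
foreach (findTaintedSinks($sampleSource) as $finding) {
    printf("line %d: %s() receives request data via %s\n", $finding['line'], $finding['sink'], $finding['source']);
}
```

Run it with any PHP 7.2+ that has ext/tokenizer loaded (`php taint_demo.php`). The sample is built so that two of its four database calls carry request data (line 4 through the tainted `$id`, line 6 directly through `$_SERVER`) while the constant-string query and the prepared statement do not. A real analyzer tracks taint across function calls, arrays and object properties, which this token-level walk deliberately leaves out; that gap is exactly what a full AST in a graph database is for.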
To use Exakat, the following requirements must be met.
Basic requirements:
- exakat.phar, the main code.
- Gremlin server: Exakat stores the AST in this graph database and queries it with the Gremlin 3 traversal language. Currently only Gremlin Server is supported, with the tinkergraph and neo4j storage engines. Version 3.4.x is the recommended version; 3.3.x is still supported; 3.2.x is unsupported.
- Java 8.x. Java 9.x/10.x will be supported later. Java 7.x was used previously but is no longer actively supported.
- PHP 7.2 or later to run Exakat itself; PHP 7.4 is recommended. This requires the PHP extensions curl, hash, phar, sqlite3, tokenizer, mbstring and json.
Optional requirements:
- PHP 5.2 to 8.0-dev for analysis purposes, i.e. the PHP version of the code being analysed. Those versions only require the ext/tokenizer extension.
- A VCS (Version Control System) such as Git, SVN, Bazaar or Mercurial. All are optional, though Git is recommended.
- Archives such as zip, tgz and tbz2 may also be opened with optional helpers (see the installation guide for optional tools).
OS requirements: Exakat has been tested on OSX, Debian and Ubuntu (up to 20.04). It should work on other Linux distributions, perhaps with a little work. Exakat hasn't been tested on Windows at all.
For installation, curl or wget, and zip, are needed.