Today we're going to talk about a newcomer in the world of application security named OASIS (Ollama Automated Security Intelligence Scanner).
You probably already know this, but vulnerabilities in code are like pantry moths in a kitchen: there are always more than you think! And with the growing complexity of modern applications, tracking down these little critters becomes a real headache. This is where OASIS enters the scene, to help you see your code as it really is.
What makes OASIS interesting is first of all its use of the models available in Ollama to analyze your code. No more static rules dating from Methuselah's day; now the analysis is intelligent and context-aware!
And the tool isn't satisfied with a single AI model. It uses several models in parallel to analyze your code from different angles, which gives a more precise and complete detection of potential vulnerabilities. The models can include llama2 and codellama, each bringing its own expertise.
And since time is money, its cache system stores the embeddings (vector representations) of your code for 7 days by default. These embeddings are saved in an embeddings_cache.pkl file in the input directory, making repeated analyses ultra-fast.
OASIS then generates an organized and complete report structure: one file per model used, subfolders for each format (Markdown, PDF, HTML), detailed reports per vulnerability type, and executive summaries that are perfect for meetings.
Another powerful feature is the audit mode, which lets you analyze the distribution of the embeddings in your code, giving a more in-depth overview of security patterns.
To use it, you will need Python > 3.7 and a working Ollama installation.
```
python3 -m pip install --user pipx
python3 -m pipx ensurepath
git clone https://github.com/psyray/oasis.git
cd oasis
pipx install --editable .
```
Then, for a simple analysis:
```
oasis /chemin/vers/votre/code
```
And for a customized analysis:
```
oasis /chemin/vers/votre/code \
  --cache-days 7 \
  --threshold 0.5 \
  --vulns xss,sqli \
  --embed-model nomic-embed-text \
  --models llama2,codellama \
  --extensions .php,.js,.py \
  --audit
```
OASIS covers a wide spectrum of vulnerabilities:
- sqli: SQL injection
- xss: cross-site scripting
- input validation: insufficient validation of inputs
- data exposure: exposure of sensitive data
- session management: session management problems
- config: configuration errors
- logging: logging of sensitive data
- crypto: incorrect use of cryptographic functions
To get the most out of OASIS, several recommended practices are worth adopting. First, automate analyses by integrating OASIS directly into your CI/CD pipeline, which gives you continuous and early detection of problems. Tuning the threshold is also crucial, so take the time to adjust --threshold to your specific needs and the desired level of sensitivity for your project.
Diversifying models is another important aspect of optimization. By combining different analysis models, you get more complete and reliable coverage.
And don't overlook cache management: use the --clear-cache option regularly to keep performance optimal and avoid a build-up of stale data.
That's it. Even if it won't replace a good team of pentesters, it will let you automate intelligent security checks on your code.
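To make the threshold and cache settings above concrete, here is an added illustration (not OASIS's own code) of how embedding-similarity matching against vulnerability types and a 7-day cache expiry fit together; the cache layout, the scoring and the toy vectors are assumptions, since a real run would get embeddings from Ollama's embed model.

```python
import math
import os
import pickle
import time

CACHE_FILE = "embeddings_cache.pkl"  # file name and default retention come from the article
CACHE_DAYS = 7

def cosine(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def purge_stale(cache, cache_days=CACHE_DAYS, now=None):
    """Keep only entries younger than cache_days. Entries are {key: (timestamp, vector)};
    this layout is an assumption, not the project's actual pickle format."""
    now = time.time() if now is None else now
    cutoff = now - cache_days * 86400
    return {k: v for k, v in cache.items() if v[0] >= cutoff}

def load_cache(path=CACHE_FILE, cache_days=CACHE_DAYS):
    """Read the pickle cache from disk and drop expired entries (the --cache-days idea)."""
    if not os.path.exists(path):
        return {}
    with open(path, "rb") as fh:
        return purge_stale(pickle.load(fh), cache_days)

def find_matches(chunk_vectors, vuln_vectors, threshold=0.5):
    """Flag every code chunk whose embedding is at least `threshold` similar to a
    vulnerability-type embedding (the idea behind --threshold and --vulns)."""
    findings = []
    for chunk_id, cvec in chunk_vectors.items():
        for vuln, vvec in vuln_vectors.items():
            score = cosine(cvec, vvec)
            if score >= threshold:
                findings.append((chunk_id, vuln, round(score, 3)))
    return sorted(findings, key=lambda f: -f[2])

# Constructed toy embeddings; a real run would obtain these from Ollama's embed model.
VULN_VECTORS = {"sqli": [1.0, 0.0, 0.0], "xss": [0.0, 1.0, 0.0]}
CHUNK_VECTORS = {
    "db.php:42": [0.9, 0.1, 0.0],   # close to the sqli pattern
    "view.js:10": [0.1, 0.8, 0.2],  # close to the xss pattern
    "utils.py:7": [0.0, 0.0, 1.0],  # unrelated code
}
```

Lowering the threshold toward 0.1 makes the weak cross-matches appear as well, which is the trade-off the article's tuning advice is about.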