MCP HubMCP Hub
スキル一覧に戻る

Static Vulnerability Analysis

macaugh
更新日 Today
129 閲覧
2
2
GitHubで表示
開発general

について

このスキルは、ソースコードを実行せずに静的解析を行うことで、セキュリティ上の欠陥を特定します。自動的なパターンマッチングと手動でのコードレビューを組み合わせ、メモリ安全性の問題や論理的な欠陥などの問題を発見します。C/C++、Java、Python、JavaScript、PHPなどの言語において、ソースコードが利用可能な場合、動的テストの前、またはセキュリティコードレビュー中にご利用ください。

クイックインストール

Claude Code

推奨
プラグインコマンド推奨
/plugin add https://github.com/macaugh/super-rouge-hunter-skills
Git クローン代替
git clone https://github.com/macaugh/super-rouge-hunter-skills.git ~/.claude/skills/Static Vulnerability Analysis

このコマンドをClaude Codeにコピー&ペーストしてスキルをインストールします

ドキュメント

Static Vulnerability Analysis

Overview

Static analysis examines source code without executing it, identifying security vulnerabilities through pattern matching, data flow analysis, and manual code review. This technique is essential for finding logic flaws, authentication bypasses, and subtle vulnerabilities that automated tools might miss.

Core principle: Combine automated tools with manual review. Tools find patterns; humans find logic flaws.

Common Vulnerability Patterns

Memory Safety Issues (C/C++)

// Buffer Overflow
char buffer[256];
strcpy(buffer, user_input);  // ❌ Unsafe
strncpy(buffer, user_input, sizeof(buffer)-1);  // ✓ Safer

// Integer Overflow
size_t alloc = user_count * item_size;  // ❌ Can overflow
void *ptr = malloc(alloc);

// Use After Free
free(ptr);
ptr->field = value;  // ❌ Use after free

// Double Free
free(ptr);
free(ptr);  // ❌ Double free

Injection Vulnerabilities

# SQL Injection
query = f"SELECT * FROM users WHERE name = '{user_input}'"  # ❌
cursor.execute(query)

# Safe: Parameterized queries
cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))  # ✓

# Command Injection
os.system(f"ping {user_input}")  # ❌

# Safe: Use subprocess with list
subprocess.run(["ping", user_input])  # ✓

# Path Traversal
filepath = f"/data/{user_filename}"  # ❌ ../../../etc/passwd
open(filepath, 'r')

# Safe: Validate and use os.path.join with validation

Authentication and Authorization

# Broken Authentication
if username == "admin" and password == config.ADMIN_PASSWORD:  # ❌ Timing attack
    grant_access()

# Better: Use constant-time comparison
import hmac
if hmac.compare_digest(username, "admin") and \
   hmac.compare_digest(password, config.ADMIN_PASSWORD):
    grant_access()

# Authorization Bypass
def get_user_data(user_id):
    # ❌ No authorization check
    return database.get_user(user_id)

# Better: Check authorization
def get_user_data(user_id):
    if current_user.id != user_id and not current_user.is_admin:
        raise UnauthorizedException()
    return database.get_user(user_id)

Automated Tools

# Semgrep - Pattern-based analysis
semgrep --config=auto /path/to/source

# Bandit - Python security linter
bandit -r /path/to/python/code

# ESLint with security plugins - JavaScript
eslint --plugin security /path/to/js

# Brakeman - Ruby on Rails
brakeman /path/to/rails/app

# FindSecBugs - Java
# SpotBugs with FindSecBugs plugin

# SonarQube - Multi-language
sonar-scanner

Manual Review Checklist

  • Input validation on all user-controlled data
  • Authentication mechanisms (session management, password storage)
  • Authorization checks (IDOR, privilege escalation)
  • Cryptographic implementations (weak algorithms, hardcoded keys)
  • Error handling (information disclosure)
  • Business logic flaws
  • Race conditions and time-of-check-time-of-use
  • Sensitive data exposure (logs, error messages)

Data Flow Analysis

# Trace tainted data from source to sink
# SOURCE: User input
# SINK: Dangerous operation

# Example:
user_input = request.GET['file']  # SOURCE
# ... no validation ...
content = open(user_input).read()  # SINK

# Finding: Path traversal vulnerability
# No validation between source and sink

Integration with Other Skills

  • skills/analysis/zero-day-hunting - Comprehensive vulnerability research
  • skills/exploitation/exploit-dev-workflow - Exploitation of found vulnerabilities
  • skills/documentation/* - Document findings

GitHub リポジトリ

macaugh/super-rouge-hunter-skills
パス: skills/analysis/static-vuln-analysis

関連スキル

algorithmic-art

メタ

This Claude Skill creates original algorithmic art using p5.js with seeded randomness and interactive parameters. It generates .md files for algorithmic philosophies, plus .html and .js files for interactive generative art implementations. Use it when developers need to create flow fields, particle systems, or other computational art while avoiding copyright issues.

スキルを見る

subagent-driven-development

開発

This skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.

スキルを見る

executing-plans

デザイン

Use the executing-plans skill when you have a complete implementation plan to execute in controlled batches with review checkpoints. It loads and critically reviews the plan, then executes tasks in small batches (default 3 tasks) while reporting progress between each batch for architect review. This ensures systematic implementation with built-in quality control checkpoints.

スキルを見る

cost-optimization

その他

This Claude Skill helps developers optimize cloud costs through resource rightsizing, tagging strategies, and spending analysis. It provides a framework for reducing cloud expenses and implementing cost governance across AWS, Azure, and GCP. Use it when you need to analyze infrastructure costs, right-size resources, or meet budget constraints.

スキルを見る