Open
Description
homepage_url
https://github.com/AppThreat/atom
contact_email
code_view_url
https://github.com/AppThreat/atom
spdx_license_expression
Apache-2.0
description
Atom (⚛)
Atom is a novel intermediate representation for applications and a standalone tool powered by the chen library. The intermediate representation (a network with nodes and links) is optimized for operations typically used for application analytics and machine learning, including slicing and vectoring.
Our vision is to make atom useful for many use cases such as:
- Supply-chain analysis: Generate evidence of external library usage including the flow of data from sources to sinks. Atom is used by OWASP cdxgen to improve the precision and comprehensiveness of the generated CycloneDX document.
- Vulnerability analysis: Describe vulnerabilities with evidence of affected symbols, call paths, and data-flows. Enable variant and reachability analysis at scale.
- Exploit prediction: Predict exploits using precise representations of vulnerabilities, libraries, and applications.
- Threat-model and attack vectors generation: Generate precise threat models and attack vectors for applications at scale.
- Application context detection: Generate context useful for summarization and risk-profile generation (e.g. services, endpoints, and data attributes).
- Mind-maps for applications: Automate summarization of large and complex applications as a developer tool.
and more.
primary_languages
Scala, Python
short_term_roadmap
- Enhance atom-tools to showcase more possibilities with atom slices.
- Add JRuby and Scala frontends
long_term_roadmap
- Add dotnet frontend
- Implement context-aware slicing
proprietary_data
- Yes, the tool depends on proprietary data sources
commercial_features
- Yes, the tool has a commercial version with different/additional features
capabilities
- Identifiers - Use Package-URL (PURL) identifiers
- Identifiers - Use SPDX license expressions
- Scanning - Analyze package manifests and lockfiles
- Scanning - Analyze package files
- Scanning - Scan for copyright
- Scanning - Scan for license
- Scanning - Analyze source code
- Scanning - Analyze containers
- Scanning - Analyze installed system packages (Linux distros)
- Scanning - Analyze installed application packages
- Scanning - Other analysis
- Packages - Inventory packages
- Packages - Inventory packages dependencies
- Packages - Resolve dependencies
- Packages - Navigate or display dependency graph
- Compliance - Generate CycloneDX SBOMs
- Compliance - Generate SPDX SBOMs
- Compliance - Validate CycloneDX SBOM
- Compliance - Validate SPDX SBOMs
- Compliance - Generate CycloneDX VEX
- Compliance - Generate CSAF VEX
- Compliance - Generate OpenVex
- Compliance - Generate other compliance documents
- Policies - Define and check license policies
- Policies - Define and check security policies
- Policies - Define and check other policies
- Data - Database of Package metadata
- Data - Database of Package dependency relationships
- Data - Database of License obligations
- Data - Database of Licenses
- Data - Database of Vulnerabilities
- License - Help triage license issues
- License - Generate license credit and attribution notices
- License - Generate source code redistribution lists
- Vulnerabilities - Detect vulnerable code in packages
- Vulnerabilities - Find known vulnerabilities for package
- Vulnerabilities - Determine reachable vulnerabilities
- Vulnerabilities - Help triage vulnerabilities
- Binaries - Analyze binaries
- Binaries - Analyze ELF binaries
- Binaries - Analyze Windows binaries
- Binaries - Analyze firmware binaries
- Binaries - Analyze other binaries
- Matching - Match source code
- Matching - Match binary code
- Tracing - Trace code execution
- Tracing - Trace build
- Code Security - Analyze code statically (SAST/linting)
- Code Security - Analyze code dynamically (DAST)
- Download - Source package
- Download - Source repositories
- Download - Binary package
- Deployment - Deployable as containers (Docker/OCI/k8s/etc)
- Deployment - Deployable in CI/CD pipelines
- Deployment - Deployable as a library
- Run - Run as a command line tool
- Run - Run as a web application
- Run - Run as an API service
other_capabilities
- Roll your own SAST tool with data-flow analysis
- Extract HTTP endpoints in OpenAPI format
- Export code semantic context in GraphML format