Facebook Open Sourced Python Code Analysis “Pysa”
On August 7, Facebook open sourced the Python static code analysis tool “Pysa”.
Pysa is short for Python Static Analyzer. It detects security issues in Python code. Pysa is a static analyzer built on top of a type checker for Python, and it identifies security issues with taint analysis.
Pysa was originally developed to find security bugs in the codebase of “Instagram”, a social networking service owned by Facebook. Based on the algorithm of “Zoncolan”, a static analysis tool for Hack code also developed by Facebook, Pysa tracks the flow of data through a program to find cross-site scripting, remote code execution, SQL injection, and other dangerous data-flow patterns.
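To illustrate the source-to-sink taint tracking described above, here is a deliberately small, added example (not Pysa's or Facebook's code): a single-function taint tracker over Python's AST that treats `request.GET` / `request.POST` as user-controlled sources and the first argument of `cursor.execute` as a SQL sink. The sample views, the source attributes and the sink name are constructed assumptions; Pysa itself works across functions and uses configurable model files rather than hard-coded names.

```python
import ast

# Constructed sample (not from Pysa or Facebook): two Django-style views.
# The first concatenates request data into SQL; the second binds it as a parameter.
SAMPLE = '''
def lookup_user(request, cursor):
    name = request.GET["name"]
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_user_safe(request, cursor):
    name = request.GET["name"]
    cursor.execute("SELECT * FROM users WHERE name = %s", [name])
'''

SOURCE_ATTRS = {"GET", "POST"}  # assumed sources: request.GET / request.POST
SINK_METHOD = "execute"         # assumed sink: first argument of cursor.execute


def mentions_taint(node, tainted):
    """True if the expression reads a source attribute or an already-tainted name."""
    for n in ast.walk(node):
        if isinstance(n, ast.Attribute) and n.attr in SOURCE_ATTRS:
            return True
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
    return False


def find_sql_flows(source_code):
    """Return (function name, line) pairs where tainted data reaches the SQL sink."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            # Propagate: assigning a tainted expression taints the target variable.
            if isinstance(stmt, ast.Assign) and mentions_taint(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            # Report: a sink call whose SQL argument is tainted is a finding.
            call = stmt.value if isinstance(stmt, ast.Expr) else None
            if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                    and call.func.attr == SINK_METHOD and call.args
                    and mentions_taint(call.args[0], tainted)):
                findings.append((func.name, stmt.lineno))
    return findings


if __name__ == "__main__":
    print(find_sql_flows(SAMPLE))  # → [('lookup_user', 5)]
```

The parameterised view produces no finding because only the SQL string argument is a sink; the bound parameter list is not.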
For example, Facebook has used Pysa to detect and disclose security issues in Python projects, such as CVE-2019-19775.
Facebook's development team has open sourced Pysa together with the definitions needed to track down security issues. Since they use Python server frameworks such as Django and Tornado for their own products, they expect Pysa to quickly find security issues in projects that use these frameworks.
Pysa can be downloaded from the project page on GitHub. Python 3.6 or later and Watchman, a file-watching service from Facebook, are required.