A monorepo containing advanced vulnerabilities designed to test SAST (Static Application Security Testing) tools. These vulnerabilities leverage complex language features that often evade detection due to parser limitations and fractal complexity.
- Location:
java-app/src/main/java/com/vulnerableapp/ - Vulnerability: Cross-Site Scripting (XSS)
- Complexity: Lambda expressions, stream processing, Java 21 string templates
- Why it evades detection: Parser fails on
LambdaLHS()and string templates
- Location:
php-app/src/ - Vulnerability: SQL Injection (SQLi)
- Complexity: Dynamic function calls, string interpolation, complex casting
- Why it evades detection: Parser fails on
CastExpression()and dynamic function resolution
- Location:
go-app/src/ - Vulnerability: Remote Code Execution (RCE)
- Complexity: Goroutines, channels, select statements
- Why it evades detection: Parser fails on
IfStmt()and complex control flow
To test your SAST tool against these vulnerabilities:
# Clone and build the monorepo
npm install
npm run build
# Run your SAST tool against the entire monorepo
# Example with a hypothetical SAST tool:
sast-tool scan . --language java,php,goMost SAST tools should struggle to detect these vulnerabilities due to:
- Parser Limitations: "Started 2/4 blocks at once" errors
- Modern Language Features: Lambdas, templates, goroutines
- Complex Control Flow: Asynchronous operations, dynamic calls
- String Complexity: Interpolated strings, template literals
complex-vulnerable-monorepo/
├── java-app/ # Java Spring Boot application
├── php-app/ # PHP web application
├── go-app/ # Go HTTP server
├── package.json # Monorepo configuration
└── README.md # This file
This repository contains intentionally vulnerable code for security testing purposes only. Do not deploy this code in production environments.