C ecosystem analyzer plugin for AttackMap (libmicrohttpd, civetweb, mongoose; libcurl; OpenSSL/mbedTLS/libsodium; sqlite3/libpq/mysql/hiredis/mongoc).
attackmap-analyzer-c
C ecosystem analyzer for AttackMap.
C is more fragmented than language-specific ecosystems — there's no dominant web framework, and routing patterns vary widely. This analyzer captures what regex can reach reliably from common third-party libraries.
- Web frameworks — civetweb (`mg_set_request_handler` extracts routes), libmicrohttpd (`MHD_start_daemon` entrypoint), mongoose (`mg_http_listen` entrypoint + `mg_http_match_uri` pseudo-routes), libonion (`onion_url_add` routes)
- HTTP clients (external calls) — libcurl (`curl_easy_setopt(handle, CURLOPT_URL, "...")` URL string literals)
- Databases — sqlite3 (`sqlite3_open*`), libpq (`PQconnectdb*`, `PQsetdbLogin`), MySQL/MariaDB C client (`mysql_real_connect`, `mariadb_real_connect`), hiredis (`redisConnect*`), MongoDB C driver (`mongoc_client_new`)
- Auth/crypto — OpenSSL (TLS context, EVP cipher, RAND), mbedTLS (SSL/X.509), libsodium (`crypto_pwhash`, `crypto_secretbox`, `crypto_aead_*`), Argon2 reference impl (`argon2id_hash_*`), bcrypt-c, scrypt, JWT C libraries (`jwt_encode`, `jwt_decode`)
- Secrets — `getenv`, `secure_getenv`, `getenv_s` with secret-shaped names (`*SECRET*`, `*TOKEN*`, `*KEY*`, `*PASSWORD*`, `*PASS*`, `*PWD*`)
- Service hints — project name from `CMakeLists.txt` (`project(NAME ...)`)
All emissions populate AttackMap's Signal v2 fields (line numbers + evidence snippets + confidence) so downstream insights can cite path/to/file.c:NN.
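A sketch of the kind of regex extraction described above, added here as an example and not the analyzer's own code. The signal dict shape, the `scan` function and the confidence numbers are assumptions; only the C function names and the secret-shaped name fragments come from the list above.

```python
import re

# Secret-shaped name fragments from the README's "Secrets" bullet.
SECRET_NAME = re.compile(r"SECRET|TOKEN|KEY|PASSWORD|PASS|PWD")

# (kind, confidence, pattern). The confidence numbers are assumed values in the
# README's "0.85+ canonical function-name" tier, not the analyzer's own.
RULES = [
    ("route", 0.9, re.compile(
        r'\bmg_set_request_handler\s*\(\s*[^,]+,\s*"([^"]*)"')),
    ("external_call", 0.9, re.compile(
        r'\bcurl_easy_setopt\s*\(\s*[^,]+,\s*CURLOPT_URL\s*,\s*"([^"]*)"')),
    ("secret", 0.85, re.compile(
        r'\b(?:secure_getenv|getenv_s|getenv)\s*\([^"\n]*"([^"]*)"')),
]

def scan(path, source):
    """Return signal dicts (hypothetical shape) sorted by line number."""
    lines = source.splitlines()
    signals = []
    for kind, confidence, pattern in RULES:
        for m in pattern.finditer(source):
            value = m.group(1)
            if kind == "secret" and not SECRET_NAME.search(value.upper()):
                continue  # getenv("HOME") and friends are not secrets
            line = source.count("\n", 0, m.start()) + 1
            sig = {"kind": kind, "value": value, "file": path, "line": line,
                   "evidence": lines[line - 1].strip(),
                   "confidence": confidence}
            if kind == "route":
                sig["method"] = "ANY"  # method is not declared at registration
            signals.append(sig)
    return sorted(signals, key=lambda s: s["line"])

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
#include "civetweb.h"
void setup(struct mg_context *ctx, CURL *h) {
    mg_set_request_handler(ctx, "/api/login", login_handler, 0);
    curl_easy_setopt(h, CURLOPT_URL, "https://billing.example.test/v1/charge");
    const char *k = getenv("JWT_SECRET");
    const char *home = getenv("HOME");
}
'''

if __name__ == "__main__":
    for s in scan("src/server.c", SAMPLE):
        print(f'{s["file"]}:{s["line"]} {s["kind"]} {s["value"]} {s["confidence"]}')
```

Because the name filter is a substring match, a variable such as `MONKEY_PATH` would also be flagged, which is the kind of false positive the confidence tiers are meant to account for.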
Install
pip install git+https://github.com/mlaify/attackmap-analyzer-c.git
The analyzer is auto-discovered by AttackMap via the attackmap.analyzers entry-point group.
Usage with AttackMap
# Auto-discovered when installed:
attackmap analyze /path/to/c/repo
# Or invoke explicitly:
attackmap analyze /path/to/c/repo --module c
Detection
detect() returns true when any .c or .h file is present in the tree, ignoring build/, .git/, _deps/, third_party/, vendor/, external/, .cache/, out/, and node_modules/. A CMakeLists.txt alongside .cpp files (and no .c files) is not claimed by this analyzer — that's the C++ analyzer's territory.
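The detection rule above, written out as an added example (not the analyzer's own `detect()`). It takes the rule literally and assumes "alongside" means anywhere in the non-ignored tree, so a CMake project with `.cpp` and `.h` files but no `.c` files is not claimed.

```python
import os

# Directory names the README lists as ignored during detection.
IGNORED_DIRS = {"build", ".git", "_deps", "third_party", "vendor",
                "external", ".cache", "out", "node_modules"}

def detect(root):
    """Literal reading of the README rule; True means 'claim this repo'."""
    extensions = set()
    has_cmake = False
    for _dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into ignored trees.
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        for name in filenames:
            has_cmake = has_cmake or name == "CMakeLists.txt"
            extensions.add(os.path.splitext(name)[1])
    if has_cmake and ".cpp" in extensions and ".c" not in extensions:
        return False  # CMake + .cpp and no .c: left to the C++ analyzer
    return ".c" in extensions or ".h" in extensions
```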
Coverage notes
- Marked experimental: regex-based extraction in C has more false positives than language-with-strict-imports analyzers. Keep the confidence-tier model in mind when consuming output (0.6 keyword sweeps vs. 0.85+ canonical function-name hits).
- Routes: civetweb / mongoose / libonion all expose path strings explicitly in their routing API; libmicrohttpd does not (single-callback dispatch on `url`). For libmicrohttpd, only the entrypoint is captured — per-route URLs would need to be regexed out of `if (strcmp(url, "/x") == 0)` patterns inside the answer-callback.
- HTTP method on routes: the C web frameworks covered here don't statically declare HTTP methods at registration time (handlers branch on method internally), so all routes are emitted with method `ANY`.
- OpenSSL EVP / RAND signals are confidence 0.8 — they're broad indicators of crypto usage but not strong defensive signals on their own.
- Authorization / Bearer / api_key keyword matches are tier-0.6 (low confidence). They're useful as supporting evidence for an auth posture, not as load-bearing.
- Hardcoded `#define JWT_SECRET "abc..."` macros are not extracted — too noisy. `getenv("JWT_SECRET")` is the canonical pattern we rely on.
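The libmicrohttpd note above says per-route URLs would have to be recovered from `strcmp(url, ...)` checks inside the answer-callback. The following added example (not part of the analyzer, which captures only the entrypoint) shows one way to do that; the function names, the assumption that the callback parameter is named `url`, and the 0.6 confidence are all choices made for this sketch.

```python
import re

DAEMON = re.compile(r'\bMHD_start_daemon\s*\(([^;]*)\)\s*;')
# strcmp(url, "/x") == 0  or  !strcmp(url, "/x"); assumes the parameter is named url.
STRCMP = re.compile(r'\bstrcmp\s*\(\s*url\s*,\s*"(/[^"]*)"\s*\)\s*==\s*0'
                    r'|!\s*strcmp\s*\(\s*url\s*,\s*"(/[^"]*)"\s*\)')

def handler_name(source):
    """The access handler is the fifth argument of MHD_start_daemon."""
    m = DAEMON.search(source)
    args = [a.strip() for a in m.group(1).split(",")] if m else []
    return args[4].lstrip("&") if len(args) > 4 else None

def function_body(source, name):
    """Return (body, start offset) by brace counting; ignores braces in strings."""
    m = re.search(r'\b%s\s*\([^)]*\)\s*\{' % re.escape(name), source)
    if not m:
        return None, 0
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1], m.end()

def mhd_routes(path, source):
    name = handler_name(source)
    body, offset = function_body(source, name) if name else (None, 0)
    routes = []
    for m in STRCMP.finditer(body or ""):
        line = source.count("\n", 0, offset + m.start()) + 1
        # 0.6 is an assumed value borrowed from the README's keyword-sweep tier.
        routes.append({"value": m.group(1) or m.group(2), "method": "ANY",
                       "file": path, "line": line, "confidence": 0.6})
    return routes

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
static int probe(const char *url) { return strcmp(url, "/not-a-route") == 0; }
static enum MHD_Result answer(void *cls, struct MHD_Connection *c, const char *url,
        const char *method, const char *ver, const char *data, size_t *n, void **p) {
    if (strcmp(url, "/health") == 0) { return ok(c); }
    if (!strcmp(url, "/admin")) { return admin(c); }
    return not_found(c);
}
int main(void) {
    MHD_start_daemon(MHD_USE_INTERNAL_POLLING_THREAD, 8080, NULL, NULL, &answer, NULL, MHD_OPTION_END);
}
'''
```

Scoping the search to the registered callback keeps the `strcmp` in `probe` out of the results; prefix matches, lookup tables and dispatch through helper functions are still missed.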
License
MIT
File details
Details for the file attackmap_analyzer_c-0.1.0.tar.gz.
File metadata
- Download URL: attackmap_analyzer_c-0.1.0.tar.gz
- Upload date:
- Size: 12.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 06848f05cab604a15dfdbd33bb35131ec1fa1ab92a5f68477d801e5874d703ca |
| MD5 | 3579b714ddd91628ea796be76c94bcc9 |
| BLAKE2b-256 | 28a59236014453ce338c4b4cfa4e4b60acaf4fcc60b6cf08eb305493d1c5499f |
Provenance
The following attestation bundles were made for attackmap_analyzer_c-0.1.0.tar.gz:
Publisher: release.yml on mlaify/attackmap-analyzer-c
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: attackmap_analyzer_c-0.1.0.tar.gz
- Subject digest: 06848f05cab604a15dfdbd33bb35131ec1fa1ab92a5f68477d801e5874d703ca
- Sigstore transparency entry: 1955348626
- Sigstore integration time:
- Permalink: mlaify/attackmap-analyzer-c@fe7979b991759ebfa4eb33f3bdc474225acdb4fb
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/mlaify
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@fe7979b991759ebfa4eb33f3bdc474225acdb4fb
- Trigger Event: push
File details
Details for the file attackmap_analyzer_c-0.1.0-py3-none-any.whl.
File metadata
- Download URL: attackmap_analyzer_c-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2ac68f571c6172490685c4dfbece634916c685481909fdac2b3c9464f2f9fc8f |
| MD5 | 1e7e01b94bef6a7643fbad01c4c33353 |
| BLAKE2b-256 | af2a09559ca8f1f7b3d77631f5cf80207c11d49ee8b4119554b846bed1d2ac77 |
Provenance
The following attestation bundles were made for attackmap_analyzer_c-0.1.0-py3-none-any.whl:
Publisher: release.yml on mlaify/attackmap-analyzer-c
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: attackmap_analyzer_c-0.1.0-py3-none-any.whl
- Subject digest: 2ac68f571c6172490685c4dfbece634916c685481909fdac2b3c9464f2f9fc8f
- Sigstore transparency entry: 1955348688
- Sigstore integration time:
- Permalink: mlaify/attackmap-analyzer-c@fe7979b991759ebfa4eb33f3bdc474225acdb4fb
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/mlaify
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@fe7979b991759ebfa4eb33f3bdc474225acdb4fb
- Trigger Event: push