
C ecosystem analyzer plugin for AttackMap (libmicrohttpd, civetweb, mongoose; libcurl; OpenSSL/mbedTLS/libsodium; sqlite3/libpq/mysql/hiredis/mongoc).

Project description

attackmap-analyzer-c

C ecosystem analyzer for AttackMap.

The C ecosystem is more fragmented than those of languages with a dominant web framework: routing conventions vary widely from library to library. This analyzer captures only what regex can reach reliably in common third-party libraries.

  • Web frameworks — civetweb (mg_set_request_handler extracts routes), libmicrohttpd (MHD_start_daemon entrypoint), mongoose (mg_http_listen entrypoint + mg_http_match_uri pseudo-routes), libonion (onion_url_add routes)
  • HTTP clients (external calls) — libcurl (curl_easy_setopt(handle, CURLOPT_URL, "...") URL string literals)
  • Databases — sqlite3 (sqlite3_open*), libpq (PQconnectdb*, PQsetdbLogin), MySQL/MariaDB C client (mysql_real_connect, mariadb_real_connect), hiredis (redisConnect*), MongoDB C driver (mongoc_client_new)
  • Auth/crypto — OpenSSL (TLS context, EVP cipher, RAND), mbedTLS (SSL/X.509), libsodium (crypto_pwhash, crypto_secretbox, crypto_aead_*), Argon2 reference impl (argon2id_hash_*), bcrypt-c, scrypt, JWT C libraries (jwt_encode, jwt_decode)
  • Secrets — getenv, secure_getenv, getenv_s with secret-shaped names (*SECRET*, *TOKEN*, *KEY*, *PASSWORD*, *PASS*, *PWD*)
  • Service hints — project name from CMakeLists.txt (project(NAME ...))

All emissions populate AttackMap's Signal v2 fields (line numbers + evidence snippets + confidence) so downstream insights can cite path/to/file.c:NN.
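The following is an added example, not code from the attackmap-analyzer-c project, showing the shape of extraction the list above describes: a small regex table for a few of the named libraries, run over a constructed C source file, emitting records with the line number, evidence snippet and confidence that let a downstream consumer cite path/to/file.c:NN. The regexes, the `Signal` field names, the `scan_c_source`/`cite` helpers and the confidence values are all assumptions of this example; the real analyzer's pattern table and schema are not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Example pattern table in the style the README describes. The regexes and the
# confidence values are assumptions made for this example, not the project's own.
# Each pattern's group 1 is the value worth reporting (a path, URL or function name).
PATTERNS = [
    # routes: the path string is explicit at registration time
    ("route.civetweb",
     re.compile(r'\bmg_set_request_handler\s*\(\s*\w+\s*,\s*"([^"]+)"'), 0.9),
    ("route.mongoose.pseudo",
     re.compile(r'\bmg_http_match_uri\s*\(\s*\w+\s*,\s*"([^"]+)"'), 0.85),
    ("entrypoint.libmicrohttpd",
     re.compile(r'\b(MHD_start_daemon)\s*\('), 0.9),
    # external call: only string-literal URLs are reachable by regex
    ("external.libcurl",
     re.compile(r'\bcurl_easy_setopt\s*\(\s*\w+\s*,\s*CURLOPT_URL\s*,\s*"([^"]+)"'), 0.9),
    # databases: canonical open/connect function names
    ("database.sqlite3",
     re.compile(r'\b(sqlite3_open(?:_v2|16)?)\s*\('), 0.85),
    ("database.libpq",
     re.compile(r'\b(PQconnectdb(?:Params)?|PQsetdbLogin)\s*\('), 0.85),
    # crypto: a broad indicator of crypto usage, nothing more
    ("crypto.openssl_evp",
     re.compile(r'\b(EVP_\w+)\s*\('), 0.8),
    # keyword sweep: supporting evidence only, hence the lowest tier
    ("auth.keyword",
     re.compile(r'\b(Authorization|Bearer|api_key)\b'), 0.6),
]


@dataclass
class Signal:
    kind: str
    value: str
    file: str
    line: int
    evidence: str
    confidence: float
    # Routes only. The C frameworks covered here branch on the HTTP method inside
    # the handler, so nothing better than ANY is knowable at registration time.
    method: Optional[str] = None


def _line_number(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def _evidence(text: str, pos: int) -> str:
    """The full source line containing pos, stripped, as the evidence snippet."""
    start = text.rfind("\n", 0, pos) + 1
    end = text.find("\n", pos)
    return text[start: end if end != -1 else len(text)].strip()


def scan_c_source(path: str, text: str) -> List[Signal]:
    """Run every pattern over one file and return signals sorted by line.

    Purely lexical: a match inside a comment or a #if 0 block is still reported,
    which is the main source of false positives in regex-based C analysis."""
    found: List[Signal] = []
    for kind, pattern, confidence in PATTERNS:
        for m in pattern.finditer(text):
            found.append(Signal(
                kind=kind,
                value=m.group(1),
                file=path,
                line=_line_number(text, m.start()),
                evidence=_evidence(text, m.start()),
                confidence=confidence,
                method="ANY" if kind.startswith("route.") else None,
            ))
    found.sort(key=lambda s: (s.line, s.kind))
    return found


def cite(sig: Signal) -> str:
    """The path:NN form a downstream insight would quote."""
    return f"{sig.file}:{sig.line}"


# Constructed sample input (not a real project); helpers it calls are not defined.
SAMPLE_C = """\
#include "civetweb.h"
#include <curl/curl.h>
#include <sqlite3.h>
#include <openssl/evp.h>

static int api_users(struct mg_connection *c, void *cbdata) {
    const char *auth = mg_get_header(c, "Authorization");
    return auth ? 200 : 401;
}

int main(void) {
    struct mg_context *ctx = mg_start(NULL, NULL, NULL);
    mg_set_request_handler(ctx, "/api/users", api_users, NULL);
    mg_set_request_handler(ctx, "/healthz", api_users, NULL);
    CURL *h = curl_easy_init();
    curl_easy_setopt(h, CURLOPT_URL, "https://billing.internal/v1/charge");
    sqlite3 *db = NULL;
    sqlite3_open("app.db", &db);
    EVP_MD_CTX *md = EVP_MD_CTX_new();
    return 0;
}
"""

if __name__ == "__main__":
    for sig in scan_c_source("src/main.c", SAMPLE_C):
        print(f"{cite(sig)} {sig.kind:<24} {sig.confidence:.2f} {sig.value}")
```

Consumers should filter on `confidence` rather than on `kind` alone: the `auth.keyword` hit on line 7 and the civetweb route on line 13 come out of the same scanner but carry very different weight.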

Install

pip install git+https://github.com/mlaify/attackmap-analyzer-c.git

The analyzer is auto-discovered by AttackMap via the attackmap.analyzers entry-point group.

Usage with AttackMap

# Auto-discovered when installed:
attackmap analyze /path/to/c/repo

# Or invoke explicitly:
attackmap analyze /path/to/c/repo --module c

Detection

detect() returns true when any .c or .h file is present in the tree, ignoring build/, .git/, _deps/, third_party/, vendor/, external/, .cache/, out/, and node_modules/. A CMakeLists.txt alongside .cpp files (and no .c files) is not claimed by this analyzer — that's the C++ analyzer's territory.
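An added example (not the project's own `detect()`) of the detection rule above, written to show the one part that is easy to get wrong: the ignore list must be applied to every directory component of a path, and when walking a real tree the ignored directories should be pruned in place so they are never descended. `detect_from_paths` takes relative paths so the rule can be exercised without touching the filesystem; `detect` is the `os.walk` wrapper. The function names and the split into two functions are assumptions of this example.

```python
import os
from typing import Iterable

# Directory names skipped by the README's detection rule.
IGNORED_DIRS = {
    "build", ".git", "_deps", "third_party", "vendor",
    "external", ".cache", "out", "node_modules",
}

# Extensions that make this analyzer claim a tree. Note that .h alone counts, so a
# C++-only tree that ships plain .h headers (rather than .hpp) is claimed as well.
C_EXTENSIONS = {".c", ".h"}


def _under_ignored_dir(rel_path: str) -> bool:
    """True if any directory component (not the file name) is in IGNORED_DIRS."""
    components = rel_path.replace("\\", "/").split("/")[:-1]
    return any(c in IGNORED_DIRS for c in components)


def detect_from_paths(rel_paths: Iterable[str]) -> bool:
    """Apply the detection rule to a list of repo-relative file paths."""
    for rel in rel_paths:
        if _under_ignored_dir(rel):
            continue
        if os.path.splitext(rel)[1] in C_EXTENSIONS:
            return True
    return False


def detect(root: str) -> bool:
    """Walk a checkout, pruning ignored directories before descending into them."""
    for _dirpath, dirnames, filenames in os.walk(root):
        # In-place assignment is what makes os.walk skip the pruned directories.
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        if any(os.path.splitext(f)[1] in C_EXTENSIONS for f in filenames):
            return True
    return False


if __name__ == "__main__":
    # Constructed listing of a C++ project that vendors a C library: not claimed.
    print(detect_from_paths(["CMakeLists.txt", "src/main.cpp", "vendor/zlib/zlib.c"]))
```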

Coverage notes

  • Marked experimental: regex-based extraction in C produces more false positives than analyzers for languages with strict import statements. Keep the confidence-tier model in mind when consuming output (0.6 for keyword sweeps vs. 0.85+ for canonical function-name hits).
  • Routes: civetweb / mongoose / libonion all expose path strings explicitly in their routing API; libmicrohttpd does not (single-callback dispatch on url). For libmicrohttpd, only the entrypoint is captured — per-route URLs would need to be regexed out of if (strcmp(url, "/x") == 0) patterns inside the answer-callback.
  • HTTP method on routes: the C web frameworks covered here don't statically declare HTTP methods at registration time (handlers branch on method internally), so all routes are emitted with method ANY.
  • OpenSSL EVP / RAND signals are emitted at confidence 0.8: they are broad indicators of crypto usage, not strong defensive signals on their own.
  • Authorization / Bearer / api_key keyword matches are tier-0.6 (low confidence). They are useful as supporting evidence for an auth posture, not as load-bearing evidence.
  • Hardcoded #define JWT_SECRET "abc..." macros are not extracted — too noisy. getenv("JWT_SECRET") is the canonical pattern we rely on.
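Two of the coverage notes above describe patterns in enough detail to show them working. The block below is an added example, not the project's code: `find_secret_env_reads` implements the secret-shaped `getenv` rule (taking the name from the string literal in the call so that `getenv_s`, whose name is the last argument, works too, and ignoring `#define JWT_SECRET "..."` macros), and `find_mhd_pseudo_routes` shows what regexing per-route URLs out of `strcmp(url, "/x") == 0` inside a libmicrohttpd answer callback would look like, gated on the file actually containing `MHD_start_daemon`. The regexes, confidence values, field names and the assumption that the callback parameter is named `url` are all this example's, not the analyzer's.

```python
import re
from typing import Dict, List

# Assumptions of this example, not the project's pattern table.
GETENV_CALL = re.compile(r'\b(getenv|secure_getenv|getenv_s)\s*\(([^)]*)\)')
STRING_LIT = re.compile(r'"([^"\\]*)"')
SECRET_SHAPE = re.compile(r'SECRET|TOKEN|KEY|PASSWORD|PASS|PWD', re.IGNORECASE)
MHD_ENTRY = re.compile(r'\bMHD_start_daemon\s*\(')
# libmicrohttpd answer callbacks conventionally name the URL parameter `url`;
# relying on that name is the assumption behind this pseudo-route regex.
STRCMP_URL = re.compile(r'\bstrcmp\s*\(\s*url\s*,\s*"([^"]+)"\s*\)\s*==\s*0')


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def _snippet(text: str, pos: int) -> str:
    start = text.rfind("\n", 0, pos) + 1
    end = text.find("\n", pos)
    return text[start: end if end != -1 else len(text)].strip()


def find_secret_env_reads(path: str, text: str) -> List[Dict]:
    """getenv/secure_getenv/getenv_s calls whose literal name looks like a secret.

    A `#define JWT_SECRET "..."` never matches because it is not a getenv call;
    a name built at runtime is skipped because no literal is visible to regex.
    The *PASS* wildcard also catches names like BYPASS_PROXY: that false positive
    is the price of the substring rule and is why the tier is not 1.0."""
    out: List[Dict] = []
    for m in GETENV_CALL.finditer(text):
        lit = STRING_LIT.search(m.group(2))
        if lit is None:
            continue
        name = lit.group(1)
        if not SECRET_SHAPE.search(name):
            continue
        out.append({
            "kind": "secret.env", "name": name, "api": m.group(1), "file": path,
            "line": _line_of(text, m.start()), "evidence": _snippet(text, m.start()),
            "confidence": 0.85,
        })
    return out


def find_mhd_pseudo_routes(path: str, text: str) -> List[Dict]:
    """Per-route URLs recovered from strcmp(url, "...") == 0 in an MHD server file.

    Emitted only when MHD_start_daemon is present in the same file, and at a lower
    confidence than a real routing API, since the `url` name is a convention."""
    if not MHD_ENTRY.search(text):
        return []
    return [{
        "kind": "route.libmicrohttpd.pseudo", "path": m.group(1), "method": "ANY",
        "file": path, "line": _line_of(text, m.start()),
        "evidence": _snippet(text, m.start()), "confidence": 0.7,
    } for m in STRCMP_URL.finditer(text)]


# Constructed sample input (not a real project); respond/handle_login/metrics are
# left undefined because only the text is scanned.
SAMPLE_C = """\
#include <microhttpd.h>
#include <stdlib.h>
#include <string.h>
#define JWT_SECRET "dev-only-secret" /* macro form: intentionally not extracted */

static enum MHD_Result answer(void *cls, struct MHD_Connection *conn,
                              const char *url, const char *method,
                              const char *version, const char *upload,
                              size_t *upload_size, void **ptr) {
    if (strcmp(url, "/healthz") == 0)
        return respond(conn, 200, "ok");
    if (strcmp(url, "/api/login") == 0 && strcmp(method, "POST") == 0)
        return handle_login(conn, upload, *upload_size);
    if (strcmp(url, "/metrics") == 0)
        return respond(conn, 200, metrics());
    return respond(conn, 404, "not found");
}

int main(void) {
    const char *jwt = getenv("JWT_SECRET");
    const char *dbpw = secure_getenv("DATABASE_PASSWORD");
    const char *region = getenv("AWS_REGION");
    const char *proxy = getenv("BYPASS_PROXY");
    char tok[256]; size_t n = 0;
    getenv_s(&n, tok, sizeof tok, "API_TOKEN");
    struct MHD_Daemon *d = MHD_start_daemon(MHD_USE_INTERNAL_POLLING_THREAD, 8080, NULL, NULL,
                                            &answer, NULL, MHD_OPTION_END);
    return d ? 0 : 1;
}
"""

if __name__ == "__main__":
    for s in find_secret_env_reads("src/server.c", SAMPLE_C):
        print(f"{s['file']}:{s['line']} secret {s['name']} via {s['api']}")
    for r in find_mhd_pseudo_routes("src/server.c", SAMPLE_C):
        print(f"{r['file']}:{r['line']} route {r['method']} {r['path']}")
```

The `strcmp(method, "POST")` on the login line is deliberately not turned into a method for the route: it is one branch among any number the handler might take, so ANY remains the honest answer at this level of analysis.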

License

MIT

Download files


Source Distribution

attackmap_analyzer_c-0.1.0.tar.gz (12.9 kB, Source)

Built Distribution


attackmap_analyzer_c-0.1.0-py3-none-any.whl (9.6 kB, Python 3)

File details

Details for the file attackmap_analyzer_c-0.1.0.tar.gz.

File metadata

  • Download URL: attackmap_analyzer_c-0.1.0.tar.gz
  • Size: 12.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for attackmap_analyzer_c-0.1.0.tar.gz
Algorithm Hash digest
SHA256 06848f05cab604a15dfdbd33bb35131ec1fa1ab92a5f68477d801e5874d703ca
MD5 3579b714ddd91628ea796be76c94bcc9
BLAKE2b-256 28a59236014453ce338c4b4cfa4e4b60acaf4fcc60b6cf08eb305493d1c5499f


Provenance

The following attestation bundles were made for attackmap_analyzer_c-0.1.0.tar.gz:

Publisher: release.yml on mlaify/attackmap-analyzer-c

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file attackmap_analyzer_c-0.1.0-py3-none-any.whl.

File hashes

Hashes for attackmap_analyzer_c-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2ac68f571c6172490685c4dfbece634916c685481909fdac2b3c9464f2f9fc8f
MD5 1e7e01b94bef6a7643fbad01c4c33353
BLAKE2b-256 af2a09559ca8f1f7b3d77631f5cf80207c11d49ee8b4119554b846bed1d2ac77


Provenance

The following attestation bundles were made for attackmap_analyzer_c-0.1.0-py3-none-any.whl:

Publisher: release.yml on mlaify/attackmap-analyzer-c

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
