
Is it possible to use this tool for big projects like Prestashop etc? #12

Closed
kstalega opened this issue Nov 25, 2018 · 1 comment

@kstalega

Hi,

I've tried your tool for scanning Prestashop, using this command:

php progpilot_v0.4.0.phar - ~/Documents/static-analysis/prestashop-1.7.2.4/

But the test lasted for over 24 hours and it did not end. What can I do to get rid of this problem?

Best regards,
KS

@eric-therond
Collaborator

Hi
Maybe you could try the dev version:
https://github.com/designsecurity/progpilot/tree/master/builds

and when you do static analysis you have to know your targets very precisely:

  • Progpilot itself should know a big CMS like prestashop (for example the functions that do validation of insecure data and the sinks) otherwise there will be a lot of false positives, I will look at this.
  • In addition, you have to configure progpilot to exclude files that are not relevant to the analysis (like dependencies, resources, images etc.), in my case I have this exclude_files.json:
{
    "exclude_files":
    [
    ],
    "exclude_folders":
    [
        "/home/eric/dev/prestashop/vendor/",
        "/home/eric/dev/prestashop/localization/"
    ]
}

With the dev version and the previous configuration progpilot runs much faster:

real    10m58,886s
user    8m43,893s
sys     0m1,498s

Look also at the options of progpilot that provide configurable parameters to optimize time and memory of analysis.

Eric
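As an added example (not part of progpilot and not code from this thread), the following Python script generates an exclude_files.json in the same shape as the configuration quoted above, by walking a checkout and listing dependency and asset folders plus stray non-PHP files with absolute paths. The folder names and extensions it treats as noise, the SAMPLE_TREE file names and the use of a trailing slash on folder entries are assumptions taken from the quoted config rather than from progpilot's documentation.

```python
"""Generate a progpilot exclude_files.json (added example, not progpilot's own code)."""
import json
import os
import posixpath

# Folder names holding dependencies or assets rather than application PHP (assumed list).
NOISE_FOLDERS = {"vendor", "node_modules", "localization", "img", "js", "css", "cache"}
# Non-PHP file types a PHP taint analysis gains nothing from (assumed list).
NOISE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".ttf", ".woff", ".woff2"}

def build_exclude_config(root, relative_paths):
    """Return {"exclude_files": [...], "exclude_folders": [...]} with absolute paths.

    root: absolute checkout path; relative_paths: files under it, '/' separated.
    A file inside a noise folder is covered by that folder entry (shallowest match,
    trailing slash as in the config quoted in the thread) and is never listed twice.
    """
    folders, files = set(), set()
    for rel in relative_paths:
        parts = rel.split("/")
        hit = next((i for i, p in enumerate(parts[:-1]) if p in NOISE_FOLDERS), None)
        if hit is not None:
            folders.add(posixpath.join(root, *parts[:hit + 1]) + "/")
            continue
        if posixpath.splitext(parts[-1])[1].lower() in NOISE_EXTENSIONS:
            files.add(posixpath.join(root, rel))
    return {"exclude_files": sorted(files), "exclude_folders": sorted(folders)}

def list_project_files(root):
    """Walk a real checkout and yield paths relative to root with '/' separators."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")

# Constructed sample tree standing in for a Prestashop checkout (file names made up).
SAMPLE_ROOT = "/home/eric/dev/prestashop"
SAMPLE_TREE = [
    "index.php", "classes/Tools.php", "vendor/autoload.php", "vendor/symfony/Kernel.php",
    "localization/fr.xml", "themes/classic/img/logo.png", "themes/classic/js/theme.js",
    "admin-dev/themes/default/css/admin.css", "modules/ps_banner/views/banner.jpg",
]

def sample_config():
    """Config for the constructed tree (real call: build_exclude_config(r, list_project_files(r)))."""
    return build_exclude_config(SAMPLE_ROOT, SAMPLE_TREE)

if __name__ == "__main__":
    print(json.dumps(sample_config(), indent=4))
```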
