Question 1

How does vuln-regex-detector compare to safe-regex for finding ReDoS vulnerabilities?

Accepted Answer

vuln-regex-detector offers higher precision due to its validation stage that tests evil inputs in the target language, reducing false positives, while safe-regex is simpler but may have more false alarms. However, vuln-regex-detector has setup overhead and potential false negatives, whereas safe-regex is lighter but less thorough.

Question 2

How to integrate vuln-regex-detector into a CI/CD pipeline?

Accepted Answer

Use the provided scripts in the bin directory to run scans as part of your build process. For containerized environments, build the Docker image and execute it with volume mounts for project code. Configure caching to avoid redundant analysis and speed up checks in automated workflows.

Question 3

What programming languages does vuln-regex-detector support?

Accepted Answer

It supports static regex extraction from multiple languages, as detailed in the extraction README, but the exact list isn't specified—contributors can add new languages via the provided instructions. Validation is language-specific, ensuring accuracy for each supported language.

Question 4

Can vuln-regex-detector detect vulnerabilities in JavaScript regexes?

Accepted Answer

Yes, if JavaScript is among the supported languages for extraction and validation. The tool statically extracts regexes from source code and validates them in the target language, though you should check the extraction README for current language support and contribute if needed.

Question 5

How accurate is vuln-regex-detector compared to manual security reviews?

Accepted Answer

It prioritizes precision with no false positives due to validation, but may miss vulnerabilities from dynamic regexes or detector limitations, leading to false negatives. Manual reviews can catch more context-specific issues but are time-consuming and error-prone.

Question 6

Does vuln-regex-detector work on Windows without Docker?

Accepted Answer

No, direct configuration only supports Ubuntu; for Windows, you must use Docker as described in the README to run the tool in a containerized environment, which adds setup complexity but ensures compatibility.

Question 7

How to add support for a new language in vuln-regex-detector?

Accepted Answer

Follow the instructions in the extraction and validation READMEs: create a new extractor to statically identify regexes and a validator to test evil inputs in that language. Contributions are welcome via GitHub issues and pull requests after discussion.

vuln-regex-detector

What is vuln-regex-detector?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions