variant-analysis

Find similar vulnerabilities across a codebase after discovering one instance. Uses pattern matching, AST search, Semgrep/CodeQL queries, and manual tracing to propagate findings. Adapted from Trail of Bits. Use after finding a bug to check if the same pattern exists elsewhere.

AI & Automation · 501 stars · 42 forks · Updated 2 days ago · MIT

Skill Content

# Variant Analysis

When you find a bug, the same mistake almost certainly exists elsewhere. Variant analysis systematically hunts for siblings of a known vulnerability.

## Process

### Step 1: Characterize the Original Bug

Before searching, understand what makes this bug a bug:

```
ORIGINAL BUG:
File: src/api/users.ts:42
Type: Missing input validation
Pattern: req.params.id used directly in DB query without sanitization
Root cause: Developer assumed framework sanitizes params
Trigger: Untrusted input reaches database query
```

Extract the **abstract pattern** -- not the specific code, but the class of mistake:

- Missing validation at a trust boundary
- Incorrect error handling in auth path
- Race condition between check and use
- Hardcoded secret in source
- SQL injection via string concatenation

### Step 2: Generate Search Queries

For each bug class, create multiple search strategies:

#### Grep/Ripgrep (Fast, broad)

```bash
# Example: SQL injection via concatenation
rg "query\(.*\+.*\)" --type ts
# Single quotes here: inside double quotes the shell turns \$ into a bare $,
# which ripgrep reads as an end-of-line anchor, so the pattern never matches
rg 'execute\(.*\$\{' --type ts
rg "\.raw\(.*\+" --type ts

# Example: Missing auth middleware
# List route files, then keep only those with no auth call at all.
# Note: ripgrep's -L means --follow; the inverse of -l is --files-without-match
rg "router\.(get|post|put|delete)\(" --type ts -l | \
  xargs rg --files-without-match "authenticate|authorize|requireAuth"

# Example: Hardcoded secrets
rg "(password|secret|key|token)\s*[=:]\s*['\"][^'\"]{8,}" --type ts
```

#### Semgrep (AST-aware, precise)

```yaml
# Example: SQL injection
rules:
  - id: sql-injection-concatenation
    patterns:
      - pattern: $DB.query($X + ...)
```
...
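The point of Step 1 is that the search must target the abstract pattern ("untrusted input reaches a database query"), not the literal shape of the first finding. The following is an added example, not part of the skill above or of the Trail of Bits material it adapts: it runs the page's `query\(.*\+.*\)` grep beside a deliberately simple line-level taint check over a few constructed TypeScript files. The sink names (`query`, `execute`, `raw`) are taken from the page's ripgrep examples; the request sources (`req.params`, `req.query`, `req.body`), the file names and their contents are constructed for this illustration. The taint tracking is an assumed simplification (per-file, no scoping, no cross-function flow), which is exactly the gap Semgrep or CodeQL closes in practice; it is here to show why the grep alone under-reports.

```python
"""Propagating a characterized bug: the page's grep pattern beside a
lightweight dataflow check that catches siblings the grep misses.
The sample sources below are constructed for this example."""
import re

# Constructed TypeScript snippets standing in for a codebase. Only
# users.ts has the literal shape of the original bug; orders.ts and
# reports.ts are siblings of the same abstract pattern; safe.ts is
# parameterized and must not be flagged.
SOURCES = {
    "src/api/users.ts": """
export async function getUser(req, res) {
  const rows = await db.query("SELECT * FROM users WHERE id = " + req.params.id);
  res.json(rows);
}
""",
    "src/api/orders.ts": """
export async function getOrder(req, res) {
  const sql = `SELECT * FROM orders WHERE id = ${req.query.id}`;
  const rows = await db.query(sql);
  res.json(rows);
}
""",
    "src/api/reports.ts": """
export async function findReport(req, res) {
  let sql = "SELECT * FROM reports WHERE owner = '";
  sql += req.body.owner;
  sql += "'";
  res.json(await db.execute(sql));
}
""",
    "src/api/safe.ts": """
export async function getUserSafe(req, res) {
  const rows = await db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
  res.json(rows);
}
""",
}

# Step 2 as the page writes it: the literal shape of the original bug.
GREP_PATTERN = re.compile(r"query\(.*\+.*\)")

# The abstract pattern from Step 1: request data reaching a query sink.
# Source and sink names are assumptions for this example.
UNTRUSTED = re.compile(r"\breq\.(params|query|body)\b")
ASSIGN = re.compile(r"^\s*(?:const|let|var)?\s*(\w+)\s*(\+?=)\s*(.+?);?\s*$")
SINK = re.compile(r"\.(query|execute|raw)\(")


def grep_variants(sources):
    """Regex search over raw lines; returns 'file:line' hits."""
    hits = []
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            if GREP_PATTERN.search(line):
                hits.append(f"{path}:{n}")
    return hits


def first_argument(call_text):
    """Return the text of a call's first argument, given the text right
    after the opening parenthesis. Tracks nesting and string literals so
    commas inside quotes or brackets do not end the scan."""
    depth, quote, out = 0, None, []
    for ch in call_text:
        if quote:
            out.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in "\"'`":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            break
        out.append(ch)
    return "".join(out)


def is_tainted(expr, tainted):
    """True if expr mentions request data or a name already marked tainted."""
    if UNTRUSTED.search(expr):
        return True
    return any(re.search(rf"\b{re.escape(name)}\b", expr) for name in tainted)


def taint_variants(sources):
    """Per-file, line-level taint tracking (assumed simplification: no
    scoping, no cross-function flow). Flags sinks whose first argument,
    the query text, was built from request data, directly or via a
    variable assigned with = or +=."""
    hits = []
    for path, text in sources.items():
        tainted = set()
        for n, line in enumerate(text.splitlines(), 1):
            m = ASSIGN.match(line)
            if m and is_tainted(m.group(3), tainted):
                tainted.add(m.group(1))
            s = SINK.search(line)
            if s and is_tainted(first_argument(line[s.end():]), tainted):
                hits.append(f"{path}:{n}")
    return hits


if __name__ == "__main__":
    print("grep  :", grep_variants(SOURCES))
    print("taint :", taint_variants(SOURCES))
```

Run as a script it shows the grep finding only `users.ts`, while the dataflow check also flags `orders.ts` (template literal assigned to a variable) and `reports.ts` (query built up with `+=` over several lines) and stays silent on the parameterized `safe.ts`. The same idea, with real scoping and interprocedural flow, is what the Semgrep and CodeQL queries in Step 2 express.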

Details

Author: vibeeval
Repository: vibeeval/vibecosystem
Created: 3 months ago
Last Updated: 2 days ago
Language: C#
License: MIT
