Rationale
Tree-sitter is the core library used by Fluid Attacks' scanner. It is critical for reporting Static Application Security Testing (SAST) vulnerabilities to our clients.
The main reasons why we chose it over other alternatives are:
- It is open source.
- It provides a low-level approach to defining language syntaxes, which makes it highly flexible and, in principle, able to parse any language with a deterministic grammar.
- It is a popular library for building SAST scanners.
- It has a large community that maintains parsers for many languages, which greatly reduces the complexity we have to own ourselves.
- It has Python bindings.
- It allows us to implement our own parsers, which increases flexibility.
- Performance is one of its main concerns, as it is one of ours: vulnerability scans must execute as fast as possible, both to keep costs down and to give quick feedback.
Alternatives
The following alternatives were considered but not chosen for the following reasons:
Pyparsing
- It provides a high-level approach to defining syntaxes, at the cost of reduced flexibility, which was much more important to us.
- It did not come with as many ready-made grammars for existing languages.
- Its community was smaller.
Usage
We use Tree-sitter as a syntax parser for most of our supported languages.