# Variant Analysis

## When to Use
- A vulnerability was found and you need to check for similar patterns elsewhere
- A security advisory describes a bug class and you need to assess exposure
- Generalizing a specific bug fix into a broader detection rule
- Systematic sweep after a security incident to find related issues
- Building detection queries from a known vulnerability exemplar

## When NOT to Use
- Initial discovery of novel vulnerability classes (use fuzzing or audit)
- Exact-match searching for a known CVE (just grep for the affected function)
- Runtime detection (use WAF or RASP)

## Variant Analysis Workflow

### 1. Understand the Original Bug
- What is the root cause? (missing check, wrong type, logic error)
- What makes it exploitable? (untrusted input reaches vulnerable code)
- What is the minimal pattern that captures the essence?

### 2. Generalize the Pattern
- Abstract away specific variable names and values
- Identify the structural pattern (e.g., "unchecked cast after deserialization")
- Consider language-specific variations of the same concept

### 3. Search for Variants

```bash
# Grep for structural patterns (-E: extended regex, so | and () work unescaped)
grep -rnE "cast.*deserialize|fromJson.*\.(int|long)" --include="*.java" .
# Semgrep for semantic patterns
semgrep --config /path/to/variant-rule.yaml .
# CodeQL for deep data flow variants (analyze requires an output format and file)
codeql database analyze db variant-query.ql --format=sarif-latest --output=variants.sarif
```

### 4. Triage Results
- Confirm each match is actually reachable with untrusted input
- Assess exploitability (is there a viable attack path?)
- Prioritize by severity and exposure

### 5. Create Persistent Detection
- Write Semgrep/CodeQL rules to catch future instances
- Add to CI pipeline to prevent regressions
- Document the variant class for team awareness

## Generalization Strategies

| Original Bug | Generalized Pattern |
|---|---|
| SQL injection in getUserById | Any string concatenation in SQL query methods |
| XSS in renderComment | Any user input in HTML template without escaping |
| Path traversal in downloadFile | Any user input in filesystem path construction |
| Buffer overflow in parseHeader | Any unbounded copy from network input |
| Missing auth check in /api/admin | Any route handler without auth middleware |
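The workflow above (generalize the pattern, search, triage) and the first row of the generalization table, worked through as an added example that is not part of the original page or the eliza project. It takes a hypothetical exemplar, `get_user_by_id` building a query by concatenation, and instead of grepping for that name it encodes the generalized pattern ("any cursor-style `execute()` whose query argument is built at runtime") with Python's standard `ast` module, the same idea Semgrep and CodeQL express in their own rule languages. The sample code base, the function names in it and the set of execute-method names are all constructed for the example; the exact-string baseline is included to show why the "only searching exact strings" mistake misses renamed variants.

```python
"""Variant sweep for the 'SQL query built by string concatenation' bug class.

Added example, not code from the original page. The exemplar bug is a
hypothetical get_user_by_id(); the pattern is generalized with the `ast`
module so that renamed variants using f-strings, %-formatting and
str.format() are caught as well, while parameterized and literal queries
are not flagged.
"""
import ast
from dataclasses import dataclass
from typing import Optional

# Constructed sample code base: the original bug, three renamed variants,
# and two safe call sites that a correct structural rule must not flag.
SAMPLE_SOURCE = '''
def get_user_by_id(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = " + user_id)   # original bug

def find_orders(db, status):
    db.cursor().execute(f"SELECT * FROM orders WHERE status = '{status}'")

def search_products(conn, term):
    conn.execute("SELECT * FROM products WHERE name LIKE '%%%s%%'" % term)

def list_by_owner(cur, owner):
    cur.executemany("DELETE FROM items WHERE owner = {}".format(owner), [])

def get_user_safe(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))

def count_rows(cur):
    cur.execute("SELECT COUNT(*) FROM users")
'''

# Assumed sink names; a real rule would take these from the DB driver in use.
EXECUTE_METHODS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    function: str   # enclosing function, for triage and reachability review
    line: int
    how: str        # which runtime construction form was used


def _dynamic_query_form(node: ast.expr) -> Optional[str]:
    """Classify how the query argument is built; None means a plain literal."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "percent-format"
    if isinstance(node, ast.JoinedStr) and any(
            isinstance(v, ast.FormattedValue) for v in node.values):
        return "f-string"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


class _Sweep(ast.NodeVisitor):
    """Walks one module and records every execute-style call with a dynamic query."""

    def __init__(self) -> None:
        self.findings: list = []
        self._scope = ["<module>"]

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._scope.append(node.name)
        self.generic_visit(node)
        self._scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node: ast.Call) -> None:
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_METHODS and node.args):
            how = _dynamic_query_form(node.args[0])
            if how:
                self.findings.append(Finding(self._scope[-1], node.lineno, how))
        self.generic_visit(node)   # keep descending: nested calls may also be sinks


def find_variants(source: str) -> list:
    """Structural search for the generalized pattern; returns findings in source order."""
    sweep = _Sweep()
    sweep.visit(ast.parse(source))
    return sweep.findings


def exact_string_hits(source: str, needle: str) -> list:
    """Grep-style baseline (the anti-pattern): line numbers containing the exemplar's name."""
    return [n for n, line in enumerate(source.splitlines(), 1) if needle in line]


if __name__ == "__main__":
    print("exact-string hits for 'get_user_by_id':", exact_string_hits(SAMPLE_SOURCE, "get_user_by_id"))
    for f in find_variants(SAMPLE_SOURCE):
        print(f"line {f.line:>2}  {f.function:<16} query built by {f.how}")
```

Run stand-alone, the exact-string baseline reports a single line while the structural sweep reports four call sites, one per construction form, and leaves the parameterized and constant queries alone. Each finding names its enclosing function so step 4 (confirm untrusted input actually reaches it) can be done per result; the `how` field is what you would turn into a Semgrep `pattern-either` or a CodeQL sink predicate in step 5.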

## Tools for Variant Analysis

| Tool | Strength | Best For |
|---|---|---|
| Semgrep | Fast pattern matching | Single-file structural variants |
| CodeQL | Deep data flow | Cross-function/file variants |
| grep/ripgrep | Quick text search | Simple string pattern variants |
| AST-grep | Structural code search | Language-aware structural matching |

## Anti-Patterns

| Mistake | Problem |
|---|---|
| Only searching exact strings | Misses renamed or refactored variants |
| Ignoring different languages | Same bug class can exist in JS, Python, Go, etc. |
| Stopping at first match | Variant analysis requires exhaustive search |
| Not creating detection rules | Same variant will reappear in new code |