Static analysis of every C source file Mob actually compiles into the app: Mob's own NIF shims (mob/android/jni/, mob/ios/), the exqlite NIF wrapper (deps/exqlite/c_src/sqlite3_nif.c), and any C the project itself ships.

Two tools, run in parallel:

- semgrep with the community p/c ruleset — catches unsafe API use, format-string bugs, memory-safety patterns, and a few CVE-derived rules.
- flawfinder — pattern-based audit with a long history; catches things semgrep doesn't (banned APIs, risky gets/strcpy use).
What's deliberately excluded
deps/exqlite/c_src/sqlite3.c — SQLite's amalgamated source is ~9MB and ~250k LOC. It's battle-tested, ships in millions of apps, and would generate thousands of low-value findings if scanned with general C rules. SQLite-specific CVE coverage lives in the :bundled_runtime layer (which fingerprints the version).
Soft-degradation
If either scanner is missing, the layer reports :tool_missing rather than failing. Install with brew install semgrep flawfinder on macOS.
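The layer described above, as an added shell example rather than Mob's own implementation: it collects the C sources from the paths the page names while skipping the SQLite amalgamation, runs semgrep (p/c ruleset) and flawfinder in parallel, and degrades to a tool_missing status for whichever scanner is absent instead of failing. The output directory name and the helper function names are assumptions; the semgrep and flawfinder flags are their upstream-documented ones.

```shell
#!/bin/sh
# Added example, not the project's own script. Drives the two C scanners
# over the sources the page lists, excluding deps/exqlite/c_src/sqlite3.c,
# and reports tool_missing for any scanner that is not installed.

# Source roots named on the page (assumed to be relative to the repo root).
C_ROOTS="mob/android/jni mob/ios deps/exqlite/c_src"

# Print "ok" if the named scanner is on PATH, "tool_missing" otherwise.
scanner_status() {
  if command -v "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo tool_missing
  fi
}

# List the C sources and headers under the given roots, dropping the
# amalgamated sqlite3.c so it never reaches the general-purpose C rules.
collect_c_files() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    find "$root" -type f \( -name '*.c' -o -name '*.h' \) ! -name 'sqlite3.c'
  done
}

# Run both scanners in parallel; each one writes its own report or, if the
# tool is missing, a status file, so one absent scanner does not abort the run.
run_scanners() {
  out="${1:-scan-out}"          # assumed output directory name
  mkdir -p "$out"
  # shellcheck disable=SC2086   # word-splitting of C_ROOTS is intended
  files=$(collect_c_files $C_ROOTS)
  if [ -z "$files" ]; then
    echo "no C sources found under: $C_ROOTS" >&2
    return 1
  fi

  if [ "$(scanner_status semgrep)" = ok ]; then
    # shellcheck disable=SC2086
    semgrep --config p/c --json $files > "$out/semgrep.json" &
  else
    echo "semgrep: tool_missing" > "$out/semgrep.status"
  fi

  if [ "$(scanner_status flawfinder)" = ok ]; then
    # shellcheck disable=SC2086
    flawfinder --csv $files > "$out/flawfinder.csv" &
  else
    echo "flawfinder: tool_missing" > "$out/flawfinder.status"
  fi

  wait   # block until both background scans have finished
}
```

Run it from the repository root as `sh scan_c.sh` (after adding a trailing `run_scanners` call) and inspect scan-out/: a `.status` file for a scanner means it was not found and the layer should surface :tool_missing for that tool; the report files hold the findings for the sources that were actually scanned.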