YASA: Scalable Multi-Language Taint Analysis on the Unified AST at Ant Group
Yayi Wang, Shenao Wang, Jian Zhao, Shaosen Shi, Ting Li, Yan Cheng, Lizhong Bian, Kan Yu, Yanjie Zhao, Haoyu Wang
TL;DR
YASA addresses industrial-scale, multi-language static taint analysis by introducing a unified IR called UAST and a context-, path-, and field-sensitive point-to analysis. It combines language-agnostic semantics with language-specific handlers and a plugin-based taint checker to achieve high precision across Java, JavaScript, Python, and Go. On the xAST benchmark, YASA outperforms both single-language tools and multi-language frameworks, and in production at Ant Group it uncovered 314 taint paths with 92 confirmed 0-day vulnerabilities, 76 of which were patched. This demonstrates practical viability for securing large-scale polyglot software systems and highlights the framework’s extensibility and real-world impact.
Abstract
Modern enterprises increasingly adopt diverse technology stacks with various programming languages, posing significant challenges for static application security testing (SAST). Existing taint analysis tools are predominantly designed for single languages, requiring substantial engineering effort that scales with language diversity. While multi-language tools like CodeQL, Joern, and WALA attempt to address these challenges, they face limitations in intermediate representation design, analysis precision, and extensibility, which make them difficult to scale effectively for large-scale industrial applications at Ant Group. To bridge this gap, we present YASA (Yet Another Static Analyzer), a unified multi-language static taint analysis framework designed for industrial-scale deployment. Specifically, YASA introduces the Unified Abstract Syntax Tree (UAST) that provides a unified abstraction for compatibility across diverse programming languages. Building on the UAST, YASA performs point-to analysis and taint propagation, leveraging a unified semantic model to manage language-agnostic constructs, while incorporating language-specific semantic models to handle other unique language features. When compared to 6 single- and 2 multi-language static analyzers on an industry-standard benchmark, YASA consistently outperformed all baselines across Java, JavaScript, Python, and Go. In real-world deployment within Ant Group, YASA analyzed over 100 million lines of code across 7.3K internal applications. It identified 314 previously unknown taint paths, with 92 of them confirmed as 0-day vulnerabilities. All vulnerabilities were responsibly reported, with 76 already patched by internal development teams, demonstrating YASA's practical effectiveness for securing large-scale industrial software systems.
