There are a couple of Free and Open Source (FOSS) projects I have developed for private of professional purposes. You can find some of them on my GitLab and GitHub profiles. In addition, this page also includes FOSS contributions and FOSS related activities in which I have been involved.

Personal Projects

Below is a collection of FOSS projects I have been working on some of which are hopefully useful to the community.


  • vulninfo generates language bindings (for Go and Ruby) from the Common Weakness Enumeration (CWE) ontology, which is the de-facto standard to classify weaknesses in software and hardware. vulninfo provides the CWE ontology as an in-memory graph database so that relations between CWE classes and other vulnerability classification systems can be easily extracted.

Compiler Engineering and Language Design

  • Lingo is a micro-language framework to design your LISP-based Domain Specific Languages (DSLs) in Go. The idea of Lingo is to provide a simple extensible framework to build your own LISP-based micro-custom-DSLs that is easily embeddable into your application in Go. A corresponding tutorial can be found here.

  • inmemantlr makes it possible to use ANTLR, a popular parser generator in the JVM world, as a library for JVM-based languages by compiling generated code in memory and loading it afterwards. It also includes some utility functions to directly interact with the parse tree provided by ANTLR.

IDE Integrations

Constraint Solving

  • smtlibv2-grammar is an ANTLR v4 grammar for the SMT-LIB language (SMT-LIB Standard: Version 2.6).

  • autorex is a project that translates a Finite State Machine (FSM) back into its regular expression representation by means of the state-elimination algorithm. The library can be used in conjunction with dk.brics library which is very popular in the JVM world. It has been proven to be useful for string constraint solving where constraint can be solved by applying automata operations; the resulting FSM can then be translated back to a corresponding regular expression string.

  • prex is an approximate regular expression matcher that uses the branch and bounds method. prex determines the matching distance between a string s and a regular expression r, i.e. how many insertions, deletions and substitutions on s are at least required (minimum cost) such that the resulting string s’ is acceptable by r.

  • regex2smtlib is a tool for generating constraints in SMT-LIB format from Perl compatible regular expressions strings.

  • ctrans is a basic contraint transformation library to translate predicate logic into conjunctive or disjunctive normal forms using fixed point iteration.

Automation and CI/CD

  • sourcewarp is a record-and-replay tool for benchmarking/testing CI/CD tools and platforms.

  • bumper is a tool that helps with version management by automatically tagging and incrementing versions on a Git repository using the semver specification in a CI/CD context.

  • latexci is a tool that can be used to automatically compile and generate diff PDFs between LaTeX documents which are made available as artifacts.

  • semver_dialects is a Ruby gem for generic semantic version matcher that supports different semantic version dialects and is based on linear interval arithmetic. An in-depth explanation about the approach can be found here.


External Contributions

Below is a list of FOSS projects I contributed to.

Static Analysis

  1. gosec is a static analysis tool that detects security issues in Go code. This PR adds Common Weakness Enumeration (CWE) rule mappings to the GoSec rules.
  2. bandit is a static analysis tool that detects security issues in Python code. This PR adds Common Weakness Enumeration (CWE) rule mappings to the bandit rules.
  3. MagpieBridge is a generic Language Server written in Java. This PR makes the supported languages configurable.

Google Summer of Code

  1. Google Summer of Code 2022 project co-mentor for the project A benchmarking framework for SAST
  2. Google Summer of Code 2021 project mentor for the project Write vulnerability detection rules for SAST