Commit aa2c433

Pull request for 10 rules ESS-ENN (#5)
1 parent 1521a46 commit aa2c433

92 files changed

+1318
-27
lines changed

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
id: libxml2-audit-parser-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
The libxml2 library is used to parse XML. When auditing such code, make
6+
sure that either the document being parsed is trusted or that the parsing
7+
options are safe to consume untrusted documents. In such case make sure
8+
DTD or XInclude documents cannot be loaded and there is no network access.
9+
note: >-
10+
[CWE-611] Improper Restriction of XML External Entity Reference.
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
13+
rule:
14+
any:
15+
- pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
16+
- pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
17+
- pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
18+
- pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
19+
- pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
20+
- pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
21+
- pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
22+
- pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
23+
- pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
24+
- pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
25+
- pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
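
Review bot: the eleven patterns fire on every libxml2 read call no matter what is passed as $XML_OPTIONS, so call sites that already use safe options are reported alongside unsafe ones, and the message ("make sure DTD or XInclude documents cannot be loaded and there is no network access") gives the reviewer nothing to check against. A pattern cannot evaluate an options bitmask, so either state in the message that every hit needs a manual review of the options argument, or add a constraint on XML_OPTIONS for the literal forms that are clearly unsafe. Minor: `$ENC,$XML_OPTIONS` in the xmlCtxtReadIO pattern (line 24) lacks the space used in every other pattern.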

rules/c/security/sizeof-this-c.yml

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: sizeof-this-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
Do not use `sizeof(this)` to get the number of bytes of the object in
6+
memory. It returns the size of the pointer, not the size of the object.
7+
note: >-
8+
[CWE-467]: Use of sizeof() on a Pointer Type
9+
[REFERENCES]
10+
- https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
11+
rule:
12+
any:
13+
- pattern: "sizeof(this)"
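
Review bot: `language: c` does not fit the pattern `sizeof(this)`: `this` is a keyword in C++, not in C, so in a C file it can only be an ordinary identifier that happens to be named this, and the rule will practically never fire. Either move the rule to the cpp rule set (the libxml2 rule in this commit already has a c and a cpp variant) or add a cpp sibling. The ARR01-C reference is about applying sizeof to an array pointer while the message is about an object pointer; the CWE-467 page is the closer reference.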
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
id: libxml2-audit-parser-cpp
2+
language: Cpp
3+
severity: warning
4+
message: >-
5+
The libxml2 library is used to parse XML. When auditing such code, make
6+
sure that either the document being parsed is trusted or that the parsing
7+
options are safe to consume untrusted documents. In such case make sure
8+
DTD or XInclude documents cannot be loaded and there is no network access.
9+
note: >-
10+
[CWE-611] Improper Restriction of XML External Entity Reference.
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
13+
rule:
14+
any:
15+
- pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
16+
- pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
17+
- pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
18+
- pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
19+
- pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
20+
- pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
21+
- pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
22+
- pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
23+
- pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
24+
- pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
25+
- pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
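
Review bot: `language: Cpp` breaks the lowercase convention (`c`, `csharp`, `html`, `java`) used by every other rule in this commit; normalize it to `cpp`. The message, note and all eleven patterns are a verbatim copy of libxml2-audit-parser-c, so any later correction has to be made twice; at minimum keep the two in lockstep (both currently carry the same missing space in `$ENC,$XML_OPTIONS` on line 24). The same caveat applies as for the C rule: $XML_OPTIONS is unconstrained, so call sites with safe options are reported too, and the message should say that each hit needs a manual check of that argument.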
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
id: httponly-false-csharp
2+
language: csharp
3+
severity: warning
4+
message: >-
5+
"Detected a cookie where the `HttpOnly` flag is either missing or
6+
disabled. The `HttpOnly` cookie flag instructs the browser to forbid
7+
client-side JavaScript to read the cookie. If JavaScript interaction is
8+
required, you can ignore this finding. However, set the `HttpOnly` flag to
9+
`true` in all other cases. If this wasn't intentional, it's recommended to
10+
set the HttpOnly flag to true so the cookie will not be accessible through
11+
client-side scripts or to use the Cookie Policy Middleware to globally set
12+
the HttpOnly flag. You can then use the CookieOptions class when
13+
instantiating the cookie, which inherits these settings and will require
14+
future developers to have to explicitly override them on a case-by-case
15+
basis if needed. This approach ensures cookies are secure by default."
16+
note: >-
17+
[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"
18+
[REFERENCES]
19+
- https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware
20+
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions
21+
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
22+
rule:
23+
any:
24+
- pattern: $BUILDER.Cookie.HttpOnly = false;
25+
- pattern: $COOKIE.HttpOnly = false;
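
Review bot: the message (lines 5 to 15) is wrapped in double quotes inside a `>-` block scalar, so the quotes are emitted as part of the finding text, and line 17 has a stray trailing `"` after `Flag`; drop the quotes in both places. The message also says the flag is "either missing or disabled", but both patterns only match an explicit `HttpOnly = false` assignment, so a cookie that never sets the flag is not reported; either narrow the message to what is detected or add a `not`-based pattern for cookies created without the flag.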
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
id: plaintext-http-link-html
2+
language: html
3+
severity: warning
4+
message: >-
5+
"This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
6+
note: >-
7+
[CWE-319] Authentication Bypass by Primary Weakness
8+
[REFERENCES]
9+
- https://cwe.mitre.org/data/definitions/319.html
10+
rule:
11+
pattern: <a $$$ href=$URL>$C</a>
12+
constraints:
13+
URL:
14+
regex: ^['"`]?([Hh][Tt][Tt][Pp]://)
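
Review bot: the note on line 7 gives CWE-319 the title "Authentication Bypass by Primary Weakness", but CWE-319 is "Cleartext Transmission of Sensitive Information", the title the unencrypted-socket-java rule in this same commit uses; fix the title (the reference on line 9 already points at the right CWE). In `<a $$$ href=$URL>$C</a>` the `$C` binds a single child node, so anchors with mixed content (text plus an inline element) may not match; `$$$C` covers those.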
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
id: cbc-padding-oracle-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
6+
malicious actor could discern the difference between plaintext with valid
7+
or invalid padding. Further, CBC mode does not include any integrity
8+
checks. Use 'AES/GCM/NoPadding' instead.
9+
note: >-
10+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
11+
[REFERENCES]
12+
- https://capec.mitre.org/data/definitions/463.html
13+
rule:
14+
pattern: Cipher.getInstance($MODE)
15+
constraints:
16+
MODE:
17+
regex: ".*/CBC/PKCS5Padding"
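
Review bot: this rule tells users to switch to 'AES/GCM/NoPadding' because CBC has no integrity check, while no-null-cipher-java, use-of-aes-ecb-java, use-of-blowfish-java and use-of-rc4-java in the same commit recommend Cipher.getInstance("AES/CBC/PKCS7PADDING"), a transformation this rule's own reasoning objects to (it escapes the regex only because the regex is pinned to PKCS5Padding). Pick one recommendation for the whole rule set; GCM is the one the message's reasoning supports. Also, `Cipher.getInstance($MODE)` on line 14 matches only the unqualified call, whereas the sibling rules use `$CIPHER.getInstance(...)` so that `javax.crypto.Cipher.getInstance(...)` is caught as well.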

rules/java/security/cbc-padding-oracle.yml

Lines changed: 0 additions & 16 deletions
This file was deleted.
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: des-is-deprecated-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
DES is considered deprecated. AES is the recommended cipher. Upgrade to
6+
use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
7+
for more information.
8+
note: >-
9+
[CWE-326] Inadequate Encryption Strength.
10+
[REFERENCES]
11+
- https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
12+
rule:
13+
pattern: $CIPHER.getInstance($SAS)
14+
constraints:
15+
SAS:
16+
regex: "DES"
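
Review bot: the constraint `regex: "DES"` on line 16 is unanchored, so it also matches every "DESede/..." transformation, and those call sites will be reported twice, once here and once by desede-is-deprecated-java; anchor it against the quoted literal (for example `'^"DES(/|")'`, since the metavariable text includes the surrounding quotes, as the hardcoded-secret rule's `'^"'` constraint relies on) so this rule is limited to single DES. Minor: the NIST link appears both inside the message (line 6) and under REFERENCES (line 11); one place is enough.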
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: desede-is-deprecated-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
6+
note: >-
7+
[CWE-326]: Inadequate Encryption Strength
8+
[OWASP A03:2017]: Sensitive Data Exposure
9+
[OWASP A02:2021]: Cryptographic Failures
10+
[REFERENCES]
11+
- https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
12+
- https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
13+
rule:
14+
any:
15+
- pattern: $CIPHER.getInstance("=~/DESede.*/")
16+
- pattern: $CRYPTO.KeyGenerator.getInstance("DES")
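
Review bot: line 15's `$CIPHER.getInstance("=~/DESede.*/")` uses the `"=~/regex/"` string-regex syntax of another tool; ast-grep treats it as a plain string literal, so it will only match code that literally passes "=~/DESede.*/". Express it the way des-is-deprecated-java does: `pattern: $CIPHER.getInstance($ALGO)` plus a `constraints: ALGO: regex: '^"DESede'`. Line 16 has the opposite problem: `$CRYPTO.KeyGenerator.getInstance("DES")` looks for single DES, not DESede, and the leading `$CRYPTO.` makes it miss the common unqualified `KeyGenerator.getInstance(...)` form.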
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
id: ecb-cipher-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Cipher in ECB mode is detected. ECB mode produces the same output for
6+
the same input each time which allows an attacker to intercept and replay
7+
the data. Further, ECB mode does not provide any integrity checking. See
8+
https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
9+
note: >-
10+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
13+
rule:
14+
pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
15+
constraints:
16+
MODE:
17+
regex: .*ECB.*
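
Review bot: `Cipher $VAR = $CIPHER.getInstance($MODE);` on line 14 only matches a local declaration with an initializer; an assignment to an existing field (`cipher = Cipher.getInstance(...)`) or a call used directly as an expression is not reported. Match the call expression alone, as use-of-aes-ecb-java does. That rule's `.*AES/ECB/.*` is a subset of this rule's `.*ECB.*`, so every AES/ECB call site is reported by both; either fold use-of-aes-ecb-java into this rule or exclude AES here.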
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
id: no-null-cipher-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
NullCipher was detected. This will not encrypt anything; the cipher
6+
text will be the same as the plain text. Use a valid, secure cipher:
7+
Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
8+
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
9+
for more information.
10+
note: >-
11+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
12+
[REFERENCES]
13+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
14+
rule:
15+
any:
16+
- pattern: new NullCipher($$$)
17+
- pattern: new javax.crypto.NullCipher($$$)
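
Review bot: the suggested replacement on line 7, Cipher.getInstance("AES/CBC/PKCS7PADDING"), conflicts with cbc-padding-oracle-java in this same commit, which warns against CBC for lacking integrity protection and recommends 'AES/GCM/NoPadding'; align the fix text with that rule. The two patterns are the right set, since `new NullCipher($$$)` does not match the fully qualified `new javax.crypto.NullCipher(...)` form.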
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
id: rsa-no-padding-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Using RSA without OAEP mode weakens the encryption.
6+
note: >-
7+
[CWE-326] Inadequate Encryption Strength
8+
[REFERENCES]
9+
- https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
10+
rule:
11+
pattern: $YST.getInstance($MODE)
12+
constraints:
13+
MODE:
14+
regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
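
Review bot: the message says "RSA without OAEP", but the constraint on line 14 only matches the exact "RSA/NONE/NoPadding" transformation; "RSA/ECB/NoPadding" and a bare "RSA" string pass unreported. Either broaden the regex (for example `'(?i)^"RSA/[^/"]+/NoPadding'`, which also replaces the hand-written case classes) or narrow the message to what is actually matched. The metavariable name `$YST` on line 11 is opaque; `$CIPHER` is what the sibling rules use.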
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: system-setproperty-hardcoded-secret-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[OWASP A07:2021]: Identification and Authentication Failures
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
rule:
16+
all:
17+
- any:
18+
- pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD);
19+
- pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD);
20+
constraints:
21+
PWD:
22+
regex: '^"'
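
Review bot: the `all:` on line 16 wraps a single `any:` and adds nothing; `rule: any: [...]` with the same `constraints:` is equivalent and matches how the other rules in this commit are written. The constraint `'^"'` on line 22 only checks that the argument begins with a quote, so a literal concatenated with a runtime value (`"" + System.getenv(...)`) is also flagged; `'^"[^"]*"$'` restricts the match to a single string literal. The message is generic; naming the two properties it covers (javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword) would tell the reader what was found.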
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: unencrypted-socket-java
2+
language: java
3+
severity: info
4+
message: >-
5+
"Detected use of a Java socket that is not encrypted. As a result, the
6+
traffic could be read by an attacker intercepting the network traffic. Use
7+
an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
8+
instead."
9+
note: >-
10+
[CWE-319] Cleartext Transmission of Sensitive Information
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
13+
rule:
14+
any:
15+
- pattern: new ServerSocket($$$)
16+
- pattern: new Socket($$$)
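
Review bot: the message (lines 5 to 8) is enclosed in double quotes inside a `>-` block scalar, so the quotes are emitted as part of the finding text; drop them, as the other java rules do. `new Socket($$$)` and `new ServerSocket($$$)` match any class with those simple names, not only java.net's, and do not match the fully qualified `new java.net.Socket(...)`; add the qualified forms (no-null-cipher-java shows the pattern) and accept that same-named classes from other packages will be reported at `info` severity.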
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: use-of-aes-ecb-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
Use of AES with ECB mode detected. ECB doesn't provide message
6+
confidentiality and is not semantically secure so should not be used.
7+
Instead, use a strong, secure cipher:
8+
Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
9+
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
10+
for more information.
11+
note: >-
12+
[CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
13+
[OWASP A03:2017]: Sensitive Data Exposure
14+
[OWASP A02:2021]: Cryptographic Failures
15+
[REFERENCES]
16+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
17+
- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
18+
rule:
19+
pattern: $CIPHER.getInstance($MATCHES)
20+
constraints:
21+
MATCHES:
22+
regex: ".*AES/ECB/.*"
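
Review bot: line 8 contains `\"AES/CBC/PKCS7PADDING\"` inside a `>-` block scalar; backslash escapes are not interpreted in a block scalar, so the backslashes are printed literally in the finding. Write the quotes unescaped, as the Blowfish and NullCipher rules do. The recommendation itself (CBC) also contradicts cbc-padding-oracle-java's 'AES/GCM/NoPadding' in this commit. Finally, `.*AES/ECB/.*` is fully covered by ecb-cipher-java's `.*ECB.*`, so every AES/ECB site gets two findings; decide which rule owns it.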
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
id: use-of-blowfish-java
2+
language: java
3+
severity: info
4+
message: >-
5+
Use of Blowfish was detected. Blowfish uses a 64-bit block size
6+
that makes it vulnerable to birthday attacks, and is therefore considered
7+
non-compliant. Instead, use a strong, secure cipher:
8+
Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
9+
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
10+
for more information.
11+
note: >-
12+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm
13+
[REFERENCES]
14+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
15+
- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
16+
rule:
17+
pattern: $CIPHER.getInstance("Blowfish")
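
Review bot: `$CIPHER.getInstance("Blowfish")` on line 17 matches only the bare algorithm name; a transformation string such as "Blowfish/CBC/PKCS5Padding" is not reported. Use the metavariable-plus-constraint form des-is-deprecated-java uses (`pattern: $CIPHER.getInstance($ALGO)` with `regex: '^"Blowfish'`). The recommended replacement 'AES/CBC/PKCS7PADDING' on line 8 conflicts with cbc-padding-oracle-java's guidance in this commit.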
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: use-of-md5-digest-utils-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
'Detected MD5 hash algorithm which is considered insecure. MD5 is not
6+
collision resistant and is therefore not suitable as a cryptographic
7+
signature. Use HMAC instead.'
8+
note: >-
9+
[CWE-328] Use of Weak Hash
10+
[REFERENCES]
11+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
12+
rule:
13+
pattern: DigestUtils.getMd5Digest($$$).digest($$$)
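
Review bot: the single-quoted message (lines 5 to 7) sits inside a `>-` block scalar, so the quote characters become part of the finding text; drop them. "Use HMAC instead" is not a remedy for a weak digest; use-of-sha1-java in the same commit gives the applicable guidance (PBKDF2 for passwords, SHA256 or SHA512 otherwise) and this message should say the same. The pattern on line 13 covers only `getMd5Digest(...).digest(...)`; commons-codec's `DigestUtils.md5(...)` and `DigestUtils.md5Hex(...)` convenience methods are the more common call and go unreported.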
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
id: use-of-md5-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Detected MD5 hash algorithm which is considered insecure. MD5 is not
6+
collision resistant and is therefore not suitable as a cryptographic
7+
signature. Use HMAC instead.
8+
note: >-
9+
[CWE-328] Use of Weak Hash.
10+
[REFERENCES]
11+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
12+
rule:
13+
any:
14+
- pattern: java.security.MessageDigest.getInstance($ALGO)
15+
- pattern: java.security.MessageDigest.getInstance($ALGO, $$$)
16+
- pattern: MessageDigest.getInstance($ALGO)
17+
- pattern: MessageDigest.getInstance($ALGO, $$$)
18+
constraints:
19+
ALGO:
20+
regex: "MD5"
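
Review bot: same remedy problem as use-of-md5-digest-utils-java: "Use HMAC instead" on line 7 does not address a weak hash; use-of-sha1-java's advice (PBKDF2 for passwords, SHA256 or SHA512 otherwise) should be used here as well. The four patterns on lines 14 to 17 are the right set for ast-grep (the qualified and unqualified forms are different AST shapes), and use-of-sha1-java should be brought up to the same four. `regex: "MD5"` on line 20 is case-sensitive while JCE algorithm names are case-insensitive; a `(?i)` prefix closes that gap.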
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: use-of-rc4-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
'Use of RC4 was detected. RC4 is vulnerable to several attacks,
6+
including stream cipher attacks and bit flipping attacks. Instead, use a
7+
strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
8+
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
9+
for more information.'
10+
note: >-
11+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm
12+
[REFERENCES]
13+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
14+
- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
15+
rule:
16+
pattern: $CIPHER.getInstance("RC4")
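
Review bot: the single-quoted message (lines 5 to 9) is inside a `>-` block scalar, so the quotes are emitted literally; drop them. `$CIPHER.getInstance("RC4")` on line 16 matches only that exact literal; a different case, a transformation string, or the JCE's equivalent "ARCFOUR" name is not reported, and the `constraints: regex` approach of des-is-deprecated-java would cover them. The recommended 'AES/CBC/PKCS7PADDING' on line 7 contradicts cbc-padding-oracle-java in this commit.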
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
id: use-of-sha1-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
6+
collision resistant and is therefore not suitable as a cryptographic
7+
signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
8+
for other hash function applications.
9+
note: >-
10+
[CWE-328] Use of Weak Hash.
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
13+
rule:
14+
any:
15+
- pattern: $DU.getSha1Digest().digest($$$)
16+
- pattern: MessageDigest.getInstance($ALGO)
17+
- pattern: java.security.MessageDigest.getInstance($ALGO,$$$)
18+
constraints:
19+
ALGO:
20+
regex: "SHA1|SHA-1"
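
Review bot: the pattern list on lines 15 to 17 is inconsistent with use-of-md5-java: it has the unqualified one-argument form and the qualified two-argument form, but neither the qualified one-argument `java.security.MessageDigest.getInstance($ALGO)` nor the unqualified `MessageDigest.getInstance($ALGO, $$$)`, so half the call shapes are missed. Copy the four patterns from the MD5 rule. `regex: "SHA1|SHA-1"` on line 20 is case-sensitive while JCE algorithm names are not; a `(?i)` prefix fixes that.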
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: use-of-weak-rsa-key-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
RSA keys should be at least 2048 bits based on NIST recommendation.
6+
note: >-
7+
[CWE-326] Inadequate Encryption Strength.
8+
[REFERENCES]
9+
- https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
10+
rule:
11+
pattern: |
12+
$KEY.initialize($AST)
13+
follows: KeyPairGenerator $KEY = $G.getInstance("RSA");
14+
constraints:
15+
AST:
16+
regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
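
Review bot: the regex on line 16 has branches for negative numbers and decimals (`-?`, `(\.[0-9]+)?`, `-[1-9][0-9]*` and so on), none of which can be the argument of `initialize(int)` in Java that compiles, so they are dead weight that makes the intent (any literal below 2048) hard to verify; `'^(0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])$'` says the same thing. The rule fires only when the key size is a literal; a value passed through a variable or wrapped in an RSAKeyGenParameterSpec is not seen, and that limitation belongs in the message. The `follows:` relation on line 13 matches only when the `KeyPairGenerator $KEY = $G.getInstance("RSA");` declaration is the immediately preceding statement (ast-grep's default `stopBy: neighbor`); any statement in between breaks the match, so `stopBy: end` is probably wanted.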
