From 12e05e026aa33b9c2ad6904072588f44e0ede35f Mon Sep 17 00:00:00 2001 
From: ESS-ENN Date: Tue, 17 Sep 2024 15:44:06 +0530 Subject: [PATCH 1/2] Merge branch 'ESS-ENN-ESS-ENN' into main --- package-lock.json | 64 +++++++++---------- package.json | 4 +- rules/c/security/libxml2-audit-parser-c.yml | 25 ++++++++ rules/c/security/sizeof-this-c.yml | 13 ++++ .../cpp/security/libxml2-audit-parser-cpp.yml | 25 ++++++++ .../csharp/security/httponly-false-csharp.yml | 25 ++++++++ .../security/plaintext-http-link-html.yml | 14 ++++ .../java/security/cbc-padding-oracle-java.yml | 17 +++++ rules/java/security/cbc-padding-oracle.yml | 16 ----- .../cookie-secure-flag-false-java.yml | 14 ++++ .../java/security/des-is-deprecated-java.yml | 16 +++++ .../security/desede-is-deprecated-java.yml | 16 +++++ ...ry-external-general-entities-true-java.yml | 16 +++++ rules/java/security/ecb-cipher-java.yml | 17 +++++ rules/java/security/no-null-cipher-java.yml | 17 +++++ rules/java/security/rsa-no-padding-java.yml | 14 ++++ ...stem-setproperty-hardcoded-secret-java.yml | 22 +++++++ .../java/security/unencrypted-socket-java.yml | 16 +++++ rules/java/security/use-of-aes-ecb-java.yml | 22 +++++++ rules/java/security/use-of-blowfish-java.yml | 17 +++++ .../security/use-of-md5-digest-utils-java.yml | 13 ++++ rules/java/security/use-of-md5-java.yml | 20 ++++++ rules/java/security/use-of-rc2-java.yml | 13 ++++ rules/java/security/use-of-rc4-java.yml | 16 +++++ rules/java/security/use-of-sha1-java.yml | 20 ++++++ .../security/use-of-weak-rsa-key-java.yml | 16 +++++ rules/java/security/weak-ssl-context-java.yml | 22 +++++++ .../security/des-is-deprecated-kotlin.yml | 16 +++++ .../security/desede-is-deprecated-kotlin.yml | 16 +++++ .../kotlin/security/rsa-no-padding-kotlin.yml | 14 ++++ ...em-setproperty-hardcoded-secret-kotlin.yml | 22 +++++++ .../security/use-of-weak-rsa-key-kotlin.yml | 18 ++++++ .../security/reqwest-accept-invalid-rust.yml | 17 +++++ .../scala/security/rsa-padding-set-scala.yml | 18 ++++++ .../xmlinputfactory-dtd-enabled-scala.yml | 22 +++++++ 
.../security/insecure-biometrics-swift.yml | 19 ++++++ .../cbc-padding-oracle-java-snapshot.yml | 15 +++++ ...cookie-secure-flag-false-java-snapshot.yml | 9 +++ .../des-is-deprecated-java-snapshot.yml | 9 +++ .../des-is-deprecated-kotlin-snapshot.yml | 9 +++ .../desede-is-deprecated-java-snapshot.yml | 10 +++ .../desede-is-deprecated-kotlin-snapshot.yml | 10 +++ ...al-general-entities-true-java-snapshot.yml | 10 +++ .../ecb-cipher-java-snapshot.yml | 9 +++ .../httponly-false-csharp-snapshot.yml | 16 +++++ .../insecure-biometrics-swift-snapshot.yml | 9 +++ .../libxml2-audit-parser-c-snapshot.yml | 12 ++++ .../libxml2-audit-parser-cpp-snapshot.yml | 12 ++++ .../no-null-cipher-java-snapshot.yml | 18 ++++++ .../plaintext-http-link-html-snapshot.yml | 15 +++++ .../reqwest-accept-invalid-rust-snapshot.yml | 30 +++++++++ .../rsa-no-padding-java-snapshot.yml | 18 ++++++ .../rsa-no-padding-kotlin-snapshot.yml | 10 +++ .../rsa-padding-set-scala-snapshot.yml | 15 +++++ .../__snapshots__/sizeof-this-c-snapshot.yml | 9 +++ ...roperty-hardcoded-secret-java-snapshot.yml | 10 +++ ...perty-hardcoded-secret-kotlin-snapshot.yml | 10 +++ .../unencrypted-socket-java-snapshot.yml | 58 +++++++++++++++++ .../use-of-aes-ecb-java-snapshot.yml | 10 +++ .../use-of-blowfish-java-snapshot.yml | 16 +++++ .../use-of-md5-digest-utils-java-snapshot.yml | 9 +++ .../use-of-md5-java-snapshot.yml | 9 +++ .../use-of-rc2-java-snapshot.yml | 10 +++ .../use-of-rc4-java-snapshot.yml | 16 +++++ .../use-of-sha1-java-snapshot.yml | 10 +++ .../use-of-weak-rsa-key-java-snapshot.yml | 34 ++++++++++ .../use-of-weak-rsa-key-kotlin-snapshot.yml | 10 +++ .../weak-ssl-context-java-snapshot.yml | 37 +++++++++++ ...nputfactory-dtd-enabled-scala-snapshot.yml | 19 ++++++ tests/c/libxml2-audit-parser-c-test.yml | 8 +++ tests/c/sizeof-this-c-test.yml | 7 ++ tests/cpp/libxml2-audit-parser-cpp-test.yml | 8 +++ tests/csharp/httponly-false-csharp-test.yml | 11 ++++ tests/html/plaintext-http-link-html-test.yml | 15 +++++ 
tests/java/cbc-padding-oracle-java-test.yml | 7 ++ tests/java/cbc-padding-oracle-test.yml | 11 ---- .../cookie-secure-flag-false-java-test.yml | 10 +++ tests/java/des-is-deprecated-java-test.yml | 7 ++ tests/java/desede-is-deprecated-java-test.yml | 8 +++ ...ternal-general-entities-true-java-test.yml | 9 +++ tests/java/ecb-cipher-java-test.yml | 7 ++ tests/java/no-null-cipher-java-test.yml | 8 +++ tests/java/rsa-no-padding-java-test.yml | 8 +++ ...setproperty-hardcoded-secret-java-test.yml | 9 +++ tests/java/unencrypted-socket-java-test.yml | 23 +++++++ tests/java/use-of-aes-ecb-java-test.yml | 8 +++ tests/java/use-of-blowfish-java-test.yml | 9 +++ .../use-of-md5-digest-utils-java-test.yml | 9 +++ tests/java/use-of-md5-java-test.yml | 7 ++ tests/java/use-of-rc2-java-test.yml | 8 +++ tests/java/use-of-rc4-java-test.yml | 9 +++ tests/java/use-of-sha1-java-test.yml | 10 +++ tests/java/use-of-weak-rsa-key-java-test.yml | 18 ++++++ tests/java/weak-ssl-context-java-test.yml | 19 ++++++ .../kotlin/des-is-deprecated-kotlin-test.yml | 7 ++ .../desede-is-deprecated-kotlin-test.yml | 8 +++ tests/kotlin/rsa-no-padding-kotlin.yml | 8 +++ ...tproperty-hardcoded-secret-kotlin-test.yml | 9 +++ .../use-of-weak-rsa-key-kotlin-test.yml | 9 +++ .../rust/reqwest-accept-invalid-rust-test.yml | 13 ++++ tests/scala/rsa-padding-set-scala-test.yml | 9 +++ ...xmlinputfactory-dtd-enabled-scala-test.yml | 11 ++++ .../swift/insecure-biometrics-swift-test.yml | 7 ++ 103 files changed, 1448 insertions(+), 61 deletions(-) create mode 100644 rules/c/security/libxml2-audit-parser-c.yml create mode 100644 rules/c/security/sizeof-this-c.yml create mode 100644 rules/cpp/security/libxml2-audit-parser-cpp.yml create mode 100644 rules/csharp/security/httponly-false-csharp.yml create mode 100644 rules/html/security/plaintext-http-link-html.yml create mode 100644 rules/java/security/cbc-padding-oracle-java.yml delete mode 100644 rules/java/security/cbc-padding-oracle.yml create mode 100644 
rules/java/security/cookie-secure-flag-false-java.yml create mode 100644 rules/java/security/des-is-deprecated-java.yml create mode 100644 rules/java/security/desede-is-deprecated-java.yml create mode 100644 rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml create mode 100644 rules/java/security/ecb-cipher-java.yml create mode 100644 rules/java/security/no-null-cipher-java.yml create mode 100644 rules/java/security/rsa-no-padding-java.yml create mode 100644 rules/java/security/system-setproperty-hardcoded-secret-java.yml create mode 100644 rules/java/security/unencrypted-socket-java.yml create mode 100644 rules/java/security/use-of-aes-ecb-java.yml create mode 100644 rules/java/security/use-of-blowfish-java.yml create mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml create mode 100644 rules/java/security/use-of-md5-java.yml create mode 100644 rules/java/security/use-of-rc2-java.yml create mode 100644 rules/java/security/use-of-rc4-java.yml create mode 100644 rules/java/security/use-of-sha1-java.yml create mode 100644 rules/java/security/use-of-weak-rsa-key-java.yml create mode 100644 rules/java/security/weak-ssl-context-java.yml create mode 100644 rules/kotlin/security/des-is-deprecated-kotlin.yml create mode 100644 rules/kotlin/security/desede-is-deprecated-kotlin.yml create mode 100644 rules/kotlin/security/rsa-no-padding-kotlin.yml create mode 100644 rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml create mode 100644 rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml create mode 100644 rules/rust/security/reqwest-accept-invalid-rust.yml create mode 100644 rules/scala/security/rsa-padding-set-scala.yml create mode 100644 rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml create mode 100644 rules/swift/security/insecure-biometrics-swift.yml create mode 100644 tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml create mode 100644 
tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml create mode 100644 tests/__snapshots__/des-is-deprecated-java-snapshot.yml create mode 100644 tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml create mode 100644 tests/__snapshots__/desede-is-deprecated-java-snapshot.yml create mode 100644 tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml create mode 100644 tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml create mode 100644 tests/__snapshots__/ecb-cipher-java-snapshot.yml create mode 100644 tests/__snapshots__/httponly-false-csharp-snapshot.yml create mode 100644 tests/__snapshots__/insecure-biometrics-swift-snapshot.yml create mode 100644 tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml create mode 100644 tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml create mode 100644 tests/__snapshots__/no-null-cipher-java-snapshot.yml create mode 100644 tests/__snapshots__/plaintext-http-link-html-snapshot.yml create mode 100644 tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml create mode 100644 tests/__snapshots__/rsa-no-padding-java-snapshot.yml create mode 100644 tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml create mode 100644 tests/__snapshots__/rsa-padding-set-scala-snapshot.yml create mode 100644 tests/__snapshots__/sizeof-this-c-snapshot.yml create mode 100644 tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml create mode 100644 tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml create mode 100644 tests/__snapshots__/unencrypted-socket-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-blowfish-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-md5-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-rc2-java-snapshot.yml 
create mode 100644 tests/__snapshots__/use-of-rc4-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-sha1-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml create mode 100644 tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml create mode 100644 tests/__snapshots__/weak-ssl-context-java-snapshot.yml create mode 100644 tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml create mode 100644 tests/c/libxml2-audit-parser-c-test.yml create mode 100644 tests/c/sizeof-this-c-test.yml create mode 100644 tests/cpp/libxml2-audit-parser-cpp-test.yml create mode 100644 tests/csharp/httponly-false-csharp-test.yml create mode 100644 tests/html/plaintext-http-link-html-test.yml create mode 100644 tests/java/cbc-padding-oracle-java-test.yml delete mode 100644 tests/java/cbc-padding-oracle-test.yml create mode 100644 tests/java/cookie-secure-flag-false-java-test.yml create mode 100644 tests/java/des-is-deprecated-java-test.yml create mode 100644 tests/java/desede-is-deprecated-java-test.yml create mode 100644 tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml create mode 100644 tests/java/ecb-cipher-java-test.yml create mode 100644 tests/java/no-null-cipher-java-test.yml create mode 100644 tests/java/rsa-no-padding-java-test.yml create mode 100644 tests/java/system-setproperty-hardcoded-secret-java-test.yml create mode 100644 tests/java/unencrypted-socket-java-test.yml create mode 100644 tests/java/use-of-aes-ecb-java-test.yml create mode 100644 tests/java/use-of-blowfish-java-test.yml create mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml create mode 100644 tests/java/use-of-md5-java-test.yml create mode 100644 tests/java/use-of-rc2-java-test.yml create mode 100644 tests/java/use-of-rc4-java-test.yml create mode 100644 tests/java/use-of-sha1-java-test.yml create mode 100644 tests/java/use-of-weak-rsa-key-java-test.yml create mode 100644 
tests/java/weak-ssl-context-java-test.yml create mode 100644 tests/kotlin/des-is-deprecated-kotlin-test.yml create mode 100644 tests/kotlin/desede-is-deprecated-kotlin-test.yml create mode 100644 tests/kotlin/rsa-no-padding-kotlin.yml create mode 100644 tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml create mode 100644 tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml create mode 100644 tests/rust/reqwest-accept-invalid-rust-test.yml create mode 100644 tests/scala/rsa-padding-set-scala-test.yml create mode 100644 tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml create mode 100644 tests/swift/insecure-biometrics-swift-test.yml diff --git a/package-lock.json b/package-lock.json index e27fa3a8..3fc6cfdd 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,13 +9,13 @@ "version": "1.0.0", "license": "ISC", "devDependencies": { - "@ast-grep/cli": "^0.20.2" + "@ast-grep/cli": "^0.26.0" } }, "node_modules/@ast-grep/cli": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.20.2.tgz", - "integrity": "sha512-PhDdxSiyLTyZZ4udvKrthGPNDoNp1Euqfvql66eh5m4F+/PYjMwTPz/5lwYvHZpIr2MozZ1Jqm9W2btjwE3fnw==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.26.3.tgz", + "integrity": "sha512-5HiNeR4uuwVd01VqGW8J6v76PpmcEHG+1YzObXBGfr8XTV7zyYtx4KEVv7hi/PhTpeYylqsir0aRoPk1jlTjsA==", "dev": true, "hasInstallScript": true, "dependencies": { 
@@ -29,19 +29,19 @@ "node": ">= 12.0.0" }, "optionalDependencies": { - "@ast-grep/cli-darwin-arm64": "0.20.2", - "@ast-grep/cli-darwin-x64": "0.20.2", - "@ast-grep/cli-linux-arm64-gnu": "0.20.2", - "@ast-grep/cli-linux-x64-gnu": "0.20.2", - "@ast-grep/cli-win32-arm64-msvc": "0.20.2", - "@ast-grep/cli-win32-ia32-msvc": "0.20.2", - "@ast-grep/cli-win32-x64-msvc": "0.20.2" + "@ast-grep/cli-darwin-arm64": "0.26.3", + "@ast-grep/cli-darwin-x64": "0.26.3", + "@ast-grep/cli-linux-arm64-gnu": "0.26.3", + "@ast-grep/cli-linux-x64-gnu": "0.26.3", + "@ast-grep/cli-win32-arm64-msvc": "0.26.3", + "@ast-grep/cli-win32-ia32-msvc": "0.26.3", + "@ast-grep/cli-win32-x64-msvc": "0.26.3" } }, "node_modules/@ast-grep/cli-darwin-arm64": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.20.2.tgz", - "integrity": "sha512-gBjMyd42ajDzzRjVKMg81slI7Nkp+0BWIBcCa3ZD0jqf9yQ5I+lAHKkDuC31kzcXw6XF2SSlIICRn9mEQhr21w==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.26.3.tgz", + "integrity": "sha512-RM9g0sbcMfiNrxmHfMkfzkSNQFQrHQjcHYtHFnHFVj5uTJP6gXjQnUVLEJiB/glPDVRHCiMkSt/CY7WNaPcyew==", "cpu": [ "arm64" ], @@ -55,9 +55,9 @@ } }, "node_modules/@ast-grep/cli-darwin-x64": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.20.2.tgz", - "integrity": "sha512-sllsHYgRceB4dt1ncnIjVCO449/fewNt8eqcygmomOkdQzRR81UIcuR/ruIZdVti1rqNhMNKhE5mf+GUITA1GQ==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.26.3.tgz", + "integrity": "sha512-6ayT5opqNr57vJYyAUYgrF5oRLlCzZ/c8t+bcIdkxGcugnqbOcKmleoaC4v3R/wWTAjil6DR12NCOnoouR99lw==", "cpu": [ "x64" ], 
@@ -71,9 +71,9 @@ } }, "node_modules/@ast-grep/cli-linux-arm64-gnu": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.20.2.tgz", - "integrity": "sha512-7gm6ei4oiMA1u8BXbKBX6+daQhlmS1DqhliQdFmIrOJLv3oB5fBMIk3gn+0UMDthDHZIeoJn+ig2BOcfqaoyGg==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.26.3.tgz", + "integrity": "sha512-dTDbJqUgzkWxXjTJjeUJSAVgB7uL3M/34a8OoTB+VEZxGg2N/RSBSRinrTG4lIjeFk4OMJuM+2AppAjhaMTD+g==", "cpu": [ "arm64" ], @@ -87,9 +87,9 @@ } }, "node_modules/@ast-grep/cli-linux-x64-gnu": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.20.2.tgz", - "integrity": "sha512-mAd1msrGRmsk7omlqPhqEUiBjs4Q/C+xUBAIw2yX18g5Aq07zPc2KWwA2wGwaa9dBYr0gnZd1o9DiSrDeUJpEA==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.26.3.tgz", + "integrity": "sha512-V2s+xFXmLKRidoVY6GLZCbofSgPGNXJgJehzhV8JdCVJw7yasl+03x6YSusan8vDon+LWtxjrKe6KDgWOMPEkw==", "cpu": [ "x64" ], @@ -103,9 +103,9 @@ } }, "node_modules/@ast-grep/cli-win32-arm64-msvc": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.20.2.tgz", - "integrity": "sha512-VJEum6wD+jfkWR7mxT9DlXovY0SZMIlgvTx/3dmQAiEbk0NiKwit6kofKW3+smHQlVxdtznDSLfKcfll+WhEmA==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.26.3.tgz", + "integrity": "sha512-7FUCYHf6NonovqPSJ5dCEcI1cW8ipeX+jz+MTSLaI4lak2/FBkkYIjtRuRvpviUnjKHx0Ah7AmO6G1OGiKhzzg==", "cpu": [ "arm64" ], 
@@ -119,9 +119,9 @@ } }, "node_modules/@ast-grep/cli-win32-ia32-msvc": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.20.2.tgz", - "integrity": "sha512-d2hlxWVENNsRNN9XTiuxv6UhjbfMj8F+4D6D/Uyfyah35E3UejyNxf9K3NymoCOSdpp+YX2iiP9pW1aMQjurgw==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.26.3.tgz", + "integrity": "sha512-phMsiig9GzQBJQJ75wOh98ug8uptbonBkLAAlkpJ2RF0QVrCWG+MqgYBHpSpJiaM/uRJ7IlFclLFc8kpON5cVQ==", "cpu": [ "ia32" ], @@ -135,9 +135,9 @@ } }, "node_modules/@ast-grep/cli-win32-x64-msvc": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.20.2.tgz", - "integrity": "sha512-j25nRYCD1qItZYPagWMqQCwHt8MyEUEFYXMJnQDbieS5OwKz98ErC3TnlRa3XRWGEk/4tIldzTGNQlAGpQKMYQ==", + "version": "0.26.3", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.26.3.tgz", + "integrity": "sha512-gGX0AR4bpge4ITSD2I/6FaLtzeovujSVvkSSKTjI6PCZx6MMvJ3+8zcXEgwJSib7SliVquhabePjBpF4DLBC6g==", "cpu": [ "x64" ], diff --git a/package.json b/package.json index ee4c8bcc..bb3dd417 100644 --- a/package.json +++ b/package.json @@ -12,6 +12,6 @@ "author": "", "license": "ISC", "devDependencies": { - "@ast-grep/cli": "^0.20.2" + "@ast-grep/cli": "^0.26.0" } -} +} \ No newline at end of file diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml new file mode 100644 index 00000000..81d9c7f2 --- /dev/null +++ b/rules/c/security/libxml2-audit-parser-c.yml 
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-c
+language: c
+severity: warning
+message: >-
+ The libxml2 library is used to parse XML. When auditing such code, make
+ sure that either the document being parsed is trusted or that the parsing
+ options are safe to consume untrusted documents. In such case make sure
+ DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+ - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+ - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml
new file mode 100644
index 00000000..bb024aa2
--- /dev/null
+++ b/rules/c/security/sizeof-this-c.yml
@@ -0,0 +1,13 @@
+id: sizeof-this-c
+language: c
+severity: warning
+message: >-
+ Do not use `sizeof(this)` to get the number of bytes of the object in
+ memory. It returns the size of the pointer, not the size of the object.
+note: >-
+ [CWE-467]: Use of sizeof() on a Pointer Type
+ [REFERENCES]
+ - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
+rule:
+ any:
+ - pattern: "sizeof(this)"
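Review bot: The captured `$XML_OPTIONS` is never constrained, so each of the eleven patterns fires identically whether the caller passes `0`, a hardened option set, or one that enables entity substitution and DTD loading; at `severity: warning` that reads as a finding rather than the audit prompt the message describes. Either say so in `note` (e.g. `This is an audit rule: inspect the options argument before treating a hit as a finding.`) or, if the project treats a literal `0` as safe, add a constraint on `XML_OPTIONS` that excludes it. The same applies byte-for-byte to the cpp copy in the next file, which additionally spells the language `Cpp` while every other rule in this commit uses lowercase. `$ENC,$XML_OPTIONS` in the `xmlCtxtReadIO` pattern is missing the space the other ten patterns have; harmless to the matcher, but worth aligning.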
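Review bot: `this` is not a keyword in C, so with `language: c` the `sizeof(this)` pattern can only match C code that happens to declare an identifier named `this`; the CWE-467 mistake the message describes arises in C++ member functions, for which no rule is added. Mirror this rule into a cpp variant with `language: cpp` (or move it there), as the commit already does for the libxml2 pair. The `any:` wrapper around a single pattern is redundant; `rule:` / `pattern: sizeof(this)` is sufficient.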
diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml
new file mode 100644
index 00000000..84ee43f9
--- /dev/null
+++ b/rules/cpp/security/libxml2-audit-parser-cpp.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-cpp
+language: Cpp
+severity: warning
+message: >-
+ The libxml2 library is used to parse XML. When auditing such code, make
+ sure that either the document being parsed is trusted or that the parsing
+ options are safe to consume untrusted documents. In such case make sure
+ DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+ - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+ - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml
new file mode 100644
index 00000000..f874ec84
--- /dev/null
+++ b/rules/csharp/security/httponly-false-csharp.yml
@@ -0,0 +1,25 @@ +id: httponly-false-csharp +language: csharp +severity: warning +message: >- + "Detected a cookie where the `HttpOnly` flag is either missing or + disabled. The `HttpOnly` cookie flag instructs the browser to forbid + client-side JavaScript to read the cookie. If JavaScript interaction is + required, you can ignore this finding. However, set the `HttpOnly` flag to + `true` in all other cases. If this wasn't intentional, it's recommended to + set the HttpOnly flag to true so the cookie will not be accessible through + client-side scripts or to use the Cookie Policy Middleware to globally set + the HttpOnly flag. You can then use the CookieOptions class when + instantiating the cookie, which inherits these settings and will require + future developers to have to explicitly override them on a case-by-case + basis if needed. This approach ensures cookies are secure by default." +note: >- + [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" + [REFERENCES] + - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration +rule: + any: + - pattern: $BUILDER.Cookie.HttpOnly = false; + - pattern: $COOKIE.HttpOnly = false; diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml new file mode 100644 index 00000000..0e0dbfb7 --- /dev/null +++ b/rules/html/security/plaintext-http-link-html.yml @@ -0,0 +1,14 @@ +id: plaintext-http-link-html +language: html +severity: warning +message: >- + "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." +note: >- + [CWE-319] Authentication Bypass by Primary Weakness + [REFERENCES] + - https://cwe.mitre.org/data/definitions/319.html +rule: + pattern: $C +constraints: + URL: + regex: ^['"`]?([Hh][Tt][Tt][Pp]://) 
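Review bot: The message claims the flag is "either missing or disabled", but both patterns match only an explicit `= false;`, so a cookie that never sets `HttpOnly` is not reported; either reword to `Detected a cookie where the HttpOnly flag is explicitly disabled.` or add a pattern for the missing case. The `note` line ends with a stray `"` after `Flag`, and the double quotes wrapping the message body inside a `>-` folded scalar are emitted literally into the finding text. The cookie-secure-flag-false-java rule later in this commit has the same over-claim (`A cookie was detected without setting the 'secure' flag` against a `$COOKIE.setSecure(false);` pattern), and the unencrypted-socket-java rule has the same literal quoting of its message.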
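Review bot: The constraint is keyed on `URL`, but the only meta-variable the pattern binds is `$C`, so the regex is never applied and `pattern: $C` on its own matches every node in the document (or, depending on how ast-grep treats a constraint on an unbound variable, nothing); the test file for this rule is not visible here, so I cannot tell which outcome the snapshot froze. Bind the value the regex is meant to inspect, e.g. `pattern: href=$URL` (or whichever attribute form the html parser accepts), and keep `constraints: URL:`. Separately, CWE-319 is "Cleartext Transmission of Sensitive Information", as the unencrypted-socket-java rule in this commit states; "Authentication Bypass by Primary Weakness" is a different entry.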
diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml
new file mode 100644
index 00000000..78f11cef
--- /dev/null
+++ b/rules/java/security/cbc-padding-oracle-java.yml
@@ -0,0 +1,17 @@
+id: cbc-padding-oracle-java
+severity: warning
+language: java
+message: >-
+ Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
+ malicious actor could discern the difference between plaintext with valid
+ or invalid padding. Further, CBC mode does not include any integrity
+ checks. Use 'AES/GCM/NoPadding' instead.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://capec.mitre.org/data/definitions/463.html
+rule:
+ pattern: Cipher.getInstance($MODE)
+constraints:
+ MODE:
+ regex: ".*/CBC/PKCS5Padding"
diff --git a/rules/java/security/cbc-padding-oracle.yml b/rules/java/security/cbc-padding-oracle.yml
deleted file mode 100644
index 0cb62145..00000000
--- a/rules/java/security/cbc-padding-oracle.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: cbd-padding-oracle
-severity: warning
-language: java
-message: >-
- Using CBC with PKCS5Padding is susceptible to padding oracle attacks.
- Use a secure mode of operation like GCM or CCM instead.
-note: >-
- [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://capec.mitre.org/data/definitions/463.html
- - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes
- - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY
-rule:
- pattern: Cipher.getInstance("AES/CBC/PKCS5Padding")
\ No newline at end of file
diff --git a/rules/java/security/cookie-secure-flag-false-java.yml b/rules/java/security/cookie-secure-flag-false-java.yml
new file mode 100644
index 00000000..cd5418f4
--- /dev/null
+++ b/rules/java/security/cookie-secure-flag-false-java.yml
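Review bot: This rule tells developers to move to `AES/GCM/NoPadding`, while three other rules in the same commit (no-null-cipher-java, use-of-aes-ecb-java, use-of-blowfish-java) recommend `Cipher.getInstance("AES/CBC/PKCS7PADDING")` as the "strong, secure" replacement — the CBC-with-PKCS-padding construction whose padding-oracle risk this rule describes (PKCS7 and the JCE name PKCS5Padding denote the same padding). Align those three messages with this one so a developer following one rule does not trip the next. The `Cipher.getInstance($MODE)` pattern requires the literal receiver `Cipher`, so a fully qualified `javax.crypto.Cipher.getInstance(...)` is missed, whereas the sibling rules use `$CIPHER.getInstance(...)`. The regex could also accept BouncyCastle's spelling with `regex: ".*/CBC/PKCS[57]Padding"`.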
@@ -0,0 +1,14 @@
+id: cookie-secure-flag-false-java
+language: java
+severity: warning
+message: >-
+ A cookie was detected without setting the 'secure' flag. The 'secure'
+ flag for cookies prevents the client from transmitting the cookie over
+ insecure channels such as HTTP. Set the 'secure' flag by calling
+ '$COOKIE.setSecure(true);'.
+note: >-
+ [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+ [REFERENCES]
+ - https://owasp.org/www-community/controls/SecureCookieAttribute
+rule:
+ pattern: $COOKIE.setSecure(false);
diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml
new file mode 100644
index 00000000..8ce1895b
--- /dev/null
+++ b/rules/java/security/des-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: des-is-deprecated-java
+severity: warning
+language: java
+message: >-
+ DES is considered deprecated. AES is the recommended cipher. Upgrade to
+ use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+ for more information.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+ pattern: $CIPHER.getInstance($SAS)
+constraints:
+ SAS:
+ regex: "DES"
diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml
new file mode 100644
index 00000000..6db7b4c9
--- /dev/null
+++ b/rules/java/security/desede-is-deprecated-java.yml
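Review bot: `regex: "DES"` is an unanchored substring test on the captured `$SAS`, so it also fires on `"DESede/..."` transformations, which the desede-is-deprecated-java rule in this commit reports separately, giving two findings for every 3DES call. Since `$SAS` captures the string literal including its quotes (the system-setproperty rule in this commit relies on the same fact with `'^"'`), anchoring to `regex: '^"DES(/|")'` limits this rule to single DES while still catching `"DES/CBC/PKCS5Padding"`-style transformations.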
@@ -0,0 +1,16 @@
+id: desede-is-deprecated-java
+language: java
+severity: warning
+message: >-
+ Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+ - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
new file mode 100644
index 00000000..6599fe87
--- /dev/null
+++ b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
@@ -0,0 +1,16 @@
+id: documentbuilderfactory-external-general-entities-true-java
+language: java
+severity: warning
+message: >-
+ External entities are allowed for $DBFACTORY. This is vulnerable to XML
+ external entity attacks. Disable this by setting the feature
+ "http://xml.org/sax/features/external-general-entities" to false.
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://blog.sonarsource.com/secure-xml-processor
+rule:
+ pattern:
+ $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities",
+ true);
diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml
new file mode 100644
index 00000000..1ab3a112
--- /dev/null
+++ b/rules/java/security/ecb-cipher-java.yml
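Review bot: `"=~/DESede.*/"` is Semgrep's regex-literal syntax, which ast-grep does not interpret, so the first pattern matches only a call whose argument is literally the string `"=~/DESede.*/"`; and the second pattern, `$CRYPTO.KeyGenerator.getInstance("DES")`, targets single DES rather than DESede. Follow the shape the des and cbc rules in this commit use: `pattern: $CIPHER.getInstance($ALG)` with `constraints: ALG: regex: DESede`, which also subsumes the `KeyGenerator.getInstance` case. The test file for this rule is not visible here, so I cannot confirm what its snapshot currently asserts.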
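Review bot: The `note` cites `[CWE-798]: Use of Hard-coded Credentials` and OWASP A07, which is the classification of the system-setproperty rule in this commit and not of an XML external entity issue; the libxml2 rules in the same commit already use the right entry. Replace the two lines with `[CWE-611] Improper Restriction of XML External Entity Reference` and `[OWASP A05:2021]: Security Misconfiguration`, keeping the sonarsource reference. Worth stating in the message as well that only an explicit `true` is reported: a factory that never touches the feature keeps the implementation default (which, for the JDK parser, typically resolves external general entities), so the absence of a `false` call is not caught by this pattern.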
@@ -0,0 +1,17 @@
+id: ecb-cipher-java
+severity: warning
+language: java
+message: >-
+ Cipher in ECB mode is detected. ECB mode produces the same output for
+ the same input each time which allows an attacker to intercept and replay
+ the data. Further, ECB mode does not provide any integrity checking. See
+ https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
+constraints:
+ MODE:
+ regex: .*ECB.*
diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml
new file mode 100644
index 00000000..b5eee11a
--- /dev/null
+++ b/rules/java/security/no-null-cipher-java.yml
@@ -0,0 +1,17 @@
+id: no-null-cipher-java
+severity: warning
+language: java
+message: >-
+ NullCipher was detected. This will not encrypt anything; the cipher
+ text will be the same as the plain text. Use a valid, secure cipher:
+ Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: new NullCipher($$$)
+ - pattern: new javax.crypto.NullCipher($$$)
diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml
new file mode 100644
index 00000000..c9466216
--- /dev/null
+++ b/rules/java/security/rsa-no-padding-java.yml
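Review bot: `Cipher $VAR = $CIPHER.getInstance($MODE);` matches only a local declaration with an initializer, so an assignment to an existing field or variable (constructed example: `cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");`) or a call passed directly as an argument is not reported, while the use-of-aes-ecb-java rule in this commit matches the bare call `$CIPHER.getInstance($MATCHES)` and therefore also double-reports the AES subset of what this rule does catch. Use the call-expression form here too, `pattern: $CIPHER.getInstance($MODE)`, and tighten the regex to `.*/ECB/.*` so the mode segment rather than any substring is tested; then either drop use-of-aes-ecb-java or scope it to what this rule leaves out.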
@@ -0,0 +1,14 @@
+id: rsa-no-padding-java
+severity: warning
+language: java
+message: >-
+ Using RSA without OAEP mode weakens the encryption.
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+ pattern: $YST.getInstance($MODE)
+constraints:
+ MODE:
+ regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
new file mode 100644
index 00000000..537a16a3
--- /dev/null
+++ b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
@@ -0,0 +1,22 @@
+id: system-setproperty-hardcoded-secret-java
+language: java
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+ all:
+ - any:
+ - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD);
+ - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD);
+constraints:
+ PWD:
+ regex: '^"'
diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml
new file mode 100644
index 00000000..2b8540a5
--- /dev/null
+++ b/rules/java/security/unencrypted-socket-java.yml
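Review bot: The regex `RSA/[Nn][Oo][Nn][Ee]/NoPadding` accepts only the `RSA/None/NoPadding` transformation spelled by BouncyCastle; the JDK's own SunJCE names the same unpadded mode `RSA/ECB/NoPadding`, which is the form most Java code uses and which this rule does not report. `regex: "RSA/([Nn][Oo][Nn][Ee]|ECB)/NoPadding"` covers both. The message says "without OAEP mode", but `RSA/ECB/PKCS1Padding` is also non-OAEP and is (I assume deliberately) out of scope; wording it as `Using RSA with NoPadding (textbook RSA) weakens the encryption; use OAEP.` would match what the rule actually detects.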
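Review bot: The `all:` wrapper contains a single `any:` child, so it adds nothing; `rule:` / `any:` with the two patterns is equivalent and matches the layout of the other rules in this commit. The `'^"'` constraint correctly limits hits to a string literal written inline, which means a password first assigned to a `String` constant and passed by name is not reported; a sentence in `note` such as `Only inline string literals are reported; secrets passed through a named constant are not detected.` would save triage time.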
@@ -0,0 +1,16 @@ +id: unencrypted-socket-java +language: java +severity: info +message: >- + "Detected use of a Java socket that is not encrypted. As a result, the + traffic could be read by an attacker intercepting the network traffic. Use + an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' + instead." +note: >- + [CWE-319] Cleartext Transmission of Sensitive Information + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: new ServerSocket($$$) + - pattern: new Socket($$$) diff --git a/rules/java/security/use-of-aes-ecb-java.yml b/rules/java/security/use-of-aes-ecb-java.yml new file mode 100644 index 00000000..9e28e0b2 --- /dev/null +++ b/rules/java/security/use-of-aes-ecb-java.yml @@ -0,0 +1,22 @@ +id: use-of-aes-ecb-java +language: java +severity: warning +message: >- + Use of AES with ECB mode detected. ECB doesn't provide message + confidentiality and is not semantically secure so should not be used. + Instead, use a strong, secure cipher: + Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information. +note: >- + [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm + [OWASP A03:2017]: Sensitive Data Exposure + [OWASP A02:2021]: Cryptographic Failures + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html +rule: + pattern: $CIPHER.getInstance($MATCHES) +constraints: + MATCHES: + regex: ".*AES/ECB/.*" diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml new file mode 100644 index 00000000..512745a2 --- /dev/null +++ b/rules/java/security/use-of-blowfish-java.yml 
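Review bot: `new Socket($$$)` also fires on the standard way of layering TLS over an existing connection, `sslSocketFactory.createSocket(new Socket(host, port), host, port, true)`, which is the very remediation the message recommends; at severity `info` that is tolerable, but a `not: { inside: { pattern: $F.createSocket($$$), stopBy: end } }` arm would remove the most common false positive. The message is wrapped in literal double quotes inside a `>-` scalar, so the quotes are emitted as part of the text; drop them.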
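Review bot: The suggested replacement `AES/CBC/PKCS7PADDING` is not available from the default JDK providers (SunJCE registers `PKCS5Padding` only) and unauthenticated CBC is flagged by the cbc-padding-oracle-java rule in this same commit, so following the advice produces a new finding; recommend `Cipher.getInstance("AES/GCM/NoPadding")` instead. JCE transformation names are case-insensitive, so `Cipher.getInstance("aes/ecb/pkcs5padding")` slips past the case-sensitive `.*AES/ECB/.*`; use `regex: '(?i)^"AES/ECB/'`. The RC4 blog post under `[REFERENCES]` is unrelated to AES-ECB, and every `Cipher c = Cipher.getInstance("AES/ECB/...")` is now reported twice, once here and once by ecb-cipher-java.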
@@ -0,0 +1,17 @@ +id: use-of-blowfish-java +language: java +severity: info +message: >- + Use of Blowfish was detected. Blowfish uses a 64-bit block size + that makes it vulnerable to birthday attacks, and is therefore considered + non-compliant. Instead, use a strong, secure cipher: + Cipher.getInstance("AES/CBC/PKCS7PADDING"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html +rule: + pattern: $CIPHER.getInstance("Blowfish") diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml new file mode 100644 index 00000000..77778a46 --- /dev/null +++ b/rules/java/security/use-of-md5-digest-utils-java.yml @@ -0,0 +1,13 @@ +id: use-of-md5-digest-utils-java +language: java +severity: warning +message: >- + 'Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead.' +note: >- + [CWE-328] Use of Weak Hash + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + pattern: DigestUtils.getMd5Digest($$$).digest($$$) diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml new file mode 100644 index 00000000..a7835c21 --- /dev/null +++ b/rules/java/security/use-of-md5-java.yml 
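Review bot: `$CIPHER.getInstance("Blowfish")` only matches the bare algorithm name; the usual `Cipher.getInstance("Blowfish/CBC/PKCS5Padding")` and `KeyGenerator.getInstance("Blowfish")` are not reported. Move the literal into a constraint — `pattern: $CIPHER.getInstance($ALGO)` with `ALGO: { regex: '(?i)^"Blowfish(/|")' }` — and add a `Blowfish/CBC/PKCS5Padding` fixture. The `AES/CBC/PKCS7PADDING` remediation has the same problem as in the other rules of this commit (no `PKCS7Padding` in SunJCE, and CBC is flagged by cbc-padding-oracle-java), and the RC4 reference is off-topic for Blowfish.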
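Review bot: The single pattern `DigestUtils.getMd5Digest($$$).digest($$$)` misses the more common Commons Codec entry points `DigestUtils.md5($$$)` and `DigestUtils.md5Hex($$$)`, as well as a digest stored first (`MessageDigest md = DigestUtils.getMd5Digest(); md.digest(x)`); add those as `any:` arms and match `DigestUtils.getMd5Digest($$$)` on its own. "Use HMAC instead" is not the right remediation — an HMAC is a keyed MAC, not a substitute for a collision-resistant hash; say `SHA-256`/`SHA-3` (and a password hash such as PBKDF2 for passwords), as use-of-sha1-java in this commit already does. The single quotes around the `>-` scalar also end up inside the emitted message.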
@@ -0,0 +1,20 @@ +id: use-of-md5-java +severity: warning +language: java +message: >- + Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: java.security.MessageDigest.getInstance($ALGO) + - pattern: java.security.MessageDigest.getInstance($ALGO, $$$) + - pattern: MessageDigest.getInstance($ALGO) + - pattern: MessageDigest.getInstance($ALGO, $$$) +constraints: + ALGO: + regex: "MD5" diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml new file mode 100644 index 00000000..ad7a2401 --- /dev/null +++ b/rules/java/security/use-of-rc2-java.yml @@ -0,0 +1,13 @@ +id: use-of-rc2-java +language: java +severity: warning +message: >- + Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and + is therefore considered non-compliant. Instead, use a strong, secure. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html +rule: + pattern: $CIPHER.getInstance("RC2") diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml new file mode 100644 index 00000000..2356d208 --- /dev/null +++ b/rules/java/security/use-of-rc4-java.yml 
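Review bot: The `ALGO` regex `MD5` is case-sensitive while `MessageDigest.getInstance("md5")` is accepted by the JCA, so a lower-case spelling evades the rule; use `regex: '(?i)^"MD5"$'`. As in use-of-md5-digest-utils-java, "Use HMAC instead" mislabels a MAC as a hash replacement; recommend SHA-256 or SHA-3, and PBKDF2/bcrypt where the digest is used for passwords.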
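Review bot: The message ends mid-sentence — "Instead, use a strong, secure." — so no remediation is stated; finish it, e.g. `Instead, use a strong, secure cipher such as Cipher.getInstance("AES/GCM/NoPadding").` The literal pattern `$CIPHER.getInstance("RC2")` also only matches the bare name, so `Cipher.getInstance("RC2/CBC/PKCS5Padding")` and `KeyGenerator.getInstance("RC2")` are not reported; `pattern: $CIPHER.getInstance($ALGO)` with `ALGO: { regex: '(?i)^"RC2(/|")' }` covers both. The RC4 reference in the note is about a different cipher.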
@@ -0,0 +1,16 @@ +id: use-of-rc4-java +language: java +severity: warning +message: >- + 'Use of RC4 was detected. RC4 is vulnerable to several attacks, + including stream cipher attacks and bit flipping attacks. Instead, use a + strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information.' +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html +rule: + pattern: $CIPHER.getInstance("RC4") diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml new file mode 100644 index 00000000..1c24f3e3 --- /dev/null +++ b/rules/java/security/use-of-sha1-java.yml @@ -0,0 +1,20 @@ +id: use-of-sha1-java +language: java +severity: warning +message: >- + Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 + for other hash function applications. +note: >- + [CWE-328] Use of Weak Hash. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: $DU.getSha1Digest().digest($$$) + - pattern: MessageDigest.getInstance($ALGO) + - pattern: java.security.MessageDigest.getInstance($ALGO,$$$) +constraints: + ALGO: + regex: "SHA1|SHA-1" diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml new file mode 100644 index 00000000..8f7c96aa --- /dev/null +++ b/rules/java/security/use-of-weak-rsa-key-java.yml 
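Review bot: SunJCE registers this cipher under the name `ARCFOUR`, with `RC4` only as an alias, so `Cipher.getInstance("ARCFOUR")` and `KeyGenerator.getInstance("ARCFOUR")` are RC4 uses the pattern does not see; match `$CIPHER.getInstance($ALGO)` with `ALGO: { regex: '(?i)^"(RC4|ARCFOUR)"$' }` and add an `ARCFOUR` fixture. The `AES/CBC/PKCS7PADDING` advice again names a padding the default JDK does not provide and a mode flagged by cbc-padding-oracle-java in this commit; `AES/GCM/NoPadding` is the safe suggestion. The single quotes around the `>-` scalar become part of the message text.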
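Review bot: The `MessageDigest` arms are asymmetric — only the unqualified one-argument form and the fully-qualified two-argument form are listed — so `MessageDigest.getInstance("SHA-1", "SUN")` and `java.security.MessageDigest.getInstance("SHA-1")` are missed, whereas use-of-md5-java in the same commit lists all four combinations; add the two missing patterns. The regex `SHA1|SHA-1` should also be case-insensitive and anchored (`'(?i)^"SHA-?1"$'`) since the JCA accepts `sha-1`, and `$DU.getSha1Digest().digest($$$)` does not cover `DigestUtils.sha1($$$)`/`sha1Hex($$$)` or a digest stored in a variable before `.digest` is called.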
@@ -0,0 +1,16 @@ +id: use-of-weak-rsa-key-java +language: java +severity: warning +message: >- + RSA keys should be at least 2048 bits based on NIST recommendation. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms +rule: + pattern: | + $KEY.initialize($AST) +follows: KeyPairGenerator $KEY = $G.getInstance("RSA"); +constraints: + AST: + regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/java/security/weak-ssl-context-java.yml b/rules/java/security/weak-ssl-context-java.yml new file mode 100644 index 00000000..411ca262 --- /dev/null +++ b/rules/java/security/weak-ssl-context-java.yml @@ -0,0 +1,22 @@ +id: weak-ssl-context-java +language: java +severity: warning +message: >- + 'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all + SSL versions are considered weak encryption and are deprecated. Use + SSLContext.getInstance("TLSv1.2") for the best security.' +note: >- + [CWE-326] Inadequate Encryption Strength + [REFERENCES] + - https://tools.ietf.org/html/rfc7568 + - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html +rule: + all: + - pattern: SSLContext.getInstance($CONTEXT) + - not: + pattern: SSLContext.getInstance("TLSv1.3") + - not: + pattern: SSLContext.getInstance("TLSv1.2") +constraints: + CONTEXT: + regex: (TLS|SSL) diff --git a/rules/kotlin/security/des-is-deprecated-kotlin.yml b/rules/kotlin/security/des-is-deprecated-kotlin.yml new file mode 100644 index 00000000..377e3ed5 --- /dev/null +++ b/rules/kotlin/security/des-is-deprecated-kotlin.yml 
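Review bot: `$KEY.initialize($AST)` only covers the one-argument overload; `keyGen.initialize(1024, new SecureRandom())` and `keyGen.initialize(new RSAKeyGenParameterSpec(1024, RSAKeyGenParameterSpec.F4))` produce the same weak key and are not reported — add `$KEY.initialize($AST, $$$)` and a `new RSAKeyGenParameterSpec($AST, $$$)` arm. The `follows` rule sets no `stopBy`; if ast-grep's default (`neighbor`) applies, the finding is only raised when `initialize` is the statement immediately after the `getInstance("RSA")` declaration, and any intervening line (a `SecureRandom` construction, say) silently drops it, so set `stopBy: end` and add such a fixture. The `AST` regex can shrink to `'^-?([0-9]{1,3}|1[0-9]{3}|20[0-3][0-9]|204[0-7])$'`: the decimal branches only describe code like `initialize(512.0)` that does not compile as an `int` argument.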
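Review bot: `SSLContext.getInstance($CONTEXT)` is the single-argument form only, so `SSLContext.getInstance("SSLv3", "SunJSSE")` or `getInstance("TLSv1", provider)` escape the rule; add `$CONTEXT, $$$` variants to both the pattern and the `not` arms. The unanchored `(TLS|SSL)` constraint plus two `not` exclusions can be replaced by one anchored regex that enumerates the weak names, `regex: '^"(SSL|SSLv2|SSLv3|TLS|TLSv1|TLSv1\.1)"$'`, which also stops a metavariable such as `SSL_PROTOCOL` from matching by name alone. The message should recommend `TLSv1.3` — the rule itself already accepts it — rather than calling `TLSv1.2` "the best security", and could note that bare `"TLS"` is flagged because on JDKs that still enable TLS 1.0/1.1 by default it negotiates them.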
@@ -0,0 +1,16 @@ +id: des-is-deprecated-kotlin +severity: warning +language: kotlin +message: >- + DES is considered deprecated. AES is the recommended cipher. Upgrade to + use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + for more information. +note: >- + [CWE-326] Inadequate Encryption Strength. + [REFERENCES] + - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard +rule: + pattern: $CIPHER.getInstance($SAS) +constraints: + SAS: + regex: "DES" diff --git a/rules/kotlin/security/desede-is-deprecated-kotlin.yml b/rules/kotlin/security/desede-is-deprecated-kotlin.yml new file mode 100644 index 00000000..f0a7351a --- /dev/null +++ b/rules/kotlin/security/desede-is-deprecated-kotlin.yml @@ -0,0 +1,16 @@ +id: desede-is-deprecated-kotlin +language: kotlin +severity: warning +message: >- + Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. +note: >- + [CWE-326]: Inadequate Encryption Strength + [OWASP A03:2017]: Sensitive Data Exposure + [OWASP A02:2021]: Cryptographic Failures + [REFERENCES] + - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE + - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA +rule: + any: + - pattern: $CIPHER.getInstance("=~/DESede.*/") + - pattern: $CRYPTO.KeyGenerator.getInstance("DES") diff --git a/rules/kotlin/security/rsa-no-padding-kotlin.yml b/rules/kotlin/security/rsa-no-padding-kotlin.yml new file mode 100644 index 00000000..49e07e7b --- /dev/null +++ b/rules/kotlin/security/rsa-no-padding-kotlin.yml 
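Review bot: The `SAS` regex `DES` is unanchored, so it also matches `"DESede/ECB/PKCS5Padding"` — every 3DES call then raises this rule as well as desede-is-deprecated-kotlin, with a message that mis-describes the algorithm. Anchor it to single DES, `regex: '(?i)^"DES(/|")'`, which still matches the `DES/ECB/PKCS5Padding` fixture, and add a `DESede` fixture to the `valid` list of this rule.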
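Review bot: `$CIPHER.getInstance("=~/DESede.*/")` uses Semgrep's regex-in-string syntax, which ast-grep does not interpret — it is a literal string match that no real code contains, and the snapshot for this rule confirms it: only `javax.crypto.KeyGenerator.getInstance("DES")` at offset 47 is labelled, while `Cipher.getInstance("DESede/ECB/PKCS5Padding")` on the first line is not. Replace it with `pattern: $CIPHER.getInstance($ALGO)` plus `constraints: { ALGO: { regex: '(?i)^"(DESede|TripleDES)' } }` (`TripleDES` is the JCE alias). The second arm `$CRYPTO.KeyGenerator.getInstance("DES")` requires a qualified receiver and looks for single DES rather than DESede, so unqualified `KeyGenerator.getInstance("DESede")` is also missed and the single-DES case belongs to the des rule.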
@@ -0,0 +1,14 @@ +id: rsa-no-padding-kotlin +severity: warning +language: kotlin +message: >- + Using RSA without OAEP mode weakens the encryption. +note: >- + [CWE-326] Inadequate Encryption Strength + [REFERENCES] + - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ +rule: + pattern: $YST.getInstance($MODE) +constraints: + MODE: + regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding" diff --git a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml new file mode 100644 index 00000000..06635555 --- /dev/null +++ b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml @@ -0,0 +1,22 @@ +id: system-setproperty-hardcoded-secret-kotlin +language: kotlin +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798]: Use of Hard-coded Credentials + [OWASP A07:2021]: Identification and Authentication Failures + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +rule: + all: + - any: + - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD); + - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD); +constraints: + PWD: + regex: '^"' diff --git a/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml new file mode 100644 index 00000000..1620ce16 --- /dev/null +++ b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml 
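Review bot: As in the Java twin, the `MODE` regex only recognises `RSA/None/NoPadding`, so the JDK-native `RSA/ECB/NoPadding` — the unpadded transformation most Kotlin code would actually write — is not reported; align with the Scala rule's `RSA/.*/NoPadding` shape, e.g. `regex: '(?i)^"RSA/[^/]*/NoPadding"$'`, and add that fixture. The message's "without OAEP" also overstates the match, which ignores `RSA/ECB/PKCS1Padding`.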
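Review bot: Both patterns end in `;`, but idiomatic Kotlin omits statement terminators, and the only fixture (see the snapshot) is semicolon-terminated, so nothing shows that `System.setProperty("javax.net.ssl.keyStorePassword", "password")` without a `;` is reported; drop the semicolons from the patterns and add a semicolon-free test case. The `all:` wrapping a single `any:` is a no-op here as in the Java rule, and a `valid` fixture with `System.getenv("KS_PW")` as the value would pin the intended negative.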
@@ -0,0 +1,18 @@ +id: use-of-weak-rsa-key-kotlin +language: kotlin +severity: warning +message: >- + RSA keys should be at least 2048 bits based on NIST recommendation +note: >- + [CWE-326]: Inadequate Encryption Strength + [OWASP A03:2017]: Sensitive Data Exposure + [OWASP A02:2021]: Cryptographic Failures + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms +rule: + pattern: | + $KEY.initialize($BITS) +follows: KEY = $G.getInstance("RSA"); +constraints: + BITS: + regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/rust/security/reqwest-accept-invalid-rust.yml b/rules/rust/security/reqwest-accept-invalid-rust.yml new file mode 100644 index 00000000..27fc9d8b --- /dev/null +++ b/rules/rust/security/reqwest-accept-invalid-rust.yml @@ -0,0 +1,17 @@ +id: reqwest-accept-invalid-rust +language: rust +severity: warning +message: >- + Dangerously accepting invalid TLS +note: >- + [CWE-295]: Improper Certificate + [REFERENCES] + - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames + - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs +rule: + any: + - pattern: $CLIENT.danger_accept_invalid_hostnames(true) + - pattern: $CLIENT.danger_accept_invalid_certs(true) +constraints: + CLIENT: + regex: '^reqwest::Client::builder\(\)' diff --git a/rules/scala/security/rsa-padding-set-scala.yml b/rules/scala/security/rsa-padding-set-scala.yml new file mode 100644 index 00000000..b4601500 --- /dev/null +++ b/rules/scala/security/rsa-padding-set-scala.yml 
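Review bot: The `follows` pattern is `KEY = $G.getInstance("RSA");` — a plain identifier `KEY`, not the metavariable `$KEY` the Java sibling uses — so as written it can only precede an assignment to a variable literally named `KEY`, and the fixture's first line `KeyPairGenerator.getInstance("RSA")` is neither an assignment nor a declaration, so the snapshot says nothing about the realistic `val keyGen = KeyPairGenerator.getInstance("RSA")` form. Use `follows: { pattern: 'val $KEY = $G.getInstance("RSA")', stopBy: end }` (Kotlin has no trailing `;`), add the two-argument `$KEY.initialize($BITS, $$$)` overload, and test with a `val` declaration followed by an intervening statement. The `BITS` regex's decimal branches (`-5.12` in the fixture) describe code that does not type-check against an `Int` parameter and can be dropped.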
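Review bot: The `CLIENT` constraint `^reqwest::Client::builder\(\)` requires the fully qualified path at the head of the chain, so `Client::builder().danger_accept_invalid_certs(true)` after `use reqwest::Client`, `ClientBuilder::new()`, or a builder held in a local (`let b = reqwest::Client::builder(); b.danger_accept_invalid_certs(true)`) all evade the rule. The two method names are specific enough to drop the constraint entirely, or relax it to `regex: '(?:reqwest::)?(?:Client::builder|ClientBuilder::new)\(\)'` and add a fixture for the `use`-imported form. Calls passing a variable (`danger_accept_invalid_certs(insecure)`) are also unreported, which is a reasonable choice, but the message should say that only a literal `true` is flagged.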
@@ -0,0 +1,18 @@ +id: rsa-padding-set-scala +language: scala +severity: warning +message: >- + Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may + weaken encryption. This could lead to sensitive data exposure. Instead, + use RSA with `OAEPWithMD5AndMGF1Padding` instead. + +note: >- + [CWE-780] Use of RSA Algorithm without OAEP + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures +rule: + any: + - pattern: $CIPHER.getInstance($MODE) +constraints: + MODE: + regex: ".*RSA/.*/NoPadding.*" diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml new file mode 100644 index 00000000..732fddc9 --- /dev/null +++ b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml @@ -0,0 +1,22 @@ +id: xmlinputfactory-dtd-enabled-scala +language: scala +severity: warning +message: >- + XMLInputFactory being instantiated without calling the setProperty + functions that are generally used for disabling entity processing. User + controlled data in XML Document builder can result in XML Internal Entity + Processing vulnerabilities like the disclosure of confidential data, + denial of service, Server Side Request Forgery (SSRF), port scanning. Make + sure to disable entity processing functionality. +note: >- + [CWE-611] Improper Restriction of XML External Entity. + [REFERENCES] + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration +rule: + any: + - pattern: XMLInputFactory.newFactory($$$) + - pattern: XMLInputFactory.newInstance($$$) + - pattern: new XMLInputFactory($$$) +precedes: + not: + pattern: $XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false) diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml new file mode 100644 index 00000000..8ea5a821 --- /dev/null +++ b/rules/swift/security/insecure-biometrics-swift.yml 
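Review bot: The remediation recommends `OAEPWithMD5AndMGF1Padding`, i.e. OAEP built on MD5 — the hash this ruleset flags as broken in use-of-md5-java; recommend `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` instead and fix the doubled "Instead, use ... instead". The `any:` with a single pattern can be flattened to `pattern:` directly, and the regex should be anchored and case-insensitive (`'(?i)^"RSA/[^/]*/NoPadding"$'`) since `rsa/ecb/nopadding` is accepted by the JCA.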
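Review bot: The exclusion never suppresses a hardened factory, for two reasons. First, `javax.xml.stream.isSupportingExternalEntities` is written as a bare dotted identifier, whereas real code passes the string literal `"javax.xml.stream.isSupportingExternalEntities"` or the constant `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`, so the pattern matches neither; second, as far as ast-grep's relational rules go, `precedes: { not: … }` asks whether *some* following sibling is not that call, which any unrelated statement satisfies (the snapshot's `val fileReader = new FileReader(file)` is exactly that), so the intended logic is `not: { precedes: … }`. Since the rule id is about DTDs, `SUPPORT_DTD = false` should also count as hardening, `new XMLInputFactory($$$)` can go (the class is abstract), and a `valid` fixture with the properties set is needed to confirm the relational part actually works on the `val`-wrapped call.
```yaml
rule:
  any:
    - pattern: XMLInputFactory.newFactory($$$)
    - pattern: XMLInputFactory.newInstance($$$)
  not:
    precedes:
      stopBy: end
      any:
        - pattern: $F.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
        - pattern: $F.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
        - pattern: $F.setProperty(XMLInputFactory.SUPPORT_DTD, false)
```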
@@ -0,0 +1,19 @@ +id: insecure-biometrics-swift +language: swift +severity: info +message: >- + The application was observed to leverage biometrics via Local + Authentication, which returns a simple boolean result for authentication. + This design is subject to bypass with runtime tampering tools such as + Frida, Substrate, and others. Although this is limited to rooted + (jailbroken) devices, consider implementing biometric authentication the + reliable way - via Keychain Services. +note: >- + [CWE-305] Authentication Bypass by Primary Weakness + [REFERENCES] + - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication + - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df +rule: + any: + - pattern: LAContext.evaluatePolicy + - pattern: $X.evaluatePolicy diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml new file mode 100644 index 00000000..12d32ee1 --- /dev/null +++ b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml @@ -0,0 +1,15 @@ +id: cbc-padding-oracle-java +snapshots: + Cipher.getInstance("AES/CBC/PKCS5Padding");: + labels: + - source: Cipher.getInstance("AES/CBC/PKCS5Padding") + style: primary + start: 0 + end: 42 + ? | + Cipher.getInstance("AES/CBC/PKCS5Padding"); + : labels: + - source: Cipher.getInstance("AES/CBC/PKCS5Padding") + style: primary + start: 0 + end: 42 diff --git a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml new file mode 100644 index 00000000..b4c1bec6 --- /dev/null +++ b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml @@ -0,0 +1,9 @@ +id: cookie-secure-flag-false-java +snapshots: + ? | + cookie.setSecure(false); + : labels: + - source: cookie.setSecure(false); + style: primary + start: 0 + end: 24 
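Review bot: The `LAContext.evaluatePolicy` arm is subsumed by `$X.evaluatePolicy`, so it adds nothing; drop it, and since the receiver's type is not visible at the call site, say in `message` that the finding is heuristic. The pattern resolves to the member-access node (the snapshot labels `context.evaluatePolicy`, 22 characters, not the full call), so the policy argument is not captured; matching `$X.evaluatePolicy($POLICY, $$$)` would let the rule report `.deviceOwnerAuthentication` (passcode fallback) and `.deviceOwnerAuthenticationWithBiometrics` differently later on.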
diff --git a/tests/__snapshots__/des-is-deprecated-java-snapshot.yml b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml new file mode 100644 index 00000000..35070ef2 --- /dev/null +++ b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml @@ -0,0 +1,9 @@ +id: des-is-deprecated-java +snapshots: + ? | + Cipher.getInstance("DES/ECB/PKCS5Padding"); + : labels: + - source: Cipher.getInstance("DES/ECB/PKCS5Padding") + style: primary + start: 0 + end: 42 diff --git a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml new file mode 100644 index 00000000..ebce9bbf --- /dev/null +++ b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml @@ -0,0 +1,9 @@ +id: des-is-deprecated-kotlin +snapshots: + ? | + Cipher.getInstance("DES/ECB/PKCS5Padding"); + : labels: + - source: Cipher.getInstance("DES/ECB/PKCS5Padding") + style: primary + start: 0 + end: 42 diff --git a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml new file mode 100644 index 00000000..1b0bc359 --- /dev/null +++ b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml @@ -0,0 +1,10 @@ +id: desede-is-deprecated-java +snapshots: + ? | + Cipher.getInstance("DESede/ECB/PKCS5Padding"); + javax.crypto.KeyGenerator.getInstance("DES") + : labels: + - source: javax.crypto.KeyGenerator.getInstance("DES") + style: primary + start: 47 + end: 91 diff --git a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml new file mode 100644 index 00000000..7eb1119d --- /dev/null +++ b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml @@ -0,0 +1,10 @@ +id: desede-is-deprecated-kotlin +snapshots: + ? | + Cipher.getInstance("DESede/ECB/PKCS5Padding"); + javax.crypto.KeyGenerator.getInstance("DES") + : labels: + - source: javax.crypto.KeyGenerator.getInstance("DES") + style: primary + start: 47 + end: 91 
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml new file mode 100644 index 00000000..238311e7 --- /dev/null +++ b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml @@ -0,0 +1,10 @@ +id: documentbuilderfactory-external-general-entities-true-java +snapshots: + ? | + dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true); + spf.setFeature("http://xml.org/sax/features/external-general-entities" , true); + : labels: + - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true); + style: primary + start: 0 + end: 79 diff --git a/tests/__snapshots__/ecb-cipher-java-snapshot.yml b/tests/__snapshots__/ecb-cipher-java-snapshot.yml new file mode 100644 index 00000000..a9c76fd2 --- /dev/null +++ b/tests/__snapshots__/ecb-cipher-java-snapshot.yml @@ -0,0 +1,9 @@ +id: ecb-cipher-java +snapshots: + ? | + Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); + : labels: + - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); + style: primary + start: 0 + end: 51 diff --git a/tests/__snapshots__/httponly-false-csharp-snapshot.yml b/tests/__snapshots__/httponly-false-csharp-snapshot.yml new file mode 100644 index 00000000..4ec18734 --- /dev/null +++ b/tests/__snapshots__/httponly-false-csharp-snapshot.yml @@ -0,0 +1,16 @@ +id: httponly-false-csharp +snapshots: + ? | + myHttpOnlyCookie.HttpOnly = false; + : labels: + - source: myHttpOnlyCookie.HttpOnly = false; + style: primary + start: 0 + end: 34 + ? | + options.Cookie.HttpOnly = false; + : labels: + - source: options.Cookie.HttpOnly = false; + style: primary + start: 0 + end: 32 diff --git a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml new file mode 100644 index 00000000..2e7ddc4c --- /dev/null 
+++ b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml @@ -0,0 +1,9 @@ +id: insecure-biometrics-swift +snapshots: + ? | + context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application" + : labels: + - source: context.evaluatePolicy + style: primary + start: 0 + end: 22 diff --git a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml new file mode 100644 index 00000000..60994812 --- /dev/null +++ b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml @@ -0,0 +1,12 @@ +id: libxml2-audit-parser-c +snapshots: + ? | + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode); + : labels: + - source: |- + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode) + style: primary + start: 0 + end: 103 diff --git a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml new file mode 100644 index 00000000..6d424b83 --- /dev/null +++ b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml @@ -0,0 +1,12 @@ +id: libxml2-audit-parser-cpp +snapshots: + ? | + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode); + : labels: + - source: |- + xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), + (int)xml_filtered.length(), 0, &pNewNode) + style: primary + start: 0 + end: 103 diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml new file mode 100644 index 00000000..a926152d --- /dev/null +++ b/tests/__snapshots__/no-null-cipher-java-snapshot.yml 
@@ -0,0 +1,18 @@ +id: no-null-cipher-java +snapshots: + ? |- + Cipher doNothingCihper = new NullCipher(); + new javax.crypto.NullCipher(); + : labels: + - source: new NullCipher() + style: primary + start: 25 + end: 41 + ? | + Cipher doNothingCihper = new NullCipher(); + new javax.crypto.NullCipher(); + : labels: + - source: new NullCipher() + style: primary + start: 25 + end: 41 diff --git a/tests/__snapshots__/plaintext-http-link-html-snapshot.yml b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml new file mode 100644 index 00000000..98516a80 --- /dev/null +++ b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml @@ -0,0 +1,15 @@ +id: plaintext-http-link-html +snapshots: + ? | + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + Astgrep + : labels: + - source: Astgrep + style: primary + start: 0 + end: 40 diff --git a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml new file mode 100644 index 00000000..cb1eeac4 --- /dev/null +++ b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml 
@@ -0,0 +1,30 @@ +id: reqwest-accept-invalid-rust +snapshots: + ? | + reqwest::Client::builder().danger_accept_invalid_certs(true) + : labels: + - source: reqwest::Client::builder().danger_accept_invalid_certs(true) + style: primary + start: 0 + end: 60 + ? | + reqwest::Client::builder().danger_accept_invalid_hostnames(true) + : labels: + - source: reqwest::Client::builder().danger_accept_invalid_hostnames(true) + style: primary + start: 0 + end: 64 + ? | + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) + : labels: + - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) + style: primary + start: 0 + end: 104 + ? | + reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) + : labels: + - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) + style: primary + start: 0 + end: 108 diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml new file mode 100644 index 00000000..80e65e5d --- /dev/null +++ b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml @@ -0,0 +1,18 @@ +id: rsa-no-padding-java +snapshots: + ? |- + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); + : labels: + - source: Cipher.getInstance("RSA/None/NoPadding") + style: primary + start: 0 + end: 40 + ? | + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); + : labels: + - source: Cipher.getInstance("RSA/None/NoPadding") + style: primary + start: 0 + end: 40 diff --git a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml new file mode 100644 index 00000000..4507882d --- /dev/null +++ b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml 
@@ -0,0 +1,10 @@ +id: rsa-no-padding-kotlin +snapshots: + ? | + Cipher.getInstance("RSA/None/NoPadding"); + Cipher.getInstance("RSA/NONE/NoPadding"); + : labels: + - source: Cipher.getInstance("RSA/None/NoPadding") + style: primary + start: 0 + end: 40 diff --git a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml new file mode 100644 index 00000000..1274abe0 --- /dev/null +++ b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml @@ -0,0 +1,15 @@ +id: rsa-padding-set-scala +snapshots: + Cipher.getInstance("RSA/ECB/NoPadding"): + labels: + - source: Cipher.getInstance("RSA/ECB/NoPadding") + style: primary + start: 0 + end: 39 + ? | + Cipher.getInstance("RSA/ECB/NoPadding") + : labels: + - source: Cipher.getInstance("RSA/ECB/NoPadding") + style: primary + start: 0 + end: 39 diff --git a/tests/__snapshots__/sizeof-this-c-snapshot.yml b/tests/__snapshots__/sizeof-this-c-snapshot.yml new file mode 100644 index 00000000..e8db9995 --- /dev/null +++ b/tests/__snapshots__/sizeof-this-c-snapshot.yml @@ -0,0 +1,9 @@ +id: sizeof-this-c +snapshots: + ? | + return sizeof(this); + : labels: + - source: sizeof(this) + style: primary + start: 7 + end: 19 diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml new file mode 100644 index 00000000..9130101a --- /dev/null +++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml @@ -0,0 +1,10 @@ +id: system-setproperty-hardcoded-secret-java +snapshots: + ? | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + System.setProperty("javax.net.ssl.trustStorePassword", "password"); + : labels: + - source: System.setProperty("javax.net.ssl.keyStorePassword", "password"); + style: primary + start: 0 + end: 65 
diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml new file mode 100644 index 00000000..0d421bce --- /dev/null +++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml @@ -0,0 +1,10 @@ +id: system-setproperty-hardcoded-secret-kotlin +snapshots: + ? | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + System.setProperty("javax.net.ssl.trustStorePassword", "password"); + : labels: + - source: System.setProperty("javax.net.ssl.keyStorePassword", "password") + style: primary + start: 0 + end: 64 diff --git a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml new file mode 100644 index 00000000..e0becd2b --- /dev/null +++ b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml 
@@ -0,0 +1,58 @@ +id: unencrypted-socket-java +snapshots: + ? | + ServerSocket ssoc = new ServerSocket(1234); + : labels: + - source: new ServerSocket(1234) + style: primary + start: 20 + end: 42 + ? | + ServerSocket ssoc1 = new ServerSocket(); + : labels: + - source: new ServerSocket() + style: primary + start: 21 + end: 39 + ? | + ServerSocket ssoc2 = new ServerSocket(1234, 10); + : labels: + - source: new ServerSocket(1234, 10) + style: primary + start: 21 + end: 47 + ? | + ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address)); + : labels: + - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address)) + style: primary + start: 21 + end: 82 + ? | + Socket soc = new Socket("www.google.com", 80); + : labels: + - source: new Socket("www.google.com", 80) + style: primary + start: 13 + end: 45 + ? | + Socket soc1 = new Socket("www.google.com", 80, true); + : labels: + - source: new Socket("www.google.com", 80, true) + style: primary + start: 14 + end: 52 + ? | + Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337); + : labels: + - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337) + style: primary + start: 14 + end: 88 + ? | + Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80); + : labels: + - source: new Socket(InetAddress.getByAddress(remoteAddress), 80) + style: primary + start: 14 + end: 69 diff --git a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml new file mode 100644 index 00000000..6c8a701c --- /dev/null +++ b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml @@ -0,0 +1,10 @@ +id: use-of-aes-ecb-java +snapshots: + ? | + Cipher.getInstance("AES/ECB/NoPadding") + Cipher.getInstance("AES/ECB/PKCS5Padding") + : labels: + - source: Cipher.getInstance("AES/ECB/NoPadding") + style: primary + start: 0 + end: 39 
diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml new file mode 100644 index 00000000..cc54e7fb --- /dev/null +++ b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml @@ -0,0 +1,16 @@ +id: use-of-blowfish-java +snapshots: + ? | + Cipher.getInstance("Blowfish"); + : labels: + - source: Cipher.getInstance("Blowfish") + style: primary + start: 0 + end: 30 + ? | + useCipher(Cipher.getInstance("Blowfish")); + : labels: + - source: Cipher.getInstance("Blowfish") + style: primary + start: 10 + end: 40 diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml new file mode 100644 index 00000000..fe41e08d --- /dev/null +++ b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml @@ -0,0 +1,9 @@ +id: use-of-md5-digest-utils-java +snapshots: + ? | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); + : labels: + - source: DigestUtils.getMd5Digest().digest(password.getBytes()) + style: primary + start: 19 + end: 73 diff --git a/tests/__snapshots__/use-of-md5-java-snapshot.yml b/tests/__snapshots__/use-of-md5-java-snapshot.yml new file mode 100644 index 00000000..6f6c27ae --- /dev/null +++ b/tests/__snapshots__/use-of-md5-java-snapshot.yml @@ -0,0 +1,9 @@ +id: use-of-md5-java +snapshots: + ? | + MessageDigest md5Digest = MessageDigest.getInstance("MD5"); + : labels: + - source: MessageDigest.getInstance("MD5") + style: primary + start: 26 + end: 58 diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml new file mode 100644 index 00000000..7ac4199f --- /dev/null +++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml @@ -0,0 +1,10 @@ +id: use-of-rc2-java +snapshots: + ? | + useCipher(Cipher.getInstance("RC2")); + Cipher.getInstance("RC2"); + : labels: + - source: Cipher.getInstance("RC2") + style: primary + start: 10 + end: 35 
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml new file mode 100644 index 00000000..cbf4423c --- /dev/null +++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml @@ -0,0 +1,16 @@ +id: use-of-rc4-java +snapshots: + ? | + Cipher.getInstance("RC4"); + : labels: + - source: Cipher.getInstance("RC4") + style: primary + start: 0 + end: 25 + ? | + useCipher(Cipher.getInstance("RC4")); + : labels: + - source: Cipher.getInstance("RC4") + style: primary + start: 10 + end: 35 diff --git a/tests/__snapshots__/use-of-sha1-java-snapshot.yml b/tests/__snapshots__/use-of-sha1-java-snapshot.yml new file mode 100644 index 00000000..444fe5b3 --- /dev/null +++ b/tests/__snapshots__/use-of-sha1-java-snapshot.yml @@ -0,0 +1,10 @@ +id: use-of-sha1-java +snapshots: + ? | + java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN"); + DigestUtils.getSha1Digest().digest(password.getBytes()); + : labels: + - source: java.security.MessageDigest.getInstance("SHA1", "SUN") + style: primary + start: 33 + end: 87 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml new file mode 100644 index 00000000..bb83308a --- /dev/null +++ b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml 
@@ -0,0 +1,34 @@
+id: use-of-weak-rsa-key-java
+snapshots:
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ : labels:
+ - source: keyGen.initialize(-512)
+ style: primary
+ start: 63
+ end: 86
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ : labels:
+ - source: keyGen.initialize(512)
+ style: primary
+ start: 63
+ end: 85
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.0);
+ : labels:
+ - source: keyGen.initialize(512.0)
+ style: primary
+ start: 63
+ end: 87
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.09);
+ : labels:
+ - source: keyGen.initialize(512.09)
+ style: primary
+ start: 63
+ end: 88
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml
new file mode 100644
index 00000000..5c7fe552
--- /dev/null
+++ b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-weak-rsa-key-kotlin
+snapshots:
+ ? |
+ KeyPairGenerator.getInstance("RSA")
+ keyGen.initialize(-5.12);
+ : labels:
+ - source: keyGen.initialize(-5.12)
+ style: primary
+ start: 36
+ end: 60
diff --git a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml
new file mode 100644
index 00000000..ca21f566
--- /dev/null
+++ b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml
@@ -0,0 +1,37 @@
+id: weak-ssl-context-java
+snapshots:
+ ? |
+ SSLContext ctx = SSLContext.getInstance("SSL");
+ : labels:
+ - source: SSLContext.getInstance("SSL")
+ style: primary
+ start: 17
+ end: 46
+ ? |
+ SSLContext ctx = SSLContext.getInstance("SSLv3");
+ : labels:
+ - source: SSLContext.getInstance("SSLv3")
+ style: primary
+ start: 17
+ end: 48
+ ? |
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ : labels:
+ - source: SSLContext.getInstance("TLS")
+ style: primary
+ start: 17
+ end: 46
+ ? |
+ SSLContext ctx = SSLContext.getInstance("TLSv1");
+ : labels:
+ - source: SSLContext.getInstance("TLSv1")
+ style: primary
+ start: 17
+ end: 48
+ ? |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.1");
+ : labels:
+ - source: SSLContext.getInstance("TLSv1.1")
+ style: primary
+ start: 17
+ end: 50
diff --git a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml
new file mode 100644
index 00000000..ed6503fc
--- /dev/null
+++ b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml
@@ -0,0 +1,19 @@
+id: xmlinputfactory-dtd-enabled-scala
+snapshots:
+ ? |-
+ val factory = XMLInputFactory.newFactory()
+ val fileReader = new FileReader(file)
+ : labels:
+ - source: XMLInputFactory.newFactory()
+ style: primary
+ start: 14
+ end: 42
+ ? |-
+ val factory = XMLInputFactory.newFactory()
+ val fileReader = new FileReader(file)
+ val fileReader = new FileReader(file)
+ : labels:
+ - source: XMLInputFactory.newFactory()
+ style: primary
+ start: 14
+ end: 42
diff --git a/tests/c/libxml2-audit-parser-c-test.yml b/tests/c/libxml2-audit-parser-c-test.yml
new file mode 100644
index 00000000..d5fca034
--- /dev/null
+++ b/tests/c/libxml2-audit-parser-c-test.yml
@@ -0,0 +1,8 @@
+id: libxml2-audit-parser-c
+valid:
+ - |
+ xmlCtxtReadMemory();
+invalid:
+ - |
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode);
diff --git a/tests/c/sizeof-this-c-test.yml b/tests/c/sizeof-this-c-test.yml
new file mode 100644
index 00000000..f9be53fb
--- /dev/null
+++ b/tests/c/sizeof-this-c-test.yml
@@ -0,0 +1,7 @@
+id: sizeof-this-c
+valid:
+ - |
+ return sizeof(*this);
+invalid:
+ - |
+ return sizeof(this);
diff --git a/tests/cpp/libxml2-audit-parser-cpp-test.yml b/tests/cpp/libxml2-audit-parser-cpp-test.yml
new file mode 100644
index 00000000..f09ad2bd
--- /dev/null
+++ b/tests/cpp/libxml2-audit-parser-cpp-test.yml
@@ -0,0 +1,8 @@
+id: libxml2-audit-parser-cpp
+valid:
+ - |
+ xmlCtxtReadMemory();
+invalid:
+ - |
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode);
diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml
new file mode 100644
index 00000000..92062f04
--- /dev/null
+++ b/tests/csharp/httponly-false-csharp-test.yml
@@ -0,0 +1,11 @@
+id: httponly-false-csharp
+valid:
+ - |
+ myHttpOnlyCookie.HttpOnly = true;
+ - |
+ options.Cookie.HttpOnly = true;
+invalid:
+ - |
+ myHttpOnlyCookie.HttpOnly = false;
+ - |
+ options.Cookie.HttpOnly = false;
diff --git a/tests/html/plaintext-http-link-html-test.yml b/tests/html/plaintext-http-link-html-test.yml
new file mode 100644
index 00000000..c73d9bd0
--- /dev/null
+++ b/tests/html/plaintext-http-link-html-test.yml
@@ -0,0 +1,15 @@
+id: plaintext-http-link-html
+valid:
+ - |
+ Astgrep
+ Astgrep
+ Astgrep
+invalid:
+ - |
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
diff --git a/tests/java/cbc-padding-oracle-java-test.yml b/tests/java/cbc-padding-oracle-java-test.yml
new file mode 100644
index 00000000..8a0336cf
--- /dev/null
+++ b/tests/java/cbc-padding-oracle-java-test.yml
@@ -0,0 +1,7 @@
+id: cbc-padding-oracle-java
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS5Padding");
diff --git a/tests/java/cbc-padding-oracle-test.yml b/tests/java/cbc-padding-oracle-test.yml
deleted file mode 100644
index 2085aa72..00000000
--- a/tests/java/cbc-padding-oracle-test.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-id: cbc-padding-oracle
-valid:
- - |
- Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
- c.init(Cipher.ENCRYPT_MODE, k, iv);
- byte[] cipherText = c.doFinal(plainText);
-invalid:
- - |
- Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
- IvParameterSpec iv = new IvParameterSpec(new byte[16]);
- cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(new byte[16], "AES"), iv);
\ No newline at end of file
diff --git a/tests/java/cookie-secure-flag-false-java-test.yml b/tests/java/cookie-secure-flag-false-java-test.yml
new file mode 100644
index 00000000..4d2b0fdb
--- /dev/null
+++ b/tests/java/cookie-secure-flag-false-java-test.yml
@@ -0,0 +1,10 @@
+id: cookie-secure-flag-false-java
+valid:
+ - |
+ response.addCookie(cookie);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
+ response.addCookie(cookie);
+invalid:
+ - |
+ cookie.setSecure(false);
diff --git a/tests/java/des-is-deprecated-java-test.yml b/tests/java/des-is-deprecated-java-test.yml
new file mode 100644
index 00000000..bc26dbd7
--- /dev/null
+++ b/tests/java/des-is-deprecated-java-test.yml
@@ -0,0 +1,7 @@
+id: des-is-deprecated-java
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
diff --git a/tests/java/desede-is-deprecated-java-test.yml b/tests/java/desede-is-deprecated-java-test.yml
new file mode 100644
index 00000000..7ae2996e
--- /dev/null
+++ b/tests/java/desede-is-deprecated-java-test.yml
@@ -0,0 +1,8 @@
+id: desede-is-deprecated-java
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DESede/ECB/PKCS5Padding");
+ javax.crypto.KeyGenerator.getInstance("DES")
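Review bot: The second `invalid` line in desede-is-deprecated-java-test.yml, `javax.crypto.KeyGenerator.getInstance("DES")`, asks for plain `"DES"`, not `"DESede"`, so it only passes if the DESede rule also matches the DES prefix — which makes it overlap with des-is-deprecated-java and leaves the DESede key-generation path itself untested. Use `javax.crypto.KeyGenerator.getInstance("DESede")` here and, if single-DES key generation should be caught too, add the `"DES"` form to des-is-deprecated-java-test.yml, whose `invalid` block currently has no `KeyGenerator` case at all. The same pair of samples is repeated in the Kotlin copies later in this patch and should be adjusted together.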
diff --git a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
new file mode 100644
index 00000000..a56a6eb5
--- /dev/null
+++ b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
@@ -0,0 +1,9 @@
+id: documentbuilderfactory-external-general-entities-true-java
+valid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+invalid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
diff --git a/tests/java/ecb-cipher-java-test.yml b/tests/java/ecb-cipher-java-test.yml
new file mode 100644
index 00000000..b9089221
--- /dev/null
+++ b/tests/java/ecb-cipher-java-test.yml
@@ -0,0 +1,7 @@
+id: ecb-cipher-java
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml
new file mode 100644
index 00000000..ef38e9f6
--- /dev/null
+++ b/tests/java/no-null-cipher-java-test.yml
@@ -0,0 +1,8 @@
+id: no-null-cipher-java
+valid:
+ - |
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+invalid:
+ - |
+ Cipher doNothingCihper = new NullCipher();
+ new javax.crypto.NullCipher();
diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml
new file mode 100644
index 00000000..cb962e9e
--- /dev/null
+++ b/tests/java/rsa-no-padding-java-test.yml
@@ -0,0 +1,8 @@
+id: rsa-no-padding-java
+valid:
+ - |
+ Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
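Review bot: The only `valid` sample in rsa-no-padding-java-test.yml is `Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding")`, which makes an MD5-based OAEP transform the reference example of acceptable usage in a security rule set. The rule only needs to distinguish padded from unpadded RSA, so `Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");` exercises the same padding family without showcasing a digest the other rules in this patch flag. The Kotlin copy in tests/kotlin/rsa-no-padding-kotlin.yml later in this patch uses the identical sample and should change with it.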
diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml
new file mode 100644
index 00000000..4bf72c91
--- /dev/null
+++ b/tests/java/system-setproperty-hardcoded-secret-java-test.yml
@@ -0,0 +1,9 @@
+id: system-setproperty-hardcoded-secret-java
+valid:
+ - |
+ System.setProperty("javax.net.ssl.trustStorePassword", config);
+ System.setProperty("javax.net.ssl.keyStorePassword", config);
+invalid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
diff --git a/tests/java/unencrypted-socket-java-test.yml b/tests/java/unencrypted-socket-java-test.yml
new file mode 100644
index 00000000..d023debf
--- /dev/null
+++ b/tests/java/unencrypted-socket-java-test.yml
@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+valid:
+ - |
+ Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
+ - |
+ ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234);
+invalid:
+ - |
+ Socket soc = new Socket("www.google.com", 80);
+ - |
+ Socket soc1 = new Socket("www.google.com", 80, true);
+ - |
+ Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+ - |
+ Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+ - |
+ ServerSocket ssoc = new ServerSocket(1234);
+ - |
+ ServerSocket ssoc1 = new ServerSocket();
+ - |
+ ServerSocket ssoc2 = new ServerSocket(1234, 10);
+ - |
+ ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
diff --git a/tests/java/use-of-aes-ecb-java-test.yml b/tests/java/use-of-aes-ecb-java-test.yml
new file mode 100644
index 00000000..cd41ad9e
--- /dev/null
+++ b/tests/java/use-of-aes-ecb-java-test.yml
@@ -0,0 +1,8 @@
+id: use-of-aes-ecb-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING")
+invalid:
+ - |
+ Cipher.getInstance("AES/ECB/NoPadding")
+ Cipher.getInstance("AES/ECB/PKCS5Padding")
diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml
new file mode 100644
index 00000000..c4a43b2d
--- /dev/null
+++ b/tests/java/use-of-blowfish-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-blowfish-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("Blowfish");
+ - |
+ useCipher(Cipher.getInstance("Blowfish"));
diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml
new file mode 100644
index 00000000..f6bc228d
--- /dev/null
+++ b/tests/java/use-of-md5-digest-utils-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-md5-digest-utils-java
+valid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("MD5");
+ - |
+ byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes());
+invalid:
+ - |
+ byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml
new file mode 100644
index 00000000..af34098d
--- /dev/null
+++ b/tests/java/use-of-md5-java-test.yml
@@ -0,0 +1,7 @@
+id: use-of-md5-java
+valid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("SHA-512");
+invalid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("MD5");
diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml
new file mode 100644
index 00000000..74f8d6d3
--- /dev/null
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,8 @@
+id: use-of-rc2-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml
new file mode 100644
index 00000000..a82db3b3
--- /dev/null
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("RC4");
+ - |
+ useCipher(Cipher.getInstance("RC4"));
diff --git a/tests/java/use-of-sha1-java-test.yml b/tests/java/use-of-sha1-java-test.yml
new file mode 100644
index 00000000..307dc641
--- /dev/null
+++ b/tests/java/use-of-sha1-java-test.yml
@@ -0,0 +1,10 @@
+id: use-of-sha1-java
+valid:
+ - |
+ java.io.File fileTarget = new java.io.File(
+ new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
+ "passwordFile.txt");
+invalid:
+ - |
+ java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
+ DigestUtils.getSha1Digest().digest(password.getBytes());
diff --git a/tests/java/use-of-weak-rsa-key-java-test.yml b/tests/java/use-of-weak-rsa-key-java-test.yml
new file mode 100644
index 00000000..c1aee8fa
--- /dev/null
+++ b/tests/java/use-of-weak-rsa-key-java-test.yml
@@ -0,0 +1,18 @@
+id: use-of-weak-rsa-key-java
+valid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+invalid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.09);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.0);
diff --git a/tests/java/weak-ssl-context-java-test.yml b/tests/java/weak-ssl-context-java-test.yml
new file mode 100644
index 00000000..66505656
--- /dev/null
+++ b/tests/java/weak-ssl-context-java-test.yml
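Review bot: The `valid` sample in use-of-sha1-java-test.yml contains no digest call at all (it only builds a `java.io.File`), so the test never shows that a non-SHA-1 digest is accepted by the rule; a negative that exercises the same call shapes is the useful one, e.g. a second entry `java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA-256", "SUN");` and `DigestUtils.getSha256Digest().digest(password.getBytes());`. The two SHA-1 forms in `invalid` are also packed into one snippet, and the snapshot recorded for this rule earlier in the patch labels only the `MessageDigest.getInstance("SHA1", "SUN")` match, so it is not evident from the test that the `DigestUtils.getSha1Digest()` pattern fires on its own; splitting them into separate `- |` entries, as use-of-blowfish-java-test.yml and use-of-rc4-java-test.yml do, would make a regression in either pattern visible.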
@@ -0,0 +1,19 @@
+id: weak-ssl-context-java
+valid:
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.2");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.3");
+ - |
+ SSLContext ctx = SSLContext.getInstance(getSslContext());
+invalid:
+ - |
+ SSLContext ctx = SSLContext.getInstance("SSL");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1");
+ - |
+ SSLContext ctx = SSLContext.getInstance("SSLv3");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.1");
diff --git a/tests/kotlin/des-is-deprecated-kotlin-test.yml b/tests/kotlin/des-is-deprecated-kotlin-test.yml
new file mode 100644
index 00000000..60949d48
--- /dev/null
+++ b/tests/kotlin/des-is-deprecated-kotlin-test.yml
@@ -0,0 +1,7 @@
+id: des-is-deprecated-kotlin
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
diff --git a/tests/kotlin/desede-is-deprecated-kotlin-test.yml b/tests/kotlin/desede-is-deprecated-kotlin-test.yml
new file mode 100644
index 00000000..c3d2e28e
--- /dev/null
+++ b/tests/kotlin/desede-is-deprecated-kotlin-test.yml
@@ -0,0 +1,8 @@
+id: desede-is-deprecated-kotlin
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DESede/ECB/PKCS5Padding");
+ javax.crypto.KeyGenerator.getInstance("DES")
diff --git a/tests/kotlin/rsa-no-padding-kotlin.yml b/tests/kotlin/rsa-no-padding-kotlin.yml
new file mode 100644
index 00000000..6dc46d21
--- /dev/null
+++ b/tests/kotlin/rsa-no-padding-kotlin.yml
@@ -0,0 +1,8 @@
+id: rsa-no-padding-kotlin
+valid:
+ - |
+ Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
diff --git a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml
new file mode 100644
index 00000000..d66da67a
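Review bot: Listing `SSLContext.getInstance("TLS")` under `invalid` in weak-ssl-context-java-test.yml pins the rule to report the protocol-agnostic `"TLS"` selector, which on current JDKs negotiates the highest version the runtime supports and is the common choice in code that does not want to hard-pin a version; as written this will be a standing finding in otherwise sound code. If the intent really is to require an explicit `"TLSv1.2"`/`"TLSv1.3"`, say so in the test with a YAML comment such as `# "TLS" is flagged on purpose: the rule requires an explicit modern version` so the next maintainer does not move the entry; otherwise move that case to `valid`. Either way the current file cannot tell the reader which of the two the author chose.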
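Review bot: The `valid` sample in des-is-deprecated-kotlin-test.yml, `Cipher c = Cipher.getInstance("AES/GCM/NoPadding");`, is Java syntax, not a Kotlin declaration, so a Kotlin parser is likely to produce an error node for it; a "valid" result there may mean the rule never saw a well-formed call rather than that it correctly ignored AES. Write the Kotlin form, `val c = Cipher.getInstance("AES/GCM/NoPadding")`. The same Java-style declaration appears in tests/scala/rsa-padding-set-scala-test.yml later in this patch (`Cipher cipher = Cipher.getInstance(...)` is not Scala either) and should become `val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")`.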
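Review bot: tests/kotlin/rsa-no-padding-kotlin.yml is the only test file in this patch without the `-test.yml` suffix that every other test uses (compare `des-is-deprecated-kotlin-test.yml` in the same directory); if the test runner selects files by that suffix, this case is never executed and the Kotlin rule stays unverified, which would also explain why no snapshot for it appears in this patch. Rename it to `tests/kotlin/rsa-no-padding-kotlin-test.yml`.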
--- /dev/null
+++ b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml
@@ -0,0 +1,9 @@
+id: system-setproperty-hardcoded-secret-kotlin
+valid:
+ - |
+ System.setProperty("javax.net.ssl.trustStorePassword", config);
+ System.setProperty("javax.net.ssl.keyStorePassword", config);
+invalid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
diff --git a/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml
new file mode 100644
index 00000000..199c4b1e
--- /dev/null
+++ b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml
@@ -0,0 +1,9 @@
+id: use-of-weak-rsa-key-kotlin
+valid:
+ - |
+ KeyPairGenerator.getInstance("RSA")
+ keyGen.initialize(2048);
+invalid:
+ - |
+ KeyPairGenerator.getInstance("RSA")
+ keyGen.initialize(-5.12);
diff --git a/tests/rust/reqwest-accept-invalid-rust-test.yml b/tests/rust/reqwest-accept-invalid-rust-test.yml
new file mode 100644
index 00000000..894c5cec
--- /dev/null
+++ b/tests/rust/reqwest-accept-invalid-rust-test.yml
@@ -0,0 +1,13 @@
+id: reqwest-accept-invalid-rust
+valid:
+ - |
+ reqwest::Client::builder().user_agent("USER AGENT")
+invalid:
+ - |
+ reqwest::Client::builder().danger_accept_invalid_hostnames(true)
+ - |
+ reqwest::Client::builder().danger_accept_invalid_certs(true)
+ - |
+ reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true)
+ - |
+ reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)
diff --git a/tests/scala/rsa-padding-set-scala-test.yml b/tests/scala/rsa-padding-set-scala-test.yml
new file mode 100644
index 00000000..3196e148
--- /dev/null
+++ b/tests/scala/rsa-padding-set-scala-test.yml
@@ -0,0 +1,9 @@
+id: rsa-padding-set-scala
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS5Padding");
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/ECB/NoPadding")
diff --git a/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml
new file mode 100644
index 00000000..ab78f6be
--- /dev/null
+++ b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml
@@ -0,0 +1,11 @@
+id: xmlinputfactory-dtd-enabled-scala
+valid:
+ - |
+ val factory = XMLInputFactory.newInstance
+ factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
+ val fileReader = new FileReader(file)
+invalid:
+ - |
+ val factory = XMLInputFactory.newFactory()
+ val fileReader = new FileReader(file)
+ val fileReader = new FileReader(file)
\ No newline at end of file
diff --git a/tests/swift/insecure-biometrics-swift-test.yml b/tests/swift/insecure-biometrics-swift-test.yml
new file mode 100644
index 00000000..fffee11c
--- /dev/null
+++ b/tests/swift/insecure-biometrics-swift-test.yml
@@ -0,0 +1,7 @@
+id: insecure-biometrics-swift
+valid:
+ - |
+ context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error)
+invalid:
+ - |
+ context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application"
From 640eba457267ecc0c1c6fb8f9b2060b6c9fa03f7 Mon Sep 17 00:00:00 2001
From: ESS-ENN
Date: Tue, 17 Sep 2024 17:41:08 +0530
Subject: [PATCH 2/2] Made changes to scala rule
---
rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
index 9ba9cb7f..732fddc9 100644
--- a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
+++ b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
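Review bot: The `invalid` sample in xmlinputfactory-dtd-enabled-scala-test.yml declares `val fileReader = new FileReader(file)` twice, which is a duplicate definition in Scala and reads as a copy-paste slip rather than a deliberate case; the snapshot recorded for this rule earlier in the patch carries both a two-line and a three-line variant, so one of them looks stale. Drop the repeated line. The `valid` sample only sets `"javax.xml.stream.isSupportingExternalEntities"`, while the rule id names DTD support; a reader would expect a factory that sets `factory.setProperty("javax.xml.stream.supportDTD", false)` to be accepted as well, and as far as the rule excerpt in the next hunk shows only the external-entities property is recognised, so either add that case and extend the rule or rename the rule to match what it checks. Also confirm that `XMLInputFactory.newInstance` written without parentheses is actually matched by the rule's factory pattern, since the factory patterns are outside the visible part of the rule; if it is not, the valid case passes for the wrong reason.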
@@ -19,7 +19,4 @@ rule: - pattern: new XMLInputFactory($$$) precedes: not: - pattern: $XMLFACTORY.setProperty($MODE, false) -constraints: - MODE: - regex: "javax.xml.stream.isSupportingExternalEntities" + pattern: $XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false)
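Review bot: The replacement pattern `$XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false)` writes the property name as a bare dotted identifier, whereas the test added in this patch and real code pass it as the string literal `"javax.xml.stream.isSupportingExternalEntities"`; if ast-grep matches patterns structurally, the unquoted form parses as a member-access expression and will not match a string argument, so the `not:` branch never suppresses the finding and every factory construction is reported. Quote it: `pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false)`. The removed `$MODE` plus regex constraint was looser but did match the literal, so this is a regression relative to the old rule rather than a tightening. The enclosing `rule:` block and the factory patterns it combines with `precedes` start above this hunk.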