Skip to content

Commit

Permalink
Replace guardrail subcategory with secure default (#3425)
Browse files Browse the repository at this point in the history
* Replace guardrail with secure default

* Fix subcategory

---------

Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]>
  • Loading branch information
p4p3r and 0xDC0DE authored Jul 8, 2024
1 parent aa66e52 commit 74d025f
Show file tree
Hide file tree
Showing 9 changed files with 33 additions and 22 deletions.
20 changes: 14 additions & 6 deletions .github/scripts/validate-metadata.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@


class RegistryMetadataValidator(Draft7Validator):

required_property_messages = {
"references": "Please include at least one URL with more information about this rule in a metadata field called 'references'.",
"technology": "Please include a metadata field called 'technology' that is a list of relevent tech stacks. For example: [python, flask], or [javascript, jwt].",
Expand All @@ -24,12 +23,12 @@ class RegistryMetadataValidator(Draft7Validator):
"likelihood": "Please include a 'likelihood' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
"impact": "Please include a 'impact' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
"confidence": "Please include a 'confidence' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
"subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'guardrail'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
"subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'secure default'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
}

def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
#self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', [])
# self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', [])
self.category_enum = {}

def _extend_message(self, error: ValidationError) -> None:
Expand Down Expand Up @@ -59,7 +58,11 @@ def get_errors(self, instance: dict) -> list[ValidationError]:
return errors


def validate_config_file_metadata(config_path: Path, validator: Draft7Validator, invalid_configs: Optional[list] = None):
def validate_config_file_metadata(
config_path: Path,
validator: Draft7Validator,
invalid_configs: Optional[list] = None,
):
with open(config_path) as fin:
config = yaml.safe_load(fin)

Expand All @@ -83,10 +86,12 @@ def validate_config_file_metadata(config_path: Path, validator: Draft7Validator,
else:
logger.warning(f"Invalid config {str(config_path)}: {ve.message}")


def is_rule(path: Path) -> bool:
with open(path) as fin:
return fin.readlines()[0].startswith("rules:")


if __name__ == "__main__":
import argparse

Expand All @@ -111,7 +116,11 @@ def is_rule(path: Path) -> bool:
invalid_configs = []
for config_item in args.config:
config_path = Path(config_item)
if config_path.is_file() and config_path.suffix == ".yaml" and is_rule(config_path):
if (
config_path.is_file()
and config_path.suffix == ".yaml"
and is_rule(config_path)
):
validate_config_file_metadata(config_path, v, invalid_configs)
elif config_path.is_dir():
for config_file in config_path.glob("**/*.yaml"):
Expand All @@ -122,4 +131,3 @@ def is_rule(path: Path) -> bool:
for invalid_config in sorted(invalid_configs, key=lambda t: t[0]):
print(invalid_config)
sys.exit(1)

2 changes: 1 addition & 1 deletion go/lang/security/audit/crypto/missing-ssl-minversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ rules:
- go
confidence: HIGH
subcategory:
- guardrail
- audit
likelihood: MEDIUM
impact: LOW
languages: [go]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ rules:
...
Intercom('boot', $VAR);
message: Found an initialization of the Intercom Messenger that identifies a
User, but does not specify a `user_hash`.This configuration allows users
User, but does not specify a `user_hash`. This configuration allows users
to impersonate one another. See the Intercom Identity Verification docs
for more context
https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile
Expand All @@ -37,7 +37,7 @@ rules:
metadata:
category: security
subcategory:
- guardrail
- audit
cwe:
- "CWE-287: Improper Authentication"
confidence: MEDIUM
Expand Down
4 changes: 2 additions & 2 deletions metadata-schema.yaml.schm
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ schema:
enum:
- audit
- vuln
- guardrail
- secure default
cwe:
type:
- array
Expand Down Expand Up @@ -90,4 +90,4 @@ schema:
- likelihood
- impact
- subcategory


4 changes: 2 additions & 2 deletions python/django/security/django-no-csrf-token.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ rules:
regex: (?i)(post|put|delete|patch)
- pattern-not-inside: "<form...>...{% csrf_token %}...</form>"
- pattern-not-inside: "<form...>...{{ $VAR.csrf_token }}...</form>"
message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks
message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.
languages: [generic]
severity: WARNING
metadata:
Expand All @@ -26,7 +26,7 @@ rules:
likelihood: MEDIUM
impact: MEDIUM
subcategory:
- guardrail
- audit
technology:
- django
paths:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,6 @@ rules:
likelihood: MEDIUM
impact: MEDIUM
subcategory:
- guardrail
- audit
technology:
- django
- django
7 changes: 5 additions & 2 deletions terraform/aws/security/aws-provisioner-exec.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,10 @@ rules:
...
}
id: aws-provisioner-exec
message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
message: >-
Provisioners are a tool of last resort and should be avoided where possible.
Provisioner behavior cannot be mapped by Terraform as part of a plan,
and execute arbitrary shell commands by design.
languages:
- terraform
severity: WARNING
Expand All @@ -27,7 +30,7 @@ rules:
- "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
subcategory:
- guardrail
- audit
confidence: HIGH
likelihood: HIGH
impact: MEDIUM
Expand Down
6 changes: 3 additions & 3 deletions yaml/semgrep/metadata-subcategory-incorrect-value.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ rules:
- audit
- pattern-not: |
subcategory:
- guardrail
- secure default
message: >-
Semgrep rule likelihood: $VALUE detected, but the value must be vuln,
audit, or guardrail. For more information visit:
audit, or secure default. For more information visit:
https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
languages:
- yaml
Expand All @@ -33,4 +33,4 @@ rules:
- https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
category: correctness
technology:
- semgrep
- semgrep
4 changes: 2 additions & 2 deletions yaml/semgrep/metadata-subcategory.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ rules:
subcategory: $VALUE
message: >-
This Semgrep rule is missing a valid 'subcategory' field in the 'metadata'.
which should be either audit, vuln, or guardrail. For more information visit
which should be either audit, vuln, or secure default. For more information visit
https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
languages:
- yaml
Expand All @@ -25,4 +25,4 @@ rules:
- https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
category: correctness
technology:
- semgrep
- semgrep

0 comments on commit 74d025f

Please sign in to comment.