diff --git a/.github/scripts/validate-metadata.py b/.github/scripts/validate-metadata.py index 247b8dde3f..04dc554f6d 100644 --- a/.github/scripts/validate-metadata.py +++ b/.github/scripts/validate-metadata.py @@ -15,7 +15,6 @@ class RegistryMetadataValidator(Draft7Validator): - required_property_messages = { "references": "Please include at least one URL with more information about this rule in a metadata field called 'references'.", "technology": "Please include a metadata field called 'technology' that is a list of relevent tech stacks. For example: [python, flask], or [javascript, jwt].", 
@@ -24,12 +23,12 @@ class RegistryMetadataValidator(Draft7Validator): "likelihood": "Please include a 'likelihood' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", "impact": "Please include a 'impact' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", "confidence": "Please include a 'confidence' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", - "subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'guardrail'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", + "subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'secure default'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", } def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) - #self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', []) + # self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', []) self.category_enum = {} def _extend_message(self, error: ValidationError) -> None: 
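Review bot: The rewritten `subcategory` message on the added line keeps the duplicated phrase "that is one of that is one of" (the neighbouring likelihood/impact/confidence messages carry the same repeat but are untouched context); since the line is being edited anyway it should read `"subcategory": "Please include a 'subcategory' metadata field for security rules that is one of ['audit', 'vuln', 'secure default'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",`. The spelling `secure default` must stay byte-identical to the enum entry in metadata-schema.yaml.schm, so whichever of the two is edited later needs the other updated in step. In `__init__`, the commented-out `self.category_enum = ...` assignment is only re-spaced rather than removed; either delete it or replace it with a comment stating why `category_enum` is intentionally left empty, e.g. `# category enum lookup is disabled; the schema's category enum is not consulted here`. The body of `_extend_message` continues outside the hunk.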
@@ -59,7 +58,11 @@ def get_errors(self, instance: dict) -> list[ValidationError]: return errors -def validate_config_file_metadata(config_path: Path, validator: Draft7Validator, invalid_configs: Optional[list] = None): +def validate_config_file_metadata( + config_path: Path, + validator: Draft7Validator, + invalid_configs: Optional[list] = None, +): with open(config_path) as fin: config = yaml.safe_load(fin) @@ -83,10 +86,12 @@ def validate_config_file_metadata(config_path: Path, validator: Draft7Validator, else: logger.warning(f"Invalid config {str(config_path)}: {ve.message}") + def is_rule(path: Path) -> bool: with open(path) as fin: return fin.readlines()[0].startswith("rules:") + if __name__ == "__main__": import argparse @@ -111,7 +116,11 @@ def is_rule(path: Path) -> bool: invalid_configs = [] for config_item in args.config: config_path = Path(config_item) - if config_path.is_file() and config_path.suffix == ".yaml" and is_rule(config_path): + if ( + config_path.is_file() + and config_path.suffix == ".yaml" + and is_rule(config_path) + ): validate_config_file_metadata(config_path, v, invalid_configs) elif config_path.is_dir(): for config_file in config_path.glob("**/*.yaml"): @@ -122,4 +131,3 @@ def is_rule(path: Path) -> bool: for invalid_config in sorted(invalid_configs, key=lambda t: t[0]): print(invalid_config) sys.exit(1) - diff --git a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml index c2a9d46741..fdbcf08f88 100644 --- a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml +++ b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml @@ -23,7 +23,7 @@ rules: - go confidence: HIGH subcategory: - - guardrail + - audit likelihood: MEDIUM impact: LOW languages: [go] 
diff --git a/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml b/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml index c7adaef0fb..683a7a6dd2 100644 --- a/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml +++ b/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml @@ -27,7 +27,7 @@ rules: ... Intercom('boot', $VAR); message: Found an initialization of the Intercom Messenger that identifies a - User, but does not specify a `user_hash`.This configuration allows users + User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile @@ -37,7 +37,7 @@ rules: metadata: category: security subcategory: - - guardrail + - audit cwe: - "CWE-287: Improper Authentication" confidence: MEDIUM diff --git a/metadata-schema.yaml.schm b/metadata-schema.yaml.schm index 030bb41ca1..5b54082088 100644 --- a/metadata-schema.yaml.schm +++ b/metadata-schema.yaml.schm @@ -51,7 +51,7 @@ schema: enum: - audit - vuln - - guardrail + - secure default cwe: type: - array @@ -90,4 +90,4 @@ schema: - likelihood - impact - subcategory - \ No newline at end of file + diff --git a/python/django/security/django-no-csrf-token.yaml b/python/django/security/django-no-csrf-token.yaml index 945adc69c1..174d640029 100644 --- a/python/django/security/django-no-csrf-token.yaml +++ b/python/django/security/django-no-csrf-token.yaml @@ -14,7 +14,7 @@ rules: regex: (?i)(post|put|delete|patch) - pattern-not-inside: "
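Review bot: Replacing `guardrail` with `secure default` in the `subcategory` enum makes validate-metadata.py reject any rule that still declares `subcategory: guardrail`; this diff migrates two rules (`go/lang/security/audit/crypto/missing-ssl-minversion.yaml` and `javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml`), but nothing on the page shows those were the only ones, so a repository-wide search for the old value should accompany the change. Both migrated rules move to `audit` rather than to the new `secure default` entry, so the new enum value currently has no user in this diff, which is fine only if that is intended. The new entry is also the only one containing a space, while `audit` and `vuln` are single tokens; the validator's error message in this commit spells it the same way, and the contributing docs that message links presumably need to as well, since a rule written as `secure-default` or `secure_default` would fail the enum check.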