diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 8b290246..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,199 +0,0 @@
-# Other package managers
-bun.lockb
-
-# Created by https://www.toptal.com/developers/gitignore/api/node,tags,macos
-# Edit at https://www.toptal.com/developers/gitignore?templates=node,tags,macos
-
-# migrated namespaces file ignore
-scripts/migrate-embeddings/migrated-namespaces.json
-
-### macOS ###
-# General
-.DS_Store
-.AppleDouble
-.LSOverride
-
-# Icon must end with two \r
-Icon
-
-# Thumbnails
-._*
-.idea
-
-# Files that might appear in the root of a volume
-.DocumentRevisions-V100
-.fseventsd
-.Spotlight-V100
-.TemporaryItems
-.Trashes
-.VolumeIcon.icns
-.com.apple.timemachine.donotpresent
-
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
-Network Trash Folder
-Temporary Items
-.apdisk
-
-### macOS Patch ###
-# iCloud generated files
-*.icloud
-
-### Node ###
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-.pnpm-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules/
-jspm_packages/
-
-# Snowpack dependency directory (https://snowpack.dev/)
-web_modules/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional stylelint cache
-.stylelintcache
-
-# Microbundle cache
-.rpt2_cache/
-.rts2_cache_cjs/
-.rts2_cache_es/
-.rts2_cache_umd/
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variable files
-!.env
-.env.*.local
-.env.local
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-.parcel-cache
-
-# Next.js build output
-.next
-out
-
-# Nuxt.js build / generate output
-.nuxt
-dist
-
-# Gatsby files
-.cache/
-# Comment in the public line in if your project uses Gatsby and not Next.js
-# https://nextjs.org/blog/next-9-1#public-directory-support
-# public
-
-# vuepress build output
-.vuepress/dist
-
-# vuepress v2.x temp and cache directory
-.temp
-
-# Docusaurus cache and generated files
-.docusaurus
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# TernJS port file
-.tern-port
-
-# Stores VSCode versions used for testing VSCode extensions
-.vscode-test
-
-# yarn v2
-.yarn/cache
-.yarn/unplugged
-.yarn/build-state.yml
-.yarn/install-state.gz
-.pnp.*
-
-### Node Patch ###
-# Serverless Webpack directories
-.webpack/
-
-# Optional stylelint cache
-
-# SvelteKit build / generate output
-.svelte-kit
-
-### Tags ###
-# Ignore tags created by etags, ctags, gtags (GNU global) and cscope
-TAGS
-.TAGS
-!TAGS/
-tags
-.tags
-!tags/
-gtags.files
-GTAGS
-GRTAGS
-GPATH
-GSYMS
-cscope.files
-cscope.out
-cscope.in.out
-cscope.po.out
-
-# End of https://www.toptal.com/developers/gitignore/api/node,tags,macos
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
deleted file mode 100644
index 6b97bf3a..00000000
--- a/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,128 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -We as members, contributors, and leaders pledge to make participation in our -community a harassment-free experience for everyone, regardless of age, body -size, visible or invisible disability, ethnicity, sex characteristics, gender -identity and expression, level of experience, education, socio-economic status, -nationality, personal appearance, race, religion, or sexual identity -and orientation. - -We pledge to act and interact in ways that contribute to an open, welcoming, -diverse, inclusive, and healthy community. - -## Our Standards - -Examples of behavior that contributes to a positive environment for our -community include: - -* Demonstrating empathy and kindness toward other people -* Being respectful of differing opinions, viewpoints, and experiences -* Giving and gracefully accepting constructive feedback -* Accepting responsibility and apologizing to those affected by our mistakes, - and learning from the experience -* Focusing on what is best not just for us as individuals, but for the - overall community - -Examples of unacceptable behavior include: - -* The use of sexualized language or imagery, and sexual attention or - advances of any kind -* Trolling, insulting or derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or email - address, without their explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Enforcement Responsibilities - -Community leaders are responsible for clarifying and enforcing our standards of -acceptable behavior and will take appropriate and fair corrective action in -response to any behavior that they deem inappropriate, threatening, offensive, -or harmful. 
- -Community leaders have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are -not aligned to this Code of Conduct, and will communicate reasons for moderation -decisions when appropriate. - -## Scope - -This Code of Conduct applies within all community spaces, and also applies when -an individual is officially representing the community in public spaces. -Examples of representing our community include using an official e-mail address, -posting via an official social media account, or acting as an appointed -representative at an online or offline event. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported to the community leaders responsible for enforcement at -contact@coderabbit.ai. -All complaints will be reviewed and investigated promptly and fairly. - -All community leaders are obligated to respect the privacy and security of the -reporter of any incident. - -## Enforcement Guidelines - -Community leaders will follow these Community Impact Guidelines in determining -the consequences for any action they deem in violation of this Code of Conduct: - -### 1. Correction - -**Community Impact**: Use of inappropriate language or other behavior deemed -unprofessional or unwelcome in the community. - -**Consequence**: A private, written warning from community leaders, providing -clarity around the nature of the violation and an explanation of why the -behavior was inappropriate. A public apology may be requested. - -### 2. Warning - -**Community Impact**: A violation through a single incident or series -of actions. - -**Consequence**: A warning with consequences for continued behavior. No -interaction with the people involved, including unsolicited interaction with -those enforcing the Code of Conduct, for a specified period of time. 
This -includes avoiding interactions in community spaces as well as external channels -like social media. Violating these terms may lead to a temporary or -permanent ban. - -### 3. Temporary Ban - -**Community Impact**: A serious violation of community standards, including -sustained inappropriate behavior. - -**Consequence**: A temporary ban from any sort of interaction or public -communication with the community for a specified period of time. No public or -private interaction with the people involved, including unsolicited interaction -with those enforcing the Code of Conduct, is allowed during this period. -Violating these terms may lead to a permanent ban. - -### 4. Permanent Ban - -**Community Impact**: Demonstrating a pattern of violation of community -standards, including sustained inappropriate behavior, harassment of an -individual, or aggression toward or disparagement of classes of individuals. - -**Consequence**: A permanent ban from any sort of public interaction within -the community. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], -version 2.0, available at -https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. - -Community Impact Guidelines were inspired by [Mozilla's code of conduct -enforcement ladder](https://github.com/mozilla/diversity). - -[homepage]: https://www.contributor-covenant.org - -For answers to common questions about this code of conduct, see the FAQ at -https://www.contributor-covenant.org/faq. Translations are available at -https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index fd931ab2..00000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,3 +0,0 @@ -# Contributing - -We welcome contributions to this repo! Please fork and make a pull request. diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 261eeb9e..00000000 --- a/LICENSE +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/README.md b/README.md deleted file mode 100644 index ed77134f..00000000 --- a/README.md +++ /dev/null 
@@ -1,112 +0,0 @@ -# AST-GREP Essentials - -[![CodeRabbit Reviews](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fapi.coderabbit.ai%2Fstats%2Fgithub%2Fcoderabbitai%2Fast-grep-essentials&query=%24.reviews&suffix=%20Reviews&style=for-the-badge&label=CodeRabbit&labelColor=%23FF570A&color=%2325BAB1)](https://app.coderabbit.ai/login) - -## Overview - -`ast-grep-essentials` is a community-led collection of -[`ast-grep`](https://ast-grep.github.io) rules to help developers mitigate -security vulnerabilities and enforce best practices in their codebases. - -> [!TIP] -> -> Please read the CodeRabbit -> [documentation](https://docs.coderabbit.ai/guides/review-instructions) to -> understand how to use `ast-grep` in [CodeRabbit](https://coderabbit.ai) -> reviews. - -## Structure - -```plaintext -ast-grep-essentials -│ -├── rules -│ ├── javascript -│ │ ├── jwt -│ │ │ ├── rule1.yml -│ │ │ ├── rule2.yml -│ │ │ └── ... -│ │ ├── ... -│ │ └── ... -│ └── go -│ ├── jwt-go -│ │ ├── rule1.yml -│ -├── utils -│ ├── script1.yml -│ ├── script2.yml -│ └── ... -│ -└── tests - ├── javascript - │ ├── rule1-test.yml - │ ├── rule2-test.yml - │ └── ... - ├── ... - └── ... -``` - -The package is organized into three main directories: - -- `rules`: Contains `ast-grep` rules categorized by language and security - category. -- `utils`: Houses utility configs to support rule management. -- `tests`: Includes test cases for validating the effectiveness of the rules - across different languages. - -### Rules Structure - -Within the `rules` directory, you'll find the following structure: - -- `language`: Each language supported by `ast-grep` (e.g., Python, JavaScript). -- `category`: Rules categorized based on security concerns (e.g., Input - Validation, Authentication). 
- -#### Rule file structure - -> [!TIP] -> -> Read the `ast-grep` > documentation to understand the -> [rule configuration](https://ast-grep.github.io/reference/yaml.html) and the -> [rule object properties](https://ast-grep.github.io/reference/rule.html). - -Each rule file should have the following structure: - -```yaml -# Unique across the package, not just the language -id: rule-id -# The language property that the rule is going to get matched against -language: "language" # e.g., javaScript, go -# A short description of the rule -message: "Rule message" -# A more detailed explanation of the rule -note: "Rule note" -# Severity level of the rule (e.g., hint, warning) -severity: "severity" -# ast-grep rule property, check documentation for more information -rule: ... -``` - -### Tests Structure - -Inside the `tests` directory, tests are organized by language: - -- `language`: Test cases specific to the corresponding language's rules. -- `rule-file`: each test rule file should have by convention the - `rule-file-name-test.yml` format. - -> [!NOTE] -> -> Tests should follow the `ast-grep` testing rules format. Please refer to the -> `ast-grep` -> [documentation](https://ast-grep.github.io/guide/test-rule.html#test-case-configuration) - -## Contributing - -This project relies on the community to contribute rules. Please open a pull -request with your rules and tests. Please ensure that the rules are truly -essential and have a low false positive rate. - -## Community - -Join the discussion on our [Discord server](https://discord.gg/C3rGCxHn). diff --git a/package-lock.json b/package-lock.json deleted file mode 100644 index 82b8e232..00000000 --- a/package-lock.json +++ /dev/null 
@@ -1,171 +0,0 @@ -{ - "name": "ast-grep-essentials", - "version": "1.0.0", - "lockfileVersion": 3, - "requires": true, - "packages": { - "": { - "name": "ast-grep-essentials", - "version": "1.0.0", - "license": "ISC", - "devDependencies": { - "@ast-grep/cli": "^0.31.1" - } - }, - "node_modules/@ast-grep/cli": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.31.1.tgz", - "integrity": "sha512-bqDlvD5bMd4raO7rjgnHMiNh7BiRgzIbwDbheaxsqaoIMrtHmOtXlj2Kx8aSQFeXaGfOMHQSaGsqjWRUx0V4MQ==", - "dev": true, - "hasInstallScript": true, - "dependencies": { - "detect-libc": "2.0.3" - }, - "bin": { - "ast-grep": "ast-grep", - "sg": "sg" - }, - "engines": { - "node": ">= 12.0.0" - }, - "optionalDependencies": { - "@ast-grep/cli-darwin-arm64": "0.31.1", - "@ast-grep/cli-darwin-x64": "0.31.1", - "@ast-grep/cli-linux-arm64-gnu": "0.31.1", - "@ast-grep/cli-linux-x64-gnu": "0.31.1", - "@ast-grep/cli-win32-arm64-msvc": "0.31.1", - "@ast-grep/cli-win32-ia32-msvc": "0.31.1", - "@ast-grep/cli-win32-x64-msvc": "0.31.1" - } - }, - "node_modules/@ast-grep/cli-darwin-arm64": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.31.1.tgz", - "integrity": "sha512-Vzk+s1W5MHmV66VvkofzsMulGs6OMvxs++CRiB8nRlvP7cVHe9nKmIZy0/7chhyOwyIlKmiSxyWo2M8qulsu9w==", - "cpu": [ - "arm64" - ], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@ast-grep/cli-darwin-x64": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.31.1.tgz", - "integrity": "sha512-PRF/nBFcvsAfe6CYgigK0CJ3C54t+dgyitMnQOkENCmIKiLIQMlWvuwdaJllC9kFvDJY+L07BaByvYRJXDtcFQ==", - "cpu": [ - "x64" - ], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@ast-grep/cli-linux-arm64-gnu": { - "version": "0.31.1", - 
"resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.31.1.tgz", - "integrity": "sha512-1i23qVZ/UjIaA8Aj3ABwry7VOQTQOrgrwtj1rPl9LfhMy1WSsNChcat9cgBnSaiyxLi4Mtia/FSsJuPIZUutrQ==", - "cpu": [ - "arm64" - ], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@ast-grep/cli-linux-x64-gnu": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.31.1.tgz", - "integrity": "sha512-q4TPZJ/C/uEGBmdyXj634CBMZaPSBSPAWAixqFIWSiwqDeprNX+81bV4lPGhudO83B5QDGMIpVvc66sgCzH0hw==", - "cpu": [ - "x64" - ], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@ast-grep/cli-win32-arm64-msvc": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.31.1.tgz", - "integrity": "sha512-GX/cnBL7fC7q4Ij9yfNB9G04Sg7Ow1PhHyV4zajqqKJB1DIHByfvWKkDn0Pzu+hCtCemvl1JV/VqlnoebwVY8g==", - "cpu": [ - "arm64" - ], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@ast-grep/cli-win32-ia32-msvc": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.31.1.tgz", - "integrity": "sha512-6BdcBijnc0cUC2sTvFpR2UNgv0HcL8n007uRFEawJ0M+jj8IjXiO6l7cUcWA+LDPWEd5paHOmB062NZL/55vPg==", - "cpu": [ - "ia32" - ], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/@ast-grep/cli-win32-x64-msvc": { - "version": "0.31.1", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.31.1.tgz", - "integrity": "sha512-Um52jxkVDbCazmGoT0TknSZszUGD9Ys37FU/SqiqXI7NiPwGxrbcyvsuxN1cHAEhycxJsRWdbU9xXXsYVPUhAw==", - "cpu": [ - "x64" - 
], - "dev": true, - "license": "MIT", - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": ">= 10" - } - }, - "node_modules/detect-libc": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.3.tgz", - "integrity": "sha512-bwy0MGW55bG41VqxxypOsdSdGqLwXPI/focwgTYCFMbdUiBAxLg9CFzG08sz2aqzknwiX7Hkl0bQENjg8iLByw==", - "dev": true, - "license": "Apache-2.0", - "engines": { - "node": ">=8" - } - } - } -} diff --git a/package.json b/package.json deleted file mode 100644 index 871f9b15..00000000 --- a/package.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "name": "ast-grep-essentials", - "version": "1.0.0", - "description": "ast-grep essential security rules", - "main": "index.js", - "scripts": { - "test-wip": "ast-grep test --skip-snapshot-tests -c ./sgconfig.yml", - "test-ci": "ast-grep test -c ./sgconfig.yml", - "test": "ast-grep test --interactive -c ./sgconfig.yml", - "test-update-all": "ast-grep test --update-all -c ./sgconfig.yml" - }, - "author": "", - "license": "ISC", - "devDependencies": { - "@ast-grep/cli": "^0.31.1" - } -} \ No newline at end of file diff --git a/rules/.gitkeep b/rules/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/rules/c/security/dont-call-system-c.yml b/rules/c/security/dont-call-system-c.yml deleted file mode 100644 index 1cc4810a..00000000 --- a/rules/c/security/dont-call-system-c.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -id: dont-call-system-c -language: c -severity: warning -message: >- - Don't call `system`. It's a high-level wrapper that allows for stacking - multiple commands. Always prefer a more restrictive API such as calling - `execve` from the `exec` family. -note: >- - [CWE-78] Improper Neutralization of Special Elements used in an OS - Command ('OS Command Injection'). - [REFERENCES] - - https://owasp.org/Top10/A03_2021-Injection - -ast-grep-essentials: true - -utils: - PATTERN_SYSTEM_INSIDE_IF_STATEMENT: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^system$' - - has: - stopBy: neighbor - kind: argument_list - - inside: - stopBy: end - kind: parenthesized_expression - inside: - kind: if_statement - PATTERN_SYSTEM: - any: - - kind: expression_statement - - kind: return_statement - - kind: field_declaration - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^system$' - - has: - stopBy: neighbor - kind: argument_list -rule: - any: - - matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT - - matches: PATTERN_SYSTEM - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - has: - stopBy: end - kind: ERROR - diff --git a/rules/c/security/file-access-before-action-c.yml b/rules/c/security/file-access-before-action-c.yml deleted file mode 100644 index 1d76a130..00000000 --- a/rules/c/security/file-access-before-action-c.yml +++ /dev/null 
@@ -1,187 +0,0 @@ -id: file-access-before-action-c -language: c -severity: warning -message: >- - A check is done with `access` and then the file is later used. There is no guarantee that the status of the file has not changed since the call to `access` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files - -ast-grep-essentials: true - -utils: - PATTERN_1(identifier): - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - stopBy: end - kind: parenthesized_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: parenthesized_expression - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: identifier - nthChild: 2 - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: identifier - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - identifier: - any: - - kind: identifier - regex: 
^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - - PATTERN_3(field_expression): - kind: field_expression - has: - nthChild: 1 - stopBy: end - matches: identifier - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - stopBy: end - kind: parenthesized_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: parenthesized_expression - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: identifier - nthChild: 2 - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: identifier - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - -rule: - any: - - matches: PATTERN_1(identifier) - - matches: PATTERN_3(field_expression) diff --git a/rules/c/security/file-stat-before-action-c.yml b/rules/c/security/file-stat-before-action-c.yml deleted file mode 100644 index 1b522409..00000000 --- a/rules/c/security/file-stat-before-action-c.yml +++ /dev/null 
@@ -1,338 +0,0 @@ -id: file-stat-before-action-c -language: c -severity: warning -message: >- - A check is done with `stat` and then the file is used. There is no guarantee that the status of the file has not changed since the call to `stat` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files - -ast-grep-essentials: true - -utils: - PATTERN_1(identifier)nth1: - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - all: - - not: - inside: - stopBy: end - kind: parenthesized_expression - nthChild: 1 - inside: - kind: if_statement - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: parenthesized_expression - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_1(identifier)nth2: - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - all: - - not: - inside: - stopBy: end - kind: 
parenthesized_expression - nthChild: 1 - inside: - kind: if_statement - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: parenthesized_expression - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 3 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - identifier: - any: - - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - - PATTERN_3(field_expression)(identifier)nth1: - kind: field_expression - has: - nthChild: 1 - stopBy: end - matches: identifier - all: - - not: - inside: - stopBy: end - kind: parenthesized_expression - nthChild: 1 - inside: - kind: if_statement - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: parenthesized_expression - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - precedes: - kind: argument_list - all: - - has: 
- nthChild: 1 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_3(field_expression)(identifier)nth2: - kind: field_expression - has: - nthChild: 1 - stopBy: end - matches: identifier - all: - - not: - inside: - stopBy: end - kind: parenthesized_expression - nthChild: 1 - inside: - kind: if_statement - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: parenthesized_expression - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - -rule: - any: - - matches: PATTERN_1(identifier)nth1 - - matches: PATTERN_1(identifier)nth2 - - matches: PATTERN_3(field_expression)(identifier)nth1 - - matches: PATTERN_3(field_expression)(identifier)nth2 
diff --git a/rules/c/security/insecure-hash-c.yml b/rules/c/security/insecure-hash-c.yml
deleted file mode 100644
index e80bf532..00000000
--- a/rules/c/security/insecure-hash-c.yml
+++ /dev/null
@@ -1,293 +0,0 @@ -id: insecure-hash-c -language: c -severity: warning -message: >- - This hashing algorithm is insecure. If this hash is used in a security - context, such as password hashing, it should be converted to a stronger - hashing algorithm. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -ast-grep-essentials: true -utils: - MATCH_PATTERN_ONE: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$ - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_TWO_(EVP_MD_fetch): - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(EVP_MD_fetch)$ - - has: - stopBy: neighbor - kind: argument_list - has: - kind: string_literal - all: - - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_TWO_with_instance_(EVP_MD_fetch): - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^(EVP_MD_fetch)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $Q - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: pointer_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - regex: 
^(MD2|MD4|MD5|SHA1|SHA-1)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: pointer_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_THREE: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract)$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: identifier - regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$ - nthChild: - position: 2 - ofRule: - not: - kind: comment - - MATCH_PATTERN_TWO_(EVP_get_digestbyname): - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(EVP_get_digestbyname)$ - - has: - stopBy: neighbor - kind: argument_list - has: - kind: string_literal - all: - - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - MATCH_PATTERN_TWO_with_instance_(EVP_get_digestbyname): - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^(EVP_get_digestbyname)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $Q - nthChild: - position: 1 - ofRule: - not: - kind: comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: pointer_declarator - has: - stopBy: 
neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: pointer_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_THREE_(gcry_md_hash_buffers): - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(gcry_md_hash_buffers|gcry_md_hash_buffer)$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: identifier - regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$ - nthChild: - position: 1 - ofRule: - not: - kind: comment -rule: - any: - - kind: expression_statement - any: - - matches: MATCH_PATTERN_ONE - - matches: MATCH_PATTERN_TWO_(EVP_MD_fetch) - - matches: MATCH_PATTERN_TWO_with_instance_(EVP_MD_fetch) - - matches: MATCH_PATTERN_THREE - - matches: MATCH_PATTERN_TWO_(EVP_get_digestbyname) - - matches: MATCH_PATTERN_TWO_with_instance_(EVP_get_digestbyname) - - matches: MATCH_PATTERN_THREE_(gcry_md_hash_buffers) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml deleted file mode 100644 index d955e4fb..00000000 --- a/rules/c/security/libxml2-audit-parser-c.yml +++ /dev/null 
@@ -1,265 +0,0 @@ -id: libxml2-audit-parser-c -language: c -severity: warning -message: >- - The libxml2 library is used to parse XML. When auditing such code, make - sure that either the document being parsed is trusted or that the parsing - options are safe to consume untrusted documents. In such case make sure - DTD or XInclude documents cannot be loaded and there is no network access. -note: >- - [CWE-611] Improper Restriction of XML External Entity Reference. - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -ast-grep-essentials: true -utils: - Pattern_having_three_child: - kind: call_expression - all: - - has: - kind: identifier - regex: ^(xmlReadFile)$ - - has: - kind: argument_list - all: - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - Pattern_having_five_child: - kind: call_expression - all: - - has: - kind: identifier - regex: ^(xmlParseInNodeContext|xmlReadMemory|xmlCtxtReadDoc|xmlCtxtReadFd)$ - - has: - kind: argument_list - all: - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 6 - ofRule: - not: - kind: comment - - Pattern_having_four_child: - kind: call_expression - all: - - has: - kind: identifier - regex: ^(xmlReadDoc|xmlReadFd|xmlCtxtReadFile)$ - - has: - kind: argument_list - all: - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 3 - ofRule: - not: 
- kind: comment - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - Pattern_having_six_child: - kind: call_expression - all: - - has: - kind: identifier - regex: ^(xmlReadIO|xmlCtxtReadMemory)$ - - has: - kind: argument_list - all: - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 6 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 7 - ofRule: - not: - kind: comment - - Pattern_having_seven_child: - kind: call_expression - all: - - has: - kind: identifier - regex: ^(xmlCtxtReadIO)$ - - has: - kind: argument_list - all: - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 6 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 7 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 8 - ofRule: - not: - kind: comment - -rule: - kind: call_expression - any: - - matches: Pattern_having_five_child - - matches: Pattern_having_four_child - - matches: Pattern_having_six_child - - matches: Pattern_having_seven_child - - matches: Pattern_having_three_child - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/c/security/null-library-function-c.yml b/rules/c/security/null-library-function-c.yml deleted file mode 100644 index 5ed6c572..00000000 
--- a/rules/c/security/null-library-function-c.yml
+++ /dev/null
@@ -1,262 +0,0 @@ -id: null-library-function-c -language: C -severity: warning -message: >- - The `$SOURCE` function returns NULL on error and this line dereferences - the return value without checking for NULL. -note: >- - [CWE-476] NULL Pointer Dereference. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers -ast-grep-essentials: true - -rule: - all: - - not: - has: - stopBy: end - kind: ERROR - - any: - - kind: subscript_expression - # any: - # - pattern: $SOURCE($$$)[$$$] - # - pattern: ($SOURCE($$$))[$$$] - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - has: - stopBy: end - any: - - kind: number_literal - - kind: identifier - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: 
^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - nthChild: 1 - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: 
^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: assignment_expression - nthChild: 1 - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - 
nthChild: 2 - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - not: - inside: - stopBy: end - kind: call_expression - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - - not: - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: call_expression - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: ^bcopy|::bcopy|std::bcopy|memccpy|::memccpy|std::memccpy|memcpy|::memcpy|std::memcpy|memmove|::memmove|std::memmove|stpncpy|::stpncpy|std::stpncpy|strcat|::strcat|std::strcat|strcpy|::strcpy|std::strcpy|strcpy|::strcpy|std::strcpy|strlcat|::strlcat|std::strlcat|strlcpy|::strlcpy|std::strlcpy|strncat|::strncat|std::strncat|strpcpy|::strpcpy|std::strpcpy|wcpcpy|::wcpcpy|std::wcpcpy|wcpncpy|::wcpncpy|std::wcpncpy$ - - has: - stopBy: neighbor - kind: argument_list - has: - 
stopBy: neighbor - kind: assignment_expression - pattern: $VAR = $SOURCE($$$) - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - - kind: call_expression - # any: - # - pattern: $SINK($$$, $SOURCE($$$)) - # - pattern: $SINK($SOURCE($$$)) - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: ^fwrite|::fwrite|std::fwrite$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $SOURCE - regex: 
^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - - kind: call_expression - any: - - pattern: $SINK($$$, $VAR = $SOURCE($$$)) - - pattern: $SINK($VAR = $SOURCE($$$)) - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: ^fwrite|::fwrite|std::fwrite$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: assignment_expression - pattern: $VAR = $SOURCE($$$) - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: 
^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - - kind: pointer_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - not: - 
inside: - stopBy: end - any: - - kind: subscript_expression - # - kind: call_expression - - not: - has: - stopBy: end - any: - - kind: assignment_expression - - inside: - stopBy: end - kind: return_statement - \ No newline at end of file diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml deleted file mode 100644 index 661b62d3..00000000 --- a/rules/c/security/sizeof-this-c.yml +++ /dev/null 
@@ -1,131 +0,0 @@
-id: sizeof-this-c
-language: c
-severity: warning
-message: >-
- Do not use `sizeof(this)` to get the number of bytes of the object in
- memory. It returns the size of the pointer, not the size of the object.
-note: >-
- [CWE-467]: Use of sizeof() on a Pointer Type
- [REFERENCES]
- - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
-ast-grep-essentials: true
-rule:
- not:
- has:
- stopBy: end
- any:
- - kind: ERROR
- - kind: pointer_expression
- - kind: sizeof_expression
- - kind: expression_statement
- any:
- - kind: macro_type_specifier
- all:
- - has:
- stopBy: end
- kind: identifier
- nthChild: 1
- regex: ^sizeof$
- - has:
- stopBy: end
- kind: type_descriptor
- nthChild: 2
- not:
- has:
- nthChild: 2
- has:
- kind: type_identifier
- pattern: $THIS
- - not:
- has:
- kind: function_declarator
- nthChild: 1
-
- - kind: function_declarator
- all:
- - has:
- stopBy: end
- kind: field_identifier
- regex: ^sizeof$
- nthChild: 1
- - has:
- stopBy: end
- kind: parameter_list
- nthChild: 2
- not:
- has:
- nthChild: 2
- has:
- kind: parameter_declaration
- pattern: $THIS
- - not:
- has:
- kind: function_declarator
- nthChild: 1
- # - not:
- # inside:
- # has:
- # nthChild: 1
-
- - kind: parameter_declaration
- all:
- - has:
- kind: type_identifier
- nthChild: 1
- regex: ^sizeof$
- - any:
- - has:
- kind: abstract_function_declarator
- has:
- kind: parameter_list
- not:
- has:
- nthChild: 2
- has:
- kind: parameter_declaration
- pattern: $THIS
- - has:
- kind: abstract_parenthesized_declarator
- not:
- has:
- stopBy: end
- nthChild: 2
- has:
- stopBy: end
- kind: parameter_list
- has:
- kind: parameter_declaration
- pattern: $THIS
-
- - kind: sizeof_expression
- not:
- has:
- any:
- - nthChild: 2
- - kind: parameter_declaration
- has:
- stopBy: end
- kind: identifier
- pattern: $THIS
-
- - kind: type_descriptor
- all:
- - has:
- kind: type_identifier
- regex: ^sizeof$
- - has:
- stopBy: end
- kind: abstract_function_declarator
- has:
- kind: parameter_list
- not:
- has:
- stopBy: end
- nthChild: 2
- has:
- kind: parameter_declaration
- pattern: $THIS
-
-constraints:
- THIS:
- regex: ^this$
diff --git a/rules/c/security/small-key-size-c.yml b/rules/c/security/small-key-size-c.yml
deleted file mode 100644
index c826a55f..00000000
--- a/rules/c/security/small-key-size-c.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: small-key-size-c
-language: c
-severity: warning
-message: >-
- $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
- less than the recommended key size of 2048 bits.
-note: >-
- [CWE-326]: Inadequate Encryption Strength
- [OWASP A02:2021]: Cryptographic Failures
- [OWASP A03:2017]: Sensitive Data Exposure
- [REFERENCES]
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-ast-grep-essentials: true
-
-rule:
- kind: call_expression
- all:
- - has:
- stopBy: end
- kind: identifier
- regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
- - not:
- has:
- stopBy: end
- kind: field_identifier
- regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- any:
- - kind: number_literal
- - kind: binary_expression
- - kind: unary_expression
- nthChild: 2
- regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
- - not:
- has:
- stopBy: end
- kind: ERROR
diff --git a/rules/c/security/world-writable-file-c.yml b/rules/c/security/world-writable-file-c.yml deleted file mode 100644 index a514fd7d..00000000 --- a/rules/c/security/world-writable-file-c.yml +++ /dev/null 
@@ -1,328 +0,0 @@ -id: world-writable-file-c -language: c -severity: warning -message: >- - This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file. -note: >- - [CWE-732]: Incorrect Permission Assignment for Critical Resource - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions - -ast-grep-essentials: true - -utils: - follows_umask: - follows: - stopBy: end - kind: expression_statement - has: - kind: call_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: function - regex: ^umask$ - - has: - nthChild: 2 - kind: argument_list - field: arguments - - AND_2_EQUALS_2_&_S_IXXXX: - any: - - kind: number_literal - regex: ^-?([2367]|[0-9]*(0[2367]|1[014589]|2[2367]|3[014589]|4[2367]|5[014589]|6[2367]|7[014589]|8[2367]|9[014589]))$ - - all: - - any: - - kind: binary_expression - - kind: identifier - - regex: (\s*S_I[A-Z]{4}\s*\|)*S_I[A-Z]{4} - - regex: .*\bS_IWOTH\b.* - -rule: - any: - # chmod/fchmod/creat - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 2 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - not: - has: - 
nthChild: - position: 3 - ofRule: - not: - kind: comment - follows: - kind: identifier - regex: ^(chmod|fchmod|creat)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask - - # fchmodat - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 3 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - follows: - kind: identifier - regex: ^(fchmodat)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask - - # open - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: 
AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 3 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - follows: - kind: identifier - regex: ^(open)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask - - # openat - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 4 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - follows: - kind: identifier - regex: ^(openat)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask diff --git a/rules/cpp/security/dont-call-system-cpp.yml b/rules/cpp/security/dont-call-system-cpp.yml deleted file mode 100644 index 6855b9be..00000000 --- a/rules/cpp/security/dont-call-system-cpp.yml +++ /dev/null 
@@ -1,61 +0,0 @@
-id: dont-call-system-cpp
-language: cpp
-severity: warning
-message: >-
- Don't call `system`. It's a high-level wrapper that allows for stacking
- multiple commands. Always prefer a more restrictive API such as calling
- `execve` from the `exec` family.
-note: >-
- [CWE-78] Improper Neutralization of Special Elements used in an OS
- Command ('OS Command Injection').
- [REFERENCES]
- - https://owasp.org/Top10/A03_2021-Injection
-
-ast-grep-essentials: true
-
-utils:
- PATTERN_SYSTEM_INSIDE_IF_STATEMENT:
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: '^system$'
- - has:
- stopBy: neighbor
- kind: argument_list
- - inside:
- stopBy: end
- kind: parenthesized_expression
- inside:
- kind: if_statement
- PATTERN_SYSTEM:
- any:
- - kind: expression_statement
- - kind: return_statement
- - kind: field_declaration
- has:
- stopBy: neighbor
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: '^system$'
- - has:
- stopBy: neighbor
- kind: argument_list
-rule:
- any:
- - matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT
- - matches: PATTERN_SYSTEM
- not:
- all:
- - has:
- stopBy: end
- kind: ERROR
- - inside:
- has:
- stopBy: end
- kind: ERROR
-
diff --git a/rules/cpp/security/file-access-before-action-cpp.yml b/rules/cpp/security/file-access-before-action-cpp.yml
deleted file mode 100644
index 20ccfc62..00000000
--- a/rules/cpp/security/file-access-before-action-cpp.yml
+++ /dev/null
@@ -1,275 +0,0 @@ -id: file-access-before-action-cpp -language: cpp -severity: warning -message: >- - A check is done with `access` and then the file is later used. There is no guarantee that the status of the file has not changed since the call to `access` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files - -ast-grep-essentials: true - -utils: - PATTERN_1(identifier): - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - stopBy: end - kind: condition_clause - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: identifier - nthChild: 2 - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: identifier - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_2(qualified_identifier): - kind: qualified_identifier - any: - - regex: 
^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - - regex: ^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - stopBy: end - kind: condition_clause - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: identifier - nthChild: 2 - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: identifier - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - identifier_and_qualified_identifier: - any: - - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - - kind: qualified_identifier - any: - - regex: 
^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - - regex: ^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - - PATTERN_3(field_expression): - kind: field_expression - has: - nthChild: 1 - stopBy: end - matches: identifier_and_qualified_identifier - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - not: - inside: - stopBy: end - kind: condition_clause - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: identifier - nthChild: 2 - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(access|faccessat|faccessat2)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: identifier - regex: ^(F_OK|R_OK|W_OK|X_OK)$ - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - -rule: - any: - - matches: PATTERN_1(identifier) - - matches: PATTERN_2(qualified_identifier) - - matches: PATTERN_3(field_expression) 
diff --git a/rules/cpp/security/file-stat-before-action-cpp.yml b/rules/cpp/security/file-stat-before-action-cpp.yml deleted file mode 100644 index 74bd9bc3..00000000 --- a/rules/cpp/security/file-stat-before-action-cpp.yml +++ /dev/null 
@@ -1,500 +0,0 @@ -id: file-stat-before-action-cpp -language: cpp -severity: warning -message: >- - A check is done with `stat` and then the file is used. There is no guarantee that the status of the file has not changed since the call to `stat` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files - -ast-grep-essentials: true - -utils: - PATTERN_1(identifier)nth1: - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - all: - - not: - inside: - stopBy: end - kind: condition_clause - - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_2(qualified_identifier)nth1: - kind: qualified_identifier - any: - - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - - regex: 
^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - all: - - not: - inside: - stopBy: end - kind: condition_clause - - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_1(identifier)nth2: - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - all: - - not: - inside: - stopBy: end - kind: condition_clause - - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: 
binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 3 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_2(qualified_identifier)nth2: - kind: qualified_identifier - any: - - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - - regex: ^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - all: - - not: - inside: - stopBy: end - kind: condition_clause - - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - 
kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - identifier_and_qualified_identifier: - any: - - kind: identifier - regex: ^(fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir)$ - - kind: qualified_identifier - any: - - regex: ^(folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File)$ - - regex: ^(boost::)?(filesystem::file_size|filesystem::create_directory|filesystem::create_directories|filesystem::remove|filesystem::remove_all|filesystem::rename|filesystem::copy_file|filesystem::copy|filesystem::copy_directory|filesystem::resize_file|filesystem::last_write_time|filesystem::permissions|filesystem::symlink_status|filesystem::create_symlink|filesystem::create_hard_link|filesystem::read_symlink)$ - - PATTERN_3(field_expression)(identifier)nth1: - kind: field_expression - has: - nthChild: 1 - stopBy: end - matches: identifier_and_qualified_identifier - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - all: - - not: - inside: - stopBy: end - kind: condition_clause - - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - kind: number_literal - regex: 
^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(stat|_stat|lstat|_lstat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 1 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - PATTERN_3(field_expression)(identifier)nth2: - kind: field_expression - has: - nthChild: 1 - stopBy: end - matches: identifier_and_qualified_identifier - all: - - precedes: - kind: argument_list - has: - pattern: $SRC - - inside: - kind: call_expression - all: - - not: - inside: - stopBy: end - kind: condition_clause - - not: - inside: - kind: field_expression - inside: - stopBy: end - kind: compound_statement - inside: - kind: if_statement - has: - kind: condition_clause - has: - stopBy: end - any: - - kind: binary_expression - has: - stopBy: end - kind: parenthesized_expression - has: - kind: binary_expression - all: - - has: - kind: call_expression - nthChild: 1 - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - precedes: - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - - kind: binary_expression - all: - - has: - nthChild: 1 - kind: call_expression - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - nthChild: 2 - kind: argument_list - all: - - has: - nthChild: 2 - pattern: $SRC - - has: - nthChild: 2 - kind: number_literal - regex: ^(0)$ - follows: - regex: ^==$ - -rule: - any: - - matches: PATTERN_1(identifier)nth1 - - matches: PATTERN_2(qualified_identifier)nth1 - - matches: PATTERN_1(identifier)nth2 - - matches: PATTERN_2(qualified_identifier)nth2 - - matches: PATTERN_3(field_expression)(identifier)nth1 - - matches: PATTERN_3(field_expression)(identifier)nth2 
diff --git a/rules/cpp/security/fix-format-security-error-cpp.yml b/rules/cpp/security/fix-format-security-error-cpp.yml
deleted file mode 100644
index 5455ba84..00000000
--- a/rules/cpp/security/fix-format-security-error-cpp.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: fix-format-security-error-cpp
-language: cpp
-severity: warning
-message: The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application.
-ast-grep-essentials: true
-
-rule:
- pattern: $PRINTF($S, $VAR)
-constraints:
- PRINTF: # a format string function
- { regex: "^sprintf|fprintf$" }
- VAR: # not a literal string
- not:
- any:
- - { kind: string_literal }
- - { kind: concatenated_string }
-fix: $PRINTF($S, "%s", $VAR)
-
diff --git a/rules/cpp/security/insecure-hash-cpp.yml b/rules/cpp/security/insecure-hash-cpp.yml
deleted file mode 100644
index 8646352f..00000000
--- a/rules/cpp/security/insecure-hash-cpp.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-id: insecure-hash-cpp
-language: cpp
-severity: warning
-message: >-
- This hashing algorithm is insecure. If this hash is used in a security
- context, such as password hashing, it should be converted to a stronger
- hashing algorithm.
-note: >-
- [CWE-328] Use of Weak Hash.
- [REFERENCES]
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-ast-grep-essentials: true
-utils:
- MATCH_PATTERN_ONE:
- kind: expression_statement
- has:
- stopBy: neighbor
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
- - has:
- stopBy: neighbor
- kind: argument_list
-
- MATCH_PATTERN_TWO:
- kind: expression_statement
- has:
- stopBy: neighbor
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: end
- kind: string_content
- regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
-
- MATCH_PATTERN_TWO_with_instance:
- kind: expression_statement
- all:
- - has:
- stopBy: neighbor
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- kind: identifier
- pattern: $Q
- - follows:
- stopBy: end
- kind: declaration
- has:
- stopBy: end
- kind: init_declarator
- all:
- - has:
- stopBy: neighbor
- any:
- - kind: array_declarator
- has:
- stopBy: neighbor
- kind: identifier
- pattern: $Q
- - kind: pointer_declarator
- has:
- stopBy: neighbor
- kind: identifier
- pattern: $Q
- - kind: identifier
- pattern: $Q
-
- - has:
- stopBy: neighbor
- kind: string_literal
- has:
- stopBy: neighbor
- kind: string_content
- regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
-
- MATCH_PATTERN_THREE:
- kind: expression_statement
- has:
- stopBy: neighbor
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: end
- kind: identifier
- regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
-rule:
- any:
- - kind: expression_statement
- any:
- - matches: MATCH_PATTERN_ONE
- - matches: MATCH_PATTERN_TWO
- - matches: MATCH_PATTERN_TWO_with_instance
- - matches: MATCH_PATTERN_THREE
- not:
- all:
- - has:
- stopBy: end
- kind: ERROR
- - inside:
- stopBy: end
- kind: ERROR
diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml
deleted file mode 100644
index 1f500981..00000000
--- a/rules/cpp/security/libxml2-audit-parser-cpp.yml
+++ /dev/null
@@ -1,265 +0,0 @@
-id: libxml2-audit-parser-cpp
-language: Cpp
-severity: warning
-message: >-
- The libxml2 library is used to parse XML. When auditing such code, make
- sure that either the document being parsed is trusted or that the parsing
- options are safe to consume untrusted documents. In such case make sure
- DTD or XInclude documents cannot be loaded and there is no network access.
-note: >-
- [CWE-611] Improper Restriction of XML External Entity Reference.
- [REFERENCES]
- - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
-ast-grep-essentials: true
-utils:
- Pattern_having_three_child:
- kind: call_expression
- all:
- - has:
- kind: identifier
- regex: ^(xmlReadFile)$
- - has:
- kind: argument_list
- all:
- - has:
- nthChild:
- position: 1
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: comment
- - not:
- has:
- nthChild:
- position: 4
- ofRule:
- not:
- kind: comment
-
- Pattern_having_five_child:
- kind: call_expression
- all:
- - has:
- kind: identifier
- regex: ^(xmlParseInNodeContext|xmlReadMemory|xmlCtxtReadDoc|xmlCtxtReadFd)$
- - has:
- kind: argument_list
- all:
- - has:
- nthChild:
- position: 1
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 4
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 5
- ofRule:
- not:
- kind: comment
- - not:
- has:
- nthChild:
- position: 6
- ofRule:
- not:
- kind: comment
-
- Pattern_having_four_child:
- kind: call_expression
- all:
- - has:
- kind: identifier
- regex: ^(xmlReadDoc|xmlReadFd|xmlCtxtReadFile)$
- - has:
- kind: argument_list
- all:
- - has:
- nthChild:
- position: 1
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 4
- ofRule:
- not:
- kind: comment
- - not:
- has:
- nthChild:
- position: 5
- ofRule:
- not:
- kind: comment
-
- Pattern_having_six_child:
- kind: call_expression
- all:
- - has:
- kind: identifier
- regex: ^(xmlReadIO|xmlCtxtReadMemory)$
- - has:
- kind: argument_list
- all:
- - has:
- nthChild:
- position: 1
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 4
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 5
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 6
- ofRule:
- not:
- kind: comment
- - not:
- has:
- nthChild:
- position: 7
- ofRule:
- not:
- kind: comment
-
- Pattern_having_seven_child:
- kind: call_expression
- all:
- - has:
- kind: identifier
- regex: ^(xmlCtxtReadIO)$
- - has:
- kind: argument_list
- all:
- - has:
- nthChild:
- position: 1
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 4
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 5
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 6
- ofRule:
- not:
- kind: comment
- - has:
- nthChild:
- position: 7
- ofRule:
- not:
- kind: comment
- - not:
- has:
- nthChild:
- position: 8
- ofRule:
- not:
- kind: comment
-
-rule:
- kind: call_expression
- any:
- - matches: Pattern_having_five_child
- - matches: Pattern_having_four_child
- - matches: Pattern_having_six_child
- - matches: Pattern_having_seven_child
- - matches: Pattern_having_three_child
- not:
- all:
- - has:
- stopBy: end
- kind: ERROR
- - inside:
- stopBy: end
- kind: ERROR
diff --git a/rules/cpp/security/missing-nul-cpp-string-memcpy-cpp.yml b/rules/cpp/security/missing-nul-cpp-string-memcpy-cpp.yml
deleted file mode 100644
index 5191c61c..00000000
--- a/rules/cpp/security/missing-nul-cpp-string-memcpy-cpp.yml
+++ /dev/null
@@ -1,404 +0,0 @@ -id: missing-nul-cpp-string-memcpy-copy-cpp -language: cpp -severity: warning -message: >- - The number of bytes copied from `$STR` does not include the NUL - terminator. This can lead to an out-of-bounds read and information - disclosure. One extra byte should be added to the length to ensure that - the NUL terminator is copied. -note: >- - [CWE-125]: Out-of-bounds Read - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator - -ast-grep-essentials: true - -rule: - any: - - kind: qualified_identifier - - kind: identifier - pattern: $MEMFUNC - regex: ^(memcpy|wmemcpy|memmove|wmemmove|std::memcpy|std::wmemcpy|std::memmove|std::wmemmove)$ - inside: - stopBy: end - any: - - kind: call_expression - all: - - has: - any: - - kind: qualified_identifier - - kind: identifier - nthChild: 1 - pattern: $MEMFUNC - - has: - kind: argument_list - nthChild: 2 - all: - - has: - pattern: $DEST - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - pattern: $STR.c_str() - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: strlen($STR.c_str()) - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - # - pattern: $MEMFUNC($DEST, $STR.c_str(), strlen($STR.c_str())) - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - kind: call_expression - all: - - has: - any: - - kind: qualified_identifier - - kind: identifier - nthChild: 1 - pattern: $MEMFUNC - - has: - kind: argument_list - nthChild: 2 - all: - - has: - pattern: $DEST - nthChild: - position: 1 - ofRule: - not: - kind: comment - - 
has: - pattern: $STR.c_str() - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: $STR.size() - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - # pattern: $MEMFUNC($DEST, $STR.c_str(), $STR.size()) - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - kind: call_expression - all: - - has: - pattern: $MEMFUNC - any: - - kind: qualified_identifier - - kind: identifier - nthChild: 1 - - has: - kind: argument_list - nthChild: 2 - all: - - has: - pattern: $DEST - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - pattern: $STR.c_str() - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: $STR.length() - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - # pattern: $MEMFUNC($DEST, $STR.c_str(), $STR.length()) - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - kind: call_expression - all: - - has: - nthChild: 1 - any: - - kind: qualified_identifier - - kind: identifier - pattern: $MEMFUNC - - has: - nthChild: 2 - kind: argument_list - all: - - has: - pattern: $DEST - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - pattern: $STR.c_str() - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: $LEN - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 
- ofRule: - not: - kind: comment - # pattern: $MEMFUNC($DEST, $STR.c_str(), $LEN) - - all: - - any: - - follows: - stopBy: end - any: - - pattern: $LEN = strlen($STR.c_str()); - - pattern: $SET $LEN = strlen($STR.c_str()); - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $LEN = strlen($STR.c_str()); - - pattern: $SET $LEN = strlen($STR.c_str()); - - inside: - stopBy: end - follows: - stopBy: end - kind: declaration - has: - kind: init_declarator - all: - - has: - kind: identifier - pattern: $LEN - - has: - kind: call_expression - pattern: from.size() - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - kind: call_expression - all: - - has: - any: - - kind: qualified_identifier - - kind: identifier - nthChild: 1 - pattern: $MEMFUNC - - has: - kind: argument_list - all: - - has: - pattern: $DEST - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - pattern: $STR.c_str() - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: $LEN - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - # pattern: $MEMFUNC($DEST, $STR.c_str(), $LEN) - follows: - stopBy: end - any: - - pattern: $LEN = $STR.size(); - - pattern: $SET $LEN = $STR.size(); - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - kind: call_expression - all: - - has: - any: - - kind: qualified_identifier - - kind: identifier - nthChild: 1 - pattern: $MEMFUNC - - has: - 
kind: argument_list - all: - - has: - pattern: $DEST - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - pattern: $STR.c_str() - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: $LEN - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - # pattern: $MEMFUNC($DEST, $STR.c_str(), $LEN) - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $LEN = $STR.length(); - - pattern: $SET $LEN = $STR.length(); - - follows: - stopBy: end - any: - - pattern: $LEN = $STR.length(); - - pattern: $SET $LEN = $STR.length(); - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; - - follows: - stopBy: end - any: - - pattern: $TYPE $DEST[$DIM] = $$$; - - pattern: $TYPE $DEST[$DIM]; - - pattern: $TYPE *$DEST = $$$; diff --git a/rules/cpp/security/null-library-function-cpp.yml b/rules/cpp/security/null-library-function-cpp.yml deleted file mode 100644 index 8f6ba936..00000000 --- a/rules/cpp/security/null-library-function-cpp.yml +++ /dev/null 
@@ -1,262 +0,0 @@ -id: null-library-function-cpp -language: cpp -severity: warning -message: >- - The `$SOURCE` function returns NULL on error and this line dereferences - the return value without checking for NULL. -note: >- - [CWE-476] NULL Pointer Dereference. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers -ast-grep-essentials: true - -rule: - all: - - not: - has: - stopBy: end - kind: ERROR - - any: - - kind: subscript_expression - # any: - # - pattern: $SOURCE($$$)[$$$] - # - pattern: ($SOURCE($$$))[$$$] - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - has: - stopBy: end - any: - - kind: number_literal - - kind: identifier - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: 
^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - nthChild: 1 - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: 
^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: assignment_expression - nthChild: 1 - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - 
nthChild: 2 - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - not: - inside: - stopBy: end - kind: call_expression - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - - not: - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: call_expression - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - - - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: ^bcopy|::bcopy|std::bcopy|memccpy|::memccpy|std::memccpy|memcpy|::memcpy|std::memcpy|memmove|::memmove|std::memmove|stpncpy|::stpncpy|std::stpncpy|strcat|::strcat|std::strcat|strcpy|::strcpy|std::strcpy|strcpy|::strcpy|std::strcpy|strlcat|::strlcat|std::strlcat|strlcpy|::strlcpy|std::strlcpy|strncat|::strncat|std::strncat|strpcpy|::strpcpy|std::strpcpy|wcpcpy|::wcpcpy|std::wcpcpy|wcpncpy|::wcpncpy|std::wcpncpy$ - - has: - stopBy: neighbor - kind: argument_list - has: - 
stopBy: neighbor - kind: assignment_expression - pattern: $VAR = $SOURCE($$$) - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - - kind: call_expression - # any: - # - pattern: $SINK($$$, $SOURCE($$$)) - # - pattern: $SINK($SOURCE($$$)) - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: ^fwrite|::fwrite|std::fwrite$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $SOURCE - regex: 
^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - - kind: call_expression - any: - - pattern: $SINK($$$, $VAR = $SOURCE($$$)) - - pattern: $SINK($VAR = $SOURCE($$$)) - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SINK - regex: ^fwrite|::fwrite|std::fwrite$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: assignment_expression - pattern: $VAR = $SOURCE($$$) - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SOURCE - regex: 
^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - - kind: pointer_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $SOURCE - regex: ^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$ - - has: - stopBy: neighbor - kind: argument_list - - not: - 
inside: - stopBy: end - any: - - kind: subscript_expression - # - kind: call_expression - - not: - has: - stopBy: end - any: - - kind: assignment_expression - - inside: - stopBy: end - kind: return_statement - \ No newline at end of file diff --git a/rules/cpp/security/return-c-str-cpp.yml b/rules/cpp/security/return-c-str-cpp.yml deleted file mode 100644 index 7637bdcf..00000000 --- a/rules/cpp/security/return-c-str-cpp.yml +++ /dev/null 
@@ -1,124 +0,0 @@
-id: return-c-str-cpp
-language: cpp
-severity: warning
-message: >-
- "`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer
- is invalid after `$STR` goes out of scope, which can trigger a use after
- free."
-note: >-
- [CWE-416] Use After Free
- [REFERENCES]
- - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
- - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime
-
-ast-grep-essentials: true
-
-rule:
- any:
- - pattern: return basic_string<$TYPE>($$$).$METHOD();
- - pattern: return std::basic_string<$TYPE>($$$).$METHOD();
- - pattern: return string($$$).$METHOD();
- - pattern: return std::string($$$).$METHOD();
- - pattern: return wstring($$$).$METHOD();
- - pattern: return std::wstring($$$).$METHOD();
- - pattern: return $STR.$METHOD();
- any:
- - follows:
- stopBy: end
- all:
- - not:
- has:
- stopBy: end
- kind: storage_class_specifier
- - any:
- - kind: declaration
- not:
- pattern: $STR_VAL $STR = "$STRG";
- - has:
- pattern: $STR_VAL
- - has:
- stopBy: end
- pattern: $STR
- - inside:
- stopBy: end
- follows:
- stopBy: end
- all:
- - not:
- has:
- stopBy: end
- kind: storage_class_specifier
- - any:
- - kind: declaration
- not:
- pattern: $STR_VAL $STR = "$STRG";
- - has:
- pattern: $STR_VAL
- - has:
- pattern: $STR
- - inside:
- stopBy: end
- follows:
- stopBy: end
- all:
- - not:
- has:
- stopBy: end
- kind: storage_class_specifier
- - any:
- - kind: pointer_declarator
- not:
- has:
- stopBy: end
- pattern: $STR_VAL $STR = "$STRG";
- has:
- kind: function_declarator
- all:
- - has:
- stopBy: end
- any:
- - kind: qualified_identifier
- - kind: type_identifier
- regex: ^(basic_string<.*>|std::basic_string<.*>|string|std::string|wstring|std::wstring|string(.*)|std::string(.*)|wstring(.*)|std::wstring(.*)|basic_string<.*>(.*)|std::basic_string<.*>(.*))$
- - has:
- stopBy: end
- pattern: $STR
- - follows:
- stopBy: end
- all:
- - not:
- has:
- stopBy: end
- kind: storage_class_specifier
- - any:
- - kind: pointer_declarator
- has:
- kind: function_declarator
- all:
- - not:
- has:
- stopBy: end
- pattern: $STR_VAL $STR = "$STRG";
- - has:
- stopBy: end
- any:
- - kind: qualified_identifier
- - kind: type_identifier
- regex: ^(basic_string<.*>|std::basic_string<.*>|string|std::string|wstring|std::wstring|string(.*)|std::string(.*)|wstring(.*)|std::wstring(.*)|basic_string<.*>(.*)|std::basic_string<.*>(.*))$
- - has:
- stopBy: end
- pattern: $STR
- - pattern: return $STR_VAL.$METHOD();
- not:
- all:
- - has:
- stopBy: end
- kind: ERROR
- - inside:
- stopBy: end
- kind: ERROR
-constraints:
- METHOD:
- regex: ^(c_str|data)$
- STR_VAL:
- regex: ^(basic_string<.*>|std::basic_string<.*>|string|std::string|wstring|std::wstring|string(.*)|std::string(.*)|wstring(.*)|std::wstring(.*)|basic_string<.*>(.*)|std::basic_string<.*>(.*))$
diff --git a/rules/cpp/security/sizeof-this-cpp.yml b/rules/cpp/security/sizeof-this-cpp.yml
deleted file mode 100644
index 9cfd5a57..00000000
--- a/rules/cpp/security/sizeof-this-cpp.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-id: sizeof-this-cpp
-language: cpp
-severity: warning
-message: >-
- Do not use `sizeof(this)` to get the number of bytes of the object in
- memory. It returns the size of the pointer, not the size of the object.
-note: >-
- [CWE-467]: Use of sizeof() on a Pointer Type
- [REFERENCES]
- - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
-ast-grep-essentials: true
-utils:
- match_sizeof_this:
- kind: sizeof_expression
- has:
- kind: parenthesized_expression
- has:
- kind: this
- regex: "^this$"
- inside:
- stopBy: end
- kind: return_statement
- inside:
- kind: compound_statement
- follows:
- kind: function_declarator
- inside:
- kind: function_definition
-
-rule:
- kind: sizeof_expression
- all:
- - has:
- stopBy: end
- kind: this
- - not:
- has:
- stopBy: end
- any:
- - nthChild: 2
- - kind: pointer_expression
- - kind: ERROR
- - kind: sizeof_expression
diff --git a/rules/cpp/security/small-key-size-cpp.yml b/rules/cpp/security/small-key-size-cpp.yml
deleted file mode 100644
index f4a69291..00000000
--- a/rules/cpp/security/small-key-size-cpp.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: small-key-size-cpp
-language: cpp
-severity: warning
-message: >-
- $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
- less than the recommended key size of 2048 bits.
-note: >-
- [CWE-326]: Inadequate Encryption Strength
- [OWASP A02:2021]: Cryptographic Failures
- [OWASP A03:2017]: Sensitive Data Exposure
- [REFERENCES]
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-ast-grep-essentials: true
-
-rule:
- kind: call_expression
- all:
- - has:
- stopBy: end
- kind: identifier
- regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
- - not:
- has:
- stopBy: end
- kind: field_identifier
- regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- any:
- - kind: number_literal
- - kind: binary_expression
- - kind: unary_expression
- nthChild: 2
- regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
- - not:
- has:
- stopBy: end
- kind: ERROR
diff --git a/rules/cpp/security/std-return-data-cpp.yml b/rules/cpp/security/std-return-data-cpp.yml
deleted file mode 100644
index 3a2b0be6..00000000
--- a/rules/cpp/security/std-return-data-cpp.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -id: std-return-data-cpp -language: cpp -severity: warning -message: >- - $FUNC` returns a pointer to the memory owned by `$VAR`. This pointer - is invalid after `$VAR` goes out of scope, which can trigger a use after - free. -note: >- - [CWE-416: Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations - -ast-grep-essentials: true - -rule: - kind: return_statement - pattern: return $VAR.data(); - all: - - inside: - stopBy: end - kind: function_definition - all: - - has: - nthChild: 1 - pattern: $RETURN_TYPE - - has: - kind: pointer_declarator - - any: - - follows: - stopBy: end - all: - - has: - nthChild: 1 - regex: ^(array<.*>|std::array<.*>|deque<.*>|std::deque<.*>|forward_list<.*>|std::forward_list<.*>|list<.*>|std::list<.*>|map<.*, .*>|std::map<.*, .*>|multimap<.*, .*>|std::multimap<.*, .*>|multiset<.*>|std::multiset<.*>|set<.*>|std::set<.*>|unordered_map<.*>|std::unordered_map<.*>|unordered_multimap<.*, .*>|std::unordered_multimap<.*, .*>|unordered_multiset<.*>|std::unordered_multiset<.*>|unordered_set<.*>|std::unordered_set<.*>|vector<.*>|std::vector<.*>)$ - - has: - stopBy: end - # nthChild: 2 - pattern: $VAR - - not: - inside: - stopBy: end - has: - kind: storage_class_specifier - - inside: - stopBy: end - kind: compound_statement - - inside: - stopBy: end - follows: - stopBy: end - all: - - has: - nthChild: 1 - regex: ^(array<.*>|std::array<.*>|deque<.*>|std::deque<.*>|forward_list<.*>|std::forward_list<.*>|list<.*>|std::list<.*>|map<.*, .*>|std::map<.*, .*>|multimap<.*, .*>|std::multimap<.*, .*>|multiset<.*>|std::multiset<.*>|set<.*>|std::set<.*>|unordered_map<.*>|std::unordered_map<.*>|unordered_multimap<.*, .*>|std::unordered_multimap<.*, .*>|unordered_multiset<.*>|std::unordered_multiset<.*>|unordered_set<.*>|std::unordered_set<.*>|vector<.*>|std::vector<.*>)$ - - has: - # nthChild: 2 - stopBy: end - pattern: $VAR - - not: - inside: - stopBy: end - 
has: - kind: storage_class_specifier - - inside: - stopBy: end - kind: compound_statement - - inside: - stopBy: end - follows: - stopBy: end - kind: pointer_declarator - all: - - has: - stopBy: end - nthChild: 1 - regex: ^(array<.*>|std::array<.*>|deque<.*>|std::deque<.*>|forward_list<.*>|std::forward_list<.*>|list<.*>|std::list<.*>|map<.*, .*>|std::map<.*, .*>|multimap<.*, .*>|std::multimap<.*, .*>|multiset<.*>|std::multiset<.*>|set<.*>|std::set<.*>|unordered_map<.*>|std::unordered_map<.*>|unordered_multimap<.*, .*>|std::unordered_multimap<.*, .*>|unordered_multiset<.*>|std::unordered_multiset<.*>|unordered_set<.*>|std::unordered_set<.*>|vector<.*>|std::vector<.*>)$ - - has: - # nthChild: 2 - stopBy: end - pattern: $VAR - - not: - inside: - stopBy: end - has: - kind: storage_class_specifier diff --git a/rules/cpp/security/std-vector-invalidation-cpp.yml b/rules/cpp/security/std-vector-invalidation-cpp.yml deleted file mode 100644 index 39fc091f..00000000 --- a/rules/cpp/security/std-vector-invalidation-cpp.yml +++ /dev/null 
@@ -1,150 +0,0 @@ -id: std-vector-invalidation-cpp -language: cpp -severity: warning -message: >- - Modifying an `std::vector` while iterating over it could cause the - container to reallocate, triggering memory corruption. -note: >- - [CWE-416: Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory - - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime - -ast-grep-essentials: true - -rule: - kind: call_expression - all: - - any: - - pattern: $CONTAINER.erase($IT) - all: - - all: - - not: - follows: - stopBy: end - pattern: $CONTAINER.erase($IT) - - not: - precedes: - stopBy: end - pattern: $CONTAINER.erase($IT) - - not: - inside: - stopBy: end - kind: assignment_expression - has: - kind: identifier - pattern: $IT - nthChild: 1 - - pattern: $CONTAINER.assign($$$) - - pattern: $CONTAINER.clear($$$) - - pattern: $CONTAINER.emplace_back($$$) - - pattern: $CONTAINER.insert($$$) - - pattern: $CONTAINER.resize($$$) - - pattern: $CONTAINER.push_back($$$) - - pattern: $CONTAINER.reserve($$$) - - pattern: $CONTAINER.shrink_to_fit($$$) - - pattern: $CONTAINER.resize($$$) - - pattern: $CONTAINER.pop_back($$$) - - not: - inside: - stopBy: end - kind: for_statement - has: - stopBy: end - any: - - kind: break_statement - - kind: continue_statement - - kind: return_statement - - kind: goto_statement - - inside: - stopBy: end - kind: for_statement - any: - - all: - - has: - kind: declaration - any: - - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin() - - all: - - has: - kind: dependent_type - has: - stopBy: end - pattern: std::vector<$TY>::$IT_TYPE - - has: - stopBy: end - kind: init_declarator - all: - - has: - pattern: $IT - - has: - pattern: $CONTAINER.begin() - - has: - kind: binary_expression - any: - - pattern: $IT != $CONTAINER.end() - - has: - kind: update_expression - any: - - pattern: ++$IT - - pattern: $IT++ - - all: - - has: - kind: 
declaration - any: - - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin() - - has: - stopBy: end - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin() - - all: - - has: - kind: dependent_type - has: - stopBy: end - pattern: std::vector<$TY>::$IT_TYPE - - has: - stopBy: end - kind: init_declarator - all: - - has: - pattern: $IT - - has: - pattern: $CONTAINER.rbegin() - - has: - kind: binary_expression - any: - - pattern: $IT != $CONTAINER.rend() - - has: - kind: update_expression - any: - - pattern: ++$IT - - pattern: $IT++ - - all: - - has: - kind: declaration - any: - - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(), $IT_END = $CONTAINER.end() - - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), $IT_END = $CONTAINER.rend() - - has: - stopBy: end - any: - - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(), $IT_END = $CONTAINER.end() - - pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), $IT_END = $CONTAINER.rend() - - has: - kind: binary_expression - any: - - pattern: $IT != $IT_END - - has: - kind: update_expression - any: - - pattern: ++$IT - - pattern: $IT++ - - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR diff --git a/rules/cpp/security/string-view-temporary-string-cpp.yml b/rules/cpp/security/string-view-temporary-string-cpp.yml deleted file mode 100644 index 874d9df0..00000000 --- a/rules/cpp/security/string-view-temporary-string-cpp.yml +++ /dev/null 
@@ -1,943 +0,0 @@ -id: string-view-temporary-string-cpp -language: Cpp -severity: warning -message: >- - This `std::string_view` is constructed from a temporary `std::string`. - The `std::string` value is immeadiately destroyed after assignment and - accessing data through the `std::string_view` will trigger a - use-after-free. -note: >- - [CWE-416] Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory - -ast-grep-essentials: true - -utils: - $VAR = std::to_string(...): - # $VAR = std::to_string(...); - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(string_view|wstring_view)$ - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: qualified_identifier - regex: ^std::to_string$ - - has: - stopBy: neighbor - kind: argument_list - - $VAR = $EXPR.substr(...): - # $VAR = std::to_string(...); - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(string_view|wstring_view)$ - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - regex: ^(string.substr|wstring.substr)$ - - has: - stopBy: neighbor - kind: argument_list - - $VAR = $EXPR + ...: - # $VAR = $EXPR + ... - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(string_view|wstring_view)$ - - has: - stopBy: neighbor - kind: binary_expression - has: - stopBy: neighbor - kind: identifier - regex: ^(wstring|string)$ - nthChild: 1 - - $VAR = "..." + $EXPR: - # $VAR = "..." 
+ $EXPR - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(string_view|wstring_view)$ - - has: - stopBy: end - kind: binary_expression - all: - - has: - stopBy: end - kind: string_literal - nthChild: 1 - - has: - stopBy: end - kind: identifier - regex: ^(string|wstring)$ - - $VAR_instance = "..." + $EXPR: - # $VAR_instance = "..." + $EXPR - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR_INSTANCE - - has: - stopBy: neighbor - kind: binary_expression - all: - - has: - stopBy: neighbor - kind: string_literal - - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - kind: init_declarator - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: 
^(string_view|basic_string_view<.*>|std::basic_string_view<.*>|std::string_view|std::wstring_view|wstring_view)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $VAR_INSTANCE - - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(string_view|basic_string_view<.*>|std::basic_string_view<.*>|std::string_view|std::wstring_view|wstring_view)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $VAR_INSTANCE - - $VAR_instance = $EXPR_instance + ...: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR_INSTANCE - - has: - stopBy: neighbor - kind: binary_expression - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - any: - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: init_declarator - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - 
stopBy: neighbor - regex: ^(string_view|basic_string_view<.*>|std::basic_string_view<.*>|std::string_view|std::wstring_view|wstring_view)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $VAR_INSTANCE - - $VAR_instance = $EXPR_instance.substr(...): - # $VAR = std::to_string(...); - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR_INSTANCE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: field_expression - all: - - any: - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - nthChild: 1 - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^substr$ - - has: - stopBy: neighbor - kind: argument_list - - any: - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: init_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - 
pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(string_view|basic_string_view<.*>|std::basic_string_view<.*>|std::string_view|std::wstring_view|wstring_view)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $VAR_INSTANCE - - $VAR_instance = std::to_string(...): - # $VAR = std::to_string(...); - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR_INSTANCE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: qualified_identifier - regex: ^std::to_string$ - - has: - stopBy: neighbor - kind: argument_list - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(string_view|basic_string_view<.*>|std::basic_string_view<.*>|std::string_view|std::wstring_view|wstring_view)$ - nthChild: 1 - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR_INSTANCE - - $VAR(std::to_string(...)): - kind: call_expression - all: - - has: - stopBy: neighbor - regex: ^(basic_string_view<.*>|std::basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: qualified_identifier - regex: ^std::to_string$ - - has: - stopBy: neighbor - kind: argument_list - - $VAR(std::to_string(...))_as_declaration: - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(basic_string_view<.*>|std::basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: qualified_identifier - regex: ^std::to_string$ - - has: - stopBy: neighbor - kind: argument_list - - $VAR($EXPR + ...): - kind: 
call_expression - all: - - has: - stopBy: neighbor - regex: ^(basic_string_view<.*>|std::basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: end - kind: binary_expression - has: - stopBy: neighbor - kind: identifier - regex: ^(wstring|string)$ - nthChild: 1 - - $VAR($EXPR_instance + ...): - kind: call_expression - all: - - has: - stopBy: neighbor - regex: ^(std::basic_string_view<.*>|basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: end - kind: argument_list - has: - stopBy: neighbor - kind: binary_expression - has: - stopBy: end - kind: identifier - nthChild: 1 - pattern: $EXPR_INSTANCE - - any: - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: init_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - pattern: $EXPR_INSTANCE - - $VAR("..." 
+ $EXPR_instance ): - kind: call_expression - all: - - has: - stopBy: neighbor - regex: ^(basic_string_view<.*>|std::basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: end - kind: argument_list - has: - stopBy: end - kind: binary_expression - all: - - has: - stopBy: neighbor - kind: string_literal - nthChild: 1 - has: - stopBy: neighbor - kind: string_content - - has: - stopBy: end - kind: identifier - nthChild: 2 - pattern: $EXPR_INSTANCE - - any: - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: init_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - pattern: $EXPR_INSTANCE - - $VAR("..." 
+ $EXPR): - kind: call_expression - all: - - has: - stopBy: neighbor - regex: ^(basic_string_view<.*>|std::basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: end - kind: argument_list - has: - stopBy: neighbor - kind: binary_expression - all: - - has: - stopBy: neighbor - kind: string_literal - nthChild: 1 - has: - stopBy: neighbor - kind: string_content - - has: - stopBy: end - kind: identifier - nthChild: 2 - regex: ^(wstring|string)$ - - $VAR($EXPR.substr(...)): - kind: call_expression - all: - - has: - stopBy: neighbor - regex: ^(string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: end - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - regex: ^(string.substr|wstring.substr)$ - - has: - stopBy: neighbor - kind: argument_list - - $VAR($EXPR_instance.substr(...)): - kind: call_expression - all: - - has: - stopBy: neighbor - regex: ^(basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view|std::basic_string_view<.*>)$ - - has: - stopBy: end - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: field_expression - all: - - any: - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - nthChild: 1 - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^substr$ - - has: - stopBy: neighbor - kind: argument_list - - any: - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - 
any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: init_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: end - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - pattern: $EXPR_INSTANCE - - $VAR_instance $VAR = "..." + $EXPR: - # $VAR_instance $VAR = "..." + $EXPR - kind: declaration - all: - - has: - kind: type_identifier - regex: ^(string_view|basic_string_view<.*>|std::basic_string_view<.*>|std::string_view|std::wstring_view|wstring_view)$ - - has: - stopBy: neighbor - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR_INSTANCE - - has: - stopBy: neighbor - kind: binary_expression - all: - - has: - stopBy: neighbor - kind: string_literal - - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - any: - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: neighbor - kind: init_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - 
$VAR $VAR_instance = "..." + $EXPR: - # $VAR_instance = "..." + $EXPR - kind: declaration - all: - - has: - nthChild: 1 - regex: ^(basic_string_view<.*>|std::basic_string_view<.*>|string_view|std::string_view|wstring_view|std::wstring_view)$ - - has: - stopBy: neighbor - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: binary_expression - all: - - has: - stopBy: neighbor - kind: string_literal - - has: - stopBy: neighbor - kind: identifier - pattern: $EXPR_INSTANCE - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - nthChild: 1 - - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: declaration - all: - - has: - stopBy: neighbor - any: - - kind: type_identifier - - kind: qualified_identifier - regex: ^(wstring|string|std::wstring|std::string|std::basic_string<.*>|basic_string<.*>)$ - - has: - stopBy: end - kind: init_declarator - has: - stopBy: end - kind: identifier - pattern: $EXPR_INSTANCE - -rule: - any: - - kind: expression_statement - any: - - matches: $VAR = std::to_string(...) - - matches: $VAR = $EXPR.substr(...) - - matches: $VAR = $EXPR + ... - - matches: $VAR = "..." + $EXPR - - matches: $VAR_instance = "..." + $EXPR - - matches: $VAR_instance = $EXPR_instance + ... - - matches: $VAR_instance = $EXPR_instance.substr(...) - - matches: $VAR_instance = $EXPR_instance.substr(...) - - matches: $VAR_instance = std::to_string(...) 
- - kind: call_expression - any: - - matches: $VAR(std::to_string(...)) - - matches: $VAR($EXPR + ...) - - matches: $VAR($EXPR_instance + ...) - - matches: $VAR("..." + $EXPR_instance ) - - matches: $VAR("..." + $EXPR) - - matches: $VAR($EXPR.substr(...)) - - matches: $VAR($EXPR_instance.substr(...)) - - kind: declaration - any: - - matches: $VAR(std::to_string(...))_as_declaration - - matches: $VAR_instance $VAR = "..." + $EXPR - - matches: $VAR $VAR_instance = "..." + $EXPR - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR diff --git a/rules/cpp/security/world-writable-file-cpp.yml b/rules/cpp/security/world-writable-file-cpp.yml deleted file mode 100644 index d6bc7177..00000000 --- a/rules/cpp/security/world-writable-file-cpp.yml +++ /dev/null 
@@ -1,329 +0,0 @@ -id: world-writable-file-cpp -language: cpp -severity: warning -message: >- - This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file. -note: >- - [CWE-732]: Incorrect Permission Assignment for Critical Resource - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions - -ast-grep-essentials: true - -utils: - follows_umask: - follows: - stopBy: end - kind: expression_statement - has: - kind: call_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: function - regex: ^umask$ - - has: - nthChild: 2 - kind: argument_list - field: arguments - - AND_2_EQUALS_2_&_S_IXXXX: - any: - - kind: number_literal - regex: ^-?([2367]|[0-9]*(0[2367]|1[014589]|2[2367]|3[014589]|4[2367]|5[014589]|6[2367]|7[014589]|8[2367]|9[014589]))$ - - - all: - - any: - - kind: binary_expression - - kind: identifier - - regex: (\s*S_I[A-Z]{4}\s*\|)*S_I[A-Z]{4} - - regex: .*\bS_IWOTH\b.* - -rule: - any: - # chmod/fchmod/creat - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 2 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - not: - has: 
- nthChild: - position: 3 - ofRule: - not: - kind: comment - follows: - kind: identifier - regex: ^(chmod|fchmod|creat)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask - - # fchmodat - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 3 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - follows: - kind: identifier - regex: ^(fchmodat)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask - - # open - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: 
AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 3 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - follows: - kind: identifier - regex: ^(open)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask - - # openat - - any: - - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: identifier - pattern: $MODE - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: declaration - all: - - has: - kind: init_declarator - all: - - has: - kind: identifier - field: declarator - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - kind: expression_statement - any: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - - has: - kind: comma_expression - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $MODE - - has: - nthChild: 2 - matches: AND_2_EQUALS_2_&_S_IXXXX - nthChild: - position: 4 - ofRule: - not: - kind: comment - inside: - kind: argument_list - nthChild: 2 - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - follows: - kind: identifier - regex: ^(openat)$ - inside: - kind: call_expression - not: - any: - - matches: follows_umask - - inside: - stopBy: end - matches: follows_umask diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml deleted file mode 100644 index 6cbb6709..00000000 --- a/rules/csharp/security/httponly-false-csharp.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -id: httponly-false-csharp -language: csharp -severity: warning -message: >- - "Detected a cookie where the `HttpOnly` flag is either missing or - disabled. The `HttpOnly` cookie flag instructs the browser to forbid - client-side JavaScript to read the cookie. If JavaScript interaction is - required, you can ignore this finding. However, set the `HttpOnly` flag to - `true` in all other cases. If this wasn't intentional, it's recommended to - set the HttpOnly flag to true so the cookie will not be accessible through - client-side scripts or to use the Cookie Policy Middleware to globally set - the HttpOnly flag. You can then use the CookieOptions class when - instantiating the cookie, which inherits these settings and will require - future developers to have to explicitly override them on a case-by-case - basis if needed. This approach ensures cookies are secure by default." -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" - [REFERENCES] - - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware - - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - -ast-grep-essentials: true - -rule: - kind: boolean_literal - pattern: $LITERAL - follows: - regex: ^=$ - follows: - kind: member_access_expression - inside: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - regex: \.Cookie$ - - has: - kind: identifier - nthChild: 2 - regex: ^HttpOnly$ - -constraints: - LITERAL: - regex: ^false$ - - diff --git a/rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml b/rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml deleted file mode 100644 index 3bee0bbf..00000000 --- a/rules/csharp/security/insecure-binaryformatter-deserialization-csharp.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -id: insecure-binaryformatter-deserialization-csharp -severity: warning -language: csharp -message: >- - The BinaryFormatter type is dangerous and is not recommended for data - processing. Applications should stop using BinaryFormatter as soon as - possible, even if they believe the data they're processing to be - trustworthy. BinaryFormatter is insecure and can't be made secure. -note: >- - [CWE-502] Deserialization of Untrusted Data. - [REFERENCES] - - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide - -ast-grep-essentials: true - -utils: - MATCH_PATTERN_BinaryFormatter: - pattern: new BinaryFormatter() - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - pattern: using System.Runtime.Serialization.Formatters.Binary; - - inside: - kind: global_statement - stopBy: end - follows: - stopBy: end - kind: using_directive - pattern: using System.Runtime.Serialization.Formatters.Binary - not: - inside: - kind: object_creation_expression - stopBy: end - not: - inside: - kind: variable_declarator - stopBy: end - -rule: - matches: MATCH_PATTERN_BinaryFormatter - diff --git a/rules/csharp/security/jwt-decode-without-verify-csharp.yml b/rules/csharp/security/jwt-decode-without-verify-csharp.yml deleted file mode 100644 index cc971d93..00000000 --- a/rules/csharp/security/jwt-decode-without-verify-csharp.yml +++ /dev/null 
@@ -1,727 +0,0 @@ -id: jwt-decode-without-verify-csharp -severity: warning -language: csharp -message: >- - Detected the decoding of a JWT token without a verify step. JWT tokens - must be verified before use, otherwise the token's integrity is unknown. - This means a malicious actor could forge a JWT token with any claims. - Validate the token before using it. -note: >- - [CWE-345] Insufficient Verification of Data Authenticity. - [REFERENCES] - - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures - -ast-grep-essentials: true - -utils: - (IJwtDecoder $D).Decode($X,verify-false,.): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - has: - kind: argument - not: - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - regex: ^verify$ - - has: - nthChild: 2 - kind: boolean_literal - regex: ^false$ - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtDecoder|JwtDecoder)$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - (IJwtDecoder $D).Decode(false): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - has: - kind: argument - has: - kind: boolean_literal - regex: ^false$ - any: - - nthChild: 2 - - nthChild: 3 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - 
pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtDecoder|JwtDecoder)$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - $D.Decode($X,verify-false,.): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - has: - kind: argument - not: - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - regex: ^verify$ - - has: - nthChild: 2 - kind: boolean_literal - regex: ^false$ - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^JwtDecoder$ - - kind: expression_statement - all: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^JwtDecoder$ - - ($D).Decode(false): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - has: - kind: argument - has: - kind: boolean_literal - regex: ^false$ - any: - - nthChild: 2 - - nthChild: 3 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - 
pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^JwtDecoder$ - - kind: expression_statement - all: - - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^JwtDecoder$ - - JwtBuilder..Decode(...): - kind: invocation_expression - all: - - not: - precedes: - stopBy: end - has: - stopBy: end - kind: member_access_expression - has: - kind: identifier - regex: ^MustVerifySignature$ - precedes: - kind: argument_list - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - stopBy: end - kind: identifier - regex: ^JwtBuilder$ - - not: - has: - stopBy: end - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - has: - nthChild: 2 - kind: identifier - regex: ^MustVerifySignature$ - - has: - kind: argument_list - nthChild: 2 - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - $B. ... 
.Decode(...): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INST - - not: - has: - stopBy: end - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - has: - nthChild: 2 - kind: identifier - regex: ^MustVerifySignature$ - - has: - kind: argument_list - nthChild: 2 - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - nthChild: 1 - - has: - kind: invocation_expression - pattern: JwtBuilder.Create() - - kind: local_declaration_statement - # not: - # precedes: - # stopBy: end - # has: - # stopBy: end - # kind: member_access_expression - # has: - # kind: identifier - # regex: ^MustVerifySignature$ - # precedes: - # kind: argument_list - has: - stopBy: end - kind: variable_declarator - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - stopBy: end - kind: invocation_expression - pattern: JwtBuilder.Create() - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - not: - precedes: - stopBy: end - has: - stopBy: end - kind: member_access_expression - has: - kind: identifier - regex: ^MustVerifySignature$ - precedes: - kind: argument_list - has: - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - stopBy: end - kind: invocation_expression - pattern: JwtBuilder.Create() - - not: - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - any: - - has: - stopBy: end - pattern: 
MustVerifySignature() - - has: - stopBy: end - kind: member_access_expression - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: identifier - regex: ^MustVerifySignature$ - precedes: - kind: argument_list - - inside: - kind: member_access_expression - all: - - has: - stopBy: end - kind: identifier - regex: ^MustVerifySignature$ - - precedes: - kind: argument_list - - new ValidationParameters() {..., ValidateSignature = false, ...}: - kind: object_creation_expression - all: - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - has: - kind: identifier - nthChild: 1 - regex: ^ValidationParameters$ - - has: - kind: initializer_expression - has: - kind: assignment_expression - pattern: ValidateSignature = false - - $V.ValidateSignature = false: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^ValidateSignature$ - - has: - nthChild: 2 - kind: boolean_literal - regex: ^false$ - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_declaration_statement - all: - - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^ValidationParameters$ - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^ValidationParameters$ - - new JwtAuthenticationOptions() {..., VerifySignature = false, ...}: - kind: 
object_creation_expression - all: - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - has: - kind: identifier - nthChild: 1 - regex: ^JwtAuthenticationOptions$ - - has: - kind: initializer_expression - has: - kind: assignment_expression - pattern: VerifySignature = false - - $V.VerifySignature = false: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^VerifySignature$ - - has: - nthChild: 2 - kind: boolean_literal - regex: ^false$ - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - any: - - follows: - stopBy: end - any: - - kind: local_declaration_statement - all: - - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^ValidationParameters$ - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^ValidationParameters$ - - inside: - stopBy: end - kind: argument_list - follows: - stopBy: end - kind: member_access_expression - has: - nthChild: 2 - kind: identifier - regex: ^AddJwt$ - - new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...}: - kind: object_creation_expression - all: - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - has: - kind: identifier - nthChild: 1 - regex: 
^TokenValidationParameters$ - - has: - kind: initializer_expression - has: - kind: assignment_expression - pattern: ValidateIssuerSigningKey = false - - $V.ValidateIssuerSigningKey = false: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^ValidateIssuerSigningKey$ - - has: - nthChild: 2 - kind: boolean_literal - regex: ^false$ - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - pattern: using Microsoft.IdentityModel.Tokens; - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_declaration_statement - all: - - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^TokenValidationParameters$ - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $INST - - has: - kind: object_creation_expression - has: - kind: identifier - regex: ^TokenValidationParameters$ - -rule: - any: - - matches: (IJwtDecoder $D).Decode($X,verify-false,.) - - matches: (IJwtDecoder $D).Decode(false) - - matches: $D.Decode($X,verify-false,.) - - matches: ($D).Decode(false) - - matches: JwtBuilder..Decode(...) - - matches: $B. ... .Decode(...) - - matches: new ValidationParameters() {..., ValidateSignature = false, ...} - - matches: $V.ValidateSignature = false - - matches: new JwtAuthenticationOptions() {..., VerifySignature = false, ...} - - matches: $V.VerifySignature = false - - matches: new TokenValidationParameters() {..., ValidateIssuerSigningKey = false, ...} - - matches: $V.ValidateIssuerSigningKey = false 
diff --git a/rules/csharp/security/jwt-hardcoded-secret-csharp.yml b/rules/csharp/security/jwt-hardcoded-secret-csharp.yml
deleted file mode 100644
index 6b52764a..00000000
--- a/rules/csharp/security/jwt-hardcoded-secret-csharp.yml
+++ /dev/null
@@ -1,682 +0,0 @@ -id: jwt-hardcoded-secret-csharp -severity: warning -language: csharp -message: >- - A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true - -utils: - (IJwtEncoder $D).Encode($X, "..."): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $IJWT - - has: - nthChild: 2 - kind: identifier - regex: ^Encode$ - - has: - nthChild: 2 - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtEncoder|JwtEncoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtEncoder|JwtEncoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - (IJwtDecoder $D).Decoder($X, "..."): - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $IJWT - - has: - nthChild: 2 
- kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtDecoder|JwtDecoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtDecoder|JwtDecoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - (IJwtEncoder $D).Encode($X, "...")_With_Instance: - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $IJWT - - has: - nthChild: 2 - kind: identifier - regex: ^Encode$ - - has: - nthChild: 2 - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - kind: argument - has: - kind: identifier - pattern: $PASS - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtEncoder|JwtEncoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtEncoder|JwtEncoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - any: - - 
inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - - has: - kind: string_literal - has: - kind: string_literal_content - - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - - has: - kind: string_literal - has: - kind: string_literal_content - - (IJwtDecoder $D).Decoder($X, "...")_With_Instance: - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - pattern: $IJWT - - has: - nthChild: 2 - kind: identifier - regex: ^Decode$ - - has: - nthChild: 2 - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - kind: argument - has: - kind: identifier - pattern: $PASS - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtDecoder|JwtDecoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: ^(IJwtDecoder|JwtDecoder)$ - - has: - kind: variable_declarator - has: - nthChild: 1 - pattern: $IJWT - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - - has: - kind: string_literal - has: - kind: string_literal_content - - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: 
$PASS - - has: - kind: string_literal - has: - kind: string_literal_content - - $B. ... .WithSecret("..."): - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - any: - - has: - kind: member_access_expression - has: - stopBy: end - pattern: $INST - nthChild: 1 - - has: - stopBy: end - pattern: $INST - - - has: - nthChild: 2 - regex: ^WithSecret$ - - has: - kind: argument_list - has: - kind: argument - nthChild: 1 - not: - has: - nthChild: 2 - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: argument_list - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - any: - - kind: object_creation_expression - pattern: new JwtBuilder.Create() - - kind: invocation_expression - nthChild: 2 - pattern: JwtBuilder.Create() - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - nthChild: 1 - pattern: $INST - - has: - any: - - kind: object_creation_expression - pattern: new JwtBuilder.Create() - - kind: invocation_expression - nthChild: 2 - pattern: JwtBuilder.Create() - - (JwtBuilder $B). ... 
.WithSecret("..."): - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - stopBy: end - kind: identifier - regex: ^JwtBuilder$ - - has: - nthChild: 2 - regex: ^WithSecret$ - - has: - kind: argument_list - has: - kind: argument - nthChild: 1 - not: - has: - nthChild: 2 - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: argument_list - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - $B. ... .WithSecret("...")_With_Instance: - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - stopBy: end - kind: identifier - field: expression - pattern: $INST - - has: - nthChild: 2 - kind: identifier - regex: ^(WithSecret)$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: argument - nthChild: 1 - not: - has: - nthChild: 2 - has: - kind: identifier - pattern: $PASS - - has: - kind: argument_list - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - nthChild: 1 - kind: identifier - pattern: $INST - - has: - nthChild: 2 - kind: invocation_expression - pattern: JwtBuilder.Create() - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - nthChild: 1 - pattern: $INST - - has: - kind: invocation_expression - nthChild: 2 - pattern: JwtBuilder.Create() - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - nthChild: 1 - - has: - nthChild: 2 - kind: 
string_literal - has: - kind: string_literal_content - - (JwtBuilder $B). ... .WithSecret("...")_With_Instance: - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - stopBy: end - kind: identifier - regex: ^JwtBuilder$ - - has: - nthChild: 2 - regex: ^WithSecret$ - - has: - kind: argument_list - has: - kind: argument - nthChild: 1 - not: - has: - nthChild: 2 - has: - kind: identifier - pattern: $PASS - - has: - kind: argument_list - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - nthChild: 1 - - has: - nthChild: 2 - kind: string_literal - has: - kind: string_literal_content - - (JwtBuilder $B). ... .WithSecret("...")_With_Instance2: - kind: invocation_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - all: - - has: - stopBy: end - kind: identifier - pattern: $INST - - has: - nthChild: 2 - regex: ^WithSecret$ - - has: - kind: argument_list - has: - kind: argument - nthChild: 1 - not: - has: - nthChild: 2 - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: argument_list - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: using_directive - any: - - pattern: using JWT; - - pattern: using JWT.Builder; - - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declaration - all: - - has: - nthChild: 1 - kind: identifier - regex: ^JwtBuilder$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - -rule: - any: - - matches: (JwtBuilder $B). ... 
.WithSecret("...")_With_Instance2 - - matches: (IJwtEncoder $D).Encode($X, "...") - - matches: (IJwtDecoder $D).Decoder($X, "...") - - matches: (IJwtEncoder $D).Encode($X, "...")_With_Instance - - matches: (IJwtDecoder $D).Decoder($X, "...")_With_Instance - - matches: $B. ... .WithSecret("...") - - matches: (JwtBuilder $B). ... .WithSecret("...") - - matches: $B. ... .WithSecret("...")_With_Instance - - matches: (JwtBuilder $B). ... .WithSecret("...")_With_Instance diff --git a/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml b/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml deleted file mode 100644 index 9fecd003..00000000 --- a/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -id: jwt-tokenvalidationparameters-no-expiry-validation-csharp -severity: warning -language: csharp -message: >- - The TokenValidationParameters.$LIFETIME is set to $FALSE, this means - the JWT tokens lifetime is not validated. This can lead to an JWT token - being used after it has expired, which has security implications. It is - recommended to validate the JWT lifetime to ensure only valid tokens are - used. -note: >- - [CWE-613] Insufficient Session Expiration. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ - - https://cwe.mitre.org/data/definitions/613.html - - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet - -ast-grep-essentials: true - -utils: - MATCH_PATTERN_ONE: - kind: boolean_literal - inside: - all: - - has: - stopBy: neighbor - regex: ^(RequireExpirationTime|ValidateLifetime).* - any: - - kind: identifier - - kind: member_access_expression - - has: - stopBy: neighbor - regex: '^=$' - - has: - stopBy: neighbor - kind: boolean_literal - regex: '^false$' - - inside: - stopBy: end - kind: object_creation_expression - has: - stopBy: neighbor - kind: identifier - regex: '^TokenValidationParameters$' - - MATCH_PATTERN_TWO: - kind: boolean_literal - inside: - all: - - has: - stopBy: neighbor - kind: member_access_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $T - - - has: - stopBy: neighbor - kind: identifier - regex: ^(RequireExpirationTime|ValidateLifetime).* - - - has: - stopBy: neighbor - regex: '^=$' - - has: - stopBy: neighbor - kind: boolean_literal - regex: '^false$' - - inside: - stopBy: end - kind: global_statement - follows: - stopBy: end - kind: global_statement - has: - stopBy: end - kind: variable_declaration - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^TokenValidationParameters$' - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - 
kind: identifier - pattern: $T - MATCH_PATTERN_THREE: - kind: boolean_literal - inside: - all: - - has: - stopBy: neighbor - kind: member_access_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - - has: - stopBy: neighbor - kind: identifier - regex: ^(RequireExpirationTime|ValidateLifetime).* - - has: - stopBy: neighbor - regex: '^=$' - - has: - stopBy: neighbor - kind: boolean_literal - regex: '^false$' - - inside: - kind: expression_statement - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - stopBy: end - kind: variable_declaration - all: - - has: - stopBy: end - kind: identifier - regex: '^TokenValidationParameters$' - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $S - -rule: - kind: boolean_literal - any: - - matches: MATCH_PATTERN_ONE - - matches: MATCH_PATTERN_TWO - - matches: MATCH_PATTERN_THREE - not: - has: - kind: ERROR - stopBy: end diff --git a/rules/csharp/security/networkcredential-hardcoded-secret-python.yml b/rules/csharp/security/networkcredential-hardcoded-secret-python.yml deleted file mode 100644 index 796bd13f..00000000 --- a/rules/csharp/security/networkcredential-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,405 +0,0 @@ -id: networkcredential-hardcoded-secret-csharp -language: csharp -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_NetworkCredential_with_string: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $U - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_with_brackets: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $U - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - 
field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_instance_with_braces: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $C - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $C - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: argument_list - - match_instance_without_braces: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $E - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $E - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: argument_list - - braces_instance: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: identifier - pattern: $P - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: 
object_creation_expression - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $P - - has: - kind: string_literal - - match_password_with_instance: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $K - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: identifier - pattern: $T - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $T - - has: - kind: string_literal - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $K - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - (NetworkCredential $VALUE).Password = "$PASSWORD": - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^Password$ - - has: - kind: string_literal - has: - kind: string_literal_content - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $INSTANCE - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: 
argument_list - match_network_credential1: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: argument_list - all: - - has: - kind: argument - has: - kind: string_literal - - has: - kind: argument - nthChild: 2 - has: - kind: string_literal - match_network_credential2: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NetworkCredential$" - - has: - kind: argument_list - all: - - has: - kind: argument - has: - kind: string_literal - - has: - kind: argument - nthChild: 2 - has: - kind: identifier - pattern: $J - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $J - - has: - kind: string_literal -rule: - any: - - matches: match_NetworkCredential_with_string - - matches: match_with_brackets - - matches: match_instance_with_braces - - matches: match_instance_without_braces - - matches: braces_instance - - matches: match_password_with_instance - - matches: (NetworkCredential $VALUE).Password = "$PASSWORD" - - matches: match_network_credential1 - - matches: match_network_credential2 diff --git a/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml deleted file mode 100644 index 5c57f8dd..00000000 --- a/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml +++ /dev/null 
@@ -1,350 +0,0 @@ -id: npgsqlconnectionstringbuilder-hardcoded-secret-csharp -language: csharp -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_NpgsqlConnectionStringBuilder_with_string: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $U - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_with_brackets: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $U - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: 
variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_instance_with_braces: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $C - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $C - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: argument_list - - match_instance_without_braces: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $E - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $E - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: argument_list - - braces_instance: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: identifier - pattern: $P - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: 
variable_declarator - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $P - - has: - kind: string_literal - - match_password_with_instance: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $K - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: identifier - pattern: $T - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $T - - has: - kind: string_literal - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $K - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - (NpgsqlConnectionStringBuilder $VALUE).Password = "$PASSWORD": - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^Password$ - - has: - kind: string_literal - has: - kind: string_literal_content - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^NpgsqlConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - 
field: name - pattern: $INSTANCE - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list -rule: - any: - - matches: match_NpgsqlConnectionStringBuilder_with_string - - matches: match_with_brackets - - matches: match_instance_with_braces - - matches: match_instance_without_braces - - matches: braces_instance - - matches: match_password_with_instance - - matches: (NpgsqlConnectionStringBuilder $VALUE).Password = "$PASSWORD" diff --git a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml deleted file mode 100644 index 1cf2d7f4..00000000 --- a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml +++ /dev/null 
@@ -1,350 +0,0 @@ -id: oracleconnectionstringbuilder-hardcoded-secret-csharp -language: csharp -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_OracleConnectionStringBuilder_with_string: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $U - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_with_brackets: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $U - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: 
variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_instance_with_braces: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $C - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $C - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: argument_list - - match_instance_without_braces: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $E - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $E - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: argument_list - - braces_instance: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: identifier - pattern: $P - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: 
variable_declarator - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $P - - has: - kind: string_literal - - match_password_with_instance: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $K - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: identifier - pattern: $T - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $T - - has: - kind: string_literal - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $K - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - (OracleConnectionStringBuilder $VALUE).Password = "$PASSWORD": - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^Password$ - - has: - kind: string_literal - has: - kind: string_literal_content - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^OracleConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - 
field: name - pattern: $INSTANCE - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list -rule: - any: - - matches: match_OracleConnectionStringBuilder_with_string - - matches: match_with_brackets - - matches: match_instance_with_braces - - matches: match_instance_without_braces - - matches: braces_instance - - matches: match_password_with_instance - - matches: (OracleConnectionStringBuilder $VALUE).Password = "$PASSWORD" diff --git a/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml deleted file mode 100644 index ffc2a11e..00000000 --- a/rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml +++ /dev/null 
@@ -1,350 +0,0 @@ -id: sqlconnectionstringbuilder-hardcoded-secret-csharp -language: csharp -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_SqlConnectionStringBuilder_with_string: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $U - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_with_brackets: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $U - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: variable_declarator - 
all: - - has: - kind: identifier - field: name - pattern: $U - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - - match_instance_with_braces: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $C - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $C - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: argument_list - - match_instance_without_braces: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $E - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: string_literal - inside: - stopBy: end - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $E - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: argument_list - - braces_instance: - kind: assignment_expression - all: - - has: - kind: element_access_expression - all: - - has: - kind: identifier - pattern: $Y - - has: - kind: bracketed_argument_list - has: - kind: argument - has: - kind: string_literal - has: - kind: string_literal_content - - has: - kind: identifier - pattern: $P - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: 
identifier - pattern: $Y - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $P - - has: - kind: string_literal - - match_password_with_instance: - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - field: expression - pattern: $K - - has: - kind: identifier - field: name - regex: "^Password$" - - has: - kind: identifier - pattern: $T - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $T - - has: - kind: string_literal - - follows: - stopBy: end - kind: local_declaration_statement - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $K - - has: - kind: object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list - (SqlConnectionStringBuilder $VALUE).Password = "$PASSWORD": - kind: assignment_expression - all: - - has: - kind: member_access_expression - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^Password$ - - has: - kind: string_literal - has: - kind: string_literal_content - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declaration - all: - - has: - kind: identifier - regex: "^SqlConnectionStringBuilder$" - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $INSTANCE - - has: - kind: 
object_creation_expression - all: - - has: - kind: identifier - - has: - kind: argument_list -rule: - any: - - matches: match_SqlConnectionStringBuilder_with_string - - matches: match_with_brackets - - matches: match_instance_with_braces - - matches: match_instance_without_braces - - matches: braces_instance - - matches: match_password_with_instance - - matches: (SqlConnectionStringBuilder $VALUE).Password = "$PASSWORD" diff --git a/rules/csharp/security/stacktrace-disclosure-csharp.yml b/rules/csharp/security/stacktrace-disclosure-csharp.yml deleted file mode 100644 index 252e1479..00000000 --- a/rules/csharp/security/stacktrace-disclosure-csharp.yml +++ /dev/null @@ -1,53 +0,0 @@ -id: stacktrace-disclosure-csharp -severity: warning -language: csharp -message: >- - Stacktrace information is displayed in a non-Development environment. - Accidentally disclosing sensitive stack trace information in a production - environment aids an attacker in reconnaissance and information gathering. -note: >- - [CWE-209] Generation of Error Message Containing Sensitive Information. - [REFERENCES] - - https://cwe.mitre.org/data/definitions/209.html - - https://owasp.org/Top10/A04_2021-Insecure_Design/ - -ast-grep-essentials: true - -utils: - kind_invocation_expression: - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - pattern: $ENV.IsDevelopment - - has: - nthChild: 2 - kind: argument_list - - $APP.UseDeveloperExceptionPage(...): - kind: expression_statement - pattern: $APP.UseDeveloperExceptionPage($$$); - not: - inside: - stopBy: end - kind: if_statement - has: - nthChild: 1 - any: - - matches: kind_invocation_expression - - kind: parenthesized_expression - has: - matches: kind_invocation_expression -rule: - kind: expression_statement - matches: $APP.UseDeveloperExceptionPage(...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR 
diff --git a/rules/csharp/security/use-ecb-mode-csharp.yml b/rules/csharp/security/use-ecb-mode-csharp.yml
deleted file mode 100644
index ef7a68fc..00000000
--- a/rules/csharp/security/use-ecb-mode-csharp.yml
+++ /dev/null
@@ -1,182 +0,0 @@ -id: use-ecb-mode-csharp -language: csharp -severity: warning -message: >- - "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305." -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm - [REFERENCES] - - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0 - - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0 - - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0 - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes - -ast-grep-essentials: true - -utils: - use_of_instance: - any: - - matches: declaration_of_instance - - has: - matches: declaration_of_instance - declaration_of_instance: - any: - - kind: local_declaration_statement - - kind: field_declaration - has: - nthChild: 1 - kind: variable_declaration - all: - - has: - nthChild: 1 - kind: identifier - field: type - regex: ^(SymmetricAlgorithm|Aes|Rijndael|DES|TripleDES|RC2)$ - - has: - nthChild: 2 - kind: variable_declarator - has: - nthChild: 1 - kind: identifier - field: name - pattern: $INST - -rule: - any: - - all: - - any: - - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - kind: identifier - field: expression - pattern: $INST - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(DecryptEcb|EncryptEcb)$ - - has: - nthChild: 2 - kind: argument_list - - kind: expression_statement - has: - kind: assignment_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - kind: identifier - field: expression - pattern: $INST - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(Mode)$ - - - has: - nthChild: 2 - kind: 
member_access_expression - all: - - has: - nthChild: 1 - kind: identifier - field: expression - regex: ^(CipherMode)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(ECB)$ - any: - - inside: - stopBy: end - follows: - stopBy: end - matches: use_of_instance - - follows: - stopBy: end - matches: use_of_instance - - inside: - stopBy: end - kind: block - follows: - kind: parameter_list - has: - kind: parameter - all: - - has: - nthChild: 1 - kind: identifier - field: type - regex: ^(SymmetricAlgorithm|Aes|Rijndael|DES|TripleDES|RC2)$ - - has: - nthChild: 2 - kind: identifier - field: name - pattern: $INST - - all: - - any: - - kind: invocation_expression - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - kind: identifier - field: expression - regex: ^(SymmetricAlgorithm|Aes|Rijndael|DES|TripleDES|RC2)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(DecryptEcb|EncryptEcb)$ - - has: - nthChild: 2 - kind: argument_list - - kind: expression_statement - has: - kind: assignment_expression - nthChild: 1 - all: - - has: - nthChild: 1 - kind: member_access_expression - all: - - has: - nthChild: 1 - kind: identifier - field: expression - regex: ^(SymmetricAlgorithm|Aes|Rijndael|DES|TripleDES|RC2)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(Mode)$ - - - has: - nthChild: 2 - kind: member_access_expression - all: - - has: - nthChild: 1 - kind: identifier - field: expression - regex: ^(CipherMode)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(ECB)$ diff --git a/rules/go/security/avoid-bind-to-all-interfaces-go.yml b/rules/go/security/avoid-bind-to-all-interfaces-go.yml deleted file mode 100644 index 67b0f506..00000000 --- a/rules/go/security/avoid-bind-to-all-interfaces-go.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -id: avoid-bind-to-all-interfaces-go -language: go -severity: warning -message: >- - "Detected a network listener listening on 0.0.0.0 or an empty string. - This could unexpectedly expose the server publicly as it binds to all - available interfaces. Instead, specify another IP address that is not - 0.0.0.0 nor the empty string." -note: >- - [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor - [REFERENCES] - - https://owasp.org/Top10/A01_2021-Broken_Access_Control - -ast-grep-essentials: true - -rule: - not: - has: - stopBy: end - kind: ERROR - any: - - pattern: tls.Listen($NETWORK, $IP $$$) - - pattern: net.Listen($NETWORK, $IP $$$) - -constraints: - IP: - any: - - kind: interpreted_string_literal - regex: ^"0.0.0.0:.*"$|^":.*"$|^'0.0.0.0:.*'$|^':.*'$ - - kind: raw_string_literal - regex: ^`0.0.0.0:.*`$|^`:.*`$ diff --git a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml deleted file mode 100644 index e182d352..00000000 --- a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -id: gorilla-cookie-store-hardcoded-session-key-go -language: go -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true - -utils: - MATCH_PATTERN_ONE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^sessions$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^NewCookieStore$ - - has: - stopBy: neighbor - kind: argument_list - any: - - all: - - has: - stopBy: neighbor - kind: type_conversion_expression - all: - - has: - stopBy: neighbor - kind: slice_type - has: - stopBy: neighbor - kind: type_identifier - regex: ^byte$ - - not: - has: - stopBy: neighbor - kind: call_expression - - has: - stopBy: neighbor - kind: interpreted_string_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - kind: interpreted_string_literal - - any: - - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - has: - stopBy: neighbor - regex: ^"github.com/gorilla/sessions"$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - has: - stopBy: neighbor - regex: ^"github.com/gorilla/sessions"$ -rule: - kind: call_expression - matches: MATCH_PATTERN_ONE - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR 
diff --git a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml deleted file mode 100644 index 692aa796..00000000 --- a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -id: gorilla-csrf-hardcoded-auth-key-go -language: go -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true - -utils: - MATCH_PATTERN_ONE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^csrf$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^Protect - - has: - stopBy: neighbor - kind: argument_list - any: - - has: - stopBy: neighbor - nthChild: - position: 1 - ofRule: - not: - kind: comment - kind: type_conversion_expression - all: - - has: - stopBy: neighbor - kind: slice_type - has: - stopBy: neighbor - kind: type_identifier - regex: ^byte$ - - has: - stopBy: neighbor - kind: interpreted_string_literal - - has: - stopBy: neighbor - kind: interpreted_string_literal - nthChild: - position: 1 - ofRule: - not: - kind: comment - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - regex: ^"github.com/gorilla/csrf"$ -rule: - kind: call_expression - matches: MATCH_PATTERN_ONE - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/go/security/grpc-client-insecure-connection-go.yml b/rules/go/security/grpc-client-insecure-connection-go.yml deleted file mode 100644 index 36cc447e..00000000 
--- a/rules/go/security/grpc-client-insecure-connection-go.yml +++ /dev/null @@ -1,66 +0,0 @@ -id: grpc-client-insecure-connection-go -language: go -severity: warning -message: >- - Found an insecure gRPC connection using 'grpc.WithInsecure()'. This - creates a connection without encryption to a gRPC server. A malicious - attacker could tamper with the gRPC message, which could compromise the - machine. Instead, establish a secure connection with an SSL certificate - using the 'grpc.WithTransportCredentials()' function. You can create a - create credentials using a 'tls.Config{}' struct with - 'credentials.NewTLS()'. The final fix looks like this: - 'grpc.WithTransportCredentials(credentials.NewTLS())'. -note: >- - [CWE-300] Channel Accessible by Non-Endpoint. - [REFERENCES] - - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption - -ast-grep-essentials: true - -rule: - kind: call_expression - all: - - has: - kind: selector_expression - all: - - has: - kind: identifier - pattern: $GRPC - nthChild: 1 - - has: - kind: field_identifier - nthChild: 2 - regex: ^Dial$ - - has: - kind: argument_list - all: - - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - kind: call_expression - all: - - has: - kind: selector_expression - all: - - has: - kind: identifier - pattern: $GRPC - nthChild: 1 - - has: - kind: field_identifier - nthChild: 2 - regex: ^WithInsecure$ - - has: - kind: argument_list - - not: - all: - - has: - stopBy: end - kind: ERROR - - has: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/go/security/jwt-go-none-algorithm-go.yml b/rules/go/security/jwt-go-none-algorithm-go.yml deleted file mode 100644 index 496d995c..00000000 --- a/rules/go/security/jwt-go-none-algorithm-go.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -id: jwt-go-none-algorithm-go -language: go -severity: warning -message: >- - Detected use of the 'none' algorithm in a JWT token. The 'none' - algorithm assumes the integrity of the token has already been verified. - This would allow a malicious actor to forge a JWT token that will - automatically be verified. Do not explicitly use the 'none' algorithm. - Instead, use an algorithm such as 'HS256'. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -utils: - after_declaration: - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - has: - kind: interpreted_string_literal - has: - kind: interpreted_string_literal_content - regex: ^(github.com/dgrijalva/jwt-go|github.com/golang-jwt/jwt)$ - -rule: - kind: selector_expression - all: - - pattern: $JWT_FUNC - - matches: after_declaration - -constraints: - JWT_FUNC: - regex: (jwt.SigningMethodNone|jwt.UnsafeAllowNoneSignatureType) diff --git a/rules/go/security/missing-ssl-minversion-go.yml b/rules/go/security/missing-ssl-minversion-go.yml deleted file mode 100644 index 038d44b5..00000000 --- a/rules/go/security/missing-ssl-minversion-go.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: missing-ssl-minversion-go -language: go -severity: warning -message: >- - MinVersion` is missing from this TLS configuration. By default, TLS - 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 - when acting as a server. General purpose web applications should default - to TLS 1.3 with all other protocols disabled. Only where it is known that - a web server must support legacy clients with unsupported an insecure - browsers (such as Internet Explorer 10), it may be necessary to enable TLS - 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS - configuration to bump the minimum version to TLS 1.3. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -utils: - match_tls_without_minversion: - kind: composite_literal - all: - - has: - kind: qualified_type - all: - - has: - kind: package_identifier - regex: "^tls$" - - has: - kind: type_identifier - field: name - regex: "^Config$" - - has: - kind: literal_value - not: - has: - kind: keyed_element - all: - - has: - kind: literal_element - regex: ^MinVersion$ - - has: - pattern: $A -rule: - any: - - matches: match_tls_without_minversion - diff --git a/rules/go/security/openai-empty-secret-go.yml b/rules/go/security/openai-empty-secret-go.yml deleted file mode 100644 index 8a7f6157..00000000 --- a/rules/go/security/openai-empty-secret-go.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -id: openai-empty-secret-go -language: go -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true - -utils: - MATCH_openai.NewClient: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^openai$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^NewClient$ - - has: - stopBy: neighbor - kind: argument_list - has: - kind: interpreted_string_literal - regex: \s*\"\"\s* - nthChild: - position: 1 - ofRule: - not: - kind: comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - MATCH_openai.NewClient_instance: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^openai$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^NewClient$ - - has: - stopBy: neighbor - kind: argument_list - has: - kind: identifier - pattern: $VAR - nthChild: - position: 1 - ofRule: - not: - kind: comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: 
"github.com/sashabaranov/go-openai" - - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - - any: - - follows: - stopBy: end - kind: assignment_statement - all: - - has: - kind: expression_list - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment_statement - all: - - has: - kind: expression_list - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - follows: - kind: const_declaration - all: - - has: - kind: const_spec - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - inside: - stopBy: end - follows: - kind: const_declaration - all: - - has: - kind: const_spec - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - follows: - kind: var_declaration - all: - - has: - kind: var_spec - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - inside: - stopBy: end - follows: - kind: var_declaration - all: - - has: - kind: var_spec - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET -rule: - kind: call_expression - any: - - matches: MATCH_openai.NewClient - - matches: MATCH_openai.NewClient_instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR -constraints: - SECRET: - regex: ^""$ diff --git a/rules/go/security/openai-hardcoded-secret-go.yml b/rules/go/security/openai-hardcoded-secret-go.yml deleted file mode 100644 index 6180459f..00000000 --- a/rules/go/security/openai-hardcoded-secret-go.yml +++ /dev/null 
@@ -1,213 +0,0 @@ -id: openai-hardcoded-secret-go -language: go -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true - -utils: - MATCH_openai.NewClient: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^openai$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^NewClient$ - - has: - stopBy: neighbor - kind: argument_list - has: - kind: interpreted_string_literal - has: - kind: interpreted_string_literal_content - nthChild: - position: 1 - ofRule: - not: - kind: comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - MATCH_openai.NewClient_instance: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^openai$ - - has: - stopBy: neighbor - kind: field_identifier - regex: ^NewClient$ - - has: - stopBy: neighbor - kind: argument_list - has: - kind: identifier - pattern: $VAR - nthChild: - position: 1 - ofRule: - not: - kind: comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - 
- inside: - stopBy: end - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - - follows: - stopBy: end - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" - any: - - follows: - stopBy: end - kind: assignment_statement - all: - - has: - kind: expression_list - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment_statement - all: - - has: - kind: expression_list - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - follows: - stopBy: end - kind: const_declaration - all: - - has: - kind: const_spec - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - inside: - stopBy: end - follows: - stopBy: end - kind: const_declaration - all: - - has: - kind: const_spec - has: - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - follows: - stopBy: end - kind: var_declaration - has: - kind: var_spec - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET - - inside: - stopBy: end - follows: - stopBy: end - kind: var_declaration - has: - kind: var_spec - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: expression_list - has: - pattern: $SECRET -rule: - kind: call_expression - any: - - matches: MATCH_openai.NewClient - - matches: MATCH_openai.NewClient_instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR -constraints: - SECRET: - not: - regex: ^""$ diff --git a/rules/go/security/ssl-v3-is-insecure-go.yml b/rules/go/security/ssl-v3-is-insecure-go.yml deleted file mode 100644 index c57f00dd..00000000 --- a/rules/go/security/ssl-v3-is-insecure-go.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -id: ssl-v3-is-insecure-go -language: go -severity: warning -message: >- - SSLv3 is insecure because it has known vulnerabilities. Starting with - go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://golang.org/doc/go1.14#crypto/tls - https://www.us-cert.gov/ncas/alerts/TA14-290A - -ast-grep-essentials: true - -utils: - match_version: - kind: composite_literal - all: - - has: - kind: qualified_type - regex: ^(tls.Config)$ - - has: - kind: literal_value - has: - kind: keyed_element - all: - - has: - kind: literal_element - regex: "^MinVersion$" - - has: - kind: literal_element - has: - kind: selector_expression - all: - - has: - kind: identifier - - has: - kind: field_identifier - regex: "^VersionSSL30$" - -rule: - any: - - matches: match_version - - diff --git a/rules/go/security/tls-with-insecure-cipher-go.yml b/rules/go/security/tls-with-insecure-cipher-go.yml deleted file mode 100644 index bfa88863..00000000 --- a/rules/go/security/tls-with-insecure-cipher-go.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: tls-with-insecure-cipher-go -language: go -severity: warning -message: >- - Detected an insecure CipherSuite via the 'tls' module. This suite is - considered weak. Use the function 'tls.CipherSuites()' to get a list of - good cipher suites. See - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what - other cipher suites to use. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -utils: - match_tls_ciphersuite: - kind: composite_literal - all: - - has: - kind: qualified_type - regex: ^(tls.CipherSuite)$ - - has: - kind: literal_value - has: - kind: literal_element - regex: ^(TLS_RSA_WITH_RC4_128_SHA|TLS_RSA_WITH_3DES_EDE_CBC_SHA|TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_RC4_128_SHA|TLS_ECDHE_RSA_WITH_RC4_128_SHA|TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)$ - method_tls_config: - kind: composite_literal - all: - - has: - kind: qualified_type - regex: ^(tls.Config)$ - - has: - stopBy: end - kind: literal_value - has: - stopBy: end - kind: keyed_element - all: - - has: - kind: literal_element - has: - kind: identifier - regex: "^CipherSuites$" - - has: - kind: literal_element - has: - kind: composite_literal - has: - kind: literal_value - has: - kind: literal_element - has: - kind: selector_expression - all: - - has: - kind: identifier - regex: "^tls$" - - has: - kind: field_identifier - regex: ^(TLS_RSA_WITH_RC4_128_SHA|TLS_RSA_WITH_3DES_EDE_CBC_SHA|TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_RC4_128_SHA|TLS_ECDHE_RSA_WITH_RC4_128_SHA|TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)$ - -rule: - any: - - matches: match_tls_ciphersuite - - matches: method_tls_config 
- diff --git a/rules/go/security/use-of-weak-rsa-key-go.yml b/rules/go/security/use-of-weak-rsa-key-go.yml deleted file mode 100644 index 88a003f5..00000000 --- a/rules/go/security/use-of-weak-rsa-key-go.yml +++ /dev/null 
@@ -1,270 +0,0 @@ -id: use-of-weak-rsa-key-go -language: go -severity: warning -message: >- - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms - -ast-grep-essentials: true - -utils: - statement_match_pattern_int_literal: - kind: int_literal - pattern: $BITS - inside: - stopBy: neighbor - kind: argument_list - inside: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $BITS - not: - precedes: - stopBy: end - pattern: $SET - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - precedes: - stopBy: end - pattern: $BITS - - not: - inside: - stopBy: neighbor - kind: argument_list - follows: - stopBy: neighbor - kind: selector_expression - regex: ^.rsa.GenerateKey$ - inside: - stopBy: end - kind: call_expression - inside: - stopBy: end - kind: call_expression - has: - stopBy: neighbor - kind: selector_expression - regex: .*rsa.GenerateKey - precedes: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - pattern: $BITS - - not: - inside: - stopBy: end - kind: binary_expression - - not: - inside: - stopBy: end - kind: unary_expression - # - not: - # inside: - # stopBy: end - # kind: call_expression - # has: - # stopBy: neighbor - # kind: selector_expression - # inside: - # stopBy: end - # kind: argument_list - # has: - # stopBy: end - # pattern: $BITS - statement_match_pattern_unary_expression: - kind: unary_expression - pattern: $BITS - inside: - stopBy: neighbor - kind: argument_list - inside: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ - - has: - stopBy: neighbor - kind: argument_list - 
has: - stopBy: neighbor - pattern: $BITS - not: - precedes: - stopBy: end - pattern: $SET - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - precedes: - stopBy: end - pattern: $BITS - - not: - inside: - stopBy: neighbor - kind: argument_list - follows: - stopBy: neighbor - kind: selector_expression - regex: .rsa.GenerateKey - inside: - stopBy: end - kind: call_expression - inside: - stopBy: end - kind: call_expression - has: - stopBy: end - kind: selector_expression - regex: .*rsa.GenerateKey - precedes: - stopBy: end - kind: argument_list - has: - stopBy: end - pattern: $BITS - - not: - inside: - stopBy: end - kind: binary_expression - statement_match_pattern_float_literal: - kind: float_literal - pattern: $BITS - inside: - stopBy: neighbor - kind: argument_list - inside: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $BITS - not: - precedes: - stopBy: end - pattern: $SET - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - precedes: - stopBy: end - pattern: $BITS - - not: - inside: - stopBy: end - kind: call_expression - inside: - stopBy: end - kind: call_expression - has: - stopBy: end - kind: selector_expression - regex: ^rsa.GenerateKey|rsa.GenerateMultiPrimeKey$ - not: - inside: - stopBy: end - any: - - kind: binary_expression - - kind: unary_expression - statement_match_pattern_binary_expression: - kind: binary_expression - pattern: $BITS - inside: - stopBy: neighbor - kind: argument_list - inside: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - regex: ^rsa.GenerateKey$|^rsa.GenerateMultiPrimeKey$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $BITS - not: - precedes: - stopBy: end - pattern: $SET - all: - - not: - has: - stopBy: end - kind: 
ERROR - - not: - precedes: - stopBy: end - pattern: $BITS - - not: - inside: - stopBy: end - kind: call_expression - inside: - stopBy: end - kind: call_expression - has: - stopBy: end - kind: selector_expression - regex: ^rsa.GenerateKey|rsa.GenerateMultiPrimeKey$ - not: - inside: - stopBy: end - kind: unary_expression -rule: - any: - - kind: int_literal - matches: statement_match_pattern_int_literal - - kind: float_literal - matches: statement_match_pattern_float_literal - - kind: unary_expression - matches: statement_match_pattern_unary_expression - - kind: binary_expression - matches: statement_match_pattern_binary_expression - not: - has: - stopBy: end - kind: ERROR -constraints: - BITS: - any: - - regex: ^([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|[+-]?(\.[0-9]+)|([+-]?\.[0-9]+\/[1-9][0-9]*))$ - - regex: ^-\d+(\.\d+)?(/(\d+(\.\d+)?))?$ - diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml deleted file mode 100644 index d177ad24..00000000 --- a/rules/html/security/plaintext-http-link-html.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -id: plaintext-http-link-html -language: html -severity: warning -message: >- - "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." -note: >- - [CWE-319] Authentication Bypass by Primary Weakness - [REFERENCES] - - https://cwe.mitre.org/data/definitions/319.html -ast-grep-essentials: true - -rule: - not: - has: - stopBy: end - kind: ERROR - any: - - kind: element - not: - has: - kind: erroneous_end_tag - has: - nthChild: 1 - kind: start_tag - all: - - has: - nthChild: 1 - kind: tag_name - regex: ^a$ - - has: - kind: attribute - not: - has: - stopBy: end - kind: ERROR - all: - - has: - stopBy: end - kind: attribute_name - regex: ^href$ - - has: - stopBy: end - kind: attribute_value - regex: ^([Hh][Tt][Tt][Pp]://) - - kind: start_tag - all: - - any: - - all: - - has: - nthChild: 1 - kind: tag_name - regex: ^a$ - - inside: - kind: element - has: - kind: erroneous_end_tag - - all: - - inside: - kind: element - has: - kind: erroneous_end_tag - has: - kind: erroneous_end_tag_name - regex: ^a$ - - has: - kind: attribute - not: - has: - stopBy: end - kind: ERROR - all: - - has: - stopBy: end - kind: attribute_name - regex: ^href$ - - has: - stopBy: end - kind: attribute_value - regex: ^([Hh][Tt][Tt][Pp]://) - \ No newline at end of file diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml deleted file mode 100644 index 89aab8ee..00000000 --- a/rules/java/security/cbc-padding-oracle-java.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: cbc-padding-oracle-java -severity: warning -language: java -message: >- - Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A - malicious actor could discern the difference between plaintext with valid - or invalid padding. Further, CBC mode does not include any integrity - checks. Use 'AES/GCM/NoPadding' instead. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://capec.mitre.org/data/definitions/463.html -ast-grep-essentials: true -rule: - pattern: Cipher.getInstance($MODE) -constraints: - MODE: - regex: ".*/CBC/PKCS5Padding" diff --git a/rules/java/security/cookie-httponly-false-java.yml b/rules/java/security/cookie-httponly-false-java.yml deleted file mode 100644 index f97b3f5c..00000000 --- a/rules/java/security/cookie-httponly-false-java.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: cookie-httponly-false-java -language: java -message: >- - A cookie was detected without setting the 'HttpOnly' flag. The - 'HttpOnly' flag for cookies instructs the browser to forbid client-side - scripts from reading the cookie. Set the 'HttpOnly' flag by calling - 'cookie.setHttpOnly(true);' -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag. - [REFERENCES] - - https://capec.mitre.org/data/definitions/463.html -ast-grep-essentials: true -rule: - pattern: $COOKIE.setHttpOnly(false); diff --git a/rules/java/security/cookie-missing-httponly-java.yml b/rules/java/security/cookie-missing-httponly-java.yml deleted file mode 100644 index 75cb4098..00000000 --- a/rules/java/security/cookie-missing-httponly-java.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -id: cookie-missing-httponly-java -severity: warning -language: java -message: >- - A cookie was detected without setting the 'HttpOnly' flag. The - 'HttpOnly' flag for cookies instructs the browser to forbid client-side - scripts from reading the cookie. Set the 'HttpOnly' flag by calling - 'cookie.setHttpOnly(true); -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag. - [REFERENCES] - - https://owasp.org/www-community/HttpOnly -ast-grep-essentials: true -rule: - pattern: $RESPONSE.addCookie($COOKIE); - all: - - not: - follows: - stopBy: end - pattern: $COOKIE.setValue(""); - - not: - follows: - stopBy: end - pattern: $COOKIE.setHttpOnly($$$); diff --git a/rules/java/security/cookie-missing-samesite-java.yml b/rules/java/security/cookie-missing-samesite-java.yml deleted file mode 100644 index c41e6d8b..00000000 --- a/rules/java/security/cookie-missing-samesite-java.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -id: cookie-missing-samesite-java -severity: warning -language: java -message: >- - The application does not appear to verify inbound requests which can - lead to a Cross-site request forgery (CSRF) vulnerability. If the - application uses cookie-based authentication, an attacker can trick users - into sending authenticated HTTP requests without their knowledge from any - arbitrary domain they visit. To prevent this vulnerability start by - identifying if the framework or library leveraged has built-in features or - offers plugins for CSRF protection. CSRF tokens should be unique and - securely random. The `Synchronizer Token` or `Double Submit Cookie` - patterns with defense-in-depth mechanisms such as the `sameSite` cookie - flag can help prevent CSRF. For more information, see: [Cross-site request - forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Req\ - uest_Forgery_Prevention_Cheat_Sheet.html). -note: >- - [CWE-352] Cross-Site Request Forgery (CSRF). - [REFERENCES] - - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application -ast-grep-essentials: true -rule: - any: - - pattern: $RESP.setHeader("Set-Cookie", $T); - inside: - stopBy: end - kind: block - follows: - stopBy: end - kind: formal_parameters - has: - stopBy: end - kind: formal_parameter - all: - - has: - stopBy: end - kind: type_identifier - regex: "^HttpServletResponse$" - - has: - stopBy: neighbor - kind: identifier - - pattern: $RESP.addCookie($$$); - not: - follows: - stopBy: end - kind: expression_statement - pattern: $RESP.setHeader("Set-Cookie", $T); - inside: - stopBy: end - kind: block - follows: - stopBy: end - kind: formal_parameters - has: - stopBy: end - kind: formal_parameter - all: - - has: - stopBy: end - kind: type_identifier - regex: "^HttpServletResponse$" - - has: - stopBy: neighbor - kind: identifier - - pattern: $RESP.setHeader("Set-Cookie"); -constraints: - T: - not: - regex: ".*SameSite=.*" 
diff --git a/rules/java/security/cookie-missing-secure-flag-java.yml b/rules/java/security/cookie-missing-secure-flag-java.yml deleted file mode 100644 index 1db150da..00000000 --- a/rules/java/security/cookie-missing-secure-flag-java.yml +++ /dev/null @@ -1,54 +0,0 @@ -id: cookie-missing-secure-flag-java -language: java -severity: warning -message: >- - A cookie was detected without setting the 'secure' flag. The 'secure' - flag for cookies prevents the client from transmitting the cookie over - insecure channels such as HTTP. Set the 'secure' flag by calling - '$COOKIE.setSecure(true);'. -note: >- - [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. - [REFERENCES] - - https://owasp.org/www-community/controls/SecureCookieAttribute -ast-grep-essentials: true -utils: - MATCH_RESPONSE_COOKIE_STATEMENT: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - regex: "response" - - has: - stopBy: neighbor - kind: identifier - regex: "addCookie" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - - not: - follows: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: identifier - regex: "setSecure|setValue" - - has: - stopBy: end - kind: argument_list - -rule: - kind: expression_statement - matches: MATCH_RESPONSE_COOKIE_STATEMENT diff --git a/rules/java/security/cookie-secure-flag-false-java.yml b/rules/java/security/cookie-secure-flag-false-java.yml deleted file mode 100644 index 6caea9e4..00000000 --- a/rules/java/security/cookie-secure-flag-false-java.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -id: cookie-secure-flag-false-java -language: java -severity: warning -message: >- - A cookie was detected without setting the 'secure' flag. The 'secure' - flag for cookies prevents the client from transmitting the cookie over - insecure channels such as HTTP. Set the 'secure' flag by calling - '$COOKIE.setSecure(true);'. -note: >- - [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. - [REFERENCES] - - https://owasp.org/www-community/controls/SecureCookieAttribute -ast-grep-essentials: true -rule: - pattern: $COOKIE.setSecure(false); diff --git a/rules/java/security/datanucleus-hardcoded-connection-password-java.yml b/rules/java/security/datanucleus-hardcoded-connection-password-java.yml deleted file mode 100644 index 3233e169..00000000 --- a/rules/java/security/datanucleus-hardcoded-connection-password-java.yml +++ /dev/null 
@@ -1,593 +0,0 @@ -id: datanucleus-hardcoded-connection-password-java -severity: warning -language: java -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - - https://db.apache.org/jdo/api30/apidocs/javax/jdo/PersistenceManagerFactory.html - -ast-grep-essentials: true - -utils: - - (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - has: - kind: string_literal - has: - kind: string_fragment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^org.datanucleus.api.jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... 
.$SETPASS("...")_with_Instance: - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: identifier - pattern: $PSWD - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^org.datanucleus.api.jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PSWD - - has: - kind: string_literal - has: - kind: string_fragment - - (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.datanucleus.api.*; - - pattern: import org.datanucleus.api; - - (jdo.JDOPersistenceManagerFactory $JDO). ... 
.$SETPASS("...")_with_Instance: - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: identifier - pattern: $PSWD - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PSWD - - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.datanucleus.api.*; - - pattern: import org.datanucleus.api; - - (JDOPersistenceManagerFactory $JDO). ... 
.$SETPASS("..."): - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: type_identifier - regex: ^JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.datanucleus.*; - - pattern: import org.datanucleus; - - pattern: import org.datanucleus.api.jdo.*; - - pattern: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - - (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance: - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: identifier - pattern: $PSWD - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: type_identifier - regex: ^JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PSWD - - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.datanucleus.api.jdo.*; - - 
pattern: import org.datanucleus.*; - - pattern: import org.datanucleus; - - pattern: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - - (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^api.jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.datanucleus.*; - - pattern: import org.datanucleus; - - (api.jdo.JDOPersistenceManagerFactory $JDO). ... 
.$SETPASS("...")_with_Instance: - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: identifier - pattern: $PSWD - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^api.jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PSWD - - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.datanucleus.*; - - pattern: import org.datanucleus; - - (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("..."): - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^datanucleus.api.jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.*; - - pattern: import org; - - (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). 
... .$SETPASS("...")_with_Instance: - kind: identifier - regex: ^setConnectionPassword$ - all: - - precedes: - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: identifier - pattern: $PSWD - - inside: - stopBy: end - kind: method_invocation - has: - stopBy: end - kind: identifier - pattern: $INST - nthChild: 1 - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^datanucleus.api.jdo.JDOPersistenceManagerFactory$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PSWD - - has: - kind: string_literal - has: - kind: string_fragment - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: import org.*; - - pattern: import org; - - -rule: - any: - - matches: (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (org.datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - - matches: (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...") - - matches: (datanucleus.api.jdo.JDOPersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance - 
diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml deleted file mode 100644 index 5f6d0ddb..00000000 --- a/rules/java/security/des-is-deprecated-java.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: des-is-deprecated-java -severity: warning -language: java -message: >- - DES is considered deprecated. AES is the recommended cipher. Upgrade to - use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard - for more information. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard -ast-grep-essentials: true -rule: - pattern: $CIPHER.getInstance($SAS) -constraints: - SAS: - regex: ^".*/DES/.*"|"DES"|"DES/.*"$ diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml deleted file mode 100644 index 8402cf65..00000000 --- a/rules/java/security/desede-is-deprecated-java.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -id: desede-is-deprecated-java -language: java -severity: warning -message: >- - Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. -note: >- - [CWE-326]: Inadequate Encryption Strength - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE - - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA - -ast-grep-essentials: true - -utils: - match_method_invocation: - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - nthChild: 1 - - has: - kind: identifier - regex: "^getInstance$" - nthChild: 2 - has: - stopBy: end - kind: argument_list - has: - stopBy: end - kind: string_literal - regex: "DESede" - match_key_generator: - kind: method_invocation - all: - - has: - stopBy: end - kind: field_access - field: object - has: - kind: identifier - field: field - regex: "^KeyGenerator$" - - has: - stopBy: end - kind: identifier - field: name - regex: "^getInstance$" - - has: - kind: argument_list - has: - kind: string_literal - has: - kind: string_fragment - regex: "^DES$" - matches_method_invocation_with_identifier: - kind: method_invocation - all: - - has: - kind: identifier - field: name - regex: "^getInstance$" - nthChild: 2 - - has: - kind: argument_list - has: - kind: identifier - pattern: $I - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: type_identifier - field: type - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $I - - has: - kind: string_literal - has: - kind: string_fragment - -rule: - any: - - matches: match_method_invocation - - matches: match_key_generator - - matches: matches_method_invocation_with_identifier 
diff --git a/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml b/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml deleted file mode 100644 index 2674ba14..00000000 --- a/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml +++ /dev/null @@ -1,47 +0,0 @@ -id: documentbuilderfactory-disallow-doctype-decl-false-java -language: java -severity: warning -message: >- - DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting - external entity declarations, this is vulnerable to XML external entity - attacks. Disable this by setting the feature - "http://apache.org/xml/features/disallow-doctype-decl" to true. - Alternatively, allow DOCTYPE declarations and only prohibit external - entities declarations. This can be done by setting the features - "http://xml.org/sax/features/external-general-entities" and - "http://xml.org/sax/features/external-parameter-entities" to false. -note: >- - [CWE-611]: mproper Restriction of XML External Entity Reference - [OWASP A04:2017]: XML External Entities (XXE) - [OWASP A05:2021 - Security Misconfiguration] - [REFERENCES] - https://blog.sonarsource.com/secure-xml-processor - https://xerces.apache.org/xerces2-j/features.html -ast-grep-essentials: true -utils: - match_expression_statement: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: identifier - regex: "^setFeature$" - has: - kind: argument_list - all: - - has: - stopBy: end - kind: string_literal - regex: "http://apache.org/xml/features/disallow-doctype-decl" - - has: - stopBy: end - regex: "^false$" -rule: - any: - - matches: match_expression_statement diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml deleted file mode 100644 index 326676cf..00000000 
--- a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml +++ /dev/null 
@@ -1,288 +0,0 @@ -id: documentbuilderfactory-external-general-entities-true-java -language: java -severity: warning -message: >- - External entities are allowed for $DBFACTORY. This is vulnerable to XML - external entity attacks. Disable this by setting the feature - "http://xml.org/sax/features/external-general-entities" to false. -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://blog.sonarsource.com/secure-xml-processor - -ast-grep-essentials: true - -utils: - match_expression_statement: - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - - has: - stopBy: end - kind: argument_list - all: - - has: - stopBy: neighbor - kind: string_literal - regex: ^"http://xml.org/sax/features/external-general-entities"$ - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - stopBy: neighbor - regex: "^true$" - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - match_expression_statement_Boolean_Instance: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - has: - stopBy: end - kind: argument_list - field: arguments - all: - - has: - stopBy: neighbor - kind: string_literal - regex: ^"http://xml.org/sax/features/external-general-entities"$ - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - stopBy: neighbor - pattern: $TRUE - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 1 - - has: - regex: "^true$" - - follows: - stopBy: end - kind: local_variable_declaration 
- has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 1 - - has: - regex: "^true$" - - match_expression_statement_Link_Instance: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - has: - stopBy: end - kind: argument_list - field: arguments - all: - - has: - stopBy: neighbor - pattern: $URL - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - stopBy: neighbor - regex: "^true$" - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - kind: string_literal - regex: ^"http://xml.org/sax/features/external-general-entities"$ - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - kind: string_literal - regex: ^"http://xml.org/sax/features/external-general-entities"$ - - match_expression_statement_with_both_instance: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - - has: - kind: argument_list - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - - has: - kind: identifier - pattern: $URL - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - kind: identifier - pattern: $TRUE - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - any: - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - 
nthChild: 1 - - has: - regex: "^true$" - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 1 - - has: - regex: "^true$" - - any: - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - regex: ^"http://xml.org/sax/features/external-general-entities"$ - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - regex: ^"http://xml.org/sax/features/external-general-entities"$ - -rule: - any: - - matches: match_expression_statement - - matches: match_expression_statement_Boolean_Instance - - matches: match_expression_statement_Link_Instance - - matches: match_expression_statement_with_both_instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml deleted file mode 100644 index 24cb4de7..00000000 --- a/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml +++ /dev/null 
@@ -1,287 +0,0 @@ -id: documentbuilderfactory-external-parameter-entities-true-java -severity: warning -language: java -message: >- - External entities are allowed for $DBFACTORY. This is vulnerable to XML - external entity attacks. Disable this by setting the feature - "http://xml.org/sax/features/external-parameter-entities" to false. -note: >- - [CWE-611] Improper Restriction of XML External Entity Reference. - [REFERENCES] - - https://blog.sonarsource.com/secure-xml-processor - -ast-grep-essentials: true - -utils: - match_expression_statement: - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - - has: - stopBy: end - kind: argument_list - all: - - has: - stopBy: neighbor - kind: string_literal - regex: ^"http://xml.org/sax/features/external-parameter-entities"$ - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - stopBy: neighbor - regex: "^true$" - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - match_expression_statement_Boolean_Instance: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - has: - stopBy: end - kind: argument_list - field: arguments - all: - - has: - stopBy: neighbor - kind: string_literal - regex: ^"http://xml.org/sax/features/external-parameter-entities"$ - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - stopBy: neighbor - pattern: $TRUE - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 1 - - has: - regex: "^true$" - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: 
variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 1 - - has: - regex: "^true$" - - match_expression_statement_Link_Instance: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - has: - stopBy: end - kind: argument_list - field: arguments - all: - - has: - stopBy: neighbor - pattern: $URL - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - stopBy: neighbor - regex: "^true$" - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - kind: string_literal - regex: ^"http://xml.org/sax/features/external-parameter-entities"$ - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - kind: string_literal - regex: ^"http://xml.org/sax/features/external-parameter-entities"$ - - match_expression_statement_with_both_instance: - kind: expression_statement - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: ^setFeature$ - nthChild: 2 - - has: - kind: argument_list - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - - has: - kind: identifier - pattern: $URL - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - kind: identifier - pattern: $TRUE - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - any: - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 
1 - - has: - regex: "^true$" - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $TRUE - nthChild: 1 - - has: - regex: "^true$" - - any: - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - regex: ^"http://xml.org/sax/features/external-parameter-entities"$ - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $URL - nthChild: 1 - - has: - regex: ^"http://xml.org/sax/features/external-parameter-entities"$ - -rule: - any: - - matches: match_expression_statement - - matches: match_expression_statement_Boolean_Instance - - matches: match_expression_statement_Link_Instance - - matches: match_expression_statement_with_both_instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml deleted file mode 100644 index 6d6922d2..00000000 --- a/rules/java/security/drivermanager-hardcoded-secret-java.yml +++ /dev/null 
@@ -1,153 +0,0 @@
-id: drivermanager-hardcoded-secret-java
-severity: warning
-language: java
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-
-ast-grep-essentials: true
-
-utils:
- MATCH_PATTERN_DriverManager.getConnection:
- kind: method_invocation
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: '^DriverManager$'
- - has:
- stopBy: neighbor
- kind: identifier
- regex: '^getConnection$'
- - has:
- kind: argument_list
- # nthChild: 3
- all:
- - any:
- - has:
- stopBy: end
- kind: string_literal
- nthChild: 3
- pattern: $I
- has:
- stopBy: neighbor
- kind: string_fragment
- - has:
- stopBy: end
- kind: parenthesized_expression
- has:
- stopBy: end
- kind: string_fragment
- pattern: $I
- - has:
- nthChild: 3
- all:
- - has:
- stopBy: neighbor
- kind: string_fragment
- inside:
- stopBy: neighbor
- kind: string_literal
- - not:
- has:
- stopBy: end
- kind: string_literal
- not:
- has:
- stopBy: neighbor
- kind: string_fragment
- - not:
- has:
- stopBy: end
- regex: ^-$
- - not:
- has:
- nthChild: 4
- - not:
- has:
- stopBy: end
- kind: ERROR
- - not:
- has:
- stopBy: end
- kind: binary_expression
-
- MATCH_PATTERN_DriverManagerDataSource:
- kind: object_creation_expression
- all:
- - has:
- stopBy: neighbor
- kind: type_identifier
- regex: '^DriverManagerDataSource$'
- - has:
- kind: argument_list
- # nthChild: 3
- all:
- - any:
- - has:
- stopBy: neighbor
- kind: string_literal
- nthChild: 3
- pattern: $I
- has:
- stopBy: neighbor
- kind: string_fragment
- - has:
- stopBy: end
- kind: parenthesized_expression
- has:
- stopBy: end
- kind: string_fragment
- pattern: $I
- - has:
- nthChild: 3
- all:
- - has:
- stopBy: neighbor
- kind: string_fragment
- inside:
- stopBy: neighbor
- kind: string_literal
- - not:
- has:
- stopBy: end
- kind: string_literal
- not:
- has:
- stopBy: neighbor
- kind: string_fragment
- - not:
- has:
- stopBy: end
- regex: ^-$
- - not:
- has:
- nthChild: 4
- - not:
- has:
- stopBy: end
- kind: binary_expression
- - not:
- has:
- stopBy: end
- kind: ERROR
-
-rule:
- any:
- - kind: method_invocation
- matches: MATCH_PATTERN_DriverManager.getConnection
- - kind: object_creation_expression
- matches: MATCH_PATTERN_DriverManagerDataSource
-
-constraints:
- I:
- not:
- regex: ^""$
-
diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml
deleted file mode 100644
index 37f0d9ed..00000000
--- a/rules/java/security/ecb-cipher-java.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-id: ecb-cipher-java
-severity: warning
-language: java
-message: >-
- Cipher in ECB mode is detected. ECB mode produces the same output for
- the same input each time which allows an attacker to intercept and replay
- the data. Further, ECB mode does not provide any integrity checking. See
- https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
-note: >-
- [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
- [REFERENCES]
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-
-ast-grep-essentials: true
-
-rule:
- kind: local_variable_declaration
- all:
- - has:
- kind: type_identifier
- regex: ^Cipher$
- - has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- - has:
- kind: method_invocation
- all:
- - has:
- kind: identifier
- regex: ^getInstance$
- - has:
- kind: argument_list
- has:
- pattern: $MODE
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
-
-constraints:
- MODE:
- regex: .*ECB.*
diff --git a/rules/java/security/hardcoded-connection-password-java.yml b/rules/java/security/hardcoded-connection-password-java.yml
deleted file mode 100644
index e47ec3e8..00000000
--- a/rules/java/security/hardcoded-connection-password-java.yml
+++ /dev/null
@@ -1,352 +0,0 @@
-id: hardcoded-connection-password-java
-severity: warning
-language: java
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
- - https://db.apache.org/jdo/api30/apidocs/javax/jdo/PersistenceManagerFactory.html
-
-ast-grep-essentials: true
-
-utils:
-
- (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("..."):
- kind: identifier
- regex: ^setConnectionPassword$
- all:
- - precedes:
- kind: argument_list
- has:
- kind: string_literal
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^javax.jdo.PersistenceManagerFactory$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
-
- (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance:
- kind: identifier
- regex: ^setConnectionPassword$
- all:
- - precedes:
- kind: argument_list
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: identifier
- pattern: $PSWD
- - inside:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^javax.jdo.PersistenceManagerFactory$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $PSWD
- - has:
- kind: string_literal
- has:
- kind: string_fragment
-
- (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("..."):
- kind: identifier
- regex: ^setConnectionPassword$
- all:
- - precedes:
- kind: argument_list
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_literal
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^jdo.PersistenceManagerFactory$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - pattern: import javax.*;
-
- (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance:
- kind: identifier
- regex: ^setConnectionPassword$
- all:
- - precedes:
- kind: argument_list
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: identifier
- pattern: $PSWD
- - inside:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^jdo.PersistenceManagerFactory$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $PSWD
- - has:
- kind: string_literal
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - pattern: import javax.*;
-
- (PersistenceManagerFactory $JDO). ... .$SETPASS("..."):
- kind: identifier
- regex: ^setConnectionPassword$
- all:
- - precedes:
- kind: argument_list
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_literal
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- all:
- - has:
- kind: type_identifier
- regex: ^PersistenceManagerFactory$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - pattern: import javax.jdo.*;
- - pattern: import javax.jdo.PersistenceManagerFactory;
-
- (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance:
- kind: identifier
- regex: ^setConnectionPassword$
- all:
- - precedes:
- kind: argument_list
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: identifier
- pattern: $PSWD
- - inside:
- stopBy: end
- kind: method_invocation
- has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- all:
- - has:
- kind: type_identifier
- regex: ^PersistenceManagerFactory$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: field_declaration
- - kind: local_variable_declaration
- has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $PSWD
- - has:
- kind: string_literal
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - pattern: import javax.jdo.*;
- - pattern: import javax.jdo.PersistenceManagerFactory;
-rule:
- any:
- - matches: (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")
- - matches: (javax.jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance
- - matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")
- - matches: (jdo.PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance
- - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")
- - matches: (PersistenceManagerFactory $JDO). ... .$SETPASS("...")_with_Instance
\ No newline at end of file
diff --git a/rules/java/security/hardcoded-secret-in-credentials-java.yml b/rules/java/security/hardcoded-secret-in-credentials-java.yml
deleted file mode 100644
index 8c2701a4..00000000
--- a/rules/java/security/hardcoded-secret-in-credentials-java.yml
+++ /dev/null
@@ -1,292 +0,0 @@
-id: hardcoded-secret-in-credentials-java
-severity: warning
-language: java
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-
-ast-grep-essentials: true
-utils:
- Credentials.basic($USERNAME, "..."):
- kind: method_invocation
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^Credentials$
- - has:
- kind: identifier
- nthChild: 2
- regex: ^basic$
- - has:
- kind: argument_list
- all:
- - not:
- has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: line_comment
- - has:
- kind: string_literal
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import okhttp3.Credentials.*;
- - pattern: import okhttp3.*;
-
- Credentials.basic($USERNAME, "...")_with_Instance:
- kind: method_invocation
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^Credentials$
- - has:
- kind: identifier
- nthChild: 2
- regex: ^basic$
- - has:
- kind: argument_list
- all:
- - not:
- has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: line_comment
- - has:
- kind: identifier
- pattern: $PASSWORD
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import okhttp3.Credentials.*;
- - pattern: import okhttp3.*;
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: field_declaration
- has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $PASSWORD
- - has:
- kind: string_literal
- has:
- kind: string_fragment
-
- basic($USERNAME, "..."):
- kind: method_invocation
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^basic$
- - has:
- kind: argument_list
- all:
- - not:
- has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: line_comment
- - has:
- kind: string_literal
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import okhttp3.Credentials.*;
-
- basic($USERNAME, "...")_with_Instance:
- kind: method_invocation
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^basic$
- - has:
- kind: argument_list
- all:
- - not:
- has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: line_comment
- - has:
- kind: identifier
- pattern: $PASSWORD
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import okhttp3.Credentials.*;
-
- okhttp3.Credentials.basic($USERNAME, "..."):
- kind: method_invocation
- all:
- - has:
- kind: field_access
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^okhttp3$
- - has:
- kind: identifier
- nthChild: 2
- regex: ^Credentials$
- - has:
- kind: identifier
- nthChild: 2
- regex: ^basic$
- - has:
- kind: argument_list
- all:
- - not:
- has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: line_comment
- - has:
- kind: string_literal
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import okhttp3.Credentials.*;
- - pattern: import okhttp3.Credentials;
-
- okhttp3.Credentials.basic($USERNAME, "...")_with_Instance:
- kind: method_invocation
- all:
- - has:
- kind: field_access
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^okhttp3$
- - has:
- kind: identifier
- nthChild: 2
- regex: ^Credentials$
- - has:
- kind: identifier
- nthChild: 2
- regex: ^basic$
- - has:
- kind: argument_list
- all:
- - not:
- has:
- nthChild:
- position: 3
- ofRule:
- not:
- kind: line_comment
- - has:
- kind: identifier
- pattern: $PASSWORD
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import okhttp3.Credentials.*;
- - pattern: import okhttp3.Credentials;
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: field_declaration
- has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $PASSWORD
- - has:
- kind: string_literal
- has:
- kind: string_fragment
-
-rule:
- any:
- - matches: Credentials.basic($USERNAME, "...")
- - matches: Credentials.basic($USERNAME, "...")_with_Instance
- - matches: basic($USERNAME, "...")
- - matches: basic($USERNAME, "...")_with_Instance
- - matches: okhttp3.Credentials.basic($USERNAME, "...")
- - matches: okhttp3.Credentials.basic($USERNAME, "...")_with_Instance
-
diff --git a/rules/java/security/java-jwt-hardcoded-secret-java.yml b/rules/java/security/java-jwt-hardcoded-secret-java.yml
deleted file mode 100644
index d1df5d02..00000000
--- a/rules/java/security/java-jwt-hardcoded-secret-java.yml
+++ /dev/null
@@ -1,129 +0,0 @@
-id: java-jwt-hardcoded-secret-java
-language: java
-severity: warning
-message: >-
- A hard-coded credential was detected. It is not recommended to store
- credentials in source-code, as this risks secrets being leaked and used by
- either an internal or external malicious adversary. It is recommended to
- use environment variables to securely provide credentials or retrieve
- credentials from a secure vault or HSM (Hardware Security Module).
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-
-ast-grep-essentials: true
-utils:
- (Algorithm $ALG) = $ALGO.$HMAC("$Y"):
- kind: string_literal
- all:
- - has:
- kind: string_fragment
- - inside:
- kind: argument_list
- all:
- - inside:
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- nthChild: 1
- - has:
- stopBy: end
- kind: identifier
- regex: (HMAC384|HMAC256|HMAC512)
- - inside:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- - inside:
- any:
- - kind: local_variable_declaration
- - kind: field_declaration
- has:
- kind: type_identifier
- regex: ^Algorithm$
- - not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
-
- (Algorithm $ALG) = $ALGO.$HMAC($SECRET):
- kind: string_literal
- all:
- - has:
- kind: string_fragment
- - inside:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $SECRET
- inside:
- stopBy: end
- kind: class_declaration
- has:
- stopBy: end
- any:
- - kind: field_declaration
- - kind: local_variable_declaration
- all:
- - has:
- kind: type_identifier
- regex: ^Algorithm$
- - has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- - has:
- kind: method_invocation
- all:
- - has:
- kind: identifier
- nthChild: 1
- - has:
- kind: identifier
- nthChild: 2
- regex: ^(HMAC384|HMAC256|HMAC512)$
- - has:
- kind: argument_list
- has:
- kind: identifier
- pattern: $SECRET
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
-
-rule:
- any:
- - kind: string_literal
- matches: (Algorithm $ALG) = $ALGO.$HMAC("$Y")
- - kind: string_literal
- matches: (Algorithm $ALG) = $ALGO.$HMAC($SECRET)
- not:
- all:
- - has:
- stopBy: end
- kind: ERROR
- - inside:
- stopBy: end
- kind: ERROR
\ No newline at end of file
diff --git a/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml b/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml
deleted file mode 100644
index 53cddb78..00000000
--- a/rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml
+++ /dev/null
@@ -1,830 +0,0 @@
-id: jedis-jedisclientconfig-hardcoded-password-java
-language: java
-severity: warning
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-
-ast-grep-essentials: true
-
-utils:
- redis.clients.jedis.DefaultJedisClientConfig.builder().password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: method_invocation
- pattern: redis.clients.jedis.DefaultJedisClientConfig.builder()
- - has:
- kind: identifier
- regex: 'password'
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
-
- (redis.clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^password$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^redis.clients.jedis.DefaultJedisClientConfig.Builder$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
-
- redis.clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: method_invocation
- all:
- - has:
- kind: field_access
- nthChild: 1
- regex: ^redis.clients.jedis.DefaultJedisClientConfig$
- - has:
- kind: identifier
- regex: ^create$
- - has:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 5
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
-
- new redis.clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: object_creation_expression
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^redis.clients.jedis.DefaultJedisClientConfig$
- nthChild: 1
- - has:
- kind: argument_list
- nthChild: 2
- has:
- kind: string_literal
- nthChild: 5
- has:
- kind: string_fragment
-
- (redis.clients.jedis.JedisClientConfig $JEDIS).updatePassword("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^updatePassword$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^redis.clients.jedis.JedisClientConfig$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
-
- (redis.clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^updatePassword$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^redis.clients.jedis.DefaultJedisClientConfig$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
-
- DefaultJedisClientConfig.builder().password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: method_invocation
- pattern: DefaultJedisClientConfig.builder()
- - has:
- kind: identifier
- regex: 'password'
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.jedis.*;
- - pattern: import redis.clients.jedis;
- - pattern: import redis.clients.jedis.DefaultJedisClientConfig;
-
- (DefaultJedisClientConfig.Builder $JEDIS).password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^password$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^DefaultJedisClientConfig.Builder$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.jedis.*;
- - pattern: import redis.clients.jedis;
- - pattern: import redis.clients.jedis.DefaultJedisClientConfig;
-
- DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: method_invocation
- all:
- - has:
- kind: identifier
- nthChild: 1
- regex: ^DefaultJedisClientConfig$
- - has:
- kind: identifier
- regex: ^create$
- - has:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 5
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.jedis.*;
- - pattern: import redis.clients.jedis;
- - pattern: import redis.clients.jedis.DefaultJedisClientConfig;
-
- new DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: object_creation_expression
- all:
- - has:
- kind: type_identifier
- regex: ^DefaultJedisClientConfig$
- nthChild: 1
- - has:
- kind: argument_list
- nthChild: 2
- has:
- kind: string_literal
- nthChild: 5
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.jedis.*;
- - pattern: import redis.clients.jedis;
- - pattern: import redis.clients.jedis.DefaultJedisClientConfig;
-
- (JedisClientConfig|DefaultJedisClientConfig $JEDIS).updatePassword("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^updatePassword$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: type_identifier
- regex: ^(JedisClientConfig|DefaultJedisClientConfig)$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.jedis.*;
- - pattern: import redis.clients.jedis;
- - pattern: import redis.clients.jedis.DefaultJedisClientConfig;
-
- jedis.DefaultJedisClientConfig.builder().password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: method_invocation
- pattern: jedis.DefaultJedisClientConfig.builder()
- - has:
- kind: identifier
- regex: 'password'
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.*;
- - pattern: import redis.clients;
-
- jedis.DefaultJedisClientConfig.Builder $JEDIS).password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^password$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^jedis.DefaultJedisClientConfig.Builder$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.*;
- - pattern: import redis.clients;
-
- jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: method_invocation
- all:
- - has:
- kind: field_access
- nthChild: 1
- regex: ^jedis.DefaultJedisClientConfig$
- - has:
- kind: identifier
- regex: ^create$
- - has:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 5
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.*;
- - pattern: import redis.clients;
-
- new jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: object_creation_expression
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^jedis.DefaultJedisClientConfig$
- nthChild: 1
- - has:
- kind: argument_list
- nthChild: 2
- has:
- kind: string_literal
- nthChild: 5
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.*;
- - pattern: import redis.clients;
-
- (jedis.JedisClientConfig|jedis.DefaultJedisClientConfig $JEDIS).updatePassword("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^updatePassword$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^(jedis.JedisClientConfig|jedis.DefaultJedisClientConfig)$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.clients.*;
- - pattern: import redis.clients;
- - pattern: import redis.clients.jedis.*;
-
- clients.jedis.DefaultJedisClientConfig.builder().password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: method_invocation
- pattern: clients.jedis.DefaultJedisClientConfig.builder()
- - has:
- kind: identifier
- regex: 'password'
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.*;
- - pattern: import redis;
-
- clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^password$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^clients.jedis.DefaultJedisClientConfig.Builder$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.*;
- - pattern: import redis;
-
- clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: method_invocation
- all:
- - has:
- kind: field_access
- nthChild: 1
- regex: ^clients.jedis.DefaultJedisClientConfig$
- - has:
- kind: identifier
- regex: ^create$
- - has:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 5
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.*;
- - pattern: import redis;
-
- new clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "..."):
- kind: object_creation_expression
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^clients.jedis.DefaultJedisClientConfig$
- nthChild: 1
- - has:
- kind: argument_list
- nthChild: 2
- has:
- kind: string_literal
- nthChild: 5
- has:
- kind: string_fragment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.*;
- - pattern: import redis;
-
- (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("..."):
- kind: method_invocation
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $INST
- nthChild: 1
- - has:
- kind: identifier
- regex: ^updatePassword$
- precedes:
- kind: argument_list
- has:
- kind: string_literal
- nthChild:
- position: 1
- ofRule:
- not:
- kind: line_comment
- has:
- kind: string_fragment
- not:
- has:
- nthChild:
- position: 2
- ofRule:
- not:
- kind: line_comment
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- kind: scoped_type_identifier
- regex: ^(clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig)$
- - has:
- kind: variable_declarator
- has:
- kind: identifier
- pattern: $INST
- - inside:
- stopBy: end
- follows:
- stopBy: end
- kind: import_declaration
- any:
- - pattern: import redis.*;
- - pattern: import redis;
-
-rule:
- any:
- - matches: redis.clients.jedis.DefaultJedisClientConfig.builder().password("...")
- - matches: (redis.clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...")
- - matches: redis.clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLI, $USER, "...")
- - matches: new redis.clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: (redis.clients.jedis.JedisClientConfig $JEDIS).updatePassword("...")
- - matches: (redis.clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...")
- - matches: DefaultJedisClientConfig.builder().password("...")
- - matches: (DefaultJedisClientConfig.Builder $JEDIS).password("...")
- - matches: DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: new DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: (JedisClientConfig|DefaultJedisClientConfig $JEDIS).updatePassword("...")
- - matches: jedis.DefaultJedisClientConfig.builder().password("...")
- - matches: jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...")
- - matches: jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: new jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: (jedis.JedisClientConfig|jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...")
- - matches: clients.jedis.DefaultJedisClientConfig.builder().password("...")
- - matches: clients.jedis.DefaultJedisClientConfig.Builder $JEDIS).password("...")
- - matches: clients.jedis.DefaultJedisClientConfig.create($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: new clients.jedis.DefaultJedisClientConfig($CONNECTIONTIMEOUTMILLIS, $SOTIMEOUTMILLIS, $BLOCKINGSOCKETTIMEOUTMILLIS, $USER, "...")
- - matches: (clients.jedis.JedisClientConfig|clients.jedis.DefaultJedisClientConfig $JEDIS).updatePassword("...")
\ No newline at end of file
diff --git a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml b/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml
deleted file mode 100644
index 553c16d0..00000000
--- a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml
+++ /dev/null
@@ -1,949 +0,0 @@ -id: jedis-jedisfactory-hardcoded-password-java -language: java -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true -utils: - MATCH_PATTERN_JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - has: - kind: string_fragment - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^JedisFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: object_creation_expression - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.jedis.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.JedisFactory; - - pattern: import redis.clients.jedis.JedisFactory.*; - - MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end 
- kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: '^setPassword$' - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - has: - kind: string_fragment - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - regex: ^clients.jedis$ - - has: - stopBy: neighbor - kind: type_identifier - regex: '^JedisFactory$|^ConnectionFactory$' - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.*; - - pattern: import redis.clients.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.*; - - MATCH_PATTERN_JEDIS.JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - stopBy: neighbor - kind: string_literal - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - has: - kind: string_fragment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^jedis$ - - has: - stopBy: neighbor - kind: type_identifier - regex: ^JedisFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: 
neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.*; - - MATCH_PATTERN_JEDIS.CONNECTIONFACTORY: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - stopBy: neighbor - kind: string_literal - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - has: - kind: string_fragment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^jedis$ - - has: - stopBy: neighbor - kind: type_identifier - regex: ^ConnectionFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.*; - - MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: '^setPassword$' - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - has: - kind: string_fragment - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - any: - - inside: - stopBy: 
end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - kind: scoped_type_identifier - all: - - has: - kind: scoped_type_identifier - regex: ^redis.clients.jedis$ - - has: - kind: type_identifier - regex: ^(ConnectionFactory|JedisFactory)$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $R - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - kind: scoped_type_identifier - all: - - has: - kind: scoped_type_identifier - regex: ^redis.clients.jedis$ - - has: - kind: type_identifier - regex: ^(ConnectionFactory|JedisFactory)$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $R - - MATCH_PATTERN_CONNECTIONFACTORY: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - has: - kind: string_fragment - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^ConnectionFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: object_creation_expression - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.jedis.*; - - pattern: import redis.clients.jedis.ConnectionFactory; - - pattern: import redis.clients.jedis.ConnectionFactory.*; - - MATCH_PATTERN_JEDIS.JEDISFACTORY(instance): - kind: expression_statement - all: - - has: 
- stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^jedis$ - - has: - stopBy: neighbor - kind: type_identifier - regex: ^JedisFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.*; - - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_fragment - - MATCH_PATTERN_JEDISFACTORY(instance): - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^JedisFactory$ 
- - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: object_creation_expression - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.jedis.JedisFactory.*; - - pattern: import redis.clients.jedis.JedisFactory; - - pattern: import redis.clients.jedis.*; - - pattern: import redis.clients.jedis; - - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_fragment - - MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY(instance): - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: '^setPassword$' - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_fragment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - regex: ^clients.jedis$ - - has: - stopBy: neighbor - kind: type_identifier - regex: '^JedisFactory$|^ConnectionFactory$' - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: 
import_declaration - any: - - pattern: import redis.*; - - pattern: import redis.clients.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.*; - - MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY(instance): - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: '^setPassword$' - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - kind: scoped_type_identifier - all: - - has: - kind: scoped_type_identifier - regex: ^redis.clients.jedis$ - - has: - kind: type_identifier - regex: ^(ConnectionFactory|JedisFactory)$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_fragment - - MATCH_PATTERN_JEDIS.CONNECTIONFACTORY(instance): - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: 
scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^jedis$ - - has: - stopBy: neighbor - kind: type_identifier - regex: ^ConnectionFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.*; - - pattern: import redis.clients.jedis; - - pattern: import redis.clients.jedis.*; - - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_fragment - - MATCH_PATTERN_CONNECTIONFACTORY(instance): - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: ^setPassword$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: ^ConnectionFactory$ - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: object_creation_expression - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import redis.clients.jedis.*; - - pattern: import redis.clients.jedis.ConnectionFactory; - - pattern: import redis.clients.jedis.ConnectionFactory.*; - - inside: - stopBy: end - follows: - stopBy: end - kind: field_declaration - has: - kind: variable_declarator - all: - - 
has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_fragment - - -rule: - kind: expression_statement - any: - - matches: MATCH_PATTERN_JEDIS.JEDISFACTORY - - matches: MATCH_PATTERN_JEDISFACTORY - - matches: MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY - - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY - - matches: MATCH_PATTERN_CONNECTIONFACTORY - - matches: MATCH_PATTERN_JEDIS.CONNECTIONFACTORY - - matches: MATCH_PATTERN_JEDIS.JEDISFACTORY(instance) - - matches: MATCH_PATTERN_JEDISFACTORY(instance) - - matches: MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY(instance) - - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY(instance) - - matches: MATCH_PATTERN_JEDIS.CONNECTIONFACTORY(instance) - - matches: MATCH_PATTERN_CONNECTIONFACTORY(instance) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/java/security/missing-httponly-java.yml b/rules/java/security/missing-httponly-java.yml deleted file mode 100644 index 90f65f94..00000000 --- a/rules/java/security/missing-httponly-java.yml +++ /dev/null 
@@ -1,617 +0,0 @@ -id: missing-httponly-java -language: java -severity: warning -message: >- - Detected a cookie where the `HttpOnly` flag is either missing or - disabled. The `HttpOnly` cookie flag instructs the browser to forbid - client-side JavaScript to read the cookie. If JavaScript interaction is - required, you can ignore this finding. However, set the `HttpOnly` flag to - true` in all other cases. -note: >- - [CWE-1004]: Sensitive Cookie Without 'HttpOnly' Flag - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - -ast-grep-essentials: true - -utils: - commons_not_rule_parts: - all: - - not: - inside: - any: - - kind: method_invocation - - kind: field_access - - not: - has: - stopBy: end - kind: method_invocation - all: - - has: - nthChild: - position: 2 - reverse: true - kind: identifier - field: name - regex: ^(httpOnly)$ - - has: - nthChild: - position: 1 - reverse: true - kind: argument_list - - not: - has: - nthChild: - position: 2 - reverse: true - kind: identifier - field: name - regex: ^(httpOnly)$ - precedes: - kind: argument_list - - cookie.of_pattern_for_c_equals_Cookie.of: - nthChild: 1 - kind: identifier - any: - - regex: ^(io.micronaut.http.cookie.Cookie)$ - - regex: ^(Cookie)$ - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - precedes: - kind: identifier - regex: ^(of)$ - precedes: - kind: argument_list - -rule: - any: - # io.micronaut.http.cookie.Cookie.of(...) 
- - kind: method_invocation - all: - - has: - nthChild: 1 - kind: identifier - field: object - regex: ^(Cookie)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - not: - any: - - inside: - stopBy: end - kind: method_invocation - any: - - has: - kind: identifier - field: name - regex: ^(httpOnly)$ - - inside: - any: - - kind: variable_declarator - - kind: assignment_expression - - inside: - stopBy: end - any: - - kind: variable_declarator - - kind: assignment_expression - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - nthChild: 1 - regex: ^(io.micronaut.http.cookie.Cookie)$ - - - kind: method_invocation - all: - - has: - nthChild: 1 - kind: field_access - field: object - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - not: - any: - - inside: - stopBy: end - any: - - kind: method_invocation - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie.of()) - has: - kind: identifier - field: name - regex: ^(httpOnly)$ - - - inside: - stopBy: end - any: - - kind: method_invocation - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie.of()) - inside: - any: - - kind: variable_declarator - - kind: assignment_expression - - - inside: - any: - - kind: variable_declarator - - kind: assignment_expression - - # new instance of SimpleCookie, NettyCookie and Cookie - # Cookie - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(Cookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - regex: ^(new) - all: - - matches: commons_not_rule_parts 
- - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(Cookie)$ - - has: - kind: argument_list - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - kind: argument_list - nthChild: 2 - - # SimpleCookie - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - regex: ^(new) - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: 
- kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - - # NettyCookie - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - regex: ^(new) - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - 
regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - - # # Assignement Patterns - - kind: identifier - pattern: $C - nthChild: 1 - inside: - kind: variable_declarator - nthChild: 2 - has: - kind: object_creation_expression - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - - kind: scoped_type_identifier - - has: - nthChild: 2 - kind: argument_list - inside: - kind: local_variable_declaration - has: - nthChild: 1 - any: - - kind: scoped_type_identifier - regex: ^(io.micronaut.http.cookie.Cookie|io.micronaut.http.netty.cookies.NettyCookie|io.micronaut.http.simple.cookies.SimpleCookie)$ - not: - precedes: - stopBy: end - has: - stopBy: end - kind: method_invocation - pattern: $C.httpOnly($$$) - - - kind: identifier - pattern: $C - nthChild: 1 - inside: - kind: variable_declarator - nthChild: 2 - has: - kind: object_creation_expression - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - - kind: scoped_type_identifier - - has: - nthChild: 2 - kind: argument_list - inside: - kind: local_variable_declaration - any: - - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - regex: ^(Cookie)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - regex: ^(SimpleCookie)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - regex: ^(NettyCookie)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - not: - precedes: - stopBy: end - has: - stopBy: end - kind: method_invocation - pattern: 
$C.httpOnly($$$) - - # last pattern - - kind: identifier - pattern: $C - nthChild: 1 - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - has: - nthChild: 2 - any: - - any: - - kind: field_access - - kind: method_invocation - not: - has: - stopBy: end - kind: identifier - regex: ^(httpOnly|getCookies)$ - precedes: - kind: argument_list - has: - stopBy: end - kind: method_invocation - all: - - has: - nthChild: 1 - any: - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie)$ - - kind: identifier - regex: ^(Cookie)$ - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - nthChild: 2 - kind: identifier - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - - kind: method_invocation - all: - - has: - nthChild: 1 - any: - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie)$ - - kind: identifier - regex: ^(Cookie)$ - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - nthChild: 2 - kind: identifier - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - not: - inside: - stopBy: end - precedes: - stopBy: end - has: - stopBy: end - kind: method_invocation - pattern: $C.httpOnly($$$) diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml deleted file mode 100644 index 1ad4bd8e..00000000 --- a/rules/java/security/missing-secure-java.yml +++ /dev/null 
@@ -1,616 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - -ast-grep-essentials: true - -utils: - commons_not_rule_parts: - all: - - not: - inside: - any: - - kind: method_invocation - - kind: field_access - - not: - has: - stopBy: end - kind: method_invocation - all: - - has: - nthChild: - position: 2 - reverse: true - kind: identifier - field: name - regex: ^(secure)$ - - has: - nthChild: - position: 1 - reverse: true - kind: argument_list - - not: - has: - nthChild: - position: 2 - reverse: true - kind: identifier - field: name - regex: ^(secure)$ - precedes: - kind: argument_list - - cookie.of_pattern_for_c_equals_Cookie.of: - nthChild: 1 - kind: identifier - any: - - regex: ^(io.micronaut.http.cookie.Cookie)$ - - regex: ^(Cookie)$ - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - precedes: - kind: identifier - regex: ^(of)$ - precedes: - kind: argument_list - -rule: - any: - # io.micronaut.http.cookie.Cookie.of(...) 
- - kind: method_invocation - all: - - has: - nthChild: 1 - kind: identifier - field: object - regex: ^(Cookie)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - not: - any: - - inside: - stopBy: end - kind: method_invocation - any: - - has: - kind: identifier - field: name - regex: ^(secure)$ - - inside: - any: - - kind: variable_declarator - - kind: assignment_expression - - inside: - stopBy: end - any: - - kind: variable_declarator - - kind: assignment_expression - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - nthChild: 1 - regex: ^(io.micronaut.http.cookie.Cookie)$ - - - kind: method_invocation - all: - - has: - nthChild: 1 - kind: field_access - field: object - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - nthChild: 2 - kind: identifier - field: name - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - not: - any: - - inside: - stopBy: end - any: - - kind: method_invocation - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie.of()) - has: - kind: identifier - field: name - regex: ^(secure)$ - - - inside: - stopBy: end - any: - - kind: method_invocation - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie.of()) - inside: - any: - - kind: variable_declarator - - kind: assignment_expression - - - inside: - any: - - kind: variable_declarator - - kind: assignment_expression - - # new instance of SimpleCookie, NettyCookie and Cookie - # Cookie - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(Cookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - regex: ^(new) - all: - - matches: commons_not_rule_parts - - 
has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(Cookie)$ - - has: - kind: argument_list - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - kind: argument_list - nthChild: 2 - - # SimpleCookie - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - regex: ^(new) - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - 
kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - has: - kind: argument_list - nthChild: 2 - - # NettyCookie - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - regex: ^(new) - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - nthChild: 1 - regex: ^(NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - - - any: - - kind: object_creation_expression - not: - inside: - any: - - kind: field_access - - kind: method_invocation - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - - not: - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - - - any: - - kind: method_invocation - - kind: field_access - all: - - matches: commons_not_rule_parts - - has: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - nthChild: 1 - 
regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - - has: - kind: argument_list - nthChild: 2 - - # # Assignement Patterns - - kind: identifier - pattern: $C - nthChild: 1 - inside: - kind: variable_declarator - nthChild: 2 - has: - kind: object_creation_expression - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - - kind: scoped_type_identifier - - has: - nthChild: 2 - kind: argument_list - inside: - kind: local_variable_declaration - has: - nthChild: 1 - any: - - kind: scoped_type_identifier - regex: ^(io.micronaut.http.cookie.Cookie|io.micronaut.http.netty.cookies.NettyCookie|io.micronaut.http.simple.cookies.SimpleCookie)$ - not: - precedes: - stopBy: end - has: - stopBy: end - kind: method_invocation - pattern: $C.secure($$$) - - - kind: identifier - pattern: $C - nthChild: 1 - inside: - kind: variable_declarator - nthChild: 2 - has: - kind: object_creation_expression - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - - kind: scoped_type_identifier - - has: - nthChild: 2 - kind: argument_list - inside: - kind: local_variable_declaration - any: - - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - regex: ^(Cookie)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - regex: ^(SimpleCookie)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.simple.cookies.SimpleCookie)$ - - all: - - has: - nthChild: 1 - any: - - kind: type_identifier - regex: ^(NettyCookie)$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.netty.cookies.NettyCookie)$ - not: - precedes: - stopBy: end - has: - stopBy: end - kind: method_invocation - pattern: 
$C.secure($$$) - - # last pattern - - kind: identifier - pattern: $C - nthChild: 1 - inside: - any: - - kind: assignment_expression - - kind: variable_declarator - has: - nthChild: 2 - any: - - any: - - kind: field_access - - kind: method_invocation - not: - has: - stopBy: end - kind: identifier - regex: ^(secure|getCookies)$ - precedes: - kind: argument_list - has: - stopBy: end - kind: method_invocation - all: - - has: - nthChild: 1 - any: - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie)$ - - kind: identifier - regex: ^(Cookie)$ - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - nthChild: 2 - kind: identifier - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - - kind: method_invocation - all: - - has: - nthChild: 1 - any: - - kind: field_access - regex: ^(io.micronaut.http.cookie.Cookie)$ - - kind: identifier - regex: ^(Cookie)$ - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - nthChild: 1 - kind: scoped_identifier - regex: ^(io.micronaut.http.cookie.Cookie)$ - - has: - nthChild: 2 - kind: identifier - regex: ^(of)$ - - has: - nthChild: 3 - kind: argument_list - - not: - inside: - stopBy: end - precedes: - stopBy: end - has: - stopBy: end - kind: method_invocation - pattern: $C.secure($$$) diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml deleted file mode 100644 index acca08a3..00000000 --- a/rules/java/security/no-null-cipher-java.yml +++ /dev/null 
@@ -1,45 +0,0 @@
-id: no-null-cipher-java
-severity: warning
-language: java
-message: >-
- NullCipher was detected. This will not encrypt anything; the cipher
- text will be the same as the plain text. Use a valid, secure cipher:
- Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
- https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
- for more information.
-note: >-
- [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
- [REFERENCES]
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-
-ast-grep-essentials: true
-
-rule:
- any:
- - kind: local_variable_declaration
- not:
- any:
- - has:
- stopBy: end
- kind: local_variable_declaration
- - kind: expression_statement
- not:
- has:
- stopBy: end
- kind: local_variable_declaration
- - kind: field_declaration
- has:
- stopBy: end
- any:
- - pattern: new NullCipher($$$)
- - pattern: new javax.crypto.NullCipher($$$)
- not:
- all:
- - inside:
- stopBy: end
- kind: ERROR
- - has:
- stopBy: end
- kind: ERROR
-
-
diff --git a/rules/java/security/passwordauthentication-hardcoded-password-java.yml b/rules/java/security/passwordauthentication-hardcoded-password-java.yml
deleted file mode 100644
index aa48b0ec..00000000
--- a/rules/java/security/passwordauthentication-hardcoded-password-java.yml
+++ /dev/null
@@ -1,655 +0,0 @@ -id: passwordauthentication-hardcoded-password-java -language: java -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true -utils: - updated_code: - kind: string_literal - inside: - kind: method_invocation - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - kind: string_literal - - has: - kind: identifier - field: name - regex: "^toCharArray$" - - has: - kind: argument_list - not: - any: - - has: - kind: identifier - - has: - kind: method_invocation - - has: - kind: string_literal - - has: - kind: decimal_integer_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - - has: - kind: argument_list - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - field: scope - all: - - has: - kind: identifier - field: scope - regex: "^java$" - - has: - kind: identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - not: - inside: - stopBy: end - kind: enum_declaration - updated_code2: - kind: string_literal - inside: - kind: method_invocation - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - 
has: - kind: string_literal - - has: - kind: identifier - field: name - regex: "^toCharArray$" - - has: - kind: argument_list - not: - any: - - has: - kind: identifier - - has: - kind: method_invocation - - has: - kind: string_literal - - has: - kind: decimal_integer_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - - has: - kind: argument_list - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - field: scope - all: - - has: - kind: identifier - field: scope - regex: "^java$" - - has: - kind: identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - updated_code3: - kind: string_literal - inside: - kind: method_invocation - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - kind: string_literal - - has: - kind: identifier - field: name - regex: "^toCharArray$" - - has: - kind: argument_list - not: - any: - - has: - kind: identifier - - has: - kind: method_invocation - - has: - kind: string_literal - - has: - kind: decimal_integer_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - - has: - kind: argument_list - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: local_variable_declaration - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - field: scope - all: - - has: - kind: identifier - field: scope - regex: 
"^java$" - - has: - kind: identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - match_array_creation: - kind: array_creation_expression - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - kind: integral_type - - has: - kind: dimensions - not: - any: - - has: - kind: identifier - - has: - kind: method_invocation - - has: - kind: string_literal - - has: - kind: decimal_integer_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: argument_list - inside: - kind: object_creation_expression - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - inside: - stopBy: end - kind: local_variable_declaration - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - all: - - has: - kind: identifier - field: scope - regex: "^java$" - - has: - kind: identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - match_array_creation2: - kind: array_creation_expression - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - kind: integral_type - - has: - kind: dimensions - not: - any: - - has: - kind: identifier - - has: - kind: method_invocation - - has: - kind: string_literal - - has: - kind: decimal_integer_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: argument_list - inside: - kind: object_creation_expression - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - inside: - stopBy: end - kind: local_variable_declaration - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - all: - - has: - kind: identifier - field: scope - regex: "^java$" - - has: - kind: 
identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - match_code_with_identifier: - kind: identifier - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - pattern: $A - inside: - kind: argument_list - inside: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: type_identifier - field: type - regex: "^PasswordAuthentication$" - - has: - kind: argument_list - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - all: - - has: - kind: array_type - field: type - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $A - - any: - - has: - kind: string_literal - has: - kind: string_fragment - - has: - kind: method_invocation - all: - - has: - kind: string_literal - has: - kind: string_fragment - - any: - - has: - kind: identifier - field: name - - has: - kind: argument_list - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - all: - - has: - kind: identifier - field: scope - regex: "^java$" - - has: - kind: identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - match_java_net_without_instance: - kind: string_literal - inside: - kind: method_invocation - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - kind: string_literal - - has: - kind: identifier - field: name - regex: "^toCharArray$" - - has: - kind: argument_list - not: - any: - - has: - kind: identifier - - has: - kind: method_invocation - - has: - kind: string_literal - - has: - kind: decimal_integer_literal - - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: 
scoped_type_identifier - all: - - has: - kind: scoped_type_identifier - all: - - has: - kind: type_identifier - regex: "^java$" - - has: - kind: type_identifier - regex: "^net$" - - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - - has: - kind: argument_list - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - field: scope - all: - - has: - kind: identifier - field: scope - regex: "^java$" - - has: - kind: identifier - field: name - regex: "^net$" - - has: - kind: identifier - field: name - regex: "^PasswordAuthentication$" - not: - inside: - stopBy: end - kind: enum_declaration - match_java_net_with_instance: - kind: identifier - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - pattern: $O - inside: - kind: argument_list - inside: - stopBy: end - kind: object_creation_expression - all: - - has: - kind: scoped_type_identifier - all: - - has: - kind: scoped_type_identifier - all: - - has: - kind: type_identifier - regex: "^java$" - - has: - kind: type_identifier - regex: "^net$" - - has: - kind: type_identifier - regex: "^PasswordAuthentication$" - - has: - kind: argument_list - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - all: - - has: - kind: array_type - field: type - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $O - - any: - - has: - kind: string_literal - has: - kind: string_fragment - - has: - kind: method_invocation - all: - - has: - kind: string_literal - has: - kind: string_fragment - - any: - - has: - kind: identifier - field: name - - has: - kind: argument_list - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - has: - kind: 
scoped_identifier
- all:
- - has:
- kind: scoped_identifier
- all:
- - has:
- kind: identifier
- field: scope
- regex: "^java$"
- - has:
- kind: identifier
- field: name
- regex: "^net$"
- - has:
- kind: identifier
- field: name
- regex: "^PasswordAuthentication$"
-rule:
- any:
- - matches: updated_code
- - matches: updated_code2
- - matches: updated_code3
- - matches: match_array_creation
- - matches: match_array_creation2
- - matches: match_code_with_identifier
- - matches: match_java_net_without_instance
- - matches: match_java_net_with_instance
- not:
- any:
- - has:
- stopBy: end
- kind: ERROR
- - inside:
- stopBy: end
- kind: ERROR
diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml
deleted file mode 100644
index 905f0e6f..00000000
--- a/rules/java/security/rsa-no-padding-java.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: rsa-no-padding-java
-severity: warning
-language: java
-message: >-
- Using RSA without OAEP mode weakens the encryption.
-note: >-
- [CWE-326] Inadequate Encryption Strength
- [REFERENCES]
- - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
-ast-grep-essentials: true
-rule:
- pattern: $YST.getInstance($MODE)
-constraints:
- MODE:
- regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
diff --git a/rules/java/security/simple-command-injection-direct-input-java.yml b/rules/java/security/simple-command-injection-direct-input-java.yml
deleted file mode 100644
index 7933ab1f..00000000
--- a/rules/java/security/simple-command-injection-direct-input-java.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-id: simple-command-injection-direct-input-java
-language: java
-severity: warning
-message: >-
- "Untrusted input might be injected into a command executed by the
- application, which can lead to a command injection vulnerability. An
- attacker can execute arbitrary commands, potentially gaining complete
- control of the system. To prevent this vulnerability, avoid executing OS
- commands with user input. If this is unavoidable, validate and sanitize
- the input, and use safe methods for executing the commands. For more
- information, see: [Java command injection
- prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/\
- )"
-note: >-
- [CWE-78] Improper Neutralization of Special Elements used in an OS
- [REFERENCES]
- - https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html
- - https://owasp.org/Top10/A03_2021-Injection
-ast-grep-essentials: true
-rule:
- kind: method_invocation
- pattern: Runtime.getRuntime().exec($SOURCE)
- inside:
- kind: method_declaration
- stopBy: end
- has:
- stopBy: end
- kind: formal_parameter
- has:
- kind: modifiers
- any:
- - has:
- kind: marker_annotation
- has:
- kind: identifier
- pattern: $REQ
- - has:
- kind: annotation
- all:
- - has:
- kind: identifier
- pattern: $REQ
- - has:
- kind: annotation_argument_list
- precedes:
- kind: type_identifier
- pattern: $TYPE
- precedes:
- kind: identifier
- pattern: $SOURCE
-
-constraints:
- REQ:
- regex: ^(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)
- TYPE:
- regex: 
^[^I].*|^I[^n].*|^In[^t].*|^Int[^e].*|^Inte[^g].*|^Integ[^e].*|^Inge[^r].*|^L[^o].*|^Lo[^n].*|^Lon[^g].*|^F[^l].*|^Fl[^o].*|^Flo[^a].*|^Floa[^t].*|^D[^o].*|^Do[^u].*|^Dou[^b].*|^Doub[^l].*|^Doubl[^e].*|^C[^h].*|^Ch[^a].*|^Cha[^r].*|^B[^o].*|^Bo[^o].*|^Boo[^l].*|^Bool[^e].*|^Boole[^a].*|^Boolea[^n].*|^i[^n].*|^in[^t].*|^l[^o].*|^lo[^n].*|^lon[^g].*|^f[^l].*|^fl[^o].*|^flo[^a].*|^floa[^t].*|^d[^o].*|^do[^u].*|^dou[^b].*|^doub[^l].*|^doubl[^e].*|^c[^h].*|^ch[^a].*|^cha[^r].*|^b[^o].*|^bo[^o].*|^boo[^l].*|^bool[^e].*|^boole[^a].*|^boolea[^n].*
diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
deleted file mode 100644
index cbf983fd..00000000
--- a/rules/java/security/system-setproperty-hardcoded-secret-java.yml
+++ /dev/null
@@ -1,321 +0,0 @@ -id: system-setproperty-hardcoded-secret-java -severity: warning -language: java -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true -utils: - match_string_literal: - kind: string_fragment - inside: - kind: string_literal - all: - - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - kind: argument_list - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - - has: - kind: string_literal - has: - kind: string_fragment - regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - regex: ^System$ - - has: - kind: identifier - nthChild: 2 - regex: ^setProperty$ - - match_string_literal_instance: - kind: identifier - pattern: $PASSWORD - all: - - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - kind: argument_list - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - - has: - kind: string_literal - has: - kind: string_fragment - regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - regex: ^System$ - - has: - kind: identifier - nthChild: 2 - regex: ^setProperty$ - - any: - - inside: - stopBy: end - 
follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - - - match_string_literal_with_link_instance: - kind: string_fragment - inside: - kind: string_literal - all: - - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - kind: argument_list - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - - has: - kind: identifier - pattern: $LINK - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - regex: ^System$ - - has: - kind: identifier - nthChild: 2 - regex: ^setProperty$ - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $LINK - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $LINK - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ - - match_pattern_with_both-links: - kind: identifier - pattern: $PASSWORD - all: - - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - kind: argument_list - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - - 
has: - kind: identifier - pattern: $LINK - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - regex: ^System$ - - has: - kind: identifier - nthChild: 2 - regex: ^setProperty$ - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $LINK - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $LINK - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASSWORD - nthChild: 1 - - has: - kind: string_literal - nthChild: 2 - has: - kind: string_fragment - -rule: - any: - - matches: match_string_literal - - matches: match_string_literal_instance - - matches: match_string_literal_with_link_instance - - matches: match_pattern_with_both-links diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml deleted file mode 100644 index 96c8c0bb..00000000 --- a/rules/java/security/unencrypted-socket-java.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -id: unencrypted-socket-java -language: java -severity: info -message: >- - "Detected use of a Java socket that is not encrypted. As a result, the - traffic could be read by an attacker intercepting the network traffic. Use - an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' - instead." -note: >- - [CWE-319] Cleartext Transmission of Sensitive Information - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -ast-grep-essentials: true - -rule: - any: - - pattern: new ServerSocket($$$) - - pattern: new Socket($$$) - not: - has: - stopBy: end - kind: ERROR - diff --git a/rules/java/security/use-of-aes-ecb-java.yml b/rules/java/security/use-of-aes-ecb-java.yml deleted file mode 100644 index ca4f64f2..00000000 --- a/rules/java/security/use-of-aes-ecb-java.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -id: use-of-aes-ecb-java -language: java -severity: warning -message: >- - Use of AES with ECB mode detected. ECB doesn't provide message - confidentiality and is not semantically secure so should not be used. - Instead, use a strong, secure cipher: - Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html - -ast-grep-essentials: true - -utils: - match_method_invocation: - kind: method_invocation - all: - - has: - kind: identifier - field: name - regex: "^getInstance$" - nthChild: 2 - - has: - kind: argument_list - has: - kind: string_literal - has: - kind: string_fragment - regex: "AES/ECB" - matches_method_invocation_with_identifier: - kind: method_invocation - all: - - has: - kind: identifier - field: name - regex: "^getInstance$" - nthChild: 2 - - has: - kind: argument_list - has: - kind: identifier - pattern: $I - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: local_variable_declaration - - kind: field_declaration - all: - - has: - kind: type_identifier - field: type - - has: - kind: variable_declarator - all: - - has: - kind: identifier - field: name - pattern: $I - - has: - kind: string_literal - has: - kind: string_fragment - -rule: - any: - - matches: match_method_invocation - - matches: matches_method_invocation_with_identifier diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml deleted file mode 100644 index e8852419..00000000 --- a/rules/java/security/use-of-blowfish-java.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: use-of-blowfish-java -severity: warning -language: java -message: >- - 'Use of Blowfish was detected. Blowfish uses a 64-bit block size - that makes it vulnerable to birthday attacks, and is therefore considered - non-compliant. Instead, use a strong, secure cipher: - Cipher.getInstance("AES/CBC/PKCS7PADDING"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information.' -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html - -ast-grep-essentials: true -rule: - kind: method_invocation - all: - - has: - kind: identifier - field: name - regex: ^getInstance$ - nthChild: - position: 2 - reverse: true - - has: - kind: argument_list - field: arguments - nthChild: - position: 1 - reverse: true - has: - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - kind: string_literal - has: - kind: string_fragment - regex: ^Blowfish$ - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment diff --git a/rules/java/security/use-of-default-aes-java.yml b/rules/java/security/use-of-default-aes-java.yml deleted file mode 100644 index efc9fb51..00000000 --- a/rules/java/security/use-of-default-aes-java.yml +++ /dev/null 
@@ -1,320 +0,0 @@ -id: use-of-default-aes-java -severity: warning -language: java -message: >- - "Use of AES with no settings detected. By default, java.crypto.Cipher - uses ECB mode. ECB doesn't provide message confidentiality and is not - semantically secure so should not be used. Instead, use a strong, secure - cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information." -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html - -ast-grep-essentials: true -rule: - any: - - kind: method_invocation - all: - - has: - kind: field_access - nthChild: 1 - regex: ^javax.crypto.Cipher$ - - has: - kind: identifier - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - nthChild: 3 - has: - pattern: $AES - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.*; - - pattern: import javax; - - kind: import_declaration - has: - stopBy: neighbor - kind: scoped_identifier - has: - stopBy: end - kind: identifier - nthChild: 1 - regex: ^javax$ - - kind: method_invocation - all: - - has: - kind: field_access - nthChild: 1 - regex: ^crypto.Cipher$ - - has: - kind: identifier - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - has: - pattern: $AES - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - kind: import_declaration - has: - stopBy: neighbor - kind: scoped_identifier - has: - stopBy: end - kind: 
identifier - nthChild: 1 - regex: ^javax$ - - pattern: import javax.crypto; - - pattern: import javax.*; - - kind: import_declaration - has: - stopBy: neighbor - kind: scoped_identifier - has: - stopBy: end - kind: identifier - nthChild: 1 - regex: ^javax$ - - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - regex: ^Cipher$ - - has: - kind: identifier - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - has: - pattern: $AES - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.crypto.*; - - pattern: import javax.crypto.Cipher; - - kind: import_declaration - has: - stopBy: neighbor - kind: scoped_identifier - has: - stopBy: end - kind: identifier - nthChild: 1 - regex: ^javax.crypto.*$ - - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - pattern: $INST - - has: - kind: identifier - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - has: - pattern: $AES - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^javax.crypto.Cipher$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.crypto.Cipher; - - pattern: import javax; - - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - pattern: $INST - - has: - kind: identifier - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - has: - pattern: $AES - nthChild: - position: 1 - ofRule: - not: - kind: 
line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - kind: scoped_type_identifier - regex: ^crypto.Cipher$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.*; - - pattern: import javax.crypto; - - pattern: import javax.crypto.Cipher; - - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 1 - pattern: $INST - - has: - kind: identifier - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - has: - pattern: $AES - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: field_declaration - - kind: local_variable_declaration - all: - - has: - kind: type_identifier - regex: ^Cipher$ - - has: - kind: variable_declarator - has: - kind: identifier - pattern: $INST - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.crypto.Cipher; - - pattern: import javax.crypto.*; - not: - has: - stopBy: end - kind: ERROR -constraints: - AES: - kind: string_literal - all: - - has: - kind: string_fragment - regex: ^\s*(AES)\s*$ \ No newline at end of file diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml deleted file mode 100644 index 553bac8a..00000000 --- a/rules/java/security/use-of-md5-digest-utils-java.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: use-of-md5-digest-utils-java -language: java -severity: warning -message: >- - 'Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead.' -note: >- - [CWE-328] Use of Weak Hash - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -rule: - kind: identifier - regex: ^getMd5Digest$ - nthChild: 2 - precedes: - nthChild: 3 - kind: argument_list - not: - has: - nthChild: 1 - inside: - kind: method_invocation - nthChild: 1 - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 2 - regex: ^digest$ - - has: - kind: argument_list - nthChild: 3 - - not: - has: - stopBy: end - kind: ERROR - diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml deleted file mode 100644 index b7db1f27..00000000 --- a/rules/java/security/use-of-md5-java.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -id: use-of-md5-java -severity: warning -language: java -message: >- - Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -rule: - any: - - kind: string_literal - - kind: character_literal - pattern: $ALGO - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - inside: - stopBy: end - any: - - kind: method_invocation - all: - - has: - kind: identifier - regex: ^MessageDigest$ - nthChild: 1 - - has: - kind: identifier - regex: ^getInstance$ - nthChild: 2 - - has: - kind: argument_list - nthChild: 3 - all: - - has: - pattern: $ALGO - not: - precedes: - stopBy: end - pattern: $ALGO - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - pattern: import java.security.MessageDigest; - - inside: - stopBy: end - any: - - kind: expression_statement - - kind: variable_declarator - - kind: method_invocation - all: - - has: - kind: field_access - regex: ^java.security.MessageDigest$ - nthChild: 1 - - has: - kind: identifier - regex: ^getInstance$ - nthChild: 2 - - has: - kind: argument_list - nthChild: 3 - all: - - has: - pattern: $ALGO - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - pattern: import java.security.MessageDigest; - - inside: - stopBy: end - any: - - kind: expression_statement - - kind: variable_declarator - not: - has: - stopBy: end - kind: ERROR -constraints: - ALGO: - any: - - kind: character_literal - regex: ^'MD5 - - kind: string_literal - has: - kind: string_fragment - regex: ^MD5 - \ No newline at end of file 
diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml deleted file mode 100644 index 4aab8efd..00000000 --- a/rules/java/security/use-of-rc2-java.yml +++ /dev/null @@ -1,87 +0,0 @@ -id: use-of-rc2-java -language: java -severity: warning -message: >- - Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and - is therefore considered non-compliant. Instead, use a strong, secure. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -ast-grep-essentials: true -utils: - $CIPHER.getInstance("RC2"): - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - nthchild: 1 - - has: - stopBy: neighbor - kind: identifier - nthchild: 2 - regex: ^getInstance$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: end - kind: string_fragment - regex: ^RC2$ - - not: - has: - stopBy: end - kind: array_access - - $CIPHER.getInstance("RC2")_with_instance: - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - nthchild: 1 - - has: - stopBy: neighbor - kind: identifier - nthchild: 2 - regex: ^getInstance$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: identifier - pattern: $RC2 - not: - inside: - stopBy: end - kind: array_access - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $RC2 - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_fragment - regex: ^RC2$ - -rule: - kind: method_invocation - any: - - matches: $CIPHER.getInstance("RC2") - - matches: $CIPHER.getInstance("RC2")_with_instance 
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml deleted file mode 100644 index ad4c235c..00000000 --- a/rules/java/security/use-of-rc4-java.yml +++ /dev/null @@ -1,41 +0,0 @@ -id: use-of-rc4-java -language: java -severity: warning -message: >- - 'Use of RC4 was detected. RC4 is vulnerable to several attacks, - including stream cipher attacks and bit flipping attacks. Instead, use a - strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information.' -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -ast-grep-essentials: true -rule: - pattern: $CIPHER.getInstance($ARGUMENT) - -constraints: - ARGUMENT: - any: - - has: - stopBy: end - kind: string_literal - has: - kind: string_fragment - regex: ^RC4$ - - kind: string_literal - has: - kind: string_fragment - regex: ^RC4$ - - all: - - not: - has: - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: array_access diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml deleted file mode 100644 index b2268c1c..00000000 --- a/rules/java/security/use-of-sha1-java.yml +++ /dev/null 
@@ -1,172 +0,0 @@ -id: use-of-sha1-java -severity: warning -language: java -message: >- - Detected SHA1 hash algorithm which is considered insecure. SHA1 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 - for other hash function applications. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true -utils: - java.security.MessageDigest.getInstance("SHA-1"): - kind: method_invocation - all: - - has: - kind: field_access - regex: ^java.security.MessageDigest$ - - has: - kind: identifier - regex: ^getInstance$ - - has: - kind: argument_list - has: - kind: string_literal - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - has: - kind: string_fragment - any: - - regex: ^SHA-1 - - regex: ^SHA1 - - MessageDigest.getInstance("SHA-1"): - kind: method_invocation - all: - - has: - kind: identifier - regex: ^MessageDigest$ - nthChild: 1 - - has: - kind: identifier - regex: ^getInstance$ - nthChild: 2 - - has: - kind: argument_list - has: - kind: string_literal - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - has: - kind: string_fragment - any: - - regex: ^SHA-1 - - regex: ^SHA1 - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - pattern: import java.security.MessageDigest - - MessageDigest.getInstance("SHA-1")_with_Instance: - kind: method_invocation - all: - - has: - kind: identifier - regex: ^MessageDigest$ - nthChild: 1 - - has: - kind: identifier - regex: ^getInstance$ - nthChild: 2 - - has: - kind: argument_list - has: - kind: identifier - pattern: $SHA - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - pattern: import java.security.MessageDigest - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - 
has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $SHA - - has: - kind: string_literal - has: - kind: string_fragment - any: - - regex: ^SHA-1 - - regex: ^SHA1 - - java.security.MessageDigest.getInstance("SHA-1")_with_Instance: - kind: method_invocation - all: - - has: - kind: field_access - regex: ^java.security.MessageDigest$ - - has: - kind: identifier - regex: ^getInstance$ - - has: - kind: argument_list - has: - kind: identifier - pattern: $SHA - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - inside: - stopBy: end - follows: - stopBy: end - kind: local_variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $SHA - - has: - kind: string_literal - has: - kind: string_fragment - any: - - regex: ^SHA-1 - - regex: ^SHA1 - -rule: - kind: method_invocation - any: - - matches: java.security.MessageDigest.getInstance("SHA-1") - - pattern: $DU.getSha1Digest().digest($$$) - - matches: MessageDigest.getInstance("SHA-1") - - matches: MessageDigest.getInstance("SHA-1")_with_Instance - - matches: java.security.MessageDigest.getInstance("SHA-1")_with_Instance - all: - - not: - inside: - stopBy: end - kind: ERROR - - not: - has: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/java/security/weak-ssl-context-java.yml b/rules/java/security/weak-ssl-context-java.yml deleted file mode 100644 index c2fd1959..00000000 --- a/rules/java/security/weak-ssl-context-java.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -id: weak-ssl-context-java -language: java -severity: warning -message: >- - 'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all - SSL versions are considered weak encryption and are deprecated. Use - SSLContext.getInstance("TLSv1.2") for the best security.' -note: >- - [CWE-326] Inadequate Encryption Strength - [REFERENCES] - - https://tools.ietf.org/html/rfc7568 - - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html - -ast-grep-essentials: true - -# rule: -# all: -# - pattern: SSLContext.getInstance($CONTEXT) - -# constraints: -# CONTEXT: -# any: -# - kind: string_literal -# has: -# kind: string_fragment -# all: -# - not: -# regex: ^TLSv1.2$ -# - not: -# regex: ^TLSv1.3$ -# - kind: string_literal -# not: -# has: -# kind: string_fragment - -rule: - kind: method_invocation - not: - has: - stopBy: end - kind: method_invocation - all: - - has: - kind: identifier - field: object - nthChild: 1 - regex: ^SSLContext$ - - has: - kind: identifier - field: name - nthChild: 2 - regex: ^getInstance$ - - has: - kind: argument_list - field: arguments - nthChild: 3 - has: - nthChild: - position: 1 - ofRule: - kind: string_literal - any: - - not: - has: - kind: string_fragment - - has: - kind: string_fragment - all: - - not: - regex: ^TLSv1.2$ - - not: - regex: ^TLSv1.3$ - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment diff --git a/rules/javascript/security/detect-angular-sce-disabled-javascript.yml b/rules/javascript/security/detect-angular-sce-disabled-javascript.yml deleted file mode 100644 index 855b995a..00000000 --- a/rules/javascript/security/detect-angular-sce-disabled-javascript.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: detect-angular-sce-disabled-javascript -language: javascript -severity: warning -message: >- - $sceProvider is set to false. Disabling Strict Contextual escaping - (SCE) in an AngularJS application could provide additional attack surface - for XSS vulnerabilities. -note: >- - [CWE-79] Improper Neutralization of Input During Web Page Generation. - [REFERENCES] - - https://docs.angularjs.org/api/ng/service/$sce - - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf - -ast-grep-essentials: true - -rule: - pattern: | - $sceProvider.enabled(false); diff --git a/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml b/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml deleted file mode 100644 index 372fe270..00000000 --- a/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml +++ /dev/null 
@@ -1,295 +0,0 @@ -id: express-jwt-hardcoded-secret-javascript -language: javascript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - MATCH_SECRET_DIRECTLY: - kind: pair - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: "^secret$" - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - - - any: - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: 
end - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - MATCH_PATTERN_WITH_INSTANCE: - kind: pair - pattern: $O - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - pattern: $O - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: "^secret$" - - has: - stopBy: neighbor - kind: identifier - pattern: $F - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $F - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - - - any: - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: 
identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" -rule: - kind: pair - any: - - matches: MATCH_SECRET_DIRECTLY - - matches: MATCH_PATTERN_WITH_INSTANCE diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml deleted file mode 100644 index eb1331a5..00000000 --- a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -id: express-session-hardcoded-secret-javascript -language: javascript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - MATCH_SECRET: - kind: pair - pattern: $C - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - pattern: $C - all: - - has: - stopBy: end - kind: property_identifier - pattern: $S - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - - - follows: - stopBy: end - kind: import_statement - any: - - pattern: import session from 'express' - - pattern: import session from 'express-session' - - pattern: import {session} from 'express-session' - - pattern: import * as session from 'express-session' - MATCH_SECRET_with_Instance: - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^secret$ - - has: - stopBy: neighbor - kind: identifier - pattern: $SECRET - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $SECRET - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - - inside: - stopBy: end - any: - - kind: lexical_declaration - - kind: expression_statement - follows: - stopBy: end - kind: import_statement - any: - - 
pattern: import session from 'express' - - pattern: import session from 'express-session' - - pattern: import {session} from 'express-session' - - pattern: import * as session from 'express-session' - -rule: - kind: pair - any: - - matches: MATCH_SECRET - - matches: MATCH_SECRET_with_Instance - -constraints: - S: - regex: "^secret$" diff --git a/rules/javascript/security/jwt-simple-noverify-javascript.yml b/rules/javascript/security/jwt-simple-noverify-javascript.yml deleted file mode 100644 index 99a1627d..00000000 --- a/rules/javascript/security/jwt-simple-noverify-javascript.yml +++ /dev/null @@ -1,45 +0,0 @@ -id: jwt-simple-noverify-javascript -language: JavaScript -severity: warning -message: >- - "Detected the decoding of a JWT token without a verify step. JWT tokens - must be verified before use, otherwise the token's integrity is unknown. - This means a malicious actor could forge a JWT token with any claims. Set - 'verify' to `true` before using the token." -note: >- - [CWE-287] Improper Authentication - [CWE-345] Insufficient Verification of Data Authenticity - [CWE-347] Improper Verification of Cryptographic Signature - [REFERENCES] - - https://www.npmjs.com/package/jwt-simple - - https://cwe.mitre.org/data/definitions/287 - - https://cwe.mitre.org/data/definitions/345 - - https://cwe.mitre.org/data/definitions/347 -ast-grep-essentials: true -rule: - kind: call_expression - any: - - pattern: $JWT.decode($TOKEN, $SECRET, true $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, "$$$" $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, '$$$' $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, `$$$` $$$) - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: lexical_declaration - all: - - has: - stopBy: end - kind: identifier - pattern: $JWT - - has: - stopBy: end - kind: call_expression - pattern: require('jwt-simple') - - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - pattern: $JWT = require('jwt-simple') 
diff --git a/rules/javascript/security/node-rsa-weak-key-javascript.yml b/rules/javascript/security/node-rsa-weak-key-javascript.yml deleted file mode 100644 index 6774832b..00000000 --- a/rules/javascript/security/node-rsa-weak-key-javascript.yml +++ /dev/null 
@@ -1,581 +0,0 @@ -id: node-rsa-weak-key-javascript -language: javascript -severity: warning -message: >- - Use of RSA-$BITS, which is considered weak. Based on NIST standards, - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -ast-grep-essentials: true -utils: - MATCH_BITS_DIRECTLY_NODE_FORGE: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $A - - has: - stopBy: end - kind: property_identifier - regex: "^rsa$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $A - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: neighbor - kind: property_identifier - regex: "^pki$" - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - 
has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - MATCH_BITS_DIRECTLY_NODE_RSA: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: end - kind: number - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - MATCH_BITS_WITHIN_FUNCTION_WITH_NODE_FORGE: - kind: number - pattern: $R - inside: - stopBy: end - kind: variable_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: 
call_expression - all: - - has: - stopBy: end - kind: member_expression - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO_AND_PROMISIFY: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - has: - stopBy: end - kind: property_identifier - regex: "^promisify$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: 
"^rsa$" - - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - regex: "^modulusLength$" - - has: - stopBy: end - kind: number - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^rsa$" - - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - regex: "^modulusLength$" - - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - 
kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $S - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" -rule: - kind: number - any: - - matches: MATCH_BITS_DIRECTLY_NODE_FORGE - - matches: MATCH_BITS_DIRECTLY_NODE_RSA - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_NODE_FORGE - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO_AND_PROMISIFY - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO - -constraints: - R: - regex: ^(-?(0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?)$ diff --git a/rules/javascript/security/node-sequelize-empty-password-argument-javascript.yml b/rules/javascript/security/node-sequelize-empty-password-argument-javascript.yml deleted file mode 100644 index 795a50b9..00000000 --- a/rules/javascript/security/node-sequelize-empty-password-argument-javascript.yml +++ /dev/null 
@@ -1,195 +0,0 @@ -id: node-sequelize-empty-password-argument-javascript -language: javascript -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - MATCH_BLANK_PASSWORD: - kind: string - pattern: $Q - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string - nthChild: 3 - pattern: $Q - not: - has: - stopBy: end - kind: string_fragment - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^sequelize$" - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - - MATCH_BLANK_PASSWORD_WITH_INSTANCE: - kind: identifier - pattern: $Q - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: 
end - kind: new_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: identifier - nthChild: 3 - pattern: $Q - not: - has: - stopBy: end - kind: string_fragment - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_fragment - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^sequelize$" - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E -rule: - any: - - kind: string - matches: MATCH_BLANK_PASSWORD - - kind: identifier - matches: MATCH_BLANK_PASSWORD_WITH_INSTANCE diff --git a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml deleted file mode 100644 index 25c28ceb..00000000 --- a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-javascript -language: javascript -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - MATCH_BLANK_PASSWORD: - kind: string - pattern: $Q - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string - nthChild: 3 - pattern: $Q - has: - stopBy: end - kind: string_fragment - - follows: - stopBy: end - any: - - pattern: const $E = require('sequelize') - - pattern: import $E from 'sequelize' - - pattern: import * as $E from 'sequelize' - - pattern: import {$E} from 'sequelize' - MATCH_BLANK_PASSWORD_with_instance: - kind: identifier - pattern: $W - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: identifier - nthChild: 3 - pattern: $W - - follows: - stopBy: end - any: - - pattern: const $E = require('sequelize') - - pattern: import $E from 'sequelize' - - pattern: import * as $E from 'sequelize' - - pattern: import {$E} from 'sequelize' - - follows: - stopBy: end - any: - - pattern: $W = $R - - pattern: let $W = $R -rule: - any: - - kind: string - matches: MATCH_BLANK_PASSWORD - - kind: 
identifier - matches: MATCH_BLANK_PASSWORD_with_instance -constraints: - R: - kind: string - has: - stopBy: neighbor - kind: string_fragment diff --git a/rules/kotlin/security/des-is-deprecated-kotlin.yml b/rules/kotlin/security/des-is-deprecated-kotlin.yml deleted file mode 100644 index e63f26f6..00000000 --- a/rules/kotlin/security/des-is-deprecated-kotlin.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: des-is-deprecated-kotlin -severity: warning -language: kotlin -message: >- - DES is considered deprecated. AES is the recommended cipher. Upgrade to - use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard - for more information. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard -ast-grep-essentials: true -rule: - pattern: $CIPHER.getInstance($SAS) -constraints: - SAS: - regex: ^"DES/.*"|"DES"$ diff --git a/rules/kotlin/security/desede-is-deprecated-kotlin.yml b/rules/kotlin/security/desede-is-deprecated-kotlin.yml deleted file mode 100644 index 4ffc7a8f..00000000 --- a/rules/kotlin/security/desede-is-deprecated-kotlin.yml +++ /dev/null 
@@ -1,468 +0,0 @@ -id: desede-is-deprecated-kotlin -language: kotlin -severity: warning -message: >- - Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. -note: >- - [CWE-326]: Inadequate Encryption Strength - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE - - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA - -ast-grep-essentials: true - -utils: - match_call_expression: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $KEYGEN - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^getInstance$" - - has: - stopBy: end - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - stopBy: end - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: navigation_expression - inside: - stopBy: end - kind: call_expression - inside: - stopBy: end - kind: property_declaration - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - nthChild: 3 - match_call_expression_follows_property_declaration: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $KEYGEN - - has: - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: property_declaration - inside: - stopBy: end - kind: 
class_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - nthChild: 3 - match_call_expression_with_pkcs5: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: end - kind: simple_identifier - - has: - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: string_literal - inside: - stopBy: end - kind: property_declaration - inside: - stopBy: end - kind: function_body - inside: - stopBy: end - kind: function_declaration - inside: - kind: class_body - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - nthChild: 3 - match_call_expression_with_navigation_expression: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - - has: - kind: navigation_suffix - has: - kind: simple_identifier - pattern: $KEYGEN - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: property_declaration - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - nthChild: 3 - 
match_call_expression_with_navigation_expression_without_follow: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: end - kind: simple_identifier - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^KeyGenerator$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: string_literal - regex: ^"DES"$ - - match_call_expression_with_paranthesis: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - pattern: $KEYGEN - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: parenthesized_expression - has: - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: property_declaration - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - nthChild: 3 - match_call_expression_with_ecb: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: end - kind: simple_identifier - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: string_literal - regex: "DESede" - match_key_generator_object_inside_follows: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $KEYGEN - - has: - stopBy: end - kind: navigation_suffix - has: - 
stopBy: end - kind: simple_identifier - regex: "^getInstance$" - - has: - stopBy: end - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - stopBy: end - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: property_declaration - inside: - stopBy: end - kind: object_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - match_key_generator_property_declaration_inside_follows: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $KEYGEN - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^getInstance$" - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: property_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN - match_key_generator_class_declaration_inside_follows: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $KEYGEN - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^getInstance$" - - has: - stopBy: end - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - has: - stopBy: end - kind: string_literal - regex: ^"DES"$ - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_list - has: - kind: import_header - has: - kind: identifier - all: - - has: - kind: simple_identifier - - has: - kind: simple_identifier - pattern: $KEYGEN -rule: - any: - - 
matches: match_call_expression - - matches: match_call_expression_follows_property_declaration - - matches: match_call_expression_with_pkcs5 - - matches: match_call_expression_with_navigation_expression - - matches: match_call_expression_with_navigation_expression_without_follow - - matches: match_call_expression_with_paranthesis - - matches: match_call_expression_with_ecb - - matches: match_key_generator_object_inside_follows - - matches: match_key_generator_property_declaration_inside_follows - - matches: match_key_generator_class_declaration_inside_follows diff --git a/rules/kotlin/security/jwt-hardcode-kotlin.yml b/rules/kotlin/security/jwt-hardcode-kotlin.yml deleted file mode 100644 index 91bdc952..00000000 --- a/rules/kotlin/security/jwt-hardcode-kotlin.yml +++ /dev/null 
@@ -1,574 +0,0 @@ -id: jwt-hardcode-kotlin -language: kotlin -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A03:2021]: Identification and Authentication Failures - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true - -utils: - match_Algorithm_HMAC256_follow_imports: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^Algorithm$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^HMAC256$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.* - - pattern: import com.auth0.jwt.algorithms.Algorithm - match_HMAC256: - kind: call_expression - all: - - has: - kind: simple_identifier - regex: "^HMAC256$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.Algorithm.* - - pattern: import 
com.auth0.jwt.algorithms.Algorithm.HMAC256 - match_Algorithm_HMAC384: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^Algorithm$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^HMAC384$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.* - - pattern: import com.auth0.jwt.algorithms.Algorithm - match_HMAC384: - kind: call_expression - all: - - has: - kind: simple_identifier - regex: "^HMAC384$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.Algorithm.* - - pattern: import com.auth0.jwt.algorithms.Algorithm.HMAC384 - match_algorithm_HMAC512: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^Algorithm$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^HMAC512$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.* - - pattern: import com.auth0.jwt.algorithms.Algorithm - match_HMAC512: - kind: 
call_expression - all: - - has: - kind: simple_identifier - regex: "^HMAC512$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.Algorithm.* - - pattern: import com.auth0.jwt.algorithms.Algorithm.HMAC512 - match_Algorithm_HMAC256_follow_imports_with_identifier: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^Algorithm$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^HMAC256$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: simple_identifier - pattern: $A - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: variable_declaration - has: - kind: simple_identifier - pattern: $A - - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.* - - pattern: import com.auth0.jwt.algorithms.Algorithm - match_HMAC256_with_identifier: - kind: call_expression - all: - - has: - kind: simple_identifier - regex: "^HMAC256$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: simple_identifier - pattern: $B - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: variable_declaration - has: - kind: simple_identifier - pattern: $B - - has: - kind: 
string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.Algorithm.* - - pattern: import com.auth0.jwt.algorithms.Algorithm.HMAC256 - match_Algorithm_HMAC384_with_identifier: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^Algorithm$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^HMAC384$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: simple_identifier - pattern: $C - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: variable_declaration - has: - kind: simple_identifier - pattern: $C - - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.* - - pattern: import com.auth0.jwt.algorithms.Algorithm - match_HMAC384_with_identifier: - kind: call_expression - all: - - has: - kind: simple_identifier - regex: "^HMAC384$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: simple_identifier - pattern: $D - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: variable_declaration - has: - kind: simple_identifier - pattern: $D - - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.Algorithm.* - - pattern: import com.auth0.jwt.algorithms.Algorithm.HMAC384 - 
match_algorithm_HMAC512_with_identifier: - kind: call_expression - all: - - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^Algorithm$" - - has: - kind: navigation_suffix - has: - kind: simple_identifier - regex: "^HMAC512$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: simple_identifier - pattern: $E - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: variable_declaration - has: - kind: simple_identifier - pattern: $E - - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.* - - pattern: import com.auth0.jwt.algorithms.Algorithm - match_HMAC512_with_identifier: - kind: call_expression - all: - - has: - kind: simple_identifier - regex: "^HMAC512$" - - has: - kind: call_suffix - has: - kind: value_arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - has: - kind: value_argument - has: - kind: simple_identifier - pattern: $F - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: variable_declaration - has: - kind: simple_identifier - pattern: $F - - has: - kind: string_literal - not: - regex: '""' - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_list - has: - kind: import_header - any: - - pattern: import com.auth0.jwt.algorithms.Algorithm.* - - pattern: import com.auth0.jwt.algorithms.Algorithm.HMAC512 - -rule: - any: - - matches: match_Algorithm_HMAC256_follow_imports - - matches: match_HMAC256 - - matches: match_Algorithm_HMAC384 - - matches: match_HMAC384 - - matches: match_algorithm_HMAC512 - - matches: match_HMAC512 - - matches: 
match_Algorithm_HMAC256_follow_imports_with_identifier - - matches: match_HMAC256_with_identifier - - matches: match_Algorithm_HMAC384_with_identifier - - matches: match_HMAC384_with_identifier - - matches: match_algorithm_HMAC512_with_identifier - - matches: match_HMAC512_with_identifier diff --git a/rules/kotlin/security/rsa-no-padding-kotlin.yml b/rules/kotlin/security/rsa-no-padding-kotlin.yml deleted file mode 100644 index 8e3f3101..00000000 --- a/rules/kotlin/security/rsa-no-padding-kotlin.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: rsa-no-padding-kotlin -severity: warning -language: kotlin -message: >- - Using RSA without OAEP mode weakens the encryption. -note: >- - [CWE-326] Inadequate Encryption Strength - [REFERENCES] - - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ - -ast-grep-essentials: true - -rule: - pattern: $YST.getInstance($MODE) -constraints: - MODE: - regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding" diff --git a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml deleted file mode 100644 index 458c35e0..00000000 --- a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: system-setproperty-hardcoded-secret-kotlin -language: kotlin -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_string_literal: - kind: string_literal - not: - regex: ^""$ - inside: - kind: value_argument - nthChild: 2 - inside: - stopBy: end - kind: value_arguments - has: - kind: value_argument - any: - - has: - kind: string_literal - regex: ^"javax.net.ssl.keyStorePassword"$ - - has: - kind: string_literal - regex: ^"javax.net.ssl.trustStorePassword"$ - - inside: - kind: call_suffix - inside: - kind: call_expression - has: - kind: navigation_expression - all: - - has: - kind: simple_identifier - regex: "^System$" - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^setProperty$" - -rule: - any: - - matches: match_string_literal diff --git a/rules/php/security/openssl-cbc-static-iv-php.yml b/rules/php/security/openssl-cbc-static-iv-php.yml deleted file mode 100644 index 2e1df39c..00000000 --- a/rules/php/security/openssl-cbc-static-iv-php.yml +++ /dev/null 
@@ -1,651 +0,0 @@ -id: openssl-cbc-static-iv-php -language: php -severity: warning -message: >- - Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext - attacks against encrypted data. -note: >- - [CWE-329] Generation of Predictable IV with CBC Mode. - [REFERENCES] - - https://csrc.nist.gov/publications/detail/sp/800-38a/final -ast-grep-essentials: true -utils: - Match_pattern_directly_with_prefix_openssl_encryptpart2: - kind: function_call_expression - all: - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: encapsed_string - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - not: - inside: - stopBy: end - kind: conditional_expression - - Match_pattern_with_prefix_openssl_encrypt: - kind: function_call_expression - all: - - not: - inside: - stopBy: end - kind: conditional_expression - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: 
variable_name - pattern: $T - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - Match_pattern_with_prefix_openssl_decrypt: - kind: function_call_expression - all: - - not: - inside: - stopBy: end - kind: conditional_expression - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $T - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name 
- pattern: $T - - has: - stopBy: end - kind: encapsed_string - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - Match_pattern_directly_with_prefix_openssl_encrypt: - kind: function_call_expression - all: - - not: - inside: - stopBy: end - kind: conditional_expression - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $T - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - Match_pattern_directly_with_prefix_openssl_encrypt_return_statement: - kind: function_call_expression - all: - - not: - inside: - stopBy: end - kind: conditional_expression - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - 
ofRule: - not: - kind: comment - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $T - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - Match_pattern_directly_with_prefix_openssl_encrypt_return_statement_(instance of cbc): - kind: function_call_expression - all: - - not: - inside: - stopBy: end - kind: conditional_expression - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - pattern: $CBC - ofRule: - not: - kind: comment - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $T - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $CBC - - has: - stopBy: end - kind: 
encapsed_string - regex: "^.*-CBC" - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $CBC - - has: - stopBy: end - kind: encapsed_string - regex: "^.*-CBC" - - Match_pattern_with_prefix_openssl_encrypt_PART2: - kind: function_call_expression - all: - - not: - inside: - stopBy: end - kind: conditional_expression - - has: - kind: name - regex: ^(openssl_decrypt|openssl_encrypt)$ - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: argument - nthChild: - position: 5 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: encapsed_string - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $T - - has: - stopBy: end - kind: encapsed_string - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - all: - - has: - stopBy: end - kind: variable_name - pattern: $R - - has: - stopBy: end - kind: encapsed_string - regex: ".*-CBC" - -rule: - any: - - kind: function_call_expression - any: - - matches: Match_pattern_with_prefix_openssl_encrypt - - matches: 
Match_pattern_with_prefix_openssl_encrypt_PART2 - - matches: Match_pattern_directly_with_prefix_openssl_encrypt - - matches: Match_pattern_directly_with_prefix_openssl_encryptpart2 - - kind: return_statement - any: - - matches: Match_pattern_with_prefix_openssl_decrypt - - matches: Match_pattern_directly_with_prefix_openssl_encrypt_return_statement - - matches: Match_pattern_directly_with_prefix_openssl_encrypt_return_statement_(instance of cbc) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/php/security/search-active-debug-php.yml b/rules/php/security/search-active-debug-php.yml deleted file mode 100644 index fb31b440..00000000 --- a/rules/php/security/search-active-debug-php.yml +++ /dev/null 
@@ -1,158 +0,0 @@ -id: search-active-debug-php -language: php -severity: warning -message: >- - Debug logging is explicitly enabled. This can potentially disclose - sensitive information and should never be active on production systems. -note: >- - [CWE-489] Active Debug Code. - [REFERENCES] - - https://www.php.net/manual/en/function.setcookie.php -ast-grep-essentials: true -utils: - Match_pattern_one: - kind: function_call_expression - all: - - has: - pattern: $C - - has: - stopBy: end - kind: arguments - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - has: - stopBy: end - kind: argument - nthChild: - position: 1 - ofRule: - not: - kind: comment - has: - kind: encapsed_string - has: - kind: string_content - pattern: $A - - has: - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - kind: boolean - pattern: $B - - Match_pattern_two_with_integer: - kind: function_call_expression - all: - - has: - pattern: $C - - has: - stopBy: end - kind: arguments - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - has: - stopBy: end - kind: argument - nthChild: - position: 1 - ofRule: - not: - kind: comment - has: - kind: encapsed_string - has: - kind: string_content - pattern: $A - - has: - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - kind: integer - pattern: $D - - Match_pattern_three_with_string: - kind: function_call_expression - all: - - has: - pattern: $C - - has: - kind: arguments - all: - - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - - has: - stopBy: end - kind: argument - nthChild: - position: 1 - ofRule: - not: - kind: comment - has: - kind: encapsed_string - has: - kind: string_content - pattern: $A - - has: - stopBy: end - kind: argument - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - stopBy: end - kind: encapsed_string - has: - stopBy: neighbor - regex: ^[Oo][Nn]$ - -rule: - any: - - 
matches: Match_pattern_one - - matches: Match_pattern_two_with_integer - - matches: Match_pattern_three_with_string - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - -constraints: - C: - regex: ^(define|ini_set)$ - A: - regex: ^(WP_DEBUG|display_errors)$ - B: - regex: ^([tT][Rr][Uu][Ee])$ - D: - regex: ^1$ diff --git a/rules/python/security/avoid-mktemp-python.yml b/rules/python/security/avoid-mktemp-python.yml deleted file mode 100644 index d9350bd0..00000000 --- a/rules/python/security/avoid-mktemp-python.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -id: avoid-mktemp-python -language: python -severity: warning -message: >- - The function `mktemp` is deprecated. When using this function, it is - possible for an attacker to modify the created file before the filename is - returned. Use `NamedTemporaryFile()` instead and pass it the - `delete=False` parameter. -note: >- - [CWE-377]: Insecure Temporary File - [OWASP A01:2021]: Broken Access Control - [REFERENCES] - https://docs.python.org/3/library/tempfile.html#tempfile.mktemp - https://owasp.org/Top10/A01_2021-Broken_Access_Control -ast-grep-essentials: true -utils: - match_call: - kind: call - all: - - has: - stopBy: end - kind: attribute - field: function - all: - - has: - stopBy: end - kind: identifier - field: object - regex: "^tempfile$" - - has: - stopBy: end - kind: identifier - field: attribute - regex: "^mktemp$" - - has: - stopBy: end - kind: argument_list - field: arguments - match_second_call: - kind: call - all: - - has: - stopBy: end - kind: identifier - field: function - regex: "^mktemp$" - - has: - stopBy: end - kind: argument_list - field: arguments - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: import_from_statement - all: - - has: - kind: dotted_name - field: module_name - has: - kind: identifier - regex: "^tempfile$" - - has: - stopBy: end - kind: dotted_name - field: name - has: - stopBy: end - kind: identifier - regex: "^mktemp$" -rule: - any: - - matches: match_call - - matches: match_second_call diff --git a/rules/python/security/avoid_app_run_with_bad_host-python.yml b/rules/python/security/avoid_app_run_with_bad_host-python.yml deleted file mode 100644 index c0876275..00000000 --- a/rules/python/security/avoid_app_run_with_bad_host-python.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -id: avoid_app_run_with_bad_host-python -language: python -severity: warning -message: >- - Running flask app with host 0.0.0.0 could expose the server publicly. -note: >- - [CWE-668]: Exposure of Resource to Wrong Sphere - [OWASP A01:2021]: Broken Access Control - [REFERENCES] - https://owasp.org/Top10/A01_2021-Broken_Access_Control -ast-grep-essentials: true -utils: - MATCH_PATTERN_app.run: - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^app$" - - has: - stopBy: neighbor - kind: identifier - regex: "^run$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - regex: ^"0.0.0.0"$ - - MATCH_PATTERN_app.run_HOST: - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^app$" - - has: - stopBy: neighbor - kind: identifier - regex: "^run$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^host$" - - has: - stopBy: neighbor - kind: string - regex: ^"0.0.0.0"$ - - has: - stopBy: neighbor - regex: "^=$" - -rule: - kind: call - any: - - matches: MATCH_PATTERN_app.run - - matches: MATCH_PATTERN_app.run_HOST diff --git a/rules/python/security/debug-enabled-python.yml b/rules/python/security/debug-enabled-python.yml deleted file mode 100644 index 4e184544..00000000 --- a/rules/python/security/debug-enabled-python.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -id: debug-enabled-python -severity: warning -language: python -message: >- - Detected Flask app with debug=True. Do not deploy to production with - this flag enabled as it will leak sensitive information. Instead, consider - using Flask configuration variables or setting 'debug' using system - environment variables. -note: >- - [CWE-489] Active Debug Code. - [REFERENCES] - - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/ -ast-grep-essentials: true -utils: - MATCH_PATTERN_debug=True: - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^app$" - - has: - stopBy: neighbor - kind: identifier - regex: "^run$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - regex: "^debug=True$" - - any: - - inside: - stopBy: end - kind: if_statement - follows: - stopBy: end - kind: import_from_statement - has: - stopBy: end - kind: dotted_name - has: - stopBy: neighbor - kind: identifier - regex: "^Flask$" - - inside: - stopBy: end - kind: function_definition - follows: - stopBy: end - kind: import_from_statement - has: - stopBy: end - kind: dotted_name - has: - stopBy: neighbor - kind: identifier - regex: "^Flask$" - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: import_from_statement - has: - stopBy: end - kind: dotted_name - has: - stopBy: neighbor - kind: identifier - regex: "^Flask$" - - inside: - stopBy: end - kind: decorated_definition - follows: - stopBy: end - kind: import_from_statement - has: - stopBy: end - kind: dotted_name - has: - stopBy: neighbor - kind: identifier - regex: "^Flask$" -rule: - kind: call - any: - - matches: MATCH_PATTERN_debug=True diff --git a/rules/python/security/hashids-with-django-secret-python.yml b/rules/python/security/hashids-with-django-secret-python.yml deleted file mode 100644 index 94104dfe..00000000 
--- a/rules/python/security/hashids-with-django-secret-python.yml +++ /dev/null 
@@ -1,285 +0,0 @@ -id: hashids-with-django-secret-python -language: python -severity: warning -message: >- - The Django secret key is used as salt in HashIDs. The HashID mechanism - is not secure. By observing sufficient HashIDs, the salt used to construct - them can be recovered. This means the Django secret key can be obtained by - attackers, through the HashIDs. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY - http://carnage.github.io/2015/08/cryptanalysis-of-hashids -ast-grep-essentials: true -utils: - Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: keyword_argument - all: - - has: - kind: identifier - regex: ^salt$ - - has: - kind: attribute - all: - - has: - kind: identifier - regex: ^settings$ - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^SECRET_KEY$ - - all: - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: attribute - all: - - has: - kind: identifier - regex: ^settings$ - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^SECRET_KEY$ - - all: - - any: - - inside: - stopBy: end - follows: - 
stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - hashids.Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): - kind: call - all: - - has: - kind: attribute - regex: ^hashids.Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: keyword_argument - all: - - has: - kind: identifier - regex: ^salt$ - - has: - kind: attribute - all: - - has: - kind: identifier - regex: ^settings$ - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^SECRET_KEY$ - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - hashids.Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet): - kind: call - all: - - has: - kind: attribute - nthChild: 1 - regex: ^hashids.Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: attribute - all: - - has: - kind: identifier - regex: ^settings$ - nthChild: 1 - - has: - kind: identifier - nthChild: 2 - regex: ^SECRET_KEY$ - - all: - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - follows: - stopBy: end - kind: import_from_statement - pattern: from django.conf import settings - - hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): - kind: call - all: - - has: - kind: attribute - nthChild: 1 - regex: ^hashids.Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: keyword_argument - all: - - has: - kind: 
identifier - regex: ^salt$ - - has: - kind: attribute - regex: ^django.conf.settings.SECRET_KEY$ - - hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet): - kind: call - all: - - has: - kind: attribute - nthChild: 1 - regex: ^hashids.Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: attribute - regex: ^django.conf.settings.SECRET_KEY$ - - Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: attribute - regex: ^django.conf.settings.SECRET_KEY$ - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^Hashids$ - - has: - kind: argument_list - nthChild: 2 - has: - kind: keyword_argument - all: - - has: - kind: identifier - regex: ^salt$ - - has: - kind: attribute - regex: ^django.conf.settings.SECRET_KEY$ - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - follows: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - -rule: - any: - - matches: Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - - matches: Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: hashids.Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - - matches: hashids.Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: hashids.Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - - matches: 
hashids.Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: Hashids(django.conf.settings.SECRET_KEY, min_length=length, alphabet=alphabet) - - matches: Hashids(salt=django.conf.settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) \ No newline at end of file diff --git a/rules/python/security/hashids-with-flask-secret-python.yml b/rules/python/security/hashids-with-flask-secret-python.yml deleted file mode 100644 index 6a39154e..00000000 --- a/rules/python/security/hashids-with-flask-secret-python.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -id: hashids-with-flask-secret-python -severity: warning -language: python -message: >- - The Flask secret key is used as salt in HashIDs. The HashID mechanism - is not secure. By observing sufficient HashIDs, the salt used to construct - them can be recovered. This means the Flask secret key can be obtained by - attackers, through the HashIDs). -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY - - http://carnage.github.io/2015/08/cryptanalysis-of-hashids -ast-grep-essentials: true -utils: - hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...): - # hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^hashids.Hashids$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^salt$ - - has: - stopBy: neighbor - kind: subscript - pattern: flask.current_app.config['SECRET_KEY'] - hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...): - # hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^hashids.Hashids$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: subscript - pattern: flask.current_app.config['SECRET_KEY'] - hashids.Hashids($APP.config['SECRET_KEY'], ...): - # hashids.Hashids($APP.config['SECRET_KEY'], ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^hashids.Hashids$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: subscript - pattern: $APP.config['SECRET_KEY'] - - inside: - stopBy: end - kind: module - has: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment - pattern: $APP = flask.Flask($$$) - hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...): - # hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^hashids.Hashids$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^salt$ - - has: - stopBy: neighbor - kind: subscript - pattern: $APP.config['SECRET_KEY'] - - inside: - stopBy: end - kind: module - has: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment - pattern: $APP = flask.Flask($$$) - Hashids(salt=app.config['SECRET_KEY']): - # from hashids import Hashids - # from flask import current_app as app - # hash_id = Hashids(salt=app.config['SECRET_KEY']) - kind: call - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^Hashids$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^salt$ - - has: - stopBy: neighbor - kind: subscript - pattern: $APP.config['SECRET_KEY'] - - inside: - stopBy: end - kind: module - all: - - has: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - any: - - has: - stopBy: end - kind: import_from_statement - pattern: from flask import current_app as $APP - - has: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - pattern: $APP = Flask($$$) - Hashids(salt=current_app.config['SECRET_KEY']): - # from hashids import Hashids - # from 
flask import current_app - # hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY']) - kind: call - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^Hashids$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^salt$ - - has: - stopBy: neighbor - kind: subscript - pattern: current_app.config['SECRET_KEY'] - - inside: - stopBy: end - kind: module - all: - - has: - stopBy: end - kind: import_from_statement - pattern: from hashids import Hashids - - has: - stopBy: end - kind: import_from_statement - pattern: from flask import current_app -rule: - kind: call - any: - - matches: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) - - matches: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) - - matches: hashids.Hashids($APP.config['SECRET_KEY'], ...) - - matches: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) - - matches: Hashids(salt=app.config['SECRET_KEY']) - - matches: Hashids(salt=current_app.config['SECRET_KEY']) diff --git a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml b/rules/python/security/insecure-cipher-algorithm-rc4-python.yml deleted file mode 100644 index c5b3e805..00000000 --- a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml +++ /dev/null 
@@ -1,79 +0,0 @@
-id: insecure-cipher-algorithm-rc4-python -severity: warning -language: python -message: >- - Detected ARC4 cipher algorithm which is considered insecure. This - algorithm is not cryptographically secure and can be reversed easily. Use - secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block - cipher such as AES with a block size of 128 bits. When using a block - cipher, use a modern mode of operation that also provides authentication, - such as GCM. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://cwe.mitre.org/data/definitions/326.html - - https://www.pycryptodome.org/src/cipher/cipher -ast-grep-essentials: true -utils: - MATCH_PATTERN_arc4.new: - kind: call - all: - - has: - stopBy: end - kind: attribute - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $X - - has: - stopBy: neighbor - kind: identifier - regex: "^new$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: import_from_statement - all: - - has: - stopBy: neighbor - kind: dotted_name - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^Crypto$|^Cryptodome$" - - has: - stopBy: neighbor - kind: identifier - regex: "^Cipher$" - - has: - stopBy: neighbor - kind: aliased_import - all: - - has: - stopBy: neighbor - kind: dotted_name - has: - stopBy: neighbor - kind: identifier - regex: "^ARC4$" - - has: - stopBy: neighbor - kind: identifier - pattern: $X - -rule: - kind: call - any: - - matches: MATCH_PATTERN_arc4.new - - pattern: Cryptodome.Cipher.ARC4.new($$$) - - pattern: Crypto.Cipher.ARC4.new($$$)
diff --git a/rules/python/security/jwt-python-hardcoded-secret-python.yml b/rules/python/security/jwt-python-hardcoded-secret-python.yml
deleted file mode 100644
index 84ca9ba3..00000000
--- a/rules/python/security/jwt-python-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,119 +0,0 @@
-id: jwt-python-hardcoded-secret-python -severity: warning -language: python -message: >- - Hardcoded JWT secret or private key is used. This is a Insufficiently - Protected Credentials weakness: - https://cwe.mitre.org/data/definitions/522.html Consider using an - appropriate security mechanism to protect the credentials (e.g. keeping - secrets in environment variables). -note: >- - [CWE-522] Insufficiently Protected Credentials. - [REFERENCES] - - https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ -ast-grep-essentials: true -utils: - MATCH_SECRET_DIRECTLY: - kind: expression_statement - all: - - has: - stopBy: end - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^jwt$" - - has: - stopBy: neighbor - kind: identifier - regex: "^encode$" - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $W - - has: - stopBy: neighbor - kind: string - nthChild: 2 - MATCH_SECRET_WITH_INSTANCE: - kind: expression_statement - all: - - has: - stopBy: end - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^jwt$" - - has: - stopBy: neighbor - kind: identifier - regex: "^encode$" - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $W - - has: - stopBy: neighbor - kind: identifier - nthChild: 2 - pattern: $S - - any: - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $S - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - inside: - stopBy: end - kind: module - has: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $S - - has: -
stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content -rule: - kind: expression_statement - any: - - matches: MATCH_SECRET_DIRECTLY - - matches: MATCH_SECRET_WITH_INSTANCE
diff --git a/rules/python/security/openai-hardcoded-secret-python.yml b/rules/python/security/openai-hardcoded-secret-python.yml
deleted file mode 100644
index ecdb7934..00000000
--- a/rules/python/security/openai-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: openai-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - match_api_key: - kind: string_content - regex: \b(sk-[[:alnum:]]{20}T3BlbkFJ[[:alnum:]]{20})\b - inside: - stopBy: end - kind: string -rule: - all: - - matches: match_api_key
diff --git a/rules/python/security/python-cassandra-empty-password-python.yml b/rules/python/security/python-cassandra-empty-password-python.yml
deleted file mode 100644
index 207db31e..00000000
--- a/rules/python/security/python-cassandra-empty-password-python.yml
+++ /dev/null
@@ -1,225 +0,0 @@
-id: python-cassandra-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - - kind: call - has: - kind: identifier - regex: ^PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: string - all: - - has: - nthChild: 1 - kind: string_start - - has: - nthChild: 2 - kind: string_end - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - - has: - stopBy: end - kind: dotted_name - regex: ^PlainTextAuthProvider$ - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^SaslAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement -
all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - - has: - stopBy: end - kind: dotted_name - regex: ^SaslAuthProvider$ - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $PLAIN_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - - kind: call - has: - kind: identifier - regex: ^PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: string - all: - - has: - nthChild: 1 - kind: string_start - - has: - nthChild: 2 - kind: string_end - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - - has: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^PlainTextAuthProvider$ - - has: - kind: identifier - nthChild: 2 - pattern: $PLAIN_ALIAS - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - - has: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^SaslAuthProvider$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS 
diff --git a/rules/python/security/python-cassandra-hardcoded-secret-python.yml b/rules/python/security/python-cassandra-hardcoded-secret-python.yml
deleted file mode 100644
index 7968e2d5..00000000
--- a/rules/python/security/python-cassandra-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,398 +0,0 @@
-id: python-cassandra-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - nthChild: 1 - regex: ^PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - - kind: call - has: - kind: identifier - regex: ^PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - precedes: - stopBy: end - kind:
dotted_name - regex: ^PlainTextAuthProvider$ - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^SaslAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - precedes: - stopBy: end - kind: dotted_name - regex: ^SaslAuthProvider$ - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $PLAIN_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - - kind: call - has: - kind: identifier - pattern: $PLAIN_ALIAS - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - field: name - nthChild: 1 - regex: ^PlainTextAuthProvider$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $PLAIN_ALIAS - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: 
dotted_name - nthChild: 1 - regex: ^SaslAuthProvider$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - nthChild: 1 - regex: ^cassandra.auth.PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - - kind: call - has: - kind: attribute - field: function - regex: ^cassandra.auth.PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_from_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - - kind: import_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^(cassandra|cassandra.auth)$ - - kind: call - any: - - kind: call - has: - kind: attribute - regex: ^SaslAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra.auth$ - precedes: - stopBy: end - kind: dotted_name - regex: ^SaslAuthProvider$ - - kind: call - any: - - kind: call - has: - kind: attribute - nthChild: 1 - regex: ^auth.PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - - kind: call - has: - kind: attribute - nthChild: 1 - regex: ^auth.PlainTextAuthProvider$ - precedes: - kind: argument_list - has: - nthChild: - 
position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra$ - precedes: - stopBy: end - kind: dotted_name - regex: ^auth$ - - kind: call - any: - - kind: call - has: - kind: attribute - nthChild: 1 - regex: ^auth.SaslAuthProvider$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^cassandra$ - precedes: - stopBy: end - kind: dotted_name - regex: ^auth$
diff --git a/rules/python/security/python-couchbase-empty-password-python.yml b/rules/python/security/python-couchbase-empty-password-python.yml
deleted file mode 100644
index 9d2f2e73..00000000
--- a/rules/python/security/python-couchbase-empty-password-python.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-id: python-couchbase-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - match_passwordauthenticator: - kind: call - all: - - has: - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: argument_list - all: - - any: - - has: - stopBy: end - kind: attribute - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: string - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content - - - inside: - stopBy: end - kind: module - has: - stopBy: end - kind: import_from_statement - all: - - has: - stopBy: end - kind: dotted_name - field: module_name - all: - - has: - stopBy: end - kind: identifier - regex: couchbase_core - - has: - stopBy: end - kind: identifier - regex: cluster - - has: - stopBy: end - kind: dotted_name - field: name - has: - stopBy: end - kind: identifier - pattern: $R - regex: PasswordAuthenticator -rule: - all: - - matches: match_passwordauthenticator
diff --git a/rules/python/security/python-couchbase-hardcoded-secret-python.yml b/rules/python/security/python-couchbase-hardcoded-secret-python.yml
deleted file mode 100644
index e1e06bab..00000000
--- a/rules/python/security/python-couchbase-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,185 +0,0 @@
-id: python-couchbase-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^PasswordAuthenticator$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^couchbase_core.cluster$ - precedes: - stopBy: end - kind: dotted_name - regex: ^PasswordAuthenticator$ - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $PLAIN_ALIAS - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy:
end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^couchbase_core.cluster$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - field: name - nthChild: 1 - regex: ^PasswordAuthenticator$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $PLAIN_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - field: function - regex: ^couchbase_core.cluster.PasswordAuthenticator$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_from_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^couchbase_core.cluster$ - - kind: import_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^(couchbase_core|couchbase_core.cluster)$ - - kind: call - any: - - kind: call - has: - kind: attribute - nthChild: 1 - regex: ^cluster.PasswordAuthenticator$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^couchbase_core$ - precedes: - stopBy: end - kind: dotted_name - regex: ^cluster$
diff --git a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml b/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
deleted file mode 100644
index 998ba36a..00000000
--- a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-id: python-elasticsearch-hardcoded-bearer-auth-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - elasticsearch.Elasticsearch(..., bearer_auth="...",...): - # elasticsearch.Elasticsearch(..., bearer_auth="...",...) - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^elasticsearch.Elasticsearch$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: end - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^bearer_auth$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content - - not: - has: - stopBy: end - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^bearer_auth$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: elasticsearch.Elasticsearch(..., bearer_auth="...",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR -
diff --git a/rules/python/security/python-ldap3-empty-password-python.yml b/rules/python/security/python-ldap3-empty-password-python.yml
deleted file mode 100644
index ed07a710..00000000
--- a/rules/python/security/python-ldap3-empty-password-python.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-id: python-ldap3-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - ldap3.Connection(..., password="",...)_INSTANCE: - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^ldap3.Connection$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - nthChild: 1 - - has: - stopBy: neighbor - kind: identifier - pattern: $INST - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - pattern: $INST - nthChild: 1 - - has: - kind: string - not: - has: - kind: string_content - - ldap3.Connection(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^ldap3.Connection$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content - -rule: - kind: call - any: - - matches: ldap3.Connection(..., password="",...)_INSTANCE - - matches: ldap3.Connection(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR
diff --git a/rules/python/security/python-ldap3-hardcoded-secret-python.yml b/rules/python/security/python-ldap3-hardcoded-secret-python.yml
deleted file mode 100644
index 07ae352e..00000000
--- a/rules/python/security/python-ldap3-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,153 +0,0 @@
-id: python-ldap3-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^Connection$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^ldap3$ - precedes: - stopBy: end - kind: dotted_name - regex: ^Connection$ - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: -
nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^ldap3$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^Connection$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - regex: ^ldap3.Connection$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^password$ - - has: - nthChild: 2 - matches: define_password
diff --git a/rules/python/security/python-mariadb-empty-password-python.yml b/rules/python/security/python-mariadb-empty-password-python.yml
deleted file mode 100644
index e2f6faed..00000000
--- a/rules/python/security/python-mariadb-empty-password-python.yml
+++ /dev/null
@@ -1,203 +0,0 @@
-id: python-mariadb-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - - not: - has: - kind: string_content - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mariadb$ - precedes: - stopBy: end - kind: dotted_name - regex: ^connect$ - - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex:
^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mariadb$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^connect$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - regex: ^mariadb.connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - - kind: call - any: - - kind: call - has: - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - pattern: $MARIADB_ALIAS - - has: - nthChild: 2 - kind: identifier - field: attribute - regex: ^connect$ - # regex: ^mariadb.connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_statement - has: - nthChild: 1 - kind: aliased_import - all: - - has: - nthChild: 1 - kind: dotted_name - field: name - regex: ^mariadb$ - - has: - nthChild: 2 - kind: identifier - field: alias - pattern: $MARIADB_ALIAS
diff --git a/rules/python/security/python-mariadb-hardcoded-secret-python.yml b/rules/python/security/python-mariadb-hardcoded-secret-python.yml
deleted file mode 100644
index a4339b14..00000000
--- a/rules/python/security/python-mariadb-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,203 +0,0 @@ -id: python-mariadb-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mariadb$ - precedes: - stopBy: end - kind: dotted_name - regex: ^connect$ - - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - 
has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mariadb$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^connect$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - regex: ^mariadb.connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - - kind: call - any: - - kind: call - has: - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - pattern: $MARIADB_ALIAS - - has: - nthChild: 2 - kind: identifier - field: attribute - regex: ^connect$ - # regex: ^mariadb.connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_statement - has: - nthChild: 1 - kind: aliased_import - all: - - has: - nthChild: 1 - kind: dotted_name - field: name - regex: ^mariadb$ - - has: - nthChild: 2 - kind: identifier - field: alias - pattern: $MARIADB_ALIAS diff --git a/rules/python/security/python-mysql-empty-password-python.yml b/rules/python/security/python-mysql-empty-password-python.yml deleted file mode 100644 index a3fd1fbb..00000000 --- a/rules/python/security/python-mysql-empty-password-python.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -id: python-mysql-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - # - has: - # kind: string_content - # nthChild: 2 - - has: - kind: string_end - nthChild: 2 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mysql.connector$ - precedes: - stopBy: end - kind: dotted_name - regex: ^connect$ - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier 
- regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mysql.connector$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^connect$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - all: - - has: - kind: identifier - field: object - nthChild: 1 - pattern: $MYSQL_ALIAS - - has: - kind: identifier - field: attribute - nthChild: 2 - regex: ^connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_statement - has: - nthChild: 1 - kind: aliased_import - all: - - has: - nthChild: 1 - kind: dotted_name - field: name - regex: ^mysql.connector$ - precedes: - stopBy: end - kind: identifier - pattern: $MYSQL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - field: function - nthChild: 1 - regex: ^mysql.connector.connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password diff --git a/rules/python/security/python-mysql-hardcoded-secret-python.yml b/rules/python/security/python-mysql-hardcoded-secret-python.yml deleted file mode 100644 index fa9e5456..00000000 --- a/rules/python/security/python-mysql-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -id: python-mysql-hardcoded-secret-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - - kind: call - any: - - kind: call - has: - kind: identifier - regex: ^connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mysql.connector$ - precedes: - stopBy: end - kind: dotted_name - regex: ^connect$ - - kind: call - any: - - kind: call - has: - kind: identifier - pattern: $SASL_ALIAS - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - 
regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^mysql.connector$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - kind: dotted_name - nthChild: 1 - regex: ^connect$ - - has: - kind: identifier - field: alias - nthChild: 2 - pattern: $SASL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - all: - - has: - kind: identifier - field: object - nthChild: 1 - pattern: $MYSQL_ALIAS - - has: - kind: identifier - field: attribute - nthChild: 2 - regex: ^connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - inside: - stopBy: end - follows: - stopBy: end - kind: import_statement - has: - nthChild: 1 - kind: aliased_import - all: - - has: - nthChild: 1 - kind: dotted_name - field: name - regex: ^mysql.connector$ - precedes: - stopBy: end - kind: identifier - pattern: $MYSQL_ALIAS - - kind: call - any: - - kind: call - has: - kind: attribute - field: function - nthChild: 1 - regex: ^mysql.connector.connect$ - precedes: - kind: argument_list - has: - stopBy: end - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - regex: ^(password|passwd)$ - - has: - nthChild: 2 - matches: define_password - - diff --git a/rules/python/security/python-mysqlclient-empty-password-python.yml b/rules/python/security/python-mysqlclient-empty-password-python.yml deleted file mode 100644 index 6f445915..00000000 --- a/rules/python/security/python-mysqlclient-empty-password-python.yml +++ /dev/null 
@@ -1,201 +0,0 @@ -id: python-mysqlclient-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - - not: - has: - kind: string_content - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - - keyword_argument_passwd: - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - field: name - regex: ^(passwd)$ - - has: - nthChild: 2 - matches: define_password - - argument_list_util: - kind: argument_list - any: - - has: - matches: keyword_argument_passwd - - all: - - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - matches: define_password - - not: - has: - matches: keyword_argument_passwd -rule: - any: - # MySQLdb.$CONNECT - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - regex: ^MySQLdb$ - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - 
precedes: - matches: argument_list_util - - # MySQLdb._mysql.$CONNECT - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - regex: ^MySQLdb._mysql$ - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - matches: argument_list_util - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - regex: ^_mysql$ - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - matches: argument_list_util - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^MySQLdb$ - precedes: - stopBy: end - kind: dotted_name - regex: ^(_mysql)$ - - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - pattern: $MYSQL_ALIAS - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - matches: argument_list_util - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^MySQLdb$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - nthChild: 1 - kind: dotted_name - field: name - regex: ^_mysql$ - - has: - nthChild: 2 - kind: identifier - field: alias - pattern: $MYSQL_ALIAS -# constraints: -# CONNECT: -# regex: ^(Connect|connect|Connection|connection)$ - diff --git a/rules/python/security/python-mysqlclient-hardcoded-secret-python.yml b/rules/python/security/python-mysqlclient-hardcoded-secret-python.yml deleted file mode 100644 index a6943792..00000000 --- a/rules/python/security/python-mysqlclient-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -id: python-mysqlclient-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - - keyword_argument_passwd: - kind: keyword_argument - all: - - has: - nthChild: 1 - kind: identifier - field: name - regex: ^(passwd)$ - - has: - nthChild: 2 - matches: define_password - - argument_list_util: - kind: argument_list - any: - - has: - matches: keyword_argument_passwd - - all: - - has: - nthChild: - position: 3 - ofRule: - not: - kind: comment - matches: define_password - - not: - has: - matches: keyword_argument_passwd -rule: - any: - # MySQLdb.$CONNECT - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - regex: ^MySQLdb$ - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - 
matches: argument_list_util - - # MySQLdb._mysql.$CONNECT - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - regex: ^MySQLdb._mysql$ - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - matches: argument_list_util - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - regex: ^_mysql$ - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - matches: argument_list_util - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^MySQLdb$ - precedes: - stopBy: end - kind: dotted_name - regex: ^(_mysql)$ - - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - all: - - has: - nthChild: 1 - kind: identifier - field: object - pattern: $MYSQL_ALIAS - - has: - nthChild: 2 - kind: identifier - field: attribute - pattern: $CONNECT - precedes: - matches: argument_list_util - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^MySQLdb$ - precedes: - stopBy: end - kind: aliased_import - all: - - has: - nthChild: 1 - kind: dotted_name - field: name - regex: ^_mysql$ - - has: - nthChild: 2 - kind: identifier - field: alias - pattern: $MYSQL_ALIAS -constraints: - CONNECT: - regex: ^(Connect|connect|Connection|connection)$ diff --git a/rules/python/security/python-neo4j-empty-password-python.yml b/rules/python/security/python-neo4j-empty-password-python.yml deleted file mode 100644 index 443b0a2d..00000000 --- a/rules/python/security/python-neo4j-empty-password-python.yml +++ /dev/null 
@@ -1,217 +0,0 @@ -id: python-neo4j-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_end - nthChild: 2 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - # basic_auth and custom_auth - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - regex: ^(neo4j.custom_auth|neo4j.basic_auth)$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: identifier - regex: ^basic_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^basic_auth$ - - kind: call - any: - - kind: call - has: - 
nthChild: 1 - kind: identifier - regex: ^custom_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^custom_auth$ - - # kerberos_auth and bearer_auth - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - regex: ^(neo4j.kerberos_auth|neo4j.bearer_auth)$ - precedes: - kind: argument_list - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - matches: define_password - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: identifier - regex: ^kerberos_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^kerberos_auth$ - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: identifier - regex: ^bearer_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^bearer_auth$ diff --git a/rules/python/security/python-neo4j-hardcoded-secret-python.yml b/rules/python/security/python-neo4j-hardcoded-secret-python.yml deleted file mode 100644 index bf603abc..00000000 --- a/rules/python/security/python-neo4j-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,219 +0,0 @@ -id: python-neo4j-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - define_string: - kind: string - all: - - has: - kind: string_start - nthChild: 1 - - has: - kind: string_content - nthChild: 2 - - has: - kind: string_end - nthChild: 3 - - define_password: - any: - - matches: define_string - - kind: identifier - pattern: $PWD_IDENTIFIER - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment - nthChild: 1 - all: - - has: - nthChild: 1 - kind: identifier - field: left - pattern: $PWD_IDENTIFIER - - has: - nthChild: 2 - matches: define_string - -rule: - any: - # basic_auth and custom_auth - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - regex: ^(neo4j.custom_auth|neo4j.basic_auth)$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: identifier - regex: ^basic_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^basic_auth$ - - kind: call - any: - 
- kind: call - has: - nthChild: 1 - kind: identifier - regex: ^custom_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^custom_auth$ - - # kerberos_auth and bearer_auth - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: attribute - regex: ^(neo4j.kerberos_auth|neo4j.bearer_auth)$ - precedes: - kind: argument_list - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - matches: define_password - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: identifier - regex: ^kerberos_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^kerberos_auth$ - - kind: call - any: - - kind: call - has: - nthChild: 1 - kind: identifier - regex: ^bearer_auth$ - precedes: - kind: argument_list - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - matches: define_password - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - all: - - has: - nthChild: 1 - kind: dotted_name - field: module_name - regex: ^neo4j$ - precedes: - stopBy: end - kind: dotted_name - regex: ^bearer_auth$ diff --git a/rules/python/security/python-peewee-mysql-empty-password-python.yml b/rules/python/security/python-peewee-mysql-empty-password-python.yml deleted file mode 100644 index e5d4bee5..00000000 --- a/rules/python/security/python-peewee-mysql-empty-password-python.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: python-peewee-mysql-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - $DB(..., password="...",...): - # $DB(..., password="...",...) - kind: call - all: - - has: - stopBy: neighbor - pattern: $DB - regex: ^MySQLDatabase$|^peewee.MySQLDatabase$|^MySQLConnectorDatabase$|^playhouse.mysql_ext.MySQLConnectorDatabase$|^MariaDBConnectorDatabase$|^playhouse.mysql_ext.MariaDBConnectorDatabase$|^PooledMySQLDatabase$|^playhouse.pool.PooledMySQLDatabase$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$|^passwd$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: $DB(..., password="...",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml b/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml deleted file mode 100644 index 40c8c338..00000000 --- a/rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: python-peewee-mysql-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - $DB(..., password="...",...): - # $DB(..., password="...",...) - kind: call - all: - - has: - stopBy: neighbor - pattern: $DB - regex: ^MySQLDatabase$|^peewee.MySQLDatabase$|^MySQLConnectorDatabase$|^playhouse.mysql_ext.MySQLConnectorDatabase$|^MariaDBConnectorDatabase$|^playhouse.mysql_ext.MariaDBConnectorDatabase$|^PooledMySQLDatabase$|^playhouse.pool.PooledMySQLDatabase$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$|^passwd$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: $DB(..., password="...",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-peewee-pg-empty-password-python.yml b/rules/python/security/python-peewee-pg-empty-password-python.yml deleted file mode 100644 index c71ae1c6..00000000 --- a/rules/python/security/python-peewee-pg-empty-password-python.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: python-peewee-pg-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - $DB(..., password="...",...): - # $DB(..., password="...",...) - kind: call - all: - - has: - stopBy: neighbor - pattern: $DB - regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$|^passwd$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: $DB(..., password="...",...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml deleted file mode 100644 index 7d0d77e1..00000000 --- a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -id: python-peewee-pg-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - $DB(..., password="...",...): - # $DB(..., password="...",...) - kind: call - all: - - has: - stopBy: neighbor - pattern: $DB - regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$|^passwd$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: $DB(..., password="...",...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-pg8000-empty-password-python.yml b/rules/python/security/python-pg8000-empty-password-python.yml deleted file mode 100644 index e567c16b..00000000 --- a/rules/python/security/python-pg8000-empty-password-python.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: python-pg8000-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - pg8000.dbapi.connect(..., password="...",...): - # pg8000.dbapi.connect(..., password="...",...) - kind: call - pattern: $CALL - all: - - has: - stopBy: neighbor - pattern: $DB - regex: ^pg8000.dbapi.connect$|^pg8000.native.Connection$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: pg8000.dbapi.connect(..., password="...",...) - diff --git a/rules/python/security/python-pg8000-hardcoded-secret-python.yml b/rules/python/security/python-pg8000-hardcoded-secret-python.yml deleted file mode 100644 index db66b30d..00000000 --- a/rules/python/security/python-pg8000-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -id: python-pg8000-hardcoded-secret-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - pg8000.dbapi.connect(..., password="...",...): - # pg8000.dbapi.connect(..., password="...",...) - kind: call - pattern: $CALL - all: - - has: - stopBy: neighbor - pattern: $DB - regex: ^pg8000.dbapi.connect$|^pg8000.native.Connection$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - not: - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: pg8000.dbapi.connect(..., password="...",...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR - - \ No newline at end of file diff --git a/rules/python/security/python-psycopg2-empty-password-python.yml b/rules/python/security/python-psycopg2-empty-password-python.yml deleted file mode 100644 index 8921395e..00000000 --- a/rules/python/security/python-psycopg2-empty-password-python.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -id: python-psycopg2-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - psycopg2.connect(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^psycopg2.connect$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content - - not: - follows: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: psycopg2.connect(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/python/security/python-psycopg2-hardcoded-secret-python.yml b/rules/python/security/python-psycopg2-hardcoded-secret-python.yml deleted file mode 100644 index df80aeea..00000000 --- a/rules/python/security/python-psycopg2-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -id: python-psycopg2-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - psycopg2.connect(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^psycopg2.connect$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - not: - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - matches: psycopg2.connect(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/python/security/python-pyjwt-hardcoded-secret-python.yml b/rules/python/security/python-pyjwt-hardcoded-secret-python.yml deleted file mode 100644 index 599ca933..00000000 --- a/rules/python/security/python-pyjwt-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: python-pyjwt-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A01:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_call_with_curly_braces: - kind: call - all: - # - not: - # inside: - # stopBy: end - # kind: list_comprehension - - all: - - has: - kind: attribute - all: - - has: - kind: identifier - regex: '^jwt$' - - has: - kind: identifier - regex: ^(encode|decode)$ - - has: - kind: argument_list - all: - - has: - kind: string - nthChild: 2 - - not: - has: - stopBy: end - kind: ERROR -rule: - any: - - matches: match_call_with_curly_braces - diff --git a/rules/python/security/python-pymongo-empty-password-python.yml b/rules/python/security/python-pymongo-empty-password-python.yml deleted file mode 100644 index db0fd45c..00000000 --- a/rules/python/security/python-pymongo-empty-password-python.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -id: python-pymongo-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - pymongo.MongoClient(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^pymongo.MongoClient$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content - # $pymongo.MongoClient(..., password="",...): - # kind: call - # all: - # - has: - # stopBy: neighbor - # kind: identifier - # regex: ^MongoClient$ - # - has: - # stopBy: neighbor - # kind: argument_list - # has: - # stopBy: neighbor - # kind: keyword_argument - # all: - # - has: - # stopBy: neighbor - # kind: identifier - # regex: ^password$ - # - has: - # stopBy: neighbor - # kind: string - # not: - # has: - # stopBy: end - # kind: string_content - # - inside: - # stopBy: end - # follows: - # stopBy: end - # kind: import_from_statement - # pattern: from pymongo import MongoClient -rule: - kind: call - any: - - matches: pymongo.MongoClient(..., password="",...) - # - matches: $pymongo.MongoClient(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR 
diff --git a/rules/python/security/python-pymongo-hardcoded-secret-python.yml b/rules/python/security/python-pymongo-hardcoded-secret-python.yml deleted file mode 100644 index 4690aa06..00000000 --- a/rules/python/security/python-pymongo-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -id: python-pymongo-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - pymongo.MongoClient(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^pymongo.MongoClient$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content - # $pymongo.MongoClient(..., password="",...): - # kind: call - # all: - # - has: - # stopBy: neighbor - # kind: identifier - # regex: ^MongoClient$ - # - has: - # stopBy: neighbor - # kind: argument_list - # has: - # stopBy: neighbor - # kind: keyword_argument - # all: - # - has: - # stopBy: neighbor - # kind: identifier - # regex: ^password$ - # - has: - # stopBy: neighbor - # kind: string - # has: - # stopBy: end - # kind: string_content - # - inside: - # stopBy: end - # follows: - # stopBy: end - # kind: import_from_statement - # pattern: from pymongo import MongoClient -rule: - kind: call - any: - - matches: pymongo.MongoClient(..., password="",...) - # - matches: $pymongo.MongoClient(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR 
diff --git a/rules/python/security/python-pymssql-empty-password-python.yml b/rules/python/security/python-pymssql-empty-password-python.yml deleted file mode 100644 index 87495adf..00000000 --- a/rules/python/security/python-pymssql-empty-password-python.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -id: python-pymssql-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - mssql.connect(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^pymssql.connect$|^pymssql._mssql.connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content - # $mssql.connect(..., password="",...): - # kind: call - # all: - # - has: - # stopBy: neighbor - # kind: attribute - # regex: ^_mssql.connect$ - # - has: - # stopBy: neighbor - # kind: argument_list - # has: - # stopBy: neighbor - # kind: keyword_argument - # all: - # - has: - # stopBy: neighbor - # kind: identifier - # regex: ^password$ - # - has: - # stopBy: neighbor - # kind: string - # not: - # has: - # stopBy: end - # kind: string_content - # - inside: - # stopBy: end - # follows: - # stopBy: end - # kind: import_from_statement - # pattern: from pymssql import _mssql -rule: - kind: call - any: - - matches: mssql.connect(..., password="",...) - # - matches: $mssql.connect(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR 
diff --git a/rules/python/security/python-pymssql-hardcoded-secret-python.yml b/rules/python/security/python-pymssql-hardcoded-secret-python.yml deleted file mode 100644 index 3871aa20..00000000 --- a/rules/python/security/python-pymssql-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -id: python-pymssql-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - mssql.connect(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^pymssql.connect$|^pymssql._mssql.connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content - # $mssql.connect(..., password="",...): - # kind: call - # all: - # - has: - # stopBy: neighbor - # kind: attribute - # regex: ^_mssql.connect$ - # - has: - # stopBy: neighbor - # kind: argument_list - # has: - # stopBy: neighbor - # kind: keyword_argument - # all: - # - has: - # stopBy: neighbor - # kind: identifier - # regex: ^password$ - # - has: - # stopBy: neighbor - # kind: string - # has: - # stopBy: end - # kind: string_content - # - inside: - # stopBy: end - # follows: - # stopBy: end - # kind: import_from_statement - # pattern: from pymssql import _mssql -rule: - kind: call - any: - - matches: mssql.connect(..., password="",...) - # - matches: $mssql.connect(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR 
diff --git a/rules/python/security/python-pymysql-empty-password-python.yml b/rules/python/security/python-pymysql-empty-password-python.yml deleted file mode 100644 index 4277e251..00000000 --- a/rules/python/security/python-pymysql-empty-password-python.yml +++ /dev/null @@ -1,56 +0,0 @@ -id: python-pymysql-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - pymysql.connect(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^pymysql.connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: pymysql.connect(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-pymysql-hardcoded-secret-python.yml b/rules/python/security/python-pymysql-hardcoded-secret-python.yml deleted file mode 100644 index 190dd608..00000000 --- a/rules/python/security/python-pymysql-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: python-pymysql-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - pymysql.connect(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^pymysql.connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: pymysql.connect(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-redis-empty-password-python.yml b/rules/python/security/python-redis-empty-password-python.yml deleted file mode 100644 index a3984583..00000000 --- a/rules/python/security/python-redis-empty-password-python.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -id: python-redis-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - redis.Redis(..., password="...",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - pattern: redis.Redis - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content - - not: - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: redis.Redis(..., password="...",...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/python/security/python-redis-hardcoded-secret-python.yml b/rules/python/security/python-redis-hardcoded-secret-python.yml deleted file mode 100644 index 98a1f92e..00000000 --- a/rules/python/security/python-redis-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -id: python-redis-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - redis.Redis(..., password="...",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - pattern: redis.Redis - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content - - not: - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: redis.Redis(..., password="...",...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/python/security/python-requests-empty-password-python.yml b/rules/python/security/python-requests-empty-password-python.yml deleted file mode 100644 index 9562f4e2..00000000 --- a/rules/python/security/python-requests-empty-password-python.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: python-requests-empty-password-python -severity: warning -language: python -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - requests.auth.HTTPBasicAuth($USER,"",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^requests.auth.HTTPBasicAuth$|^requests.auth.HTTPDigestAuth$|^requests.auth.HTTPProxyAuth$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: 2 - not: - has: - stopBy: end - kind: string_content - # - not: - # inside: - # stopBy: end - # kind: argument_list - # follows: - # stopBy: end - # kind: attribute - # regex: ^requests.auth.HTTPBasicAuth$|^requests.auth.HTTPDigestAuth$|^requests.auth.HTTPProxyAuth$ -rule: - kind: call - matches: requests.auth.HTTPBasicAuth($USER,"",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-requests-hardcoded-secret-python.yml b/rules/python/security/python-requests-hardcoded-secret-python.yml deleted file mode 100644 index 937ce2e4..00000000 --- a/rules/python/security/python-requests-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,155 +0,0 @@ -id: python-requests-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - requests.auth.HTTPBasicAuth($USER,"",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^requests.auth.HTTPBasicAuth$|^requests.auth.HTTPDigestAuth$|^requests.auth.HTTPProxyAuth$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: 3 - has: - stopBy: neighbor - kind: string - nthChild: 2 - has: - stopBy: end - kind: string_content - - HTTPBasicAuth($USER,"",...): - kind: call - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(HTTPBasicAuth)$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: 3 - has: - stopBy: neighbor - kind: string - nthChild: 2 - has: - stopBy: end - kind: string_content - - any: - - follows: - stopBy: end - kind: import_from_statement - any: - - pattern: from requests.auth import HTTPBasicAuth - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - any: - - pattern: from requests.auth import HTTPBasicAuth - - HTTPProxyAuth($USER,"",...): - kind: call - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(HTTPProxyAuth)$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: 3 - has: - stopBy: neighbor - kind: string - nthChild: 2 - has: - stopBy: end - kind: string_content - - any: - - follows: - stopBy: end - kind: 
import_from_statement - any: - - pattern: from requests.auth import HTTPProxyAuth - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - any: - - pattern: from requests.auth import HTTPProxyAuth - - HTTPDigestAuth($USER,"",...): - kind: call - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(HTTPDigestAuth)$ - - has: - stopBy: neighbor - kind: argument_list - not: - has: - nthChild: 3 - has: - stopBy: neighbor - kind: string - nthChild: 2 - has: - stopBy: end - kind: string_content - - any: - - follows: - stopBy: end - kind: import_from_statement - any: - - pattern: from requests.auth import HTTPProxyAuth - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - any: - - pattern: from requests.auth import HTTPDigestAuth - -rule: - kind: call - any: - - matches: HTTPProxyAuth($USER,"",...) - - matches: HTTPDigestAuth($USER,"",...) - - matches: HTTPBasicAuth($USER,"",...) - - matches: requests.auth.HTTPBasicAuth($USER,"",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml b/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml deleted file mode 100644 index 88f5728d..00000000 --- a/rules/python/security/python-requests-oauth-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,290 +0,0 @@ -id: python-requests-oauth-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - requests_oauthlib.OAuth1($KEY, "...", ...): - kind: call - all: - - has: - kind: attribute - regex: ^requests_oauthlib.OAuth1$ - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - any: - - nthChild: - position: 2 - ofRule: - not: - kind: comment - - nthChild: - position: 4 - ofRule: - not: - kind: comment - - requests_oauthlib.OAuth1($KEY, "...", ...)_with_Instance: - kind: call - all: - - has: - kind: attribute - regex: ^requests_oauthlib.OAuth1$ - - has: - kind: argument_list - has: - kind: identifier - pattern: $STR - any: - - nthChild: - position: 2 - ofRule: - not: - kind: comment - - nthChild: - position: 4 - ofRule: - not: - kind: comment - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string - has: - kind: string_content - - OAuth1($KEY, "...", ...): - kind: call - all: - - has: - kind: identifier - regex: ^OAuth1$ - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - any: - - nthChild: - position: 2 - ofRule: - not: - kind: comment - - nthChild: - position: 4 - ofRule: - not: - kind: comment - - inside: - stopBy: end - follows: - stopBy: end - 
kind: import_from_statement - pattern: from requests_oauthlib import OAuth1 - - OAuth1($KEY, "...", ...)_with_Instance: - kind: call - all: - - has: - kind: identifier - regex: ^OAuth1$ - - has: - kind: argument_list - has: - kind: identifier - pattern: $STR - any: - - nthChild: - position: 2 - ofRule: - not: - kind: comment - - nthChild: - position: 4 - ofRule: - not: - kind: comment - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from requests_oauthlib import OAuth1 - - $OAUTH.fetch_token(..., client_secret="...", ...): - kind: call - all: - - has: - kind: attribute - all: - - has: - kind: identifier - pattern: $OAUTH - nthChild: 1 - - has: - kind: identifier - regex: ^fetch_token$ - nthChild: 2 - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^client_secret$ - - has: - kind: string - has: - kind: string_content - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $OAUTH - - has: - kind: call - has: - kind: identifier - regex: ^OAuth2Session$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from requests_oauthlib import OAuth2Session - - $OAUTH.fetch_token(..., client_secret="...", ...)_with_Instance: - kind: call - all: - - has: - kind: attribute - all: - - has: - kind: identifier - pattern: $OAUTH - nthChild: 1 - - has: - kind: identifier - regex: ^fetch_token$ - nthChild: 2 - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^client_secret$ - - has: - kind: identifier - pattern: $STR - nthChild: 2 - - 
inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $OAUTH - - has: - kind: call - has: - kind: identifier - regex: ^OAuth2Session$ - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from requests_oauthlib import OAuth2Session - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string - has: - kind: string_content - -rule: - kind: call - any: - - matches: requests_oauthlib.OAuth1($KEY, "...", ...) - - matches: requests_oauthlib.OAuth1($KEY, "...", ...)_with_Instance - - matches: OAuth1($KEY, "...", ...) - - matches: OAuth1($KEY, "...", ...)_with_Instance - - matches: $OAUTH.fetch_token(..., client_secret="...", ...) - - matches: $OAUTH.fetch_token(..., client_secret="...", ...)_with_Instance - all: - - not: - inside: - stopBy: end - kind: ERROR - - not: - has: - stopBy: end - kind: ERROR diff --git a/rules/python/security/python-tormysql-empty-password-python.yml b/rules/python/security/python-tormysql-empty-password-python.yml deleted file mode 100644 index 7b8d8196..00000000 --- a/rules/python/security/python-tormysql-empty-password-python.yml +++ /dev/null 
@@ -1,313 +0,0 @@ -id: python-tormysql-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - python-tormysql-hardcoded-secret: - kind: call - all: - - has: - kind: attribute - all: - - has: - kind: identifier - nthChild: 1 - regex: ^tormysql$ - - has: - kind: identifier - nthChild: 2 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: string - not: - has: - kind: string_content - - python-tormysql-hardcoded-secret_INSTANCE: - kind: call - all: - - has: - kind: attribute - all: - - has: - kind: identifier - nthChild: 1 - regex: ^tormysql$ - - has: - kind: identifier - nthChild: 2 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: identifier - nthChild: 2 - pattern: $PASSWORD - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - not: - has: - kind: string_content - - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: 
$PASSWORD - - has: - kind: string - not: - has: - kind: string_content - - ConnectionPool(password=""): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: string - not: - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - ConnectionPool(password="")_INSTANCE: - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: identifier - nthChild: 2 - pattern: $PASSWORD - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - not: - has: - kind: string_content - - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - not: - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - $VAR(password=""): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - pattern: $VAR - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: string - not: - has: - kind: string_content - - any: - - inside: - 
stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - - $VAR(password="")_INSTANCE: - kind: call - all: - - has: - kind: identifier - nthChild: 1 - pattern: $VAR - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: identifier - nthChild: 2 - pattern: $PASSWORD - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - not: - has: - kind: string_content - - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - not: - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - -rule: - any: - - matches: python-tormysql-hardcoded-secret - - matches: python-tormysql-hardcoded-secret_INSTANCE - - matches: ConnectionPool(password="") - - matches: ConnectionPool(password="")_INSTANCE - - matches: $VAR(password="") - - matches: $VAR(password="")_INSTANCE diff --git a/rules/python/security/python-tormysql-hardcoded-secret-python.yml b/rules/python/security/python-tormysql-hardcoded-secret-python.yml deleted file mode 100644 index 7b6a5a9a..00000000 --- a/rules/python/security/python-tormysql-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,303 +0,0 @@ -id: python-tormysql-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide crede ntials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - python-tormysql-hardcoded-secret: - kind: call - all: - - has: - kind: attribute - all: - - has: - kind: identifier - nthChild: 1 - regex: ^tormysql$ - - has: - kind: identifier - nthChild: 2 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: string - has: - kind: string_content - - python-tormysql-hardcoded-secret_INSTANCE: - kind: call - all: - - has: - kind: attribute - all: - - has: - kind: identifier - nthChild: 1 - regex: ^tormysql$ - - has: - kind: identifier - nthChild: 2 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: identifier - nthChild: 2 - pattern: $PASSWORD - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - has: - kind: string_content - - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string 
- has: - kind: string_content - - ConnectionPool(password=""): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: string - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - ConnectionPool(password="")_INSTANCE: - kind: call - all: - - has: - kind: identifier - nthChild: 1 - regex: ^ConnectionPool$ - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: identifier - nthChild: 2 - pattern: $PASSWORD - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - has: - kind: string_content - - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool - - $VAR(password=""): - kind: call - all: - - has: - kind: identifier - nthChild: 1 - pattern: $VAR - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: string - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - 
pattern: from tormysql import ConnectionPool as $VAR - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - - $VAR(password="")_INSTANCE: - kind: call - all: - - has: - kind: identifier - nthChild: 1 - pattern: $VAR - - has: - kind: argument_list - has: - kind: keyword_argument - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(password|passwd)$ - - has: - kind: identifier - nthChild: 2 - pattern: $PASSWORD - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - has: - kind: string_content - - follows: - stopBy: end - kind: expression_statement - has: - kind: assignment - all: - - has: - kind: identifier - nthChild: 1 - pattern: $PASSWORD - - has: - kind: string - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - - follows: - stopBy: end - kind: import_from_statement - pattern: from tormysql import ConnectionPool as $VAR - -rule: - any: - - matches: python-tormysql-hardcoded-secret - - matches: python-tormysql-hardcoded-secret_INSTANCE - - matches: ConnectionPool(password="") - - matches: ConnectionPool(password="")_INSTANCE - - matches: $VAR(password="") - - matches: $VAR(password="")_INSTANCE diff --git a/rules/python/security/python-urllib3-hardcoded-secret-python.yml b/rules/python/security/python-urllib3-hardcoded-secret-python.yml deleted file mode 100644 index f8e4bfb2..00000000 --- a/rules/python/security/python-urllib3-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: python-urllib3-hardcoded-secret-python -severity: warning -language: python -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - urllib3.util.make_headers(...,basic_auth="...",...): - # urllib3.util.make_headers(...,basic_auth="...",...) - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: '^urllib3.util.make_headers$|^urllib3.make_headers$|^requests.packages.urllib3.make_headers$|^requests.packages.urllib3.util.make_headers$' - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: '^basic_auth$|^proxy_basic_auth$' - - has: - stopBy: neighbor - kind: string - any: - - has: - stopBy: neighbor - kind: string_content - - has: - stopBy: neighbor - regex: '.*' - -rule: - kind: call - matches: urllib3.util.make_headers(...,basic_auth="...",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-webrepl-empty-password-python.yml b/rules/python/security/python-webrepl-empty-password-python.yml deleted file mode 100644 index 1869d3ee..00000000 --- a/rules/python/security/python-webrepl-empty-password-python.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: python-webrepl-empty-password-python -language: python -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - webrepl.start(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^webrepl.start$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: webrepl.start(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/python/security/python-webrepl-hardcoded-secret-python.yml b/rules/python/security/python-webrepl-hardcoded-secret-python.yml deleted file mode 100644 index aa04e5a5..00000000 --- a/rules/python/security/python-webrepl-hardcoded-secret-python.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: python-webrepl-hardcoded-secret-python -language: python -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - webrepl.start(..., password="",...): - kind: call - all: - - has: - stopBy: neighbor - kind: attribute - regex: ^webrepl.start$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: keyword_argument - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_content -rule: - kind: call - matches: webrepl.start(..., password="",...) - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/ruby/security/force-ssl-false-ruby.yml b/rules/ruby/security/force-ssl-false-ruby.yml deleted file mode 100644 index cb5966b4..00000000 --- a/rules/ruby/security/force-ssl-false-ruby.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: force-ssl-false-ruby -language: ruby -severity: warning -message: >- - Checks for configuration setting of force_ssl to false. Force_ssl - forces usage of HTTPS, which could lead to network interception of - unencrypted application traffic. To fix, set config.force_ssl = true. -note: >- - [CWE-311] Missing Encryption of Sensitive Data. - [REFERENCES] - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb - -ast-grep-essentials: true - -utils: - config.force_ssl = $FAL: - kind: assignment - all: - - has: - kind: call - pattern: config.force_ssl - - has: - regex: ^\s*false$ - -rule: - kind: assignment - any: - - matches: config.force_ssl = $FAL diff --git a/rules/ruby/security/hardcoded-http-auth-in-controller-ruby.yml b/rules/ruby/security/hardcoded-http-auth-in-controller-ruby.yml deleted file mode 100644 index 6bbc9422..00000000 --- a/rules/ruby/security/hardcoded-http-auth-in-controller-ruby.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: hardcoded-http-auth-in-controller-ruby -language: ruby -severity: warning -message: >- - Detected hardcoded password used in basic authentication in a - controller class. Including this password in version control could expose - this credential. Consider refactoring to use environment variables or - configuration files -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - MATCH_PASSWORD_STRING: - kind: string - inside: - stopBy: end - kind: pair - all: - - has: - stopBy: neighbor - kind: simple_symbol - regex: "^:password$" - - has: - stopBy: neighbor - kind: string - - inside: - stopBy: neighbor - kind: argument_list - inside: - stopBy: end - kind: call - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^http_basic_authenticate_with$" - - inside: - stopBy: neighbor - kind: body_statement - inside: - stopBy: end - kind: class - all: - - has: - stopBy: neighbor - kind: constant - - has: - stopBy: end - kind: superclass - has: - stopBy: neighbor - kind: constant - regex: "^ApplicationController$" - -rule: - kind: string - matches: MATCH_PASSWORD_STRING diff --git a/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml b/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml deleted file mode 100644 index 5bf26bf5..00000000 --- a/rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml +++ /dev/null 
@@ -1,232 +0,0 @@ -id: hardcoded-secret-rsa-passphrase-ruby -language: ruby -severity: warning -message: >- - Found the use of an hardcoded passphrase for RSA. The passphrase can be - easily discovered, and therefore should not be stored in source-code. It - is recommended to remove the passphrase from source-code, and use system - environment variables or a restricted configuration file. -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cwe.mitre.org/data/definitions/522.html - -ast-grep-essentials: true - -utils: - OpenSSL::PKey::RSA.new(..., '...'): - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^OpenSSL::PKey::RSA$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: string - nthChild: 2 - has: - stopBy: neighbor - kind: string_content - - OpenSSL::PKey::RSA.new(...).to_pem(..., '...'): - kind: call - all: - - has: - stopBy: neighbor - kind: call - pattern: OpenSSL::PKey::RSA.new($$$) - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^to_pem|export$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: - position: 2 - ofRule: - not: - kind: comment - not: - precedes: - stopBy: end - nthChild: 3 - - OpenSSL::PKey::RSA.new(..., '...')_with_instance: - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^OpenSSL::PKey::RSA$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $SECRET - nthChild: 2 - - - inside: - stopBy: end - kind: class - has: - stopBy: end - kind: assignment - pattern: $SECRET = '$SECRET_VALUE' - - 
OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance: - kind: call - all: - - has: - stopBy: neighbor - kind: call - pattern: OpenSSL::PKey::RSA.new($$$) - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^to_pem|export$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $SECRET - nthChild: 2 - - - inside: - stopBy: end - kind: class - has: - stopBy: end - kind: assignment - pattern: $SECRET = '$SECRET_VALUE' - - $OPENSSL.export(...,'...'): - kind: call - all: - - has: - stopBy: neighbor - pattern: $OPENSSL - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^export|to_pem$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: string - nthChild: 2 - has: - stopBy: neighbor - kind: string_content - - - inside: - stopBy: end - kind: class - has: - stopBy: end - kind: assignment - pattern: $OPENSSL = OpenSSL::PKey::RSA.new - - $OPENSSL.to_pem(...,$ASSIGN): - kind: call - all: - - has: - stopBy: neighbor - pattern: $OPENSSL - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^export|to_pem$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $SECRET - nthChild: 2 - - inside: - stopBy: end - kind: class - all: - - has: - stopBy: end - kind: assignment - pattern: $OPENSSL = OpenSSL::PKey::RSA.new - - has: - stopBy: end - kind: assignment - pattern: $SECRET = '$SECRET_STRING' - - match_call: - kind: call - all: - - has: - stopBy: end - kind: identifier - field: receiver - - has: - stopBy: end - kind: identifier - field: method - - has: - stopBy: end - kind: argument_list - field: arguments - all: - - has: - kind: call - - has: - kind: string -rule: - kind: call - any: - - matches: OpenSSL::PKey::RSA.new(..., '...') - - matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...') - - matches: 
OpenSSL::PKey::RSA.new(..., '...')_with_instance - - matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance - - matches: $OPENSSL.export(...,'...') - - matches: $OPENSSL.to_pem(...,$ASSIGN) - - matches: match_call diff --git a/rules/ruby/security/insufficient-rsa-key-size-ruby.yml b/rules/ruby/security/insufficient-rsa-key-size-ruby.yml deleted file mode 100644 index bc49a266..00000000 --- a/rules/ruby/security/insufficient-rsa-key-size-ruby.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -id: insufficient-rsa-key-size-ruby -language: ruby -severity: warning -message: >- - The RSA key size $SIZE is insufficent by NIST standards. It is - recommended to use a key length of 2048 or higher. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf - -ast-grep-essentials: true - -utils: - OpenSSL::PKey::RSA.generate($SIZE,...): - # OpenSSL::PKey::RSA.generate($SIZE,...) - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^OpenSSL::PKey::RSA$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^(new|generate)$ - - has: - stopBy: neighbor - kind: argument_list - has: - pattern: $KEYS - any: - - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' - - regex: ^-\d+(\.\d+)?(/(\d+(\.\d+)?))?$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - OpenSSL::PKey::RSA.new($ASSIGN, ...): - # $ASSIGN = $SIZE - # OpenSSL::PKey::RSA.new($ASSIGN, ...) - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^OpenSSL::PKey::RSA$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^(new|generate)$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $BIT - nthChild: - position: 1 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - pattern: $BIT = $KEY - - follows: - stopBy: end - kind: assignment - pattern: $BIT = $KEY -rule: - kind: call - any: - - matches: OpenSSL::PKey::RSA.generate($SIZE,...) - - matches: OpenSSL::PKey::RSA.new($ASSIGN, ...) 
-constraints: - KEY: - any: - - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' - - regex: ^-\d+(\.\d+)?(/(\d+(\.\d+)?))?$ diff --git a/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml deleted file mode 100644 index 42398ced..00000000 --- a/rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,149 +0,0 @@ -id: ruby-aws-sdk-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Aws::Credentials.new($X, "...", ...): - # Aws::Credentials.new($X, "...", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^Aws::Credentials$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: - position: 2 - ofRule: - not: - kind: comment - any: - - has: - nthChild: 1 - not: - kind: pair - has: - nthChild: 1 - kind: hash_key_symbol - - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'aws-sdk-core' - - follows: - stopBy: end - kind: call - pattern: require 'aws-sdk-core' - Aws::Credentials.new($X, "...", ...)_instance: - # Aws::Credentials.new($X, $VAR, ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^Aws::Credentials$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - nthChild: - position: 2 - ofRule: - not: - kind: comment - any: - - has: - nthChild: 1 - not: - kind: pair - has: - nthChild: 1 - kind: hash_key_symbol - - any: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'aws-sdk-core' - - follows: - stopBy: end - kind: call - pattern: require 'aws-sdk-core' - -rule: - kind: call - any: - - matches: Aws::Credentials.new($X, "...", ...) - - matches: Aws::Credentials.new($X, "...", ...)_instance - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR diff --git a/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml b/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml deleted file mode 100644 index d1218655..00000000 --- a/rules/ruby/security/ruby-cassandra-empty-password-ruby.yml +++ /dev/null 
@@ -1,151 +0,0 @@ -id: ruby-cassandra-empty-password-ruby -language: ruby -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Cassandra.cluster(): - # Cassandra.cluster(..., password: "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Cassandra$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^cluster$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - kind: hash_key_symbol - regex: ^password$ - - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - not: - has: - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - Cassandra.cluster()_Instance: - # Cassandra.cluster(..., password: "", ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Cassandra$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^cluster$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - kind: hash_key_symbol - regex: ^password$ - - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - any: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - not: - has: - kind: string_content - -rule: - kind: call - any: - - matches: Cassandra.cluster() - - matches: Cassandra.cluster()_Instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml deleted file mode 100644 index f7a69977..00000000 --- a/rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -id: ruby-cassandra-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Cassandra.cluster(): - # Cassandra.cluster(..., password: "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Cassandra$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^cluster$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - kind: hash_key_symbol - regex: ^password$ - - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - Cassandra.cluster()_Instance: - # Cassandra.cluster(..., password: "", ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Cassandra$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^cluster$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - kind: hash_key_symbol - regex: ^password$ - - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - follows: - stopBy: end - kind: call - pattern: require 'cassandra' - - any: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - has: - kind: string_content -rule: - kind: call - any: - - matches: Cassandra.cluster() - - matches: Cassandra.cluster()_Instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - diff --git a/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml deleted file mode 100644 index 1e02035d..00000000 --- a/rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,242 +0,0 @@ -id: ruby-excon-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Excon.new(..., :password => "...", ...): - # Excon.new(..., :password => "...", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Excon$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'excon' - - follows: - stopBy: end - kind: call - pattern: require 'excon' - - Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...): - # Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Excon$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^Excon::Utils$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^escape_uri$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'excon' - - follows: - stopBy: end - kind: call - pattern: require 'excon' - - Excon.new(..., :password => "...", ...)_instance: - # Excon.new(..., :password => "...", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Excon$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: simple_symbol - regex: ^:password$ - - has: - stopBy: neighbor - kind: identifier - pattern: $VAR - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'excon' - - follows: - stopBy: end - kind: call - pattern: require 'excon' - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $VAR - - has: - kind: string - - - Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance: - # Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Excon$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: simple_symbol - regex: ^:password$ - - has: - kind: identifier - pattern: $VAR - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - pattern: $VAR = Excon::Utils.escape_uri('$$$') - - follows: - stopBy: end - kind: assignment - pattern: $VAR = Excon::Utils.escape_uri('$$$') - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'excon' - - follows: - stopBy: end - kind: call - pattern: require 'excon' - -rule: - kind: call - any: - - matches: Excon.new(..., :password => "...", ...) - - matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...) - - - matches: Excon.new(..., :password => "...", ...)_instance - - matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR diff --git a/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml deleted file mode 100644 index 93c4ce24..00000000 --- a/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,503 +0,0 @@ -id: ruby-faraday-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - $X.request :authorization, :basic, $USER, "...": - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:authorization$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - regex: ^:basic$ - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - any: - - kind: chained_string - has: - kind: string - has: - kind: string_content - nthChild: - position: 4 - ofRule: - not: - kind: comment - - kind: string - has: - kind: string_content - nthChild: - position: 4 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - $Instance($X.request :authorization, :basic, $USER, "..."): - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:authorization$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - regex: ^:basic$ - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - pattern: $STRING - kind: identifier - nthChild: - position: 4 - ofRule: - 
not: - kind: comment - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - any: - - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - - $X.request :basic_auth, $USER, "...": - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:basic_auth$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - any: - - kind: chained_string - has: - kind: string - has: - kind: string_content - position: 3 - ofRule: - not: - kind: comment - - kind: string - has: - kind: string_content - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - any: - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - Instance( $X.request :basic_auth, $USER, "..."): - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:basic_auth$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - kind: identifier - pattern: $STRING - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - any: - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - any: - - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - 
pattern: $STRING = $PASSWORD - - $X.request :token_auth, "...", ...: - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:token_auth$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - any: - - kind: chained_string - has: - kind: string - has: - kind: string_content - position: 2 - ofRule: - not: - kind: comment - - kind: string - has: - kind: string_content - position: 2 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - Instance($X.request :token_auth, "...", ...): - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:token_auth$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - kind: identifier - pattern: $STRING - nthChild: - position: 2 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - any: - - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - - $X.request :authorization, $BEARER, "...": - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:authorization$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - any: - - kind: chained_string - has: - kind: string - has: - kind: string_content - nthChild: - position: 3 - ofRule: - not: - kind: comment - - kind: string - has: - kind: string_content - nthChild: - 
position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - Instance($X.request :authorization, $BEARER, "..."): - kind: call - all: - - has: - kind: identifier - nthChild: 2 - regex: ^request$ - - has: - kind: argument_list - nthChild: 3 - all: - - has: - regex: ^:authorization$ - nthChild: - position: 1 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - has: - kind: identifier - pattern: $STRING - nthChild: - position: 3 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "faraday" - - follows: - stopBy: end - kind: call - pattern: require "faraday" - - any: - - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - pattern: $STRING = $PASSWORD - -rule: - kind: call - any: - - matches: $X.request :authorization, :basic, $USER, "..." - - matches: $Instance($X.request :authorization, :basic, $USER, "...") - - matches: $X.request :basic_auth, $USER, "..." - - matches: Instance( $X.request :basic_auth, $USER, "...") - - matches: $X.request :token_auth, "...", ... - - matches: Instance($X.request :token_auth, "...", ...) - - matches: $X.request :authorization, $BEARER, "..." - - matches: Instance($X.request :authorization, $BEARER, "...") - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR -constraints: - PASSWORD: - kind: string - has: - kind: string_content 
diff --git a/rules/ruby/security/ruby-mongo-empty-password-ruby.yml b/rules/ruby/security/ruby-mongo-empty-password-ruby.yml deleted file mode 100644 index a3d71540..00000000 --- a/rules/ruby/security/ruby-mongo-empty-password-ruby.yml +++ /dev/null 
@@ -1,365 +0,0 @@ -id: ruby-mongo-empty-password-ruby -language: ruby -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_call_Mongo_client: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - not: - has: - kind: string_content - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - - match_call_with_identifier: - kind: call - all: - - has: - kind: identifier - pattern: $I - - has: - kind: identifier - regex: "^with$" - - has: - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - not: - has: - kind: string_content - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - 
has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - - match_call_Mongo_client_with_identifier: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - not: - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - not: - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - match_call_with_identifier2: - 
kind: call - all: - - has: - kind: identifier - pattern: $I - - has: - kind: identifier - regex: "^with$" - - has: - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - any: - - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - not: - has: - kind: string_content - - follows: - all: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - not: - has: - kind: string_content - -rule: - any: - - matches: match_call_Mongo_client - - matches: match_call_Mongo_client_with_identifier - - matches: match_call_with_identifier - - matches: match_call_with_identifier2 diff --git a/rules/ruby/security/ruby-mongo-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-mongo-hardcoded-secret-ruby.yml deleted file mode 100644 index ffa0e8cb..00000000 --- a/rules/ruby/security/ruby-mongo-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,409 +0,0 @@ -id: ruby-mongo-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_call_Mongo_client: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - has: - kind: string_content - inside: - stopBy: end - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - - match_call_with_identifier: - kind: call - all: - - has: - kind: identifier - pattern: $I - - has: - kind: identifier - regex: "^with$" - - has: - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - has: - kind: string_content - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - 
kind: identifier - regex: "^new$" - - has: - kind: argument_list - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - match_call_Mongo_client_with_identifier: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - match_call_with_identifier2: - kind: call - all: - - has: - kind: identifier - pattern: $I - - has: - kind: identifier - regex: "^with$" - - has: - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - has: - kind: string_content - - match_call_Mongo_client_without_inside: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: 
constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - match_call_with_identifier2_new: - kind: call - all: - - has: - kind: identifier - pattern: $I - - has: - kind: identifier - regex: "^with$" - - has: - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - all: - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $I - - has: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - has: - kind: string_content - match_call_with_identifier_new: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mongo$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: 
"^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - -rule: - any: - - matches: match_call_Mongo_client - - matches: match_call_Mongo_client_with_identifier - - matches: match_call_with_identifier - - matches: match_call_with_identifier2 - - matches: match_call_Mongo_client_without_inside - - matches: match_call_with_identifier2_new - - matches: match_call_with_identifier_new diff --git a/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml b/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml deleted file mode 100644 index 4a9d231e..00000000 --- a/rules/ruby/security/ruby-mysql2-empty-password-ruby.yml +++ /dev/null 
@@ -1,234 +0,0 @@ -id: ruby-mysql2-empty-password-ruby -language: ruby -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287]: Improper Authentication - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_Mysql2:Client: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - not: - has: - kind: string_content - inside: - stopBy: end - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - match_Mysql2:Client_with_identifier: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - not: - has: - kind: 
string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - match_Mysql2:Client_with_identifier2: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $R - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $R - - has: - kind: string - not: - has: - kind: string_content - inside: - stopBy: end - kind: singleton_method - inside: - stopBy: end - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - match_Mysql2_new: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - not: - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" -rule: - any: - - matches: match_Mysql2:Client - - matches: match_Mysql2:Client_with_identifier - - matches: match_Mysql2:Client_with_identifier2 - - matches: match_Mysql2_new - 
diff --git a/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml deleted file mode 100644 index 73e4ff8e..00000000 --- a/rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,257 +0,0 @@ -id: ruby-mysql2-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - match_Mysql2:Client: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - has: - kind: string_content - inside: - stopBy: end - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - match_Mysql2:Client_with_identifier: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $A - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - has: - kind: string_content - 
follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $A - - has: - kind: string - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - - match_Mysql3: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - stopBy: end - kind: hash_key_symbol - regex: "^password$" - - has: - kind: string - has: - kind: string_content - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: "^mysql2$" - match_Mysql2:Client_with_identifier2: - kind: call - all: - - has: - kind: scope_resolution - all: - - has: - kind: constant - field: scope - regex: "^Mysql2$" - - has: - kind: constant - field: name - regex: "^Client$" - - has: - kind: identifier - regex: "^new$" - - has: - kind: argument_list - has: - kind: pair - all: - - has: - kind: hash_key_symbol - regex: "^password$" - - has: - kind: identifier - pattern: $R - follows: - stopBy: end - kind: assignment - all: - - has: - kind: identifier - pattern: $R - - has: - kind: string - has: - kind: string_content - inside: - stopBy: end - kind: singleton_method - inside: - stopBy: end - follows: - stopBy: end - kind: call - all: - - has: - kind: identifier - regex: "^require$" - - has: - kind: argument_list - has: - kind: string - has: - kind: string_content - regex: 
"^mysql2$" - -rule: - any: - - matches: match_Mysql2:Client - - matches: match_Mysql3 - - matches: match_Mysql2:Client_with_identifier - - matches: match_Mysql2:Client_with_identifier2 - diff --git a/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml deleted file mode 100644 index 722ba8cb..00000000 --- a/rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,132 +0,0 @@ -id: ruby-octokit-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Octokit::Client.new(password:""): - # Octokit::Client.new(..., password: "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^Octokit::Client$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - kind: simple_symbol - regex: ^:password$|^:access_token$|^:client_secret$ - - kind: hash_key_symbol - regex: ^password$|^access_token$|^client_secret$ - - has: - stopBy: neighbor - kind: string - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'octokit' - - follows: - stopBy: end - kind: call - pattern: require 'octokit' - Octokit::Client.new(password:"")_Instance: - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^Octokit::Client$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - kind: simple_symbol - regex: ^:password$|^:access_token$|^:client_secret$ - - kind: hash_key_symbol - regex: ^password$|^access_token$|^client_secret$ - - has: - 
stopBy: neighbor - kind: identifier - pattern: $SECRET - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require 'octokit' - - follows: - stopBy: end - kind: call - pattern: require 'octokit' - - any: - - follows: - stopBy: end - kind: assignment - pattern: $SECRET = $PASS - - inside: - stopBy: end - follows: - stopBy: end - kind: assignment - pattern: $SECRET = $PASS -rule: - kind: call - any: - - matches: Octokit::Client.new(password:"") - - matches: Octokit::Client.new(password:"")_Instance - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR - -constraints: - PASS: - kind: string \ No newline at end of file diff --git a/rules/ruby/security/ruby-pg-empty-password-ruby.yml b/rules/ruby/security/ruby-pg-empty-password-ruby.yml deleted file mode 100644 index a2d63613..00000000 --- a/rules/ruby/security/ruby-pg-empty-password-ruby.yml +++ /dev/null 
@@ -1,159 +0,0 @@ -id: ruby-pg-empty-password-ruby -language: ruby -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - PG.connect(password:""): - # PG.connect(..., password: "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^PG$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - regex: ^password$ - not: - precedes: - regex: ^=>$ - - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content - PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): - # PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^PG$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: 7 - not: - has: - stopBy: neighbor - kind: string_content - PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): - # PG::Connection.connect_start($HOST, $PORT, $OPS, $TTY, $DB, $USER,"", ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^PG::Connection$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^connect_start$|^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: 7 - not: - has: - stopBy: neighbor - kind: string_content - PG::Connection.new(password:""): - # PG::Connection.new(..., password: '', ...) - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^PG::Connection$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$|^connect_start$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - regex: ^password$ - not: - precedes: - regex: ^=>$ - - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content -rule: - kind: call - any: - - matches: PG.connect(password:"") - - matches: PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new(password:"") - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR \ No newline at end of file diff --git a/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml deleted file mode 100644 index c730d538..00000000 --- a/rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,199 +0,0 @@ -id: ruby-pg-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - PG.connect(password:""): - # PG::Connection.new(..., password: '', ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^PG$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - stopBy: neighbor - any: - - regex: ^password$ - not: - precedes: - regex: ^=>$ - - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "pg" - - follows: - stopBy: end - kind: call - pattern: require "pg" - PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): - # PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "", ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^PG$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^connect$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: 7 - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "pg" - - follows: - stopBy: end - kind: call - pattern: require "pg" - PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, ""): - # PG::Connection.connect_start($HOST, $PORT, $OPS, $TTY, $DB, $USER,"", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^PG::Connection$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^connect_start$|^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string - nthChild: 7 - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "pg" - - follows: - stopBy: end - kind: call - pattern: require "pg" - PG::Connection.new(password:""): - # PG::Connection.new(..., password: '', ...) 
- kind: call - all: - - has: - stopBy: neighbor - kind: scope_resolution - regex: ^PG::Connection$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$|^connect_start$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: pair - all: - - has: - stopBy: neighbor - any: - - regex: ^password$ - not: - precedes: - regex: ^=>$ - - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "pg" - - follows: - stopBy: end - kind: call - pattern: require "pg" -rule: - kind: call - any: - - matches: PG.connect(password:"") - - matches: PG.connect($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new($HOST, $PORT, $OPS, $TTY, $DB, $USER, "") - - matches: PG::Connection.new(password:"") - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR - \ No newline at end of file diff --git a/rules/ruby/security/ruby-redis-empty-password-ruby.yml b/rules/ruby/security/ruby-redis-empty-password-ruby.yml deleted file mode 100644 index 4f8ef8ca..00000000 --- a/rules/ruby/security/ruby-redis-empty-password-ruby.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -id: ruby-redis-empty-password-ruby -language: ruby -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Redis.new(..., password:"", ...): - # Redis.new(..., password: "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Redis$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - regex: ^password$ - not: - precedes: - regex: ^=>$ - - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - not: - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "redis" - - follows: - stopBy: end - kind: call - pattern: require "redis" -rule: - kind: call - matches: Redis.new(..., password:"", ...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR diff --git a/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml deleted file mode 100644 index 2bfccf0e..00000000 --- a/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -id: ruby-redis-hardcoded-secret-ruby -language: ruby -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - -ast-grep-essentials: true - -utils: - Redis.new(..., password:"", ...): - # Redis.new(..., password: "", ...) - kind: call - all: - - has: - stopBy: neighbor - kind: constant - regex: ^Redis$ - - has: - stopBy: neighbor - regex: ^.$ - - has: - stopBy: neighbor - kind: identifier - regex: ^new$ - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - any: - - regex: ^password$ - not: - precedes: - regex: ^=>$ - - regex: ^:password$ - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_content - - any: - - inside: - stopBy: end - follows: - stopBy: end - kind: call - pattern: require "redis" - - follows: - stopBy: end - kind: call - pattern: require "redis" -rule: - kind: call - matches: Redis.new(..., password:"", ...) - all: - - not: - has: - stopBy: end - kind: ERROR - - not: - inside: - stopBy: end - kind: ERROR diff --git a/rules/rust/security/empty-password-rust.yml b/rules/rust/security/empty-password-rust.yml deleted file mode 100644 index a00a3943..00000000 --- a/rules/rust/security/empty-password-rust.yml +++ /dev/null 
@@ -1,1059 +0,0 @@ -id: empty-password-rust -language: rust -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-87]: Improper Authentication - [REFERENCES] - - https://docs.rs/sqlx/latest/sqlx/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -ast-grep-essentials: true -utils: - - MySqlConnectOptions::new(...). ... .password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - PgConnectOptions::new(...). ... 
.password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - sqlx::mysql::MySqlConnectOptions::new(...). ... .password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - sqlx::postgres::PgConnectOptions::new(...). ... .password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - $PgConnectOptions::new(...). ... 
.password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^PgConnectOptions::new$ - - has: - kind: arguments - - $MySqlConnectOptions::new(...). ... 
.password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - - has: - kind: arguments - - $MySqlConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - $PgConnectOption::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^PgConnectOption::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - sqlx::postgres::PgConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - PgConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - MySqlConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: 
let_declaration - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - - has: - kind: arguments - - let $OPTS = sqlx::postgres::PgConnectOptions::new(...): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - not: - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: 
let_declaration - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - not: - has: - kind: string_content - 
-rule: - any: - - matches: MySqlConnectOptions::new(...). ... .password("") - - matches: PgConnectOptions::new(...). ... .password("") - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("") - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("") - - matches: $PgConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: $PgConnectOption::new(...). ... .password("")_with_Instance - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance \ No newline at end of file diff --git a/rules/rust/security/hardcoded-password-rust.yml b/rules/rust/security/hardcoded-password-rust.yml deleted file mode 100644 index 21161486..00000000 --- a/rules/rust/security/hardcoded-password-rust.yml +++ /dev/null 
@@ -1,1036 +0,0 @@ -id: hardcoded-password-rust -language: rust -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798]: Use of Hard-coded Credentials - [REFERENCES] - - https://docs.rs/sqlx/latest/sqlx/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -ast-grep-essentials: true -utils: - - MySqlConnectOptions::new(...). ... .password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - PgConnectOptions::new(...). ... 
.password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - sqlx::mysql::MySqlConnectOptions::new(...). ... .password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - sqlx::postgres::PgConnectOptions::new(...). ... .password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - $PgConnectOptions::new(...). ... 
.password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^PgConnectOptions::new$ - - has: - kind: arguments - - $MySqlConnectOptions::new(...). ... 
.password(""): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - - has: - kind: arguments - - $MySqlConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - $PgConnectOption::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $INSTANCE - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $INSTANCE - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - all: - - has: - kind: scoped_identifier - regex: ^PgConnectOption::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - sqlx::postgres::PgConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - PgConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: identifier - regex: ^PgConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres$ - - has: - kind: use_list - has: - kind: identifier - regex: ^PgConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - MySqlConnectOptions::new(...). ... 
.password("")_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: scoped_identifier - regex: ^MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: use_declaration - has: - kind: scoped_identifier - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - kind: use_declaration - has: - kind: scoped_use_list - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql$ - - has: - kind: use_list - has: - kind: identifier - regex: ^MySqlConnectOptions$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: let_declaration - all: - - 
has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - - has: - kind: arguments - - let $OPTS = sqlx::postgres::PgConnectOptions::new(...): - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: let_declaration - all: - - has: - kind: 
identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::postgres::PgConnectOptions::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance: - kind: call_expression - all: - - has: - kind: field_expression - all: - - has: - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - kind: identifier - nthChild: 1 - pattern: $SQL - - has: - kind: field_identifier - regex: ^password$ - - has: - kind: arguments - has: - kind: identifier - pattern: $STR - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - precedes: - kind: arguments - - has: - kind: arguments - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $SQL - - has: - kind: call_expression - all: - - has: - kind: scoped_identifier - regex: ^sqlx::mysql::MySqlConnectOptions::new$ - - has: - kind: arguments - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $STR - - has: - kind: string_literal - has: - kind: string_content - -rule: - any: - - matches: MySqlConnectOptions::new(...). ... 
.password("") - - matches: PgConnectOptions::new(...). ... .password("") - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("") - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("") - - matches: $PgConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("") - - matches: $MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: $PgConnectOption::new(...). ... .password("")_with_Instance - - matches: sqlx::postgres::PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: sqlx::mysql::MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: PgConnectOptions::new(...). ... .password("")_with_Instance - - matches: MySqlConnectOptions::new(...). ... .password("")_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...) - - matches: let $OPTS = sqlx::postgres::PgConnectOptions::new(...)_with_Instance - - matches: let $OPTS = sqlx::mysql::MySqlConnectOptions::new(...)_with_Instance \ No newline at end of file diff --git a/rules/rust/security/postgres-empty-password-rust.yml b/rules/rust/security/postgres-empty-password-rust.yml deleted file mode 100644 index ad36d0db..00000000 --- a/rules/rust/security/postgres-empty-password-rust.yml +++ /dev/null 
@@ -1,291 +0,0 @@ -id: postgres-empty-password-rust -language: rust -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://docs.rs/postgres/latest/postgres/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -ast-grep-essentials: true -utils: - MATCH_PATTERN_WITH_INSTANCE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string_literal - not: - has: - stopBy: neighbor - kind: string_content - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: postgres::Config::new() - - MATCH_PASSWORD_DIRECTLY: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: 
call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: neighbor - kind: call_expression - pattern: postgres::Config::new() - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: string_literal - not: - has: - stopBy: neighbor - kind: string_content - - MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: neighbor - kind: call_expression - pattern: postgres::Config::new() - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: identifier - pattern: $E - - inside: - stopBy: end - kind: let_declaration - follows: - stopby: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string_literal - not: - has: - stopBy: end - kind: string_content - - MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression 
- all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: identifier - pattern: $Z - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: postgres::Config::new() - - inside: - stopBy: end - kind: block - has: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $Z - - has: - stopBy: neighbor - kind: string_literal - not: - has: - stopBy: neighbor - kind: string_content - -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_WITH_INSTANCE - - matches: MATCH_PASSWORD_DIRECTLY - - matches: MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE - - matches: MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE diff --git a/rules/rust/security/reqwest-accept-invalid-rust.yml b/rules/rust/security/reqwest-accept-invalid-rust.yml deleted file mode 100644 index f7fdd0c1..00000000 --- a/rules/rust/security/reqwest-accept-invalid-rust.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -id: reqwest-accept-invalid-rust -language: rust -severity: warning -message: >- - Dangerously accepting invalid TLS -note: >- - [CWE-295]: Improper Certificate - [REFERENCES] - - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames - - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs -ast-grep-essentials: true -utils: - match_call_expression: - kind: call_expression - any: - - pattern: $CLIENT.danger_accept_invalid_hostnames(true) - - pattern: $CLIENT.danger_accept_invalid_certs(true) -rule: - any: - - matches: match_call_expression -constraints: - CLIENT: - regex: '^reqwest::Client::builder\(\)' diff --git a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml b/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml deleted file mode 100644 index 4f703ca4..00000000 --- a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml +++ /dev/null 
@@ -1,302 +0,0 @@ -id: secrets-reqwest-hardcoded-auth-rust -language: rust -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company polic -note: >- - [CWE-798]: Use of Hard-coded Credentials - [REFERENCES] - - https://docs.rs/reqwest/latest/reqwest/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -ast-grep-essentials: true -utils: - MATCH_PATTERN_ONE.basic_auth: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: field_identifier - regex: ^basic_auth$ - - has: - stopBy: end - kind: arguments - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - has: - stopBy: neighbor - kind: call_expression - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^Some$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: reqwest::Client::new($$$) - # - inside: - # stopBy: end - # kind: block - - - MATCH_PATTERN_TWO.bearer_auth: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: field_identifier - regex: ^bearer_auth$ - - inside: - 
stopBy: end - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: reqwest::Client::new($$$) - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string_literal - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - has: - stopBy: neighbor - kind: string_content - not: - has: - nthChild: 2 - - not: - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^Some$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: identifier - - MATCH_PATTERN_ONE.basic_auth_Instance: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: field_identifier - regex: ^basic_auth$ - - has: - stopBy: end - kind: arguments - not: - has: - nthChild: - position: 3 - ofRule: - not: - kind: line_comment - has: - stopBy: neighbor - kind: call_expression - nthChild: - position: 2 - ofRule: - not: - kind: line_comment - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^Some$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: identifier - pattern: $PASSWORD - - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: reqwest::Client::new($$$) - - follows: - stopBy: end - kind: let_declaration - all: - - has: - kind: identifier - pattern: $PASSWORD - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - kind: block - - MATCH_PATTERN_TWO.bearer_auth_Instance: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - 
- has: - stopBy: end - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: field_identifier - regex: ^bearer_auth$ - - inside: - stopBy: end - all: - - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: reqwest::Client::new($$$) - - follows: - stopBy: end - kind: let_declaration - all: - - has: - kind: identifier - pattern: $PASSWORD - nthChild: 1 - - has: - kind: string_literal - has: - kind: string_content - - inside: - stopBy: end - kind: block - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: identifier - pattern: $PASS - nthChild: - position: 1 - ofRule: - not: - kind: line_comment - not: - has: - nthChild: 2 - - -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_ONE.basic_auth - - matches: MATCH_PATTERN_TWO.bearer_auth - - matches: MATCH_PATTERN_ONE.basic_auth_Instance - - matches: MATCH_PATTERN_TWO.bearer_auth_Instance - not: - all: - - has: - stopBy: end - kind: ERROR - - inside: - stopBy: end - kind: ERROR diff --git a/rules/rust/security/ssl-verify-none-rust.yml b/rules/rust/security/ssl-verify-none-rust.yml deleted file mode 100644 index 7fb9e280..00000000 --- a/rules/rust/security/ssl-verify-none-rust.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -id: ssl-verify-none-rust -language: rust -severity: warning -message: >- - SSL verification disabled, this allows for MitM attacks -note: >- - [CWE-295]: Improper Certificate Validation - [REFERENCES] - - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify -ast-grep-essentials: true -rule: - kind: call_expression - any: - - pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE) - inside: - stopBy: end - follows: - stopBy: end - kind: use_declaration - any: - - pattern: use openssl; - - pattern: use openssl::ssl; - - pattern: use openssl::ssl::SSL_VERIFY_NONE; - - all: - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: identifier - regex: ^SSL_VERIFY_NONE$ - - has: - stopBy: end - kind: scoped_identifier - regex: ^openssl::ssl$ - - - pattern: $BUILDER.set_verify(ssl::SSL_VERIFY_NONE) - inside: - stopBy: end - follows: - stopBy: end - kind: use_declaration - any: - - pattern: use openssl::ssl; - - pattern: use openssl::ssl::SSL_VERIFY_NONE; - - all: - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: identifier - regex: ^SSL_VERIFY_NONE$ - - has: - stopBy: end - kind: scoped_identifier - regex: ^openssl::ssl$ - - - pattern: $BUILDER.set_verify(SSL_VERIFY_NONE) - inside: - stopBy: end - follows: - stopBy: end - kind: use_declaration - any: - - pattern: use openssl; - - pattern: use openssl::ssl; - - pattern: use openssl::ssl::SSL_VERIFY_NONE; - - all: - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: identifier - regex: ^SSL_VERIFY_NONE$ - - has: - stopBy: end - kind: scoped_identifier - regex: ^openssl::ssl$ - - - pattern: $BUILDER.set_verify($ALIAS) - inside: - stopBy: end - follows: - stopBy: end - kind: use_declaration - any: - - pattern: use openssl::ssl::SSL_VERIFY_NONE as $ALIAS; - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: use_as_clause - all: - - has: - kind: identifier - field: path - pattern: SSL_VERIFY_NONE - - has: - 
kind: identifier - field: alias - pattern: $ALIAS - - - pattern: $BUILDER.set_verify(openssl::ssl::SSL_VERIFY_NONE) diff --git a/rules/rust/security/tokio-postgres-empty-password-rust.yml b/rules/rust/security/tokio-postgres-empty-password-rust.yml deleted file mode 100644 index 98686b07..00000000 --- a/rules/rust/security/tokio-postgres-empty-password-rust.yml +++ /dev/null 
@@ -1,246 +0,0 @@ -id: tokio-postgres-empty-password-rust -language: rust -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://docs.rs/tokio-postgres/latest/tokio_postgres/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures - -ast-grep-essentials: true -utils: - MATCH_FOLLOW_1: - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $CONFIG - - has: - kind: call_expression - regex: ^tokio_postgres::Config::new\(\)$ - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $CONFIG - - has: - kind: call_expression - regex: ^Config::new\(\)$ - any: - - follows: - stopBy: end - kind: use_declaration - has: - stopBy: end - kind: scoped_identifier - regex: ^tokio_postgres::Config$ - - inside: - stopBy: end - follows: - stopBy: end - kind: use_declaration - has: - stopBy: end - kind: scoped_identifier - regex: ^tokio_postgres::Config$ - -rule: - kind: call_expression - not: - has: - stopBy: end - kind: ERROR - any: - # CONFIG IS DIRECT AND PWD IS DIRECT - - all: - - has: - stopBy: end - kind: scoped_identifier - regex: ^tokio_postgres::Config::new()$ - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string_literal - not: - has: - kind: string_content - nthChild: 1 - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression - # CONFIG IS DIRECT AND PWD IS INSTANCE - - all: - - has: - stopBy: end - kind: scoped_identifier - regex: 
^tokio_postgres::Config::new()$ - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: identifier - pattern: $PASSWORD - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - has: - kind: identifier - pattern: $PASSWORD - precedes: - stopBy: end - kind: string_literal - not: - has: - kind: string_content - - kind: expression_statement - has: - kind: assignment_expression - has: - kind: identifier - pattern: $PASSWORD - precedes: - stopBy: end - kind: string_literal - not: - has: - kind: string_content - - nthChild: 1 - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression - # CONFIG IS INSTANCE AND PWD IS DIRECT - - all: - - has: - stopBy: end - kind: identifier - pattern: $CONFIG - any: - - inside: - stopBy: end - matches: MATCH_FOLLOW_1 - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string_literal - not: - has: - kind: string_content - nthChild: 1 - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression - # CONFIG IS INSTANCE AND PWD IS INSTANCE - - all: - - has: - stopBy: end - kind: identifier - pattern: $CONFIG - any: - - inside: - stopBy: end - matches: MATCH_FOLLOW_1 - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: identifier - pattern: $PASSWORD - nthChild: 1 - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - not: - has: - kind: string_content - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - not: 
- has: - kind: string_content - - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression diff --git a/rules/rust/security/tokio-postgres-hardcoded-password-rust.yml b/rules/rust/security/tokio-postgres-hardcoded-password-rust.yml deleted file mode 100644 index e7f5f414..00000000 --- a/rules/rust/security/tokio-postgres-hardcoded-password-rust.yml +++ /dev/null 
@@ -1,239 +0,0 @@ -id: tokio-postgres-hardcoded-password-rust -language: rust -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://docs.rs/tokio-postgres/latest/tokio_postgres/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -ast-grep-essentials: true -utils: - MATCH_FOLLOW_1: - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $CONFIG - - has: - kind: call_expression - regex: ^tokio_postgres::Config::new\(\)$ - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $CONFIG - - has: - kind: call_expression - regex: ^Config::new\(\)$ - any: - - follows: - stopBy: end - kind: use_declaration - has: - stopBy: end - kind: scoped_identifier - regex: ^tokio_postgres::Config$ - - inside: - stopBy: end - follows: - stopBy: end - kind: use_declaration - has: - stopBy: end - kind: scoped_identifier - regex: ^tokio_postgres::Config$ - -rule: - kind: call_expression - not: - has: - stopBy: end - kind: ERROR - any: - # CONFIG IS DIRECT AND PWD IS DIRECT - - all: - - has: - stopBy: end - kind: scoped_identifier - regex: ^tokio_postgres::Config::new()$ - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string_literal - has: - kind: string_content - nthChild: 1 - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression - # CONFIG IS DIRECT AND PWD IS INSTANCE - - all: - - has: - stopBy: end - kind: scoped_identifier - regex: 
^tokio_postgres::Config::new()$ - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: identifier - pattern: $PASSWORD - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - has: - kind: identifier - pattern: $PASSWORD - precedes: - stopBy: end - kind: string_literal - has: - kind: string_content - - kind: expression_statement - has: - kind: assignment_expression - has: - kind: identifier - pattern: $PASSWORD - precedes: - stopBy: end - kind: string_literal - has: - kind: string_content - - nthChild: 1 - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression - # CONFIG IS INSTANCE AND PWD IS DIRECT - - all: - - has: - stopBy: end - kind: identifier - pattern: $CONFIG - any: - - inside: - stopBy: end - matches: MATCH_FOLLOW_1 - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string_literal - has: - kind: string_content - nthChild: 1 - all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression - # CONFIG IS INSTANCE AND PWD IS INSTANCE - - all: - - has: - stopBy: end - kind: identifier - pattern: $CONFIG - any: - - inside: - stopBy: end - matches: MATCH_FOLLOW_1 - - has: - kind: field_expression - regex: \.password$ - nthChild: 1 - - has: - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: identifier - pattern: $PASSWORD - nthChild: 1 - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: let_declaration - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_content - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $PASSWORD - - has: - kind: string_literal - has: - kind: string_content - - 
all: - - not: - has: - stopBy: end - nthChild: 2 - - not: - has: - stopBy: end - any: - - kind: block - - kind: array_expression diff --git a/rules/scala/security/jwt-scala-hardcode-scala.yml b/rules/scala/security/jwt-scala-hardcode-scala.yml deleted file mode 100644 index 3c7ea471..00000000 --- a/rules/scala/security/jwt-scala-hardcode-scala.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -id: jwt-scala-hardcode-scala -language: scala -severity: warning -message: >- - Hardcoded JWT secret or private key is used. This is a Insufficiently - Protected Credentials weakness: - https://cwe.mitre.org/data/definitions/522.html Consider using an - appropriate security mechanism to protect the credentials (e.g. keeping - secrets in environment variables). -note: >- - [CWE-522] Insufficiently Protected Credentials. - [REFERENCES] - - https://jwt-scala.github.io/jwt-scala/ - -ast-grep-essentials: true - -utils: - PATTERN: - kind: call_expression - all: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - regex: ^import pdi.jwt.* - - has: - kind: field_expression - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(Jwt|JwtArgonaut|JwtCirce|JwtJson4s|JwtJson|JwtUpickle)$ - - has: - kind: identifier - nthChild: 2 - regex: ^(encode|decode|decodeRawAll|decodeRaw|decodeAll|validate|isValid|decodeJson|decodeJsonAll)$ - - has: - kind: arguments - has: - kind: string - not: - regex: ^""$ - nthChild: - position: 2 - ofRule: - not: - kind: comment - - PATTERN_with_Instance: - kind: call_expression - all: - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - regex: ^import pdi.jwt.* - - has: - kind: field_expression - all: - - has: - kind: identifier - nthChild: 1 - regex: ^(Jwt|JwtArgonaut|JwtCirce|JwtJson4s|JwtJson|JwtUpickle)$ - - has: - kind: identifier - nthChild: 2 - regex: ^(encode|decode|decodeRawAll|decodeRaw|decodeAll|validate|isValid|decodeJson|decodeJsonAll)$ - - has: - kind: arguments - any: - - has: - kind: field_expression - all: - - has: - nthChild: 1 - regex: ^this$ - - has: - nthChild: 2 - kind: identifier - pattern: $STRG - - has: - kind: identifier - pattern: $STRG - nthChild: - position: 2 - ofRule: - not: - kind: comment - - inside: - stopBy: end - follows: - stopBy: end - kind: val_definition - all: - - has: - kind: identifier - field: pattern - pattern: $STRG - # nthChild: 
1 - - has: - kind: string - field: value - # nthChild: 2 - not: - regex: ^""$ - - inside: - stopBy: end - any: - - kind: object_definition - - kind: class_definition - -rule: - kind: call_expression - any: - - matches: PATTERN - - matches: PATTERN_with_Instance diff --git a/rules/scala/security/scala-jwt-hardcoded-secret-scala.yml b/rules/scala/security/scala-jwt-hardcoded-secret-scala.yml deleted file mode 100644 index 20b710c2..00000000 --- a/rules/scala/security/scala-jwt-hardcoded-secret-scala.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -id: scala-jwt-hardcoded-secret-scala -severity: warning -language: scala -message: >- - Hardcoded JWT secret or private key is used. This is a Insufficiently - Protected Credentials weakness: - https://cwe.mitre.org/data/definitions/522.html Consider using an - appropriate security mechanism to protect the credentials (e.g. keeping - secrets in environment variables). -note: >- - [CWE-522] Insufficiently Protected Credentials. - [REFERENCES] - - https://owasp.org/Top10/A04_2021-Insecure_Design - -ast-grep-essentials: true - -utils: - call_expression_HMAC256: - kind: call_expression - all: - - has: - kind: field_expression - nthChild: 1 - all: - - has: - kind: identifier - field: value - nthChild: 1 - regex: ^(Algorithm)$ - - has: - kind: identifier - field: field - nthChild: 2 - regex: ^(HMAC256)$ - - has: - kind: arguments - nthChild: 2 - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - kind: identifier - pattern: $STRG - - call_expression_HMAC256_no_import: - kind: call_expression - all: - - has: - kind: field_expression - nthChild: 1 - regex: ^(com\.auth0\.jwt\.algorithms\.Algorithm\.(HMAC256|HMAC512|HMAC384))$ - - has: - kind: arguments - nthChild: 2 - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - kind: identifier - pattern: $STRG - -rule: - any: - - kind: call_expression - all: - - has: - kind: field_expression - nthChild: 1 - regex: ^(com.auth0.jwt.algorithms.Algorithm.HMAC256|com.auth0.jwt.algorithms.Algorithm.HMAC384|com.auth0.jwt.algorithms.Algorithm.HMAC512)$ - precedes: - kind: arguments - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - has: - nthChild: - position: 1 - ofRule: - not: - kind: comment - kind: string - not: - regex: ^""$ - - kind: call_expression - all: - - has: - kind: field_expression - regex: ^(Algorithm.HMAC256|Algorithm.HMAC384|Algorithm.HMAC512)$ - precedes: - kind: arguments - has: - kind: string - nthChild: - position: 1 - ofRule: - not: - kind: comment 
- not: - regex: ^""$ - not: - has: - nthChild: - position: 2 - ofRule: - not: - kind: comment - - inside: - stopBy: end - follows: - stopBy: end - kind: import_declaration - pattern: import com.auth0.jwt.algorithms.Algorithm - - kind: class_definition - has: - kind: template_body - has: - any: - - kind: val_definition - - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $STRG - - has: - nthChild: 2 - kind: string - not: - regex: ^""$ - - precedes: - stopBy: end - kind: function_definition - has: - kind: block - has: - any: - - matches: call_expression_HMAC256 - - kind: val_definition - has: - nthChild: 2 - matches: call_expression_HMAC256 - - follows: - stopBy: end - kind: import_declaration - pattern: import com.auth0.jwt.algorithms.Algorithm - - kind: class_definition - has: - kind: template_body - has: - any: - - kind: val_definition - - kind: assignment_expression - all: - - has: - nthChild: 1 - kind: identifier - pattern: $STRG - - has: - nthChild: 2 - kind: string - not: - regex: ^""$ - - precedes: - stopBy: end - kind: function_definition - has: - kind: block - has: - any: - - matches: call_expression_HMAC256_no_import - - kind: val_definition - has: - nthChild: 2 - matches: call_expression_HMAC256_no_import diff --git a/rules/swift/security/aes-hardcoded-secret-swift.yml b/rules/swift/security/aes-hardcoded-secret-swift.yml deleted file mode 100644 index 29918e62..00000000 --- a/rules/swift/security/aes-hardcoded-secret-swift.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -id: aes-hardcoded-secret-swift -severity: warning -language: swift -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - match_pattern_try_expression_directly: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^AES$ - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^AES$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - stopBy: neighbor - kind: line_string_literal - has: - kind: line_str_text - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - match_pattern_AES_statement_directly: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^AES$ - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^AES$' - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: line_string_literal - has: - stopBy: end - kind: line_str_text - - not: - inside: - stopBy: end - kind: try_expression - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - 
inside: - kind: function_declaration - - match_pattern_AES_expression_with_instance: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^AES$ - all: - - has: - kind: simple_identifier - regex: '^AES$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - inside: - stopBy: neighbor - kind: try_expression - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_try_expression_with_instance: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^AES$ - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^AES$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: 
neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_try_expression_with_utf8: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^AES$ - has: - stopBy: end - kind: call_expression - all: - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - has: - stopBy: end - kind: simple_identifier - regex: '^AES$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_AES_expression_with_utf8: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^AES$ - all: - - not: - inside: - kind: function_declaration - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: try_expression - - has: - stopBy: neighbor - kind: simple_identifier - regex: '^AES$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - -rule: - any: - - kind: try_expression - any: - - matches: match_pattern_try_expression_directly - - matches: match_pattern_try_expression_with_instance - - matches: match_pattern_try_expression_with_utf8 - - - kind: call_expression - any: - - matches: match_pattern_AES_statement_directly - - matches: match_pattern_AES_expression_with_instance 
- - matches: match_pattern_AES_expression_with_utf8 - -constraints: - SECRET: - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - field: text - diff --git a/rules/swift/security/blowfish-hardcoded-secret-swift.yml b/rules/swift/security/blowfish-hardcoded-secret-swift.yml deleted file mode 100644 index 735078a9..00000000 --- a/rules/swift/security/blowfish-hardcoded-secret-swift.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -id: blowfish-hardcoded-secret-swift -severity: warning -language: swift -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - match_pattern_try_expression_directly: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Blowfish$ - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^Blowfish$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - stopBy: neighbor - kind: line_string_literal - has: - kind: line_str_text - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - match_pattern_Blowfish_statement_directly: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Blowfish$ - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^Blowfish$' - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: line_string_literal - has: - stopBy: end - kind: line_str_text - - not: - inside: - stopBy: end - kind: try_expression - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: 
throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_Blowfish_expression_with_instance: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Blowfish$ - all: - - has: - kind: simple_identifier - regex: '^Blowfish$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - inside: - stopBy: neighbor - kind: try_expression - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_try_expression_with_instance: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Blowfish$ - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^Blowfish$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: 
simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_try_expression_with_utf8: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Blowfish$ - has: - stopBy: end - kind: call_expression - all: - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - has: - stopBy: end - kind: simple_identifier - regex: '^Blowfish$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_Blowfish_expression_with_utf8: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Blowfish$ - all: - - not: - inside: - kind: function_declaration - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: try_expression - - has: - stopBy: neighbor - kind: simple_identifier - regex: '^Blowfish$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - -rule: - any: - - kind: try_expression - any: - - matches: match_pattern_try_expression_directly - - matches: match_pattern_try_expression_with_instance - - matches: match_pattern_try_expression_with_utf8 - - - kind: call_expression - any: - - matches: 
match_pattern_Blowfish_statement_directly
- - matches: match_pattern_Blowfish_expression_with_instance
- - matches: match_pattern_Blowfish_expression_with_utf8
-
-constraints:
- SECRET:
- kind: line_string_literal
- has:
- stopBy: neighbor
- kind: line_str_text
- field: text
-
diff --git a/rules/swift/security/chacha20-hardcoded-secret-swift.yml b/rules/swift/security/chacha20-hardcoded-secret-swift.yml
deleted file mode 100644
index 8544ac12..00000000
--- a/rules/swift/security/chacha20-hardcoded-secret-swift.yml
+++ /dev/null
@@ -1,358 +0,0 @@ -id: chacha20-hardcoded-secret-swift -severity: warning -language: swift -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - match_pattern_try_expression_directly: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^ChaCha20$ - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^ChaCha20$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - stopBy: neighbor - kind: line_string_literal - has: - kind: line_str_text - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - match_pattern_ChaCha20_statement_directly: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^ChaCha20$ - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^ChaCha20$' - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: line_string_literal - has: - stopBy: end - kind: line_str_text - - not: - inside: - stopBy: end - kind: try_expression - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: 
throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_ChaCha20_expression_with_instance: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^ChaCha20$ - all: - - has: - kind: simple_identifier - regex: '^ChaCha20$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - inside: - stopBy: neighbor - kind: try_expression - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_try_expression_with_instance: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^ChaCha20$ - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^ChaCha20$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: 
simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_try_expression_with_utf8: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^ChaCha20$ - has: - stopBy: end - kind: call_expression - all: - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - has: - stopBy: end - kind: simple_identifier - regex: '^ChaCha20$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_ChaCha20_expression_with_utf8: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^ChaCha20$ - all: - - not: - inside: - kind: function_declaration - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: try_expression - - has: - stopBy: neighbor - kind: simple_identifier - regex: '^ChaCha20$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - -rule: - any: - - kind: try_expression - any: - - matches: match_pattern_try_expression_directly - - matches: match_pattern_try_expression_with_instance - - matches: match_pattern_try_expression_with_utf8 - - - kind: call_expression - any: - - matches: 
match_pattern_ChaCha20_statement_directly
- - matches: match_pattern_ChaCha20_expression_with_instance
- - matches: match_pattern_ChaCha20_expression_with_utf8
-
-constraints:
- SECRET:
- kind: line_string_literal
- has:
- stopBy: neighbor
- kind: line_str_text
- field: text
-
-
diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml
deleted file mode 100644
index 87c9b2cf..00000000
--- a/rules/swift/security/insecure-biometrics-swift.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-id: insecure-biometrics-swift
-language: swift
-severity: info
-message: >-
- The application was observed to leverage biometrics via Local
- Authentication, which returns a simple boolean result for authentication.
- This design is subject to bypass with runtime tampering tools such as
- Frida, Substrate, and others. Although this is limited to rooted
- (jailbroken) devices, consider implementing biometric authentication the
- reliable way - via Keychain Services.
-note: >-
- [CWE-305] Authentication Bypass by Primary Weakness
- [REFERENCES]
- - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication
- - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df
-
-ast-grep-essentials: true
-
-rule:
- any:
- - kind: navigation_expression
- pattern: $X.evaluatePolicy
- not:
- has:
- stopBy: end
- kind: tuple_expression
- has:
- nthChild: 2
-
- - kind: navigation_expression
- has:
- kind: navigation_suffix
- regex: \.evaluatePolicy$
- nthChild:
- position: 1
- reverse: true
- not:
- has:
- stopBy: end
- kind: tuple_expression
- has:
- nthChild: 2
-
- - pattern: ".evaluatePolicy"
-
- not:
- has:
- stopBy: end
- kind: ERROR
diff --git a/rules/swift/security/rabbit-hardcoded-secret-swift.yml b/rules/swift/security/rabbit-hardcoded-secret-swift.yml
deleted file mode 100644
index 89fdf0ee..00000000
--- a/rules/swift/security/rabbit-hardcoded-secret-swift.yml
+++ /dev/null
@@ -1,357 +0,0 @@ -id: rabbit-hardcoded-secret-swift -severity: warning -language: swift -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - match_pattern_try_expression_directly: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Rabbit$ - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^Rabbit$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - stopBy: neighbor - kind: line_string_literal - has: - kind: line_str_text - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - match_pattern_Rabbit_statement_directly: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Rabbit$ - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^Rabbit$' - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: line_string_literal - has: - stopBy: end - kind: line_str_text - - not: - inside: - stopBy: end - kind: try_expression - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: 
throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_Rabbit_expression_with_instance: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Rabbit$ - all: - - has: - kind: simple_identifier - regex: '^Rabbit$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - inside: - stopBy: neighbor - kind: try_expression - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - kind: function_declaration - - match_pattern_try_expression_with_instance: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Rabbit$ - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - kind: simple_identifier - regex: '^Rabbit$' - - has: - kind: call_suffix - has: - kind: value_arguments - has: - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: '^key$' - - has: - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - any: - - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier 
- pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - inside: - stopBy: end - follows: - stopBy: end - kind: property_declaration - all: - - has: - kind: pattern - has: - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_try_expression_with_utf8: - kind: try_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Rabbit$ - has: - stopBy: end - kind: call_expression - all: - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - has: - stopBy: end - kind: simple_identifier - regex: '^Rabbit$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - - match_pattern_Rabbit_expression_with_utf8: - kind: call_expression - not: - inside: - stopBy: end - kind: call_expression - has: - kind: simple_identifier - regex: ^Rabbit$ - all: - - not: - inside: - kind: function_declaration - - not: - follows: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: throw_keyword - - not: - inside: - stopBy: end - kind: try_expression - - has: - stopBy: neighbor - kind: simple_identifier - regex: '^Rabbit$' - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: ^key$ - - has: - stopBy: end - kind: call_expression - pattern: Array($SECRET.utf8) - -rule: - any: - - kind: try_expression - any: - - matches: match_pattern_try_expression_directly - - matches: match_pattern_try_expression_with_instance - - matches: match_pattern_try_expression_with_utf8 - - - kind: call_expression - any: - - matches: match_pattern_Rabbit_statement_directly - - 
matches: match_pattern_Rabbit_expression_with_instance
- - matches: match_pattern_Rabbit_expression_with_utf8
-
-constraints:
- SECRET:
- kind: line_string_literal
- has:
- stopBy: neighbor
- kind: line_str_text
- field: text
-
diff --git a/rules/typescript/security/detect-angular-sce-disabled-typescript.yml b/rules/typescript/security/detect-angular-sce-disabled-typescript.yml
deleted file mode 100644
index 8c533e35..00000000
--- a/rules/typescript/security/detect-angular-sce-disabled-typescript.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-id: detect-angular-sce-disabled-typescript
-language: typescript
-severity: warning
-message: >-
- $sceProvider is set to false. Disabling Strict Contextual escaping
- (SCE) in an AngularJS application could provide additional attack surface
- for XSS vulnerabilities.
-note: >-
- [CWE-79] Improper Neutralization of Input During Web Page Generation.
- [REFERENCES]
- - https://docs.angularjs.org/api/ng/service/$sce
- - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
-ast-grep-essentials: true
-rule:
- kind: expression_statement
- regex: ^\$sceProvider
- has:
- kind: call_expression
- stopBy: end
- all:
- - has:
- kind: member_expression
- nthChild: 1
- all:
- - has:
- kind: identifier
- regex: ^\$sceProvider$
- - has:
- kind: property_identifier
- regex: ^enabled$
- precedes:
- kind: arguments
- has:
- kind: "false"
- nthChild: 1
- not:
- has:
- nthChild: 2
diff --git a/rules/typescript/security/express-session-hardcoded-secret-typescript.yml b/rules/typescript/security/express-session-hardcoded-secret-typescript.yml
deleted file mode 100644
index f2f8e624..00000000
--- a/rules/typescript/security/express-session-hardcoded-secret-typescript.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -id: express-session-hardcoded-secret-typescript -language: typescript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -rule: - kind: pair - all: - - has: - kind: property_identifier - regex: ^secret$ - nthChild: 1 - - has: - kind: string - nthChild: 2 - inside: - stopBy: end - kind: object - pattern: $OBJECT - any: - - inside: - stopBy: end - kind: call_expression - pattern: $APP.use($SESSION($OBJECT)) - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: import_statement - all: - - has: - kind: import_clause - any: - - has: - kind: namespace_import - has: - kind: identifier - pattern: $SESSION - - has: - kind: named_imports - has: - kind: import_specifier - pattern: $SESSION - - has: - kind: identifier - pattern: $SESSION - - has: - kind: string - nthChild: 2 - regex: ^'express-session'$ - - any: - - kind: lexical_declaration - all: - - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $SESSION - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - regex: ^require\('express-session'\)$ - - kind: expression_statement - has: - kind: assignment_expression - all: - - has: - kind: identifier - pattern: $SESSION - nthChild: 1 - - has: - kind: call_expression - nthChild: 2 - regex: ^require\('express-session'\)$ - - - inside: - stopBy: end - - any: - - kind: lexical_declaration - - any: - - kind: expression_statement - - kind: assignment_expression - not: - follows: - kind: ERROR - - 
kind: variable_declaration
- has:
- stopBy: end
- any:
- - kind: variable_declarator
- - kind: assignment_expression
- has:
- kind: identifier
- pattern: $IDENTIFIER
- any:
- - precedes:
- stopBy: end
- kind: object
- pattern: $OBJECT
- - precedes:
- stopBy: end
- has:
- stopBy: end
- kind: object
- pattern: $OBJECT
- - inside:
- stopBy: end
- precedes:
- stopBy: end
- has:
- stopBy: end
- kind: object
- pattern: $OBJECT
- precedes:
- stopBy: end
- has:
- stopBy: end
- kind: call_expression
- pattern: $APP.use($SESSION($IDENTIFIER))
- has:
- stopBy: end
- kind: identifier
- pattern: $IDENTIFIER
- inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: import_statement
- all:
- - has:
- kind: import_clause
- any:
- - has:
- kind: namespace_import
- has:
- kind: identifier
- pattern: $SESSION
- - has:
- kind: named_imports
- has:
- kind: import_specifier
- pattern: $SESSION
- - has:
- kind: identifier
- pattern: $SESSION
- - has:
- kind: string
- nthChild: 2
- regex: ^'express-session'$
- - any:
- - any:
- - kind: lexical_declaration
- - kind: variable_declaration
- all:
- - has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $SESSION
- nthChild: 1
- - has:
- kind: call_expression
- nthChild: 2
- all:
- - has:
- nthChild: 1
- kind: identifier
- regex: ^require$
- - has:
- nthChild: 2
- kind: arguments
- regex: ^\('express-session'\)$
- - kind: expression_statement
- has:
- kind: assignment_expression
- all:
- - has:
- kind: identifier
- pattern: $SESSION
- nthChild: 1
- - has:
- kind: call_expression
- nthChild: 2
- all:
- - has:
- nthChild: 1
- kind: identifier
- regex: ^require$
- - has:
- nthChild: 2
- kind: arguments
- regex: ^\('express-session'\)$
diff --git a/rules/typescript/security/jwt-simple-noverify-typescript.yml b/rules/typescript/security/jwt-simple-noverify-typescript.yml
deleted file mode 100644
index e2d8d4c0..00000000
--- a/rules/typescript/security/jwt-simple-noverify-typescript.yml
+++ /dev/null
@@ -1,116 +0,0 @@
-id: jwt-simple-noverify-typescript
-language: TypeScript
-severity: warning
-message: >-
- "Detected the decoding of a JWT token without a verify step. JWT tokens
- must be verified before use, otherwise the token's integrity is unknown.
- This means a malicious actor could forge a JWT token with any claims. Set
- 'verify' to `true` before using the token."
-note: >-
- [CWE-287] Improper Authentication
- [CWE-345] Insufficient Verification of Data Authenticity
- [CWE-347] Improper Verification of Cryptographic Signature
- [REFERENCES]
- - https://www.npmjs.com/package/jwt-simple
- - https://cwe.mitre.org/data/definitions/287
- - https://cwe.mitre.org/data/definitions/345
- - https://cwe.mitre.org/data/definitions/347
-ast-grep-essentials: true
-rule:
- pattern: $JWT.decode($TOKEN, $SECRET, $NOVERIFY $$$)
- inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - any:
- - kind: lexical_declaration
- - kind: variable_declaration
- all:
- - has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $JWT
- nthChild: 1
- - has:
- kind: call_expression
- nthChild: 2
- all:
- - has:
- nthChild: 1
- kind: identifier
- regex: ^require$
- - has:
- nthChild: 2
- kind: arguments
- has:
- stopBy: end
- kind: string
- nthChild: 1
- has:
- kind: string_fragment
- regex: ^jwt-simple$
- all:
- - not:
- has:
- nthChild: 2
- - not:
- has:
- stopBy: end
- any:
- - kind: object
- - kind: array
- - kind: pair
-
- - kind: expression_statement
- has:
- kind: assignment_expression
- all:
- - has:
- kind: identifier
- pattern: $JWT
- nthChild: 1
- - has:
- kind: call_expression
- nthChild: 2
- all:
- - has:
- nthChild: 1
- kind: identifier
- regex: ^require$
- - has:
- nthChild: 2
- kind: arguments
- has:
- stopBy: end
- kind: string
- has:
- kind: string_fragment
- regex: ^jwt-simple$
-
-constraints:
- NOVERIFY:
- all:
- - any:
- - any:
- - regex: ^true$
- - kind: string
- - kind: template_string
- - has:
- stopBy: end
- any:
- - regex: ^true$
- -
kind: string
- - kind: template_string
- not:
- any:
- - kind: property_identifier
- - kind: shorthand_property_identifier
- - any:
- - kind: string
- - kind: template_string
- nthChild: 1
- inside:
- kind: pair
diff --git a/rules/typescript/security/node-rsa-weak-key-typescript.yml b/rules/typescript/security/node-rsa-weak-key-typescript.yml
deleted file mode 100644
index 53054884..00000000
--- a/rules/typescript/security/node-rsa-weak-key-typescript.yml
+++ /dev/null
@@ -1,1490 +0,0 @@ -id: node-rsa-weak-key-typescript -language: typescript -severity: warning -message: >- - Use of RSA-$BITS, which is considered weak. Based on NIST standards, - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -ast-grep-essentials: true -utils: - PATTERN_require("crypto"): - pattern: $NUMBER - all: - - inside: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: member_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: neighbor - kind: arguments - all: - - has: - stopBy: neighbor - kind: string - regex: ^"rsa"$ - - has: - stopBy: neighbor - kind: object - all: - - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^modulusLength$ - - has: - stopBy: neighbor - pattern: $NUMBER - - inside: - stopBy: neighbor - kind: pair - not: - follows: - stopBy: end - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^modulusLength$ - - inside: - stopBy: end - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $CRYPTO - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - 
stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $CRYPTO - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: 
assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - PATTERN_require("crypto")_pattern_2: - pattern: $NUMBER - all: - - inside: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: neighbor - kind: property_identifier - regex: ^promisify$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: member_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: neighbor - kind: arguments - all: - - has: - stopBy: neighbor - kind: string - regex: ^"rsa"$ - - has: - stopBy: neighbor - kind: object - all: - - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^modulusLength$ - - has: - stopBy: neighbor - pattern: $NUMBER - - inside: - stopBy: neighbor - kind: pair - not: - follows: - stopBy: end - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^modulusLength$ - - inside: - stopBy: end - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: 
- - has: - stopBy: neighbor - kind: import_clause - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $CRYPTO - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $CRYPTO - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: 
- stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $CRYPTO - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^crypto$ - not: - inside: - stopBy: end - kind: array - - PATTERN_require("node-rsa"): - pattern: $NUMBER - all: - - inside: - stopBy: end - kind: new_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^b$ - - has: - stopBy: neighbor - pattern: $NUMBER - - inside: - stopBy: end - kind: pair - all: - - not: - follows: - stopBy: end - kind: pair - has: - stopBy: neighbor - kind: property_identifier - regex: ^b$ - - not: - has: - stopBy: end - kind: computed_property_name - - inside: - stopBy: neighbor - kind: object - all: - - not: - follows: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - has: - stopBy: neighbor - kind: property_identifier - regex: ^b$ - - not: - precedes: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - has: - stopBy: neighbor - kind: property_identifier - regex: ^b$ - - not: - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - has: - stopBy: neighbor - kind: property_identifier - regex: ^b$ - - not: - inside: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - has: - stopBy: neighbor - kind: property_identifier - regex: ^b$ - - inside: - stopBy: end - any: - - follows: - stopBy: end - kind: 
import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $NODERSA - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $NODERSA - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: 
string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-rsa$ - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODERSA - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-rsa$ - not: - inside: - stopBy: end - kind: array - - PATTERN_require("node-forge"): - pattern: $NUMBER - all: - - inside: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: member_expression - all: - - has: - stopBy: neighbor - kind: member_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $FORGE - nthChild: 1 - - has: - stopBy: neighbor - kind: property_identifier - nthChild: 2 - regex: ^rsa$ - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: neighbor - kind: arguments - all: - - has: - 
stopBy: neighbor - pattern: $NUMBER - - not: - follows: - stopBy: end - pattern: $NUMBER - - not: - has: - stopBy: end - nthChild: 2 - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $FORGE = $NODEFORGE.pki; - - pattern: const $FORGE = $NODEFORGE.pki; - - pattern: var $FORGE = $NODEFORGE.pki; - - pattern: $FORGE = $NODEFORGE.pki.rsa; - - pattern: const $FORGE = $NODEFORGE.pki.rsa; - - pattern: var $FORGE = $NODEFORGE.pki.rsa; - - inside: - stopBy: end - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $NODEFORGE - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $NODEFORGE - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - 
kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forgeo$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-forge$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-forge$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-forge$ - not: - inside: - stopBy: end - kind: array - - inside: - stopBy: neighbor - kind: arguments - not: - has: - all: - - kind: array - - 
PATTERN_require("node-forge")_pattern_2: - pattern: $NUMBER - all: - - inside: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: member_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $FORGE - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: neighbor - kind: arguments - all: - - has: - stopBy: neighbor - kind: object - all: - - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: ^bits$ - - has: - stopBy: neighbor - pattern: $NUMBER - - not: - follows: - stopBy: end - kind: pair - has: - stopBy: end - kind: property_identifier - regex: ^bits$ - - not: - follows: - stopBy: end - kind: pair - has: - stopBy: end - kind: property_identifier - regex: ^bits$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $FORGE = $NODEFORGE.pki - - pattern: const $FORGE = $NODEFORGE.pki - - pattern: var $FORGE = $NODEFORGE.pki - - pattern: $FORGE = $NODEFORGE.pki.rsa - - pattern: const $FORGE = $NODEFORGE.pki.rsa - - pattern: var $FORGE = $NODEFORGE.pki.rsa - - inside: - stopBy: end - kind: object - not: - has: - all: - - kind: array - - inside: - stopBy: end - kind: pair - not: - follows: - stopBy: end - kind: pair - has: - stopBy: end - kind: property_identifier - regex: ^bits$ - - inside: - stopBy: end - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $NODEFORGE - - not: - has: - stopBy: neighbor - 
nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - all: - - has: - stopBy: neighbor - kind: identifier - nthChild: 1 - pattern: $NODEFORGE - - not: - has: - stopBy: neighbor - nthChild: 2 - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forge$ - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: ^node-forgeo$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-forge$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: 
identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-forge$ - not: - inside: - stopBy: end - kind: array - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $NODEFORGE - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^require$ - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: end - kind: string_fragment - regex: ^node-forge$ - not: - inside: - stopBy: end - kind: array - -rule: - any: - - kind: number - any: - - matches: PATTERN_require("crypto") - - matches: PATTERN_require("crypto")_pattern_2 - - matches: PATTERN_require("node-rsa") - - matches: PATTERN_require("node-forge") - - matches: PATTERN_require("node-forge")_pattern_2 - - kind: unary_expression - any: - - matches: PATTERN_require("crypto") - - matches: PATTERN_require("crypto")_pattern_2 - - matches: PATTERN_require("node-rsa") - - matches: PATTERN_require("node-forge") - - matches: PATTERN_require("node-forge")_pattern_2 - - kind: binary_expression - any: - - matches: PATTERN_require("crypto") - - matches: PATTERN_require("crypto")_pattern_2 - - matches: PATTERN_require("node-rsa") - - matches: PATTERN_require("node-forge") - - matches: PATTERN_require("node-forge")_pattern_2 -constraints: - NUMBER: - regex: ^([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|([+-]?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|[+-]?(\.[0-9]+)|([+-]?\.[0-9]+\/[1-9][0-9]*))$ 
diff --git a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml b/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
deleted file mode 100644
index a9a5acbe..00000000
--- a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
+++ /dev/null
@@ -1,173 +0,0 @@ -id: node-sequelize-empty-password-argument-typescript -language: typescript -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - Match_pattern_directly: - kind: string - all: - - not: - has: - kind: string_fragment - - nthChild: - position: 3 - ofRule: - not: - kind: comment - - inside: - kind: arguments - all: - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - inside: - kind: new_expression - all: - - has: - kind: identifier - pattern: $SQL - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $SQL = require('sequelize'); - - pattern: const $SQL = require('sequelize'); - - pattern: var $SQL = require('sequelize'); - - pattern: let $SQL = require('sequelize'); - - pattern: import $SQL from 'sequelize'; - - pattern: import * as $SQL from 'sequelize'; - - kind: import_statement - all: - - has: - kind: import_clause - has: - stopBy: end - pattern: $SQL - - has: - kind: string - has: - kind: string_fragment - regex: ^sequelize$ - - not: - inside: - stopBy: end - kind: enum_declaration - - Match_pattern_with_Instance: - kind: identifier - pattern: $PASS - all: - - nthChild: - position: 3 - ofRule: - not: - kind: comment - - inside: - kind: arguments - all: - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 4 - ofRule: - not: - 
kind: comment - - inside: - kind: new_expression - all: - - has: - kind: identifier - pattern: $SQL - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $SQL = require('sequelize'); - - pattern: const $SQL = require('sequelize'); - - pattern: var $SQL = require('sequelize'); - - pattern: let $SQL = require('sequelize'); - - pattern: import $SQL from 'sequelize'; - - pattern: import * as $SQL from 'sequelize'; - - kind: import_statement - all: - - has: - kind: import_clause - has: - stopBy: end - pattern: $SQL - - has: - kind: string - has: - kind: string_fragment - regex: ^sequelize$ - - inside: - stopBy: end - follows: - stopBy: end - any: - - kind: lexical_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - - has: - any: - - kind: template_string - regex: ^``$ - - kind: string - not: - has: - kind: string_fragment - - kind: variable_declaration - has: - kind: variable_declarator - all: - - has: - kind: identifier - pattern: $PASS - - has: - kind: string - not: - has: - kind: string_fragment - - not: - inside: - stopBy: end - kind: enum_declaration -rule: - any: - - matches: Match_pattern_directly - - matches: Match_pattern_with_Instance \ No newline at end of file diff --git a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml b/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml deleted file mode 100644 index 8e80b2cd..00000000 --- a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml +++ /dev/null 
@@ -1,158 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-typescript -language: typescript -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -ast-grep-essentials: true -utils: - Match_pattern_directly: - kind: string - all: - - has: - kind: string_fragment - - nthChild: - position: 3 - ofRule: - not: - kind: comment - - inside: - kind: arguments - all: - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - inside: - kind: new_expression - all: - - has: - kind: identifier - pattern: $SQL - - any: - - inside: - stopBy: end - follows: - stopBy: end - any: - - pattern: $SQL = require('sequelize'); - - pattern: const $SQL = require('sequelize'); - - pattern: var $SQL = require('sequelize'); - - pattern: let $SQL = require('sequelize'); - - pattern: import $SQL from 'sequelize'; - - pattern: import * as $SQL from 'sequelize'; - - kind: import_statement - all: - - has: - kind: import_clause - has: - stopBy: end - pattern: $SQL - - has: - kind: string - has: - kind: string_fragment - regex: ^sequelize$ - - not: - inside: - stopBy: end - kind: enum_declaration - - Match_pattern_with_Instance: - kind: identifier - pattern: $PASS - all: - - nthChild: - position: 3 - ofRule: - not: - kind: comment - - inside: - kind: arguments - all: - - not: - has: - nthChild: - position: 5 - ofRule: - not: - kind: comment - - has: - nthChild: - position: 4 - ofRule: - not: - kind: comment - - inside: - kind: 
new_expression
- all:
- - has:
- kind: identifier
- pattern: $SQL
- - any:
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - pattern: $SQL = require('sequelize');
- - pattern: const $SQL = require('sequelize');
- - pattern: var $SQL = require('sequelize');
- - pattern: let $SQL = require('sequelize');
- - pattern: import $SQL from 'sequelize';
- - pattern: import * as $SQL from 'sequelize';
- - kind: import_statement
- all:
- - has:
- kind: import_clause
- has:
- stopBy: end
- pattern: $SQL
- - has:
- kind: string
- has:
- kind: string_fragment
- regex: ^sequelize$
- - inside:
- stopBy: end
- follows:
- stopBy: end
- any:
- - kind: lexical_declaration
- not:
- has:
- regex: ^let$
- has:
- kind: variable_declarator
- all:
- - has:
- kind: identifier
- pattern: $PASS
- - has:
- kind: string
- has:
- kind: string_fragment
- - not:
- inside:
- stopBy: end
- kind: enum_declaration
-rule:
- any:
- - matches: Match_pattern_directly
- - matches: Match_pattern_with_Instance
\ No newline at end of file
diff --git a/sgconfig.yml b/sgconfig.yml
deleted file mode 100644
index 861e99e5..00000000
--- a/sgconfig.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-ruleDirs:
- - rules
-utilDirs:
- - utils
-testConfigs:
- - testDir: tests
\ No newline at end of file
diff --git a/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml
deleted file mode 100644
index 21a87d48..00000000
--- a/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml
+++ /dev/null
@@ -1,184 +0,0 @@ -id: aes-hardcoded-secret-swift -snapshots: - ? | - AES(key: "hello", iv: "123") - : labels: - - source: 'AES(key: "hello", iv: "123")' - style: primary - start: 0 - end: 28 - - source: AES - style: secondary - start: 0 - end: 3 - - source: key - style: secondary - start: 4 - end: 7 - - source: hello - style: secondary - start: 10 - end: 15 - - source: '"hello"' - style: secondary - start: 9 - end: 16 - - source: 'key: "hello"' - style: secondary - start: 4 - end: 16 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 3 - end: 28 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 3 - end: 28 - ? | - let password: Array = Array("s33krit".utf8) - AES(key: password, iv: "123") - : labels: - - source: 'AES(key: password, iv: "123")' - style: primary - start: 51 - end: 80 - - source: AES - style: secondary - start: 51 - end: 54 - - source: key - style: secondary - start: 55 - end: 58 - - source: password - style: secondary - start: 60 - end: 68 - - source: 'key: password' - style: secondary - start: 55 - end: 68 - - source: '(key: password, iv: "123")' - style: secondary - start: 54 - end: 80 - - source: '(key: password, iv: "123")' - style: secondary - start: 54 - end: 80 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? 
| - let password: Array = Array("s33krit".utf8) - try AES(key: password, iv: "123") - : labels: - - source: 'try AES(key: password, iv: "123")' - style: primary - start: 51 - end: 84 - - source: AES - style: secondary - start: 55 - end: 58 - - source: key - style: secondary - start: 59 - end: 62 - - source: password - style: secondary - start: 64 - end: 72 - - source: 'key: password' - style: secondary - start: 59 - end: 72 - - source: '(key: password, iv: "123")' - style: secondary - start: 58 - end: 84 - - source: '(key: password, iv: "123")' - style: secondary - start: 58 - end: 84 - - source: 'AES(key: password, iv: "123")' - style: secondary - start: 55 - end: 84 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? | - try AES(key: "hello", iv: "123") - : labels: - - source: 'try AES(key: "hello", iv: "123")' - style: primary - start: 0 - end: 32 - - source: AES - style: secondary - start: 4 - end: 7 - - source: key - style: secondary - start: 8 - end: 11 - - source: hello - style: secondary - start: 14 - end: 19 - - source: '"hello"' - style: secondary - start: 13 - end: 20 - - source: 'key: "hello"' - style: secondary - start: 8 - end: 20 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 7 - end: 32 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 7 - end: 32 - - source: 'AES(key: "hello", iv: "123")' - style: secondary - start: 4 - end: 32 diff --git a/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml b/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml deleted file mode 100644 index 7c22130f..00000000 --- a/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: avoid-bind-to-all-interfaces-go -snapshots: - ? | - l, err := net.Listen("tcp", "0.0.0.0:2000") - : labels: - - source: net.Listen("tcp", "0.0.0.0:2000") - style: primary - start: 10 - end: 43 - ? | - l, err := net.Listen("tcp", ":2000") - : labels: - - source: net.Listen("tcp", ":2000") - style: primary - start: 10 - end: 36 diff --git a/tests/__snapshots__/avoid-mktemp-python-snapshot.yml b/tests/__snapshots__/avoid-mktemp-python-snapshot.yml deleted file mode 100644 index 50822287..00000000 --- a/tests/__snapshots__/avoid-mktemp-python-snapshot.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: avoid-mktemp-python -snapshots: - ? | - from tempfile import mktemp - ff = mktemp() - : labels: - - source: mktemp() - style: primary - start: 33 - end: 41 - - source: mktemp - style: secondary - start: 33 - end: 39 - - source: () - style: secondary - start: 39 - end: 41 - - source: tempfile - style: secondary - start: 5 - end: 13 - - source: tempfile - style: secondary - start: 5 - end: 13 - - source: mktemp - style: secondary - start: 21 - end: 27 - - source: mktemp - style: secondary - start: 21 - end: 27 - - source: from tempfile import mktemp - style: secondary - start: 0 - end: 27 - - source: ff = mktemp() - style: secondary - start: 28 - end: 41 diff --git a/tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml b/tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml deleted file mode 100644 index da08aa56..00000000 --- a/tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: avoid_app_run_with_bad_host-python -snapshots: - ? | - app.run(host="0.0.0.0") - app.run("0.0.0.0") - : labels: - - source: app.run(host="0.0.0.0") - style: primary - start: 0 - end: 23 - - source: app - style: secondary - start: 0 - end: 3 - - source: run - style: secondary - start: 4 - end: 7 - - source: app.run - style: secondary - start: 0 - end: 7 - - source: host - style: secondary - start: 8 - end: 12 - - source: '"0.0.0.0"' - style: secondary - start: 13 - end: 22 - - source: = - style: secondary - start: 12 - end: 13 - - source: host="0.0.0.0" - style: secondary - start: 8 - end: 22 - - source: (host="0.0.0.0") - style: secondary - start: 7 - end: 23 diff --git a/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml deleted file mode 100644 index b9482edc..00000000 --- a/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -id: blowfish-hardcoded-secret-swift -snapshots: - 'Blowfish(key: "hello", iv: "123")': - labels: - - source: 'Blowfish(key: "hello", iv: "123")' - style: primary - start: 0 - end: 33 - - source: Blowfish - style: secondary - start: 0 - end: 8 - - source: key - style: secondary - start: 9 - end: 12 - - source: hello - style: secondary - start: 15 - end: 20 - - source: '"hello"' - style: secondary - start: 14 - end: 21 - - source: 'key: "hello"' - style: secondary - start: 9 - end: 21 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 8 - end: 33 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 8 - end: 33 - ? | - Blowfish(key: "hello", iv: "123") - : labels: - - source: 'Blowfish(key: "hello", iv: "123")' - style: primary - start: 0 - end: 33 - - source: Blowfish - style: secondary - start: 0 - end: 8 - - source: key - style: secondary - start: 9 - end: 12 - - source: hello - style: secondary - start: 15 - end: 20 - - source: '"hello"' - style: secondary - start: 14 - end: 21 - - source: 'key: "hello"' - style: secondary - start: 9 - end: 21 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 8 - end: 33 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 8 - end: 33 - ? 
|- - let password: Array = Array("s33krit".utf8) - Blowfish(key: password, iv: "123") - : labels: - - source: 'Blowfish(key: password, iv: "123")' - style: primary - start: 51 - end: 85 - - source: Blowfish - style: secondary - start: 51 - end: 59 - - source: key - style: secondary - start: 60 - end: 63 - - source: password - style: secondary - start: 65 - end: 73 - - source: 'key: password' - style: secondary - start: 60 - end: 73 - - source: '(key: password, iv: "123")' - style: secondary - start: 59 - end: 85 - - source: '(key: password, iv: "123")' - style: secondary - start: 59 - end: 85 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? | - let password: Array = Array("s33krit".utf8) - try Blowfish(key: password, iv: "123") - : labels: - - source: 'try Blowfish(key: password, iv: "123")' - style: primary - start: 51 - end: 89 - - source: Blowfish - style: secondary - start: 55 - end: 63 - - source: key - style: secondary - start: 64 - end: 67 - - source: password - style: secondary - start: 69 - end: 77 - - source: 'key: password' - style: secondary - start: 64 - end: 77 - - source: '(key: password, iv: "123")' - style: secondary - start: 63 - end: 89 - - source: '(key: password, iv: "123")' - style: secondary - start: 63 - end: 89 - - source: 'Blowfish(key: password, iv: "123")' - style: secondary - start: 55 - end: 89 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 
36 - end: 43 - ? | - try Blowfish(key: "hello", iv: "123") - : labels: - - source: 'try Blowfish(key: "hello", iv: "123")' - style: primary - start: 0 - end: 37 - - source: Blowfish - style: secondary - start: 4 - end: 12 - - source: key - style: secondary - start: 13 - end: 16 - - source: hello - style: secondary - start: 19 - end: 24 - - source: '"hello"' - style: secondary - start: 18 - end: 25 - - source: 'key: "hello"' - style: secondary - start: 13 - end: 25 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 12 - end: 37 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 12 - end: 37 - - source: 'Blowfish(key: "hello", iv: "123")' - style: secondary - start: 4 - end: 37 diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml deleted file mode 100644 index 89c27d11..00000000 --- a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: cbc-padding-oracle-java -snapshots: - ? | - Cipher.getInstance("AES/CBC/PKCS5Padding"); - : labels: - - source: Cipher.getInstance("AES/CBC/PKCS5Padding") - style: primary - start: 0 - end: 42 diff --git a/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml deleted file mode 100644 index bb3255a8..00000000 --- a/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml +++ /dev/null 
@@ -1,184 +0,0 @@ -id: chacha20-hardcoded-secret-swift -snapshots: - ? | - ChaCha20(key: "hello", iv: "123") - : labels: - - source: 'ChaCha20(key: "hello", iv: "123")' - style: primary - start: 0 - end: 33 - - source: ChaCha20 - style: secondary - start: 0 - end: 8 - - source: key - style: secondary - start: 9 - end: 12 - - source: hello - style: secondary - start: 15 - end: 20 - - source: '"hello"' - style: secondary - start: 14 - end: 21 - - source: 'key: "hello"' - style: secondary - start: 9 - end: 21 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 8 - end: 33 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 8 - end: 33 - ? |- - let password: Array = Array("s33krit".utf8) - ChaCha20(key: password, iv: "123") - : labels: - - source: 'ChaCha20(key: password, iv: "123")' - style: primary - start: 51 - end: 85 - - source: ChaCha20 - style: secondary - start: 51 - end: 59 - - source: key - style: secondary - start: 60 - end: 63 - - source: password - style: secondary - start: 65 - end: 73 - - source: 'key: password' - style: secondary - start: 60 - end: 73 - - source: '(key: password, iv: "123")' - style: secondary - start: 59 - end: 85 - - source: '(key: password, iv: "123")' - style: secondary - start: 59 - end: 85 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? 
| - let password: Array = Array("s33krit".utf8) - try ChaCha20(key: password, iv: "123") - : labels: - - source: 'try ChaCha20(key: password, iv: "123")' - style: primary - start: 51 - end: 89 - - source: ChaCha20 - style: secondary - start: 55 - end: 63 - - source: key - style: secondary - start: 64 - end: 67 - - source: password - style: secondary - start: 69 - end: 77 - - source: 'key: password' - style: secondary - start: 64 - end: 77 - - source: '(key: password, iv: "123")' - style: secondary - start: 63 - end: 89 - - source: '(key: password, iv: "123")' - style: secondary - start: 63 - end: 89 - - source: 'ChaCha20(key: password, iv: "123")' - style: secondary - start: 55 - end: 89 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? | - try ChaCha20(key: "hello", iv: "123") - : labels: - - source: 'try ChaCha20(key: "hello", iv: "123")' - style: primary - start: 0 - end: 37 - - source: ChaCha20 - style: secondary - start: 4 - end: 12 - - source: key - style: secondary - start: 13 - end: 16 - - source: hello - style: secondary - start: 19 - end: 24 - - source: '"hello"' - style: secondary - start: 18 - end: 25 - - source: 'key: "hello"' - style: secondary - start: 13 - end: 25 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 12 - end: 37 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 12 - end: 37 - - source: 'ChaCha20(key: "hello", iv: "123")' - style: secondary - start: 4 - end: 37 diff --git a/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml b/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml deleted file mode 100644 index c1460483..00000000 
--- a/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: cookie-httponly-false-java -snapshots: - ? |2 - - @RequestMapping(value = "/cookie4", method = "GET") - public void explicitDisable(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(false); - cookie.setHttpOnly(false); - response.addCookie(cookie); - } - : labels: - - source: cookie.setHttpOnly(false); - style: primary - start: 223 - end: 249 diff --git a/tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml b/tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml deleted file mode 100644 index aa712115..00000000 --- a/tests/__snapshots__/cookie-missing-httponly-java-snapshot.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: cookie-missing-httponly-java -snapshots: - ? | - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - response.addCookie(cookie); - } - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - response.addCookie(cookie); - } - : labels: - - source: response.addCookie(cookie); - style: primary - start: 187 - end: 214 diff --git a/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml b/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml deleted file mode 100644 index dc3df37f..00000000 --- a/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -id: cookie-missing-samesite-java -snapshots: - ? | - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); - } - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - response.setHeader("Set-Cookie", "key=value; HttpOnly;"); - } - : labels: - - source: response.addCookie(cookie); - style: primary - start: 255 - end: 282 diff --git a/tests/__snapshots__/cookie-missing-secure-flag-java-snapshot.yml b/tests/__snapshots__/cookie-missing-secure-flag-java-snapshot.yml deleted file mode 100644 index 7eb55ce5..00000000 --- a/tests/__snapshots__/cookie-missing-secure-flag-java-snapshot.yml +++ /dev/null @@ -1,35 +0,0 @@ -id: cookie-missing-secure-flag-java -snapshots: - ? | - public class CookieController { - - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - response.addCookie(cookie); - } - : labels: - - source: response.addCookie(cookie); - style: primary - start: 220 - end: 247 - - source: response - style: secondary - start: 220 - end: 228 - - source: addCookie - style: secondary - start: 229 - end: 238 - - source: cookie - style: secondary - start: 239 - end: 245 - - source: (cookie) - style: secondary - start: 238 - end: 246 - - source: response.addCookie(cookie) - style: secondary - start: 220 - end: 246 diff --git a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml deleted file mode 100644 index b4c1bec6..00000000 --- a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: cookie-secure-flag-false-java -snapshots: - ? | - cookie.setSecure(false); - : labels: - - source: cookie.setSecure(false); - style: primary - start: 0 - end: 24 diff --git a/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml b/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml deleted file mode 100644 index a21740f8..00000000 --- a/tests/__snapshots__/datanucleus-hardcoded-connection-password-java-snapshot.yml +++ /dev/null 
@@ -1,145 +0,0 @@ -id: datanucleus-hardcoded-connection-password-java -snapshots: - ? |- - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - public class PeopleTest { - JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - private String pw = "asdf"; - public void setUp() throws SQLException { - pmf.setConnectionPassword(pw); - } - } - : labels: - - source: setConnectionPassword - style: primary - start: 237 - end: 258 - - source: pw - style: secondary - start: 259 - end: 261 - - source: (pw) - style: secondary - start: 258 - end: 262 - - source: pmf - style: secondary - start: 233 - end: 236 - - source: pmf.setConnectionPassword(pw) - style: secondary - start: 233 - end: 262 - - source: JDOPersistenceManagerFactory - style: secondary - start: 87 - end: 115 - - source: pmf - style: secondary - start: 116 - end: 119 - - source: pmf = new JDOPersistenceManagerFactory(props) - style: secondary - start: 116 - end: 161 - - source: JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - style: secondary - start: 87 - end: 162 - - source: JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - style: secondary - start: 87 - end: 162 - - source: pw - style: secondary - start: 178 - end: 180 - - source: asdf - style: secondary - start: 184 - end: 188 - - source: '"asdf"' - style: secondary - start: 183 - end: 189 - - source: pw = "asdf" - style: secondary - start: 178 - end: 189 - - source: private String pw = "asdf"; - style: secondary - start: 163 - end: 190 - - source: private String pw = "asdf"; - style: secondary - start: 163 - end: 190 - - source: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - style: secondary - start: 0 - end: 60 - - source: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - style: secondary - start: 0 - end: 60 - ? 
| - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - public class PeopleTest { - JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - public void setUp() throws SQLException { - pmf.setConnectionPassword("asdf"); - } - } - : labels: - - source: setConnectionPassword - style: primary - start: 209 - end: 230 - - source: asdf - style: secondary - start: 232 - end: 236 - - source: '"asdf"' - style: secondary - start: 231 - end: 237 - - source: ("asdf") - style: secondary - start: 230 - end: 238 - - source: pmf - style: secondary - start: 205 - end: 208 - - source: pmf.setConnectionPassword("asdf") - style: secondary - start: 205 - end: 238 - - source: JDOPersistenceManagerFactory - style: secondary - start: 87 - end: 115 - - source: pmf - style: secondary - start: 116 - end: 119 - - source: pmf = new JDOPersistenceManagerFactory(props) - style: secondary - start: 116 - end: 161 - - source: JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - style: secondary - start: 87 - end: 162 - - source: JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - style: secondary - start: 87 - end: 162 - - source: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - style: secondary - start: 0 - end: 60 - - source: import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - style: secondary - start: 0 - end: 60 diff --git a/tests/__snapshots__/debug-enabled-python-snapshot.yml b/tests/__snapshots__/debug-enabled-python-snapshot.yml deleted file mode 100644 index 6e09f677..00000000 --- a/tests/__snapshots__/debug-enabled-python-snapshot.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -id: debug-enabled-python -snapshots: - ? |- - from flask import Flask - if __name__ == "__main__": - app.run("0.0.0.0", debug=True) - : labels: - - source: app.run("0.0.0.0", debug=True) - style: primary - start: 51 - end: 81 - - source: app - style: secondary - start: 51 - end: 54 - - source: run - style: secondary - start: 55 - end: 58 - - source: app.run - style: secondary - start: 51 - end: 58 - - source: debug=True - style: secondary - start: 70 - end: 80 - - source: ("0.0.0.0", debug=True) - style: secondary - start: 58 - end: 81 - - source: Flask - style: secondary - start: 18 - end: 23 - - source: Flask - style: secondary - start: 18 - end: 23 - - source: from flask import Flask - style: secondary - start: 0 - end: 23 - - source: app.run("0.0.0.0", debug=True) - style: secondary - start: 51 - end: 81 diff --git a/tests/__snapshots__/des-is-deprecated-java-snapshot.yml b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml deleted file mode 100644 index 35070ef2..00000000 --- a/tests/__snapshots__/des-is-deprecated-java-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: des-is-deprecated-java -snapshots: - ? | - Cipher.getInstance("DES/ECB/PKCS5Padding"); - : labels: - - source: Cipher.getInstance("DES/ECB/PKCS5Padding") - style: primary - start: 0 - end: 42 diff --git a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml deleted file mode 100644 index ebce9bbf..00000000 --- a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: des-is-deprecated-kotlin -snapshots: - ? | - Cipher.getInstance("DES/ECB/PKCS5Padding"); - : labels: - - source: Cipher.getInstance("DES/ECB/PKCS5Padding") - style: primary - start: 0 - end: 42 diff --git a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml deleted file mode 100644 index ad0b4da0..00000000 
--- a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml +++ /dev/null @@ -1,56 +0,0 @@ -id: desede-is-deprecated-java -snapshots: - ? | - Cipher c = Cipher.getInstance("kDESede/ECB/PKCS5Padding"); - c.init(Cipher.ENCRYPT_MODE, k, iv); - : labels: - - source: Cipher.getInstance("kDESede/ECB/PKCS5Padding") - style: primary - start: 11 - end: 57 - - source: Cipher - style: secondary - start: 11 - end: 17 - - source: getInstance - style: secondary - start: 18 - end: 29 - - source: '"kDESede/ECB/PKCS5Padding"' - style: secondary - start: 30 - end: 56 - - source: ("kDESede/ECB/PKCS5Padding") - style: secondary - start: 29 - end: 57 - ? "javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance(\"DES\").generateKey(); \n" - : labels: - - source: javax.crypto.KeyGenerator.getInstance("DES") - style: primary - start: 29 - end: 73 - - source: KeyGenerator - style: secondary - start: 42 - end: 54 - - source: javax.crypto.KeyGenerator - style: secondary - start: 29 - end: 54 - - source: getInstance - style: secondary - start: 55 - end: 66 - - source: DES - style: secondary - start: 68 - end: 71 - - source: '"DES"' - style: secondary - start: 67 - end: 72 - - source: ("DES") - style: secondary - start: 66 - end: 73 diff --git a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml deleted file mode 100644 index 6e003d03..00000000 --- a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -id: desede-is-deprecated-kotlin -snapshots: - ? | - Cipher c = Cipher.getInstance("kDESede/ECB/PKCS5Padding"); - c.init(Cipher.ENCRYPT_MODE, k, iv); - : labels: - - source: Cipher.getInstance("kDESede/ECB/PKCS5Padding") - style: primary - start: 11 - end: 57 - - source: Cipher - style: secondary - start: 11 - end: 17 - - source: getInstance - style: secondary - start: 18 - end: 29 - - source: .getInstance - style: secondary - start: 17 - end: 29 - - source: Cipher.getInstance - style: secondary - start: 11 - end: 29 - - source: '"kDESede/ECB/PKCS5Padding"' - style: secondary - start: 30 - end: 56 - - source: '"kDESede/ECB/PKCS5Padding"' - style: secondary - start: 30 - end: 56 - - source: ("kDESede/ECB/PKCS5Padding") - style: secondary - start: 29 - end: 57 - - source: ("kDESede/ECB/PKCS5Padding") - style: secondary - start: 29 - end: 57 - ? "javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance(\"DES\").generateKey(); \n" - : labels: - - source: javax.crypto.KeyGenerator.getInstance("DES") - style: primary - start: 29 - end: 73 - - source: javax - style: secondary - start: 29 - end: 34 - - source: KeyGenerator - style: secondary - start: 42 - end: 54 - - source: .KeyGenerator - style: secondary - start: 41 - end: 54 - - source: javax.crypto.KeyGenerator - style: secondary - start: 29 - end: 54 - - source: getInstance - style: secondary - start: 55 - end: 66 - - source: .getInstance - style: secondary - start: 54 - end: 66 - - source: javax.crypto.KeyGenerator.getInstance - style: secondary - start: 29 - end: 66 - - source: '"DES"' - style: secondary - start: 67 - end: 72 - - source: '"DES"' - style: secondary - start: 67 - end: 72 - - source: ("DES") - style: secondary - start: 66 - end: 73 - - source: ("DES") - style: secondary - start: 66 - end: 73 
diff --git a/tests/__snapshots__/detect-angular-sce-disabled-javascript-snapshot.yml b/tests/__snapshots__/detect-angular-sce-disabled-javascript-snapshot.yml deleted file mode 100644 index 809d3ff2..00000000 --- a/tests/__snapshots__/detect-angular-sce-disabled-javascript-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: detect-angular-sce-disabled-javascript -snapshots: - ? | - $sceProvider.enabled(false); - : labels: - - source: $sceProvider.enabled(false); - style: primary - start: 0 - end: 28 diff --git a/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml b/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml deleted file mode 100644 index 09fcd42c..00000000 --- a/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -id: detect-angular-sce-disabled-typescript -snapshots: - $sceProvider.enabled(false)(false);: - labels: - - source: $sceProvider.enabled(false)(false); - style: primary - start: 0 - end: 35 - - source: $sceProvider - style: secondary - start: 0 - end: 12 - - source: enabled - style: secondary - start: 13 - end: 20 - - source: 'false' - style: secondary - start: 21 - end: 26 - - source: (false) - style: secondary - start: 20 - end: 27 - - source: $sceProvider.enabled - style: secondary - start: 0 - end: 20 - - source: $sceProvider.enabled(false) - style: secondary - start: 0 - end: 27 - ? | - $sceProvider.enabled(false).someFunction(true).anything("anything"); - : labels: - - source: $sceProvider.enabled(false).someFunction(true).anything("anything"); - style: primary - start: 0 - end: 68 - - source: $sceProvider - style: secondary - start: 0 - end: 12 - - source: enabled - style: secondary - start: 13 - end: 20 - - source: 'false' - style: secondary - start: 21 - end: 26 - - source: (false) - style: secondary - start: 20 - end: 27 - - source: $sceProvider.enabled - style: secondary - start: 0 - end: 20 - - source: $sceProvider.enabled(false) - style: secondary - start: 0 - end: 27 - ? | - $sceProvider.enabled(false); - : labels: - - source: $sceProvider.enabled(false); - style: primary - start: 0 - end: 28 - - source: $sceProvider - style: secondary - start: 0 - end: 12 - - source: enabled - style: secondary - start: 13 - end: 20 - - source: 'false' - style: secondary - start: 21 - end: 26 - - source: (false) - style: secondary - start: 20 - end: 27 - - source: $sceProvider.enabled - style: secondary - start: 0 - end: 20 - - source: $sceProvider.enabled(false) - style: secondary - start: 0 - end: 27 diff --git a/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml deleted file mode 100644 index 9d49ce7d..00000000 
--- a/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml +++ /dev/null @@ -1,70 +0,0 @@ -id: documentbuilderfactory-disallow-doctype-decl-false-java -snapshots: - ? | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - } - : labels: - - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - style: primary - start: 106 - end: 184 - - source: dbf - style: secondary - start: 106 - end: 109 - - source: setFeature - style: secondary - start: 110 - end: 120 - - source: '"http://apache.org/xml/features/disallow-doctype-decl"' - style: secondary - start: 121 - end: 175 - - source: 'false' - style: secondary - start: 177 - end: 182 - - source: ("http://apache.org/xml/features/disallow-doctype-decl", false) - style: secondary - start: 120 - end: 183 - - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false) - style: secondary - start: 106 - end: 183 - ? | - ParserConfigurationException { - SAXParserFactory spf = SAXParserFactory.newInstance(); - spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - } - : labels: - - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - style: primary - start: 94 - end: 172 - - source: spf - style: secondary - start: 94 - end: 97 - - source: setFeature - style: secondary - start: 98 - end: 108 - - source: '"http://apache.org/xml/features/disallow-doctype-decl"' - style: secondary - start: 109 - end: 163 - - source: 'false' - style: secondary - start: 165 - end: 170 - - source: ("http://apache.org/xml/features/disallow-doctype-decl", false) - style: secondary - start: 108 - end: 171 - - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false) - style: secondary - start: 94 - end: 171 
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml deleted file mode 100644 index 30e1dd6b..00000000 --- a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: documentbuilderfactory-external-general-entities-true-java -snapshots: - ? | - dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true); - spf.setFeature("http://xml.org/sax/features/external-general-entities" , true); - : labels: - - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true) - style: primary - start: 0 - end: 78 - - source: dbf - style: secondary - start: 0 - end: 3 - - source: setFeature - style: secondary - start: 4 - end: 14 - - source: '"http://xml.org/sax/features/external-general-entities"' - style: secondary - start: 15 - end: 70 - - source: 'true' - style: secondary - start: 73 - end: 77 - - source: ("http://xml.org/sax/features/external-general-entities" , true) - style: secondary - start: 14 - end: 78 diff --git a/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml deleted file mode 100644 index 4a5c5fc5..00000000 --- a/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: documentbuilderfactory-external-parameter-entities-true-java -snapshots: - ? | - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true); - spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true); - : labels: - - source: dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true) - style: primary - start: 0 - end: 80 - - source: dbf - style: secondary - start: 0 - end: 3 - - source: setFeature - style: secondary - start: 4 - end: 14 - - source: '"http://xml.org/sax/features/external-parameter-entities"' - style: secondary - start: 15 - end: 72 - - source: 'true' - style: secondary - start: 75 - end: 79 - - source: ("http://xml.org/sax/features/external-parameter-entities" , true) - style: secondary - start: 14 - end: 80 diff --git a/tests/__snapshots__/dont-call-system-c-snapshot.yml b/tests/__snapshots__/dont-call-system-c-snapshot.yml deleted file mode 100644 index 97ca6fda..00000000 --- a/tests/__snapshots__/dont-call-system-c-snapshot.yml +++ /dev/null @@ -1,45 +0,0 @@ -id: dont-call-system-c -snapshots: - ? | - void test_002(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - system(cmdbuf); - } - void test_001(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - if (len_wanted >= BUFFERSIZE) - { - /* Handle error */ - } - else if (len_wanted < 0) - { - /* Handle error */ - } - else if (system(cmdbuf) == -1) - { - /* Handle error */ - } - } - : labels: - - source: system(cmdbuf); - style: primary - start: 156 - end: 171 - - source: system - style: secondary - start: 156 - end: 162 - - source: (cmdbuf) - style: secondary - start: 162 - end: 170 - - source: system(cmdbuf) - style: secondary - start: 156 - end: 170 
diff --git a/tests/__snapshots__/dont-call-system-cpp-snapshot.yml b/tests/__snapshots__/dont-call-system-cpp-snapshot.yml deleted file mode 100644 index fca691e3..00000000 --- a/tests/__snapshots__/dont-call-system-cpp-snapshot.yml +++ /dev/null @@ -1,45 +0,0 @@ -id: dont-call-system-cpp -snapshots: - ? | - void test_002(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - system(cmdbuf); - } - void test_001(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - if (len_wanted >= BUFFERSIZE) - { - /* Handle error */ - } - else if (len_wanted < 0) - { - /* Handle error */ - } - else if (system(cmdbuf) == -1) - { - /* Handle error */ - } - } - : labels: - - source: system(cmdbuf); - style: primary - start: 156 - end: 171 - - source: system - style: secondary - start: 156 - end: 162 - - source: (cmdbuf) - style: secondary - start: 162 - end: 170 - - source: system(cmdbuf) - style: secondary - start: 156 - end: 170 diff --git a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml deleted file mode 100644 index 5ebcecc8..00000000 --- a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: drivermanager-hardcoded-secret-java -snapshots: - ? | - Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password"); - : labels: - - source: DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password") - style: primary - start: 17 - end: 101 - - source: DriverManager - style: secondary - start: 17 - end: 30 - - source: getConnection - style: secondary - start: 31 - end: 44 - - source: password - style: secondary - start: 91 - end: 99 - - source: '"password"' - style: secondary - start: 90 - end: 100 - - source: ("jdbc:oracle:thin:@localhost:1521:o92", "a", "password") - style: secondary - start: 44 - end: 101 diff --git a/tests/__snapshots__/ecb-cipher-java-snapshot.yml b/tests/__snapshots__/ecb-cipher-java-snapshot.yml deleted file mode 100644 index 2b611b24..00000000 --- a/tests/__snapshots__/ecb-cipher-java-snapshot.yml +++ /dev/null @@ -1,36 +0,0 @@ -id: ecb-cipher-java -snapshots: - Cipher c = Cipher.getInstance("AES/ECB/NoPadding");: - labels: - - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); - style: primary - start: 0 - end: 51 - - source: Cipher - style: secondary - start: 0 - end: 6 - - source: c - style: secondary - start: 7 - end: 8 - - source: getInstance - style: secondary - start: 18 - end: 29 - - source: '"AES/ECB/NoPadding"' - style: secondary - start: 30 - end: 49 - - source: ("AES/ECB/NoPadding") - style: secondary - start: 29 - end: 50 - - source: Cipher.getInstance("AES/ECB/NoPadding") - style: secondary - start: 11 - end: 50 - - source: c = Cipher.getInstance("AES/ECB/NoPadding") - style: secondary - start: 7 - end: 50 diff --git a/tests/__snapshots__/empty-password-rust-snapshot.yml b/tests/__snapshots__/empty-password-rust-snapshot.yml deleted file mode 100644 index 12bf0bbc..00000000 --- a/tests/__snapshots__/empty-password-rust-snapshot.yml +++ /dev/null 
@@ -1,179 +0,0 @@ -id: empty-password-rust -snapshots: - ? | - use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - async fn test1() -> Result<(), sqlx::Error> { - let conn = MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("") - .database("db") - .connect().await?; - - use_connection(conn); - Ok(()) - } - : labels: - - source: |- - MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("") - style: primary - start: 139 - end: 219 - - source: () - style: secondary - start: 163 - end: 165 - - source: MySqlConnectOptions::new - style: secondary - start: 139 - end: 163 - - source: |- - MySqlConnectOptions::new() - .host("localhost") - .username("root") - style: secondary - start: 139 - end: 204 - - source: password - style: secondary - start: 207 - end: 215 - - source: |- - MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password - style: secondary - start: 139 - end: 215 - - source: '""' - style: secondary - start: 216 - end: 218 - - source: ("") - style: secondary - start: 215 - end: 219 - - source: sqlx::mysql - style: secondary - start: 4 - end: 15 - - source: MySqlConnectOptions - style: secondary - start: 18 - end: 37 - - source: '{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}' - style: secondary - start: 17 - end: 80 - - source: sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode} - style: secondary - start: 4 - end: 80 - - source: use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - style: secondary - start: 0 - end: 81 - - source: use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - style: secondary - start: 0 - end: 81 - ? 
|- - use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - async fn test3() -> Result<(), sqlx::Error> { - let pg = PgConnectOptions::new(); - let conn = pg.host("secret-host") - .port(2525) - .username("secret-user") - .password("") - .ssl_mode(PgSslMode::Require) - .connect() - .await?; - - use_connection(conn); - Ok(()) - } - : labels: - - source: |- - pg.host("secret-host") - .port(2525) - .username("secret-user") - .password("") - style: primary - start: 164 - end: 237 - - source: pg - style: secondary - start: 164 - end: 166 - - source: password - style: secondary - start: 225 - end: 233 - - source: |- - pg.host("secret-host") - .port(2525) - .username("secret-user") - .password - style: secondary - start: 164 - end: 233 - - source: '""' - style: secondary - start: 234 - end: 236 - - source: ("") - style: secondary - start: 233 - end: 237 - - source: sqlx::postgres - style: secondary - start: 4 - end: 18 - - source: PgConnectOptions - style: secondary - start: 21 - end: 37 - - source: '{PgConnectOptions, PgConnection, PgPool, PgSslMode}' - style: secondary - start: 20 - end: 71 - - source: sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode} - style: secondary - start: 4 - end: 71 - - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - style: secondary - start: 0 - end: 72 - - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - style: secondary - start: 0 - end: 72 - - source: pg - style: secondary - start: 123 - end: 125 - - source: PgConnectOptions::new - style: secondary - start: 128 - end: 149 - - source: () - style: secondary - start: 149 - end: 151 - - source: PgConnectOptions::new() - style: secondary - start: 128 - end: 151 - - source: let pg = PgConnectOptions::new(); - style: secondary - start: 119 - end: 152 - - source: let pg = PgConnectOptions::new(); - style: secondary - start: 119 - end: 152 
diff --git a/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml deleted file mode 100644 index 8e8d96e8..00000000 --- a/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml +++ /dev/null 
@@ -1,431 +0,0 @@ -id: express-jwt-hardcoded-secret-javascript -snapshots: - ? | - import express from 'express'; - import jwt from 'express-jwt'; - app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - : labels: - - source: 'secret: ''super-secret-key''' - style: primary - start: 91 - end: 117 - - source: jwt - style: secondary - start: 85 - end: 88 - - source: secret - style: secondary - start: 91 - end: 97 - - source: super-secret-key - style: secondary - start: 100 - end: 116 - - source: '''super-secret-key''' - style: secondary - start: 99 - end: 117 - - source: 'secret: ''super-secret-key''' - style: secondary - start: 91 - end: 117 - - source: '{ secret: ''super-secret-key'' }' - style: secondary - start: 89 - end: 119 - - source: '({ secret: ''super-secret-key'' })' - style: secondary - start: 88 - end: 120 - - source: 'jwt({ secret: ''super-secret-key'' })' - style: secondary - start: 85 - end: 120 - - source: jwt - style: secondary - start: 38 - end: 41 - - source: jwt - style: secondary - start: 38 - end: 41 - - source: express-jwt - style: secondary - start: 48 - end: 59 - - source: '''express-jwt''' - style: secondary - start: 47 - end: 60 - - source: import jwt from 'express-jwt'; - style: secondary - start: 31 - end: 61 - - source: |- - app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - style: secondary - start: 62 - end: 216 - ? 
| - import express from 'express'; - import jwt from 'express-jwt'; - const secret3 = 'static-secret'; - app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - : labels: - - source: 'secret: secret3' - style: primary - start: 124 - end: 139 - - source: jwt - style: secondary - start: 118 - end: 121 - - source: secret - style: secondary - start: 124 - end: 130 - - source: secret3 - style: secondary - start: 132 - end: 139 - - source: 'secret: secret3' - style: secondary - start: 124 - end: 139 - - source: '{ secret: secret3, issuer: ''http://issuer'' }' - style: secondary - start: 122 - end: 166 - - source: '({ secret: secret3, issuer: ''http://issuer'' })' - style: secondary - start: 121 - end: 167 - - source: 'jwt({ secret: secret3, issuer: ''http://issuer'' })' - style: secondary - start: 118 - end: 167 - - source: secret3 - style: secondary - start: 68 - end: 75 - - source: static-secret - style: secondary - start: 79 - end: 92 - - source: '''static-secret''' - style: secondary - start: 78 - end: 93 - - source: secret3 = 'static-secret' - style: secondary - start: 68 - end: 93 - - source: const secret3 = 'static-secret'; - style: secondary - start: 62 - end: 94 - - source: jwt - style: secondary - start: 38 - end: 41 - - source: jwt - style: secondary - start: 38 - end: 41 - - source: express-jwt - style: secondary - start: 48 - end: 59 - - source: '''express-jwt''' - style: secondary - start: 47 - end: 60 - - source: import jwt from 'express-jwt'; - style: secondary - start: 31 - end: 61 - - source: |- - app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - style: secondary - start: 95 - end: 263 - ? 
| - import express from 'express'; - import jwt from 'express-jwt'; - let hardcodedSecret1 = 'super-secret-key'; - app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - : labels: - - source: 'secret: hardcodedSecret1' - style: primary - start: 134 - end: 158 - - source: jwt - style: secondary - start: 128 - end: 131 - - source: secret - style: secondary - start: 134 - end: 140 - - source: hardcodedSecret1 - style: secondary - start: 142 - end: 158 - - source: 'secret: hardcodedSecret1' - style: secondary - start: 134 - end: 158 - - source: '{ secret: hardcodedSecret1 }' - style: secondary - start: 132 - end: 160 - - source: '({ secret: hardcodedSecret1 })' - style: secondary - start: 131 - end: 161 - - source: 'jwt({ secret: hardcodedSecret1 })' - style: secondary - start: 128 - end: 161 - - source: hardcodedSecret1 - style: secondary - start: 66 - end: 82 - - source: super-secret-key - style: secondary - start: 86 - end: 102 - - source: '''super-secret-key''' - style: secondary - start: 85 - end: 103 - - source: hardcodedSecret1 = 'super-secret-key' - style: secondary - start: 66 - end: 103 - - source: let hardcodedSecret1 = 'super-secret-key'; - style: secondary - start: 62 - end: 104 - - source: jwt - style: secondary - start: 38 - end: 41 - - source: jwt - style: secondary - start: 38 - end: 41 - - source: express-jwt - style: secondary - start: 48 - end: 59 - - source: '''express-jwt''' - style: secondary - start: 47 - end: 60 - - source: import jwt from 'express-jwt'; - style: secondary - start: 31 - end: 61 - - source: |- - app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - style: secondary - start: 105 - end: 257 - ? 
| - import { expressJwt } from 'express-jwt'; - const secret4 = 'jwt-hardcoded-secret'; - app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - : labels: - - source: 'secret: secret4' - style: primary - start: 118 - end: 133 - - source: expressJwt - style: secondary - start: 105 - end: 115 - - source: secret - style: secondary - start: 118 - end: 124 - - source: secret4 - style: secondary - start: 126 - end: 133 - - source: 'secret: secret4' - style: secondary - start: 118 - end: 133 - - source: '{ secret: secret4 }' - style: secondary - start: 116 - end: 135 - - source: '({ secret: secret4 })' - style: secondary - start: 115 - end: 136 - - source: 'expressJwt({ secret: secret4 })' - style: secondary - start: 105 - end: 136 - - source: secret4 - style: secondary - start: 48 - end: 55 - - source: jwt-hardcoded-secret - style: secondary - start: 59 - end: 79 - - source: '''jwt-hardcoded-secret''' - style: secondary - start: 58 - end: 80 - - source: secret4 = 'jwt-hardcoded-secret' - style: secondary - start: 48 - end: 80 - - source: const secret4 = 'jwt-hardcoded-secret'; - style: secondary - start: 42 - end: 81 - - source: expressJwt - style: secondary - start: 9 - end: 19 - - source: expressJwt - style: secondary - start: 9 - end: 19 - - source: '{ expressJwt }' - style: secondary - start: 7 - end: 21 - - source: '{ expressJwt }' - style: secondary - start: 7 - end: 21 - - source: express-jwt - style: secondary - start: 28 - end: 39 - - source: '''express-jwt''' - style: secondary - start: 27 - end: 40 - - source: import { expressJwt } from 'express-jwt'; - style: secondary - start: 0 - end: 41 - - source: |- - app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - style: secondary - start: 82 - end: 232 - ? 
| - var jwt = require('express-jwt'); - app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - : labels: - - source: 'secret: ''shhhhhhared-secret''' - style: primary - start: 62 - end: 90 - - source: jwt - style: secondary - start: 56 - end: 59 - - source: secret - style: secondary - start: 62 - end: 68 - - source: shhhhhhared-secret - style: secondary - start: 71 - end: 89 - - source: '''shhhhhhared-secret''' - style: secondary - start: 70 - end: 90 - - source: 'secret: ''shhhhhhared-secret''' - style: secondary - start: 62 - end: 90 - - source: '{ secret: ''shhhhhhared-secret'' }' - style: secondary - start: 60 - end: 92 - - source: '({ secret: ''shhhhhhared-secret'' })' - style: secondary - start: 59 - end: 93 - - source: 'jwt({ secret: ''shhhhhhared-secret'' })' - style: secondary - start: 56 - end: 93 - - source: jwt - style: secondary - start: 4 - end: 7 - - source: require - style: secondary - start: 10 - end: 17 - - source: express-jwt - style: secondary - start: 19 - end: 30 - - source: '''express-jwt''' - style: secondary - start: 18 - end: 31 - - source: ('express-jwt') - style: secondary - start: 17 - end: 32 - - source: require('express-jwt') - style: secondary - start: 10 - end: 32 - - source: jwt = require('express-jwt') - style: secondary - start: 4 - end: 32 - - source: var jwt = require('express-jwt'); - style: secondary - start: 0 - end: 33 - - source: |- - app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); - style: secondary - start: 34 - end: 189 diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml deleted file mode 100644 index ae94c35e..00000000 
--- a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -id: express-session-hardcoded-secret-javascript -snapshots: - ? | - import * as session from 'express-session' - let a = 'a' - app.use(session({ - secret: a, - resave: false, - saveUninitialized: false, - })); - : labels: - - source: 'secret: a' - style: primary - start: 73 - end: 82 - - source: secret - style: secondary - start: 73 - end: 79 - - source: a - style: secondary - start: 81 - end: 82 - - source: a - style: secondary - start: 47 - end: 48 - - source: a - style: secondary - start: 52 - end: 53 - - source: '''a''' - style: secondary - start: 51 - end: 54 - - source: a = 'a' - style: secondary - start: 47 - end: 54 - - source: let a = 'a' - style: secondary - start: 43 - end: 54 - - source: |- - app.use(session({ - secret: a, - resave: false, - saveUninitialized: false, - })); - style: secondary - start: 55 - end: 129 - - source: import * as session from 'express-session' - style: secondary - start: 0 - end: 42 - - source: |- - app.use(session({ - secret: a, - resave: false, - saveUninitialized: false, - })); - style: secondary - start: 55 - end: 129 - ? 
| - import * as session from 'express-session' - let config = { - secret: 'a', - resave: false, - saveUninitialized: false, - } - : labels: - - source: 'secret: ''a''' - style: primary - start: 58 - end: 69 - - source: secret - style: secondary - start: 58 - end: 64 - - source: a - style: secondary - start: 67 - end: 68 - - source: '''a''' - style: secondary - start: 66 - end: 69 - - source: 'secret: ''a''' - style: secondary - start: 58 - end: 69 - - source: |- - { - secret: 'a', - resave: false, - saveUninitialized: false, - } - style: secondary - start: 56 - end: 113 - - source: |- - config = { - secret: 'a', - resave: false, - saveUninitialized: false, - } - style: secondary - start: 47 - end: 113 - - source: import * as session from 'express-session' - style: secondary - start: 0 - end: 42 - - source: |- - let config = { - secret: 'a', - resave: false, - saveUninitialized: false, - } - style: secondary - start: 43 - end: 113 - ? |- - import * as session from 'express-session' - let secret2 = { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - : labels: - - source: 'secret: ''foo''' - style: primary - start: 74 - end: 87 - - source: secret - style: secondary - start: 74 - end: 80 - - source: foo - style: secondary - start: 83 - end: 86 - - source: '''foo''' - style: secondary - start: 82 - end: 87 - - source: 'secret: ''foo''' - style: secondary - start: 74 - end: 87 - - source: |- - { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 57 - end: 116 - - source: |- - secret2 = { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 47 - end: 116 - - source: import * as session from 'express-session' - style: secondary - start: 0 - end: 42 - - source: |- - let secret2 = { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 43 - end: 116 
diff --git a/tests/__snapshots__/express-session-hardcoded-secret-typescript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-typescript-snapshot.yml deleted file mode 100644 index fd7cbd8f..00000000 --- a/tests/__snapshots__/express-session-hardcoded-secret-typescript-snapshot.yml +++ /dev/null @@ -1,96 +0,0 @@ -id: express-session-hardcoded-secret-typescript -snapshots: - ? | - import express from 'express' - import session from 'express-session' - let secret2 = { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - app.use(session(secret2)); - : labels: - - source: 'secret: ''foo''' - style: primary - start: 101 - end: 114 - - source: secret - style: secondary - start: 101 - end: 107 - - source: '''foo''' - style: secondary - start: 109 - end: 114 - - source: |- - { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 82 - end: 144 - - source: secret2 - style: secondary - start: 72 - end: 79 - - source: |- - secret2 = { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 72 - end: 144 - - source: session - style: secondary - start: 37 - end: 44 - - source: session - style: secondary - start: 37 - end: 44 - - source: '''express-session''' - style: secondary - start: 50 - end: 67 - - source: import session from 'express-session' - style: secondary - start: 30 - end: 67 - - source: import session from 'express-session' - style: secondary - start: 30 - end: 67 - - source: secret2 - style: secondary - start: 161 - end: 168 - - source: app.use(session(secret2)) - style: secondary - start: 145 - end: 170 - - source: app.use(session(secret2)) - style: secondary - start: 145 - end: 170 - - source: |- - let secret2 = { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 68 - end: 144 - - source: |- - { - resave: false, - secret: 'foo', - saveUninitialized: false, - } - style: secondary - start: 82 - end: 144 
diff --git a/tests/__snapshots__/file-access-before-action-c-snapshot.yml b/tests/__snapshots__/file-access-before-action-c-snapshot.yml deleted file mode 100644 index 8719c370..00000000 --- a/tests/__snapshots__/file-access-before-action-c-snapshot.yml +++ /dev/null 
@@ -1,191 +0,0 @@ -id: file-access-before-action-c -snapshots: - ? | - { - const char *original_key = "path/to/file/filename"; - const char *mirror_key = "path/to/another/file/filename"; - - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - - void test_002(){ - const char *original_key = "path/to/file/filename"; - - if (access(original_key, W_OK) == 0){ - File *fp = fopen(original_key, "wb"); - } - } - } - : labels: - - source: unlink - style: primary - start: 260 - end: 266 - - source: original_key - style: secondary - start: 267 - end: 279 - - source: (original_key) - style: secondary - start: 266 - end: 280 - - source: original_key - style: secondary - start: 131 - end: 143 - - source: F_OK - style: secondary - start: 145 - end: 149 - - source: (original_key, F_OK) - style: secondary - start: 130 - end: 150 - - source: access - style: secondary - start: 124 - end: 130 - - source: access(original_key, F_OK) - style: secondary - start: 124 - end: 150 - - source: == - style: secondary - start: 151 - end: 153 - - source: '0' - style: secondary - start: 154 - end: 155 - - source: access(original_key, F_OK) == 0 - style: secondary - start: 124 - end: 155 - - source: (access(original_key, F_OK) == 0) - style: secondary - start: 123 - end: 156 - - source: (access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0) - style: secondary - start: 123 - end: 191 - - source: ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)) - style: secondary - start: 122 - end: 192 - - source: |- - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 119 - end: 285 - - source: |- - { - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 192 - end: 285 - - source: 
unlink(original_key) - style: secondary - start: 260 - end: 280 - ? | - { - const char *original_key = "path/to/file/filename"; - const char *mirror_key = "path/to/another/file/filename"; - - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - - void test_002(){ - const char *original_key = "path/to/file/filename"; - - if (access(original_key, W_OK) == 0){ - File *fp = fopen(original_key, "wb"); - } - } - : labels: - - source: unlink - style: primary - start: 250 - end: 256 - - source: original_key - style: secondary - start: 257 - end: 269 - - source: (original_key) - style: secondary - start: 256 - end: 270 - - source: original_key - style: secondary - start: 125 - end: 137 - - source: F_OK - style: secondary - start: 139 - end: 143 - - source: (original_key, F_OK) - style: secondary - start: 124 - end: 144 - - source: access - style: secondary - start: 118 - end: 124 - - source: access(original_key, F_OK) - style: secondary - start: 118 - end: 144 - - source: == - style: secondary - start: 145 - end: 147 - - source: '0' - style: secondary - start: 148 - end: 149 - - source: access(original_key, F_OK) == 0 - style: secondary - start: 118 - end: 149 - - source: (access(original_key, F_OK) == 0) - style: secondary - start: 117 - end: 150 - - source: (access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0) - style: secondary - start: 117 - end: 185 - - source: ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)) - style: secondary - start: 116 - end: 186 - - source: |- - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 113 - end: 273 - - source: |- - { - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 186 - end: 273 - - source: 
unlink(original_key) - style: secondary - start: 250 - end: 270 diff --git a/tests/__snapshots__/file-access-before-action-cpp-snapshot.yml b/tests/__snapshots__/file-access-before-action-cpp-snapshot.yml deleted file mode 100644 index 34f76db2..00000000 --- a/tests/__snapshots__/file-access-before-action-cpp-snapshot.yml +++ /dev/null 
@@ -1,189 +0,0 @@ -id: file-access-before-action-cpp -snapshots: - ? | - { - const char *original_key = "path/to/file/filename"; - const char *mirror_key = "path/to/another/file/filename"; - - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - - void test_002(){ - const char *original_key = "path/to/file/filename"; - if (access(original_key, W_OK) == 0){ - FILe *fp = fopen(original_key, "wb"); - } - } - } - : labels: - - source: unlink - style: primary - start: 260 - end: 266 - - source: original_key - style: secondary - start: 267 - end: 279 - - source: (original_key) - style: secondary - start: 266 - end: 280 - - source: original_key - style: secondary - start: 131 - end: 143 - - source: F_OK - style: secondary - start: 145 - end: 149 - - source: (original_key, F_OK) - style: secondary - start: 130 - end: 150 - - source: access - style: secondary - start: 124 - end: 130 - - source: access(original_key, F_OK) - style: secondary - start: 124 - end: 150 - - source: == - style: secondary - start: 151 - end: 153 - - source: '0' - style: secondary - start: 154 - end: 155 - - source: access(original_key, F_OK) == 0 - style: secondary - start: 124 - end: 155 - - source: (access(original_key, F_OK) == 0) - style: secondary - start: 123 - end: 156 - - source: (access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0) - style: secondary - start: 123 - end: 191 - - source: ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)) - style: secondary - start: 122 - end: 192 - - source: |- - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 119 - end: 285 - - source: |- - { - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 192 - end: 285 - - source: 
unlink(original_key) - style: secondary - start: 260 - end: 280 - ? | - { - const char *original_key = "path/to/file/filename"; - const char *mirror_key = "path/to/another/file/filename"; - - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - - void test_002(){ - const char *original_key = "path/to/file/filename"; - if (access(original_key, W_OK) == 0){ - FILe *fp = fopen(original_key, "wb"); - } - } - : labels: - - source: unlink - style: primary - start: 250 - end: 256 - - source: original_key - style: secondary - start: 257 - end: 269 - - source: (original_key) - style: secondary - start: 256 - end: 270 - - source: original_key - style: secondary - start: 125 - end: 137 - - source: F_OK - style: secondary - start: 139 - end: 143 - - source: (original_key, F_OK) - style: secondary - start: 124 - end: 144 - - source: access - style: secondary - start: 118 - end: 124 - - source: access(original_key, F_OK) - style: secondary - start: 118 - end: 144 - - source: == - style: secondary - start: 145 - end: 147 - - source: '0' - style: secondary - start: 148 - end: 149 - - source: access(original_key, F_OK) == 0 - style: secondary - start: 118 - end: 149 - - source: (access(original_key, F_OK) == 0) - style: secondary - start: 117 - end: 150 - - source: (access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0) - style: secondary - start: 117 - end: 185 - - source: ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)) - style: secondary - start: 116 - end: 186 - - source: |- - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){ - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 113 - end: 273 - - source: |- - { - copy_file("/bin/cp %s %s", original_key, mirror_key); - unlink(original_key); - } - style: secondary - start: 186 - end: 273 - - source: 
unlink(original_key) - style: secondary - start: 250 - end: 270 diff --git a/tests/__snapshots__/file-stat-before-action-c-snapshot.yml b/tests/__snapshots__/file-stat-before-action-c-snapshot.yml deleted file mode 100644 index e1cd5cbb..00000000 --- a/tests/__snapshots__/file-stat-before-action-c-snapshot.yml +++ /dev/null 
@@ -1,216 +0,0 @@ -id: file-stat-before-action-c -snapshots: - ? | - if (stat(file.c_str(), &buf) == 0) - { - // Open the file for reading - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos){ - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - - // Close the file - fclose(fp); - } - : labels: - - source: fopen - style: primary - start: 80 - end: 85 - - source: file.c_str() - style: secondary - start: 86 - end: 98 - - source: (file.c_str(), "r") - style: secondary - start: 85 - end: 104 - - source: stat - style: secondary - start: 4 - end: 8 - - source: file.c_str() - style: secondary - start: 9 - end: 21 - - source: (file.c_str(), &buf) - style: secondary - start: 8 - end: 28 - - source: stat(file.c_str(), &buf) - style: secondary - start: 4 - end: 28 - - source: == - style: secondary - start: 29 - end: 31 - - source: '0' - style: secondary - start: 32 - end: 33 - - source: stat(file.c_str(), &buf) == 0 - style: secondary - start: 4 - end: 33 - - source: (stat(file.c_str(), &buf) == 0) - style: secondary - start: 3 - end: 34 - - source: |- - if (stat(file.c_str(), &buf) == 0) - { - // Open the file for reading - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - 
s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos){ - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 0 - end: 843 - - source: |- - { - // Open the file for reading - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos){ - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 36 - end: 843 - - source: fopen(file.c_str(), "r") - style: secondary - start: 80 - end: 104 - ? 
"if (stat(file.c_str(), &buf) == 0){\n // Open the file for reading\n fp = fopen(file.c_str(), \"r\");\n if (fp == NULL){\n char message[2560];\n sprintf(message, \"File '%s' Cound Not be Opened\", file.c_str());\n // DISPLAY_MSG_ERROR( this, message, \"GetFileContents\", \"System\" );\n throw message;\n }\n\n // Read the file\n MvString s, ss;\n while (fgets(data, sizeof(data), fp) != (char *)0){\n s = data;\n s.trimBoth();\n if (s.compare(0, 5, \"GROUP\") == 0){\n // size_t t = s.find_last_of( \":\" );\n size_t t = s.find(\":\");\n \n if (t != string::npos){\n ss = s.substr(t + 1).c_str();\n ss.trimBoth();\n ss = ss.substr(1, ss.length() - 3).c_str();\n group_list.push_back(ss);\n }\n }\n }\n\n // Close the file\n fclose(fp);\n}\n" - : labels: - - source: fopen - style: primary - start: 74 - end: 79 - - source: file.c_str() - style: secondary - start: 80 - end: 92 - - source: (file.c_str(), "r") - style: secondary - start: 79 - end: 98 - - source: stat - style: secondary - start: 4 - end: 8 - - source: file.c_str() - style: secondary - start: 9 - end: 21 - - source: (file.c_str(), &buf) - style: secondary - start: 8 - end: 28 - - source: stat(file.c_str(), &buf) - style: secondary - start: 4 - end: 28 - - source: == - style: secondary - start: 29 - end: 31 - - source: '0' - style: secondary - start: 32 - end: 33 - - source: stat(file.c_str(), &buf) == 0 - style: secondary - start: 4 - end: 33 - - source: (stat(file.c_str(), &buf) == 0) - style: secondary - start: 3 - end: 34 - - source: "if (stat(file.c_str(), &buf) == 0){\n // Open the file for reading\n fp = fopen(file.c_str(), \"r\");\n if (fp == NULL){\n char message[2560];\n sprintf(message, \"File '%s' Cound Not be Opened\", file.c_str());\n // DISPLAY_MSG_ERROR( this, message, \"GetFileContents\", \"System\" );\n throw message;\n }\n\n // Read the file\n MvString s, ss;\n while (fgets(data, sizeof(data), fp) != (char *)0){\n s = data;\n s.trimBoth();\n if (s.compare(0, 5, \"GROUP\") == 0){\n // size_t t = 
s.find_last_of( \":\" );\n size_t t = s.find(\":\");\n \n if (t != string::npos){\n ss = s.substr(t + 1).c_str();\n ss.trimBoth();\n ss = ss.substr(1, ss.length() - 3).c_str();\n group_list.push_back(ss);\n }\n }\n }\n\n // Close the file\n fclose(fp);\n}" - style: secondary - start: 0 - end: 782 - - source: "{\n // Open the file for reading\n fp = fopen(file.c_str(), \"r\");\n if (fp == NULL){\n char message[2560];\n sprintf(message, \"File '%s' Cound Not be Opened\", file.c_str());\n // DISPLAY_MSG_ERROR( this, message, \"GetFileContents\", \"System\" );\n throw message;\n }\n\n // Read the file\n MvString s, ss;\n while (fgets(data, sizeof(data), fp) != (char *)0){\n s = data;\n s.trimBoth();\n if (s.compare(0, 5, \"GROUP\") == 0){\n // size_t t = s.find_last_of( \":\" );\n size_t t = s.find(\":\");\n \n if (t != string::npos){\n ss = s.substr(t + 1).c_str();\n ss.trimBoth();\n ss = ss.substr(1, ss.length() - 3).c_str();\n group_list.push_back(ss);\n }\n }\n }\n\n // Close the file\n fclose(fp);\n}" - style: secondary - start: 34 - end: 782 - - source: fopen(file.c_str(), "r") - style: secondary - start: 74 - end: 98 diff --git a/tests/__snapshots__/file-stat-before-action-cpp-snapshot.yml b/tests/__snapshots__/file-stat-before-action-cpp-snapshot.yml deleted file mode 100644 index 5aba6ff8..00000000 --- a/tests/__snapshots__/file-stat-before-action-cpp-snapshot.yml +++ /dev/null 
@@ -1,162 +0,0 @@ -id: file-stat-before-action-cpp -snapshots: - ? | - if (stat(file.c_str(), &buf) == 0){ - // Open the file for reading - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - : labels: - - source: fopen - style: primary - start: 74 - end: 79 - - source: file.c_str() - style: secondary - start: 80 - end: 92 - - source: (file.c_str(), "r") - style: secondary - start: 79 - end: 98 - - source: stat - style: secondary - start: 4 - end: 8 - - source: file.c_str() - style: secondary - start: 9 - end: 21 - - source: (file.c_str(), &buf) - style: secondary - start: 8 - end: 28 - - source: stat(file.c_str(), &buf) - style: secondary - start: 4 - end: 28 - - source: == - style: secondary - start: 29 - end: 31 - - source: '0' - style: secondary - start: 32 - end: 33 - - source: stat(file.c_str(), &buf) == 0 - style: secondary - start: 4 - end: 33 - - source: (stat(file.c_str(), &buf) == 0) - style: secondary - start: 3 - end: 34 - - source: |- - if (stat(file.c_str(), &buf) == 0){ - // Open the file for reading - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - 
s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 0 - end: 793 - - source: |- - { - // Open the file for reading - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 34 - end: 793 - - source: fopen(file.c_str(), "r") - style: secondary - start: 74 - end: 98 diff --git a/tests/__snapshots__/fix-format-security-error-cpp-snapshot.yml b/tests/__snapshots__/fix-format-security-error-cpp-snapshot.yml deleted file mode 100644 index 9c3d60e1..00000000 --- a/tests/__snapshots__/fix-format-security-error-cpp-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: fix-format-security-error-cpp -snapshots: - ? | - fprintf(stderr, out); - : fixed: | - fprintf(stderr, "%s", out); - labels: - - source: fprintf(stderr, out) - style: primary - start: 0 - end: 20 - ? | - sprintf(&buffer[2], obj->Text); - : fixed: | - sprintf(&buffer[2], "%s", obj->Text); - labels: - - source: sprintf(&buffer[2], obj->Text) - style: primary - start: 0 - end: 30 - ? | - sprintf(buf1, Text_String(TXT_WAITING_FOR_CONNECTIONS)); - : fixed: | - sprintf(buf1, "%s", Text_String(TXT_WAITING_FOR_CONNECTIONS)); - labels: - - source: sprintf(buf1, Text_String(TXT_WAITING_FOR_CONNECTIONS)) - style: primary - start: 0 - end: 55 diff --git a/tests/__snapshots__/force-ssl-false-ruby-snapshot.yml b/tests/__snapshots__/force-ssl-false-ruby-snapshot.yml deleted file mode 100644 index 618758d2..00000000 --- a/tests/__snapshots__/force-ssl-false-ruby-snapshot.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: force-ssl-false-ruby -snapshots: - ? | - def bad_ssl - config.force_ssl = false - end - : labels: - - source: config.force_ssl = false - style: primary - start: 12 - end: 36 - - source: config.force_ssl - style: secondary - start: 12 - end: 28 - - source: 'false' - style: secondary - start: 31 - end: 36 diff --git a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml deleted file mode 100644 index 19e8085e..00000000 --- a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml +++ /dev/null 
@@ -1,223 +0,0 @@ -id: gorilla-cookie-store-hardcoded-session-key-go -snapshots: - ? | - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - var storeHardcoded = sessions.NewCookieStore([]byte("hardcoded-session-key")) - : labels: - - source: sessions.NewCookieStore([]byte("hardcoded-session-key")) - style: primary - start: 85 - end: 141 - - source: sessions - style: secondary - start: 85 - end: 93 - - source: NewCookieStore - style: secondary - start: 94 - end: 108 - - source: sessions.NewCookieStore - style: secondary - start: 85 - end: 108 - - source: byte - style: secondary - start: 111 - end: 115 - - source: '[]byte' - style: secondary - start: 109 - end: 115 - - source: '"hardcoded-session-key"' - style: secondary - start: 116 - end: 139 - - source: '[]byte("hardcoded-session-key")' - style: secondary - start: 109 - end: 140 - - source: ([]byte("hardcoded-session-key")) - style: secondary - start: 108 - end: 141 - - source: '"github.com/gorilla/sessions"' - style: secondary - start: 32 - end: 61 - - source: '"github.com/gorilla/sessions"' - style: secondary - start: 32 - end: 61 - - source: |- - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - style: secondary - start: 0 - end: 63 - - source: |- - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - style: secondary - start: 0 - end: 63 - ? 
|- - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - var storeMultipleHardcoded = sessions.NewCookieStore( - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) - : labels: - - source: |- - sessions.NewCookieStore( - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) - style: primary - start: 93 - end: 185 - - source: sessions - style: secondary - start: 93 - end: 101 - - source: NewCookieStore - style: secondary - start: 102 - end: 116 - - source: sessions.NewCookieStore - style: secondary - start: 93 - end: 116 - - source: byte - style: secondary - start: 121 - end: 125 - - source: '[]byte' - style: secondary - start: 119 - end: 125 - - source: '"old-authentication-key"' - style: secondary - start: 126 - end: 150 - - source: '[]byte("old-authentication-key")' - style: secondary - start: 119 - end: 151 - - source: |- - ( - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) - style: secondary - start: 116 - end: 185 - - source: '"github.com/gorilla/sessions"' - style: secondary - start: 32 - end: 61 - - source: '"github.com/gorilla/sessions"' - style: secondary - start: 32 - end: 61 - - source: |- - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - style: secondary - start: 0 - end: 63 - - source: |- - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - style: secondary - start: 0 - end: 63 - ? 
| - import ( - "github.com/gorilla/sessions" - ) - var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here")) - var store = sessions.NewCookieStore( - []byte("new-authentication-key"), - []byte("new-encryption-key"), - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) - : labels: - - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here")) - style: primary - start: 53 - end: 114 - - source: sessions - style: secondary - start: 53 - end: 61 - - source: NewCookieStore - style: secondary - start: 62 - end: 76 - - source: sessions.NewCookieStore - style: secondary - start: 53 - end: 76 - - source: byte - style: secondary - start: 79 - end: 83 - - source: '[]byte' - style: secondary - start: 77 - end: 83 - - source: '"hardcoded-session-key-here"' - style: secondary - start: 84 - end: 112 - - source: '[]byte("hardcoded-session-key-here")' - style: secondary - start: 77 - end: 113 - - source: ([]byte("hardcoded-session-key-here")) - style: secondary - start: 76 - end: 114 - - source: '"github.com/gorilla/sessions"' - style: secondary - start: 9 - end: 38 - - source: '"github.com/gorilla/sessions"' - style: secondary - start: 9 - end: 38 - - source: |- - import ( - "github.com/gorilla/sessions" - ) - style: secondary - start: 0 - end: 40 - - source: |- - import ( - "github.com/gorilla/sessions" - ) - style: secondary - start: 0 - end: 40 diff --git a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml deleted file mode 100644 index 2e20a442..00000000 --- a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -id: gorilla-csrf-hardcoded-auth-key-go -snapshots: - ? |- - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } - : labels: - - source: csrf.Protect([]byte("32-byte-long-auth-key")) - style: primary - start: 84 - end: 129 - - source: csrf - style: secondary - start: 84 - end: 88 - - source: Protect - style: secondary - start: 89 - end: 96 - - source: csrf.Protect - style: secondary - start: 84 - end: 96 - - source: byte - style: secondary - start: 99 - end: 103 - - source: '[]byte' - style: secondary - start: 97 - end: 103 - - source: '"32-byte-long-auth-key"' - style: secondary - start: 104 - end: 127 - - source: '[]byte("32-byte-long-auth-key")' - style: secondary - start: 97 - end: 128 - - source: ([]byte("32-byte-long-auth-key")) - style: secondary - start: 96 - end: 129 - - source: '"github.com/gorilla/csrf"' - style: secondary - start: 9 - end: 34 - - source: |- - import ( - "github.com/gorilla/csrf" - ) - style: secondary - start: 0 - end: 36 - - source: |- - import ( - "github.com/gorilla/csrf" - ) - style: secondary - start: 0 - end: 36 - ? 
|- - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } - : labels: - - source: csrf.Protect([]byte("32-byte-long-auth-key")) - style: primary - start: 84 - end: 129 - - source: csrf - style: secondary - start: 84 - end: 88 - - source: Protect - style: secondary - start: 89 - end: 96 - - source: csrf.Protect - style: secondary - start: 84 - end: 96 - - source: byte - style: secondary - start: 99 - end: 103 - - source: '[]byte' - style: secondary - start: 97 - end: 103 - - source: '"32-byte-long-auth-key"' - style: secondary - start: 104 - end: 127 - - source: '[]byte("32-byte-long-auth-key")' - style: secondary - start: 97 - end: 128 - - source: ([]byte("32-byte-long-auth-key")) - style: secondary - start: 96 - end: 129 - - source: '"github.com/gorilla/csrf"' - style: secondary - start: 9 - end: 34 - - source: |- - import ( - "github.com/gorilla/csrf" - ) - style: secondary - start: 0 - end: 36 - - source: |- - import ( - "github.com/gorilla/csrf" - ) - style: secondary - start: 0 - end: 36 diff --git a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml b/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml deleted file mode 100644 index 4b883430..00000000 --- a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -id: grpc-client-insecure-connection-go -snapshots: - conn, err := grpc.Dial(address, grpc.WithInsecure()): - labels: - - source: grpc.Dial(address, grpc.WithInsecure()) - style: primary - start: 13 - end: 52 - - source: grpc - style: secondary - start: 13 - end: 17 - - source: Dial - style: secondary - start: 18 - end: 22 - - source: grpc.Dial - style: secondary - start: 13 - end: 22 - - source: address - style: secondary - start: 23 - end: 30 - - source: grpc - style: secondary - start: 32 - end: 36 - - source: WithInsecure - style: secondary - start: 37 - end: 49 - - source: grpc.WithInsecure - style: secondary - start: 32 - end: 49 - - source: () - style: secondary - start: 49 - end: 51 - - source: grpc.WithInsecure() - style: secondary - start: 32 - end: 51 - - source: (address, grpc.WithInsecure()) - style: secondary - start: 22 - end: 52 diff --git a/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml b/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml deleted file mode 100644 index 4b6aee6f..00000000 --- a/tests/__snapshots__/hardcoded-connection-password-java-snapshot.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -id: hardcoded-connection-password-java -snapshots: - ? |- - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - import javax.jdo.PersistenceManagerFactory; - public class PeopleTest { - private PersistenceManagerFactory pmf; - private String pw = "asdf"; - public void setUp() throws SQLException { - pmf.setConnectionPassword(pw); - } - } - : labels: - - source: setConnectionPassword - style: primary - start: 244 - end: 265 - - source: pw - style: secondary - start: 266 - end: 268 - - source: (pw) - style: secondary - start: 265 - end: 269 - - source: pmf - style: secondary - start: 240 - end: 243 - - source: pmf.setConnectionPassword(pw) - style: secondary - start: 240 - end: 269 - - source: PersistenceManagerFactory - style: secondary - start: 139 - end: 164 - - source: pmf - style: secondary - start: 165 - end: 168 - - source: pmf - style: secondary - start: 165 - end: 168 - - source: private PersistenceManagerFactory pmf; - style: secondary - start: 131 - end: 169 - - source: private PersistenceManagerFactory pmf; - style: secondary - start: 131 - end: 169 - - source: pw - style: secondary - start: 185 - end: 187 - - source: asdf - style: secondary - start: 191 - end: 195 - - source: '"asdf"' - style: secondary - start: 190 - end: 196 - - source: pw = "asdf" - style: secondary - start: 185 - end: 196 - - source: private String pw = "asdf"; - style: secondary - start: 170 - end: 197 - - source: private String pw = "asdf"; - style: secondary - start: 170 - end: 197 - - source: import javax.jdo.PersistenceManagerFactory; - style: secondary - start: 61 - end: 104 - - source: import javax.jdo.PersistenceManagerFactory; - style: secondary - start: 61 - end: 104 - ? 
| - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - import javax.jdo.PersistenceManagerFactory; - public class PeopleTest { - private PersistenceManagerFactory pmf; - public void setUp() throws SQLException { - pmf.setConnectionPassword("asdf"); - } - } - : labels: - - source: setConnectionPassword - style: primary - start: 216 - end: 237 - - source: asdf - style: secondary - start: 239 - end: 243 - - source: '"asdf"' - style: secondary - start: 238 - end: 244 - - source: ("asdf") - style: secondary - start: 237 - end: 245 - - source: pmf - style: secondary - start: 212 - end: 215 - - source: pmf.setConnectionPassword("asdf") - style: secondary - start: 212 - end: 245 - - source: PersistenceManagerFactory - style: secondary - start: 139 - end: 164 - - source: pmf - style: secondary - start: 165 - end: 168 - - source: pmf - style: secondary - start: 165 - end: 168 - - source: private PersistenceManagerFactory pmf; - style: secondary - start: 131 - end: 169 - - source: private PersistenceManagerFactory pmf; - style: secondary - start: 131 - end: 169 - - source: import javax.jdo.PersistenceManagerFactory; - style: secondary - start: 61 - end: 104 - - source: import javax.jdo.PersistenceManagerFactory; - style: secondary - start: 61 - end: 104 diff --git a/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml b/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml deleted file mode 100644 index 5043b45e..00000000 --- a/tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -id: hardcoded-http-auth-in-controller-ruby -snapshots: - ? |- - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - end - : labels: - - source: '"secret"' - style: primary - start: 108 - end: 116 - - source: :password - style: secondary - start: 95 - end: 104 - - source: '"secret"' - style: secondary - start: 108 - end: 116 - - source: http_basic_authenticate_with - style: secondary - start: 50 - end: 78 - - source: DangerousController - style: secondary - start: 6 - end: 25 - - source: ApplicationController - style: secondary - start: 28 - end: 49 - - source: < ApplicationController - style: secondary - start: 26 - end: 49 - - source: |- - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - end - style: secondary - start: 0 - end: 160 - - source: |- - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - style: secondary - start: 50 - end: 156 - - source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - style: secondary - start: 50 - end: 135 - - source: :name => "dhh", :password => "secret", :except => :index - style: secondary - start: 79 - end: 135 - - source: :password => "secret" - style: secondary - start: 95 - end: 116 diff --git a/tests/__snapshots__/hardcoded-password-rust-snapshot.yml b/tests/__snapshots__/hardcoded-password-rust-snapshot.yml deleted file mode 100644 index abd2b0de..00000000 --- a/tests/__snapshots__/hardcoded-password-rust-snapshot.yml +++ /dev/null 
@@ -1,187 +0,0 @@ -id: hardcoded-password-rust -snapshots: - ? | - use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - async fn test1() -> Result<(), sqlx::Error> { - let conn = MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("password") - .database("db") - .connect().await?; - - use_connection(conn); - Ok(()) - } - : labels: - - source: |- - MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("password") - style: primary - start: 139 - end: 227 - - source: () - style: secondary - start: 163 - end: 165 - - source: MySqlConnectOptions::new - style: secondary - start: 139 - end: 163 - - source: |- - MySqlConnectOptions::new() - .host("localhost") - .username("root") - style: secondary - start: 139 - end: 204 - - source: password - style: secondary - start: 207 - end: 215 - - source: |- - MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password - style: secondary - start: 139 - end: 215 - - source: password - style: secondary - start: 217 - end: 225 - - source: '"password"' - style: secondary - start: 216 - end: 226 - - source: ("password") - style: secondary - start: 215 - end: 227 - - source: sqlx::mysql - style: secondary - start: 4 - end: 15 - - source: MySqlConnectOptions - style: secondary - start: 18 - end: 37 - - source: '{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}' - style: secondary - start: 17 - end: 80 - - source: sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode} - style: secondary - start: 4 - end: 80 - - source: use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - style: secondary - start: 0 - end: 81 - - source: use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - style: secondary - start: 0 - end: 81 - ? 
|- - use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - async fn test3() -> Result<(), sqlx::Error> { - let pg = PgConnectOptions::new(); - let conn = pg.host("secret-host") - .port(2525) - .username("secret-user") - .password("secret-password") - .ssl_mode(PgSslMode::Require) - .connect() - .await?; - - use_connection(conn); - Ok(()) - } - : labels: - - source: |- - pg.host("secret-host") - .port(2525) - .username("secret-user") - .password("secret-password") - style: primary - start: 164 - end: 252 - - source: pg - style: secondary - start: 164 - end: 166 - - source: password - style: secondary - start: 225 - end: 233 - - source: |- - pg.host("secret-host") - .port(2525) - .username("secret-user") - .password - style: secondary - start: 164 - end: 233 - - source: secret-password - style: secondary - start: 235 - end: 250 - - source: '"secret-password"' - style: secondary - start: 234 - end: 251 - - source: ("secret-password") - style: secondary - start: 233 - end: 252 - - source: sqlx::postgres - style: secondary - start: 4 - end: 18 - - source: PgConnectOptions - style: secondary - start: 21 - end: 37 - - source: '{PgConnectOptions, PgConnection, PgPool, PgSslMode}' - style: secondary - start: 20 - end: 71 - - source: sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode} - style: secondary - start: 4 - end: 71 - - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - style: secondary - start: 0 - end: 72 - - source: use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - style: secondary - start: 0 - end: 72 - - source: pg - style: secondary - start: 123 - end: 125 - - source: PgConnectOptions::new - style: secondary - start: 128 - end: 149 - - source: () - style: secondary - start: 149 - end: 151 - - source: PgConnectOptions::new() - style: secondary - start: 128 - end: 151 - - source: let pg = PgConnectOptions::new(); - style: secondary - start: 119 - end: 152 - - source: let 
pg = PgConnectOptions::new(); - style: secondary - start: 119 - end: 152 diff --git a/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml b/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml deleted file mode 100644 index 780a2eb6..00000000 --- a/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -id: hardcoded-secret-in-credentials-java -snapshots: - ? "import okhttp3.*;\npublic class OkhttpSecretBasicAuth {\nprivate String password = \"hi\";\npublic void run() { \nString credential = Credentials.basic(username, password);\n}\n}" - : labels: - - source: Credentials.basic(username, password) - style: primary - start: 128 - end: 165 - - source: Credentials - style: secondary - start: 128 - end: 139 - - source: basic - style: secondary - start: 140 - end: 145 - - source: password - style: secondary - start: 156 - end: 164 - - source: (username, password) - style: secondary - start: 145 - end: 165 - - source: import okhttp3.*; - style: secondary - start: 0 - end: 17 - - source: import okhttp3.*; - style: secondary - start: 0 - end: 17 - - source: password - style: secondary - start: 70 - end: 78 - - source: hi - style: secondary - start: 82 - end: 84 - - source: '"hi"' - style: secondary - start: 81 - end: 85 - - source: password = "hi" - style: secondary - start: 70 - end: 85 - - source: private String password = "hi"; - style: secondary - start: 55 - end: 86 - - source: private String password = "hi"; - style: secondary - start: 55 - end: 86 - ? "import okhttp3.*;\npublic class OkhttpSecretBasicAuth {\npublic void run() { \nString credential = Credentials.basic(username, \"asdf\");\n}\n}\n" - : labels: - - source: Credentials.basic(username, "asdf") - style: primary - start: 96 - end: 131 - - source: Credentials - style: secondary - start: 96 - end: 107 - - source: basic - style: secondary - start: 108 - end: 113 - - source: asdf - style: secondary - start: 125 - end: 129 - - source: '"asdf"' - style: secondary - start: 124 - end: 130 - - source: (username, "asdf") - style: secondary - start: 113 - end: 131 - - source: import okhttp3.*; - style: secondary - start: 0 - end: 17 - - source: import okhttp3.*; - style: secondary - start: 0 - end: 17 
diff --git a/tests/__snapshots__/hardcoded-secret-rsa-passphrase-ruby-snapshot.yml b/tests/__snapshots__/hardcoded-secret-rsa-passphrase-ruby-snapshot.yml deleted file mode 100644 index ba9c7bf5..00000000 --- a/tests/__snapshots__/hardcoded-secret-rsa-passphrase-ruby-snapshot.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: hardcoded-secret-rsa-passphrase-ruby -snapshots: - ? | - module Test - require 'openssl' - class Test - $pass = 'super secret' - def initialize(key = nil, iv = nil) - @pass1 = 'my secure pass phrase goes here' - @keypem = 'foo.pem' - OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret") - bad - bad1 - bad2 - bad3 - ok - end - : labels: - - source: OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret") - style: primary - start: 173 - end: 226 - - source: OpenSSL::PKey::RSA.new(1024) - style: secondary - start: 173 - end: 201 - - source: . - style: secondary - start: 201 - end: 202 - - source: to_pem - style: secondary - start: 202 - end: 208 - - source: '"secret"' - style: secondary - start: 217 - end: 225 - - source: (cipher, "secret") - style: secondary - start: 208 - end: 226 diff --git a/tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml b/tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml deleted file mode 100644 index b65472f1..00000000 --- a/tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml +++ /dev/null 
@@ -1,252 +0,0 @@ -id: hashids-with-django-secret-python -snapshots: - ? | - from django.conf import settings - from hashids import Hashids - import hashlib - hashid_1 = Hashids(salt=settings.SECRET_KEY) - : labels: - - source: Hashids(salt=settings.SECRET_KEY) - style: primary - start: 87 - end: 120 - - source: Hashids - style: secondary - start: 87 - end: 94 - - source: salt - style: secondary - start: 95 - end: 99 - - source: settings - style: secondary - start: 100 - end: 108 - - source: SECRET_KEY - style: secondary - start: 109 - end: 119 - - source: settings.SECRET_KEY - style: secondary - start: 100 - end: 119 - - source: salt=settings.SECRET_KEY - style: secondary - start: 95 - end: 119 - - source: (salt=settings.SECRET_KEY) - style: secondary - start: 94 - end: 120 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - ? 
"from django.conf import settings\nfrom hashids import Hashids\nimport hashlib\nhashid_2 = Hashids(salt=settings.SECRET_KEY, min_length=8) \n" - : labels: - - source: Hashids(salt=settings.SECRET_KEY, min_length=8) - style: primary - start: 87 - end: 134 - - source: Hashids - style: secondary - start: 87 - end: 94 - - source: salt - style: secondary - start: 95 - end: 99 - - source: settings - style: secondary - start: 100 - end: 108 - - source: SECRET_KEY - style: secondary - start: 109 - end: 119 - - source: settings.SECRET_KEY - style: secondary - start: 100 - end: 119 - - source: salt=settings.SECRET_KEY - style: secondary - start: 95 - end: 119 - - source: (salt=settings.SECRET_KEY, min_length=8) - style: secondary - start: 94 - end: 134 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - ? 
| - from django.conf import settings - from hashids import Hashids - import hashlib - hashid_3 = Hashids(settings.SECRET_KEY, min_length=10) - : labels: - - source: Hashids(settings.SECRET_KEY, min_length=10) - style: primary - start: 87 - end: 130 - - source: Hashids - style: secondary - start: 87 - end: 94 - - source: settings - style: secondary - start: 95 - end: 103 - - source: SECRET_KEY - style: secondary - start: 104 - end: 114 - - source: settings.SECRET_KEY - style: secondary - start: 95 - end: 114 - - source: (settings.SECRET_KEY, min_length=10) - style: secondary - start: 94 - end: 130 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - ? | - from django.conf import settings - from hashids import Hashids - import hashlib - hashid_4 = Hashids(settings.SECRET_KEY, alphabet="1234567890abcdef") - : labels: - - source: Hashids(settings.SECRET_KEY, alphabet="1234567890abcdef") - style: primary - start: 87 - end: 144 - - source: Hashids - style: secondary - start: 87 - end: 94 - - source: settings - style: secondary - start: 95 - end: 103 - - source: SECRET_KEY - style: secondary - start: 104 - end: 114 - - source: settings.SECRET_KEY - style: secondary - start: 95 - end: 114 - - source: (settings.SECRET_KEY, alphabet="1234567890abcdef") - style: secondary - start: 94 - end: 144 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - ? 
| - from django.conf import settings - from hashids import Hashids - import hashlib - hashid_5 = Hashids(salt=settings.SECRET_KEY, min_length=12, alphabet="abcdef") - : labels: - - source: Hashids(salt=settings.SECRET_KEY, min_length=12, alphabet="abcdef") - style: primary - start: 87 - end: 154 - - source: Hashids - style: secondary - start: 87 - end: 94 - - source: salt - style: secondary - start: 95 - end: 99 - - source: settings - style: secondary - start: 100 - end: 108 - - source: SECRET_KEY - style: secondary - start: 109 - end: 119 - - source: settings.SECRET_KEY - style: secondary - start: 100 - end: 119 - - source: salt=settings.SECRET_KEY - style: secondary - start: 95 - end: 119 - - source: (salt=settings.SECRET_KEY, min_length=12, alphabet="abcdef") - style: secondary - start: 94 - end: 154 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from django.conf import settings - style: secondary - start: 0 - end: 32 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 - - source: from hashids import Hashids - style: secondary - start: 33 - end: 60 diff --git a/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml b/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml deleted file mode 100644 index 2154f4ee..00000000 --- a/tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml +++ /dev/null 
@@ -1,230 +0,0 @@ -id: hashids-with-flask-secret-python -snapshots: - ? |- - from hashids import Hashids - app = Flask(__name__.split('.')[0]) - hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY']) - : labels: - - source: Hashids(min_length=4, salt=app.config['SECRET_KEY']) - style: primary - start: 74 - end: 126 - - source: Hashids - style: secondary - start: 74 - end: 81 - - source: salt - style: secondary - start: 96 - end: 100 - - source: app.config['SECRET_KEY'] - style: secondary - start: 101 - end: 125 - - source: salt=app.config['SECRET_KEY'] - style: secondary - start: 96 - end: 125 - - source: (min_length=4, salt=app.config['SECRET_KEY']) - style: secondary - start: 81 - end: 126 - - source: from hashids import Hashids - style: secondary - start: 0 - end: 27 - - source: app = Flask(__name__.split('.')[0]) - style: secondary - start: 28 - end: 63 - - source: app = Flask(__name__.split('.')[0]) - style: secondary - start: 28 - end: 63 - - source: |- - from hashids import Hashids - app = Flask(__name__.split('.')[0]) - hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY']) - style: secondary - start: 0 - end: 126 - ? 
| - from hashids import Hashids - foo = Flask() - hashids = Hashids(min_length=4, salt=foo.config['SECRET_KEY']) - : labels: - - source: Hashids(min_length=4, salt=foo.config['SECRET_KEY']) - style: primary - start: 52 - end: 104 - - source: Hashids - style: secondary - start: 52 - end: 59 - - source: salt - style: secondary - start: 74 - end: 78 - - source: foo.config['SECRET_KEY'] - style: secondary - start: 79 - end: 103 - - source: salt=foo.config['SECRET_KEY'] - style: secondary - start: 74 - end: 103 - - source: (min_length=4, salt=foo.config['SECRET_KEY']) - style: secondary - start: 59 - end: 104 - - source: from hashids import Hashids - style: secondary - start: 0 - end: 27 - - source: foo = Flask() - style: secondary - start: 28 - end: 41 - - source: foo = Flask() - style: secondary - start: 28 - end: 41 - - source: | - from hashids import Hashids - foo = Flask() - hashids = Hashids(min_length=4, salt=foo.config['SECRET_KEY']) - style: secondary - start: 0 - end: 105 - ? | - from hashids import Hashids - from flask import current_app - hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY']) - : labels: - - source: Hashids(min_length=5, salt=current_app.config['SECRET_KEY']) - style: primary - start: 68 - end: 128 - - source: Hashids - style: secondary - start: 68 - end: 75 - - source: salt - style: secondary - start: 90 - end: 94 - - source: current_app.config['SECRET_KEY'] - style: secondary - start: 95 - end: 127 - - source: salt=current_app.config['SECRET_KEY'] - style: secondary - start: 90 - end: 127 - - source: (min_length=5, salt=current_app.config['SECRET_KEY']) - style: secondary - start: 75 - end: 128 - - source: from hashids import Hashids - style: secondary - start: 0 - end: 27 - - source: from flask import current_app - style: secondary - start: 28 - end: 57 - - source: | - from hashids import Hashids - from flask import current_app - hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY']) - style: secondary - 
start: 0 - end: 129 - ? | - from hashids import Hashids - from flask import current_app as app - hash_id = Hashids(salt=app.config['SECRET_KEY'], min_length=34) - : labels: - - source: Hashids(salt=app.config['SECRET_KEY'], min_length=34) - style: primary - start: 75 - end: 128 - - source: Hashids - style: secondary - start: 75 - end: 82 - - source: salt - style: secondary - start: 83 - end: 87 - - source: app.config['SECRET_KEY'] - style: secondary - start: 88 - end: 112 - - source: salt=app.config['SECRET_KEY'] - style: secondary - start: 83 - end: 112 - - source: (salt=app.config['SECRET_KEY'], min_length=34) - style: secondary - start: 82 - end: 128 - - source: from hashids import Hashids - style: secondary - start: 0 - end: 27 - - source: from flask import current_app as app - style: secondary - start: 28 - end: 64 - - source: | - from hashids import Hashids - from flask import current_app as app - hash_id = Hashids(salt=app.config['SECRET_KEY'], min_length=34) - style: secondary - start: 0 - end: 129 - ? 
| - from hashids import Hashids - from flask import current_app as app - hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY']) - : labels: - - source: Hashids(min_length=4, salt=app.config['SECRET_KEY']) - style: primary - start: 75 - end: 127 - - source: Hashids - style: secondary - start: 75 - end: 82 - - source: salt - style: secondary - start: 97 - end: 101 - - source: app.config['SECRET_KEY'] - style: secondary - start: 102 - end: 126 - - source: salt=app.config['SECRET_KEY'] - style: secondary - start: 97 - end: 126 - - source: (min_length=4, salt=app.config['SECRET_KEY']) - style: secondary - start: 82 - end: 127 - - source: from hashids import Hashids - style: secondary - start: 0 - end: 27 - - source: from flask import current_app as app - style: secondary - start: 28 - end: 64 - - source: | - from hashids import Hashids - from flask import current_app as app - hashids = Hashids(min_length=4, salt=app.config['SECRET_KEY']) - style: secondary - start: 0 - end: 128 diff --git a/tests/__snapshots__/httponly-false-csharp-snapshot.yml b/tests/__snapshots__/httponly-false-csharp-snapshot.yml deleted file mode 100644 index a9af953f..00000000 --- a/tests/__snapshots__/httponly-false-csharp-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: httponly-false-csharp -snapshots: - ? | - options.Cookie.HttpOnly = false; - : labels: - - source: 'false' - style: primary - start: 26 - end: 31 - - source: options.Cookie - style: secondary - start: 0 - end: 14 - - source: HttpOnly - style: secondary - start: 15 - end: 23 - - source: options.Cookie.HttpOnly = false - style: secondary - start: 0 - end: 31 - - source: options.Cookie.HttpOnly - style: secondary - start: 0 - end: 23 - - source: = - style: secondary - start: 24 - end: 25 diff --git a/tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml b/tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml deleted file mode 100644 index d2c29dfb..00000000 
--- a/tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: insecure-binaryformatter-deserialization-csharp -snapshots: - ? "using System.Runtime.Serialization.Formatters.Binary; \nnamespace InsecureDeserialization\n{\n public class InsecureBinaryFormatterDeserialization\n {\n public void BinaryFormatterDeserialization(string json)\n {\n try\n {\n BinaryFormatter binaryFormatter = new BinaryFormatter();\n\n MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));\n binaryFormatter.Deserialize(memoryStream);\n memoryStream.Close();\n }\n catch (Exception e)\n {\n Console.WriteLine(e);\n }\n }\n}\n}\n" - : labels: - - source: new BinaryFormatter() - style: primary - start: 281 - end: 302 - - source: using System.Runtime.Serialization.Formatters.Binary; - style: secondary - start: 0 - end: 53 - - source: using System.Runtime.Serialization.Formatters.Binary; - style: secondary - start: 0 - end: 53 diff --git a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml deleted file mode 100644 index b22adcac..00000000 --- a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-biometrics-swift -snapshots: - abc.evaluatePolicy(): - labels: - - source: abc.evaluatePolicy - style: primary - start: 0 - end: 18 diff --git a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml b/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml deleted file mode 100644 index 8ef609ae..00000000 --- a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -id: insecure-cipher-algorithm-rc4-python -snapshots: - ? | - Crypto.Cipher.ARC4.new() - : labels: - - source: Crypto.Cipher.ARC4.new() - style: primary - start: 0 - end: 24 - ? | - Crypto.Cipher.ARC4.new(adasfdasfs) - : labels: - - source: Crypto.Cipher.ARC4.new(adasfdasfs) - style: primary - start: 0 - end: 34 - ? | - Cryptodome.Cipher.ARC4.new() - : labels: - - source: Cryptodome.Cipher.ARC4.new() - style: primary - start: 0 - end: 28 - Cryptodome.Cipher.ARC4.new(asdsd): - labels: - - source: Cryptodome.Cipher.ARC4.new(asdsd) - style: primary - start: 0 - end: 33 - ? | - from Crypto.Cipher import ARC4 as pycrypto_arc4 - cipher = pycrypto_arc4.new(tempkey) - : labels: - - source: pycrypto_arc4.new(tempkey) - style: primary - start: 57 - end: 83 - - source: pycrypto_arc4 - style: secondary - start: 57 - end: 70 - - source: new - style: secondary - start: 71 - end: 74 - - source: pycrypto_arc4.new - style: secondary - start: 57 - end: 74 - - source: tempkey - style: secondary - start: 75 - end: 82 - - source: (tempkey) - style: secondary - start: 74 - end: 83 - - source: Crypto - style: secondary - start: 5 - end: 11 - - source: Cipher - style: secondary - start: 12 - end: 18 - - source: Crypto.Cipher - style: secondary - start: 5 - end: 18 - - source: ARC4 - style: secondary - start: 26 - end: 30 - - source: ARC4 - style: secondary - start: 26 - end: 30 - - source: pycrypto_arc4 - style: secondary - start: 34 - end: 47 - - source: ARC4 as pycrypto_arc4 - style: secondary - start: 26 - end: 47 - - source: from Crypto.Cipher import ARC4 as pycrypto_arc4 - style: secondary - start: 0 - end: 47 - - source: cipher = pycrypto_arc4.new(tempkey) - style: secondary - start: 48 - end: 83 - ? 
| - from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4 - cipher = pycryptodomex_arc4.new(tempkey) - : labels: - - source: pycryptodomex_arc4.new(tempkey) - style: primary - start: 66 - end: 97 - - source: pycryptodomex_arc4 - style: secondary - start: 66 - end: 84 - - source: new - style: secondary - start: 85 - end: 88 - - source: pycryptodomex_arc4.new - style: secondary - start: 66 - end: 88 - - source: tempkey - style: secondary - start: 89 - end: 96 - - source: (tempkey) - style: secondary - start: 88 - end: 97 - - source: Cryptodome - style: secondary - start: 5 - end: 15 - - source: Cipher - style: secondary - start: 16 - end: 22 - - source: Cryptodome.Cipher - style: secondary - start: 5 - end: 22 - - source: ARC4 - style: secondary - start: 30 - end: 34 - - source: ARC4 - style: secondary - start: 30 - end: 34 - - source: pycryptodomex_arc4 - style: secondary - start: 38 - end: 56 - - source: ARC4 as pycryptodomex_arc4 - style: secondary - start: 30 - end: 56 - - source: from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4 - style: secondary - start: 0 - end: 56 - - source: cipher = pycryptodomex_arc4.new(tempkey) - style: secondary - start: 57 - end: 97 diff --git a/tests/__snapshots__/insecure-hash-c-snapshot.yml b/tests/__snapshots__/insecure-hash-c-snapshot.yml deleted file mode 100644 index 0e98dc59..00000000 --- a/tests/__snapshots__/insecure-hash-c-snapshot.yml +++ /dev/null 
@@ -1,290 +0,0 @@ -id: insecure-hash-c -snapshots: - ? | - EVP_MD_fetch(NULL, "MD2", NULL); - : labels: - - source: EVP_MD_fetch(NULL, "MD2", NULL); - style: primary - start: 0 - end: 32 - - source: EVP_MD_fetch - style: secondary - start: 0 - end: 12 - - source: MD2 - style: secondary - start: 20 - end: 23 - - source: '"MD2"' - style: secondary - start: 19 - end: 24 - - source: (NULL, "MD2", NULL) - style: secondary - start: 12 - end: 31 - - source: EVP_MD_fetch(NULL, "MD2", NULL) - style: secondary - start: 0 - end: 31 - ? | - EVP_MD_fetch(NULL, "MD4", NULL); - : labels: - - source: EVP_MD_fetch(NULL, "MD4", NULL); - style: primary - start: 0 - end: 32 - - source: EVP_MD_fetch - style: secondary - start: 0 - end: 12 - - source: MD4 - style: secondary - start: 20 - end: 23 - - source: '"MD4"' - style: secondary - start: 19 - end: 24 - - source: (NULL, "MD4", NULL) - style: secondary - start: 12 - end: 31 - - source: EVP_MD_fetch(NULL, "MD4", NULL) - style: secondary - start: 0 - end: 31 - ? | - EVP_MD_fetch(NULL, "MD5", NULL); - : labels: - - source: EVP_MD_fetch(NULL, "MD5", NULL); - style: primary - start: 0 - end: 32 - - source: EVP_MD_fetch - style: secondary - start: 0 - end: 12 - - source: MD5 - style: secondary - start: 20 - end: 23 - - source: '"MD5"' - style: secondary - start: 19 - end: 24 - - source: (NULL, "MD5", NULL) - style: secondary - start: 12 - end: 31 - - source: EVP_MD_fetch(NULL, "MD5", NULL) - style: secondary - start: 0 - end: 31 - ? | - EVP_get_digestbyname("MD2"); - : labels: - - source: EVP_get_digestbyname("MD2"); - style: primary - start: 0 - end: 28 - - source: EVP_get_digestbyname - style: secondary - start: 0 - end: 20 - - source: MD2 - style: secondary - start: 22 - end: 25 - - source: '"MD2"' - style: secondary - start: 21 - end: 26 - - source: ("MD2") - style: secondary - start: 20 - end: 27 - - source: EVP_get_digestbyname("MD2") - style: secondary - start: 0 - end: 27 - ? 
| - EVP_get_digestbyname("MD4"); - : labels: - - source: EVP_get_digestbyname("MD4"); - style: primary - start: 0 - end: 28 - - source: EVP_get_digestbyname - style: secondary - start: 0 - end: 20 - - source: MD4 - style: secondary - start: 22 - end: 25 - - source: '"MD4"' - style: secondary - start: 21 - end: 26 - - source: ("MD4") - style: secondary - start: 20 - end: 27 - - source: EVP_get_digestbyname("MD4") - style: secondary - start: 0 - end: 27 - ? | - EVP_get_digestbyname("MD5"); - : labels: - - source: EVP_get_digestbyname("MD5"); - style: primary - start: 0 - end: 28 - - source: EVP_get_digestbyname - style: secondary - start: 0 - end: 20 - - source: MD5 - style: secondary - start: 22 - end: 25 - - source: '"MD5"' - style: secondary - start: 21 - end: 26 - - source: ("MD5") - style: secondary - start: 20 - end: 27 - - source: EVP_get_digestbyname("MD5") - style: secondary - start: 0 - end: 27 - ? | - MD2_Init(ctx); - : labels: - - source: MD2_Init(ctx); - style: primary - start: 0 - end: 14 - - source: MD2_Init - style: secondary - start: 0 - end: 8 - - source: (ctx) - style: secondary - start: 8 - end: 13 - - source: MD2_Init(ctx) - style: secondary - start: 0 - end: 13 - ? | - MD2_Update(ctx, data, size); - : labels: - - source: MD2_Update(ctx, data, size); - style: primary - start: 0 - end: 28 - - source: MD2_Update - style: secondary - start: 0 - end: 10 - - source: (ctx, data, size) - style: secondary - start: 10 - end: 27 - - source: MD2_Update(ctx, data, size) - style: secondary - start: 0 - end: 27 - ? | - MD5_Init(ctx); - : labels: - - source: MD5_Init(ctx); - style: primary - start: 0 - end: 14 - - source: MD5_Init - style: secondary - start: 0 - end: 8 - - source: (ctx) - style: secondary - start: 8 - end: 13 - - source: MD5_Init(ctx) - style: secondary - start: 0 - end: 13 - ? 
| - gcry_md_extract(handle, GCRY_MD_SHA1, output); - : labels: - - source: gcry_md_extract(handle, GCRY_MD_SHA1, output); - style: primary - start: 0 - end: 46 - - source: gcry_md_extract - style: secondary - start: 0 - end: 15 - - source: GCRY_MD_SHA1 - style: secondary - start: 24 - end: 36 - - source: (handle, GCRY_MD_SHA1, output) - style: secondary - start: 15 - end: 45 - - source: gcry_md_extract(handle, GCRY_MD_SHA1, output) - style: secondary - start: 0 - end: 45 - ? | - gcry_md_hash_buffer(GCRY_MD_MD4, data, size); - : labels: - - source: gcry_md_hash_buffer(GCRY_MD_MD4, data, size); - style: primary - start: 0 - end: 45 - - source: gcry_md_hash_buffer - style: secondary - start: 0 - end: 19 - - source: GCRY_MD_MD4 - style: secondary - start: 20 - end: 31 - - source: (GCRY_MD_MD4, data, size) - style: secondary - start: 19 - end: 44 - - source: gcry_md_hash_buffer(GCRY_MD_MD4, data, size) - style: secondary - start: 0 - end: 44 - ? | - gcry_md_open(handle, GCRY_MD_MD2, 0); - : labels: - - source: gcry_md_open(handle, GCRY_MD_MD2, 0); - style: primary - start: 0 - end: 37 - - source: gcry_md_open - style: secondary - start: 0 - end: 12 - - source: GCRY_MD_MD2 - style: secondary - start: 21 - end: 32 - - source: (handle, GCRY_MD_MD2, 0) - style: secondary - start: 12 - end: 36 - - source: gcry_md_open(handle, GCRY_MD_MD2, 0) - style: secondary - start: 0 - end: 36 diff --git a/tests/__snapshots__/insecure-hash-cpp-snapshot.yml b/tests/__snapshots__/insecure-hash-cpp-snapshot.yml deleted file mode 100644 index feebb547..00000000 --- a/tests/__snapshots__/insecure-hash-cpp-snapshot.yml +++ /dev/null 
@@ -1,266 +0,0 @@ -id: insecure-hash-cpp -snapshots: - ? | - EVP_MD_fetch(NULL, "MD2", NULL); - : labels: - - source: EVP_MD_fetch(NULL, "MD2", NULL); - style: primary - start: 0 - end: 32 - - source: EVP_MD_fetch - style: secondary - start: 0 - end: 12 - - source: MD2 - style: secondary - start: 20 - end: 23 - - source: (NULL, "MD2", NULL) - style: secondary - start: 12 - end: 31 - - source: EVP_MD_fetch(NULL, "MD2", NULL) - style: secondary - start: 0 - end: 31 - ? | - EVP_MD_fetch(NULL, "MD4", NULL); - : labels: - - source: EVP_MD_fetch(NULL, "MD4", NULL); - style: primary - start: 0 - end: 32 - - source: EVP_MD_fetch - style: secondary - start: 0 - end: 12 - - source: MD4 - style: secondary - start: 20 - end: 23 - - source: (NULL, "MD4", NULL) - style: secondary - start: 12 - end: 31 - - source: EVP_MD_fetch(NULL, "MD4", NULL) - style: secondary - start: 0 - end: 31 - ? | - EVP_MD_fetch(NULL, "MD5", NULL); - : labels: - - source: EVP_MD_fetch(NULL, "MD5", NULL); - style: primary - start: 0 - end: 32 - - source: EVP_MD_fetch - style: secondary - start: 0 - end: 12 - - source: MD5 - style: secondary - start: 20 - end: 23 - - source: (NULL, "MD5", NULL) - style: secondary - start: 12 - end: 31 - - source: EVP_MD_fetch(NULL, "MD5", NULL) - style: secondary - start: 0 - end: 31 - ? | - EVP_get_digestbyname("MD2"); - : labels: - - source: EVP_get_digestbyname("MD2"); - style: primary - start: 0 - end: 28 - - source: EVP_get_digestbyname - style: secondary - start: 0 - end: 20 - - source: MD2 - style: secondary - start: 22 - end: 25 - - source: ("MD2") - style: secondary - start: 20 - end: 27 - - source: EVP_get_digestbyname("MD2") - style: secondary - start: 0 - end: 27 - ? 
| - EVP_get_digestbyname("MD4"); - : labels: - - source: EVP_get_digestbyname("MD4"); - style: primary - start: 0 - end: 28 - - source: EVP_get_digestbyname - style: secondary - start: 0 - end: 20 - - source: MD4 - style: secondary - start: 22 - end: 25 - - source: ("MD4") - style: secondary - start: 20 - end: 27 - - source: EVP_get_digestbyname("MD4") - style: secondary - start: 0 - end: 27 - ? | - EVP_get_digestbyname("MD5"); - : labels: - - source: EVP_get_digestbyname("MD5"); - style: primary - start: 0 - end: 28 - - source: EVP_get_digestbyname - style: secondary - start: 0 - end: 20 - - source: MD5 - style: secondary - start: 22 - end: 25 - - source: ("MD5") - style: secondary - start: 20 - end: 27 - - source: EVP_get_digestbyname("MD5") - style: secondary - start: 0 - end: 27 - ? | - MD2_Init(ctx); - : labels: - - source: MD2_Init(ctx); - style: primary - start: 0 - end: 14 - - source: MD2_Init - style: secondary - start: 0 - end: 8 - - source: (ctx) - style: secondary - start: 8 - end: 13 - - source: MD2_Init(ctx) - style: secondary - start: 0 - end: 13 - ? | - MD2_Update(ctx, data, size); - : labels: - - source: MD2_Update(ctx, data, size); - style: primary - start: 0 - end: 28 - - source: MD2_Update - style: secondary - start: 0 - end: 10 - - source: (ctx, data, size) - style: secondary - start: 10 - end: 27 - - source: MD2_Update(ctx, data, size) - style: secondary - start: 0 - end: 27 - ? | - MD5_Init(ctx); - : labels: - - source: MD5_Init(ctx); - style: primary - start: 0 - end: 14 - - source: MD5_Init - style: secondary - start: 0 - end: 8 - - source: (ctx) - style: secondary - start: 8 - end: 13 - - source: MD5_Init(ctx) - style: secondary - start: 0 - end: 13 - ? 
| - gcry_md_extract(handle, GCRY_MD_SHA1, output); - : labels: - - source: gcry_md_extract(handle, GCRY_MD_SHA1, output); - style: primary - start: 0 - end: 46 - - source: gcry_md_extract - style: secondary - start: 0 - end: 15 - - source: GCRY_MD_SHA1 - style: secondary - start: 24 - end: 36 - - source: (handle, GCRY_MD_SHA1, output) - style: secondary - start: 15 - end: 45 - - source: gcry_md_extract(handle, GCRY_MD_SHA1, output) - style: secondary - start: 0 - end: 45 - ? | - gcry_md_hash_buffer(GCRY_MD_MD4, data, size); - : labels: - - source: gcry_md_hash_buffer(GCRY_MD_MD4, data, size); - style: primary - start: 0 - end: 45 - - source: gcry_md_hash_buffer - style: secondary - start: 0 - end: 19 - - source: GCRY_MD_MD4 - style: secondary - start: 20 - end: 31 - - source: (GCRY_MD_MD4, data, size) - style: secondary - start: 19 - end: 44 - - source: gcry_md_hash_buffer(GCRY_MD_MD4, data, size) - style: secondary - start: 0 - end: 44 - ? | - gcry_md_open(handle, GCRY_MD_MD2, 0); - : labels: - - source: gcry_md_open(handle, GCRY_MD_MD2, 0); - style: primary - start: 0 - end: 37 - - source: gcry_md_open - style: secondary - start: 0 - end: 12 - - source: GCRY_MD_MD2 - style: secondary - start: 21 - end: 32 - - source: (handle, GCRY_MD_MD2, 0) - style: secondary - start: 12 - end: 36 - - source: gcry_md_open(handle, GCRY_MD_MD2, 0) - style: secondary - start: 0 - end: 36 diff --git a/tests/__snapshots__/insufficient-rsa-key-size-ruby-snapshot.yml b/tests/__snapshots__/insufficient-rsa-key-size-ruby-snapshot.yml deleted file mode 100644 index 6a44747d..00000000 --- a/tests/__snapshots__/insufficient-rsa-key-size-ruby-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: insufficient-rsa-key-size-ruby -snapshots: - ? | - key = OpenSSL::PKey::RSA.new(204) - : labels: - - source: OpenSSL::PKey::RSA.new(204) - style: primary - start: 6 - end: 33 - - source: OpenSSL::PKey::RSA - style: secondary - start: 6 - end: 24 - - source: . - style: secondary - start: 24 - end: 25 - - source: new - style: secondary - start: 25 - end: 28 - - source: '204' - style: secondary - start: 29 - end: 32 - - source: (204) - style: secondary - start: 28 - end: 33 diff --git a/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml deleted file mode 100644 index b70769fe..00000000 --- a/tests/__snapshots__/java-jwt-hardcoded-secret-java-snapshot.yml +++ /dev/null 
@@ -1,142 +0,0 @@ -id: java-jwt-hardcoded-secret-java -snapshots: - ? | - import com.auth0.jwt.algorithms.Algorithm; - public class App - { - static String secret = "secret"; - private static void bad1() { - try { - Algorithm algorithm = Algorithm.HMAC256("secret"); - String token = JWT.create() - .withIssuer("auth0") - .sign(algorithm); - } catch (JWTCreationException exception){ - //Invalid Signing configuration / Couldn't convert Claims. - } - } - } - : labels: - - source: '"secret"' - style: primary - start: 180 - end: 188 - - source: secret - style: secondary - start: 181 - end: 187 - - source: Algorithm - style: secondary - start: 162 - end: 171 - - source: HMAC256 - style: secondary - start: 172 - end: 179 - - source: algorithm - style: secondary - start: 150 - end: 159 - - source: Algorithm - style: secondary - start: 140 - end: 149 - - source: Algorithm algorithm = Algorithm.HMAC256("secret"); - style: secondary - start: 140 - end: 190 - - source: algorithm = Algorithm.HMAC256("secret") - style: secondary - start: 150 - end: 189 - - source: Algorithm.HMAC256("secret") - style: secondary - start: 162 - end: 189 - - source: ("secret") - style: secondary - start: 179 - end: 189 - ? 
|- - import com.auth0.jwt.algorithms.Algorithm; - public class App - { - static String secret = "secret"; - public void bad2() { - try { - Algorithm algorithm = Algorithm.HMAC256(secret); - String token = JWT.create() - .withIssuer("auth0") - .sign(algorithm); - } catch (JWTCreationException exception){ - } - } - : labels: - - source: '"secret"' - style: primary - start: 85 - end: 93 - - source: secret - style: secondary - start: 86 - end: 92 - - source: Algorithm - style: secondary - start: 132 - end: 141 - - source: algorithm - style: secondary - start: 142 - end: 151 - - source: Algorithm - style: secondary - start: 154 - end: 163 - - source: HMAC256 - style: secondary - start: 164 - end: 171 - - source: secret - style: secondary - start: 172 - end: 178 - - source: (secret) - style: secondary - start: 171 - end: 179 - - source: Algorithm.HMAC256(secret) - style: secondary - start: 154 - end: 179 - - source: algorithm = Algorithm.HMAC256(secret) - style: secondary - start: 142 - end: 179 - - source: Algorithm algorithm = Algorithm.HMAC256(secret); - style: secondary - start: 132 - end: 180 - - source: |- - public class App - { - static String secret = "secret"; - public void bad2() { - try { - Algorithm algorithm = Algorithm.HMAC256(secret); - String token = JWT.create() - .withIssuer("auth0") - .sign(algorithm); - } catch (JWTCreationException exception){ - } - } - style: secondary - start: 43 - end: 326 - - source: secret - style: secondary - start: 76 - end: 82 - - source: secret = "secret" - style: secondary - start: 76 - end: 93 diff --git a/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml deleted file mode 100644 index 440411bd..00000000 --- a/tests/__snapshots__/jedis-jedisclientconfig-hardcoded-password-java-snapshot.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -id: jedis-jedisclientconfig-hardcoded-password-java -snapshots: - ? |- - import redis.clients.jedis.JedisClientConfig; - import redis.clients.jedis.DefaultJedisClientConfig; - public class JedisTest { - void run() { - DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder(); - builder.password("asdf"); - } - } - : labels: - - source: builder.password("asdf") - style: primary - start: 220 - end: 244 - - source: builder - style: secondary - start: 220 - end: 227 - - source: asdf - style: secondary - start: 238 - end: 242 - - source: '"asdf"' - style: secondary - start: 237 - end: 243 - - source: ("asdf") - style: secondary - start: 236 - end: 244 - - source: password - style: secondary - start: 228 - end: 236 - - source: DefaultJedisClientConfig.Builder - style: secondary - start: 137 - end: 169 - - source: builder - style: secondary - start: 170 - end: 177 - - source: builder = DefaultJedisClientConfig.builder() - style: secondary - start: 170 - end: 214 - - source: DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder(); - style: secondary - start: 137 - end: 215 - - source: DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder(); - style: secondary - start: 137 - end: 215 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - ? 
| - import redis.clients.jedis.JedisClientConfig; - import redis.clients.jedis.DefaultJedisClientConfig; - public class JedisTest { - void run() { - JedisClientConfig cc = DefaultJedisClientConfig.builder() - .password("asdf") - .ssl(useSsl) - .build(); - cc.updatePassword("hello"); - } - } - : labels: - - source: |- - DefaultJedisClientConfig.builder() - .password("asdf") - style: primary - start: 160 - end: 220 - - source: DefaultJedisClientConfig.builder() - style: secondary - start: 160 - end: 194 - - source: asdf - style: secondary - start: 214 - end: 218 - - source: '"asdf"' - style: secondary - start: 213 - end: 219 - - source: ("asdf") - style: secondary - start: 212 - end: 220 - - source: password - style: secondary - start: 204 - end: 212 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - ? | - import redis.clients.jedis.JedisClientConfig; - import redis.clients.jedis.DefaultJedisClientConfig; - public class JedisTest { - void run() { - JedisClientConfig cc = DefaultJedisClientConfig.builder() - .password("asdf") - .ssl(useSsl) - .build(); - } - } - : labels: - - source: |- - DefaultJedisClientConfig.builder() - .password("asdf") - style: primary - start: 160 - end: 220 - - source: DefaultJedisClientConfig.builder() - style: secondary - start: 160 - end: 194 - - source: asdf - style: secondary - start: 214 - end: 218 - - source: '"asdf"' - style: secondary - start: 213 - end: 219 - - source: ("asdf") - style: secondary - start: 212 - end: 220 - - source: password - style: secondary - start: 204 - end: 212 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - ? 
| - import redis.clients.jedis.JedisClientConfig; - import redis.clients.jedis.DefaultJedisClientConfig; - public class JedisTest { - void run() { - new DefaultJedisClientConfig(connectionTimeoutMillis, socketTimeoutMillis, - blockingSocketTimeoutMillis, user, "identifier", database, clientName, ssl, sslSocketFactory, - sslParameters, hostnameVerifier, hostAndPortMapper); - } - } - : labels: - - source: |- - new DefaultJedisClientConfig(connectionTimeoutMillis, socketTimeoutMillis, - blockingSocketTimeoutMillis, user, "identifier", database, clientName, ssl, sslSocketFactory, - sslParameters, hostnameVerifier, hostAndPortMapper) - style: primary - start: 137 - end: 357 - - source: DefaultJedisClientConfig - style: secondary - start: 141 - end: 165 - - source: identifier - style: secondary - start: 248 - end: 258 - - source: '"identifier"' - style: secondary - start: 247 - end: 259 - - source: |- - (connectionTimeoutMillis, socketTimeoutMillis, - blockingSocketTimeoutMillis, user, "identifier", database, clientName, ssl, sslSocketFactory, - sslParameters, hostnameVerifier, hostAndPortMapper) - style: secondary - start: 165 - end: 357 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 - - source: import redis.clients.jedis.DefaultJedisClientConfig; - style: secondary - start: 46 - end: 98 diff --git a/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml deleted file mode 100644 index 557d1df7..00000000 --- a/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -id: jedis-jedisfactory-hardcoded-password-java -snapshots: - ? | - import redis.clients.jedis.JedisFactory; - public void notHardcoded(String password) { - JedisFactory jedisFactory = new JedisFactory(); - jedisFactory.setHostName(hostName); - jedisFactory.setPort(port); - jedisFactory.setPassword("password"); - } - : labels: - - source: jedisFactory.setPassword("password"); - style: primary - start: 201 - end: 238 - - source: jedisFactory - style: secondary - start: 201 - end: 213 - - source: setPassword - style: secondary - start: 214 - end: 225 - - source: password - style: secondary - start: 227 - end: 235 - - source: '"password"' - style: secondary - start: 226 - end: 236 - - source: ("password") - style: secondary - start: 225 - end: 237 - - source: jedisFactory.setPassword("password") - style: secondary - start: 201 - end: 237 - - source: JedisFactory - style: secondary - start: 86 - end: 98 - - source: jedisFactory - style: secondary - start: 99 - end: 111 - - source: new JedisFactory() - style: secondary - start: 114 - end: 132 - - source: jedisFactory = new JedisFactory() - style: secondary - start: 99 - end: 132 - - source: JedisFactory jedisFactory = new JedisFactory(); - style: secondary - start: 86 - end: 133 - - source: import redis.clients.jedis.JedisFactory; - style: secondary - start: 0 - end: 40 - - source: import redis.clients.jedis.JedisFactory; - style: secondary - start: 0 - end: 40 diff --git a/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml b/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml deleted file mode 100644 index 1207e061..00000000 --- a/tests/__snapshots__/jwt-decode-without-verify-csharp-snapshot.yml +++ /dev/null 
@@ -1,907 +0,0 @@ -id: jwt-decode-without-verify-csharp -snapshots: - ? | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest1(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json1 = decoder.Decode(token, verify: false); - } - } - } - : labels: - - source: 'decoder.Decode(token, verify: false)' - style: primary - start: 580 - end: 616 - - source: decoder - style: secondary - start: 580 - end: 587 - - source: Decode - style: secondary - start: 588 - end: 594 - - source: decoder.Decode - style: secondary - start: 580 - end: 594 - - source: verify - style: secondary - start: 602 - end: 608 - - source: 'false' - style: secondary - start: 610 - end: 615 - - source: 'verify: false' - style: secondary - start: 602 - end: 615 - - source: '(token, verify: false)' - style: secondary - start: 594 - end: 616 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: IJwtDecoder - style: secondary - start: 478 - end: 489 - - source: decoder - style: secondary - start: 490 - end: 497 - - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 490 - end: 560 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 478 - end: 560 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 478 - end: 561 - - source: IJwtDecoder 
decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 478 - end: 561 - ? | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest1(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json2 = decoder.Decode(token, null, false); - Console.WriteLine(json); - } - } - } - : labels: - - source: decoder.Decode(token, null, false) - style: primary - start: 580 - end: 614 - - source: decoder - style: secondary - start: 580 - end: 587 - - source: Decode - style: secondary - start: 588 - end: 594 - - source: decoder.Decode - style: secondary - start: 580 - end: 594 - - source: 'false' - style: secondary - start: 608 - end: 613 - - source: 'false' - style: secondary - start: 608 - end: 613 - - source: (token, null, false) - style: secondary - start: 594 - end: 614 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: IJwtDecoder - style: secondary - start: 478 - end: 489 - - source: decoder - style: secondary - start: 490 - end: 497 - - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 490 - end: 560 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 478 - end: 560 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 478 - end: 561 - - source: IJwtDecoder decoder 
= new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 478 - end: 561 - ? | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest10(){ - var builder = JwtBuilder.Create(); - var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } - : labels: - - source: |- - builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token) - style: primary - start: 214 - end: 342 - - source: builder - style: secondary - start: 214 - end: 221 - - source: Decode - style: secondary - start: 329 - end: 335 - - source: |- - builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode - style: secondary - start: 214 - end: 335 - - source: (token) - style: secondary - start: 335 - end: 342 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: builder - style: secondary - start: 166 - end: 173 - - source: JwtBuilder.Create() - style: secondary - start: 176 - end: 195 - - source: builder = JwtBuilder.Create() - style: secondary - start: 166 - end: 195 - - source: var builder = JwtBuilder.Create(); - style: secondary - start: 162 - end: 196 - - source: var builder = JwtBuilder.Create(); - style: secondary - start: 162 - end: 196 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest11(){ - var builder = JwtBuilder.Create(); - var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token, verify: false); - Console.WriteLine(json); - } - } - } - : labels: - - source: |- - builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token, verify: false) - style: primary - start: 214 - end: 357 - - source: builder - style: secondary - start: 214 - end: 221 - - source: Decode - style: secondary - start: 329 - end: 335 - - source: |- - builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode - style: secondary - start: 214 - end: 335 - - source: '(token, verify: false)' - style: secondary - start: 335 - end: 357 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: builder - style: secondary - start: 166 - end: 173 - - source: JwtBuilder.Create() - style: secondary - start: 176 - end: 195 - - source: builder = JwtBuilder.Create() - style: secondary - start: 166 - end: 195 - - source: var builder = JwtBuilder.Create(); - style: secondary - start: 162 - end: 196 - - source: var builder = JwtBuilder.Create(); - style: secondary - start: 162 - end: 196 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest13(){ - var validationParameters = new ValidationParameters - { - ValidateSignature = false, - ValidateExpirationTime = false, - ValidateIssuedTime = false, - TimeMargin = 100 - }; - } - } - } - : labels: - - source: |- - new ValidationParameters - { - ValidateSignature = false, - ValidateExpirationTime = false, - ValidateIssuedTime = false, - TimeMargin = 100 - } - style: primary - start: 189 - end: 373 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: ValidationParameters - style: secondary - start: 193 - end: 213 - - source: ValidateSignature = false - style: secondary - start: 232 - end: 257 - - source: |- - { - ValidateSignature = false, - ValidateExpirationTime = false, - ValidateIssuedTime = false, - TimeMargin = 100 - } - style: secondary - start: 220 - end: 373 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest15(){ - var builder = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key); - var json = builder.Decode(token); - Console.WriteLine(json); - } - } - } - : labels: - - source: builder.Decode(token) - style: primary - start: 293 - end: 314 - - source: builder - style: secondary - start: 293 - end: 300 - - source: Decode - style: secondary - start: 301 - end: 307 - - source: builder.Decode - style: secondary - start: 293 - end: 307 - - source: (token) - style: secondary - start: 307 - end: 314 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: builder - style: secondary - start: 166 - end: 173 - - source: JwtBuilder.Create() - style: secondary - start: 176 - end: 195 - - source: |- - builder = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - style: secondary - start: 166 - end: 274 - - source: |- - var builder = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key); - style: secondary - start: 162 - end: 275 - - source: |- - var builder = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key); - style: secondary - start: 162 - end: 275 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest17(){ - var options = new JwtAuthenticationOptions - { - VerifySignature = false - }; - Console.WriteLine("JWT Authentication setup with signature verification disabled."); - } - } - } - : labels: - - source: |- - new JwtAuthenticationOptions - { - VerifySignature = false - } - style: primary - start: 176 - end: 254 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: JwtAuthenticationOptions - style: secondary - start: 180 - end: 204 - - source: VerifySignature = false - style: secondary - start: 223 - end: 246 - - source: |- - { - VerifySignature = false - } - style: secondary - start: 211 - end: 254 - ? | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest18(){ - var validationParameters = new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - }; - var tokenHandler = new JwtSecurityTokenHandler(); - var json = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken); - Console.WriteLine(json); - } - } - } - : labels: - - source: |- - new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - } - style: primary - start: 189 - end: 345 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: TokenValidationParameters - style: secondary - start: 193 - end: 218 - - source: ValidateIssuerSigningKey = false - style: secondary - start: 237 - end: 269 - - source: |- - { - 
ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - } - style: secondary - start: 225 - end: 345 - ? | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest19(){ - var validationParameters = new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - }; - Console.WriteLine("JWT decode with validation params where signature validation is disabled."); - } - } - } - : labels: - - source: |- - new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - } - style: primary - start: 189 - end: 345 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: TokenValidationParameters - style: secondary - start: 193 - end: 218 - - source: ValidateIssuerSigningKey = false - style: secondary - start: 237 - end: 269 - - source: |- - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - } - style: secondary - start: 225 - end: 345 - ? 
"using JWT;\nusing JWT.Builder;\nusing Microsoft.IdentityModel.Tokens;\nnamespace Example.Foobar\n{\n public class JwtTestPatterns{\n public void JwtTest19(){\n var validationParameters = new TokenValidationParameters\n {\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n };\n Console.WriteLine(\"JWT decode with validation params where signature validation is disabled.\");\n }\n }\n}\n" - : labels: - - source: "new TokenValidationParameters\n {\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n }" - style: primary - start: 189 - end: 346 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: TokenValidationParameters - style: secondary - start: 193 - end: 218 - - source: ValidateIssuerSigningKey = false - style: secondary - start: 237 - end: 269 - - source: "{\n ValidateIssuerSigningKey = false, \n ValidateIssuer = true,\n ValidateAudience = true\n }" - style: secondary - start: 225 - end: 346 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest2(){ - var json = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } - : labels: - - source: |- - JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token) - style: primary - start: 174 - end: 303 - - source: JwtBuilder - style: secondary - start: 174 - end: 184 - - source: Decode - style: secondary - start: 290 - end: 296 - - source: |- - JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode - style: secondary - start: 174 - end: 296 - - source: (token) - style: secondary - start: 296 - end: 303 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest3(){ - var builder = JwtBuilder.Create(); - var json = builder - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } - : labels: - - source: |- - builder - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token) - style: primary - start: 213 - end: 324 - - source: builder - style: secondary - start: 213 - end: 220 - - source: Decode - style: secondary - start: 311 - end: 317 - - source: |- - builder - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode - style: secondary - start: 213 - end: 317 - - source: (token) - style: secondary - start: 317 - end: 324 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: builder - style: secondary - start: 165 - end: 172 - - source: JwtBuilder.Create() - style: secondary - start: 175 - end: 194 - - source: builder = JwtBuilder.Create() - style: secondary - start: 165 - end: 194 - - source: var builder = JwtBuilder.Create(); - style: secondary - start: 161 - end: 195 - - source: var builder = JwtBuilder.Create(); - style: secondary - start: 161 - end: 195 - ? 
| - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest7(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json = decoder.Decode(token, verify: false); - Console.WriteLine(json); - } - } - } - : labels: - - source: 'decoder.Decode(token, verify: false)' - style: primary - start: 579 - end: 615 - - source: decoder - style: secondary - start: 579 - end: 586 - - source: Decode - style: secondary - start: 587 - end: 593 - - source: decoder.Decode - style: secondary - start: 579 - end: 593 - - source: verify - style: secondary - start: 601 - end: 607 - - source: 'false' - style: secondary - start: 609 - end: 614 - - source: 'verify: false' - style: secondary - start: 601 - end: 614 - - source: '(token, verify: false)' - style: secondary - start: 593 - end: 615 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: IJwtDecoder - style: secondary - start: 478 - end: 489 - - source: decoder - style: secondary - start: 490 - end: 497 - - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 490 - end: 560 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 478 - end: 560 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 478 - end: 561 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, 
urlEncoder, algorithm); - style: secondary - start: 478 - end: 561 - ? | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest9(){ - var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); - var json = decoder.Decode(token, null, false); // decode with no signature verification - Console.WriteLine(json); - } - } - } - : labels: - - source: decoder.Decode(token, null, false) - style: primary - start: 357 - end: 391 - - source: decoder - style: secondary - start: 357 - end: 364 - - source: Decode - style: secondary - start: 365 - end: 371 - - source: decoder.Decode - style: secondary - start: 357 - end: 371 - - source: 'false' - style: secondary - start: 385 - end: 390 - - source: 'false' - style: secondary - start: 385 - end: 390 - - source: (token, null, false) - style: secondary - start: 371 - end: 391 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: using Microsoft.IdentityModel.Tokens; - style: secondary - start: 30 - end: 67 - - source: decoder - style: secondary - start: 165 - end: 172 - - source: JwtDecoder - style: secondary - start: 179 - end: 189 - - source: new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()) - style: secondary - start: 175 - end: 338 - - source: decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()) - style: secondary - start: 165 - end: 338 - - source: var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); - 
style: secondary - start: 161 - end: 339 - - source: var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); - style: secondary - start: 161 - end: 339 diff --git a/tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml b/tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml deleted file mode 100644 index d6e5b671..00000000 --- a/tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml +++ /dev/null @@ -1,49 +0,0 @@ -id: jwt-go-none-algorithm-go -snapshots: - ? | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func bad1(key []byte) { - claims := jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test" - } - token := jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err) - } - : labels: - - source: jwt.SigningMethodNone - style: primary - start: 179 - end: 200 - - source: github.com/dgrijalva/jwt-go - style: secondary - start: 20 - end: 47 - - source: '"github.com/dgrijalva/jwt-go"' - style: secondary - start: 19 - end: 48 - - source: '"github.com/dgrijalva/jwt-go"' - style: secondary - start: 19 - end: 48 - - source: |- - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - style: secondary - start: 0 - end: 50 - - source: |- - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - style: secondary - start: 0 - end: 50 diff --git a/tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml b/tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml deleted file mode 100644 index 636bc434..00000000 --- a/tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -id: jwt-hardcode-kotlin -snapshots: - ? "package com.foobar.org.configuration\nimport com.auth0.jwt.JWT\nimport com.auth0.jwt.algorithms.Algorithm\nimport com.auth0.jwt.algorithms.Algorithm.HMAC512\nimport com.auth0.jwt.exceptions.JWTCreationException\nobject App {\n private fun bad1() {\n try {\n val algorithm = Algorithm.HMAC256(\"secret\")\n val token = JWT.create()\n .withIssuer(\"auth0\")\n .sign(algorithm)\n } \n catch (exception: JWTCreationException) {}\n }\n}\n" - : labels: - - source: Algorithm.HMAC256("secret") - style: primary - start: 275 - end: 302 - - source: Algorithm - style: secondary - start: 275 - end: 284 - - source: HMAC256 - style: secondary - start: 285 - end: 292 - - source: .HMAC256 - style: secondary - start: 284 - end: 292 - - source: Algorithm.HMAC256 - style: secondary - start: 275 - end: 292 - - source: '"secret"' - style: secondary - start: 293 - end: 301 - - source: '"secret"' - style: secondary - start: 293 - end: 301 - - source: ("secret") - style: secondary - start: 292 - end: 302 - - source: ("secret") - style: secondary - start: 292 - end: 302 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 62 - end: 103 - - source: |- - import com.auth0.jwt.JWT - import com.auth0.jwt.algorithms.Algorithm - import com.auth0.jwt.algorithms.Algorithm.HMAC512 - import com.auth0.jwt.exceptions.JWTCreationException - style: secondary - start: 37 - end: 206 - - source: |- - import com.auth0.jwt.JWT - import com.auth0.jwt.algorithms.Algorithm - import com.auth0.jwt.algorithms.Algorithm.HMAC512 - import com.auth0.jwt.exceptions.JWTCreationException - style: secondary - start: 37 - end: 206 diff --git a/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml deleted file mode 100644 index 5794fa21..00000000 --- a/tests/__snapshots__/jwt-hardcoded-secret-csharp-snapshot.yml +++ /dev/null 
@@ -1,468 +0,0 @@ -id: jwt-hardcoded-secret-csharp -snapshots: - ? | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest1(){ - var payload = new Dictionary - { - { "claim1", 0 }, - { "claim2", "claim2-value" } - }; - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - const string key = "razdvatri"; - var token = encoder.Encode(payload, key); - Console.WriteLine(token); - } - } - : labels: - - source: encoder.Encode(payload, key) - style: primary - start: 533 - end: 561 - - source: encoder - style: secondary - start: 533 - end: 540 - - source: Encode - style: secondary - start: 541 - end: 547 - - source: encoder.Encode - style: secondary - start: 533 - end: 547 - - source: key - style: secondary - start: 557 - end: 560 - - source: key - style: secondary - start: 557 - end: 560 - - source: (payload, key) - style: secondary - start: 547 - end: 561 - - source: IJwtEncoder - style: secondary - start: 408 - end: 419 - - source: encoder - style: secondary - start: 420 - end: 427 - - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary - start: 420 - end: 479 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary - start: 408 - end: 479 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 408 - end: 480 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 408 - end: 480 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - - source: key - style: secondary - start: 498 - end: 501 - - source: razdvatri - style: secondary - start: 505 - end: 
514 - - source: '"razdvatri"' - style: secondary - start: 504 - end: 515 - - source: key = "razdvatri" - style: secondary - start: 498 - end: 515 - - source: const string key = "razdvatri"; - style: secondary - start: 485 - end: 516 - - source: const string key = "razdvatri"; - style: secondary - start: 485 - end: 516 - ? | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest13(){ - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - var token = encoder.Encode(new Dictionary - { - { "user", "alice" }, - { "permissions", "read, write" } - }, "hardcodedJWTSecret987"); - Console.WriteLine(token); - } - } - : labels: - - source: |- - encoder.Encode(new Dictionary - { - { "user", "alice" }, - { "permissions", "read, write" } - }, "hardcodedJWTSecret987") - style: primary - start: 374 - end: 527 - - source: encoder - style: secondary - start: 374 - end: 381 - - source: Encode - style: secondary - start: 382 - end: 388 - - source: encoder.Encode - style: secondary - start: 374 - end: 388 - - source: hardcodedJWTSecret987 - style: secondary - start: 504 - end: 525 - - source: '"hardcodedJWTSecret987"' - style: secondary - start: 503 - end: 526 - - source: '"hardcodedJWTSecret987"' - style: secondary - start: 503 - end: 526 - - source: |- - (new Dictionary - { - { "user", "alice" }, - { "permissions", "read, write" } - }, "hardcodedJWTSecret987") - style: secondary - start: 388 - end: 527 - - source: IJwtEncoder - style: secondary - start: 285 - end: 296 - - source: encoder - style: secondary - start: 297 - end: 304 - - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary - start: 297 - end: 356 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary 
- start: 285 - end: 356 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 285 - end: 357 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 285 - end: 357 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - ? | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest17(){ - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - var token = encoder.Encode(new Dictionary - { - { "sub", "user123" }, - { "scope", "admin" } - }, "secretkey2024"); - - Console.WriteLine(token); - } - } - : labels: - - source: |- - encoder.Encode(new Dictionary - { - { "sub", "user123" }, - { "scope", "admin" } - }, "secretkey2024") - style: primary - start: 374 - end: 508 - - source: encoder - style: secondary - start: 374 - end: 381 - - source: Encode - style: secondary - start: 382 - end: 388 - - source: encoder.Encode - style: secondary - start: 374 - end: 388 - - source: secretkey2024 - style: secondary - start: 493 - end: 506 - - source: '"secretkey2024"' - style: secondary - start: 492 - end: 507 - - source: '"secretkey2024"' - style: secondary - start: 492 - end: 507 - - source: |- - (new Dictionary - { - { "sub", "user123" }, - { "scope", "admin" } - }, "secretkey2024") - style: secondary - start: 388 - end: 508 - - source: IJwtEncoder - style: secondary - start: 285 - end: 296 - - source: encoder - style: secondary - start: 297 - end: 304 - - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary - start: 297 - end: 356 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, 
urlEncoder) - style: secondary - start: 285 - end: 356 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 285 - end: 357 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 285 - end: 357 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - ? | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest2(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json = decoder.Decode(token, "secret123"); - Console.WriteLine(json); - } - } - : labels: - - source: decoder.Decode(token, "secret123") - style: primary - start: 513 - end: 547 - - source: decoder - style: secondary - start: 513 - end: 520 - - source: Decode - style: secondary - start: 521 - end: 527 - - source: decoder.Decode - style: secondary - start: 513 - end: 527 - - source: secret123 - style: secondary - start: 536 - end: 545 - - source: '"secret123"' - style: secondary - start: 535 - end: 546 - - source: '"secret123"' - style: secondary - start: 535 - end: 546 - - source: (token, "secret123") - style: secondary - start: 527 - end: 547 - - source: IJwtDecoder - style: secondary - start: 414 - end: 425 - - source: decoder - style: secondary - start: 426 - end: 433 - - source: decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 426 - end: 496 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm) - style: secondary - start: 414 - 
end: 496 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 414 - end: 497 - - source: IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - style: secondary - start: 414 - end: 497 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - ? | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest20(){ - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - var token = encoder.Encode(new Dictionary - { - { "userId", "999" }, - { "role", "admin" } - }, "hardcodedTokenSecret987"); - Console.WriteLine(token); - } - } - : labels: - - source: |- - encoder.Encode(new Dictionary - { - { "userId", "999" }, - { "role", "admin" } - }, "hardcodedTokenSecret987") - style: primary - start: 374 - end: 516 - - source: encoder - style: secondary - start: 374 - end: 381 - - source: Encode - style: secondary - start: 382 - end: 388 - - source: encoder.Encode - style: secondary - start: 374 - end: 388 - - source: hardcodedTokenSecret987 - style: secondary - start: 491 - end: 514 - - source: '"hardcodedTokenSecret987"' - style: secondary - start: 490 - end: 515 - - source: '"hardcodedTokenSecret987"' - style: secondary - start: 490 - end: 515 - - source: |- - (new Dictionary - { - { "userId", "999" }, - { "role", "admin" } - }, "hardcodedTokenSecret987") - style: secondary - start: 388 - end: 516 - - source: IJwtEncoder - style: secondary - start: 285 - end: 296 - - source: encoder - style: secondary - start: 297 - end: 304 - - source: encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary - start: 297 - end: 356 - - source: 
IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder) - style: secondary - start: 285 - end: 356 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 285 - end: 357 - - source: IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - style: secondary - start: 285 - end: 357 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 - - source: using JWT.Builder; - style: secondary - start: 11 - end: 29 diff --git a/tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 8573bd12..00000000 --- a/tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,185 +0,0 @@ -id: jwt-python-hardcoded-secret-python -snapshots: - ? | - encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256") - : labels: - - source: 'encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: primary - start: 0 - end: 70 - - source: jwt - style: secondary - start: 10 - end: 13 - - source: encode - style: secondary - start: 14 - end: 20 - - source: jwt.encode - style: secondary - start: 10 - end: 20 - - source: '{"some": "payload"}' - style: secondary - start: 21 - end: 40 - - source: '"secret"' - style: secondary - start: 42 - end: 50 - - source: '({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 20 - end: 70 - - source: 'jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 10 - end: 70 - ? | - encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256') - : labels: - - source: 'encoded = jwt.encode({''some'': ''payload''}, ''secret'', algorithm=''HS256'')' - style: primary - start: 0 - end: 70 - - source: jwt - style: secondary - start: 10 - end: 13 - - source: encode - style: secondary - start: 14 - end: 20 - - source: jwt.encode - style: secondary - start: 10 - end: 20 - - source: '{''some'': ''payload''}' - style: secondary - start: 21 - end: 40 - - source: '''secret''' - style: secondary - start: 42 - end: 50 - - source: '({''some'': ''payload''}, ''secret'', algorithm=''HS256'')' - style: secondary - start: 20 - end: 70 - - source: 'jwt.encode({''some'': ''payload''}, ''secret'', algorithm=''HS256'')' - style: secondary - start: 10 - end: 70 - ? 
| - secret = "secret" - encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256") - : labels: - - source: 'encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256")' - style: primary - start: 18 - end: 86 - - source: jwt - style: secondary - start: 28 - end: 31 - - source: encode - style: secondary - start: 32 - end: 38 - - source: jwt.encode - style: secondary - start: 28 - end: 38 - - source: '{"some": "payload"}' - style: secondary - start: 39 - end: 58 - - source: secret - style: secondary - start: 60 - end: 66 - - source: '({"some": "payload"}, secret, algorithm="HS256")' - style: secondary - start: 38 - end: 86 - - source: 'jwt.encode({"some": "payload"}, secret, algorithm="HS256")' - style: secondary - start: 28 - end: 86 - - source: secret - style: secondary - start: 0 - end: 6 - - source: secret - style: secondary - start: 10 - end: 16 - - source: '"secret"' - style: secondary - start: 9 - end: 17 - - source: secret = "secret" - style: secondary - start: 0 - end: 17 - - source: secret = "secret" - style: secondary - start: 0 - end: 17 - ? 
| - secret_const = "this-is-secret" - def bad2(): - encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256") - : labels: - - source: 'encoded = jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")' - style: primary - start: 44 - end: 118 - - source: jwt - style: secondary - start: 54 - end: 57 - - source: encode - style: secondary - start: 58 - end: 64 - - source: jwt.encode - style: secondary - start: 54 - end: 64 - - source: '{"some": "payload"}' - style: secondary - start: 65 - end: 84 - - source: secret_const - style: secondary - start: 86 - end: 98 - - source: '({"some": "payload"}, secret_const, algorithm="HS256")' - style: secondary - start: 64 - end: 118 - - source: 'jwt.encode({"some": "payload"}, secret_const, algorithm="HS256")' - style: secondary - start: 54 - end: 118 - - source: secret_const - style: secondary - start: 0 - end: 12 - - source: this-is-secret - style: secondary - start: 16 - end: 30 - - source: '"this-is-secret"' - style: secondary - start: 15 - end: 31 - - source: secret_const = "this-is-secret" - style: secondary - start: 0 - end: 31 - - source: secret_const = "this-is-secret" - style: secondary - start: 0 - end: 31 diff --git a/tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml b/tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml deleted file mode 100644 index f4ebba81..00000000 --- a/tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml +++ /dev/null 
@@ -1,534 +0,0 @@ -id: jwt-scala-hardcode-scala -snapshots: - ? | - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - class Test6 { - val secretKey = "secretKey" - def run() = { - val claim = Json.obj(("user", 1), ("nbf", 1431520421)) - val algo = JwtAlgorithm.HS256 - val token = JwtJson.encode(claim, secretKey, algo) - println(token) - } - } - : labels: - - source: JwtJson.encode(claim, secretKey, algo) - style: primary - start: 221 - end: 259 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 221 - end: 228 - - source: encode - style: secondary - start: 229 - end: 235 - - source: JwtJson.encode - style: secondary - start: 221 - end: 235 - - source: secretKey - style: secondary - start: 243 - end: 252 - - source: (claim, secretKey, algo) - style: secondary - start: 235 - end: 259 - - source: secretKey - style: secondary - start: 72 - end: 81 - - source: '"secretKey"' - style: secondary - start: 84 - end: 95 - - source: |- - class Test6 { - val secretKey = "secretKey" - def run() = { - val claim = Json.obj(("user", 1), ("nbf", 1431520421)) - val algo = JwtAlgorithm.HS256 - val token = JwtJson.encode(claim, secretKey, algo) - println(token) - } - } - style: secondary - start: 52 - end: 284 - - source: val secretKey = "secretKey" - style: secondary - start: 68 - end: 95 - - source: val secretKey = "secretKey" - style: secondary - start: 68 - end: 95 - ? 
| - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - class Test7 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo)) - println(decoded) - } - } - : labels: - - source: JwtJson.decodeJson(token, secretKey, Seq(algo)) - style: primary - start: 177 - end: 224 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 177 - end: 184 - - source: decodeJson - style: secondary - start: 185 - end: 195 - - source: JwtJson.decodeJson - style: secondary - start: 177 - end: 195 - - source: secretKey - style: secondary - start: 203 - end: 212 - - source: (token, secretKey, Seq(algo)) - style: secondary - start: 195 - end: 224 - - source: secretKey - style: secondary - start: 72 - end: 81 - - source: '"secretKey"' - style: secondary - start: 84 - end: 95 - - source: |- - class Test7 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo)) - println(decoded) - } - } - style: secondary - start: 52 - end: 251 - - source: val secretKey = "secretKey" - style: secondary - start: 68 - end: 95 - - source: val secretKey = "secretKey" - style: secondary - start: 68 - end: 95 - ? 
| - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - class Test9 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedRaw = JwtJson.decodeRaw(token, secretKey, Seq(algo)) - println(decodedRaw) - } - } - : labels: - - source: JwtJson.decodeRaw(token, secretKey, Seq(algo)) - style: primary - start: 180 - end: 226 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 180 - end: 187 - - source: decodeRaw - style: secondary - start: 188 - end: 197 - - source: JwtJson.decodeRaw - style: secondary - start: 180 - end: 197 - - source: secretKey - style: secondary - start: 205 - end: 214 - - source: (token, secretKey, Seq(algo)) - style: secondary - start: 197 - end: 226 - - source: secretKey - style: secondary - start: 72 - end: 81 - - source: '"secretKey"' - style: secondary - start: 84 - end: 95 - - source: |- - class Test9 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedRaw = JwtJson.decodeRaw(token, secretKey, Seq(algo)) - println(decodedRaw) - } - } - style: secondary - start: 52 - end: 256 - - source: val secretKey = "secretKey" - style: secondary - start: 68 - end: 95 - - source: val secretKey = "secretKey" - style: secondary - start: 68 - end: 95 - ? 
"import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}\nobject Test1 {\n val secretKey = \"secretKey\" \n def run() = {\n val claim = Json.obj((\"user\", 1), (\"nbf\", 1431520421))\n val algo = JwtAlgorithm.HS256\n val token = JwtJson.encode(claim, secretKey, algo)\n println(token)\n }\n}\n" - : labels: - - source: JwtJson.encode(claim, secretKey, algo) - style: primary - start: 223 - end: 261 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 223 - end: 230 - - source: encode - style: secondary - start: 231 - end: 237 - - source: JwtJson.encode - style: secondary - start: 223 - end: 237 - - source: secretKey - style: secondary - start: 245 - end: 254 - - source: (claim, secretKey, algo) - style: secondary - start: 237 - end: 261 - - source: secretKey - style: secondary - start: 73 - end: 82 - - source: '"secretKey"' - style: secondary - start: 85 - end: 96 - - source: "object Test1 {\n val secretKey = \"secretKey\" \n def run() = {\n val claim = Json.obj((\"user\", 1), (\"nbf\", 1431520421))\n val algo = JwtAlgorithm.HS256\n val token = JwtJson.encode(claim, secretKey, algo)\n println(token)\n }\n}" - style: secondary - start: 52 - end: 286 - - source: val secretKey = "secretKey" - style: secondary - start: 69 - end: 96 - - source: val secretKey = "secretKey" - style: secondary - start: 69 - end: 96 - ? 
| - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - object Test15 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedAll = JwtJson.decodeAll(token, this.secretKey, Seq(algo)) - println(decodedAll) - } - } - : labels: - - source: JwtJson.decodeAll(token, this.secretKey, Seq(algo)) - style: primary - start: 182 - end: 233 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 182 - end: 189 - - source: decodeAll - style: secondary - start: 190 - end: 199 - - source: JwtJson.decodeAll - style: secondary - start: 182 - end: 199 - - source: this - style: secondary - start: 207 - end: 211 - - source: secretKey - style: secondary - start: 212 - end: 221 - - source: this.secretKey - style: secondary - start: 207 - end: 221 - - source: (token, this.secretKey, Seq(algo)) - style: secondary - start: 199 - end: 233 - - source: secretKey - style: secondary - start: 74 - end: 83 - - source: '"secretKey"' - style: secondary - start: 86 - end: 97 - - source: |- - object Test15 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedAll = JwtJson.decodeAll(token, this.secretKey, Seq(algo)) - println(decodedAll) - } - } - style: secondary - start: 52 - end: 263 - - source: val secretKey = "secretKey" - style: secondary - start: 70 - end: 97 - - source: val secretKey = "secretKey" - style: secondary - start: 70 - end: 97 - ? 
| - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - object Test2 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo)) - println(decoded) - } - } - : labels: - - source: JwtJson.decodeJson(token, secretKey, Seq(algo)) - style: primary - start: 178 - end: 225 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 178 - end: 185 - - source: decodeJson - style: secondary - start: 186 - end: 196 - - source: JwtJson.decodeJson - style: secondary - start: 178 - end: 196 - - source: secretKey - style: secondary - start: 204 - end: 213 - - source: (token, secretKey, Seq(algo)) - style: secondary - start: 196 - end: 225 - - source: secretKey - style: secondary - start: 73 - end: 82 - - source: '"secretKey"' - style: secondary - start: 85 - end: 96 - - source: |- - object Test2 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo)) - println(decoded) - } - } - style: secondary - start: 52 - end: 252 - - source: val secretKey = "secretKey" - style: secondary - start: 69 - end: 96 - - source: val secretKey = "secretKey" - style: secondary - start: 69 - end: 96 - ? 
| - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - object Test3 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedJson = JwtJson.decodeJson(token, secretKey, Seq(algo)) - println(decodedJson) - } - } - : labels: - - source: JwtJson.decodeJson(token, secretKey, Seq(algo)) - style: primary - start: 182 - end: 229 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 182 - end: 189 - - source: decodeJson - style: secondary - start: 190 - end: 200 - - source: JwtJson.decodeJson - style: secondary - start: 182 - end: 200 - - source: secretKey - style: secondary - start: 208 - end: 217 - - source: (token, secretKey, Seq(algo)) - style: secondary - start: 200 - end: 229 - - source: secretKey - style: secondary - start: 73 - end: 82 - - source: '"secretKey"' - style: secondary - start: 85 - end: 96 - - source: |- - object Test3 { - val secretKey = "secretKey" - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedJson = JwtJson.decodeJson(token, secretKey, Seq(algo)) - println(decodedJson) - } - } - style: secondary - start: 52 - end: 260 - - source: val secretKey = "secretKey" - style: secondary - start: 69 - end: 96 - - source: val secretKey = "secretKey" - style: secondary - start: 69 - end: 96 - ? 
| - import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - object Test5 { - def run(token: String) = { - val algo = JwtAlgorithm.HS256 - val decodedAll = JwtJson.decodeAll(token, "secretKey", Seq(algo)) - println(decodedAll) - } - } - : labels: - - source: JwtJson.decodeAll(token, "secretKey", Seq(algo)) - style: primary - start: 151 - end: 199 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut} - style: secondary - start: 0 - end: 51 - - source: JwtJson - style: secondary - start: 151 - end: 158 - - source: decodeAll - style: secondary - start: 159 - end: 168 - - source: JwtJson.decodeAll - style: secondary - start: 151 - end: 168 - - source: '"secretKey"' - style: secondary - start: 176 - end: 187 - - source: (token, "secretKey", Seq(algo)) - style: secondary - start: 168 - end: 199 diff --git a/tests/__snapshots__/jwt-simple-noverify-javascript-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-javascript-snapshot.yml deleted file mode 100644 index b219795b..00000000 --- a/tests/__snapshots__/jwt-simple-noverify-javascript-snapshot.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -id: jwt-simple-noverify-javascript -snapshots: - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'HS256', 12) - style: primary - start: 250 - end: 291 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute2', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n const decoded = jwt.decode(token, secretKey, true);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, true) - style: primary - start: 251 - end: 285 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute3', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' 
});\n }\n\n try {\n const decoded = jwt.decode(token, secretKey, 'false');\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'false') - style: primary - start: 251 - end: 288 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 diff --git a/tests/__snapshots__/jwt-simple-noverify-typescript-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-typescript-snapshot.yml deleted file mode 100644 index 04c3018e..00000000 --- a/tests/__snapshots__/jwt-simple-noverify-typescript-snapshot.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -id: jwt-simple-noverify-typescript -snapshots: - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'HS256', 12) - style: primary - start: 250 - end: 291 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require - style: secondary - start: 12 - end: 19 - - source: jwt-simple - style: secondary - start: 21 - end: 31 - - source: '''jwt-simple''' - style: secondary - start: 20 - end: 32 - - source: ('jwt-simple') - style: secondary - start: 19 - end: 33 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: jwt = require('jwt-simple') - style: secondary - start: 6 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute2', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n const decoded = jwt.decode(token, secretKey, true);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' 
});\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, true) - style: primary - start: 251 - end: 285 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require - style: secondary - start: 12 - end: 19 - - source: jwt-simple - style: secondary - start: 21 - end: 31 - - source: '''jwt-simple''' - style: secondary - start: 20 - end: 32 - - source: ('jwt-simple') - style: secondary - start: 19 - end: 33 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: jwt = require('jwt-simple') - style: secondary - start: 6 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute3', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n const decoded = jwt.decode(token, secretKey, 'false');\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'false') - style: primary - start: 251 - end: 288 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require - style: secondary - start: 12 - end: 19 - - source: jwt-simple - style: secondary - start: 21 - end: 31 - - source: '''jwt-simple''' - style: secondary - start: 20 - end: 32 - - source: ('jwt-simple') - style: secondary - start: 19 - end: 33 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: jwt = require('jwt-simple') - style: secondary - start: 6 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 
diff --git a/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml b/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml deleted file mode 100644 index f7b23cff..00000000 --- a/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml +++ /dev/null 
@@ -1,169 +0,0 @@ -id: jwt-tokenvalidationparameters-no-expiry-validation-csharp -snapshots: - ? | - TokenValidationParameters parameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - }; - : labels: - - source: 'false' - style: primary - start: 90 - end: 95 - - source: ValidateLifetime - style: secondary - start: 71 - end: 87 - - source: = - style: secondary - start: 88 - end: 89 - - source: 'false' - style: secondary - start: 90 - end: 95 - - source: TokenValidationParameters - style: secondary - start: 43 - end: 68 - - source: |- - new TokenValidationParameters - { - ValidateLifetime = false, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - } - style: secondary - start: 39 - end: 178 - - source: ValidateLifetime = false - style: secondary - start: 71 - end: 95 - ? "TokenValidationParameters parameters = new TokenValidationParameters\n{ \nValidateLifetime = false,\nRequireExpirationTime = false,\nValidateIssuer = false,\nValidateAudience = false\n};\n" - : labels: - - source: 'false' - style: primary - start: 91 - end: 96 - - source: ValidateLifetime - style: secondary - start: 72 - end: 88 - - source: = - style: secondary - start: 89 - end: 90 - - source: 'false' - style: secondary - start: 91 - end: 96 - - source: TokenValidationParameters - style: secondary - start: 43 - end: 68 - - source: "new TokenValidationParameters\n{ \nValidateLifetime = false,\nRequireExpirationTime = false,\nValidateIssuer = false,\nValidateAudience = false\n}" - style: secondary - start: 39 - end: 179 - - source: ValidateLifetime = false - style: secondary - start: 72 - end: 96 - ? 
| - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = true, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - }; - : labels: - - source: 'false' - style: primary - start: 125 - end: 130 - - source: RequireExpirationTime - style: secondary - start: 101 - end: 122 - - source: = - style: secondary - start: 123 - end: 124 - - source: 'false' - style: secondary - start: 125 - end: 130 - - source: TokenValidationParameters - style: secondary - start: 40 - end: 65 - - source: |- - new TokenValidationParameters - { - ValidateLifetime = true, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - } - style: secondary - start: 36 - end: 190 - - source: RequireExpirationTime = false - style: secondary - start: 101 - end: 130 - ? | - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - }; - TokenValidationParameters parameters = new TokenValidationParameters(); - parameters.RequireExpirationTime = false; - parameters.ValidateLifetime = false; - : labels: - - source: 'false' - style: primary - start: 87 - end: 92 - - source: ValidateLifetime - style: secondary - start: 68 - end: 84 - - source: = - style: secondary - start: 85 - end: 86 - - source: 'false' - style: secondary - start: 87 - end: 92 - - source: TokenValidationParameters - style: secondary - start: 40 - end: 65 - - source: |- - new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - } - style: secondary - start: 36 - end: 203 - - source: ValidateLifetime = false - style: secondary - start: 68 - end: 92 
diff --git a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml
deleted file mode 100644
index 11ade65f..00000000
--- a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml
+++ /dev/null
@@ -1,323 +0,0 @@ -id: libxml2-audit-parser-c -snapshots: - ? | - doc = xmlCtxtReadMemory(ctxt, (char *)string, len, NULL, NULL, 0); - : labels: - - source: xmlCtxtReadMemory(ctxt, (char *)string, len, NULL, NULL, 0) - style: primary - start: 6 - end: 65 - - source: xmlCtxtReadMemory - style: secondary - start: 6 - end: 23 - - source: ctxt - style: secondary - start: 24 - end: 28 - - source: (char *)string - style: secondary - start: 30 - end: 44 - - source: len - style: secondary - start: 46 - end: 49 - - source: 'NULL' - style: secondary - start: 51 - end: 55 - - source: 'NULL' - style: secondary - start: 57 - end: 61 - - source: '0' - style: secondary - start: 63 - end: 64 - - source: (ctxt, (char *)string, len, NULL, NULL, 0) - style: secondary - start: 23 - end: 65 - ? | - doc = xmlReadFile(xmlFilename.c_str(), NULL, 0); - : labels: - - source: xmlReadFile(xmlFilename.c_str(), NULL, 0) - style: primary - start: 6 - end: 47 - - source: xmlReadFile - style: secondary - start: 6 - end: 17 - - source: xmlFilename.c_str() - style: secondary - start: 18 - end: 37 - - source: 'NULL' - style: secondary - start: 39 - end: 43 - - source: '0' - style: secondary - start: 45 - end: 46 - - source: (xmlFilename.c_str(), NULL, 0) - style: secondary - start: 17 - end: 47 - ? 
| - mPimpl->mXmlDocPtr = xmlCtxtReadDoc(context, reinterpret_cast(input.c_str()), "/", nullptr, 0); - : labels: - - source: xmlCtxtReadDoc(context, reinterpret_cast(input.c_str()), "/", nullptr, 0) - style: primary - start: 21 - end: 111 - - source: xmlCtxtReadDoc - style: secondary - start: 21 - end: 35 - - source: context - style: secondary - start: 36 - end: 43 - - source: reinterpret_cast(input.c_str()) - style: secondary - start: 45 - end: 93 - - source: '"/"' - style: secondary - start: 95 - end: 98 - - source: nullptr - style: secondary - start: 100 - end: 107 - - source: '0' - style: secondary - start: 109 - end: 110 - - source: (context, reinterpret_cast(input.c_str()), "/", nullptr, 0) - style: secondary - start: 35 - end: 111 - ? | - xmlDocPtr const pDoc = xmlCtxtReadIO(pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0); - : labels: - - source: xmlCtxtReadIO(pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0) - style: primary - start: 23 - end: 112 - - source: xmlCtxtReadIO - style: secondary - start: 23 - end: 36 - - source: pContext.get() - style: secondary - start: 37 - end: 51 - - source: xmlIO_read_func - style: secondary - start: 53 - end: 68 - - source: xmlIO_close_func - style: secondary - start: 70 - end: 86 - - source: '&c' - style: secondary - start: 88 - end: 90 - - source: nullptr - style: secondary - start: 92 - end: 99 - - source: nullptr - style: secondary - start: 101 - end: 108 - - source: '0' - style: secondary - start: 110 - end: 111 - - source: (pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0) - style: secondary - start: 36 - end: 112 - ? 
| - xmlDocPtr doc = xmlCtxtReadFd(ctx_, fd, url_, encoding_, options_); - load(doc, node); - : labels: - - source: xmlCtxtReadFd(ctx_, fd, url_, encoding_, options_) - style: primary - start: 16 - end: 66 - - source: xmlCtxtReadFd - style: secondary - start: 16 - end: 29 - - source: ctx_ - style: secondary - start: 30 - end: 34 - - source: fd - style: secondary - start: 36 - end: 38 - - source: url_ - style: secondary - start: 40 - end: 44 - - source: encoding_ - style: secondary - start: 46 - end: 55 - - source: options_ - style: secondary - start: 57 - end: 65 - - source: (ctx_, fd, url_, encoding_, options_) - style: secondary - start: 29 - end: 66 - ? | - xmlDocPtr xml = xmlReadIO(readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options); - : labels: - - source: xmlReadIO(readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options) - style: primary - start: 16 - end: 110 - - source: xmlReadIO - style: secondary - start: 16 - end: 25 - - source: readStream - style: secondary - start: 26 - end: 36 - - source: closeStream - style: secondary - start: 38 - end: 49 - - source: static_cast(&stream) - style: secondary - start: 51 - end: 79 - - source: fileName.c_str() - style: secondary - start: 81 - end: 97 - - source: '0' - style: secondary - start: 99 - end: 100 - - source: options - style: secondary - start: 102 - end: 109 - - source: (readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options) - style: secondary - start: 25 - end: 110 - ? 
| - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode); - : labels: - - source: |- - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode) - style: primary - start: 0 - end: 103 - - source: xmlParseInNodeContext - style: secondary - start: 0 - end: 21 - - source: cur_node->parent - style: secondary - start: 22 - end: 38 - - source: xml_filtered.c_str() - style: secondary - start: 40 - end: 60 - - source: (int)xml_filtered.length() - style: secondary - start: 62 - end: 88 - - source: '0' - style: secondary - start: 90 - end: 91 - - source: '&pNewNode' - style: secondary - start: 93 - end: 102 - - source: |- - (cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode) - style: secondary - start: 21 - end: 103 - ? | - xmlReadDoc((xmlChar *)ptr, "", NULL, 0); - : labels: - - source: xmlReadDoc((xmlChar *)ptr, "", NULL, 0) - style: primary - start: 0 - end: 39 - - source: xmlReadDoc - style: secondary - start: 0 - end: 10 - - source: (xmlChar *)ptr - style: secondary - start: 11 - end: 25 - - source: '""' - style: secondary - start: 27 - end: 29 - - source: 'NULL' - style: secondary - start: 31 - end: 35 - - source: '0' - style: secondary - start: 37 - end: 38 - - source: ((xmlChar *)ptr, "", NULL, 0) - style: secondary - start: 10 - end: 39 - ? | - xmlReadFd(f, NULL, NULL, XML_PARSE_NOBLANKS); - : labels: - - source: xmlReadFd(f, NULL, NULL, XML_PARSE_NOBLANKS) - style: primary - start: 0 - end: 44 - - source: xmlReadFd - style: secondary - start: 0 - end: 9 - - source: f - style: secondary - start: 10 - end: 11 - - source: 'NULL' - style: secondary - start: 13 - end: 17 - - source: 'NULL' - style: secondary - start: 19 - end: 23 - - source: XML_PARSE_NOBLANKS - style: secondary - start: 25 - end: 43 - - source: (f, NULL, NULL, XML_PARSE_NOBLANKS) - style: secondary - start: 9 - end: 44 
diff --git a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml
deleted file mode 100644
index 97fdb7ca..00000000
--- a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml
+++ /dev/null
@@ -1,323 +0,0 @@ -id: libxml2-audit-parser-cpp -snapshots: - ? | - doc = xmlCtxtReadMemory(ctxt, (char *)string, len, NULL, NULL, 0); - : labels: - - source: xmlCtxtReadMemory(ctxt, (char *)string, len, NULL, NULL, 0) - style: primary - start: 6 - end: 65 - - source: xmlCtxtReadMemory - style: secondary - start: 6 - end: 23 - - source: ctxt - style: secondary - start: 24 - end: 28 - - source: (char *)string - style: secondary - start: 30 - end: 44 - - source: len - style: secondary - start: 46 - end: 49 - - source: 'NULL' - style: secondary - start: 51 - end: 55 - - source: 'NULL' - style: secondary - start: 57 - end: 61 - - source: '0' - style: secondary - start: 63 - end: 64 - - source: (ctxt, (char *)string, len, NULL, NULL, 0) - style: secondary - start: 23 - end: 65 - ? | - doc = xmlReadFile(xmlFilename.c_str(), NULL, 0); - : labels: - - source: xmlReadFile(xmlFilename.c_str(), NULL, 0) - style: primary - start: 6 - end: 47 - - source: xmlReadFile - style: secondary - start: 6 - end: 17 - - source: xmlFilename.c_str() - style: secondary - start: 18 - end: 37 - - source: 'NULL' - style: secondary - start: 39 - end: 43 - - source: '0' - style: secondary - start: 45 - end: 46 - - source: (xmlFilename.c_str(), NULL, 0) - style: secondary - start: 17 - end: 47 - ? 
| - mPimpl->mXmlDocPtr = xmlCtxtReadDoc(context, reinterpret_cast(input.c_str()), "/", nullptr, 0); - : labels: - - source: xmlCtxtReadDoc(context, reinterpret_cast(input.c_str()), "/", nullptr, 0) - style: primary - start: 21 - end: 111 - - source: xmlCtxtReadDoc - style: secondary - start: 21 - end: 35 - - source: context - style: secondary - start: 36 - end: 43 - - source: reinterpret_cast(input.c_str()) - style: secondary - start: 45 - end: 93 - - source: '"/"' - style: secondary - start: 95 - end: 98 - - source: nullptr - style: secondary - start: 100 - end: 107 - - source: '0' - style: secondary - start: 109 - end: 110 - - source: (context, reinterpret_cast(input.c_str()), "/", nullptr, 0) - style: secondary - start: 35 - end: 111 - ? | - xmlDocPtr const pDoc = xmlCtxtReadIO(pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0); - : labels: - - source: xmlCtxtReadIO(pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0) - style: primary - start: 23 - end: 112 - - source: xmlCtxtReadIO - style: secondary - start: 23 - end: 36 - - source: pContext.get() - style: secondary - start: 37 - end: 51 - - source: xmlIO_read_func - style: secondary - start: 53 - end: 68 - - source: xmlIO_close_func - style: secondary - start: 70 - end: 86 - - source: '&c' - style: secondary - start: 88 - end: 90 - - source: nullptr - style: secondary - start: 92 - end: 99 - - source: nullptr - style: secondary - start: 101 - end: 108 - - source: '0' - style: secondary - start: 110 - end: 111 - - source: (pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0) - style: secondary - start: 36 - end: 112 - ? 
| - xmlDocPtr doc = xmlCtxtReadFd(ctx_, fd, url_, encoding_, options_); - load(doc, node); - : labels: - - source: xmlCtxtReadFd(ctx_, fd, url_, encoding_, options_) - style: primary - start: 16 - end: 66 - - source: xmlCtxtReadFd - style: secondary - start: 16 - end: 29 - - source: ctx_ - style: secondary - start: 30 - end: 34 - - source: fd - style: secondary - start: 36 - end: 38 - - source: url_ - style: secondary - start: 40 - end: 44 - - source: encoding_ - style: secondary - start: 46 - end: 55 - - source: options_ - style: secondary - start: 57 - end: 65 - - source: (ctx_, fd, url_, encoding_, options_) - style: secondary - start: 29 - end: 66 - ? | - xmlDocPtr xml = xmlReadIO(readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options); - : labels: - - source: xmlReadIO(readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options) - style: primary - start: 16 - end: 110 - - source: xmlReadIO - style: secondary - start: 16 - end: 25 - - source: readStream - style: secondary - start: 26 - end: 36 - - source: closeStream - style: secondary - start: 38 - end: 49 - - source: static_cast(&stream) - style: secondary - start: 51 - end: 79 - - source: fileName.c_str() - style: secondary - start: 81 - end: 97 - - source: '0' - style: secondary - start: 99 - end: 100 - - source: options - style: secondary - start: 102 - end: 109 - - source: (readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options) - style: secondary - start: 25 - end: 110 - ? 
| - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode); - : labels: - - source: |- - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode) - style: primary - start: 0 - end: 103 - - source: xmlParseInNodeContext - style: secondary - start: 0 - end: 21 - - source: cur_node->parent - style: secondary - start: 22 - end: 38 - - source: xml_filtered.c_str() - style: secondary - start: 40 - end: 60 - - source: (int)xml_filtered.length() - style: secondary - start: 62 - end: 88 - - source: '0' - style: secondary - start: 90 - end: 91 - - source: '&pNewNode' - style: secondary - start: 93 - end: 102 - - source: |- - (cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode) - style: secondary - start: 21 - end: 103 - ? | - xmlReadDoc((xmlChar *)ptr, "", NULL, 0); - : labels: - - source: xmlReadDoc((xmlChar *)ptr, "", NULL, 0) - style: primary - start: 0 - end: 39 - - source: xmlReadDoc - style: secondary - start: 0 - end: 10 - - source: (xmlChar *)ptr - style: secondary - start: 11 - end: 25 - - source: '""' - style: secondary - start: 27 - end: 29 - - source: 'NULL' - style: secondary - start: 31 - end: 35 - - source: '0' - style: secondary - start: 37 - end: 38 - - source: ((xmlChar *)ptr, "", NULL, 0) - style: secondary - start: 10 - end: 39 - ? | - xmlReadFd(f, NULL, NULL, XML_PARSE_NOBLANKS); - : labels: - - source: xmlReadFd(f, NULL, NULL, XML_PARSE_NOBLANKS) - style: primary - start: 0 - end: 44 - - source: xmlReadFd - style: secondary - start: 0 - end: 9 - - source: f - style: secondary - start: 10 - end: 11 - - source: 'NULL' - style: secondary - start: 13 - end: 17 - - source: 'NULL' - style: secondary - start: 19 - end: 23 - - source: XML_PARSE_NOBLANKS - style: secondary - start: 25 - end: 43 - - source: (f, NULL, NULL, XML_PARSE_NOBLANKS) - style: secondary - start: 9 - end: 44 
diff --git a/tests/__snapshots__/missing-httponly-java-snapshot.yml b/tests/__snapshots__/missing-httponly-java-snapshot.yml
deleted file mode 100644
index 0afce8c4..00000000
--- a/tests/__snapshots__/missing-httponly-java-snapshot.yml
+++ /dev/null
@@ -1,208 +0,0 @@ -id: missing-httponly-java -snapshots: - ? | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie cookie = request.getCookies() - .findCookie( "foobar" ) - .orElse( new NettyCookie( "foo", "bar" ) ); - } - } - : labels: - - source: new NettyCookie( "foo", "bar" ) - style: primary - start: 464 - end: 495 - - source: NettyCookie - style: secondary - start: 468 - end: 479 - - source: ( "foo", "bar" ) - style: secondary - start: 479 - end: 495 - - source: io.micronaut.http.netty.cookies.NettyCookie - style: secondary - start: 97 - end: 140 - - source: import io.micronaut.http.netty.cookies.NettyCookie; - style: secondary - start: 90 - end: 141 - - source: import io.micronaut.http.netty.cookies.NettyCookie; - style: secondary - start: 90 - end: 141 - ? 
| - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie z = new NettyCookie("foo", "bar"); - } - } - : labels: - - source: z - style: primary - start: 377 - end: 378 - - source: Cookie - style: secondary - start: 370 - end: 376 - - source: io.micronaut.http.cookie.Cookie - style: secondary - start: 57 - end: 88 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 - - source: Cookie z = new NettyCookie("foo", "bar"); - style: secondary - start: 370 - end: 411 - - source: NettyCookie - style: secondary - start: 385 - end: 396 - - source: ("foo", "bar") - style: secondary - start: 396 - end: 410 - - source: new NettyCookie("foo", "bar") - style: secondary - start: 381 - end: 410 - - source: z = new NettyCookie("foo", "bar") - style: secondary - start: 377 - end: 410 - ? 
| - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - SimpleCookie s = new SimpleCookie("foo", "bar"); - } - } - : labels: - - source: s - style: primary - start: 383 - end: 384 - - source: SimpleCookie - style: secondary - start: 370 - end: 382 - - source: io.micronaut.http.simple.cookies.SimpleCookie - style: secondary - start: 149 - end: 194 - - source: import io.micronaut.http.simple.cookies.SimpleCookie; - style: secondary - start: 142 - end: 195 - - source: import io.micronaut.http.simple.cookies.SimpleCookie; - style: secondary - start: 142 - end: 195 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 370 - end: 418 - - source: SimpleCookie - style: secondary - start: 391 - end: 403 - - source: ("foo", "bar") - style: secondary - start: 403 - end: 417 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 387 - end: 417 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 383 - end: 417 - ? 
| - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - } - } - : labels: - - source: Cookie.of("zzz", "ddd") - style: primary - start: 402 - end: 425 - - source: Cookie - style: secondary - start: 402 - end: 408 - - source: of - style: secondary - start: 409 - end: 411 - - source: ("zzz", "ddd") - style: secondary - start: 411 - end: 425 - - source: io.micronaut.http.cookie.Cookie - style: secondary - start: 57 - end: 88 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 diff --git a/tests/__snapshots__/missing-nul-cpp-string-memcpy-copy-cpp-snapshot.yml b/tests/__snapshots__/missing-nul-cpp-string-memcpy-copy-cpp-snapshot.yml deleted file mode 100644 index 2a9efda5..00000000 --- a/tests/__snapshots__/missing-nul-cpp-string-memcpy-copy-cpp-snapshot.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -id: missing-nul-cpp-string-memcpy-copy-cpp -snapshots: - ? | - void test_001() - { - string from = "hello"; - char to[20]; - size_t len_001 = strlen(from.c_str()); - memcpy(to, from.c_str(), len_001); - } - : labels: - - source: memcpy - style: primary - start: 109 - end: 115 - - source: memcpy - style: secondary - start: 109 - end: 115 - - source: to - style: secondary - start: 116 - end: 118 - - source: from.c_str() - style: secondary - start: 120 - end: 132 - - source: len_001 - style: secondary - start: 134 - end: 141 - - source: (to, from.c_str(), len_001) - style: secondary - start: 115 - end: 142 - - source: size_t len_001 = strlen(from.c_str()); - style: secondary - start: 66 - end: 104 - - source: size_t len_001 = strlen(from.c_str()); - style: secondary - start: 66 - end: 104 - - source: char to[20]; - style: secondary - start: 49 - end: 61 - - source: char to[20]; - style: secondary - start: 49 - end: 61 - - source: memcpy(to, from.c_str(), len_001) - style: secondary - start: 109 - end: 142 - ? 
| - void test_002() - { - string from = "hello"; - char to[20]; - size_t len_002 = from.size(); - memcpy(to, from.c_str(), len_002); - } - : labels: - - source: memcpy - style: primary - start: 100 - end: 106 - - source: memcpy - style: secondary - start: 100 - end: 106 - - source: to - style: secondary - start: 107 - end: 109 - - source: from.c_str() - style: secondary - start: 111 - end: 123 - - source: len_002 - style: secondary - start: 125 - end: 132 - - source: (to, from.c_str(), len_002) - style: secondary - start: 106 - end: 133 - - source: len_002 - style: secondary - start: 73 - end: 80 - - source: from.size() - style: secondary - start: 83 - end: 94 - - source: len_002 = from.size() - style: secondary - start: 73 - end: 94 - - source: size_t len_002 = from.size(); - style: secondary - start: 66 - end: 95 - - source: size_t len_002 = from.size(); - style: secondary - start: 66 - end: 95 - - source: char to[20]; - style: secondary - start: 49 - end: 61 - - source: char to[20]; - style: secondary - start: 49 - end: 61 - - source: memcpy(to, from.c_str(), len_002) - style: secondary - start: 100 - end: 133 - ? 
| - void test_003() - { - string from = "hello"; - char to[20]; - size_t len_003 = from.length(); - memcpy(to, from.c_str(), len_003); - } - : labels: - - source: memcpy - style: primary - start: 102 - end: 108 - - source: memcpy - style: secondary - start: 102 - end: 108 - - source: to - style: secondary - start: 109 - end: 111 - - source: from.c_str() - style: secondary - start: 113 - end: 125 - - source: len_003 - style: secondary - start: 127 - end: 134 - - source: (to, from.c_str(), len_003) - style: secondary - start: 108 - end: 135 - - source: size_t len_003 = from.length(); - style: secondary - start: 66 - end: 97 - - source: size_t len_003 = from.length(); - style: secondary - start: 66 - end: 97 - - source: char to[20]; - style: secondary - start: 49 - end: 61 - - source: char to[20]; - style: secondary - start: 49 - end: 61 - - source: memcpy(to, from.c_str(), len_003) - style: secondary - start: 102 - end: 135 diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 8e93db52..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null 
@@ -1,208 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie cookie = request.getCookies() - .findCookie( "foobar" ) - .orElse( new NettyCookie( "foo", "bar" ) ); - } - } - : labels: - - source: new NettyCookie( "foo", "bar" ) - style: primary - start: 464 - end: 495 - - source: NettyCookie - style: secondary - start: 468 - end: 479 - - source: ( "foo", "bar" ) - style: secondary - start: 479 - end: 495 - - source: io.micronaut.http.netty.cookies.NettyCookie - style: secondary - start: 97 - end: 140 - - source: import io.micronaut.http.netty.cookies.NettyCookie; - style: secondary - start: 90 - end: 141 - - source: import io.micronaut.http.netty.cookies.NettyCookie; - style: secondary - start: 90 - end: 141 - ? 
| - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie z = new NettyCookie("foo", "bar"); - } - } - : labels: - - source: z - style: primary - start: 377 - end: 378 - - source: Cookie - style: secondary - start: 370 - end: 376 - - source: io.micronaut.http.cookie.Cookie - style: secondary - start: 57 - end: 88 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 - - source: Cookie z = new NettyCookie("foo", "bar"); - style: secondary - start: 370 - end: 411 - - source: NettyCookie - style: secondary - start: 385 - end: 396 - - source: ("foo", "bar") - style: secondary - start: 396 - end: 410 - - source: new NettyCookie("foo", "bar") - style: secondary - start: 381 - end: 410 - - source: z = new NettyCookie("foo", "bar") - style: secondary - start: 377 - end: 410 - ? 
| - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - SimpleCookie s = new SimpleCookie("foo", "bar"); - } - } - : labels: - - source: s - style: primary - start: 383 - end: 384 - - source: SimpleCookie - style: secondary - start: 370 - end: 382 - - source: io.micronaut.http.simple.cookies.SimpleCookie - style: secondary - start: 149 - end: 194 - - source: import io.micronaut.http.simple.cookies.SimpleCookie; - style: secondary - start: 142 - end: 195 - - source: import io.micronaut.http.simple.cookies.SimpleCookie; - style: secondary - start: 142 - end: 195 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 370 - end: 418 - - source: SimpleCookie - style: secondary - start: 391 - end: 403 - - source: ("foo", "bar") - style: secondary - start: 403 - end: 417 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 387 - end: 417 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 383 - end: 417 - ? 
| - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - } - } - : labels: - - source: Cookie.of("zzz", "ddd") - style: primary - start: 402 - end: 425 - - source: Cookie - style: secondary - start: 402 - end: 408 - - source: of - style: secondary - start: 409 - end: 411 - - source: ("zzz", "ddd") - style: secondary - start: 411 - end: 425 - - source: io.micronaut.http.cookie.Cookie - style: secondary - start: 57 - end: 88 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 - - source: import io.micronaut.http.cookie.Cookie; - style: secondary - start: 50 - end: 89 diff --git a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml b/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml deleted file mode 100644 index 3cb06bac..00000000 --- a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml +++ /dev/null @@ -1,25 +0,0 @@ -id: missing-ssl-minversion-go -snapshots: - ? | - server.TLS = &tls.Config{ Rand: zeroSource{}, } - : labels: - - source: 'tls.Config{ Rand: zeroSource{}, }' - style: primary - start: 14 - end: 47 - - source: tls - style: secondary - start: 14 - end: 17 - - source: Config - style: secondary - start: 18 - end: 24 - - source: tls.Config - style: secondary - start: 14 - end: 24 - - source: '{ Rand: zeroSource{}, }' - style: secondary - start: 24 - end: 47 diff --git a/tests/__snapshots__/networkcredential-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/networkcredential-hardcoded-secret-csharp-snapshot.yml deleted file mode 100644 index f96aae7e..00000000 
--- a/tests/__snapshots__/networkcredential-hardcoded-secret-csharp-snapshot.yml
+++ /dev/null
@@ -1,242 +0,0 @@ -id: networkcredential-hardcoded-secret-csharp -snapshots: - ? | - private A GetConnection(args) - { - NetworkCredential cre = new NetworkCredential(); - cre.Password = "aaaa"; - } - : labels: - - source: cre.Password = "aaaa" - style: primary - start: 85 - end: 106 - - source: cre - style: secondary - start: 85 - end: 88 - - source: Password - style: secondary - start: 89 - end: 97 - - source: cre.Password - style: secondary - start: 85 - end: 97 - - source: '"aaaa"' - style: secondary - start: 100 - end: 106 - - source: NetworkCredential - style: secondary - start: 34 - end: 51 - - source: cre - style: secondary - start: 52 - end: 55 - - source: NetworkCredential - style: secondary - start: 62 - end: 79 - - source: () - style: secondary - start: 79 - end: 81 - - source: new NetworkCredential() - style: secondary - start: 58 - end: 81 - - source: cre = new NetworkCredential() - style: secondary - start: 52 - end: 81 - - source: NetworkCredential cre = new NetworkCredential() - style: secondary - start: 34 - end: 81 - - source: NetworkCredential cre = new NetworkCredential(); - style: secondary - start: 34 - end: 82 - - source: NetworkCredential cre = new NetworkCredential(); - style: secondary - start: 34 - end: 82 - ? 
| - private A GetConnection(args) - { - NetworkCredential cre = new NetworkCredential(); - string password = "aaa"; - cre.Password = password; - } - : labels: - - source: cre.Password = password - style: primary - start: 112 - end: 135 - - source: cre - style: secondary - start: 112 - end: 115 - - source: Password - style: secondary - start: 116 - end: 124 - - source: cre.Password - style: secondary - start: 112 - end: 124 - - source: password - style: secondary - start: 127 - end: 135 - - source: password - style: secondary - start: 92 - end: 100 - - source: '"aaa"' - style: secondary - start: 103 - end: 108 - - source: password = "aaa" - style: secondary - start: 92 - end: 108 - - source: string password = "aaa" - style: secondary - start: 85 - end: 108 - - source: string password = "aaa"; - style: secondary - start: 85 - end: 109 - - source: NetworkCredential - style: secondary - start: 34 - end: 51 - - source: cre - style: secondary - start: 52 - end: 55 - - source: NetworkCredential - style: secondary - start: 62 - end: 79 - - source: () - style: secondary - start: 79 - end: 81 - - source: new NetworkCredential() - style: secondary - start: 58 - end: 81 - - source: cre = new NetworkCredential() - style: secondary - start: 52 - end: 81 - - source: NetworkCredential cre = new NetworkCredential() - style: secondary - start: 34 - end: 81 - - source: NetworkCredential cre = new NetworkCredential(); - style: secondary - start: 34 - end: 82 - - source: cre.Password = password; - style: secondary - start: 112 - end: 136 - ? 
| - private A GetConnection(args) - { - new NetworkCredential("username", "password"); - } - : labels: - - source: new NetworkCredential("username", "password") - style: primary - start: 34 - end: 79 - - source: NetworkCredential - style: secondary - start: 38 - end: 55 - - source: '"username"' - style: secondary - start: 56 - end: 66 - - source: '"username"' - style: secondary - start: 56 - end: 66 - - source: '"password"' - style: secondary - start: 68 - end: 78 - - source: '"password"' - style: secondary - start: 68 - end: 78 - - source: ("username", "password") - style: secondary - start: 55 - end: 79 - ? | - private A GetConnection(args) - { - string password = "aaa"; - new NetworkCredential("username", password); - } - : labels: - - source: new NetworkCredential("username", password) - style: primary - start: 61 - end: 104 - - source: NetworkCredential - style: secondary - start: 65 - end: 82 - - source: '"username"' - style: secondary - start: 83 - end: 93 - - source: '"username"' - style: secondary - start: 83 - end: 93 - - source: password - style: secondary - start: 95 - end: 103 - - source: password - style: secondary - start: 95 - end: 103 - - source: ("username", password) - style: secondary - start: 82 - end: 104 - - source: password - style: secondary - start: 41 - end: 49 - - source: '"aaa"' - style: secondary - start: 52 - end: 57 - - source: password = "aaa" - style: secondary - start: 41 - end: 57 - - source: string password = "aaa" - style: secondary - start: 34 - end: 57 - - source: string password = "aaa"; - style: secondary - start: 34 - end: 58 - - source: string password = "aaa"; - style: secondary - start: 34 - end: 58 diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml deleted file mode 100644 index 7410b823..00000000 --- a/tests/__snapshots__/no-null-cipher-java-snapshot.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -id: no-null-cipher-java -snapshots: - ? | - Cipher doNothingCihper = new NullCipher(); - new javax.crypto.NullCipher(); - : labels: - - source: Cipher doNothingCihper = new NullCipher(); - style: primary - start: 0 - end: 42 - - source: new NullCipher() - style: secondary - start: 25 - end: 41 diff --git a/tests/__snapshots__/node-rsa-weak-key-javascript-snapshot.yml b/tests/__snapshots__/node-rsa-weak-key-javascript-snapshot.yml deleted file mode 100644 index 250b87cb..00000000 --- a/tests/__snapshots__/node-rsa-weak-key-javascript-snapshot.yml +++ /dev/null 
@@ -1,387 +0,0 @@ -id: node-rsa-weak-key-javascript -snapshots: - ? | - const NodeRSA = require('node-rsa'); - const key = new NodeRSA({b: 204}); - : labels: - - source: '204' - style: primary - start: 65 - end: 68 - - source: NodeRSA - style: secondary - start: 53 - end: 60 - - source: b - style: secondary - start: 62 - end: 63 - - source: '204' - style: secondary - start: 65 - end: 68 - - source: 'b: 204' - style: secondary - start: 62 - end: 68 - - source: '{b: 204}' - style: secondary - start: 61 - end: 69 - - source: '({b: 204})' - style: secondary - start: 60 - end: 70 - - source: 'new NodeRSA({b: 204})' - style: secondary - start: 49 - end: 70 - - source: 'key = new NodeRSA({b: 204})' - style: secondary - start: 43 - end: 70 - - source: NodeRSA - style: secondary - start: 6 - end: 13 - - source: require - style: secondary - start: 16 - end: 23 - - source: node-rsa - style: secondary - start: 25 - end: 33 - - source: '''node-rsa''' - style: secondary - start: 24 - end: 34 - - source: ('node-rsa') - style: secondary - start: 23 - end: 35 - - source: require('node-rsa') - style: secondary - start: 16 - end: 35 - - source: NodeRSA = require('node-rsa') - style: secondary - start: 6 - end: 35 - - source: const NodeRSA = require('node-rsa'); - style: secondary - start: 0 - end: 36 - - source: 'const key = new NodeRSA({b: 204});' - style: secondary - start: 37 - end: 71 - ? 
| - const NodeRSA = require('node-rsa'); - const key = new NodeRSA({b: 512}); - : labels: - - source: '512' - style: primary - start: 65 - end: 68 - - source: NodeRSA - style: secondary - start: 53 - end: 60 - - source: b - style: secondary - start: 62 - end: 63 - - source: '512' - style: secondary - start: 65 - end: 68 - - source: 'b: 512' - style: secondary - start: 62 - end: 68 - - source: '{b: 512}' - style: secondary - start: 61 - end: 69 - - source: '({b: 512})' - style: secondary - start: 60 - end: 70 - - source: 'new NodeRSA({b: 512})' - style: secondary - start: 49 - end: 70 - - source: 'key = new NodeRSA({b: 512})' - style: secondary - start: 43 - end: 70 - - source: NodeRSA - style: secondary - start: 6 - end: 13 - - source: require - style: secondary - start: 16 - end: 23 - - source: node-rsa - style: secondary - start: 25 - end: 33 - - source: '''node-rsa''' - style: secondary - start: 24 - end: 34 - - source: ('node-rsa') - style: secondary - start: 23 - end: 35 - - source: require('node-rsa') - style: secondary - start: 16 - end: 35 - - source: NodeRSA = require('node-rsa') - style: secondary - start: 6 - end: 35 - - source: const NodeRSA = require('node-rsa'); - style: secondary - start: 0 - end: 36 - - source: 'const key = new NodeRSA({b: 512});' - style: secondary - start: 37 - end: 71 - ? 
| - const crypto = require("crypto"); - const keypair2 = await util.promisify(crypto.generateKeyPair)("rsa", { - modulusLength: 512, - }); - : labels: - - source: '512' - style: primary - start: 120 - end: 123 - - source: promisify - style: secondary - start: 62 - end: 71 - - source: util.promisify - style: secondary - start: 57 - end: 71 - - source: crypto - style: secondary - start: 72 - end: 78 - - source: generateKeyPair - style: secondary - start: 79 - end: 94 - - source: crypto.generateKeyPair - style: secondary - start: 72 - end: 94 - - source: (crypto.generateKeyPair) - style: secondary - start: 71 - end: 95 - - source: util.promisify(crypto.generateKeyPair) - style: secondary - start: 57 - end: 95 - - source: rsa - style: secondary - start: 97 - end: 100 - - source: '"rsa"' - style: secondary - start: 96 - end: 101 - - source: modulusLength - style: secondary - start: 105 - end: 118 - - source: '512' - style: secondary - start: 120 - end: 123 - - source: 'modulusLength: 512' - style: secondary - start: 105 - end: 123 - - source: |- - { - modulusLength: 512, - } - style: secondary - start: 103 - end: 126 - - source: |- - ("rsa", { - modulusLength: 512, - }) - style: secondary - start: 95 - end: 127 - - source: |- - util.promisify(crypto.generateKeyPair)("rsa", { - modulusLength: 512, - }) - style: secondary - start: 57 - end: 127 - - source: crypto - style: secondary - start: 6 - end: 12 - - source: require - style: secondary - start: 15 - end: 22 - - source: crypto - style: secondary - start: 24 - end: 30 - - source: '"crypto"' - style: secondary - start: 23 - end: 31 - - source: ("crypto") - style: secondary - start: 22 - end: 32 - - source: require("crypto") - style: secondary - start: 15 - end: 32 - - source: crypto = require("crypto") - style: secondary - start: 6 - end: 32 - - source: const crypto = require("crypto"); - style: secondary - start: 0 - end: 33 - - source: |- - const keypair2 = await util.promisify(crypto.generateKeyPair)("rsa", { - 
modulusLength: 512, - }); - style: secondary - start: 34 - end: 128 - ? | - const crypto = require("crypto"); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - : labels: - - source: '512' - style: primary - start: 127 - end: 130 - - source: crypto - style: secondary - start: 68 - end: 74 - - source: generateKeyPairSync - style: secondary - start: 75 - end: 94 - - source: crypto.generateKeyPairSync - style: secondary - start: 68 - end: 94 - - source: rsa - style: secondary - start: 96 - end: 99 - - source: '"rsa"' - style: secondary - start: 95 - end: 100 - - source: modulusLength - style: secondary - start: 112 - end: 125 - - source: '512' - style: secondary - start: 127 - end: 130 - - source: 'modulusLength: 512' - style: secondary - start: 112 - end: 130 - - source: |- - { - a: 123, - modulusLength: 512, - } - style: secondary - start: 102 - end: 133 - - source: |- - ("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 94 - end: 134 - - source: |- - crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 68 - end: 134 - - source: |- - { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 40 - end: 134 - - source: crypto - style: secondary - start: 6 - end: 12 - - source: require - style: secondary - start: 15 - end: 22 - - source: crypto - style: secondary - start: 24 - end: 30 - - source: '"crypto"' - style: secondary - start: 23 - end: 31 - - source: ("crypto") - style: secondary - start: 22 - end: 32 - - source: require("crypto") - style: secondary - start: 15 - end: 32 - - source: crypto = require("crypto") - style: secondary - start: 6 - end: 32 - - source: const crypto = require("crypto"); - style: secondary - start: 0 - end: 33 - - source: |- - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - 
style: secondary - start: 34 - end: 135 diff --git a/tests/__snapshots__/node-rsa-weak-key-typescript-snapshot.yml b/tests/__snapshots__/node-rsa-weak-key-typescript-snapshot.yml deleted file mode 100644 index 2fddb231..00000000 --- a/tests/__snapshots__/node-rsa-weak-key-typescript-snapshot.yml +++ /dev/null 
@@ -1,375 +0,0 @@ -id: node-rsa-weak-key-typescript -snapshots: - ? | - const NodeRSA = require('node-rsa'); - const key = new NodeRSA({b: 204}); - : labels: - - source: '204' - style: primary - start: 65 - end: 68 - - source: NodeRSA - style: secondary - start: 53 - end: 60 - - source: b - style: secondary - start: 62 - end: 63 - - source: '204' - style: secondary - start: 65 - end: 68 - - source: 'b: 204' - style: secondary - start: 62 - end: 68 - - source: '{b: 204}' - style: secondary - start: 61 - end: 69 - - source: '({b: 204})' - style: secondary - start: 60 - end: 70 - - source: 'new NodeRSA({b: 204})' - style: secondary - start: 49 - end: 70 - - source: '{b: 204}' - style: secondary - start: 61 - end: 69 - - source: 'b: 204' - style: secondary - start: 62 - end: 68 - - source: NodeRSA - style: secondary - start: 6 - end: 13 - - source: require - style: secondary - start: 16 - end: 23 - - source: node-rsa - style: secondary - start: 25 - end: 33 - - source: ('node-rsa') - style: secondary - start: 23 - end: 35 - - source: require('node-rsa') - style: secondary - start: 16 - end: 35 - - source: NodeRSA = require('node-rsa') - style: secondary - start: 6 - end: 35 - - source: const NodeRSA = require('node-rsa'); - style: secondary - start: 0 - end: 36 - - source: 'const key = new NodeRSA({b: 204});' - style: secondary - start: 37 - end: 71 - ? 
| - const NodeRSA = require('node-rsa'); - const key = new NodeRSA({b: 512}); - : labels: - - source: '512' - style: primary - start: 65 - end: 68 - - source: NodeRSA - style: secondary - start: 53 - end: 60 - - source: b - style: secondary - start: 62 - end: 63 - - source: '512' - style: secondary - start: 65 - end: 68 - - source: 'b: 512' - style: secondary - start: 62 - end: 68 - - source: '{b: 512}' - style: secondary - start: 61 - end: 69 - - source: '({b: 512})' - style: secondary - start: 60 - end: 70 - - source: 'new NodeRSA({b: 512})' - style: secondary - start: 49 - end: 70 - - source: '{b: 512}' - style: secondary - start: 61 - end: 69 - - source: 'b: 512' - style: secondary - start: 62 - end: 68 - - source: NodeRSA - style: secondary - start: 6 - end: 13 - - source: require - style: secondary - start: 16 - end: 23 - - source: node-rsa - style: secondary - start: 25 - end: 33 - - source: ('node-rsa') - style: secondary - start: 23 - end: 35 - - source: require('node-rsa') - style: secondary - start: 16 - end: 35 - - source: NodeRSA = require('node-rsa') - style: secondary - start: 6 - end: 35 - - source: const NodeRSA = require('node-rsa'); - style: secondary - start: 0 - end: 36 - - source: 'const key = new NodeRSA({b: 512});' - style: secondary - start: 37 - end: 71 - ? 
| - const crypto = require("crypto"); - const keypair2 = await util.promisify(crypto.generateKeyPair)("rsa", { - modulusLength: 512, - }); - : labels: - - source: '512' - style: primary - start: 120 - end: 123 - - source: util - style: secondary - start: 57 - end: 61 - - source: promisify - style: secondary - start: 62 - end: 71 - - source: util.promisify - style: secondary - start: 57 - end: 71 - - source: crypto - style: secondary - start: 72 - end: 78 - - source: generateKeyPair - style: secondary - start: 79 - end: 94 - - source: crypto.generateKeyPair - style: secondary - start: 72 - end: 94 - - source: (crypto.generateKeyPair) - style: secondary - start: 71 - end: 95 - - source: util.promisify(crypto.generateKeyPair) - style: secondary - start: 57 - end: 95 - - source: '"rsa"' - style: secondary - start: 96 - end: 101 - - source: modulusLength - style: secondary - start: 105 - end: 118 - - source: '512' - style: secondary - start: 120 - end: 123 - - source: 'modulusLength: 512' - style: secondary - start: 105 - end: 123 - - source: |- - { - modulusLength: 512, - } - style: secondary - start: 103 - end: 126 - - source: |- - ("rsa", { - modulusLength: 512, - }) - style: secondary - start: 95 - end: 127 - - source: |- - util.promisify(crypto.generateKeyPair)("rsa", { - modulusLength: 512, - }) - style: secondary - start: 57 - end: 127 - - source: 'modulusLength: 512' - style: secondary - start: 105 - end: 123 - - source: crypto - style: secondary - start: 6 - end: 12 - - source: require - style: secondary - start: 15 - end: 22 - - source: crypto - style: secondary - start: 24 - end: 30 - - source: ("crypto") - style: secondary - start: 22 - end: 32 - - source: require("crypto") - style: secondary - start: 15 - end: 32 - - source: crypto = require("crypto") - style: secondary - start: 6 - end: 32 - - source: const crypto = require("crypto"); - style: secondary - start: 0 - end: 33 - - source: |- - const keypair2 = await 
util.promisify(crypto.generateKeyPair)("rsa", { - modulusLength: 512, - }); - style: secondary - start: 34 - end: 128 - ? | - const crypto = require("crypto"); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - : labels: - - source: '512' - style: primary - start: 127 - end: 130 - - source: crypto - style: secondary - start: 68 - end: 74 - - source: generateKeyPairSync - style: secondary - start: 75 - end: 94 - - source: crypto.generateKeyPairSync - style: secondary - start: 68 - end: 94 - - source: '"rsa"' - style: secondary - start: 95 - end: 100 - - source: modulusLength - style: secondary - start: 112 - end: 125 - - source: '512' - style: secondary - start: 127 - end: 130 - - source: 'modulusLength: 512' - style: secondary - start: 112 - end: 130 - - source: |- - { - a: 123, - modulusLength: 512, - } - style: secondary - start: 102 - end: 133 - - source: |- - ("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 94 - end: 134 - - source: |- - crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 68 - end: 134 - - source: 'modulusLength: 512' - style: secondary - start: 112 - end: 130 - - source: crypto - style: secondary - start: 6 - end: 12 - - source: require - style: secondary - start: 15 - end: 22 - - source: crypto - style: secondary - start: 24 - end: 30 - - source: ("crypto") - style: secondary - start: 22 - end: 32 - - source: require("crypto") - style: secondary - start: 15 - end: 32 - - source: crypto = require("crypto") - style: secondary - start: 6 - end: 32 - - source: const crypto = require("crypto"); - style: secondary - start: 0 - end: 33 - - source: |- - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - style: secondary - start: 34 - end: 135 
diff --git a/tests/__snapshots__/node-sequelize-empty-password-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-empty-password-argument-javascript-snapshot.yml deleted file mode 100644 index 1f2d60ee..00000000 --- a/tests/__snapshots__/node-sequelize-empty-password-argument-javascript-snapshot.yml +++ /dev/null 
@@ -1,273 +0,0 @@ -id: node-sequelize-empty-password-argument-javascript -snapshots: - ? | - const Sequelize = require('sequelize'); - const passwordDynamic = ''; - const sequelize2 = new Sequelize('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - : labels: - - source: passwordDynamic - style: primary - start: 125 - end: 140 - - source: Sequelize - style: secondary - start: 91 - end: 100 - - source: passwordDynamic - style: secondary - start: 125 - end: 140 - - source: |- - ('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 100 - end: 197 - - source: |- - new Sequelize('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 87 - end: 197 - - source: passwordDynamic - style: secondary - start: 46 - end: 61 - - source: '''''' - style: secondary - start: 64 - end: 66 - - source: passwordDynamic = '' - style: secondary - start: 46 - end: 66 - - source: const passwordDynamic = ''; - style: secondary - start: 40 - end: 67 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: require - style: secondary - start: 18 - end: 25 - - source: sequelize - style: secondary - start: 27 - end: 36 - - source: '''sequelize''' - style: secondary - start: 26 - end: 37 - - source: ('sequelize') - style: secondary - start: 25 - end: 38 - - source: require('sequelize') - style: secondary - start: 18 - end: 38 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize2 = new Sequelize('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - style: secondary - start: 68 - end: 198 - ? 
| - const Sequelize = require('sequelize'); - const passwordFromEnv = ''; - const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - : labels: - - source: passwordFromEnv - style: primary - start: 125 - end: 140 - - source: Sequelize - style: secondary - start: 91 - end: 100 - - source: passwordFromEnv - style: secondary - start: 125 - end: 140 - - source: |- - ('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 100 - end: 197 - - source: |- - new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 87 - end: 197 - - source: passwordFromEnv - style: secondary - start: 46 - end: 61 - - source: '''''' - style: secondary - start: 64 - end: 66 - - source: passwordFromEnv = '' - style: secondary - start: 46 - end: 66 - - source: const passwordFromEnv = ''; - style: secondary - start: 40 - end: 67 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: require - style: secondary - start: 18 - end: 25 - - source: sequelize - style: secondary - start: 27 - end: 36 - - source: '''sequelize''' - style: secondary - start: 26 - end: 37 - - source: ('sequelize') - style: secondary - start: 25 - end: 38 - - source: require('sequelize') - style: secondary - start: 18 - end: 38 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - style: secondary - start: 68 - end: 198 - ? 
| - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''''' - style: primary - start: 97 - end: 99 - - source: Sequelize - style: secondary - start: 63 - end: 72 - - source: '''''' - style: secondary - start: 97 - end: 99 - - source: |- - ('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 72 - end: 158 - - source: |- - new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 59 - end: 158 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: require - style: secondary - start: 18 - end: 25 - - source: sequelize - style: secondary - start: 27 - end: 36 - - source: '''sequelize''' - style: secondary - start: 26 - end: 37 - - source: ('sequelize') - style: secondary - start: 25 - end: 38 - - source: require('sequelize') - style: secondary - start: 18 - end: 38 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 40 - end: 158 diff --git a/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml deleted file mode 100644 index a4ca97bf..00000000 --- a/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml +++ /dev/null 
@@ -1,197 +0,0 @@ -id: node-sequelize-empty-password-argument-typescript -snapshots: - ? | - const Sequelize = require('sequelize'); - const passwordDynamic = ''; - const sequelize2 = new Sequelize('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - : labels: - - source: passwordDynamic - style: primary - start: 125 - end: 140 - - source: |- - { - host: 'localhost', - port: 5432, - dialect: 'postgres' - } - style: secondary - start: 142 - end: 196 - - source: Sequelize - style: secondary - start: 91 - end: 100 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - new Sequelize('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 87 - end: 197 - - source: |- - ('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 100 - end: 197 - - source: passwordDynamic - style: secondary - start: 46 - end: 61 - - source: '''''' - style: secondary - start: 64 - end: 66 - - source: passwordDynamic = '' - style: secondary - start: 46 - end: 66 - - source: const passwordDynamic = ''; - style: secondary - start: 40 - end: 67 - - source: const passwordDynamic = ''; - style: secondary - start: 40 - end: 67 - ? 
| - const Sequelize = require('sequelize'); - const passwordFromEnv = ''; - const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - : labels: - - source: passwordFromEnv - style: primary - start: 125 - end: 140 - - source: |- - { - host: 'localhost', - port: 5432, - dialect: 'postgres' - } - style: secondary - start: 142 - end: 196 - - source: Sequelize - style: secondary - start: 91 - end: 100 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 87 - end: 197 - - source: |- - ('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 100 - end: 197 - - source: passwordFromEnv - style: secondary - start: 46 - end: 61 - - source: '''''' - style: secondary - start: 64 - end: 66 - - source: passwordFromEnv = '' - style: secondary - start: 46 - end: 66 - - source: const passwordFromEnv = ''; - style: secondary - start: 40 - end: 67 - - source: const passwordFromEnv = ''; - style: secondary - start: 40 - end: 67 - ? 
| - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''''' - style: primary - start: 97 - end: 99 - - source: |- - { - host: 'localhost', - port: '5433', - dialect: 'postgres' - } - style: secondary - start: 101 - end: 157 - - source: Sequelize - style: secondary - start: 63 - end: 72 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 59 - end: 158 - - source: |- - ('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 72 - end: 158 diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml deleted file mode 100644 index c00d22c4..00000000 --- a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-javascript -snapshots: - ? | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''password''' - style: primary - start: 96 - end: 106 - - source: Sequelize - style: secondary - start: 62 - end: 71 - - source: password - style: secondary - start: 97 - end: 105 - - source: '''password''' - style: secondary - start: 96 - end: 106 - - source: |- - ('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 71 - end: 165 - - source: |- - new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 58 - end: 165 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 40 - end: 165 - ? 
| - const Sequelize = require('sequelize'); - const sequelize8 = new Sequelize('database', 'username', 'password', options); - : labels: - - source: '''password''' - style: primary - start: 97 - end: 107 - - source: Sequelize - style: secondary - start: 63 - end: 72 - - source: password - style: secondary - start: 98 - end: 106 - - source: '''password''' - style: secondary - start: 97 - end: 107 - - source: ('database', 'username', 'password', options) - style: secondary - start: 72 - end: 117 - - source: new Sequelize('database', 'username', 'password', options) - style: secondary - start: 59 - end: 117 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: const sequelize8 = new Sequelize('database', 'username', 'password', options); - style: secondary - start: 40 - end: 118 diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml deleted file mode 100644 index 53491e43..00000000 --- a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml +++ /dev/null 
@@ -1,133 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-typescript -snapshots: - ? |- - const Sequelize = require('sequelize'); - const passwordFromEnv = 'test'; - const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - : labels: - - source: passwordFromEnv - style: primary - start: 129 - end: 144 - - source: |- - { - host: 'localhost', - port: 5432, - dialect: 'postgres' - } - style: secondary - start: 146 - end: 200 - - source: Sequelize - style: secondary - start: 95 - end: 104 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 91 - end: 201 - - source: |- - ('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }) - style: secondary - start: 104 - end: 201 - - source: passwordFromEnv - style: secondary - start: 46 - end: 61 - - source: test - style: secondary - start: 65 - end: 69 - - source: '''test''' - style: secondary - start: 64 - end: 70 - - source: passwordFromEnv = 'test' - style: secondary - start: 46 - end: 70 - - source: const passwordFromEnv = 'test'; - style: secondary - start: 40 - end: 71 - - source: const passwordFromEnv = 'test'; - style: secondary - start: 40 - end: 71 - ? 
| - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''password''' - style: primary - start: 96 - end: 106 - - source: password - style: secondary - start: 97 - end: 105 - - source: |- - { - host: 'localhost', - port: '5433', - dialect: 'postgres' - } - style: secondary - start: 108 - end: 164 - - source: Sequelize - style: secondary - start: 62 - end: 71 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 58 - end: 165 - - source: |- - ('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 71 - end: 165 diff --git a/tests/__snapshots__/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml deleted file mode 100644 index 73b4e36c..00000000 --- a/tests/__snapshots__/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml +++ /dev/null 
@@ -1,244 +0,0 @@ -id: npgsqlconnectionstringbuilder-hardcoded-secret-csharp -snapshots: - ? | - using System; - using Npgsql; - namespace a - { - class Program - { - static void Main(string[] args) - { - NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - string password = "aaa"; - urlBuilder.Password = "aaaa"; - } - } - } - : labels: - - source: urlBuilder.Password = "aaaa" - style: primary - start: 227 - end: 255 - - source: urlBuilder - style: secondary - start: 227 - end: 237 - - source: Password - style: secondary - start: 238 - end: 246 - - source: urlBuilder.Password - style: secondary - start: 227 - end: 246 - - source: '"aaaa"' - style: secondary - start: 249 - end: 255 - - source: NpgsqlConnectionStringBuilder - style: secondary - start: 110 - end: 139 - - source: urlBuilder - style: secondary - start: 140 - end: 150 - - source: NpgsqlConnectionStringBuilder - style: secondary - start: 157 - end: 186 - - source: () - style: secondary - start: 186 - end: 188 - - source: new NpgsqlConnectionStringBuilder() - style: secondary - start: 153 - end: 188 - - source: urlBuilder = new NpgsqlConnectionStringBuilder() - style: secondary - start: 140 - end: 188 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder() - style: secondary - start: 110 - end: 188 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - style: secondary - start: 110 - end: 189 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - style: secondary - start: 110 - end: 189 - ? 
| - using System; - using Npgsql; - namespace a - { - class Program - { - static void Main(string[] args) - { - NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - string password = "aaa"; - urlBuilder["Password"] = "aaaa"; - } - } - } - : labels: - - source: urlBuilder["Password"] = "aaaa" - style: primary - start: 227 - end: 258 - - source: urlBuilder - style: secondary - start: 227 - end: 237 - - source: Password - style: secondary - start: 239 - end: 247 - - source: '"Password"' - style: secondary - start: 238 - end: 248 - - source: '"Password"' - style: secondary - start: 238 - end: 248 - - source: '["Password"]' - style: secondary - start: 237 - end: 249 - - source: urlBuilder["Password"] - style: secondary - start: 227 - end: 249 - - source: '"aaaa"' - style: secondary - start: 252 - end: 258 - - source: NpgsqlConnectionStringBuilder - style: secondary - start: 110 - end: 139 - - source: urlBuilder - style: secondary - start: 140 - end: 150 - - source: NpgsqlConnectionStringBuilder - style: secondary - start: 157 - end: 186 - - source: () - style: secondary - start: 186 - end: 188 - - source: new NpgsqlConnectionStringBuilder() - style: secondary - start: 153 - end: 188 - - source: urlBuilder = new NpgsqlConnectionStringBuilder() - style: secondary - start: 140 - end: 188 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder() - style: secondary - start: 110 - end: 188 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - style: secondary - start: 110 - end: 189 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - style: secondary - start: 110 - end: 189 - ? 
"using System;\nusing Npgsql;\nnamespace a\n{\n class Program\n {\n static void Main(string[] args)\n {\n NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder();\n string password = \"aaa\"; \n urlBuilder[\"Password\"] = password;\n }\n }\n}\n" - : labels: - - source: urlBuilder["Password"] = password - style: primary - start: 229 - end: 262 - - source: urlBuilder - style: secondary - start: 229 - end: 239 - - source: Password - style: secondary - start: 241 - end: 249 - - source: '"Password"' - style: secondary - start: 240 - end: 250 - - source: '"Password"' - style: secondary - start: 240 - end: 250 - - source: '["Password"]' - style: secondary - start: 239 - end: 251 - - source: urlBuilder["Password"] - style: secondary - start: 229 - end: 251 - - source: password - style: secondary - start: 254 - end: 262 - - source: urlBuilder - style: secondary - start: 140 - end: 150 - - source: NpgsqlConnectionStringBuilder - style: secondary - start: 157 - end: 186 - - source: () - style: secondary - start: 186 - end: 188 - - source: new NpgsqlConnectionStringBuilder() - style: secondary - start: 153 - end: 188 - - source: urlBuilder = new NpgsqlConnectionStringBuilder() - style: secondary - start: 140 - end: 188 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder() - style: secondary - start: 110 - end: 188 - - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - style: secondary - start: 110 - end: 189 - - source: password - style: secondary - start: 203 - end: 211 - - source: '"aaa"' - style: secondary - start: 214 - end: 219 - - source: password = "aaa" - style: secondary - start: 203 - end: 219 - - source: string password = "aaa" - style: secondary - start: 196 - end: 219 - - source: string password = "aaa"; - style: secondary - start: 196 - end: 220 - - source: urlBuilder["Password"] = password; - style: secondary - start: 229 - end: 263 
diff --git a/tests/__snapshots__/null-library-function-c-snapshot.yml b/tests/__snapshots__/null-library-function-c-snapshot.yml deleted file mode 100644 index ca60a298..00000000 --- a/tests/__snapshots__/null-library-function-c-snapshot.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -id: null-library-function-c -snapshots: - ? | - void f() { - char buf[128]; - strcpy(buf, getenv("FOO")); - } - : labels: - - source: strcpy(buf, getenv("FOO")) - style: primary - start: 32 - end: 58 - - source: strcpy - style: secondary - start: 32 - end: 38 - - source: getenv - style: secondary - start: 44 - end: 50 - - source: ("FOO") - style: secondary - start: 50 - end: 57 - - source: getenv("FOO") - style: secondary - start: 44 - end: 57 - - source: (buf, getenv("FOO")) - style: secondary - start: 38 - end: 58 - ? |- - void test_getc() { - int c = getc(fptr = fopen(file_name, "r")); - } - : labels: - - source: getc(fptr = fopen(file_name, "r")) - style: primary - start: 28 - end: 62 - - source: getc - style: secondary - start: 28 - end: 32 - - source: fptr - style: secondary - start: 33 - end: 37 - - source: fopen - style: secondary - start: 40 - end: 45 - - source: fopen(file_name, "r") - style: secondary - start: 40 - end: 61 - - source: fptr = fopen(file_name, "r") - style: secondary - start: 33 - end: 61 - - source: (fptr = fopen(file_name, "r")) - style: secondary - start: 32 - end: 62 - ? | - { - FILE *fptr; - fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w")); - } - : labels: - - source: fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w")) - style: primary - start: 16 - end: 65 - - source: fwrite - style: secondary - start: 16 - end: 22 - - source: fopen - style: secondary - start: 43 - end: 48 - - source: ("foo.txt", "w") - style: secondary - start: 48 - end: 64 - - source: fopen("foo.txt", "w") - style: secondary - start: 43 - end: 64 - - source: ("foo", 3, 1, fptr = fopen("foo.txt", "w")) - style: secondary - start: 22 - end: 65 - ? 
| - { - fwrite("foo", 3, 1, fopen("foo.txt", "w")); - } - : labels: - - source: fwrite("foo", 3, 1, fopen("foo.txt", "w")) - style: primary - start: 3 - end: 45 - - source: fwrite - style: secondary - start: 3 - end: 9 - - source: fopen - style: secondary - start: 23 - end: 28 - - source: ("foo.txt", "w") - style: secondary - start: 28 - end: 44 - - source: fopen("foo.txt", "w") - style: secondary - start: 23 - end: 44 - - source: ("foo", 3, 1, fopen("foo.txt", "w")) - style: secondary - start: 9 - end: 45 diff --git a/tests/__snapshots__/null-library-function-cpp-snapshot.yml b/tests/__snapshots__/null-library-function-cpp-snapshot.yml deleted file mode 100644 index e8d68475..00000000 --- a/tests/__snapshots__/null-library-function-cpp-snapshot.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -id: null-library-function-cpp -snapshots: - ? | - void f() { - char buf[128]; - strcpy(buf, getenv("FOO")); - } - : labels: - - source: strcpy(buf, getenv("FOO")) - style: primary - start: 32 - end: 58 - - source: strcpy - style: secondary - start: 32 - end: 38 - - source: getenv - style: secondary - start: 44 - end: 50 - - source: ("FOO") - style: secondary - start: 50 - end: 57 - - source: getenv("FOO") - style: secondary - start: 44 - end: 57 - - source: (buf, getenv("FOO")) - style: secondary - start: 38 - end: 58 - ? |- - void test_getc() { - int c = getc(fptr = fopen(file_name, "r")); - } - : labels: - - source: getc(fptr = fopen(file_name, "r")) - style: primary - start: 28 - end: 62 - - source: getc - style: secondary - start: 28 - end: 32 - - source: fptr - style: secondary - start: 33 - end: 37 - - source: fopen - style: secondary - start: 40 - end: 45 - - source: fopen(file_name, "r") - style: secondary - start: 40 - end: 61 - - source: fptr = fopen(file_name, "r") - style: secondary - start: 33 - end: 61 - - source: (fptr = fopen(file_name, "r")) - style: secondary - start: 32 - end: 62 - ? | - { - FILE *fptr; - fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w")); - } - : labels: - - source: fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w")) - style: primary - start: 16 - end: 65 - - source: fwrite - style: secondary - start: 16 - end: 22 - - source: fopen - style: secondary - start: 43 - end: 48 - - source: ("foo.txt", "w") - style: secondary - start: 48 - end: 64 - - source: fopen("foo.txt", "w") - style: secondary - start: 43 - end: 64 - - source: ("foo", 3, 1, fptr = fopen("foo.txt", "w")) - style: secondary - start: 22 - end: 65 - ? 
| - { - fwrite("foo", 3, 1, fopen("foo.txt", "w")); - } - : labels: - - source: fwrite("foo", 3, 1, fopen("foo.txt", "w")) - style: primary - start: 3 - end: 45 - - source: fwrite - style: secondary - start: 3 - end: 9 - - source: fopen - style: secondary - start: 23 - end: 28 - - source: ("foo.txt", "w") - style: secondary - start: 28 - end: 44 - - source: fopen("foo.txt", "w") - style: secondary - start: 23 - end: 44 - - source: ("foo", 3, 1, fopen("foo.txt", "w")) - style: secondary - start: 9 - end: 45 diff --git a/tests/__snapshots__/openai-empty-secret-go-snapshot.yml b/tests/__snapshots__/openai-empty-secret-go-snapshot.yml deleted file mode 100644 index df055371..00000000 --- a/tests/__snapshots__/openai-empty-secret-go-snapshot.yml +++ /dev/null @@ -1,46 +0,0 @@ -id: openai-empty-secret-go -snapshots: - ? | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("") - } - : labels: - - source: openai.NewClient("") - style: primary - start: 72 - end: 92 - - source: openai - style: secondary - start: 72 - end: 78 - - source: NewClient - style: secondary - start: 79 - end: 88 - - source: openai.NewClient - style: secondary - start: 72 - end: 88 - - source: '""' - style: secondary - start: 89 - end: 91 - - source: ("") - style: secondary - start: 88 - end: 92 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 9 - end: 44 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 9 - end: 44 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 9 - end: 44 diff --git a/tests/__snapshots__/openai-hardcoded-secret-go-snapshot.yml b/tests/__snapshots__/openai-hardcoded-secret-go-snapshot.yml deleted file mode 100644 index 5f2af31f..00000000 --- a/tests/__snapshots__/openai-hardcoded-secret-go-snapshot.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: openai-hardcoded-secret-go -snapshots: - ? | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("my-openai-token") - } - : labels: - - source: openai.NewClient("my-openai-token") - style: primary - start: 75 - end: 110 - - source: openai - style: secondary - start: 75 - end: 81 - - source: NewClient - style: secondary - start: 82 - end: 91 - - source: openai.NewClient - style: secondary - start: 75 - end: 91 - - source: my-openai-token - style: secondary - start: 93 - end: 108 - - source: '"my-openai-token"' - style: secondary - start: 92 - end: 109 - - source: ("my-openai-token") - style: secondary - start: 91 - end: 110 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 11 - end: 46 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 11 - end: 46 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 11 - end: 46 diff --git a/tests/__snapshots__/openai-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/openai-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 7be78d4f..00000000 --- a/tests/__snapshots__/openai-hardcoded-secret-python-snapshot.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: openai-hardcoded-secret-python -snapshots: - ? | - api_key="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" - f = "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" - : labels: - - source: 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 - style: primary - start: 9 - end: 60 - - source: '"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"' - style: secondary - start: 8 - end: 61 diff --git a/tests/__snapshots__/openssl-cbc-static-iv-php-snapshot.yml b/tests/__snapshots__/openssl-cbc-static-iv-php-snapshot.yml deleted file mode 100644 index de33c39a..00000000 --- a/tests/__snapshots__/openssl-cbc-static-iv-php-snapshot.yml +++ /dev/null 
@@ -1,357 +0,0 @@ -id: openssl-cbc-static-iv-php -snapshots: - ? | - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 52 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 15 - end: 19 - - source: http://astgrep.dev - style: secondary - start: 21 - end: 39 - - source: href="http://astgrep.dev" - style: secondary - start: 15 - end: 40 - - source: - style: secondary - start: 0 - end: 41 - ? | - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 52 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 15 - end: 19 - - source: http://astgrep.dev - style: secondary - start: 21 - end: 39 - - source: href='http://astgrep.dev' - style: secondary - start: 15 - end: 40 - - source: - style: secondary - start: 0 - end: 41 - ? | - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 48 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 13 - end: 17 - - source: http://astgrep.dev - style: secondary - start: 18 - end: 36 - - source: href=http://astgrep.dev - style: secondary - start: 13 - end: 36 - - source: - style: secondary - start: 0 - end: 37 - ? | - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 40 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 3 - end: 7 - - source: HTTP://ASTGREP.DEV - style: secondary - start: 9 - end: 27 - - source: href="HTTP://ASTGREP.DEV" - style: secondary - start: 3 - end: 28 - - source: - style: secondary - start: 0 - end: 29 - ? 
| - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 40 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 3 - end: 7 - - source: http://astgrep.dev - style: secondary - start: 9 - end: 27 - - source: href="http://astgrep.dev" - style: secondary - start: 3 - end: 28 - - source: - style: secondary - start: 0 - end: 29 - ? | - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 40 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 3 - end: 7 - - source: http://astgrep.dev - style: secondary - start: 9 - end: 27 - - source: href='http://astgrep.dev' - style: secondary - start: 3 - end: 28 - - source: - style: secondary - start: 0 - end: 29 - ? | - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 38 - - source: a - style: secondary - start: 1 - end: 2 - - source: href - style: secondary - start: 3 - end: 7 - - source: http://astgrep.dev - style: secondary - start: 8 - end: 26 - - source: href=http://astgrep.dev - style: secondary - start: 3 - end: 26 - - source: - style: secondary - start: 0 - end: 27 diff --git a/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml b/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml deleted file mode 100644 index 725281f7..00000000 --- a/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml +++ /dev/null 
@@ -1,461 +0,0 @@ -id: postgres-empty-password-rust -snapshots: - ? | - async fn test2() -> Result<(), anyhow::Error> { - asa = ""; - let (client, connection) = postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password(asa) - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - Ok(()) - } - : labels: - - source: |- - postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password(asa) - style: primary - start: 85 - end: 173 - - source: postgres::Config::new() - style: secondary - start: 85 - end: 108 - - source: |- - postgres::Config::new() - .host - style: secondary - start: 85 - end: 114 - - source: (shard_host_name.as_str()) - style: secondary - start: 114 - end: 140 - - source: |- - postgres::Config::new() - .host(shard_host_name.as_str()) - style: secondary - start: 85 - end: 140 - - source: user - style: secondary - start: 142 - end: 146 - - source: |- - postgres::Config::new() - .host(shard_host_name.as_str()) - .user - style: secondary - start: 85 - end: 146 - - source: ("postgres") - style: secondary - start: 146 - end: 158 - - source: |- - postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - style: secondary - start: 85 - end: 158 - - source: password - style: secondary - start: 160 - end: 168 - - source: |- - postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password - style: secondary - start: 85 - end: 168 - - source: asa - style: secondary - start: 169 - end: 172 - - source: (asa) - style: secondary - start: 168 - end: 173 - - source: asa - style: secondary - start: 48 - end: 51 - - source: '""' - style: secondary - start: 54 - end: 56 - - source: asa = "" - style: secondary - start: 48 - end: 56 - - source: asa = ""; - style: secondary - start: 48 - end: 57 - - source: |- - 
let (client, connection) = postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password(asa) - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - style: secondary - start: 58 - end: 382 - ? | - fn test1() { - let mut config = postgres::Config::new(); - as = ""; - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password(as) - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - : labels: - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password(as) - style: primary - start: 64 - end: 183 - - source: config - style: secondary - start: 64 - end: 70 - - source: |- - config - .host - style: secondary - start: 64 - end: 77 - - source: (std::env::var("HOST").expect("set HOST")) - style: secondary - start: 77 - end: 119 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - style: secondary - start: 64 - end: 119 - - source: user - style: secondary - start: 122 - end: 126 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user - style: secondary - start: 64 - end: 126 - - source: (std::env::var("USER").expect("set USER")) - style: secondary - start: 126 - end: 168 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - style: secondary - start: 64 - end: 168 - - source: password - style: secondary - start: 171 - end: 179 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password - style: secondary - start: 64 - end: 179 - - source: as - style: secondary - start: 180 - end: 182 - - source: 
(as) - style: secondary - start: 179 - end: 183 - - source: config - style: secondary - start: 21 - end: 27 - - source: postgres::Config::new() - style: secondary - start: 30 - end: 53 - - source: let mut config = postgres::Config::new(); - style: secondary - start: 13 - end: 54 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password(as) - .port(std::env::var("PORT").expect("set PORT")); - style: secondary - start: 64 - end: 233 - - source: as - style: secondary - start: 55 - end: 57 - - source: '""' - style: secondary - start: 60 - end: 62 - - source: as = "" - style: secondary - start: 55 - end: 62 - - source: as = ""; - style: secondary - start: 55 - end: 63 - - source: |- - { - let mut config = postgres::Config::new(); - as = ""; - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password(as) - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - style: secondary - start: 11 - end: 292 - ? 
|- - fn test1() { - let mut config = postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - : labels: - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - style: primary - start: 55 - end: 174 - - source: config - style: secondary - start: 55 - end: 61 - - source: |- - config - .host - style: secondary - start: 55 - end: 68 - - source: (std::env::var("HOST").expect("set HOST")) - style: secondary - start: 68 - end: 110 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - style: secondary - start: 55 - end: 110 - - source: user - style: secondary - start: 113 - end: 117 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user - style: secondary - start: 55 - end: 117 - - source: (std::env::var("USER").expect("set USER")) - style: secondary - start: 117 - end: 159 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - style: secondary - start: 55 - end: 159 - - source: password - style: secondary - start: 162 - end: 170 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password - style: secondary - start: 55 - end: 170 - - source: '""' - style: secondary - start: 171 - end: 173 - - source: ("") - style: secondary - start: 170 - end: 174 - - source: config - style: secondary - start: 21 - end: 27 - - source: postgres::Config::new() - style: secondary - start: 30 - end: 53 - - source: let mut config = postgres::Config::new(); - style: secondary - start: 13 - end: 54 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set 
USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - style: secondary - start: 55 - end: 224 - ? | - fn test1() { - let mut config = postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - : labels: - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - style: primary - start: 55 - end: 171 - - source: config - style: secondary - start: 55 - end: 61 - - source: |- - config - .host - style: secondary - start: 55 - end: 67 - - source: (std::env::var("HOST").expect("set HOST")) - style: secondary - start: 67 - end: 109 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - style: secondary - start: 55 - end: 109 - - source: user - style: secondary - start: 111 - end: 115 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user - style: secondary - start: 55 - end: 115 - - source: (std::env::var("USER").expect("set USER")) - style: secondary - start: 115 - end: 157 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - style: secondary - start: 55 - end: 157 - - source: password - style: secondary - start: 159 - end: 167 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password - style: secondary - start: 55 - end: 167 - - source: '""' - style: secondary - start: 168 - end: 170 - - source: ("") - style: secondary - start: 167 - end: 171 - - source: config - style: secondary - start: 21 - end: 27 - - source: postgres::Config::new() - style: secondary - start: 30 - end: 53 - - source: let mut config = postgres::Config::new(); - style: secondary - start: 13 - end: 
54 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - style: secondary - start: 55 - end: 220 diff --git a/tests/__snapshots__/python-cassandra-empty-password-python-snapshot.yml b/tests/__snapshots__/python-cassandra-empty-password-python-snapshot.yml deleted file mode 100644 index 0f86b2f2..00000000 --- a/tests/__snapshots__/python-cassandra-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -id: python-cassandra-empty-password-python -snapshots: - ? | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider('user', '') - : labels: - - source: PlainTextAuthProvider('user', '') - style: primary - start: 65 - end: 98 - - source: '''' - style: secondary - start: 95 - end: 96 - - source: '''' - style: secondary - start: 96 - end: 97 - - source: '''''' - style: secondary - start: 95 - end: 97 - - source: ('user', '') - style: secondary - start: 86 - end: 98 - - source: PlainTextAuthProvider - style: secondary - start: 65 - end: 86 - - source: cassandra.auth - style: secondary - start: 5 - end: 19 - - source: PlainTextAuthProvider - style: secondary - start: 27 - end: 48 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - ? | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider(username='user', password='') - : labels: - - source: PlainTextAuthProvider(username='user', password='') - style: primary - start: 65 - end: 116 - - source: password - style: secondary - start: 104 - end: 112 - - source: '''' - style: secondary - start: 113 - end: 114 - - source: '''' - style: secondary - start: 114 - end: 115 - - source: '''''' - style: secondary - start: 113 - end: 115 - - source: password='' - style: secondary - start: 104 - end: 115 - - source: (username='user', password='') - style: secondary - start: 86 - end: 116 - - source: PlainTextAuthProvider - style: secondary - start: 65 - end: 86 - - source: cassandra.auth - style: secondary - start: 5 - end: 19 - - source: PlainTextAuthProvider - style: secondary - start: 27 - end: 48 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 
diff --git a/tests/__snapshots__/python-cassandra-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-cassandra-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index e90adeab..00000000 --- a/tests/__snapshots__/python-cassandra-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -id: python-cassandra-hardcoded-secret-python -snapshots: - ? | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider('user', 'pass') - : labels: - - source: PlainTextAuthProvider('user', 'pass') - style: primary - start: 65 - end: 102 - - source: '''' - style: secondary - start: 95 - end: 96 - - source: pass - style: secondary - start: 96 - end: 100 - - source: '''' - style: secondary - start: 100 - end: 101 - - source: '''pass''' - style: secondary - start: 95 - end: 101 - - source: ('user', 'pass') - style: secondary - start: 86 - end: 102 - - source: PlainTextAuthProvider - style: secondary - start: 65 - end: 86 - - source: PlainTextAuthProvider - style: secondary - start: 27 - end: 48 - - source: cassandra.auth - style: secondary - start: 5 - end: 19 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - ? 
| - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider(username='user', password='pass') - : labels: - - source: PlainTextAuthProvider(username='user', password='pass') - style: primary - start: 65 - end: 120 - - source: password - style: secondary - start: 104 - end: 112 - - source: '''' - style: secondary - start: 113 - end: 114 - - source: pass - style: secondary - start: 114 - end: 118 - - source: '''' - style: secondary - start: 118 - end: 119 - - source: '''pass''' - style: secondary - start: 113 - end: 119 - - source: password='pass' - style: secondary - start: 104 - end: 119 - - source: (username='user', password='pass') - style: secondary - start: 86 - end: 120 - - source: PlainTextAuthProvider - style: secondary - start: 65 - end: 86 - - source: PlainTextAuthProvider - style: secondary - start: 27 - end: 48 - - source: cassandra.auth - style: secondary - start: 5 - end: 19 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 diff --git a/tests/__snapshots__/python-couchbase-empty-password-python-snapshot.yml b/tests/__snapshots__/python-couchbase-empty-password-python-snapshot.yml deleted file mode 100644 index fdd4f71e..00000000 --- a/tests/__snapshots__/python-couchbase-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -id: python-couchbase-empty-password-python -snapshots: - ? | - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - PasswordAuthenticator('username', '') - : labels: - - source: PasswordAuthenticator('username', '') - style: primary - start: 121 - end: 158 - - source: PasswordAuthenticator - style: secondary - start: 121 - end: 142 - - source: '''username''' - style: secondary - start: 143 - end: 153 - - source: '''''' - style: secondary - start: 155 - end: 157 - - source: ('username', '') - style: secondary - start: 142 - end: 158 - - source: couchbase_core - style: secondary - start: 69 - end: 83 - - source: cluster - style: secondary - start: 84 - end: 91 - - source: couchbase_core.cluster - style: secondary - start: 69 - end: 91 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: from couchbase_core.cluster import PasswordAuthenticator - style: secondary - start: 64 - end: 120 - - source: | - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - PasswordAuthenticator('username', '') - style: secondary - start: 0 - end: 159 - ? 
| - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', ''))) - : labels: - - source: PasswordAuthenticator('username', '') - style: primary - start: 179 - end: 216 - - source: PasswordAuthenticator - style: secondary - start: 179 - end: 200 - - source: '''username''' - style: secondary - start: 201 - end: 211 - - source: '''''' - style: secondary - start: 213 - end: 215 - - source: ('username', '') - style: secondary - start: 200 - end: 216 - - source: couchbase_core - style: secondary - start: 69 - end: 83 - - source: cluster - style: secondary - start: 84 - end: 91 - - source: couchbase_core.cluster - style: secondary - start: 69 - end: 91 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: from couchbase_core.cluster import PasswordAuthenticator - style: secondary - start: 64 - end: 120 - - source: | - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', ''))) - style: secondary - start: 0 - end: 219 diff --git a/tests/__snapshots__/python-couchbase-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-couchbase-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 79ced8e4..00000000 --- a/tests/__snapshots__/python-couchbase-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -id: python-couchbase-hardcoded-secret-python -snapshots: - ? | - from couchbase_core.cluster import PasswordAuthenticator - cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', 'password'))) - : labels: - - source: PasswordAuthenticator('username', 'password') - style: primary - start: 115 - end: 160 - - source: '''' - style: secondary - start: 149 - end: 150 - - source: password - style: secondary - start: 150 - end: 158 - - source: '''' - style: secondary - start: 158 - end: 159 - - source: '''password''' - style: secondary - start: 149 - end: 159 - - source: ('username', 'password') - style: secondary - start: 136 - end: 160 - - source: PasswordAuthenticator - style: secondary - start: 115 - end: 136 - - source: PasswordAuthenticator - style: secondary - start: 35 - end: 56 - - source: couchbase_core.cluster - style: secondary - start: 5 - end: 27 - - source: from couchbase_core.cluster import PasswordAuthenticator - style: secondary - start: 0 - end: 56 - - source: from couchbase_core.cluster import PasswordAuthenticator - style: secondary - start: 0 - end: 56 - ? 
| - from couchbase_core.cluster import PasswordAuthenticator as abc - cluster = Cluster('couchbase://localhost', ClusterOptions(abc('username', 'password'))) - : labels: - - source: abc('username', 'password') - style: primary - start: 122 - end: 149 - - source: '''' - style: secondary - start: 138 - end: 139 - - source: password - style: secondary - start: 139 - end: 147 - - source: '''' - style: secondary - start: 147 - end: 148 - - source: '''password''' - style: secondary - start: 138 - end: 148 - - source: ('username', 'password') - style: secondary - start: 125 - end: 149 - - source: abc - style: secondary - start: 122 - end: 125 - - source: PasswordAuthenticator - style: secondary - start: 35 - end: 56 - - source: abc - style: secondary - start: 60 - end: 63 - - source: PasswordAuthenticator as abc - style: secondary - start: 35 - end: 63 - - source: couchbase_core.cluster - style: secondary - start: 5 - end: 27 - - source: from couchbase_core.cluster import PasswordAuthenticator as abc - style: secondary - start: 0 - end: 63 - - source: from couchbase_core.cluster import PasswordAuthenticator as abc - style: secondary - start: 0 - end: 63 diff --git a/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml b/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml deleted file mode 100644 index efd28d14..00000000 --- a/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -id: python-elasticsearch-hardcoded-bearer-auth-python -snapshots: - ? | - es = elasticsearch.Elasticsearch( - "https://localhost:9200", - bearer_auth="token-value" - ) - : labels: - - source: |- - elasticsearch.Elasticsearch( - "https://localhost:9200", - bearer_auth="token-value" - ) - style: primary - start: 5 - end: 91 - - source: elasticsearch.Elasticsearch - style: secondary - start: 5 - end: 32 - - source: bearer_auth - style: secondary - start: 64 - end: 75 - - source: token-value - style: secondary - start: 77 - end: 88 - - source: '"token-value"' - style: secondary - start: 76 - end: 89 - - source: bearer_auth="token-value" - style: secondary - start: 64 - end: 89 - - source: |- - ( - "https://localhost:9200", - bearer_auth="token-value" - ) - style: secondary - start: 32 - end: 91 diff --git a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml b/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml deleted file mode 100644 index 7f8eec81..00000000 --- a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -id: python-ldap3-empty-password-python -snapshots: - ? | - ldap3.Connection(password="") - : labels: - - source: ldap3.Connection(password="") - style: primary - start: 0 - end: 29 - - source: ldap3.Connection - style: secondary - start: 0 - end: 16 - - source: password - style: secondary - start: 17 - end: 25 - - source: '""' - style: secondary - start: 26 - end: 28 - - source: password="" - style: secondary - start: 17 - end: 28 - - source: (password="") - style: secondary - start: 16 - end: 29 - ? |- - test = "" - ldap3.Connection(password=test) - : labels: - - source: ldap3.Connection(password=test) - style: primary - start: 10 - end: 41 - - source: ldap3.Connection - style: secondary - start: 10 - end: 26 - - source: password - style: secondary - start: 27 - end: 35 - - source: test - style: secondary - start: 36 - end: 40 - - source: password=test - style: secondary - start: 27 - end: 40 - - source: (password=test) - style: secondary - start: 26 - end: 41 - - source: test - style: secondary - start: 0 - end: 4 - - source: '""' - style: secondary - start: 7 - end: 9 - - source: test = "" - style: secondary - start: 0 - end: 9 - - source: test = "" - style: secondary - start: 0 - end: 9 - - source: test = "" - style: secondary - start: 0 - end: 9 diff --git a/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 43869edd..00000000 --- a/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -id: python-ldap3-hardcoded-secret-python -snapshots: - ? | - ldap3.Connection(password="test") - : labels: - - source: ldap3.Connection(password="test") - style: primary - start: 0 - end: 33 - - source: password - style: secondary - start: 17 - end: 25 - - source: '"' - style: secondary - start: 26 - end: 27 - - source: test - style: secondary - start: 27 - end: 31 - - source: '"' - style: secondary - start: 31 - end: 32 - - source: '"test"' - style: secondary - start: 26 - end: 32 - - source: password="test" - style: secondary - start: 17 - end: 32 - - source: (password="test") - style: secondary - start: 16 - end: 33 - - source: ldap3.Connection - style: secondary - start: 0 - end: 16 - ? |- - test = "password" - ldap3.Connection(password=test) - : labels: - - source: ldap3.Connection(password=test) - style: primary - start: 18 - end: 49 - - source: password - style: secondary - start: 35 - end: 43 - - source: test - style: secondary - start: 0 - end: 4 - - source: '"' - style: secondary - start: 7 - end: 8 - - source: password - style: secondary - start: 8 - end: 16 - - source: '"' - style: secondary - start: 16 - end: 17 - - source: '"password"' - style: secondary - start: 7 - end: 17 - - source: test = "password" - style: secondary - start: 0 - end: 17 - - source: test = "password" - style: secondary - start: 0 - end: 17 - - source: test = "password" - style: secondary - start: 0 - end: 17 - - source: test - style: secondary - start: 44 - end: 48 - - source: password=test - style: secondary - start: 35 - end: 48 - - source: (password=test) - style: secondary - start: 34 - end: 49 - - source: ldap3.Connection - style: secondary - start: 18 - end: 34 diff --git a/tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml b/tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml deleted file mode 100644 index e4e9328d..00000000 --- a/tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -id: python-mariadb-empty-password-python -snapshots: - ? | - PASSWORD1 = "" - conn = mariadb.connect(password=PASSWORD1) - : labels: - - source: mariadb.connect(password=PASSWORD1) - style: primary - start: 22 - end: 57 - - source: password - style: secondary - start: 38 - end: 46 - - source: PASSWORD1 - style: secondary - start: 0 - end: 9 - - source: '"' - style: secondary - start: 12 - end: 13 - - source: '"' - style: secondary - start: 13 - end: 14 - - source: '""' - style: secondary - start: 12 - end: 14 - - source: PASSWORD1 = "" - style: secondary - start: 0 - end: 14 - - source: PASSWORD1 = "" - style: secondary - start: 0 - end: 14 - - source: PASSWORD1 = "" - style: secondary - start: 0 - end: 14 - - source: PASSWORD1 - style: secondary - start: 47 - end: 56 - - source: password=PASSWORD1 - style: secondary - start: 38 - end: 56 - - source: (password=PASSWORD1) - style: secondary - start: 37 - end: 57 - - source: mariadb.connect - style: secondary - start: 22 - end: 37 - ? | - conn = mariadb.connect(password="") - : labels: - - source: mariadb.connect(password="") - style: primary - start: 7 - end: 35 - - source: password - style: secondary - start: 23 - end: 31 - - source: '"' - style: secondary - start: 32 - end: 33 - - source: '"' - style: secondary - start: 33 - end: 34 - - source: '""' - style: secondary - start: 32 - end: 34 - - source: password="" - style: secondary - start: 23 - end: 34 - - source: (password="") - style: secondary - start: 22 - end: 35 - - source: mariadb.connect - style: secondary - start: 7 - end: 22 - ? 
| - import mariadb as mrdbl123 - mrdbl123.connect(host="this.is.my.host",user="root",passwd="",database="aaa") - : labels: - - source: mrdbl123.connect(host="this.is.my.host",user="root",passwd="",database="aaa") - style: primary - start: 27 - end: 104 - - source: mrdbl123 - style: secondary - start: 27 - end: 35 - - source: connect - style: secondary - start: 36 - end: 43 - - source: passwd - style: secondary - start: 79 - end: 85 - - source: '"' - style: secondary - start: 86 - end: 87 - - source: '"' - style: secondary - start: 87 - end: 88 - - source: '""' - style: secondary - start: 86 - end: 88 - - source: passwd="" - style: secondary - start: 79 - end: 88 - - source: (host="this.is.my.host",user="root",passwd="",database="aaa") - style: secondary - start: 43 - end: 104 - - source: mrdbl123.connect - style: secondary - start: 27 - end: 43 - - source: mariadb - style: secondary - start: 7 - end: 14 - - source: mrdbl123 - style: secondary - start: 18 - end: 26 - - source: mariadb as mrdbl123 - style: secondary - start: 7 - end: 26 - - source: import mariadb as mrdbl123 - style: secondary - start: 0 - end: 26 - - source: import mariadb as mrdbl123 - style: secondary - start: 0 - end: 26 diff --git a/tests/__snapshots__/python-mariadb-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-mariadb-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 29fe0c7f..00000000 --- a/tests/__snapshots__/python-mariadb-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,169 +0,0 @@ -id: python-mariadb-hardcoded-secret-python -snapshots: - ? | - PASSWORD1 = "test" - conn = mariadb.connect(password=PASSWORD1) - : labels: - - source: mariadb.connect(password=PASSWORD1) - style: primary - start: 26 - end: 61 - - source: password - style: secondary - start: 42 - end: 50 - - source: PASSWORD1 - style: secondary - start: 0 - end: 9 - - source: '"' - style: secondary - start: 12 - end: 13 - - source: test - style: secondary - start: 13 - end: 17 - - source: '"' - style: secondary - start: 17 - end: 18 - - source: '"test"' - style: secondary - start: 12 - end: 18 - - source: PASSWORD1 = "test" - style: secondary - start: 0 - end: 18 - - source: PASSWORD1 = "test" - style: secondary - start: 0 - end: 18 - - source: PASSWORD1 = "test" - style: secondary - start: 0 - end: 18 - - source: PASSWORD1 - style: secondary - start: 51 - end: 60 - - source: password=PASSWORD1 - style: secondary - start: 42 - end: 60 - - source: (password=PASSWORD1) - style: secondary - start: 41 - end: 61 - - source: mariadb.connect - style: secondary - start: 26 - end: 41 - ? | - conn = mariadb.connect(password="test") - : labels: - - source: mariadb.connect(password="test") - style: primary - start: 7 - end: 39 - - source: password - style: secondary - start: 23 - end: 31 - - source: '"' - style: secondary - start: 32 - end: 33 - - source: test - style: secondary - start: 33 - end: 37 - - source: '"' - style: secondary - start: 37 - end: 38 - - source: '"test"' - style: secondary - start: 32 - end: 38 - - source: password="test" - style: secondary - start: 23 - end: 38 - - source: (password="test") - style: secondary - start: 22 - end: 39 - - source: mariadb.connect - style: secondary - start: 7 - end: 22 - ? 
| - import mariadb as mrdbl123 - mrdbl123.connect(host="this.is.my.host",user="root",passwd="test",database="aaa") - : labels: - - source: mrdbl123.connect(host="this.is.my.host",user="root",passwd="test",database="aaa") - style: primary - start: 27 - end: 108 - - source: mrdbl123 - style: secondary - start: 27 - end: 35 - - source: connect - style: secondary - start: 36 - end: 43 - - source: passwd - style: secondary - start: 79 - end: 85 - - source: '"' - style: secondary - start: 86 - end: 87 - - source: test - style: secondary - start: 87 - end: 91 - - source: '"' - style: secondary - start: 91 - end: 92 - - source: '"test"' - style: secondary - start: 86 - end: 92 - - source: passwd="test" - style: secondary - start: 79 - end: 92 - - source: (host="this.is.my.host",user="root",passwd="test",database="aaa") - style: secondary - start: 43 - end: 108 - - source: mrdbl123.connect - style: secondary - start: 27 - end: 43 - - source: mariadb - style: secondary - start: 7 - end: 14 - - source: mrdbl123 - style: secondary - start: 18 - end: 26 - - source: mariadb as mrdbl123 - style: secondary - start: 7 - end: 26 - - source: import mariadb as mrdbl123 - style: secondary - start: 0 - end: 26 - - source: import mariadb as mrdbl123 - style: secondary - start: 0 - end: 26 diff --git a/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml deleted file mode 100644 index 18c7ac76..00000000 --- a/tests/__snapshots__/python-mysql-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -id: python-mysql-empty-password-python -snapshots: - ? | - PASSWORD1 = "" - conn = mysql.connector.connect(password=PASSWORD1) - : labels: - - source: mysql.connector.connect(password=PASSWORD1) - style: primary - start: 22 - end: 65 - - source: password - style: secondary - start: 46 - end: 54 - - source: PASSWORD1 - style: secondary - start: 0 - end: 9 - - source: '"' - style: secondary - start: 12 - end: 13 - - source: '"' - style: secondary - start: 13 - end: 14 - - source: '""' - style: secondary - start: 12 - end: 14 - - source: PASSWORD1 = "" - style: secondary - start: 0 - end: 14 - - source: PASSWORD1 = "" - style: secondary - start: 0 - end: 14 - - source: PASSWORD1 = "" - style: secondary - start: 0 - end: 14 - - source: PASSWORD1 - style: secondary - start: 55 - end: 64 - - source: password=PASSWORD1 - style: secondary - start: 46 - end: 64 - - source: (password=PASSWORD1) - style: secondary - start: 45 - end: 65 - - source: mysql.connector.connect - style: secondary - start: 22 - end: 45 - ? 
|- - import mysql.connector as mysql123 - mysql123.connect(host="localhost",user="root",passwd="",database="aaa") - : labels: - - source: mysql123.connect(host="localhost",user="root",passwd="",database="aaa") - style: primary - start: 35 - end: 106 - - source: mysql123 - style: secondary - start: 35 - end: 43 - - source: connect - style: secondary - start: 44 - end: 51 - - source: passwd - style: secondary - start: 81 - end: 87 - - source: '"' - style: secondary - start: 88 - end: 89 - - source: '"' - style: secondary - start: 89 - end: 90 - - source: '""' - style: secondary - start: 88 - end: 90 - - source: passwd="" - style: secondary - start: 81 - end: 90 - - source: (host="localhost",user="root",passwd="",database="aaa") - style: secondary - start: 51 - end: 106 - - source: mysql123.connect - style: secondary - start: 35 - end: 51 - - source: mysql123 - style: secondary - start: 26 - end: 34 - - source: mysql.connector - style: secondary - start: 7 - end: 22 - - source: mysql.connector as mysql123 - style: secondary - start: 7 - end: 34 - - source: import mysql.connector as mysql123 - style: secondary - start: 0 - end: 34 - - source: import mysql.connector as mysql123 - style: secondary - start: 0 - end: 34 - ? | - mysql.connector.connect(password="") - : labels: - - source: mysql.connector.connect(password="") - style: primary - start: 0 - end: 36 - - source: password - style: secondary - start: 24 - end: 32 - - source: '"' - style: secondary - start: 33 - end: 34 - - source: '"' - style: secondary - start: 34 - end: 35 - - source: '""' - style: secondary - start: 33 - end: 35 - - source: password="" - style: secondary - start: 24 - end: 35 - - source: (password="") - style: secondary - start: 23 - end: 36 - - source: mysql.connector.connect - style: secondary - start: 0 - end: 23 
diff --git a/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index aa616f55..00000000 --- a/tests/__snapshots__/python-mysql-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,169 +0,0 @@ -id: python-mysql-hardcoded-secret-python -snapshots: - ? | - PASSWORD1 = "password" - conn = mysql.connector.connect(password=PASSWORD1) - : labels: - - source: mysql.connector.connect(password=PASSWORD1) - style: primary - start: 30 - end: 73 - - source: password - style: secondary - start: 54 - end: 62 - - source: PASSWORD1 - style: secondary - start: 0 - end: 9 - - source: '"' - style: secondary - start: 12 - end: 13 - - source: password - style: secondary - start: 13 - end: 21 - - source: '"' - style: secondary - start: 21 - end: 22 - - source: '"password"' - style: secondary - start: 12 - end: 22 - - source: PASSWORD1 = "password" - style: secondary - start: 0 - end: 22 - - source: PASSWORD1 = "password" - style: secondary - start: 0 - end: 22 - - source: PASSWORD1 = "password" - style: secondary - start: 0 - end: 22 - - source: PASSWORD1 - style: secondary - start: 63 - end: 72 - - source: password=PASSWORD1 - style: secondary - start: 54 - end: 72 - - source: (password=PASSWORD1) - style: secondary - start: 53 - end: 73 - - source: mysql.connector.connect - style: secondary - start: 30 - end: 53 - ? 
|- - import mysql.connector as mysql123 - mysql123.connect(host="localhost",user="root",passwd="password",database="aaa") - : labels: - - source: mysql123.connect(host="localhost",user="root",passwd="password",database="aaa") - style: primary - start: 35 - end: 114 - - source: mysql123 - style: secondary - start: 35 - end: 43 - - source: connect - style: secondary - start: 44 - end: 51 - - source: passwd - style: secondary - start: 81 - end: 87 - - source: '"' - style: secondary - start: 88 - end: 89 - - source: password - style: secondary - start: 89 - end: 97 - - source: '"' - style: secondary - start: 97 - end: 98 - - source: '"password"' - style: secondary - start: 88 - end: 98 - - source: passwd="password" - style: secondary - start: 81 - end: 98 - - source: (host="localhost",user="root",passwd="password",database="aaa") - style: secondary - start: 51 - end: 114 - - source: mysql123.connect - style: secondary - start: 35 - end: 51 - - source: mysql123 - style: secondary - start: 26 - end: 34 - - source: mysql.connector - style: secondary - start: 7 - end: 22 - - source: mysql.connector as mysql123 - style: secondary - start: 7 - end: 34 - - source: import mysql.connector as mysql123 - style: secondary - start: 0 - end: 34 - - source: import mysql.connector as mysql123 - style: secondary - start: 0 - end: 34 - ? 
| - mysql.connector.connect(password="password") - : labels: - - source: mysql.connector.connect(password="password") - style: primary - start: 0 - end: 44 - - source: password - style: secondary - start: 24 - end: 32 - - source: '"' - style: secondary - start: 33 - end: 34 - - source: password - style: secondary - start: 34 - end: 42 - - source: '"' - style: secondary - start: 42 - end: 43 - - source: '"password"' - style: secondary - start: 33 - end: 43 - - source: password="password" - style: secondary - start: 24 - end: 43 - - source: (password="password") - style: secondary - start: 23 - end: 44 - - source: mysql.connector.connect - style: secondary - start: 0 - end: 23 diff --git a/tests/__snapshots__/python-mysqlclient-empty-password-python-snapshot.yml b/tests/__snapshots__/python-mysqlclient-empty-password-python-snapshot.yml deleted file mode 100644 index c54cdb1c..00000000 --- a/tests/__snapshots__/python-mysqlclient-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,286 +0,0 @@ -id: python-mysqlclient-empty-password-python -snapshots: - ? | - from MySQLdb import _mysql - db = MySQLdb._mysql.connect('', '', "", '') - : labels: - - source: MySQLdb._mysql.connect('', '', "", '') - style: primary - start: 32 - end: 70 - - source: MySQLdb._mysql - style: secondary - start: 32 - end: 46 - - source: connect - style: secondary - start: 47 - end: 54 - - source: '"' - style: secondary - start: 63 - end: 64 - - source: '"' - style: secondary - start: 64 - end: 65 - - source: '""' - style: secondary - start: 63 - end: 65 - - source: ('', '', "", '') - style: secondary - start: 54 - end: 70 - - source: MySQLdb._mysql.connect - style: secondary - start: 32 - end: 54 - ? | - from MySQLdb import _mysql - db = _mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="", db=FLAGS.db - ) - : labels: - - source: |- - _mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="", db=FLAGS.db - ) - style: primary - start: 32 - end: 108 - - source: _mysql - style: secondary - start: 20 - end: 26 - - source: MySQLdb - style: secondary - start: 5 - end: 12 - - source: from MySQLdb import _mysql - style: secondary - start: 0 - end: 26 - - source: from MySQLdb import _mysql - style: secondary - start: 0 - end: 26 - - source: _mysql - style: secondary - start: 32 - end: 38 - - source: connect - style: secondary - start: 39 - end: 46 - - source: passwd - style: secondary - start: 84 - end: 90 - - source: '"' - style: secondary - start: 91 - end: 92 - - source: '"' - style: secondary - start: 92 - end: 93 - - source: '""' - style: secondary - start: 91 - end: 93 - - source: passwd="" - style: secondary - start: 84 - end: 93 - - source: |- - ( - host=FLAGS.host, user=FLAGS.user, passwd="", db=FLAGS.db - ) - style: secondary - start: 46 - end: 108 - - source: _mysql.connect - style: secondary - start: 32 - end: 46 - ? 
| - from MySQLdb import _mysql as mysql - db = mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="", db=FLAGS.db - ) - : labels: - - source: |- - mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="", db=FLAGS.db - ) - style: primary - start: 41 - end: 116 - - source: _mysql - style: secondary - start: 20 - end: 26 - - source: mysql - style: secondary - start: 30 - end: 35 - - source: _mysql as mysql - style: secondary - start: 20 - end: 35 - - source: MySQLdb - style: secondary - start: 5 - end: 12 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: mysql - style: secondary - start: 41 - end: 46 - - source: connect - style: secondary - start: 47 - end: 54 - - source: passwd - style: secondary - start: 92 - end: 98 - - source: '"' - style: secondary - start: 99 - end: 100 - - source: '"' - style: secondary - start: 100 - end: 101 - - source: '""' - style: secondary - start: 99 - end: 101 - - source: passwd="" - style: secondary - start: 92 - end: 101 - - source: |- - ( - host=FLAGS.host, user=FLAGS.user, passwd="", db=FLAGS.db - ) - style: secondary - start: 54 - end: 116 - - source: mysql.connect - style: secondary - start: 41 - end: 54 - ? 
| - from MySQLdb import _mysql as mysql - db = mysql.connect("MYSQL_HOST", "MYSQL_USER", "", "MYSQL_DATABASE") - : labels: - - source: mysql.connect("MYSQL_HOST", "MYSQL_USER", "", "MYSQL_DATABASE") - style: primary - start: 41 - end: 104 - - source: _mysql - style: secondary - start: 20 - end: 26 - - source: mysql - style: secondary - start: 30 - end: 35 - - source: _mysql as mysql - style: secondary - start: 20 - end: 35 - - source: MySQLdb - style: secondary - start: 5 - end: 12 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: mysql - style: secondary - start: 41 - end: 46 - - source: connect - style: secondary - start: 47 - end: 54 - - source: '"' - style: secondary - start: 83 - end: 84 - - source: '"' - style: secondary - start: 84 - end: 85 - - source: '""' - style: secondary - start: 83 - end: 85 - - source: ("MYSQL_HOST", "MYSQL_USER", "", "MYSQL_DATABASE") - style: secondary - start: 54 - end: 104 - - source: mysql.connect - style: secondary - start: 41 - end: 54 - ? | - import MySQLdb - db = MySQLdb.Connection(host="127.0.0.1", user="root", passwd="", db="business") - : labels: - - source: MySQLdb.Connection(host="127.0.0.1", user="root", passwd="", db="business") - style: primary - start: 20 - end: 95 - - source: MySQLdb - style: secondary - start: 20 - end: 27 - - source: Connection - style: secondary - start: 28 - end: 38 - - source: passwd - style: secondary - start: 70 - end: 76 - - source: '"' - style: secondary - start: 77 - end: 78 - - source: '"' - style: secondary - start: 78 - end: 79 - - source: '""' - style: secondary - start: 77 - end: 79 - - source: passwd="" - style: secondary - start: 70 - end: 79 - - source: (host="127.0.0.1", user="root", passwd="", db="business") - style: secondary - start: 38 - end: 95 - - source: MySQLdb.Connection - style: secondary - start: 20 - end: 38 
diff --git a/tests/__snapshots__/python-mysqlclient-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-mysqlclient-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 3d0f7efd..00000000 --- a/tests/__snapshots__/python-mysqlclient-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,306 +0,0 @@ -id: python-mysqlclient-hardcoded-secret-python -snapshots: - ? | - from MySQLdb import _mysql - db = MySQLdb._mysql.connect('', '', "password", '') - : labels: - - source: MySQLdb._mysql.connect('', '', "password", '') - style: primary - start: 32 - end: 78 - - source: MySQLdb._mysql - style: secondary - start: 32 - end: 46 - - source: connect - style: secondary - start: 47 - end: 54 - - source: '"' - style: secondary - start: 63 - end: 64 - - source: password - style: secondary - start: 64 - end: 72 - - source: '"' - style: secondary - start: 72 - end: 73 - - source: '"password"' - style: secondary - start: 63 - end: 73 - - source: ('', '', "password", '') - style: secondary - start: 54 - end: 78 - - source: MySQLdb._mysql.connect - style: secondary - start: 32 - end: 54 - ? | - from MySQLdb import _mysql - db = _mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="password", db=FLAGS.db - ) - : labels: - - source: |- - _mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="password", db=FLAGS.db - ) - style: primary - start: 32 - end: 116 - - source: _mysql - style: secondary - start: 20 - end: 26 - - source: MySQLdb - style: secondary - start: 5 - end: 12 - - source: from MySQLdb import _mysql - style: secondary - start: 0 - end: 26 - - source: from MySQLdb import _mysql - style: secondary - start: 0 - end: 26 - - source: _mysql - style: secondary - start: 32 - end: 38 - - source: connect - style: secondary - start: 39 - end: 46 - - source: passwd - style: secondary - start: 84 - end: 90 - - source: '"' - style: secondary - start: 91 - end: 92 - - source: password - style: secondary - start: 92 - end: 100 - - source: '"' - style: secondary - start: 100 - end: 101 - - source: '"password"' - style: secondary - start: 91 - end: 101 - - source: passwd="password" - style: secondary - start: 84 - end: 101 - - source: |- - ( - host=FLAGS.host, user=FLAGS.user, passwd="password", db=FLAGS.db - ) - style: secondary - start: 46 - end: 116 - - 
source: _mysql.connect - style: secondary - start: 32 - end: 46 - ? | - from MySQLdb import _mysql as mysql - db = mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="password", db=FLAGS.db - ) - : labels: - - source: |- - mysql.connect( - host=FLAGS.host, user=FLAGS.user, passwd="password", db=FLAGS.db - ) - style: primary - start: 41 - end: 124 - - source: _mysql - style: secondary - start: 20 - end: 26 - - source: mysql - style: secondary - start: 30 - end: 35 - - source: _mysql as mysql - style: secondary - start: 20 - end: 35 - - source: MySQLdb - style: secondary - start: 5 - end: 12 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: mysql - style: secondary - start: 41 - end: 46 - - source: connect - style: secondary - start: 47 - end: 54 - - source: passwd - style: secondary - start: 92 - end: 98 - - source: '"' - style: secondary - start: 99 - end: 100 - - source: password - style: secondary - start: 100 - end: 108 - - source: '"' - style: secondary - start: 108 - end: 109 - - source: '"password"' - style: secondary - start: 99 - end: 109 - - source: passwd="password" - style: secondary - start: 92 - end: 109 - - source: |- - ( - host=FLAGS.host, user=FLAGS.user, passwd="password", db=FLAGS.db - ) - style: secondary - start: 54 - end: 124 - - source: mysql.connect - style: secondary - start: 41 - end: 54 - ? 
| - from MySQLdb import _mysql as mysql - db = mysql.connect("MYSQL_HOST", "MYSQL_USER", "password", "MYSQL_DATABASE") - : labels: - - source: mysql.connect("MYSQL_HOST", "MYSQL_USER", "password", "MYSQL_DATABASE") - style: primary - start: 41 - end: 112 - - source: _mysql - style: secondary - start: 20 - end: 26 - - source: mysql - style: secondary - start: 30 - end: 35 - - source: _mysql as mysql - style: secondary - start: 20 - end: 35 - - source: MySQLdb - style: secondary - start: 5 - end: 12 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: from MySQLdb import _mysql as mysql - style: secondary - start: 0 - end: 35 - - source: mysql - style: secondary - start: 41 - end: 46 - - source: connect - style: secondary - start: 47 - end: 54 - - source: '"' - style: secondary - start: 83 - end: 84 - - source: password - style: secondary - start: 84 - end: 92 - - source: '"' - style: secondary - start: 92 - end: 93 - - source: '"password"' - style: secondary - start: 83 - end: 93 - - source: ("MYSQL_HOST", "MYSQL_USER", "password", "MYSQL_DATABASE") - style: secondary - start: 54 - end: 112 - - source: mysql.connect - style: secondary - start: 41 - end: 54 - ? 
| - import MySQLdb - db = MySQLdb.Connection(host="127.0.0.1", user="root", passwd="password", db="business") - : labels: - - source: MySQLdb.Connection(host="127.0.0.1", user="root", passwd="password", db="business") - style: primary - start: 20 - end: 103 - - source: MySQLdb - style: secondary - start: 20 - end: 27 - - source: Connection - style: secondary - start: 28 - end: 38 - - source: passwd - style: secondary - start: 70 - end: 76 - - source: '"' - style: secondary - start: 77 - end: 78 - - source: password - style: secondary - start: 78 - end: 86 - - source: '"' - style: secondary - start: 86 - end: 87 - - source: '"password"' - style: secondary - start: 77 - end: 87 - - source: passwd="password" - style: secondary - start: 70 - end: 87 - - source: (host="127.0.0.1", user="root", passwd="password", db="business") - style: secondary - start: 38 - end: 103 - - source: MySQLdb.Connection - style: secondary - start: 20 - end: 38 diff --git a/tests/__snapshots__/python-neo4j-empty-password-python-snapshot.yml b/tests/__snapshots__/python-neo4j-empty-password-python-snapshot.yml deleted file mode 100644 index 8720890f..00000000 --- a/tests/__snapshots__/python-neo4j-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,260 +0,0 @@ -id: python-neo4j-empty-password-python -snapshots: - ? | - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - password = "" - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, password)) - : labels: - - source: basic_auth(username, password) - style: primary - start: 143 - end: 173 - - source: password - style: secondary - start: 83 - end: 91 - - source: '"' - style: secondary - start: 94 - end: 95 - - source: '"' - style: secondary - start: 95 - end: 96 - - source: '""' - style: secondary - start: 94 - end: 96 - - source: password = "" - style: secondary - start: 83 - end: 96 - - source: password = "" - style: secondary - start: 83 - end: 96 - - source: password = "" - style: secondary - start: 83 - end: 96 - - source: password - style: secondary - start: 164 - end: 172 - - source: (username, password) - style: secondary - start: 153 - end: 173 - - source: basic_auth - style: secondary - start: 143 - end: 153 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
| - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, "")) - : labels: - - source: basic_auth(username, "") - style: primary - start: 127 - end: 151 - - source: '"' - style: secondary - start: 148 - end: 149 - - source: '"' - style: secondary - start: 149 - end: 150 - - source: '""' - style: secondary - start: 148 - end: 150 - - source: (username, "") - style: secondary - start: 137 - end: 151 - - source: basic_auth - style: secondary - start: 127 - end: 137 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? | - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = GraphDatabase.driver(uri, auth=bearer_auth("")) - : labels: - - source: bearer_auth("") - style: primary - start: 122 - end: 137 - - source: '"' - style: secondary - start: 134 - end: 135 - - source: '"' - style: secondary - start: 135 - end: 136 - - source: '""' - style: secondary - start: 134 - end: 136 - - source: ("") - style: secondary - start: 133 - end: 137 - - source: bearer_auth - style: secondary - start: 122 - end: 133 - - source: bearer_auth - style: secondary - start: 47 - end: 58 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
"from neo4j import (\nbasic_auth,\nkerberos_auth,\nbearer_auth,\nAsyncGraphDatabase,\n)\nuri = \"neo4j://example.com:7687\" \ndriver = GraphDatabase.driver(uri, auth=kerberos_auth(\"\"))\n" - : labels: - - source: kerberos_auth("") - style: primary - start: 156 - end: 173 - - source: '"' - style: secondary - start: 170 - end: 171 - - source: '"' - style: secondary - start: 171 - end: 172 - - source: '""' - style: secondary - start: 170 - end: 172 - - source: ("") - style: secondary - start: 169 - end: 173 - - source: kerberos_auth - style: secondary - start: 156 - end: 169 - - source: kerberos_auth - style: secondary - start: 32 - end: 45 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 diff --git a/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 110188d4..00000000 --- a/tests/__snapshots__/python-neo4j-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,276 +0,0 @@ -id: python-neo4j-hardcoded-secret-python -snapshots: - ? | - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - password = "NEO4J_PASSWORD" - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, password)) - : labels: - - source: basic_auth(username, password) - style: primary - start: 157 - end: 187 - - source: password - style: secondary - start: 83 - end: 91 - - source: '"' - style: secondary - start: 94 - end: 95 - - source: NEO4J_PASSWORD - style: secondary - start: 95 - end: 109 - - source: '"' - style: secondary - start: 109 - end: 110 - - source: '"NEO4J_PASSWORD"' - style: secondary - start: 94 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password - style: secondary - start: 178 - end: 186 - - source: (username, password) - style: secondary - start: 167 - end: 187 - - source: basic_auth - style: secondary - start: 157 - end: 167 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
| - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, "NEO4J_PASSWORD")) - : labels: - - source: basic_auth(username, "NEO4J_PASSWORD") - style: primary - start: 127 - end: 165 - - source: '"' - style: secondary - start: 148 - end: 149 - - source: NEO4J_PASSWORD - style: secondary - start: 149 - end: 163 - - source: '"' - style: secondary - start: 163 - end: 164 - - source: '"NEO4J_PASSWORD"' - style: secondary - start: 148 - end: 164 - - source: (username, "NEO4J_PASSWORD") - style: secondary - start: 137 - end: 165 - - source: basic_auth - style: secondary - start: 127 - end: 137 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
|- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = GraphDatabase.driver(uri, auth=bearer_auth("token")) - : labels: - - source: bearer_auth("token") - style: primary - start: 122 - end: 142 - - source: '"' - style: secondary - start: 134 - end: 135 - - source: token - style: secondary - start: 135 - end: 140 - - source: '"' - style: secondary - start: 140 - end: 141 - - source: '"token"' - style: secondary - start: 134 - end: 141 - - source: ("token") - style: secondary - start: 133 - end: 142 - - source: bearer_auth - style: secondary - start: 122 - end: 133 - - source: bearer_auth - style: secondary - start: 47 - end: 58 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
"from neo4j import (\nbasic_auth,\nkerberos_auth,\nbearer_auth,\nAsyncGraphDatabase,\n)\nuri = \"neo4j://example.com:7687\" \ndriver = GraphDatabase.driver(uri, auth=kerberos_auth(\"token\"))\n" - : labels: - - source: kerberos_auth("token") - style: primary - start: 156 - end: 178 - - source: '"' - style: secondary - start: 170 - end: 171 - - source: token - style: secondary - start: 171 - end: 176 - - source: '"' - style: secondary - start: 176 - end: 177 - - source: '"token"' - style: secondary - start: 170 - end: 177 - - source: ("token") - style: secondary - start: 169 - end: 178 - - source: kerberos_auth - style: secondary - start: 156 - end: 169 - - source: kerberos_auth - style: secondary - start: 32 - end: 45 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 diff --git a/tests/__snapshots__/python-peewee-mysql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-peewee-mysql-empty-password-python-snapshot.yml deleted file mode 100644 index 74b6c268..00000000 --- a/tests/__snapshots__/python-peewee-mysql-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: python-peewee-mysql-empty-password-python -snapshots: - ? "mysql_db1 = MySQLDatabase('my_app', user='app', password='', host='10.1.0.8', port=3306) \n" - : labels: - - source: MySQLDatabase('my_app', user='app', password='', host='10.1.0.8', port=3306) - style: primary - start: 12 - end: 88 - - source: MySQLDatabase - style: secondary - start: 12 - end: 25 - - source: password - style: secondary - start: 48 - end: 56 - - source: '''''' - style: secondary - start: 57 - end: 59 - - source: password='' - style: secondary - start: 48 - end: 59 - - source: ('my_app', user='app', password='', host='10.1.0.8', port=3306) - style: secondary - start: 25 - end: 88 diff --git a/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index ff63f255..00000000 --- a/tests/__snapshots__/python-peewee-mysql-hardcoded-secret-python-snapshot.yml +++ /dev/null @@ -1,32 +0,0 @@ -id: python-peewee-mysql-hardcoded-secret-python -snapshots: - 'mysql_db1 = MySQLDatabase(''my_app'', user=''app'', password=''db_password'', host=''10.1.0.8'', port=3306) ': - labels: - - source: MySQLDatabase('my_app', user='app', password='db_password', host='10.1.0.8', port=3306) - style: primary - start: 12 - end: 99 - - source: MySQLDatabase - style: secondary - start: 12 - end: 25 - - source: password - style: secondary - start: 48 - end: 56 - - source: db_password - style: secondary - start: 58 - end: 69 - - source: '''db_password''' - style: secondary - start: 57 - end: 70 - - source: password='db_password' - style: secondary - start: 48 - end: 70 - - source: ('my_app', user='app', password='db_password', host='10.1.0.8', port=3306) - style: secondary - start: 25 - end: 99 
diff --git a/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml deleted file mode 100644 index 7d674f39..00000000 --- a/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: python-peewee-pg-empty-password-python -snapshots: - ? | - pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432) - : labels: - - source: PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432) - style: primary - start: 9 - end: 95 - - source: PostgresqlDatabase - style: secondary - start: 9 - end: 27 - - source: password - style: secondary - start: 55 - end: 63 - - source: '''''' - style: secondary - start: 64 - end: 66 - - source: password='' - style: secondary - start: 55 - end: 66 - - source: ('my_app', user='postgres', password='', host='10.1.0.9', port=5432) - style: secondary - start: 27 - end: 95 diff --git a/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index e1fe3430..00000000 --- a/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -id: python-peewee-pg-hardcoded-secret-python -snapshots: - ? | - pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) - : labels: - - source: PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) - style: primary - start: 9 - end: 103 - - source: PostgresqlDatabase - style: secondary - start: 9 - end: 27 - - source: password - style: secondary - start: 55 - end: 63 - - source: password - style: secondary - start: 65 - end: 73 - - source: '''password''' - style: secondary - start: 64 - end: 74 - - source: password='password' - style: secondary - start: 55 - end: 74 - - source: ('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) - style: secondary - start: 27 - end: 103 diff --git a/tests/__snapshots__/python-pg8000-empty-password-python-snapshot.yml b/tests/__snapshots__/python-pg8000-empty-password-python-snapshot.yml deleted file mode 100644 index 3cfce66b..00000000 --- a/tests/__snapshots__/python-pg8000-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -id: python-pg8000-empty-password-python -snapshots: - ? | - pg8000.dbapi.connect(user="postgres", password="") - : labels: - - source: pg8000.dbapi.connect(user="postgres", password="") - style: primary - start: 0 - end: 50 - - source: pg8000.dbapi.connect - style: secondary - start: 0 - end: 20 - - source: password - style: secondary - start: 38 - end: 46 - - source: '""' - style: secondary - start: 47 - end: 49 - - source: password="" - style: secondary - start: 38 - end: 49 - - source: (user="postgres", password="") - style: secondary - start: 20 - end: 50 - ? "pg8000.dbapi.connect(user=\"postgres\", password='') \n" - : labels: - - source: pg8000.dbapi.connect(user="postgres", password='') - style: primary - start: 0 - end: 50 - - source: pg8000.dbapi.connect - style: secondary - start: 0 - end: 20 - - source: password - style: secondary - start: 38 - end: 46 - - source: '''''' - style: secondary - start: 47 - end: 49 - - source: password='' - style: secondary - start: 38 - end: 49 - - source: (user="postgres", password='') - style: secondary - start: 20 - end: 50 diff --git a/tests/__snapshots__/python-pg8000-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pg8000-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 3207e6da..00000000 --- a/tests/__snapshots__/python-pg8000-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -id: python-pg8000-hardcoded-secret-python -snapshots: - ? | - conn = pg8000.dbapi.connect(user="postgres", password="abc") - : labels: - - source: pg8000.dbapi.connect(user="postgres", password="abc") - style: primary - start: 7 - end: 60 - - source: pg8000.dbapi.connect - style: secondary - start: 7 - end: 27 - - source: password - style: secondary - start: 45 - end: 53 - - source: abc - style: secondary - start: 55 - end: 58 - - source: '"abc"' - style: secondary - start: 54 - end: 59 - - source: password="abc" - style: secondary - start: 45 - end: 59 - - source: (user="postgres", password="abc") - style: secondary - start: 27 - end: 60 diff --git a/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml b/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml deleted file mode 100644 index b55cb759..00000000 --- a/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: python-psycopg2-empty-password-python -snapshots: - 'c = psycopg2.connect(user, database=dbname, password="", **params).abc() ': - labels: - - source: psycopg2.connect(user, database=dbname, password="", **params) - style: primary - start: 4 - end: 66 - - source: psycopg2.connect - style: secondary - start: 4 - end: 20 - - source: password - style: secondary - start: 44 - end: 52 - - source: '""' - style: secondary - start: 53 - end: 55 - - source: password="" - style: secondary - start: 44 - end: 55 - - source: (user, database=dbname, password="", **params) - style: secondary - start: 20 - end: 66 diff --git a/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 74208122..00000000 --- a/tests/__snapshots__/python-psycopg2-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: python-psycopg2-hardcoded-secret-python -snapshots: - 'c = psycopg2.connect(user, database=dbname, password="abc", **params).abc() ': - labels: - - source: psycopg2.connect(user, database=dbname, password="abc", **params) - style: primary - start: 4 - end: 69 - - source: psycopg2.connect - style: secondary - start: 4 - end: 20 - - source: password - style: secondary - start: 44 - end: 52 - - source: abc - style: secondary - start: 54 - end: 57 - - source: '"abc"' - style: secondary - start: 53 - end: 58 - - source: password="abc" - style: secondary - start: 44 - end: 58 - - source: (user, database=dbname, password="abc", **params) - style: secondary - start: 20 - end: 69 diff --git a/tests/__snapshots__/python-pyjwt-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pyjwt-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 87a18777..00000000 --- a/tests/__snapshots__/python-pyjwt-hardcoded-secret-python-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: python-pyjwt-hardcoded-secret-python -snapshots: - ? | - jwt.encode({"some": "payload"}, "123", algorithm="HS256") - : labels: - - source: 'jwt.encode({"some": "payload"}, "123", algorithm="HS256")' - style: primary - start: 0 - end: 57 - - source: jwt - style: secondary - start: 0 - end: 3 - - source: encode - style: secondary - start: 4 - end: 10 - - source: jwt.encode - style: secondary - start: 0 - end: 10 - - source: '"123"' - style: secondary - start: 32 - end: 37 - - source: '({"some": "payload"}, "123", algorithm="HS256")' - style: secondary - start: 10 - end: 57 diff --git a/tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml b/tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml deleted file mode 100644 index e6b3959a..00000000 --- a/tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: python-pymongo-empty-password-python -snapshots: - ? | - pymongo.MongoClient(password="") - : labels: - - source: pymongo.MongoClient(password="") - style: primary - start: 0 - end: 32 - - source: pymongo.MongoClient - style: secondary - start: 0 - end: 19 - - source: password - style: secondary - start: 20 - end: 28 - - source: '""' - style: secondary - start: 29 - end: 31 - - source: password="" - style: secondary - start: 20 - end: 31 - - source: (password="") - style: secondary - start: 19 - end: 32 diff --git a/tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 473e1741..00000000 --- a/tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml +++ /dev/null @@ -1,33 +0,0 @@ -id: python-pymongo-hardcoded-secret-python -snapshots: - ? | - pymongo.MongoClient(password="a") - : labels: - - source: pymongo.MongoClient(password="a") - style: primary - start: 0 - end: 33 - - source: pymongo.MongoClient - style: secondary - start: 0 - end: 19 - - source: password - style: secondary - start: 20 - end: 28 - - source: a - style: secondary - start: 30 - end: 31 - - source: '"a"' - style: secondary - start: 29 - end: 32 - - source: password="a" - style: secondary - start: 20 - end: 32 - - source: (password="a") - style: secondary - start: 19 - end: 33 diff --git a/tests/__snapshots__/python-pymssql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-pymssql-empty-password-python-snapshot.yml deleted file mode 100644 index 6ec5b3d5..00000000 --- a/tests/__snapshots__/python-pymssql-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -id: python-pymssql-empty-password-python -snapshots: - ? "conn1 = pymssql._mssql.connect(\n server='SQL01',\n user='user',\n password='',\n database='mydatabase',\n) \n" - : labels: - - source: |- - pymssql._mssql.connect( - server='SQL01', - user='user', - password='', - database='mydatabase', - ) - style: primary - start: 8 - end: 106 - - source: pymssql._mssql.connect - style: secondary - start: 8 - end: 30 - - source: password - style: secondary - start: 67 - end: 75 - - source: '''''' - style: secondary - start: 76 - end: 78 - - source: password='' - style: secondary - start: 67 - end: 78 - - source: |- - ( - server='SQL01', - user='user', - password='', - database='mydatabase', - ) - style: secondary - start: 30 - end: 106 - ? | - conn1 = pymssql.connect( - server='SQL01', - user='user', - password='', - database='mydatabase', - ) - : labels: - - source: |- - pymssql.connect( - server='SQL01', - user='user', - password='', - database='mydatabase', - ) - style: primary - start: 8 - end: 99 - - source: pymssql.connect - style: secondary - start: 8 - end: 23 - - source: password - style: secondary - start: 60 - end: 68 - - source: '''''' - style: secondary - start: 69 - end: 71 - - source: password='' - style: secondary - start: 60 - end: 71 - - source: |- - ( - server='SQL01', - user='user', - password='', - database='mydatabase', - ) - style: secondary - start: 23 - end: 99 diff --git a/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 738d78aa..00000000 --- a/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: python-pymssql-hardcoded-secret-python -snapshots: - ? |- - conn1 = pymssql.connect( - server='SQL01', - user='user', - password='password', - database='mydatabase', - ) - : labels: - - source: |- - pymssql.connect( - server='SQL01', - user='user', - password='password', - database='mydatabase', - ) - style: primary - start: 8 - end: 107 - - source: pymssql.connect - style: secondary - start: 8 - end: 23 - - source: password - style: secondary - start: 60 - end: 68 - - source: password - style: secondary - start: 70 - end: 78 - - source: '''password''' - style: secondary - start: 69 - end: 79 - - source: password='password' - style: secondary - start: 60 - end: 79 - - source: |- - ( - server='SQL01', - user='user', - password='password', - database='mydatabase', - ) - style: secondary - start: 23 - end: 107 diff --git a/tests/__snapshots__/python-pymysql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-pymysql-empty-password-python-snapshot.yml deleted file mode 100644 index 3b9a4505..00000000 --- a/tests/__snapshots__/python-pymysql-empty-password-python-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: python-pymysql-empty-password-python -snapshots: - ? | - pymysql.connect(password="") - : labels: - - source: pymysql.connect(password="") - style: primary - start: 0 - end: 28 - - source: pymysql.connect - style: secondary - start: 0 - end: 15 - - source: password - style: secondary - start: 16 - end: 24 - - source: '""' - style: secondary - start: 25 - end: 27 - - source: password="" - style: secondary - start: 16 - end: 27 - - source: (password="") - style: secondary - start: 15 - end: 28 diff --git a/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index edbacdd2..00000000 --- a/tests/__snapshots__/python-pymysql-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: python-pymysql-hardcoded-secret-python -snapshots: - pymysql.connect(password="a"): - labels: - - source: pymysql.connect(password="a") - style: primary - start: 0 - end: 29 - - source: pymysql.connect - style: secondary - start: 0 - end: 15 - - source: password - style: secondary - start: 16 - end: 24 - - source: a - style: secondary - start: 26 - end: 27 - - source: '"a"' - style: secondary - start: 25 - end: 28 - - source: password="a" - style: secondary - start: 16 - end: 28 - - source: (password="a") - style: secondary - start: 15 - end: 29 diff --git a/tests/__snapshots__/python-redis-empty-password-python-snapshot.yml b/tests/__snapshots__/python-redis-empty-password-python-snapshot.yml deleted file mode 100644 index aefbe6fc..00000000 --- a/tests/__snapshots__/python-redis-empty-password-python-snapshot.yml +++ /dev/null @@ -1,46 +0,0 @@ -id: python-redis-empty-password-python -snapshots: - ? | - redis_client = redis.Redis( - host='localhost', - port=6379, - password='', - db=5 - ) - : labels: - - source: |- - redis.Redis( - host='localhost', - port=6379, - password='', - db=5 - ) - style: primary - start: 15 - end: 84 - - source: redis.Redis - style: secondary - start: 15 - end: 26 - - source: password - style: secondary - start: 63 - end: 71 - - source: '''''' - style: secondary - start: 72 - end: 74 - - source: password='' - style: secondary - start: 63 - end: 74 - - source: |- - ( - host='localhost', - port=6379, - password='', - db=5 - ) - style: secondary - start: 26 - end: 84 diff --git a/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 50c4f423..00000000 --- a/tests/__snapshots__/python-redis-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: python-redis-hardcoded-secret-python -snapshots: - ? |- - redis_client = redis.Redis( - host='localhost', - port=6379, - password="abc", - db=5 - ) - : labels: - - source: |- - redis.Redis( - host='localhost', - port=6379, - password="abc", - db=5 - ) - style: primary - start: 15 - end: 87 - - source: redis.Redis - style: secondary - start: 15 - end: 26 - - source: password - style: secondary - start: 63 - end: 71 - - source: abc - style: secondary - start: 73 - end: 76 - - source: '"abc"' - style: secondary - start: 72 - end: 77 - - source: password="abc" - style: secondary - start: 63 - end: 77 - - source: |- - ( - host='localhost', - port=6379, - password="abc", - db=5 - ) - style: secondary - start: 26 - end: 87 diff --git a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml b/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml deleted file mode 100644 index 7d5c779e..00000000 --- a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: python-requests-empty-password-python -snapshots: - requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', '')): - labels: - - source: requests.auth.HTTPBasicAuth('user', '') - style: primary - start: 62 - end: 101 - - source: requests.auth.HTTPBasicAuth - style: secondary - start: 62 - end: 89 - - source: '''''' - style: secondary - start: 98 - end: 100 - - source: ('user', '') - style: secondary - start: 89 - end: 101 - ? "requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', '')) \n" - : labels: - - source: requests.auth.HTTPBasicAuth('user', '') - style: primary - start: 62 - end: 101 - - source: requests.auth.HTTPBasicAuth - style: secondary - start: 62 - end: 89 - - source: '''''' - style: secondary - start: 98 - end: 100 - - source: ('user', '') - style: secondary - start: 89 - end: 101 - 'requests.get(''https://httpbin.org/basic-auth/user/pass'', auth=requests.auth.HTTPBasicAuth(''username'', '''')) ': - labels: - - source: requests.auth.HTTPBasicAuth('username', '') - style: primary - start: 62 - end: 105 - - source: requests.auth.HTTPBasicAuth - style: secondary - start: 62 - end: 89 - - source: '''''' - style: secondary - start: 102 - end: 104 - - source: ('username', '') - style: secondary - start: 89 - end: 105 diff --git a/tests/__snapshots__/python-requests-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-requests-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 561fe2a8..00000000 --- a/tests/__snapshots__/python-requests-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -id: python-requests-hardcoded-secret-python -snapshots: - ? | - from requests.auth import HTTPBasicAuth - basic = HTTPBasicAuth('user', 'pass') - : labels: - - source: HTTPBasicAuth('user', 'pass') - style: primary - start: 48 - end: 77 - - source: HTTPBasicAuth - style: secondary - start: 48 - end: 61 - - source: pass - style: secondary - start: 71 - end: 75 - - source: '''pass''' - style: secondary - start: 70 - end: 76 - - source: ('user', 'pass') - style: secondary - start: 61 - end: 77 - - source: from requests.auth import HTTPBasicAuth - style: secondary - start: 0 - end: 39 - - source: from requests.auth import HTTPBasicAuth - style: secondary - start: 0 - end: 39 - ? | - from requests.auth import HTTPDigestAuth - requests.get(url, auth=HTTPDigestAuth('user', 'pass')) - : labels: - - source: HTTPDigestAuth('user', 'pass') - style: primary - start: 64 - end: 94 - - source: HTTPDigestAuth - style: secondary - start: 64 - end: 78 - - source: pass - style: secondary - start: 88 - end: 92 - - source: '''pass''' - style: secondary - start: 87 - end: 93 - - source: ('user', 'pass') - style: secondary - start: 78 - end: 94 - - source: from requests.auth import HTTPDigestAuth - style: secondary - start: 0 - end: 40 - - source: from requests.auth import HTTPDigestAuth - style: secondary - start: 0 - end: 40 diff --git a/tests/__snapshots__/python-requests-oauth-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-requests-oauth-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index b216c317..00000000 --- a/tests/__snapshots__/python-requests-oauth-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,150 +0,0 @@ -id: python-requests-oauth-hardcoded-secret-python -snapshots: - ? | - import requests - import os - from requests_oauthlib import OAuth1, OAuth2Session - auth1 = OAuth1('APP_KEY_HERE', 'APP_SECRET_HERE', 'USER_TOKEN', 'USER_TOKEN_SECRET') - : labels: - - source: OAuth1('APP_KEY_HERE', 'APP_SECRET_HERE', 'USER_TOKEN', 'USER_TOKEN_SECRET') - style: primary - start: 86 - end: 162 - - source: OAuth1 - style: secondary - start: 86 - end: 92 - - source: APP_SECRET_HERE - style: secondary - start: 110 - end: 125 - - source: '''APP_SECRET_HERE''' - style: secondary - start: 109 - end: 126 - - source: ('APP_KEY_HERE', 'APP_SECRET_HERE', 'USER_TOKEN', 'USER_TOKEN_SECRET') - style: secondary - start: 92 - end: 162 - - source: from requests_oauthlib import OAuth1, OAuth2Session - style: secondary - start: 26 - end: 77 - - source: from requests_oauthlib import OAuth1, OAuth2Session - style: secondary - start: 26 - end: 77 - ? | - import requests - import os - from requests_oauthlib import OAuth1, OAuth2Session - auth2 = OAuth1(os.getenv('APP_KEY'), 'HARD_CODED_SECRET', os.getenv('USER_TOKEN'), 'HARD_CODED_TOKEN_SECRET') - : labels: - - source: OAuth1(os.getenv('APP_KEY'), 'HARD_CODED_SECRET', os.getenv('USER_TOKEN'), 'HARD_CODED_TOKEN_SECRET') - style: primary - start: 86 - end: 187 - - source: OAuth1 - style: secondary - start: 86 - end: 92 - - source: HARD_CODED_SECRET - style: secondary - start: 116 - end: 133 - - source: '''HARD_CODED_SECRET''' - style: secondary - start: 115 - end: 134 - - source: (os.getenv('APP_KEY'), 'HARD_CODED_SECRET', os.getenv('USER_TOKEN'), 'HARD_CODED_TOKEN_SECRET') - style: secondary - start: 92 - end: 187 - - source: from requests_oauthlib import OAuth1, OAuth2Session - style: secondary - start: 26 - end: 77 - - source: from requests_oauthlib import OAuth1, OAuth2Session - style: secondary - start: 26 - end: 77 - ? 
"import requests\nimport os\nfrom requests_oauthlib import OAuth2Session\noauth2 = OAuth2Session(\n client_id=\"MY_CLIENT_ID\", \n redirect_uri=\"https://example.com/callback\", \n scope=[\"profile\", \"email\"]\n)\ntoken = oauth2.fetch_token(\n 'https://accounts.google.com/o/oauth2/token',\n authorization_response='https://example.com/auth_response',\n client_secret=\"HARDCODED_SECRET\"\n)\n" - : labels: - - source: |- - oauth2.fetch_token( - 'https://accounts.google.com/o/oauth2/token', - authorization_response='https://example.com/auth_response', - client_secret="HARDCODED_SECRET" - ) - style: primary - start: 210 - end: 376 - - source: oauth2 - style: secondary - start: 210 - end: 216 - - source: fetch_token - style: secondary - start: 217 - end: 228 - - source: oauth2.fetch_token - style: secondary - start: 210 - end: 228 - - source: client_secret - style: secondary - start: 342 - end: 355 - - source: HARDCODED_SECRET - style: secondary - start: 357 - end: 373 - - source: '"HARDCODED_SECRET"' - style: secondary - start: 356 - end: 374 - - source: client_secret="HARDCODED_SECRET" - style: secondary - start: 342 - end: 374 - - source: |- - ( - 'https://accounts.google.com/o/oauth2/token', - authorization_response='https://example.com/auth_response', - client_secret="HARDCODED_SECRET" - ) - style: secondary - start: 228 - end: 376 - - source: oauth2 - style: secondary - start: 70 - end: 76 - - source: OAuth2Session - style: secondary - start: 79 - end: 92 - - source: "OAuth2Session(\n client_id=\"MY_CLIENT_ID\", \n redirect_uri=\"https://example.com/callback\", \n scope=[\"profile\", \"email\"]\n)" - style: secondary - start: 79 - end: 201 - - source: "oauth2 = OAuth2Session(\n client_id=\"MY_CLIENT_ID\", \n redirect_uri=\"https://example.com/callback\", \n scope=[\"profile\", \"email\"]\n)" - style: secondary - start: 70 - end: 201 - - source: "oauth2 = OAuth2Session(\n client_id=\"MY_CLIENT_ID\", \n redirect_uri=\"https://example.com/callback\", \n 
scope=[\"profile\", \"email\"]\n)" - style: secondary - start: 70 - end: 201 - - source: "oauth2 = OAuth2Session(\n client_id=\"MY_CLIENT_ID\", \n redirect_uri=\"https://example.com/callback\", \n scope=[\"profile\", \"email\"]\n)" - style: secondary - start: 70 - end: 201 - - source: from requests_oauthlib import OAuth2Session - style: secondary - start: 26 - end: 69 - - source: from requests_oauthlib import OAuth2Session - style: secondary - start: 26 - end: 69 diff --git a/tests/__snapshots__/python-tormysql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-tormysql-empty-password-python-snapshot.yml deleted file mode 100644 index c70582a4..00000000 --- a/tests/__snapshots__/python-tormysql-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -id: python-tormysql-empty-password-python -snapshots: - ? | - EMPTY_PASSWORD = "" - conn2 = tormysql.ConnectionPool(password=EMPTY_PASSWORD) - : labels: - - source: tormysql.ConnectionPool(password=EMPTY_PASSWORD) - style: primary - start: 28 - end: 76 - - source: tormysql - style: secondary - start: 28 - end: 36 - - source: ConnectionPool - style: secondary - start: 37 - end: 51 - - source: tormysql.ConnectionPool - style: secondary - start: 28 - end: 51 - - source: password - style: secondary - start: 52 - end: 60 - - source: EMPTY_PASSWORD - style: secondary - start: 61 - end: 75 - - source: password=EMPTY_PASSWORD - style: secondary - start: 52 - end: 75 - - source: (password=EMPTY_PASSWORD) - style: secondary - start: 51 - end: 76 - - source: EMPTY_PASSWORD - style: secondary - start: 0 - end: 14 - - source: '""' - style: secondary - start: 17 - end: 19 - - source: EMPTY_PASSWORD = "" - style: secondary - start: 0 - end: 19 - - source: EMPTY_PASSWORD = "" - style: secondary - start: 0 - end: 19 - - source: EMPTY_PASSWORD = "" - style: secondary - start: 0 - end: 19 - ? | - conn1 = tormysql.ConnectionPool(password="") - : labels: - - source: tormysql.ConnectionPool(password="") - style: primary - start: 8 - end: 44 - - source: tormysql - style: secondary - start: 8 - end: 16 - - source: ConnectionPool - style: secondary - start: 17 - end: 31 - - source: tormysql.ConnectionPool - style: secondary - start: 8 - end: 31 - - source: password - style: secondary - start: 32 - end: 40 - - source: '""' - style: secondary - start: 41 - end: 43 - - source: password="" - style: secondary - start: 32 - end: 43 - - source: (password="") - style: secondary - start: 31 - end: 44 - ? 
| - conn4 = tormysql.ConnectionPool(passwd="") - : labels: - - source: tormysql.ConnectionPool(passwd="") - style: primary - start: 8 - end: 42 - - source: tormysql - style: secondary - start: 8 - end: 16 - - source: ConnectionPool - style: secondary - start: 17 - end: 31 - - source: tormysql.ConnectionPool - style: secondary - start: 8 - end: 31 - - source: passwd - style: secondary - start: 32 - end: 38 - - source: '""' - style: secondary - start: 39 - end: 41 - - source: passwd="" - style: secondary - start: 32 - end: 41 - - source: (passwd="") - style: secondary - start: 31 - end: 42 diff --git a/tests/__snapshots__/python-tormysql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-tormysql-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index f65e2326..00000000 --- a/tests/__snapshots__/python-tormysql-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -id: python-tormysql-hardcoded-secret-python -snapshots: - ? | - HARDCODED_PASSWORD = "123secure" - conn4 = tormysql.ConnectionPool(password=HARDCODED_PASSWORD) - : labels: - - source: tormysql.ConnectionPool(password=HARDCODED_PASSWORD) - style: primary - start: 41 - end: 93 - - source: tormysql - style: secondary - start: 41 - end: 49 - - source: ConnectionPool - style: secondary - start: 50 - end: 64 - - source: tormysql.ConnectionPool - style: secondary - start: 41 - end: 64 - - source: password - style: secondary - start: 65 - end: 73 - - source: HARDCODED_PASSWORD - style: secondary - start: 74 - end: 92 - - source: password=HARDCODED_PASSWORD - style: secondary - start: 65 - end: 92 - - source: (password=HARDCODED_PASSWORD) - style: secondary - start: 64 - end: 93 - - source: HARDCODED_PASSWORD - style: secondary - start: 0 - end: 18 - - source: 123secure - style: secondary - start: 22 - end: 31 - - source: '"123secure"' - style: secondary - start: 21 - end: 32 - - source: HARDCODED_PASSWORD = "123secure" - style: secondary - start: 0 - end: 32 - - source: HARDCODED_PASSWORD = "123secure" - style: secondary - start: 0 - end: 32 - - source: HARDCODED_PASSWORD = "123secure" - style: secondary - start: 0 - end: 32 - ? 
| - conn1 = tormysql.ConnectionPool(password="hardcoded_password") - : labels: - - source: tormysql.ConnectionPool(password="hardcoded_password") - style: primary - start: 8 - end: 62 - - source: tormysql - style: secondary - start: 8 - end: 16 - - source: ConnectionPool - style: secondary - start: 17 - end: 31 - - source: tormysql.ConnectionPool - style: secondary - start: 8 - end: 31 - - source: password - style: secondary - start: 32 - end: 40 - - source: hardcoded_password - style: secondary - start: 42 - end: 60 - - source: '"hardcoded_password"' - style: secondary - start: 41 - end: 61 - - source: password="hardcoded_password" - style: secondary - start: 32 - end: 61 - - source: (password="hardcoded_password") - style: secondary - start: 31 - end: 62 diff --git a/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index 4af97a08..00000000 --- a/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml +++ /dev/null @@ -1,32 +0,0 @@ -id: python-urllib3-hardcoded-secret-python -snapshots: - urllib3.util.make_headers(basic_auth="user:123"): - labels: - - source: urllib3.util.make_headers(basic_auth="user:123") - style: primary - start: 0 - end: 48 - - source: urllib3.util.make_headers - style: secondary - start: 0 - end: 25 - - source: basic_auth - style: secondary - start: 26 - end: 36 - - source: user:123 - style: secondary - start: 38 - end: 46 - - source: '"user:123"' - style: secondary - start: 37 - end: 47 - - source: basic_auth="user:123" - style: secondary - start: 26 - end: 47 - - source: (basic_auth="user:123") - style: secondary - start: 25 - end: 48 diff --git a/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml b/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml deleted file mode 100644 index c9e19b40..00000000 
--- a/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: python-webrepl-empty-password-python -snapshots: - ? | - webrepl.start(password="") - : labels: - - source: webrepl.start(password="") - style: primary - start: 0 - end: 26 - - source: webrepl.start - style: secondary - start: 0 - end: 13 - - source: password - style: secondary - start: 14 - end: 22 - - source: '""' - style: secondary - start: 23 - end: 25 - - source: password="" - style: secondary - start: 14 - end: 25 - - source: (password="") - style: secondary - start: 13 - end: 26 diff --git a/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index a18db1cf..00000000 --- a/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -id: python-webrepl-hardcoded-secret-python -snapshots: - ? | - webrepl.start(password="12345") - : labels: - - source: webrepl.start(password="12345") - style: primary - start: 0 - end: 31 - - source: webrepl.start - style: secondary - start: 0 - end: 13 - - source: password - style: secondary - start: 14 - end: 22 - - source: '12345' - style: secondary - start: 24 - end: 29 - - source: '"12345"' - style: secondary - start: 23 - end: 30 - - source: password="12345" - style: secondary - start: 14 - end: 30 - - source: (password="12345") - style: secondary - start: 13 - end: 31 - ? | - webrepl.start(password="mypassword") - : labels: - - source: webrepl.start(password="mypassword") - style: primary - start: 0 - end: 36 - - source: webrepl.start - style: secondary - start: 0 - end: 13 - - source: password - style: secondary - start: 14 - end: 22 - - source: mypassword - style: secondary - start: 24 - end: 34 - - source: '"mypassword"' - style: secondary - start: 23 - end: 35 - - source: password="mypassword" - style: secondary - start: 14 - end: 35 - - source: (password="mypassword") - style: secondary - start: 13 - end: 36 diff --git a/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml deleted file mode 100644 index c56f9648..00000000 --- a/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml +++ /dev/null 
@@ -1,184 +0,0 @@ -id: rabbit-hardcoded-secret-swift -snapshots: - ? | - Rabbit(key: "hello", iv: "123") - : labels: - - source: 'Rabbit(key: "hello", iv: "123")' - style: primary - start: 0 - end: 31 - - source: Rabbit - style: secondary - start: 0 - end: 6 - - source: key - style: secondary - start: 7 - end: 10 - - source: hello - style: secondary - start: 13 - end: 18 - - source: '"hello"' - style: secondary - start: 12 - end: 19 - - source: 'key: "hello"' - style: secondary - start: 7 - end: 19 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 6 - end: 31 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 6 - end: 31 - ? |- - let password: Array = Array("s33krit".utf8) - Rabbit(key: password, iv: "123") - : labels: - - source: 'Rabbit(key: password, iv: "123")' - style: primary - start: 51 - end: 83 - - source: Rabbit - style: secondary - start: 51 - end: 57 - - source: key - style: secondary - start: 58 - end: 61 - - source: password - style: secondary - start: 63 - end: 71 - - source: 'key: password' - style: secondary - start: 58 - end: 71 - - source: '(key: password, iv: "123")' - style: secondary - start: 57 - end: 83 - - source: '(key: password, iv: "123")' - style: secondary - start: 57 - end: 83 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? 
| - let password: Array = Array("s33krit".utf8) - try Rabbit(key: password, iv: "123") - : labels: - - source: 'try Rabbit(key: password, iv: "123")' - style: primary - start: 51 - end: 87 - - source: Rabbit - style: secondary - start: 55 - end: 61 - - source: key - style: secondary - start: 62 - end: 65 - - source: password - style: secondary - start: 67 - end: 75 - - source: 'key: password' - style: secondary - start: 62 - end: 75 - - source: '(key: password, iv: "123")' - style: secondary - start: 61 - end: 87 - - source: '(key: password, iv: "123")' - style: secondary - start: 61 - end: 87 - - source: 'Rabbit(key: password, iv: "123")' - style: secondary - start: 55 - end: 87 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - - source: s33krit - style: secondary - start: 36 - end: 43 - ? | - try Rabbit(key: "hello", iv: "123") - : labels: - - source: 'try Rabbit(key: "hello", iv: "123")' - style: primary - start: 0 - end: 35 - - source: Rabbit - style: secondary - start: 4 - end: 10 - - source: key - style: secondary - start: 11 - end: 14 - - source: hello - style: secondary - start: 17 - end: 22 - - source: '"hello"' - style: secondary - start: 16 - end: 23 - - source: 'key: "hello"' - style: secondary - start: 11 - end: 23 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 10 - end: 35 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 10 - end: 35 - - source: 'Rabbit(key: "hello", iv: "123")' - style: secondary - start: 4 - end: 35 diff --git a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml deleted file mode 100644 index 45eae8b2..00000000 
--- a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: reqwest-accept-invalid-rust -snapshots: - ? | - reqwest::Client::builder().danger_accept_invalid_certs(true) - : labels: - - source: reqwest::Client::builder().danger_accept_invalid_certs(true) - style: primary - start: 0 - end: 60 - ? | - reqwest::Client::builder().danger_accept_invalid_hostnames(true) - : labels: - - source: reqwest::Client::builder().danger_accept_invalid_hostnames(true) - style: primary - start: 0 - end: 64 - 'reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) ': - labels: - - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) - style: primary - start: 0 - end: 104 - ? | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - : labels: - - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - style: primary - start: 0 - end: 108 diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml deleted file mode 100644 index e577adf6..00000000 --- a/tests/__snapshots__/return-c-str-cpp-snapshot.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: return-c-str-cpp -snapshots: - ? | - char *return_basic_string_directly() { - return std::basic_string("foo").c_str(); - } - : labels: - - source: return std::basic_string("foo").c_str(); - style: primary - start: 41 - end: 87 - ? | - char *return_data_directly() { - return std::string("foo").data(); - } - : labels: - - source: return std::string("foo").data(); - style: primary - start: 33 - end: 66 - ? | - char *return_directly() { - return string("foo").c_str(); - } - : labels: - - source: return string("foo").c_str(); - style: primary - start: 28 - end: 57 - ? | - char *return_namespace_directly() { - return std::string("foo").c_str(); - } - : labels: - - source: return std::string("foo").c_str(); - style: primary - start: 38 - end: 72 diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml deleted file mode 100644 index 5855b041..00000000 --- a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: rsa-no-padding-java -snapshots: - ? | - Cipher.getInstance("RSA/NONE/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/NONE/NoPadding") - style: primary - start: 0 - end: 40 - ? | - Cipher.getInstance("RSA/None/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/None/NoPadding") - style: primary - start: 0 - end: 40 diff --git a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml deleted file mode 100644 index 6ac5930a..00000000 --- a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: rsa-no-padding-kotlin -snapshots: - ? | - Cipher.getInstance("RSA/NONE/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/NONE/NoPadding") - style: primary - start: 0 - end: 40 - ? | - Cipher.getInstance("RSA/None/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/None/NoPadding") - style: primary - start: 0 - end: 40 
diff --git a/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index b364f5e4..00000000 --- a/tests/__snapshots__/ruby-aws-sdk-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -id: ruby-aws-sdk-hardcoded-secret-ruby -snapshots: - ? | - require 'aws-sdk-core' - Aws.config.update( - region: 'us-west-2', - credentials: Aws::Credentials.new('akid', 'secret') - ) - : labels: - - source: Aws::Credentials.new('akid', 'secret') - style: primary - start: 78 - end: 116 - - source: Aws::Credentials - style: secondary - start: 78 - end: 94 - - source: . - style: secondary - start: 94 - end: 95 - - source: new - style: secondary - start: 95 - end: 98 - - source: '''akid''' - style: secondary - start: 99 - end: 105 - - source: '''secret''' - style: secondary - start: 107 - end: 115 - - source: ('akid', 'secret') - style: secondary - start: 98 - end: 116 - - source: require 'aws-sdk-core' - style: secondary - start: 0 - end: 22 - - source: require 'aws-sdk-core' - style: secondary - start: 0 - end: 22 - ? |- - require 'aws-sdk-core' - secsec = 'secret' - creds = Aws::Credentials.new('akid', secsec) - Aws.config.update(region: 'us-west-2', credentials: creds) - : labels: - - source: Aws::Credentials.new('akid', secsec) - style: primary - start: 49 - end: 85 - - source: Aws::Credentials - style: secondary - start: 49 - end: 65 - - source: . - style: secondary - start: 65 - end: 66 - - source: new - style: secondary - start: 66 - end: 69 - - source: '''akid''' - style: secondary - start: 70 - end: 76 - - source: secsec - style: secondary - start: 78 - end: 84 - - source: ('akid', secsec) - style: secondary - start: 69 - end: 85 - - source: secsec - style: secondary - start: 23 - end: 29 - - source: secret - style: secondary - start: 33 - end: 39 - - source: '''secret''' - style: secondary - start: 32 - end: 40 - - source: secsec = 'secret' - style: secondary - start: 23 - end: 40 - - source: secsec = 'secret' - style: secondary - start: 23 - end: 40 - - source: require 'aws-sdk-core' - style: secondary - start: 0 - end: 22 - - source: require 'aws-sdk-core' - style: secondary - start: 0 - end: 22 
diff --git a/tests/__snapshots__/ruby-cassandra-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-cassandra-empty-password-ruby-snapshot.yml deleted file mode 100644 index b0021f62..00000000 --- a/tests/__snapshots__/ruby-cassandra-empty-password-ruby-snapshot.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -id: ruby-cassandra-empty-password-ruby -snapshots: - ? | - require 'cassandra' - cluster = Cassandra.cluster(username: 'user',password: '') - : labels: - - source: 'Cassandra.cluster(username: ''user'',password: '''')' - style: primary - start: 30 - end: 78 - - source: Cassandra - style: secondary - start: 30 - end: 39 - - source: . - style: secondary - start: 39 - end: 40 - - source: cluster - style: secondary - start: 40 - end: 47 - - source: password - style: secondary - start: 65 - end: 73 - - source: '''''' - style: secondary - start: 75 - end: 77 - - source: 'password: ''''' - style: secondary - start: 65 - end: 77 - - source: '(username: ''user'',password: '''')' - style: secondary - start: 47 - end: 78 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - ? | - require 'cassandra' - password = '' - cluster = Cassandra.cluster(username: 'user',password: password) - : labels: - - source: 'Cassandra.cluster(username: ''user'',password: password)' - style: primary - start: 44 - end: 98 - - source: Cassandra - style: secondary - start: 44 - end: 53 - - source: . - style: secondary - start: 53 - end: 54 - - source: cluster - style: secondary - start: 54 - end: 61 - - source: password - style: secondary - start: 79 - end: 87 - - source: password - style: secondary - start: 89 - end: 97 - - source: 'password: password' - style: secondary - start: 79 - end: 97 - - source: '(username: ''user'',password: password)' - style: secondary - start: 61 - end: 98 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - - source: password - style: secondary - start: 20 - end: 28 - - source: '''''' - style: secondary - start: 31 - end: 33 - - source: password = '' - style: secondary - start: 20 - end: 33 - - source: password = '' - style: secondary - start: 20 - end: 33 
diff --git a/tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index 6536d106..00000000 --- a/tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -id: ruby-cassandra-hardcoded-secret-ruby -snapshots: - ? | - require 'cassandra' - cluster = Cassandra.cluster( username: 'user',password: 'password') - : labels: - - source: 'Cassandra.cluster( username: ''user'',password: ''password'')' - style: primary - start: 30 - end: 87 - - source: Cassandra - style: secondary - start: 30 - end: 39 - - source: . - style: secondary - start: 39 - end: 40 - - source: cluster - style: secondary - start: 40 - end: 47 - - source: password - style: secondary - start: 66 - end: 74 - - source: password - style: secondary - start: 77 - end: 85 - - source: '''password''' - style: secondary - start: 76 - end: 86 - - source: 'password: ''password''' - style: secondary - start: 66 - end: 86 - - source: '( username: ''user'',password: ''password'')' - style: secondary - start: 47 - end: 87 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - ? | - require 'cassandra' - password = 'password' - cluster = Cassandra.cluster( username: 'user',password: password) - : labels: - - source: 'Cassandra.cluster( username: ''user'',password: password)' - style: primary - start: 52 - end: 107 - - source: Cassandra - style: secondary - start: 52 - end: 61 - - source: . 
- style: secondary - start: 61 - end: 62 - - source: cluster - style: secondary - start: 62 - end: 69 - - source: password - style: secondary - start: 88 - end: 96 - - source: password - style: secondary - start: 98 - end: 106 - - source: 'password: password' - style: secondary - start: 88 - end: 106 - - source: '( username: ''user'',password: password)' - style: secondary - start: 69 - end: 107 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - - source: require 'cassandra' - style: secondary - start: 0 - end: 19 - - source: password - style: secondary - start: 20 - end: 28 - - source: password - style: secondary - start: 32 - end: 40 - - source: '''password''' - style: secondary - start: 31 - end: 41 - - source: password = 'password' - style: secondary - start: 20 - end: 41 - - source: password = 'password' - style: secondary - start: 20 - end: 41 diff --git a/tests/__snapshots__/ruby-excon-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-excon-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index eaaa30d3..00000000 --- a/tests/__snapshots__/ruby-excon-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,171 +0,0 @@ -id: ruby-excon-hardcoded-secret-ruby -snapshots: - ? | - require 'excon' - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => 'pa%%word') - : labels: - - source: Excon.new('http://secure.geemus.com', :user => 'username', :password => 'pa%%word') - style: primary - start: 29 - end: 112 - - source: Excon - style: secondary - start: 29 - end: 34 - - source: . - style: secondary - start: 34 - end: 35 - - source: new - style: secondary - start: 35 - end: 38 - - source: :password - style: secondary - start: 88 - end: 97 - - source: '''pa%%word''' - style: secondary - start: 101 - end: 111 - - source: :password => 'pa%%word' - style: secondary - start: 88 - end: 111 - - source: ('http://secure.geemus.com', :user => 'username', :password => 'pa%%word') - style: secondary - start: 38 - end: 112 - - source: require 'excon' - style: secondary - start: 0 - end: 15 - - source: require 'excon' - style: secondary - start: 0 - end: 15 - ? | - require 'excon' - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => Excon::Utils.escape_uri('pa%%word')) - : labels: - - source: Excon.new('http://secure.geemus.com', :user => 'username', :password => Excon::Utils.escape_uri('pa%%word')) - style: primary - start: 29 - end: 137 - - source: Excon - style: secondary - start: 29 - end: 34 - - source: . - style: secondary - start: 34 - end: 35 - - source: new - style: secondary - start: 35 - end: 38 - - source: :password - style: secondary - start: 88 - end: 97 - - source: Excon::Utils - style: secondary - start: 101 - end: 113 - - source: . 
- style: secondary - start: 113 - end: 114 - - source: escape_uri - style: secondary - start: 114 - end: 124 - - source: '''pa%%word''' - style: secondary - start: 125 - end: 135 - - source: ('pa%%word') - style: secondary - start: 124 - end: 136 - - source: Excon::Utils.escape_uri('pa%%word') - style: secondary - start: 101 - end: 136 - - source: :password => Excon::Utils.escape_uri('pa%%word') - style: secondary - start: 88 - end: 136 - - source: ('http://secure.geemus.com', :user => 'username', :password => Excon::Utils.escape_uri('pa%%word')) - style: secondary - start: 38 - end: 137 - - source: require 'excon' - style: secondary - start: 0 - end: 15 - - source: require 'excon' - style: secondary - start: 0 - end: 15 - ? | - require 'excon' - pw = 'password' - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => pw) - : labels: - - source: Excon.new('http://secure.geemus.com', :user => 'username', :password => pw) - style: primary - start: 45 - end: 120 - - source: Excon - style: secondary - start: 45 - end: 50 - - source: . - style: secondary - start: 50 - end: 51 - - source: new - style: secondary - start: 51 - end: 54 - - source: :password - style: secondary - start: 104 - end: 113 - - source: pw - style: secondary - start: 117 - end: 119 - - source: :password => pw - style: secondary - start: 104 - end: 119 - - source: ('http://secure.geemus.com', :user => 'username', :password => pw) - style: secondary - start: 54 - end: 120 - - source: require 'excon' - style: secondary - start: 0 - end: 15 - - source: require 'excon' - style: secondary - start: 0 - end: 15 - - source: pw - style: secondary - start: 16 - end: 18 - - source: '''password''' - style: secondary - start: 21 - end: 31 - - source: pw = 'password' - style: secondary - start: 16 - end: 31 - - source: pw = 'password' - style: secondary - start: 16 - end: 31 
diff --git a/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index 343fb23b..00000000 --- a/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,221 +0,0 @@ -id: ruby-faraday-hardcoded-secret-ruby -snapshots: - ? | - require "faraday" - conn.request :basic_auth, 'username', 'password' - : labels: - - source: conn.request :basic_auth, 'username', 'password' - style: primary - start: 18 - end: 66 - - source: request - style: secondary - start: 23 - end: 30 - - source: :basic_auth - style: secondary - start: 31 - end: 42 - - source: password - style: secondary - start: 57 - end: 65 - - source: '''password''' - style: secondary - start: 56 - end: 66 - - source: :basic_auth, 'username', 'password' - style: secondary - start: 31 - end: 66 - - source: require "faraday" - style: secondary - start: 0 - end: 17 - ? | - require "faraday" - conn.request :token_auth, 'authentication-token', **options - : labels: - - source: conn.request :token_auth, 'authentication-token', **options - style: primary - start: 18 - end: 77 - - source: request - style: secondary - start: 23 - end: 30 - - source: :token_auth - style: secondary - start: 31 - end: 42 - - source: authentication-token - style: secondary - start: 45 - end: 65 - - source: '''authentication-token''' - style: secondary - start: 44 - end: 66 - - source: :token_auth, 'authentication-token', **options - style: secondary - start: 31 - end: 77 - - source: require "faraday" - style: secondary - start: 0 - end: 17 - ? 
| - require "faraday" - f.request :authorization, 'Bearer', 'authentication-token' - : labels: - - source: f.request :authorization, 'Bearer', 'authentication-token' - style: primary - start: 18 - end: 76 - - source: request - style: secondary - start: 20 - end: 27 - - source: :authorization - style: secondary - start: 28 - end: 42 - - source: '''Bearer''' - style: secondary - start: 44 - end: 52 - - source: authentication-token - style: secondary - start: 55 - end: 75 - - source: '''authentication-token''' - style: secondary - start: 54 - end: 76 - - source: :authorization, 'Bearer', 'authentication-token' - style: secondary - start: 28 - end: 76 - - source: require "faraday" - style: secondary - start: 0 - end: 17 - ? |- - require "faraday" - pass = 'authentication-token' - conn.request :token_auth, pass, **options - : labels: - - source: conn.request :token_auth, pass, **options - style: primary - start: 48 - end: 89 - - source: request - style: secondary - start: 53 - end: 60 - - source: :token_auth - style: secondary - start: 61 - end: 72 - - source: pass - style: secondary - start: 74 - end: 78 - - source: :token_auth, pass, **options - style: secondary - start: 61 - end: 89 - - source: require "faraday" - style: secondary - start: 0 - end: 17 - - source: pass = 'authentication-token' - style: secondary - start: 18 - end: 47 - - source: authentication-token - style: secondary - start: 26 - end: 46 - ? 
| - require "faraday" - pass = 'authentication-token' - f.request :authorization, 'Bearer', pass - : labels: - - source: f.request :authorization, 'Bearer', pass - style: primary - start: 48 - end: 88 - - source: request - style: secondary - start: 50 - end: 57 - - source: :authorization - style: secondary - start: 58 - end: 72 - - source: '''Bearer''' - style: secondary - start: 74 - end: 82 - - source: pass - style: secondary - start: 84 - end: 88 - - source: :authorization, 'Bearer', pass - style: secondary - start: 58 - end: 88 - - source: require "faraday" - style: secondary - start: 0 - end: 17 - - source: pass = 'authentication-token' - style: secondary - start: 18 - end: 47 - - source: authentication-token - style: secondary - start: 26 - end: 46 - ? | - require "faraday" - pw = 'password' - conn.request :authorization, :basic, 'username', pw - : labels: - - source: conn.request :authorization, :basic, 'username', pw - style: primary - start: 34 - end: 85 - - source: request - style: secondary - start: 39 - end: 46 - - source: :authorization - style: secondary - start: 47 - end: 61 - - source: :basic - style: secondary - start: 63 - end: 69 - - source: pw - style: secondary - start: 83 - end: 85 - - source: :authorization, :basic, 'username', pw - style: secondary - start: 47 - end: 85 - - source: require "faraday" - style: secondary - start: 0 - end: 17 - - source: pw = 'password' - style: secondary - start: 18 - end: 33 - - source: password - style: secondary - start: 24 - end: 32 diff --git a/tests/__snapshots__/ruby-mongo-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-mongo-empty-password-ruby-snapshot.yml deleted file mode 100644 index b522ab40..00000000 --- a/tests/__snapshots__/ruby-mongo-empty-password-ruby-snapshot.yml +++ /dev/null 
@@ -1,170 +0,0 @@ -id: ruby-mongo-empty-password-ruby -snapshots: - ? | - require 'mongo' - module TestMongo - client1 = Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'user1', - password: '', - database: 'testdb1' - ) - : labels: - - source: |- - Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'user1', - password: '', - database: 'testdb1' - ) - style: primary - start: 43 - end: 143 - - source: Mongo - style: secondary - start: 43 - end: 48 - - source: Client - style: secondary - start: 50 - end: 56 - - source: Mongo::Client - style: secondary - start: 43 - end: 56 - - source: new - style: secondary - start: 57 - end: 60 - - source: password - style: secondary - start: 106 - end: 114 - - source: '''''' - style: secondary - start: 116 - end: 118 - - source: 'password: ''''' - style: secondary - start: 106 - end: 118 - - source: |- - ( - [ '127.0.0.1:27017' ], - user: 'user1', - password: '', - database: 'testdb1' - ) - style: secondary - start: 60 - end: 143 - - source: require - style: secondary - start: 0 - end: 7 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: require 'mongo' - style: secondary - start: 0 - end: 15 - - source: require 'mongo' - style: secondary - start: 0 - end: 15 - ? 
| - require 'mongo' - pw = '' - client2 = Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'user2', - password: pw, - database: 'testdb2' - ) - : labels: - - source: |- - Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'user2', - password: pw, - database: 'testdb2' - ) - style: primary - start: 34 - end: 134 - - source: Mongo - style: secondary - start: 34 - end: 39 - - source: Client - style: secondary - start: 41 - end: 47 - - source: Mongo::Client - style: secondary - start: 34 - end: 47 - - source: new - style: secondary - start: 48 - end: 51 - - source: password - style: secondary - start: 97 - end: 105 - - source: pw - style: secondary - start: 107 - end: 109 - - source: 'password: pw' - style: secondary - start: 97 - end: 109 - - source: |- - ( - [ '127.0.0.1:27017' ], - user: 'user2', - password: pw, - database: 'testdb2' - ) - style: secondary - start: 51 - end: 134 - - source: pw - style: secondary - start: 16 - end: 18 - - source: '''''' - style: secondary - start: 21 - end: 23 - - source: require - style: secondary - start: 0 - end: 7 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: require 'mongo' - style: secondary - start: 0 - end: 15 - - source: pw = '' - style: secondary - start: 16 - end: 23 - - source: pw = '' - style: secondary - start: 16 - end: 23 diff --git a/tests/__snapshots__/ruby-mongo-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-mongo-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index 1930d8fb..00000000 --- a/tests/__snapshots__/ruby-mongo-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,162 +0,0 @@ -id: ruby-mongo-hardcoded-secret-ruby -snapshots: - ? | - require 'mongo' - Mongo::Client.new( - ['127.0.0.1:27017'], - password: '123456' - ) - : labels: - - source: |- - Mongo::Client.new( - ['127.0.0.1:27017'], - password: '123456' - ) - style: primary - start: 16 - end: 80 - - source: Mongo - style: secondary - start: 16 - end: 21 - - source: Client - style: secondary - start: 23 - end: 29 - - source: Mongo::Client - style: secondary - start: 16 - end: 29 - - source: new - style: secondary - start: 30 - end: 33 - - source: password - style: secondary - start: 60 - end: 68 - - source: '123456' - style: secondary - start: 71 - end: 77 - - source: '''123456''' - style: secondary - start: 70 - end: 78 - - source: 'password: ''123456''' - style: secondary - start: 60 - end: 78 - - source: |- - ( - ['127.0.0.1:27017'], - password: '123456' - ) - style: secondary - start: 33 - end: 80 - - source: require - style: secondary - start: 0 - end: 7 - - source: mongo - style: secondary - start: 9 - end: 14 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: require 'mongo' - style: secondary - start: 0 - end: 15 - ? 
| - require 'mongo' - client_hardcoded = Mongo::Client.new( - ['127.0.0.1:27017'], - user: 'admin', - password: 'hardcoded-password', - database: 'production' - ) - : labels: - - source: |- - Mongo::Client.new( - ['127.0.0.1:27017'], - user: 'admin', - password: 'hardcoded-password', - database: 'production' - ) - style: primary - start: 35 - end: 154 - - source: Mongo - style: secondary - start: 35 - end: 40 - - source: Client - style: secondary - start: 42 - end: 48 - - source: Mongo::Client - style: secondary - start: 35 - end: 48 - - source: new - style: secondary - start: 49 - end: 52 - - source: password - style: secondary - start: 96 - end: 104 - - source: hardcoded-password - style: secondary - start: 107 - end: 125 - - source: '''hardcoded-password''' - style: secondary - start: 106 - end: 126 - - source: 'password: ''hardcoded-password''' - style: secondary - start: 96 - end: 126 - - source: |- - ( - ['127.0.0.1:27017'], - user: 'admin', - password: 'hardcoded-password', - database: 'production' - ) - style: secondary - start: 52 - end: 154 - - source: require - style: secondary - start: 0 - end: 7 - - source: mongo - style: secondary - start: 9 - end: 14 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: '''mongo''' - style: secondary - start: 8 - end: 15 - - source: require 'mongo' - style: secondary - start: 0 - end: 15 - - source: require 'mongo' - style: secondary - start: 0 - end: 15 diff --git a/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml deleted file mode 100644 index 8cd6162a..00000000 --- a/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -id: ruby-mysql2-empty-password-ruby -snapshots: - ? | - $LOAD_PATH.unshift 'lib' - require 'mysql2' - require 'timeout' - Mysql2::Client.new(host: "localhost", username: "root", password: "").query("SELECT sleep(#{overhead}) as result") - : labels: - - source: 'Mysql2::Client.new(host: "localhost", username: "root", password: "")' - style: primary - start: 60 - end: 129 - - source: Mysql2 - style: secondary - start: 60 - end: 66 - - source: Client - style: secondary - start: 68 - end: 74 - - source: Mysql2::Client - style: secondary - start: 60 - end: 74 - - source: new - style: secondary - start: 75 - end: 78 - - source: password - style: secondary - start: 116 - end: 124 - - source: '""' - style: secondary - start: 126 - end: 128 - - source: 'password: ""' - style: secondary - start: 116 - end: 128 - - source: '(host: "localhost", username: "root", password: "")' - style: secondary - start: 78 - end: 129 - - source: require - style: secondary - start: 25 - end: 32 - - source: mysql2 - style: secondary - start: 34 - end: 40 - - source: '''mysql2''' - style: secondary - start: 33 - end: 41 - - source: '''mysql2''' - style: secondary - start: 33 - end: 41 - - source: require 'mysql2' - style: secondary - start: 25 - end: 41 - - source: require 'mysql2' - style: secondary - start: 25 - end: 41 - ? 
| - $LOAD_PATH.unshift 'lib' - require 'mysql2' - require 'timeout' - pw = "" - conn1 = Mysql2::Client.new(host: "localhost", username: "root", password: pw) - : labels: - - source: 'Mysql2::Client.new(host: "localhost", username: "root", password: pw)' - style: primary - start: 76 - end: 145 - - source: Mysql2 - style: secondary - start: 76 - end: 82 - - source: Client - style: secondary - start: 84 - end: 90 - - source: Mysql2::Client - style: secondary - start: 76 - end: 90 - - source: new - style: secondary - start: 91 - end: 94 - - source: password - style: secondary - start: 132 - end: 140 - - source: pw - style: secondary - start: 142 - end: 144 - - source: 'password: pw' - style: secondary - start: 132 - end: 144 - - source: '(host: "localhost", username: "root", password: pw)' - style: secondary - start: 94 - end: 145 - - source: pw - style: secondary - start: 60 - end: 62 - - source: '""' - style: secondary - start: 65 - end: 67 - - source: require - style: secondary - start: 25 - end: 32 - - source: mysql2 - style: secondary - start: 34 - end: 40 - - source: '''mysql2''' - style: secondary - start: 33 - end: 41 - - source: '''mysql2''' - style: secondary - start: 33 - end: 41 - - source: require 'mysql2' - style: secondary - start: 25 - end: 41 - - source: pw = "" - style: secondary - start: 60 - end: 67 - - source: pw = "" - style: secondary - start: 60 - end: 67 diff --git a/tests/__snapshots__/ruby-mysql2-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-mysql2-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index 4ebd6b73..00000000 --- a/tests/__snapshots__/ruby-mysql2-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,161 +0,0 @@ -id: ruby-mysql2-hardcoded-secret-ruby -snapshots: - ? | - $LOAD_PATH.unshift 'lib' - require 'mysql2' - require 'timeout' - - def connect_to_db - Mysql2::Client.new(host: "localhost", username: "root", password: "complex-hardcoded-password") - end - : labels: - - source: 'Mysql2::Client.new(host: "localhost", username: "root", password: "complex-hardcoded-password")' - style: primary - start: 81 - end: 176 - - source: Mysql2 - style: secondary - start: 81 - end: 87 - - source: Client - style: secondary - start: 89 - end: 95 - - source: Mysql2::Client - style: secondary - start: 81 - end: 95 - - source: new - style: secondary - start: 96 - end: 99 - - source: password - style: secondary - start: 137 - end: 145 - - source: complex-hardcoded-password - style: secondary - start: 148 - end: 174 - - source: '"complex-hardcoded-password"' - style: secondary - start: 147 - end: 175 - - source: 'password: "complex-hardcoded-password"' - style: secondary - start: 137 - end: 175 - - source: '(host: "localhost", username: "root", password: "complex-hardcoded-password")' - style: secondary - start: 99 - end: 176 - - source: require - style: secondary - start: 25 - end: 32 - - source: mysql2 - style: secondary - start: 34 - end: 40 - - source: '''mysql2''' - style: secondary - start: 33 - end: 41 - - source: '''mysql2''' - style: secondary - start: 33 - end: 41 - - source: require 'mysql2' - style: secondary - start: 25 - end: 41 - - source: require 'mysql2' - style: secondary - start: 25 - end: 41 - ? 
"require 'mysql2'\nclass DatabaseConnection\n def self.connect\n password = \"class-hardcoded-password\"\n Mysql2::Client.new(host: \"localhost\", username: \"admin\", password: password)\n end \nend\n" - : labels: - - source: 'Mysql2::Client.new(host: "localhost", username: "admin", password: password)' - style: primary - start: 107 - end: 183 - - source: Mysql2 - style: secondary - start: 107 - end: 113 - - source: Client - style: secondary - start: 115 - end: 121 - - source: Mysql2::Client - style: secondary - start: 107 - end: 121 - - source: new - style: secondary - start: 122 - end: 125 - - source: password - style: secondary - start: 164 - end: 172 - - source: password - style: secondary - start: 174 - end: 182 - - source: 'password: password' - style: secondary - start: 164 - end: 182 - - source: '(host: "localhost", username: "admin", password: password)' - style: secondary - start: 125 - end: 183 - - source: password - style: secondary - start: 65 - end: 73 - - source: class-hardcoded-password - style: secondary - start: 77 - end: 101 - - source: '"class-hardcoded-password"' - style: secondary - start: 76 - end: 102 - - source: require - style: secondary - start: 0 - end: 7 - - source: mysql2 - style: secondary - start: 9 - end: 15 - - source: '''mysql2''' - style: secondary - start: 8 - end: 16 - - source: '''mysql2''' - style: secondary - start: 8 - end: 16 - - source: require 'mysql2' - style: secondary - start: 0 - end: 16 - - source: require 'mysql2' - style: secondary - start: 0 - end: 16 - - source: |- - def self.connect - password = "class-hardcoded-password" - Mysql2::Client.new(host: "localhost", username: "admin", password: password) - end - style: secondary - start: 44 - end: 189 - - source: password = "class-hardcoded-password" - style: secondary - start: 65 - end: 102 
diff --git a/tests/__snapshots__/ruby-octokit-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-octokit-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index c7bbe2ad..00000000 --- a/tests/__snapshots__/ruby-octokit-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,232 +0,0 @@ -id: ruby-octokit-hardcoded-secret-ruby -snapshots: - ? | - require 'octokit' - Octokit::Client.new(access_token: "", per_page: 100) - : labels: - - source: 'Octokit::Client.new(access_token: "", per_page: 100)' - style: primary - start: 18 - end: 90 - - source: Octokit::Client - style: secondary - start: 18 - end: 33 - - source: . - style: secondary - start: 33 - end: 34 - - source: new - style: secondary - start: 34 - end: 37 - - source: access_token - style: secondary - start: 38 - end: 50 - - source: '""' - style: secondary - start: 52 - end: 74 - - source: 'access_token: ""' - style: secondary - start: 38 - end: 74 - - source: '(access_token: "", per_page: 100)' - style: secondary - start: 37 - end: 90 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - ? | - require 'octokit' - client = Octokit::Client.new \ - :client_id => "", - :client_secret => "" - : labels: - - source: |- - Octokit::Client.new \ - :client_id => "", - :client_secret => "" - style: primary - start: 27 - end: 129 - - source: Octokit::Client - style: secondary - start: 27 - end: 42 - - source: . - style: secondary - start: 42 - end: 43 - - source: new - style: secondary - start: 43 - end: 46 - - source: :client_secret - style: secondary - start: 88 - end: 102 - - source: '""' - style: secondary - start: 106 - end: 129 - - source: :client_secret => "" - style: secondary - start: 88 - end: 129 - - source: |- - :client_id => "", - :client_secret => "" - style: secondary - start: 49 - end: 129 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - ? | - require 'octokit' - client = Octokit::Client.new \ - :login => 'defunkt', - :password => 'c0d3b4ssssss!' - : labels: - - source: |- - Octokit::Client.new \ - :login => 'defunkt', - :password => 'c0d3b4ssssss!' 
- style: primary - start: 27 - end: 101 - - source: Octokit::Client - style: secondary - start: 27 - end: 42 - - source: . - style: secondary - start: 42 - end: 43 - - source: new - style: secondary - start: 43 - end: 46 - - source: :password - style: secondary - start: 73 - end: 82 - - source: '''c0d3b4ssssss!''' - style: secondary - start: 86 - end: 101 - - source: :password => 'c0d3b4ssssss!' - style: secondary - start: 73 - end: 101 - - source: |- - :login => 'defunkt', - :password => 'c0d3b4ssssss!' - style: secondary - start: 49 - end: 101 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - ? | - require 'octokit' - client = Octokit::Client.new(:access_token => "") - : labels: - - source: Octokit::Client.new(:access_token => "") - style: primary - start: 27 - end: 87 - - source: Octokit::Client - style: secondary - start: 27 - end: 42 - - source: . - style: secondary - start: 42 - end: 43 - - source: new - style: secondary - start: 43 - end: 46 - - source: :access_token - style: secondary - start: 47 - end: 60 - - source: '""' - style: secondary - start: 64 - end: 86 - - source: :access_token => "" - style: secondary - start: 47 - end: 86 - - source: (:access_token => "") - style: secondary - start: 46 - end: 87 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - ? | - require 'octokit' - client = Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!') - : labels: - - source: Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!') - style: primary - start: 27 - end: 97 - - source: Octokit::Client - style: secondary - start: 27 - end: 42 - - source: . 
- style: secondary - start: 42 - end: 43 - - source: new - style: secondary - start: 43 - end: 46 - - source: :password - style: secondary - start: 68 - end: 77 - - source: '''c0d3b4ssssss!''' - style: secondary - start: 81 - end: 96 - - source: :password => 'c0d3b4ssssss!' - style: secondary - start: 68 - end: 96 - - source: (:login => 'defunkt', :password => 'c0d3b4ssssss!') - style: secondary - start: 46 - end: 97 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 - - source: require 'octokit' - style: secondary - start: 0 - end: 17 diff --git a/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml deleted file mode 100644 index 0950774f..00000000 --- a/tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml +++ /dev/null @@ -1,60 +0,0 @@ -id: ruby-pg-empty-password-ruby -snapshots: - ? |- - con1 = PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => '', - :sslmode => 'prefer' - ) - : labels: - - source: |- - PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => '', - :sslmode => 'prefer' - ) - style: primary - start: 7 - end: 151 - - source: PG - style: secondary - start: 7 - end: 9 - - source: . - style: secondary - start: 9 - end: 10 - - source: connect - style: secondary - start: 10 - end: 17 - - source: :password - style: secondary - start: 110 - end: 119 - - source: '''''' - style: secondary - start: 123 - end: 125 - - source: :password => '' - style: secondary - start: 110 - end: 125 - - source: |- - ( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => '', - :sslmode => 'prefer' - ) - style: secondary - start: 17 - end: 151 diff --git a/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index a7230acc..00000000 
--- a/tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml +++ /dev/null @@ -1,69 +0,0 @@ -id: ruby-pg-hardcoded-secret-ruby -snapshots: - ? |- - require "pg" - PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => 'password', - :sslmode => 'prefer' - ) - : labels: - - source: |- - PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => 'password', - :sslmode => 'prefer' - ) - style: primary - start: 13 - end: 171 - - source: PG - style: secondary - start: 13 - end: 15 - - source: . - style: secondary - start: 15 - end: 16 - - source: connect - style: secondary - start: 16 - end: 23 - - source: :password - style: secondary - start: 121 - end: 130 - - source: password - style: secondary - start: 135 - end: 143 - - source: '''password''' - style: secondary - start: 134 - end: 144 - - source: :password => 'password' - style: secondary - start: 121 - end: 144 - - source: |- - ( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => 'password', - :sslmode => 'prefer' - ) - style: secondary - start: 23 - end: 171 - - source: require "pg" - style: secondary - start: 0 - end: 12 diff --git a/tests/__snapshots__/ruby-redis-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-redis-empty-password-ruby-snapshot.yml deleted file mode 100644 index 13324393..00000000 --- a/tests/__snapshots__/ruby-redis-empty-password-ruby-snapshot.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -id: ruby-redis-empty-password-ruby -snapshots: - ? | - require "redis" - redis = Redis.new(password: "") - : labels: - - source: 'Redis.new(password: "")' - style: primary - start: 24 - end: 47 - - source: Redis - style: secondary - start: 24 - end: 29 - - source: . - style: secondary - start: 29 - end: 30 - - source: new - style: secondary - start: 30 - end: 33 - - source: password - style: secondary - start: 34 - end: 42 - - source: '""' - style: secondary - start: 44 - end: 46 - - source: 'password: ""' - style: secondary - start: 34 - end: 46 - - source: '(password: "")' - style: secondary - start: 33 - end: 47 - - source: require "redis" - style: secondary - start: 0 - end: 15 - - source: require "redis" - style: secondary - start: 0 - end: 15 - ? | - require "redis" - redis1 = Redis.new(username: 'myname', password: '') - : labels: - - source: 'Redis.new(username: ''myname'', password: '''')' - style: primary - start: 25 - end: 68 - - source: Redis - style: secondary - start: 25 - end: 30 - - source: . - style: secondary - start: 30 - end: 31 - - source: new - style: secondary - start: 31 - end: 34 - - source: password - style: secondary - start: 55 - end: 63 - - source: '''''' - style: secondary - start: 65 - end: 67 - - source: 'password: ''''' - style: secondary - start: 55 - end: 67 - - source: '(username: ''myname'', password: '''')' - style: secondary - start: 34 - end: 68 - - source: require "redis" - style: secondary - start: 0 - end: 15 - - source: require "redis" - style: secondary - start: 0 - end: 15 diff --git a/tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml deleted file mode 100644 index 9c54d5d2..00000000 --- a/tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -id: ruby-redis-hardcoded-secret-ruby -snapshots: - ? | - require "redis" - redis = Redis.new(password: "mysecret") - : labels: - - source: 'Redis.new(password: "mysecret")' - style: primary - start: 24 - end: 55 - - source: Redis - style: secondary - start: 24 - end: 29 - - source: . - style: secondary - start: 29 - end: 30 - - source: new - style: secondary - start: 30 - end: 33 - - source: password - style: secondary - start: 34 - end: 42 - - source: mysecret - style: secondary - start: 45 - end: 53 - - source: '"mysecret"' - style: secondary - start: 44 - end: 54 - - source: 'password: "mysecret"' - style: secondary - start: 34 - end: 54 - - source: '(password: "mysecret")' - style: secondary - start: 33 - end: 55 - - source: require "redis" - style: secondary - start: 0 - end: 15 - - source: require "redis" - style: secondary - start: 0 - end: 15 - ? | - require "redis" - redis1 = Redis.new(username: 'myname', password: 'mysecret') - : labels: - - source: 'Redis.new(username: ''myname'', password: ''mysecret'')' - style: primary - start: 25 - end: 76 - - source: Redis - style: secondary - start: 25 - end: 30 - - source: . - style: secondary - start: 30 - end: 31 - - source: new - style: secondary - start: 31 - end: 34 - - source: password - style: secondary - start: 55 - end: 63 - - source: mysecret - style: secondary - start: 66 - end: 74 - - source: '''mysecret''' - style: secondary - start: 65 - end: 75 - - source: 'password: ''mysecret''' - style: secondary - start: 55 - end: 75 - - source: '(username: ''myname'', password: ''mysecret'')' - style: secondary - start: 34 - end: 76 - - source: require "redis" - style: secondary - start: 0 - end: 15 - - source: require "redis" - style: secondary - start: 0 - end: 15 diff --git a/tests/__snapshots__/scala-jwt-hardcoded-secret-scala-snapshot.yml b/tests/__snapshots__/scala-jwt-hardcoded-secret-scala-snapshot.yml deleted file mode 100644 index 0b95154e..00000000 
--- a/tests/__snapshots__/scala-jwt-hardcoded-secret-scala-snapshot.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -id: scala-jwt-hardcoded-secret-scala -snapshots: - ? "import com.auth0.jwt.algorithms.Algorithm\nclass App {\n def bad1(): Unit = {\n try {\n val algorithm = Algorithm.HMAC256(\"secret\")\n val token = JWT.create()\n .withIssuer(\"auth0\")\n .sign(algorithm)\n } catch {\n case exception: JWTCreationException => \n println(s\"Error creating JWT: ${exception.getMessage}\")\n }\n }\n}\n" - : labels: - - source: Algorithm.HMAC256("secret") - style: primary - start: 109 - end: 136 - - source: '"secret"' - style: secondary - start: 127 - end: 135 - - source: ("secret") - style: secondary - start: 126 - end: 136 - - source: Algorithm.HMAC256 - style: secondary - start: 109 - end: 126 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 0 - end: 41 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 0 - end: 41 - ? "import com.auth0.jwt.algorithms.Algorithm\nclass AuthService {\n def createAuthToken(username: String): String = {\n try {\n val algorithm = Algorithm.HMAC384(\"secretKey\")\n val token = JWT.create()\n .withIssuer(\"auth0\")\n .withClaim(\"username\", username)\n .sign(algorithm)\n token\n } catch {\n case e: JWTCreationException => \n }\n }\n}\n" - : labels: - - source: Algorithm.HMAC384("secretKey") - style: primary - start: 146 - end: 176 - - source: '"secretKey"' - style: secondary - start: 164 - end: 175 - - source: ("secretKey") - style: secondary - start: 163 - end: 176 - - source: Algorithm.HMAC384 - style: secondary - start: 146 - end: 163 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 0 - end: 41 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 0 - end: 41 - ? 
"import com.auth0.jwt.algorithms.Algorithm\nclass SessionService {\n def createSessionToken(userId: String): String = {\n try {\n val algorithm = Algorithm.HMAC512(\"secretKey\")\n val token = JWT.create()\n .withIssuer(\"auth0\")\n .withClaim(\"userId\", userId)\n .sign(algorithm)\n token\n } catch {\n case e: JWTCreationException => \n \"\"\n }\n }\n}\n" - : labels: - - source: Algorithm.HMAC512("secretKey") - style: primary - start: 156 - end: 186 - - source: '"secretKey"' - style: secondary - start: 174 - end: 185 - - source: ("secretKey") - style: secondary - start: 173 - end: 186 - - source: Algorithm.HMAC512 - style: secondary - start: 156 - end: 173 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 0 - end: 41 - - source: import com.auth0.jwt.algorithms.Algorithm - style: secondary - start: 0 - end: 41 diff --git a/tests/__snapshots__/search-active-debug-php-snapshot.yml b/tests/__snapshots__/search-active-debug-php-snapshot.yml deleted file mode 100644 index cbe1b4fc..00000000 --- a/tests/__snapshots__/search-active-debug-php-snapshot.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -id: search-active-debug-php -snapshots: - ? | - Result<(), reqwest::Error> {\nlet client = reqwest::Client::new();\nlet resp = client.delete(\"http://httpbin.org/delete\")\n.basic_auth(\"admin\", Some(\"hardcoded-password\"))\n.send()\n.await?;\nprintln!(\"body = {:?}\", resp);\nOk(())\n}\n" - : labels: - - source: |- - client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - style: primary - start: 119 - end: 210 - - source: client - style: secondary - start: 119 - end: 125 - - source: basic_auth - style: secondary - start: 163 - end: 173 - - source: |- - client.delete("http://httpbin.org/delete") - .basic_auth - style: secondary - start: 119 - end: 173 - - source: Some - style: secondary - start: 183 - end: 187 - - source: hardcoded-password - style: secondary - start: 189 - end: 207 - - source: '"hardcoded-password"' - style: secondary - start: 188 - end: 208 - - source: ("hardcoded-password") - style: secondary - start: 187 - end: 209 - - source: Some("hardcoded-password") - style: secondary - start: 183 - end: 209 - - source: ("admin", Some("hardcoded-password")) - style: secondary - start: 173 - end: 210 - - source: client - style: secondary - start: 75 - end: 81 - - source: reqwest::Client::new() - style: secondary - start: 84 - end: 106 - - source: let client = reqwest::Client::new(); - style: secondary - start: 71 - end: 107 - - source: |- - let resp = client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - .send() - .await?; - style: secondary - start: 108 - end: 227 - ? 
"use reqwest::Client; \nasync fn test2() -> Result<(), reqwest::Error> {\nlet client = reqwest::Client::new();\nlet resp = client.put(\"http://httpbin.org/delete\")\n.bearer_auth(\"hardcoded-token\")\n.send()\n.await?;\nprintln!(\"body = {:?}\", resp);\nOk(())\n}" - : labels: - - source: |- - client.put("http://httpbin.org/delete") - .bearer_auth("hardcoded-token") - style: primary - start: 119 - end: 190 - - source: client - style: secondary - start: 119 - end: 125 - - source: bearer_auth - style: secondary - start: 160 - end: 171 - - source: |- - client.put("http://httpbin.org/delete") - .bearer_auth - style: secondary - start: 119 - end: 171 - - source: client - style: secondary - start: 75 - end: 81 - - source: reqwest::Client::new() - style: secondary - start: 84 - end: 106 - - source: let client = reqwest::Client::new(); - style: secondary - start: 71 - end: 107 - - source: let client = reqwest::Client::new(); - style: secondary - start: 71 - end: 107 - - source: hardcoded-token - style: secondary - start: 173 - end: 188 - - source: '"hardcoded-token"' - style: secondary - start: 172 - end: 189 - - source: ("hardcoded-token") - style: secondary - start: 171 - end: 190 diff --git a/tests/__snapshots__/simple-command-injection-direct-input-java-snapshot.yml b/tests/__snapshots__/simple-command-injection-direct-input-java-snapshot.yml deleted file mode 100644 index 22d0b82e..00000000 --- a/tests/__snapshots__/simple-command-injection-direct-input-java-snapshot.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -id: simple-command-injection-direct-input-java -snapshots: - ? | - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - : labels: - - source: Runtime.getRuntime().exec(command) - style: primary - start: 208 - end: 242 - - source: PathVariable - style: secondary - start: 83 - end: 95 - - source: '@PathVariable' - style: secondary - start: 82 - end: 95 - - source: command - style: secondary - start: 109 - end: 116 - - source: String - style: secondary - start: 102 - end: 108 - - source: '@PathVariable final' - style: secondary - start: 82 - end: 101 - - source: '@PathVariable final String command' - style: secondary - start: 82 - end: 116 - - source: |- - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - style: secondary - start: 0 - end: 358 - ? 
| - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable() final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - : labels: - - source: Runtime.getRuntime().exec(command) - style: primary - start: 210 - end: 244 - - source: PathVariable - style: secondary - start: 83 - end: 95 - - source: () - style: secondary - start: 95 - end: 97 - - source: '@PathVariable()' - style: secondary - start: 82 - end: 97 - - source: command - style: secondary - start: 111 - end: 118 - - source: String - style: secondary - start: 104 - end: 110 - - source: '@PathVariable() final' - style: secondary - start: 82 - end: 103 - - source: '@PathVariable() final String command' - style: secondary - start: 82 - end: 118 - - source: |- - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable() final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - style: secondary - start: 0 - end: 360 diff --git a/tests/__snapshots__/sizeof-this-c-snapshot.yml b/tests/__snapshots__/sizeof-this-c-snapshot.yml deleted file mode 100644 index 148c2f8c..00000000 --- a/tests/__snapshots__/sizeof-this-c-snapshot.yml +++ /dev/null @@ -1,26 +0,0 @@ -id: sizeof-this-c -snapshots: - ? | - struct Foo { - uint64_t a; - uint8_t b; - size_t get_size() const { - return sizeof(this); - } - : labels: - - source: sizeof(this) - style: primary - start: 77 - end: 89 - - source: sizeof - style: secondary - start: 77 - end: 83 - - source: this - style: secondary - start: 84 - end: 88 - - source: (this) - style: secondary - start: 83 - end: 89 
diff --git a/tests/__snapshots__/sizeof-this-cpp-snapshot.yml b/tests/__snapshots__/sizeof-this-cpp-snapshot.yml deleted file mode 100644 index 16d1c43f..00000000 --- a/tests/__snapshots__/sizeof-this-cpp-snapshot.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: sizeof-this-cpp -snapshots: - ? | - return sizeof(this); - : labels: - - source: sizeof(this) - style: primary - start: 7 - end: 19 - - source: this - style: secondary - start: 14 - end: 18 diff --git a/tests/__snapshots__/small-key-size-c-snapshot.yml b/tests/__snapshots__/small-key-size-c-snapshot.yml deleted file mode 100644 index 75ad82af..00000000 --- a/tests/__snapshots__/small-key-size-c-snapshot.yml +++ /dev/null @@ -1,23 +0,0 @@ -id: small-key-size-c -snapshots: - ? | - void foo() { - DH_generate_parameters_ex(NULL, 1024); - } - : labels: - - source: DH_generate_parameters_ex(NULL, 1024) - style: primary - start: 15 - end: 52 - - source: DH_generate_parameters_ex - style: secondary - start: 15 - end: 40 - - source: '1024' - style: secondary - start: 47 - end: 51 - - source: (NULL, 1024) - style: secondary - start: 40 - end: 52 diff --git a/tests/__snapshots__/small-key-size-cpp-snapshot.yml b/tests/__snapshots__/small-key-size-cpp-snapshot.yml deleted file mode 100644 index b4051940..00000000 --- a/tests/__snapshots__/small-key-size-cpp-snapshot.yml +++ /dev/null @@ -1,23 +0,0 @@ -id: small-key-size-cpp -snapshots: - ? | - void foo() { - DH_generate_parameters_ex(NULL, 1024); - } - : labels: - - source: DH_generate_parameters_ex(NULL, 1024) - style: primary - start: 15 - end: 52 - - source: DH_generate_parameters_ex - style: secondary - start: 15 - end: 40 - - source: '1024' - style: secondary - start: 47 - end: 51 - - source: (NULL, 1024) - style: secondary - start: 40 - end: 52 
diff --git a/tests/__snapshots__/sqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/sqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml deleted file mode 100644 index db4a8efd..00000000 --- a/tests/__snapshots__/sqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml +++ /dev/null 
@@ -1,291 +0,0 @@ -id: sqlconnectionstringbuilder-hardcoded-secret-csharp -snapshots: - ? | - private SqlConnectionStringBuilder GetConnection(args) - { - SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - builder.Password = "reee!"; - } - : labels: - - source: builder.Password = "reee!" - style: primary - start: 132 - end: 158 - - source: builder - style: secondary - start: 132 - end: 139 - - source: Password - style: secondary - start: 140 - end: 148 - - source: builder.Password - style: secondary - start: 132 - end: 148 - - source: '"reee!"' - style: secondary - start: 151 - end: 158 - - source: SqlConnectionStringBuilder - style: secondary - start: 59 - end: 85 - - source: builder - style: secondary - start: 86 - end: 93 - - source: SqlConnectionStringBuilder - style: secondary - start: 100 - end: 126 - - source: () - style: secondary - start: 126 - end: 128 - - source: new SqlConnectionStringBuilder() - style: secondary - start: 96 - end: 128 - - source: builder = new SqlConnectionStringBuilder() - style: secondary - start: 86 - end: 128 - - source: SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder() - style: secondary - start: 59 - end: 128 - - source: SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - style: secondary - start: 59 - end: 129 - - source: SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - style: secondary - start: 59 - end: 129 - ? | - private SqlConnectionStringBuilder GetConnection(args) - { - SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - builder["Password"] = "reee!"; - } - : labels: - - source: builder["Password"] = "reee!" 
- style: primary - start: 132 - end: 161 - - source: builder - style: secondary - start: 132 - end: 139 - - source: Password - style: secondary - start: 141 - end: 149 - - source: '"Password"' - style: secondary - start: 140 - end: 150 - - source: '"Password"' - style: secondary - start: 140 - end: 150 - - source: '["Password"]' - style: secondary - start: 139 - end: 151 - - source: builder["Password"] - style: secondary - start: 132 - end: 151 - - source: '"reee!"' - style: secondary - start: 154 - end: 161 - - source: SqlConnectionStringBuilder - style: secondary - start: 59 - end: 85 - - source: builder - style: secondary - start: 86 - end: 93 - - source: SqlConnectionStringBuilder - style: secondary - start: 100 - end: 126 - - source: () - style: secondary - start: 126 - end: 128 - - source: new SqlConnectionStringBuilder() - style: secondary - start: 96 - end: 128 - - source: builder = new SqlConnectionStringBuilder() - style: secondary - start: 86 - end: 128 - - source: SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder() - style: secondary - start: 59 - end: 128 - - source: SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - style: secondary - start: 59 - end: 129 - - source: SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - style: secondary - start: 59 - end: 129 - ? 
| - private SqlConnectionStringBuilder GetConnection(args) - { - string password = "aaaa"; - var cb = new SqlConnectionStringBuilder(); - cb["Password"] = password; - } - : labels: - - source: cb["Password"] = password - style: primary - start: 132 - end: 157 - - source: cb - style: secondary - start: 132 - end: 134 - - source: Password - style: secondary - start: 136 - end: 144 - - source: '"Password"' - style: secondary - start: 135 - end: 145 - - source: '"Password"' - style: secondary - start: 135 - end: 145 - - source: '["Password"]' - style: secondary - start: 134 - end: 146 - - source: cb["Password"] - style: secondary - start: 132 - end: 146 - - source: password - style: secondary - start: 149 - end: 157 - - source: cb - style: secondary - start: 91 - end: 93 - - source: SqlConnectionStringBuilder - style: secondary - start: 100 - end: 126 - - source: () - style: secondary - start: 126 - end: 128 - - source: new SqlConnectionStringBuilder() - style: secondary - start: 96 - end: 128 - - source: cb = new SqlConnectionStringBuilder() - style: secondary - start: 91 - end: 128 - - source: var cb = new SqlConnectionStringBuilder() - style: secondary - start: 87 - end: 128 - - source: var cb = new SqlConnectionStringBuilder(); - style: secondary - start: 87 - end: 129 - - source: password - style: secondary - start: 66 - end: 74 - - source: '"aaaa"' - style: secondary - start: 77 - end: 83 - - source: password = "aaaa" - style: secondary - start: 66 - end: 83 - - source: string password = "aaaa" - style: secondary - start: 59 - end: 83 - - source: string password = "aaaa"; - style: secondary - start: 59 - end: 84 - - source: cb["Password"] = password; - style: secondary - start: 132 - end: 158 - ? | - private SqlConnectionStringBuilder GetConnection(args) - { - var cb = new SqlConnectionStringBuilder(); - cb.Password = "reee!"; - } - : labels: - - source: cb.Password = "reee!" 
- style: primary - start: 104 - end: 125 - - source: cb - style: secondary - start: 104 - end: 106 - - source: Password - style: secondary - start: 107 - end: 115 - - source: cb.Password - style: secondary - start: 104 - end: 115 - - source: '"reee!"' - style: secondary - start: 118 - end: 125 - - source: cb - style: secondary - start: 63 - end: 65 - - source: SqlConnectionStringBuilder - style: secondary - start: 72 - end: 98 - - source: () - style: secondary - start: 98 - end: 100 - - source: new SqlConnectionStringBuilder() - style: secondary - start: 68 - end: 100 - - source: cb = new SqlConnectionStringBuilder() - style: secondary - start: 63 - end: 100 - - source: var cb = new SqlConnectionStringBuilder() - style: secondary - start: 59 - end: 100 - - source: var cb = new SqlConnectionStringBuilder(); - style: secondary - start: 59 - end: 101 - - source: var cb = new SqlConnectionStringBuilder(); - style: secondary - start: 59 - end: 101 diff --git a/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml b/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml deleted file mode 100644 index befd3680..00000000 --- a/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -id: ssl-v3-is-insecure-go -snapshots: - ? | - client := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - }, - }, - } - : labels: - - source: |- - tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - } - style: primary - start: 74 - end: 325 - - source: tls.Config - style: secondary - start: 74 - end: 84 - - source: MinVersion - style: secondary - start: 119 - end: 129 - - source: tls - style: secondary - start: 139 - end: 142 - - source: VersionSSL30 - style: secondary - start: 143 - end: 155 - - source: tls.VersionSSL30 - style: secondary - start: 139 - end: 155 - - source: tls.VersionSSL30 - style: secondary - start: 139 - end: 155 - - source: 'MinVersion: tls.VersionSSL30' - style: secondary - start: 119 - end: 155 - - source: |- - { - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - } - style: secondary - start: 84 - end: 325 diff --git a/tests/__snapshots__/ssl-verify-none-rust-snapshot.yml b/tests/__snapshots__/ssl-verify-none-rust-snapshot.yml deleted file mode 100644 index 520aba33..00000000 --- a/tests/__snapshots__/ssl-verify-none-rust-snapshot.yml +++ /dev/null 
@@ -1,88 +0,0 @@ -id: ssl-verify-none-rust -snapshots: - ? "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder, \n SSL_VERIFY_NONE\n};\nconnector.builder_mut().set_verify(SSL_VERIFY_NONE);\n" - : labels: - - source: connector.builder_mut().set_verify(SSL_VERIFY_NONE) - style: primary - start: 79 - end: 130 - - source: SSL_VERIFY_NONE - style: secondary - start: 60 - end: 75 - - source: "{\n SslMethod, \n SslConnectorBuilder, \n SSL_VERIFY_NONE\n}" - style: secondary - start: 18 - end: 77 - - source: openssl::ssl - style: secondary - start: 4 - end: 16 - - source: "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder, \n SSL_VERIFY_NONE\n};" - style: secondary - start: 0 - end: 78 - - source: "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder, \n SSL_VERIFY_NONE\n};" - style: secondary - start: 0 - end: 78 - ? | - use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - connector.builder_mut().set_verify(SSL_VERIFY_NONE); - : labels: - - source: connector.builder_mut().set_verify(SSL_VERIFY_NONE) - style: primary - start: 69 - end: 120 - - source: SSL_VERIFY_NONE - style: secondary - start: 51 - end: 66 - - source: '{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}' - style: secondary - start: 18 - end: 67 - - source: openssl::ssl - style: secondary - start: 4 - end: 16 - - source: use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - style: secondary - start: 0 - end: 68 - - source: use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - style: secondary - start: 0 - end: 68 - ? | - use openssl::ssl; - connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE); - : labels: - - source: connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE) - style: primary - start: 18 - end: 74 - - source: use openssl::ssl; - style: secondary - start: 0 - end: 17 - - source: use openssl::ssl; - style: secondary - start: 0 - end: 17 - ? 
| - use openssl; - connector.builder_mut().set_verify(openssl::ssl::SSL_VERIFY_NONE); - : labels: - - source: connector.builder_mut().set_verify(openssl::ssl::SSL_VERIFY_NONE) - style: primary - start: 13 - end: 78 - - source: use openssl; - style: secondary - start: 0 - end: 12 - - source: use openssl; - style: secondary - start: 0 - end: 12 diff --git a/tests/__snapshots__/stacktrace-disclosure-csharp-snapshot.yml b/tests/__snapshots__/stacktrace-disclosure-csharp-snapshot.yml deleted file mode 100644 index 41076a93..00000000 --- a/tests/__snapshots__/stacktrace-disclosure-csharp-snapshot.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: stacktrace-disclosure-csharp -snapshots: - ? "if (!env.IsDevelopment()) \n {\n app.UseDeveloperExceptionPage(); \n }\n" - : labels: - - source: app.UseDeveloperExceptionPage(); - style: primary - start: 42 - end: 74 - ? "if (DateTime.Now.DayOfWeek == DayOfWeek.Monday) \n {\n app.UseDeveloperExceptionPage(); \n }\n" - : labels: - - source: app.UseDeveloperExceptionPage(); - style: primary - start: 63 - end: 95 - ? "if (DateTime.Now.DayOfWeek == DayOfWeek.Monday) \n {\n app.UseDeveloperExceptionPage();\n }\n" - : labels: - - source: app.UseDeveloperExceptionPage(); - style: primary - start: 64 - end: 96 - ? "if (env.IsProduction()) \n {\n app.UseDeveloperExceptionPage(); \n }\n" - : labels: - - source: app.UseDeveloperExceptionPage(); - style: primary - start: 40 - end: 72 - ? "if (environment == \"dev\") \n {\n app.UseDeveloperExceptionPage(); \n }\n" - : labels: - - source: app.UseDeveloperExceptionPage(); - style: primary - start: 42 - end: 74 - ? | - public void Configure(IApplicationBuilder app, IWebHostEnvironment env) - { - app.UseDeveloperExceptionPage(); - } - : labels: - - source: app.UseDeveloperExceptionPage(); - style: primary - start: 74 - end: 106 diff --git a/tests/__snapshots__/std-return-data-cpp-snapshot.yml b/tests/__snapshots__/std-return-data-cpp-snapshot.yml deleted file mode 100644 index e6f84d13..00000000 
--- a/tests/__snapshots__/std-return-data-cpp-snapshot.yml +++ /dev/null @@ -1,48 +0,0 @@ -id: std-return-data-cpp -snapshots: - ? | - int *return_vector_data() { - std::vector v; - return v.data(); - } - : labels: - - source: return v.data(); - style: primary - start: 50 - end: 66 - - source: int - style: secondary - start: 0 - end: 3 - - source: '*return_vector_data()' - style: secondary - start: 4 - end: 25 - - source: |- - int *return_vector_data() { - std::vector v; - return v.data(); - } - style: secondary - start: 0 - end: 68 - - source: std::vector - style: secondary - start: 29 - end: 45 - - source: v - style: secondary - start: 46 - end: 47 - - source: |- - { - std::vector v; - return v.data(); - } - style: secondary - start: 26 - end: 68 - - source: std::vector v; - style: secondary - start: 29 - end: 48 diff --git a/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml b/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml deleted file mode 100644 index 5625d46d..00000000 --- a/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: std-vector-invalidation-cpp -snapshots: - ? "void loop_variant_5(std::vector &vec) {\n for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_6(std::vector &vec) {\n for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_7(std::vector &vec) {\n for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); ++it) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_8(std::vector &vec) {\n for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); it++) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_9(std::vector &vec) {\n for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; ++it) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_10(std::vector &vec) {\n for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; it++) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_11(std::vector &vec) {\n for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n}\nvoid loop_variant_12(std::vector &vec) {\n for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) {\n if (should_erase(*it)) {\n vec.erase(it);\n }\n }\n} \nvoid f(std::vector &vec, std::vector &other_vec) {\n for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) {\n if (foo()) {\n vec.push_back(0);\n // Modifying a different container is OK\n other_vec.push_back(0);\n }\n }\n}\n" - : labels: - - source: vec.erase(it) - style: primary - start: 156 - end: 169 - - source: std::vector::iterator it = vec.begin(); - style: secondary - start: 51 - end: 95 - - source: it != vec.end() - style: secondary - start: 96 - end: 111 - - source: ++it - style: secondary - start: 113 - end: 
117 - - source: |- - for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - vec.erase(it); - } - } - style: secondary - start: 47 - end: 180 diff --git a/tests/__snapshots__/string-view-temporary-string-cpp-snapshot.yml b/tests/__snapshots__/string-view-temporary-string-cpp-snapshot.yml deleted file mode 100644 index 3704d557..00000000 --- a/tests/__snapshots__/string-view-temporary-string-cpp-snapshot.yml +++ /dev/null 
@@ -1,326 +0,0 @@ -id: string-view-temporary-string-cpp -snapshots: - ? | - extern std::string returns_std_string(); - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = returns_std_string() + "bar"; - } - : labels: - - source: view = returns_std_string() + "bar"; - style: primary - start: 115 - end: 151 - - source: view - style: secondary - start: 115 - end: 119 - - source: returns_std_string - style: secondary - start: 122 - end: 140 - - source: returns_std_string() + "bar" - style: secondary - start: 122 - end: 150 - - source: view = returns_std_string() + "bar" - style: secondary - start: 115 - end: 150 - - source: std::string - style: secondary - start: 7 - end: 18 - - source: returns_std_string - style: secondary - start: 19 - end: 37 - - source: extern std::string returns_std_string(); - style: secondary - start: 0 - end: 40 - - source: extern std::string returns_std_string(); - style: secondary - start: 0 - end: 40 - - source: std::string_view - style: secondary - start: 91 - end: 107 - - source: view - style: secondary - start: 108 - end: 112 - - source: std::string_view view; - style: secondary - start: 91 - end: 113 - ? 
| - extern std::string returns_std_string(); - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = returns_std_string() + foo; - } - : labels: - - source: view = returns_std_string() + foo; - style: primary - start: 115 - end: 149 - - source: view - style: secondary - start: 115 - end: 119 - - source: returns_std_string - style: secondary - start: 122 - end: 140 - - source: returns_std_string() + foo - style: secondary - start: 122 - end: 148 - - source: view = returns_std_string() + foo - style: secondary - start: 115 - end: 148 - - source: std::string - style: secondary - start: 7 - end: 18 - - source: returns_std_string - style: secondary - start: 19 - end: 37 - - source: extern std::string returns_std_string(); - style: secondary - start: 0 - end: 40 - - source: extern std::string returns_std_string(); - style: secondary - start: 0 - end: 40 - - source: std::string_view - style: secondary - start: 91 - end: 107 - - source: view - style: secondary - start: 108 - end: 112 - - source: std::string_view view; - style: secondary - start: 91 - end: 113 - ? 
| - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = "bar" + foo; - } - : labels: - - source: view = "bar" + foo; - style: primary - start: 74 - end: 93 - - source: view - style: secondary - start: 74 - end: 78 - - source: '"bar"' - style: secondary - start: 81 - end: 86 - - source: foo - style: secondary - start: 89 - end: 92 - - source: '"bar" + foo' - style: secondary - start: 81 - end: 92 - - source: view = "bar" + foo - style: secondary - start: 74 - end: 92 - - source: std::string - style: secondary - start: 24 - end: 35 - - source: foo - style: secondary - start: 36 - end: 39 - - source: std::string foo = "foo"; - style: secondary - start: 24 - end: 48 - - source: std::string_view - style: secondary - start: 50 - end: 66 - - source: view - style: secondary - start: 67 - end: 71 - - source: std::string_view view; - style: secondary - start: 50 - end: 72 - ? | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = foo + "bar"; - } - : labels: - - source: view = foo + "bar"; - style: primary - start: 74 - end: 93 - - source: view - style: secondary - start: 74 - end: 78 - - source: '"bar"' - style: secondary - start: 87 - end: 92 - - source: foo - style: secondary - start: 81 - end: 84 - - source: foo + "bar" - style: secondary - start: 81 - end: 92 - - source: view = foo + "bar" - style: secondary - start: 74 - end: 92 - - source: std::string - style: secondary - start: 24 - end: 35 - - source: foo - style: secondary - start: 36 - end: 39 - - source: std::string foo = "foo"; - style: secondary - start: 24 - end: 48 - - source: std::string_view - style: secondary - start: 50 - end: 66 - - source: view - style: secondary - start: 67 - end: 71 - - source: std::string_view view; - style: secondary - start: 50 - end: 72 - ? 
| - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = foo + "foo" + bar; - } - : labels: - - source: view = foo + "foo" + bar; - style: primary - start: 74 - end: 99 - - source: view - style: secondary - start: 74 - end: 78 - - source: foo - style: secondary - start: 81 - end: 84 - - source: foo + "foo" + bar - style: secondary - start: 81 - end: 98 - - source: view = foo + "foo" + bar - style: secondary - start: 74 - end: 98 - - source: std::string - style: secondary - start: 24 - end: 35 - - source: foo - style: secondary - start: 36 - end: 39 - - source: std::string foo = "foo"; - style: secondary - start: 24 - end: 48 - - source: std::string_view - style: secondary - start: 50 - end: 66 - - source: view - style: secondary - start: 67 - end: 71 - - source: std::string_view view; - style: secondary - start: 50 - end: 72 - ? | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = foo + foo + "bar"; - } - : labels: - - source: view = foo + foo + "bar"; - style: primary - start: 74 - end: 99 - - source: view - style: secondary - start: 74 - end: 78 - - source: foo - style: secondary - start: 81 - end: 84 - - source: foo + foo + "bar" - style: secondary - start: 81 - end: 98 - - source: view = foo + foo + "bar" - style: secondary - start: 74 - end: 98 - - source: std::string - style: secondary - start: 24 - end: 35 - - source: foo - style: secondary - start: 36 - end: 39 - - source: std::string foo = "foo"; - style: secondary - start: 24 - end: 48 - - source: std::string_view - style: secondary - start: 50 - end: 66 - - source: view - style: secondary - start: 67 - end: 71 - - source: std::string_view view; - style: secondary - start: 50 - end: 72 diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml deleted file mode 100644 index 676d8e10..00000000 
--- a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml +++ /dev/null @@ -1,71 +0,0 @@ -id: system-setproperty-hardcoded-secret-java -snapshots: - ? | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - : labels: - - source: password - style: primary - start: 54 - end: 62 - - source: javax.net.ssl.keyStorePassword - style: secondary - start: 20 - end: 50 - - source: '"javax.net.ssl.keyStorePassword"' - style: secondary - start: 19 - end: 51 - - source: System - style: secondary - start: 0 - end: 6 - - source: setProperty - style: secondary - start: 7 - end: 18 - - source: System.setProperty("javax.net.ssl.keyStorePassword", "password") - style: secondary - start: 0 - end: 64 - - source: ("javax.net.ssl.keyStorePassword", "password") - style: secondary - start: 18 - end: 64 - - source: '"password"' - style: secondary - start: 53 - end: 63 - System.setProperty("javax.net.ssl.trustStorePassword", "password");: - labels: - - source: password - style: primary - start: 56 - end: 64 - - source: javax.net.ssl.trustStorePassword - style: secondary - start: 20 - end: 52 - - source: '"javax.net.ssl.trustStorePassword"' - style: secondary - start: 19 - end: 53 - - source: System - style: secondary - start: 0 - end: 6 - - source: setProperty - style: secondary - start: 7 - end: 18 - - source: System.setProperty("javax.net.ssl.trustStorePassword", "password") - style: secondary - start: 0 - end: 66 - - source: ("javax.net.ssl.trustStorePassword", "password") - style: secondary - start: 18 - end: 66 - - source: '"password"' - style: secondary - start: 55 - end: 65 diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml deleted file mode 100644 index ece4b45f..00000000 --- a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: system-setproperty-hardcoded-secret-kotlin -snapshots: - ? | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - System.setProperty("javax.net.ssl.trustStorePassword", "password"); - : labels: - - source: '"password"' - style: primary - start: 53 - end: 63 - - source: System - style: secondary - start: 0 - end: 6 - - source: setProperty - style: secondary - start: 7 - end: 18 - - source: .setProperty - style: secondary - start: 6 - end: 18 - - source: System.setProperty - style: secondary - start: 0 - end: 18 - - source: System.setProperty("javax.net.ssl.keyStorePassword", "password") - style: secondary - start: 0 - end: 64 - - source: ("javax.net.ssl.keyStorePassword", "password") - style: secondary - start: 18 - end: 64 - - source: '"javax.net.ssl.keyStorePassword"' - style: secondary - start: 19 - end: 51 - - source: '"javax.net.ssl.keyStorePassword"' - style: secondary - start: 19 - end: 51 - - source: ("javax.net.ssl.keyStorePassword", "password") - style: secondary - start: 18 - end: 64 - - source: '"password"' - style: secondary - start: 53 - end: 63 diff --git a/tests/__snapshots__/tls-with-insecure-cipher-go-snapshot.yml b/tests/__snapshots__/tls-with-insecure-cipher-go-snapshot.yml deleted file mode 100644 index 25ce56d9..00000000 --- a/tests/__snapshots__/tls-with-insecure-cipher-go-snapshot.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -id: tls-with-insecure-cipher-go -snapshots: - ? | - tr := &http.Transport{ - TLSClientConfig: &tls.Config{CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }}, - } - : labels: - - source: |- - tls.Config{CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }} - style: primary - start: 41 - end: 151 - - source: tls.Config - style: secondary - start: 41 - end: 51 - - source: CipherSuites - style: secondary - start: 52 - end: 64 - - source: CipherSuites - style: secondary - start: 52 - end: 64 - - source: tls - style: secondary - start: 78 - end: 81 - - source: TLS_RSA_WITH_RC4_128_SHA - style: secondary - start: 82 - end: 106 - - source: tls.TLS_RSA_WITH_RC4_128_SHA - style: secondary - start: 78 - end: 106 - - source: tls.TLS_RSA_WITH_RC4_128_SHA - style: secondary - start: 78 - end: 106 - - source: |- - { - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - } - style: secondary - start: 74 - end: 150 - - source: |- - []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - } - style: secondary - start: 66 - end: 150 - - source: |- - []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - } - style: secondary - start: 66 - end: 150 - - source: |- - CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - } - style: secondary - start: 52 - end: 150 - - source: |- - {CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }} - style: secondary - start: 51 - end: 151 diff --git a/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml b/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml deleted file mode 100644 index 199a0f9e..00000000 --- a/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: tokio-postgres-empty-password-rust -snapshots: - ? |- - async fn okTest2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - - Ok(()) - } - : labels: - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("") - style: primary - start: 79 - end: 184 - - source: tokio_postgres::Config::new - style: secondary - start: 79 - end: 106 - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password - style: secondary - start: 79 - end: 180 - - source: '""' - style: secondary - start: 181 - end: 183 - - source: ("") - style: secondary - start: 180 - end: 184 diff --git a/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml b/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml deleted file mode 100644 index 211d2a32..00000000 --- a/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -id: tokio-postgres-hardcoded-password-rust -snapshots: - ? |- - async fn okTest2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("myPassword") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - - Ok(()) - } - : labels: - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("myPassword") - style: primary - start: 79 - end: 194 - - source: tokio_postgres::Config::new - style: secondary - start: 79 - end: 106 - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password - style: secondary - start: 79 - end: 180 - - source: myPassword - style: secondary - start: 182 - end: 192 - - source: '"myPassword"' - style: secondary - start: 181 - end: 193 - - source: ("myPassword") - style: secondary - start: 180 - end: 194 diff --git a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml deleted file mode 100644 index e0becd2b..00000000 --- a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -id: unencrypted-socket-java -snapshots: - ? | - ServerSocket ssoc = new ServerSocket(1234); - : labels: - - source: new ServerSocket(1234) - style: primary - start: 20 - end: 42 - ? | - ServerSocket ssoc1 = new ServerSocket(); - : labels: - - source: new ServerSocket() - style: primary - start: 21 - end: 39 - ? | - ServerSocket ssoc2 = new ServerSocket(1234, 10); - : labels: - - source: new ServerSocket(1234, 10) - style: primary - start: 21 - end: 47 - ? | - ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address)); - : labels: - - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address)) - style: primary - start: 21 - end: 82 - ? | - Socket soc = new Socket("www.google.com", 80); - : labels: - - source: new Socket("www.google.com", 80) - style: primary - start: 13 - end: 45 - ? | - Socket soc1 = new Socket("www.google.com", 80, true); - : labels: - - source: new Socket("www.google.com", 80, true) - style: primary - start: 14 - end: 52 - ? | - Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337); - : labels: - - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337) - style: primary - start: 14 - end: 88 - ? | - Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80); - : labels: - - source: new Socket(InetAddress.getByAddress(remoteAddress), 80) - style: primary - start: 14 - end: 69 diff --git a/tests/__snapshots__/use-ecb-mode-csharp-snapshot.yml b/tests/__snapshots__/use-ecb-mode-csharp-snapshot.yml deleted file mode 100644 index 92b97d4b..00000000 --- a/tests/__snapshots__/use-ecb-mode-csharp-snapshot.yml +++ /dev/null 
@@ -1,405 +0,0 @@ -id: use-ecb-mode-csharp -snapshots: - ? | - Aes key = Aes.Create(); - TripleDES key = TripleDES.Create(); - var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7); - : labels: - - source: key.DecryptEcb(cipherText, PaddingMode.PKCS7) - style: primary - start: 74 - end: 119 - - source: key - style: secondary - start: 74 - end: 77 - - source: DecryptEcb - style: secondary - start: 78 - end: 88 - - source: key.DecryptEcb - style: secondary - start: 74 - end: 88 - - source: (cipherText, PaddingMode.PKCS7) - style: secondary - start: 88 - end: 119 - - source: TripleDES - style: secondary - start: 24 - end: 33 - - source: key - style: secondary - start: 34 - end: 37 - - source: key = TripleDES.Create() - style: secondary - start: 34 - end: 58 - - source: TripleDES key = TripleDES.Create() - style: secondary - start: 24 - end: 58 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 24 - end: 59 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 24 - end: 59 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 24 - end: 59 - ? 
| - Aes key = Aes.Create(); - byte[] msg = new byte[32]; - var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7); - : labels: - - source: key.EncryptEcb(msg, PaddingMode.PKCS7) - style: primary - start: 68 - end: 106 - - source: key - style: secondary - start: 68 - end: 71 - - source: EncryptEcb - style: secondary - start: 72 - end: 82 - - source: key.EncryptEcb - style: secondary - start: 68 - end: 82 - - source: (msg, PaddingMode.PKCS7) - style: secondary - start: 82 - end: 106 - - source: Aes - style: secondary - start: 0 - end: 3 - - source: key - style: secondary - start: 4 - end: 7 - - source: key = Aes.Create() - style: secondary - start: 4 - end: 22 - - source: Aes key = Aes.Create() - style: secondary - start: 0 - end: 22 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - ? | - Aes key = Aes.Create(); - key.Mode = CipherMode.ECB; - : labels: - - source: key.Mode = CipherMode.ECB; - style: primary - start: 24 - end: 50 - - source: key - style: secondary - start: 24 - end: 27 - - source: Mode - style: secondary - start: 28 - end: 32 - - source: key.Mode - style: secondary - start: 24 - end: 32 - - source: CipherMode - style: secondary - start: 35 - end: 45 - - source: ECB - style: secondary - start: 46 - end: 49 - - source: CipherMode.ECB - style: secondary - start: 35 - end: 49 - - source: key.Mode = CipherMode.ECB - style: secondary - start: 24 - end: 49 - - source: Aes - style: secondary - start: 0 - end: 3 - - source: key - style: secondary - start: 4 - end: 7 - - source: key = Aes.Create() - style: secondary - start: 4 - end: 22 - - source: Aes key = Aes.Create() - style: secondary - start: 0 - end: 22 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - - source: Aes key = 
Aes.Create(); - style: secondary - start: 0 - end: 23 - ? | - Aes key = Aes.Create(); - var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7); - : labels: - - source: key.DecryptEcb(cipherText, PaddingMode.PKCS7) - style: primary - start: 38 - end: 83 - - source: key - style: secondary - start: 38 - end: 41 - - source: DecryptEcb - style: secondary - start: 42 - end: 52 - - source: key.DecryptEcb - style: secondary - start: 38 - end: 52 - - source: (cipherText, PaddingMode.PKCS7) - style: secondary - start: 52 - end: 83 - - source: Aes - style: secondary - start: 0 - end: 3 - - source: key - style: secondary - start: 4 - end: 7 - - source: key = Aes.Create() - style: secondary - start: 4 - end: 22 - - source: Aes key = Aes.Create() - style: secondary - start: 0 - end: 22 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - - source: Aes key = Aes.Create(); - style: secondary - start: 0 - end: 23 - ? 
| - TripleDES key = TripleDES.Create(); - byte[] msg = new byte[32]; - var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7); - : labels: - - source: key.EncryptEcb(msg, PaddingMode.PKCS7) - style: primary - start: 80 - end: 118 - - source: key - style: secondary - start: 80 - end: 83 - - source: EncryptEcb - style: secondary - start: 84 - end: 94 - - source: key.EncryptEcb - style: secondary - start: 80 - end: 94 - - source: (msg, PaddingMode.PKCS7) - style: secondary - start: 94 - end: 118 - - source: TripleDES - style: secondary - start: 0 - end: 9 - - source: key - style: secondary - start: 10 - end: 13 - - source: key = TripleDES.Create() - style: secondary - start: 10 - end: 34 - - source: TripleDES key = TripleDES.Create() - style: secondary - start: 0 - end: 34 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - ? 
| - TripleDES key = TripleDES.Create(); - key.Mode = CipherMode.ECB - : labels: - - source: key.Mode = CipherMode.ECB - style: primary - start: 36 - end: 61 - - source: key - style: secondary - start: 36 - end: 39 - - source: Mode - style: secondary - start: 40 - end: 44 - - source: key.Mode - style: secondary - start: 36 - end: 44 - - source: CipherMode - style: secondary - start: 47 - end: 57 - - source: ECB - style: secondary - start: 58 - end: 61 - - source: CipherMode.ECB - style: secondary - start: 47 - end: 61 - - source: key.Mode = CipherMode.ECB - style: secondary - start: 36 - end: 61 - - source: TripleDES - style: secondary - start: 0 - end: 9 - - source: key - style: secondary - start: 10 - end: 13 - - source: key = TripleDES.Create() - style: secondary - start: 10 - end: 34 - - source: TripleDES key = TripleDES.Create() - style: secondary - start: 0 - end: 34 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - ? 
| - TripleDES key = TripleDES.Create(); - key.Mode = CipherMode.ECB; - : labels: - - source: key.Mode = CipherMode.ECB; - style: primary - start: 36 - end: 62 - - source: key - style: secondary - start: 36 - end: 39 - - source: Mode - style: secondary - start: 40 - end: 44 - - source: key.Mode - style: secondary - start: 36 - end: 44 - - source: CipherMode - style: secondary - start: 47 - end: 57 - - source: ECB - style: secondary - start: 58 - end: 61 - - source: CipherMode.ECB - style: secondary - start: 47 - end: 61 - - source: key.Mode = CipherMode.ECB - style: secondary - start: 36 - end: 61 - - source: TripleDES - style: secondary - start: 0 - end: 9 - - source: key - style: secondary - start: 10 - end: 13 - - source: key = TripleDES.Create() - style: secondary - start: 10 - end: 34 - - source: TripleDES key = TripleDES.Create() - style: secondary - start: 0 - end: 34 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 - - source: TripleDES key = TripleDES.Create(); - style: secondary - start: 0 - end: 35 diff --git a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml deleted file mode 100644 index bf97a176..00000000 --- a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -id: use-of-aes-ecb-java -snapshots: - ? | - Cipher.getInstance("AES/ECB") - : labels: - - source: Cipher.getInstance("AES/ECB") - style: primary - start: 0 - end: 29 - - source: getInstance - style: secondary - start: 7 - end: 18 - - source: AES/ECB - style: secondary - start: 20 - end: 27 - - source: '"AES/ECB"' - style: secondary - start: 19 - end: 28 - - source: ("AES/ECB") - style: secondary - start: 18 - end: 29 - ? | - Cipher.getInstance("AES/ECB/ISO10126Padding") - : labels: - - source: Cipher.getInstance("AES/ECB/ISO10126Padding") - style: primary - start: 0 - end: 45 - - source: getInstance - style: secondary - start: 7 - end: 18 - - source: AES/ECB/ISO10126Padding - style: secondary - start: 20 - end: 43 - - source: '"AES/ECB/ISO10126Padding"' - style: secondary - start: 19 - end: 44 - - source: ("AES/ECB/ISO10126Padding") - style: secondary - start: 18 - end: 45 - ? | - Cipher.getInstance("AES/ECB/NoPadding") - : labels: - - source: Cipher.getInstance("AES/ECB/NoPadding") - style: primary - start: 0 - end: 39 - - source: getInstance - style: secondary - start: 7 - end: 18 - - source: AES/ECB/NoPadding - style: secondary - start: 20 - end: 37 - - source: '"AES/ECB/NoPadding"' - style: secondary - start: 19 - end: 38 - - source: ("AES/ECB/NoPadding") - style: secondary - start: 18 - end: 39 - ? | - Cipher.getInstance("AES/ECB/PKCS5Padding") - : labels: - - source: Cipher.getInstance("AES/ECB/PKCS5Padding") - style: primary - start: 0 - end: 42 - - source: getInstance - style: secondary - start: 7 - end: 18 - - source: AES/ECB/PKCS5Padding - style: secondary - start: 20 - end: 40 - - source: '"AES/ECB/PKCS5Padding"' - style: secondary - start: 19 - end: 41 - - source: ("AES/ECB/PKCS5Padding") - style: secondary - start: 18 - end: 42 - ? 
| - Cipher.getInstance("AES/ECB/PKCS7Padding") - : labels: - - source: Cipher.getInstance("AES/ECB/PKCS7Padding") - style: primary - start: 0 - end: 42 - - source: getInstance - style: secondary - start: 7 - end: 18 - - source: AES/ECB/PKCS7Padding - style: secondary - start: 20 - end: 40 - - source: '"AES/ECB/PKCS7Padding"' - style: secondary - start: 19 - end: 41 - - source: ("AES/ECB/PKCS7Padding") - style: secondary - start: 18 - end: 42 diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml deleted file mode 100644 index 4b759223..00000000 --- a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml +++ /dev/null @@ -1,52 +0,0 @@ -id: use-of-blowfish-java -snapshots: - ? |- - public void useofBlowfish2() { - Cipher.getInstance("Blowfish"); - } - : labels: - - source: Cipher.getInstance("Blowfish") - style: primary - start: 31 - end: 61 - - source: getInstance - style: secondary - start: 38 - end: 49 - - source: Blowfish - style: secondary - start: 51 - end: 59 - - source: '"Blowfish"' - style: secondary - start: 50 - end: 60 - - source: ("Blowfish") - style: secondary - start: 49 - end: 61 - ? | - public void useofBlowfish2() { - useCipher(Cipher.getInstance("Blowfish")); - } - : labels: - - source: Cipher.getInstance("Blowfish") - style: primary - start: 41 - end: 71 - - source: getInstance - style: secondary - start: 48 - end: 59 - - source: Blowfish - style: secondary - start: 61 - end: 69 - - source: '"Blowfish"' - style: secondary - start: 60 - end: 70 - - source: ("Blowfish") - style: secondary - start: 59 - end: 71 diff --git a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml b/tests/__snapshots__/use-of-default-aes-java-snapshot.yml deleted file mode 100644 index f50c332c..00000000 --- a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -id: use-of-default-aes-java -snapshots: - ? | - import javax.*; - { - crypto.Cipher.getInstance("AES"); - } - : labels: - - source: crypto.Cipher.getInstance("AES") - style: primary - start: 18 - end: 50 - - source: crypto.Cipher - style: secondary - start: 18 - end: 31 - - source: getInstance - style: secondary - start: 32 - end: 43 - - source: '"AES"' - style: secondary - start: 44 - end: 49 - - source: ("AES") - style: secondary - start: 43 - end: 50 - - source: import javax.*; - style: secondary - start: 0 - end: 15 - - source: import javax.*; - style: secondary - start: 0 - end: 15 - - source: AES - style: secondary - start: 45 - end: 48 - ? |- - import javax.crypto.*; - { - useCipher(Cipher.getInstance("AES")); - } - : labels: - - source: Cipher.getInstance("AES") - style: primary - start: 35 - end: 60 - - source: Cipher - style: secondary - start: 35 - end: 41 - - source: getInstance - style: secondary - start: 42 - end: 53 - - source: '"AES"' - style: secondary - start: 54 - end: 59 - - source: ("AES") - style: secondary - start: 53 - end: 60 - - source: import javax.crypto.*; - style: secondary - start: 0 - end: 22 - - source: import javax.crypto.*; - style: secondary - start: 0 - end: 22 - - source: AES - style: secondary - start: 55 - end: 58 diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml deleted file mode 100644 index 2e74b70e..00000000 --- a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: use-of-md5-digest-utils-java -snapshots: - ? | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); - : labels: - - source: getMd5Digest - style: primary - start: 31 - end: 43 - - source: digest - style: secondary - start: 46 - end: 52 - - source: (password.getBytes()) - style: secondary - start: 52 - end: 73 - - source: DigestUtils.getMd5Digest().digest(password.getBytes()) - style: secondary - start: 19 - end: 73 - - source: DigestUtils.getMd5Digest() - style: secondary - start: 19 - end: 45 - - source: () - style: secondary - start: 43 - end: 45 diff --git a/tests/__snapshots__/use-of-md5-java-snapshot.yml b/tests/__snapshots__/use-of-md5-java-snapshot.yml deleted file mode 100644 index ee1d6ef8..00000000 --- a/tests/__snapshots__/use-of-md5-java-snapshot.yml +++ /dev/null @@ -1,51 +0,0 @@ -id: use-of-md5-java -snapshots: - ? | - import java.security.MessageDigest; - - public class Bad{ - public byte[] bad1(String password) { - MessageDigest md5Digest = MessageDigest.getInstance("MD5"); - } - } - : labels: - - source: '"MD5"' - style: primary - start: 151 - end: 156 - - source: MessageDigest - style: secondary - start: 125 - end: 138 - - source: getInstance - style: secondary - start: 139 - end: 150 - - source: '"MD5"' - style: secondary - start: 151 - end: 156 - - source: ("MD5") - style: secondary - start: 150 - end: 157 - - source: import java.security.MessageDigest; - style: secondary - start: 0 - end: 35 - - source: import java.security.MessageDigest; - style: secondary - start: 0 - end: 35 - - source: md5Digest = MessageDigest.getInstance("MD5") - style: secondary - start: 113 - end: 157 - - source: MessageDigest.getInstance("MD5") - style: secondary - start: 125 - end: 157 - - source: MD5 - style: secondary - start: 152 - end: 155 diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml deleted file mode 100644 index c8361e71..00000000 
--- a/tests/__snapshots__/use-of-rc2-java-snapshot.yml +++ /dev/null 
@@ -1,168 +0,0 @@ -id: use-of-rc2-java -snapshots: - ? | - public void testRC2InMap() { - Map cipherMap = new HashMap<>(); - cipherMap.put("RC2", Cipher.getInstance("RC2")); - } - : labels: - - source: Cipher.getInstance("RC2") - style: primary - start: 99 - end: 124 - - source: Cipher - style: secondary - start: 99 - end: 105 - - source: getInstance - style: secondary - start: 106 - end: 117 - - source: RC2 - style: secondary - start: 119 - end: 122 - - source: ("RC2") - style: secondary - start: 117 - end: 124 - ? |- - public void testRC2InSwitch() { - String algorithm = "RC2"; - switch (algorithm) { - case "RC2": - try { - Cipher.getInstance(algorithm); - } catch (Exception e) { - e.printStackTrace(); - } - break; - } - } - : labels: - - source: Cipher.getInstance(algorithm) - style: primary - start: 109 - end: 138 - - source: Cipher - style: secondary - start: 109 - end: 115 - - source: getInstance - style: secondary - start: 116 - end: 127 - - source: algorithm - style: secondary - start: 128 - end: 137 - - source: (algorithm) - style: secondary - start: 127 - end: 138 - - source: algorithm - style: secondary - start: 39 - end: 48 - - source: RC2 - style: secondary - start: 52 - end: 55 - - source: '"RC2"' - style: secondary - start: 51 - end: 56 - - source: algorithm = "RC2" - style: secondary - start: 39 - end: 56 - - source: String algorithm = "RC2"; - style: secondary - start: 32 - end: 57 - - source: String algorithm = "RC2"; - style: secondary - start: 32 - end: 57 - ? 
| - public void testRC2InSwitch() { - String algorithm = "RC2"; - switch (algorithm) { - case "RC2": - try { - Cipher.getInstance(algorithm); - } catch (Exception e) { - e.printStackTrace(); - } - break; - } - } - : labels: - - source: Cipher.getInstance(algorithm) - style: primary - start: 109 - end: 138 - - source: Cipher - style: secondary - start: 109 - end: 115 - - source: getInstance - style: secondary - start: 116 - end: 127 - - source: algorithm - style: secondary - start: 128 - end: 137 - - source: (algorithm) - style: secondary - start: 127 - end: 138 - - source: algorithm - style: secondary - start: 39 - end: 48 - - source: RC2 - style: secondary - start: 52 - end: 55 - - source: '"RC2"' - style: secondary - start: 51 - end: 56 - - source: algorithm = "RC2" - style: secondary - start: 39 - end: 56 - - source: String algorithm = "RC2"; - style: secondary - start: 32 - end: 57 - - source: String algorithm = "RC2"; - style: secondary - start: 32 - end: 57 - ? | - useCipher(Cipher.getInstance("RC2")); - Cipher.getInstance("RC2"); - : labels: - - source: Cipher.getInstance("RC2") - style: primary - start: 10 - end: 35 - - source: Cipher - style: secondary - start: 10 - end: 16 - - source: getInstance - style: secondary - start: 17 - end: 28 - - source: RC2 - style: secondary - start: 30 - end: 33 - - source: ("RC2") - style: secondary - start: 28 - end: 35 diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml deleted file mode 100644 index 7aa25950..00000000 --- a/tests/__snapshots__/use-of-rc4-java-snapshot.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -id: use-of-rc4-java -snapshots: - ? | - Cipher.getInstance("RC4"); - : labels: - - source: Cipher.getInstance("RC4") - style: primary - start: 0 - end: 25 - - source: RC4 - style: secondary - start: 20 - end: 23 - ? | - useCipher(Cipher.getInstance("RC4")); - : labels: - - source: Cipher.getInstance("RC4") - style: primary - start: 10 - end: 35 - - source: RC4 - style: secondary - start: 30 - end: 33 diff --git a/tests/__snapshots__/use-of-sha1-java-snapshot.yml b/tests/__snapshots__/use-of-sha1-java-snapshot.yml deleted file mode 100644 index 994f88ec..00000000 --- a/tests/__snapshots__/use-of-sha1-java-snapshot.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -id: use-of-sha1-java -snapshots: - ? |- - import java.security.MessageDigest; - public byte[] bad1(String password) { - MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1"); - sha1Digest.update(password.getBytes()); - byte[] hashValue = sha1Digest.digest(); - return hashValue; - } - : labels: - - source: MessageDigest.getInstance("SHA-1") - style: primary - start: 101 - end: 135 - - source: MessageDigest - style: secondary - start: 101 - end: 114 - - source: getInstance - style: secondary - start: 115 - end: 126 - - source: SHA-1 - style: secondary - start: 128 - end: 133 - - source: '"SHA-1"' - style: secondary - start: 127 - end: 134 - - source: ("SHA-1") - style: secondary - start: 126 - end: 135 - - source: import java.security.MessageDigest; - style: secondary - start: 0 - end: 35 - - source: import java.security.MessageDigest; - style: secondary - start: 0 - end: 35 - ? | - public byte[] bad2(String password) { - byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes()); - return hashValue; - } - : labels: - - source: DigestUtils.getSha1Digest().digest(password.getBytes()) - style: primary - start: 57 - end: 112 - ? | - public void bad3() { - java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN"); - } - : labels: - - source: java.security.MessageDigest.getInstance("SHA1", "SUN") - style: primary - start: 54 - end: 108 - - source: java.security.MessageDigest - style: secondary - start: 54 - end: 81 - - source: getInstance - style: secondary - start: 82 - end: 93 - - source: SHA1 - style: secondary - start: 95 - end: 99 - - source: '"SHA1"' - style: secondary - start: 94 - end: 100 - - source: ("SHA1", "SUN") - style: secondary - start: 93 - end: 108 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml deleted file mode 100644 index 761098a7..00000000 
--- a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -id: use-of-weak-rsa-key-go -snapshots: - ? | - pvk, err := rsa.GenerateKey(rand.Reader, -1929) - : labels: - - source: '-1929' - style: primary - start: 41 - end: 46 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: '-1929' - style: secondary - start: 41 - end: 46 - - source: (rand.Reader, -1929) - style: secondary - start: 27 - end: 47 - - source: rsa.GenerateKey(rand.Reader, -1929) - style: secondary - start: 12 - end: 47 - - source: (rand.Reader, -1929) - style: secondary - start: 27 - end: 47 - ? | - pvk, err := rsa.GenerateKey(rand.Reader, 102.5) - : labels: - - source: '102.5' - style: primary - start: 41 - end: 46 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: '102.5' - style: secondary - start: 41 - end: 46 - - source: (rand.Reader, 102.5) - style: secondary - start: 27 - end: 47 - - source: rsa.GenerateKey(rand.Reader, 102.5) - style: secondary - start: 12 - end: 47 - - source: (rand.Reader, 102.5) - style: secondary - start: 27 - end: 47 - ? 
| - pvk, err := rsa.GenerateKey(rand.Reader, 1025) - : labels: - - source: '1025' - style: primary - start: 41 - end: 45 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: '1025' - style: secondary - start: 41 - end: 45 - - source: (rand.Reader, 1025) - style: secondary - start: 27 - end: 46 - - source: rsa.GenerateKey(rand.Reader, 1025) - style: secondary - start: 12 - end: 46 - - source: (rand.Reader, 1025) - style: secondary - start: 27 - end: 46 - pvk, err := rsa.GenerateKey(rand.Reader, 192): - labels: - - source: '192' - style: primary - start: 41 - end: 44 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: '192' - style: secondary - start: 41 - end: 44 - - source: (rand.Reader, 192) - style: secondary - start: 27 - end: 45 - - source: rsa.GenerateKey(rand.Reader, 192) - style: secondary - start: 12 - end: 45 - - source: (rand.Reader, 192) - style: secondary - start: 27 - end: 45 diff --git a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml deleted file mode 100644 index 1974fd36..00000000 --- a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml +++ /dev/null 
@@ -1,157 +0,0 @@ -id: weak-ssl-context-java -snapshots: - ? | - SSLContext ctx = SSLContext.getInstance("SSL"); - : labels: - - source: SSLContext.getInstance("SSL") - style: primary - start: 17 - end: 46 - - source: SSLContext - style: secondary - start: 17 - end: 27 - - source: getInstance - style: secondary - start: 28 - end: 39 - - source: SSL - style: secondary - start: 41 - end: 44 - - source: SSL - style: secondary - start: 41 - end: 44 - - source: '"SSL"' - style: secondary - start: 40 - end: 45 - - source: ("SSL") - style: secondary - start: 39 - end: 46 - ? | - SSLContext ctx = SSLContext.getInstance("SSLv3"); - : labels: - - source: SSLContext.getInstance("SSLv3") - style: primary - start: 17 - end: 48 - - source: SSLContext - style: secondary - start: 17 - end: 27 - - source: getInstance - style: secondary - start: 28 - end: 39 - - source: SSLv3 - style: secondary - start: 41 - end: 46 - - source: SSLv3 - style: secondary - start: 41 - end: 46 - - source: '"SSLv3"' - style: secondary - start: 40 - end: 47 - - source: ("SSLv3") - style: secondary - start: 39 - end: 48 - ? | - SSLContext ctx = SSLContext.getInstance("TLS"); - : labels: - - source: SSLContext.getInstance("TLS") - style: primary - start: 17 - end: 46 - - source: SSLContext - style: secondary - start: 17 - end: 27 - - source: getInstance - style: secondary - start: 28 - end: 39 - - source: TLS - style: secondary - start: 41 - end: 44 - - source: TLS - style: secondary - start: 41 - end: 44 - - source: '"TLS"' - style: secondary - start: 40 - end: 45 - - source: ("TLS") - style: secondary - start: 39 - end: 46 - ? 
| - SSLContext ctx = SSLContext.getInstance("TLSv1"); - : labels: - - source: SSLContext.getInstance("TLSv1") - style: primary - start: 17 - end: 48 - - source: SSLContext - style: secondary - start: 17 - end: 27 - - source: getInstance - style: secondary - start: 28 - end: 39 - - source: TLSv1 - style: secondary - start: 41 - end: 46 - - source: TLSv1 - style: secondary - start: 41 - end: 46 - - source: '"TLSv1"' - style: secondary - start: 40 - end: 47 - - source: ("TLSv1") - style: secondary - start: 39 - end: 48 - ? | - SSLContext ctx = SSLContext.getInstance("TLSv1.1"); - : labels: - - source: SSLContext.getInstance("TLSv1.1") - style: primary - start: 17 - end: 50 - - source: SSLContext - style: secondary - start: 17 - end: 27 - - source: getInstance - style: secondary - start: 28 - end: 39 - - source: TLSv1.1 - style: secondary - start: 41 - end: 48 - - source: TLSv1.1 - style: secondary - start: 41 - end: 48 - - source: '"TLSv1.1"' - style: secondary - start: 40 - end: 49 - - source: ("TLSv1.1") - style: secondary - start: 39 - end: 50 diff --git a/tests/__snapshots__/world-writable-file-c-snapshot.yml b/tests/__snapshots__/world-writable-file-c-snapshot.yml deleted file mode 100644 index 10da9622..00000000 --- a/tests/__snapshots__/world-writable-file-c-snapshot.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -id: world-writable-file-c -snapshots: - ? | - void test_octal_bad() { - mode_t mode = 0666; - chmod("/tmp/foo", mode); - int fd = open_log(); - fchmod(fd, mode); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", mode, AT_SYMLINK_NOFOLLOW); - open("log", O_CREAT, mode); - openat(fd, "log", O_CREAT, mode); - creat("log", mode); - } - : labels: - - source: mode - style: primary - start: 66 - end: 70 - - source: mode - style: secondary - start: 33 - end: 37 - - source: '0666' - style: secondary - start: 40 - end: 44 - - source: mode = 0666 - style: secondary - start: 33 - end: 44 - - source: mode_t mode = 0666; - style: secondary - start: 26 - end: 45 - - source: mode_t mode = 0666; - style: secondary - start: 26 - end: 45 - - source: chmod("/tmp/foo", mode) - style: secondary - start: 48 - end: 71 - - source: chmod - style: secondary - start: 48 - end: 53 - - source: ("/tmp/foo", mode) - style: secondary - start: 53 - end: 71 - ? | - void test_symbol_direct_bad() { - chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH); - int fd = open_log(); - fchmod(fd, S_IROTH | S_IWOTH | S_IRUSR | S_IWUSR); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", S_IWOTH); - open("log", O_CREAT, S_IWUSR | S_IWOTH); - openat(fd, "log", O_CREAT, S_IWOTH | S_IUSR | S_IGRP); - creat("log", S_IWOTH); - } - : labels: - - source: S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH - style: primary - start: 52 - end: 109 - - source: chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) - style: secondary - start: 34 - end: 110 - - source: chmod - style: secondary - start: 34 - end: 39 - - source: ("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) - style: secondary - start: 39 - end: 110 diff --git a/tests/__snapshots__/world-writable-file-cpp-snapshot.yml b/tests/__snapshots__/world-writable-file-cpp-snapshot.yml deleted file mode 100644 index 54f1344e..00000000 
--- a/tests/__snapshots__/world-writable-file-cpp-snapshot.yml +++ /dev/null @@ -1,79 +0,0 @@ -id: world-writable-file-cpp -snapshots: - ? | - void test_octal_bad() { - mode_t mode = 0666; - chmod("/tmp/foo", mode); - int fd = open_log(); - fchmod(fd, mode); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", mode, AT_SYMLINK_NOFOLLOW); - open("log", O_CREAT, mode); - openat(fd, "log", O_CREAT, mode); - creat("log", mode); - } - : labels: - - source: mode - style: primary - start: 66 - end: 70 - - source: mode - style: secondary - start: 33 - end: 37 - - source: '0666' - style: secondary - start: 40 - end: 44 - - source: mode = 0666 - style: secondary - start: 33 - end: 44 - - source: mode_t mode = 0666; - style: secondary - start: 26 - end: 45 - - source: mode_t mode = 0666; - style: secondary - start: 26 - end: 45 - - source: chmod("/tmp/foo", mode) - style: secondary - start: 48 - end: 71 - - source: chmod - style: secondary - start: 48 - end: 53 - - source: ("/tmp/foo", mode) - style: secondary - start: 53 - end: 71 - ? | - void test_symbol_direct_bad() { - chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH); - int fd = open_log(); - fchmod(fd, S_IROTH | S_IWOTH | S_IRUSR | S_IWUSR); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", S_IWOTH); - open("log", O_CREAT, S_IWUSR | S_IWOTH); - openat(fd, "log", O_CREAT, S_IWOTH | S_IUSR | S_IGRP); - creat("log", S_IWOTH); - } - : labels: - - source: S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH - style: primary - start: 52 - end: 109 - - source: chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) - style: secondary - start: 34 - end: 110 - - source: chmod - style: secondary - start: 34 - end: 39 - - source: ("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) - style: secondary - start: 39 - end: 110 
diff --git a/tests/c/dont-call-system-c-test.yml b/tests/c/dont-call-system-c-test.yml
deleted file mode 100644
index 3d482dfc..00000000
--- a/tests/c/dont-call-system-c-test.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: dont-call-system-c
-valid:
- - |
- void test_003(const char *input)
- {
- storer->store_binary(Clocks->system());
- }
-invalid:
- - |
- void test_002(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- system(cmdbuf);
- }
- void test_001(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- if (len_wanted >= BUFFERSIZE)
- {
- /* Handle error */
- }
- else if (len_wanted < 0)
- {
- /* Handle error */
- }
- else if (system(cmdbuf) == -1)
- {
- /* Handle error */
- }
- }
diff --git a/tests/c/file-access-before-action-c-test.yml b/tests/c/file-access-before-action-c-test.yml
deleted file mode 100644
index b705bf0f..00000000
--- a/tests/c/file-access-before-action-c-test.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: file-access-before-action-c
-valid:
- - |
-
-invalid:
- - |
- {
- const char *original_key = "path/to/file/filename";
- const char *mirror_key = "path/to/another/file/filename";
-
- if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){
- copy_file("/bin/cp %s %s", original_key, mirror_key);
- unlink(original_key);
- }
-
- void test_002(){
- const char *original_key = "path/to/file/filename";
-
- if (access(original_key, W_OK) == 0){
- File *fp = fopen(original_key, "wb");
- }
- }
- }
diff --git a/tests/c/file-stat-before-action-c-test.yml b/tests/c/file-stat-before-action-c-test.yml
deleted file mode 100644
index a808cde4..00000000
--- a/tests/c/file-stat-before-action-c-test.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-id: file-stat-before-action-c
-valid:
- - |
-
-invalid:
- - |
- if (stat(file.c_str(), &buf) == 0){
- // Open the file for reading
- fp = fopen(file.c_str(), "r");
- if (fp == NULL){
- char message[2560];
- sprintf(message, "File '%s' Cound Not be Opened", file.c_str());
- // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" );
- throw message;
- }
-
- // Read the file
- MvString s, ss;
- while (fgets(data, sizeof(data), fp) != (char *)0){
- s = data;
- s.trimBoth();
- if (s.compare(0, 5, "GROUP") == 0){
- // size_t t = s.find_last_of( ":" );
- size_t t = s.find(":");
-
- if (t != string::npos){
- ss = s.substr(t + 1).c_str();
- ss.trimBoth();
- ss = ss.substr(1, ss.length() - 3).c_str();
- group_list.push_back(ss);
- }
- }
- }
-
- // Close the file
- fclose(fp);
- }
diff --git a/tests/c/insecure-hash-c-test.yml b/tests/c/insecure-hash-c-test.yml
deleted file mode 100644
index aecf1786..00000000
--- a/tests/c/insecure-hash-c-test.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: insecure-hash-c
-valid:
- - |
- MD5Final(digest,ctx);
-invalid:
- - |
- EVP_MD_fetch(NULL, "MD2", NULL);
- - |
- EVP_get_digestbyname("MD2");
- - |
- EVP_MD_fetch(NULL, "MD4", NULL);
- - |
- EVP_get_digestbyname("MD4");
- - |
- EVP_MD_fetch(NULL, "MD5", NULL);
- - |
- EVP_get_digestbyname("MD5");
- - |
- MD2_Init(ctx);
- - |
- MD5_Init(ctx);
- - |
- MD2_Update(ctx, data, size);
- - |
- gcry_md_open(handle, GCRY_MD_MD2, 0);
- - |
- gcry_md_extract(handle, GCRY_MD_SHA1, output);
- - |
- gcry_md_hash_buffer(GCRY_MD_MD4, data, size);
diff --git a/tests/c/libxml2-audit-parser-c-test.yml b/tests/c/libxml2-audit-parser-c-test.yml
deleted file mode 100644
index 4ed1eeee..00000000
--- a/tests/c/libxml2-audit-parser-c-test.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: libxml2-audit-parser-c
-valid:
- - |
- xmlCtxtReadMemory();
-invalid:
- - |
- xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
- (int)xml_filtered.length(), 0, &pNewNode);
- - |
- xmlReadDoc((xmlChar *)ptr, "", NULL, 0);
- - |
- xmlReadFd(f, NULL, NULL, XML_PARSE_NOBLANKS);
- - |
- doc = xmlReadFile(xmlFilename.c_str(), NULL, 0);
- - |
- xmlDocPtr xml = xmlReadIO(readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options);
- - |
- mPimpl->mXmlDocPtr = xmlCtxtReadDoc(context, reinterpret_cast(input.c_str()), "/", nullptr, 0);
- - |
- xmlDocPtr doc = xmlCtxtReadFd(ctx_, fd, url_, encoding_, options_);
- load(doc, node);
- - |
- doc = xmlCtxtReadMemory(ctxt, (char *)string, len, NULL, NULL, 0);
- - |
- xmlDocPtr const pDoc = xmlCtxtReadIO(pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0);
diff --git a/tests/c/null-library-function-c-test.yml b/tests/c/null-library-function-c-test.yml
deleted file mode 100644
index d5fbbf3a..00000000
--- a/tests/c/null-library-function-c-test.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: null-library-function-c
-valid:
- - |
- errno = 0;
- fwrite(data, len, 1, f);
- if (errno) {
- ERRS("unable to write output file");
- goto out_flush;
- }
-
-invalid:
- - |
- void f() {
- char buf[128];
- strcpy(buf, getenv("FOO"));
- }
- - |
- {
- fwrite("foo", 3, 1, fopen("foo.txt", "w"));
- }
- - |
- {
- FILE *fptr;
- fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w"));
- }
- - |
- void test_getc() {
- int c = getc(fptr = fopen(file_name, "r"));
- }
\ No newline at end of file
diff --git a/tests/c/sizeof-this-c-test.yml b/tests/c/sizeof-this-c-test.yml
deleted file mode 100644
index 8c862897..00000000
--- a/tests/c/sizeof-this-c-test.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: sizeof-this-c
-valid:
- - |
- sizeof(*this);
-invalid:
- - |
- struct Foo {
- uint64_t a;
- uint8_t b;
- size_t get_size() const {
- return sizeof(this);
- }
diff --git a/tests/c/small-key-size-c-test.yml b/tests/c/small-key-size-c-test.yml
deleted file mode 100644
index 053e0974..00000000
--- a/tests/c/small-key-size-c-test.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-id: small-key-size-c
-valid:
- - |
- void foo() {
- DH_generate_parameters_ex(NULL, 2049);
- }
-
-invalid:
- - |
- void foo() {
- DH_generate_parameters_ex(NULL, 1024);
- }
-
-
diff --git a/tests/c/world-writable-file-c-test.yml b/tests/c/world-writable-file-c-test.yml
deleted file mode 100644
index 5053e399..00000000
--- a/tests/c/world-writable-file-c-test.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-id: world-writable-file-c
-valid:
- - |
- void test_symbol_direct_good() {
- chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
- int fd = open_log();
- fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
- int dirfd = open_log_dir();
- fchmodat(dirfd, "log", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH, AT_SYMLINK_NOFOLLOW);
- open("log", O_CREAT, mode);
- openat(fd, "log", O_CREAT, mode);
- creat("log", mode);
- }
-invalid:
- - |
- void test_octal_bad() {
- mode_t mode = 0666;
- chmod("/tmp/foo", mode);
- int fd = open_log();
- fchmod(fd, mode);
- int dirfd = open_log_dir();
- fchmodat(dirfd, "log", mode, AT_SYMLINK_NOFOLLOW);
- open("log", O_CREAT, mode);
- openat(fd, "log", O_CREAT, mode);
- creat("log", mode);
- }
- - |
- void test_symbol_direct_bad() {
- chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
- int fd = open_log();
- fchmod(fd, S_IROTH | S_IWOTH | S_IRUSR | S_IWUSR);
- int dirfd = open_log_dir();
- fchmodat(dirfd, "log", S_IWOTH);
- open("log", O_CREAT, S_IWUSR | S_IWOTH);
- openat(fd, "log", O_CREAT, S_IWOTH | S_IUSR | S_IGRP);
- creat("log", S_IWOTH);
- }
diff --git a/tests/cpp/dont-call-system-cpp-test.yml b/tests/cpp/dont-call-system-cpp-test.yml
deleted file mode 100644
index 846b4fcc..00000000
--- a/tests/cpp/dont-call-system-cpp-test.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: dont-call-system-cpp
-valid:
- - |
- void test_003(const char *input)
- {
- storer->store_binary(Clocks->system());
- }
-invalid:
- - |
- void test_002(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- system(cmdbuf);
- }
- void test_001(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- if (len_wanted >= BUFFERSIZE)
- {
- /* Handle error */
- }
- else if (len_wanted < 0)
- {
- /* Handle error */
- }
- else if (system(cmdbuf) == -1)
- {
- /* Handle error */
- }
- }
diff --git a/tests/cpp/file-access-before-action-cpp-test.yml b/tests/cpp/file-access-before-action-cpp-test.yml
deleted file mode 100644
index 82424c6a..00000000
--- a/tests/cpp/file-access-before-action-cpp-test.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: file-access-before-action-cpp
-valid:
- - |
-
-invalid:
- - |
- {
- const char *original_key = "path/to/file/filename";
- const char *mirror_key = "path/to/another/file/filename";
-
- if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)){
- copy_file("/bin/cp %s %s", original_key, mirror_key);
- unlink(original_key);
- }
-
- void test_002(){
- const char *original_key = "path/to/file/filename";
- if (access(original_key, W_OK) == 0){
- FILe *fp = fopen(original_key, "wb");
- }
- }
- }
diff --git a/tests/cpp/file-stat-before-action-cpp-test.yml b/tests/cpp/file-stat-before-action-cpp-test.yml
deleted file mode 100644
index fff0b736..00000000
--- a/tests/cpp/file-stat-before-action-cpp-test.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-id: file-stat-before-action-cpp
-valid:
- - |
-
-invalid:
- - |
- if (stat(file.c_str(), &buf) == 0){
- // Open the file for reading
- fp = fopen(file.c_str(), "r");
- if (fp == NULL)
- {
- char message[2560];
- sprintf(message, "File '%s' Cound Not be Opened", file.c_str());
- // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" );
- throw message;
- }
-
- // Read the file
- MvString s, ss;
- while (fgets(data, sizeof(data), fp) != (char *)0)
- {
- s = data;
- s.trimBoth();
- if (s.compare(0, 5, "GROUP") == 0)
- {
- // size_t t = s.find_last_of( ":" );
- size_t t = s.find(":");
- if (t != string::npos)
- {
- ss = s.substr(t + 1).c_str();
- ss.trimBoth();
- ss = ss.substr(1, ss.length() - 3).c_str();
- group_list.push_back(ss);
- }
- }
- }
-
- // Close the file
- fclose(fp);
- }
diff --git a/tests/cpp/fix-format-security-error-cpp-test.yml b/tests/cpp/fix-format-security-error-cpp-test.yml
deleted file mode 100644
index d58c4d25..00000000
--- a/tests/cpp/fix-format-security-error-cpp-test.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: fix-format-security-error-cpp
-valid:
- - |
- fprintf(stderr, "%s", out);
- - |
- sprintf(&buffer[2], "%s", obj->Text, a);
- - |
- sprintf(buf1, "%s", Text_String(TXT_WAITING_FOR_CONNECTIONS));
-invalid:
- - |
- fprintf(stderr, out);
- - |
- sprintf(&buffer[2], obj->Text);
- - |
- sprintf(buf1, Text_String(TXT_WAITING_FOR_CONNECTIONS));
-
-
diff --git a/tests/cpp/insecure-hash-cpp-test.yml b/tests/cpp/insecure-hash-cpp-test.yml
deleted file mode 100644
index 2b2c9076..00000000
--- a/tests/cpp/insecure-hash-cpp-test.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: insecure-hash-cpp
-valid:
- - |
- MD5Final(digest,ctx);
-invalid:
- - |
- EVP_MD_fetch(NULL, "MD2", NULL);
- - |
- EVP_get_digestbyname("MD2");
- - |
- EVP_MD_fetch(NULL, "MD4", NULL);
- - |
- EVP_get_digestbyname("MD4");
- - |
- EVP_MD_fetch(NULL, "MD5", NULL);
- - |
- EVP_get_digestbyname("MD5");
- - |
- MD2_Init(ctx);
- - |
- MD5_Init(ctx);
- - |
- MD2_Update(ctx, data, size);
- - |
- gcry_md_open(handle, GCRY_MD_MD2, 0);
- - |
- gcry_md_extract(handle, GCRY_MD_SHA1, output);
- - |
- gcry_md_hash_buffer(GCRY_MD_MD4, data, size);
diff --git a/tests/cpp/libxml2-audit-parser-cpp-test.yml b/tests/cpp/libxml2-audit-parser-cpp-test.yml
deleted file mode 100644
index a1570af2..00000000
--- a/tests/cpp/libxml2-audit-parser-cpp-test.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: libxml2-audit-parser-cpp
-valid:
- - |
- xmlCtxtReadMemory();
-invalid:
- - |
- xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
- (int)xml_filtered.length(), 0, &pNewNode);
- - |
- xmlReadDoc((xmlChar *)ptr, "", NULL, 0);
- - |
- xmlReadFd(f, NULL, NULL, XML_PARSE_NOBLANKS);
- - |
- doc = xmlReadFile(xmlFilename.c_str(), NULL, 0);
- - |
- xmlDocPtr xml = xmlReadIO(readStream, closeStream, static_cast(&stream), fileName.c_str(), 0, options);
- - |
- mPimpl->mXmlDocPtr = xmlCtxtReadDoc(context, reinterpret_cast(input.c_str()), "/", nullptr, 0);
- - |
- xmlDocPtr doc = xmlCtxtReadFd(ctx_, fd, url_, encoding_, options_);
- load(doc, node);
- - |
- doc = xmlCtxtReadMemory(ctxt, (char *)string, len, NULL, NULL, 0);
- - |
- xmlDocPtr const pDoc = xmlCtxtReadIO(pContext.get(), xmlIO_read_func, xmlIO_close_func, &c, nullptr, nullptr, 0);
diff --git a/tests/cpp/missing-nul-cpp-string-memcpy-cpp-test.yml b/tests/cpp/missing-nul-cpp-string-memcpy-cpp-test.yml
deleted file mode 100644
index e0aa67dc..00000000
--- a/tests/cpp/missing-nul-cpp-string-memcpy-cpp-test.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-id: missing-nul-cpp-string-memcpy-copy-cpp
-valid:
- - |
- void test_001()
- {
- string from = "hello";
- char to[20];
- size_t len_001 = strlen(from.c_str()+1);
- memcpy(to, from.c_str(), len_001);
- }
- - |
- void test_002()
- {
- string from = "hello";
- char to[20];
- size_t len_002 = from.size()+1;
- memcpy(to, from.c_str(), len_002);
- }
-invalid:
- - |
- void test_001()
- {
- string from = "hello";
- char to[20];
- size_t len_001 = strlen(from.c_str());
- memcpy(to, from.c_str(), len_001);
- }
- - |
- void test_002()
- {
- string from = "hello";
- char to[20];
- size_t len_002 = from.size();
- memcpy(to, from.c_str(), len_002);
- }
- - |
- void test_003()
- {
- string from = "hello";
- char to[20];
- size_t len_003 = from.length();
- memcpy(to, from.c_str(), len_003);
- }
diff --git a/tests/cpp/null-library-function-cpp-test.yml b/tests/cpp/null-library-function-cpp-test.yml
deleted file mode 100644
index ac8f268e..00000000
--- a/tests/cpp/null-library-function-cpp-test.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: null-library-function-cpp
-valid:
- - |
- errno = 0;
- fwrite(data, len, 1, f);
- if (errno) {
- ERRS("unable to write output file");
- goto out_flush;
- }
-
-invalid:
- - |
- void f() {
- char buf[128];
- strcpy(buf, getenv("FOO"));
- }
- - |
- {
- fwrite("foo", 3, 1, fopen("foo.txt", "w"));
- }
- - |
- {
- FILE *fptr;
- fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w"));
- }
- - |
- void test_getc() {
- int c = getc(fptr = fopen(file_name, "r"));
- }
\ No newline at end of file
diff --git a/tests/cpp/return-c-str-cpp-test.yml b/tests/cpp/return-c-str-cpp-test.yml
deleted file mode 100644
index ea31a57f..00000000
--- a/tests/cpp/return-c-str-cpp-test.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: return-c-str-cpp
-valid:
- - |
- std::string return_directly() {
- return std::string("foo");
- }
-invalid:
- - |
- char *return_namespace_directly() {
- return std::string("foo").c_str();
- }
- - |
- char *return_directly() {
- return string("foo").c_str();
- }
- - |
- char *return_basic_string_directly() {
- return std::basic_string("foo").c_str();
- }
- - |
- char *return_data_directly() {
- return std::string("foo").data();
- }
diff --git a/tests/cpp/size-of-this-test.yml b/tests/cpp/size-of-this-test.yml
deleted file mode 100644
index 343b2a66..00000000
--- a/tests/cpp/size-of-this-test.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-id: sizeof-this-cpp
-valid:
- - |
- return sizeof(*this);
-invalid:
- - |
- return sizeof(this);
diff --git a/tests/cpp/small-key-size-cpp-test.yml b/tests/cpp/small-key-size-cpp-test.yml
deleted file mode 100644
index 25513102..00000000
--- a/tests/cpp/small-key-size-cpp-test.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-id: small-key-size-cpp
-valid:
- - |
- void foo() {
- DH_generate_parameters_ex(NULL, 2049);
- }
-
-invalid:
- - |
- void foo() {
- DH_generate_parameters_ex(NULL, 1024);
- }
-
-
diff --git a/tests/cpp/std-return-data-cpp-test.yml b/tests/cpp/std-return-data-cpp-test.yml
deleted file mode 100644
index cc161c40..00000000
--- a/tests/cpp/std-return-data-cpp-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: std-return-data-cpp
-valid:
- - |
- class Wrapper {
- std::vector v;
- int *return_vector_begin_iterator() {
- return v.data();
- }
- }
-invalid:
- - |
- int *return_vector_data() {
- std::vector v;
- return v.data();
- }
diff --git a/tests/cpp/std-vector-invalidation-cpp-test.yml b/tests/cpp/std-vector-invalidation-cpp-test.yml
deleted file mode 100644
index f83005e2..00000000
--- a/tests/cpp/std-vector-invalidation-cpp-test.yml
+++ /dev/null
@@ -1,90 +0,0 @@ -id: std-vector-invalidation-cpp -valid: - - | - void f(std::vector &vec) { - for (std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // This is the correct way to iterate while erasing - it = vec.erase(it); - } else { - ++it; - } - } - } - bool isInList(const TCHAR *token2Find, std::vector ¶ms, bool eraseArg = true){ - for (std::vector::iterator = params.begin(); it != params.end(); ++it) - { - if (lstrcmp(token2Find, it->c_str()) == 0){ - if (eraseArg) params.erase(it); - return true; - } - } - return false; - } -invalid: - - | - void loop_variant_5(std::vector &vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_6(std::vector &vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_7(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); ++it) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_8(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); it++) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_9(std::vector &vec) { - for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; ++it) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_10(std::vector &vec) { - for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; it++) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_11(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) { - if (should_erase(*it)) { - vec.erase(it); - } - } - } - void loop_variant_12(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) { - if (should_erase(*it)) { - vec.erase(it); - } - } 
- } - void f(std::vector &vec, std::vector &other_vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) { - if (foo()) { - vec.push_back(0); - // Modifying a different container is OK - other_vec.push_back(0); - } - } - } diff --git a/tests/cpp/string-view-temporary-string-cpp-test.yml b/tests/cpp/string-view-temporary-string-cpp-test.yml deleted file mode 100644 index 0ebc90ce..00000000 --- a/tests/cpp/string-view-temporary-string-cpp-test.yml +++ /dev/null @@ -1,47 +0,0 @@ -id: string-view-temporary-string-cpp -valid: - - | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - std::string other = foo + "bar"; - } -invalid: - - | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = foo + "bar"; - } - - | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = "bar" + foo; - } - - | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = foo + foo + "bar"; - } - - | - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = foo + "foo" + bar; - } - - | - extern std::string returns_std_string(); - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = returns_std_string() + foo; - } - - | - extern std::string returns_std_string(); - void operator_plus() { - std::string foo = "foo"; - std::string_view view; - view = returns_std_string() + "bar"; - } diff --git a/tests/cpp/world-writable-file-cpp-test.yml b/tests/cpp/world-writable-file-cpp-test.yml deleted file mode 100644 index 9892771a..00000000 --- a/tests/cpp/world-writable-file-cpp-test.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -id: world-writable-file-cpp -valid: - - | - void test_symbol_direct_good() { - chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH); - int fd = open_log(); - fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH, AT_SYMLINK_NOFOLLOW); - open("log", O_CREAT, mode); - openat(fd, "log", O_CREAT, mode); - creat("log", mode); - } -invalid: - - | - void test_octal_bad() { - mode_t mode = 0666; - chmod("/tmp/foo", mode); - int fd = open_log(); - fchmod(fd, mode); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", mode, AT_SYMLINK_NOFOLLOW); - open("log", O_CREAT, mode); - openat(fd, "log", O_CREAT, mode); - creat("log", mode); - } - - | - void test_symbol_direct_bad() { - chmod("/tmp/foo", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH); - int fd = open_log(); - fchmod(fd, S_IROTH | S_IWOTH | S_IRUSR | S_IWUSR); - int dirfd = open_log_dir(); - fchmodat(dirfd, "log", S_IWOTH); - open("log", O_CREAT, S_IWUSR | S_IWOTH); - openat(fd, "log", O_CREAT, S_IWOTH | S_IUSR | S_IGRP); - creat("log", S_IWOTH); - } diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml deleted file mode 100644 index e29a7eab..00000000 --- a/tests/csharp/httponly-false-csharp-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: httponly-false-csharp -valid: - - | - myHttpOnlyCookie.HttpOnly = true; - - | - options.Cookie.HttpOnly = true; -invalid: - - | - options.Cookie.HttpOnly = false; diff --git a/tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml b/tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml deleted file mode 100644 index 8f2d1289..00000000 --- a/tests/csharp/insecure-binaryformatter-deserialization-csharp-test.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: insecure-binaryformatter-deserialization-csharp - -invalid: - - | - using System.Runtime.Serialization.Formatters.Binary; - namespace InsecureDeserialization - { - public class InsecureBinaryFormatterDeserialization - { - public void BinaryFormatterDeserialization(string json) - { - try - { - BinaryFormatter binaryFormatter = new BinaryFormatter(); - - MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json)); - binaryFormatter.Deserialize(memoryStream); - memoryStream.Close(); - } - catch (Exception e) - { - Console.WriteLine(e); - } - } - } - } diff --git a/tests/csharp/jwt-decode-without-verify-csharp-test.yml b/tests/csharp/jwt-decode-without-verify-csharp-test.yml deleted file mode 100644 index 1d419c16..00000000 --- a/tests/csharp/jwt-decode-without-verify-csharp-test.yml +++ /dev/null 
@@ -1,262 +0,0 @@ -id: jwt-decode-without-verify-csharp -valid: - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void OkJwtTest2() - { - var json = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .MustVerifySignature() - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } -invalid: - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest7(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json = decoder.Decode(token, verify: false); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest9(){ - var decoder = new JwtDecoder(new JsonNetSerializer(), new JwtValidator(new JsonNetSerializer(), new UtcDateTimeProvider()), new JwtBase64UrlEncoder(), new HMACSHA256Algorithm()); - var json = decoder.Decode(token, null, false); // decode with no signature verification - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest10(){ - var builder = JwtBuilder.Create(); - var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar 
- { - public class JwtTestPatterns{ - public void JwtTest11(){ - var builder = JwtBuilder.Create(); - var json = builder.WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token, verify: false); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest13(){ - var validationParameters = new ValidationParameters - { - ValidateSignature = false, - ValidateExpirationTime = false, - ValidateIssuedTime = false, - TimeMargin = 100 - }; - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest15(){ - var builder = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key); - var json = builder.Decode(token); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest17(){ - var options = new JwtAuthenticationOptions - { - VerifySignature = false - }; - Console.WriteLine("JWT Authentication setup with signature verification disabled."); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest18(){ - var validationParameters = new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - }; - var tokenHandler = new JwtSecurityTokenHandler(); - var json = tokenHandler.ValidateToken(token, validationParameters, out var validatedToken); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest19(){ - var 
validationParameters = new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - }; - Console.WriteLine("JWT decode with validation params where signature validation is disabled."); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest19(){ - var validationParameters = new TokenValidationParameters - { - ValidateIssuerSigningKey = false, - ValidateIssuer = true, - ValidateAudience = true - }; - Console.WriteLine("JWT decode with validation params where signature validation is disabled."); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest1(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json1 = decoder.Decode(token, verify: false); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest1(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json2 = decoder.Decode(token, null, false); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using 
Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest2(){ - var json = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } - - | - using JWT; - using JWT.Builder; - using Microsoft.IdentityModel.Tokens; - namespace Example.Foobar - { - public class JwtTestPatterns{ - public void JwtTest3(){ - var builder = JwtBuilder.Create(); - var json = builder - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(key) - .Decode(token); - Console.WriteLine(json); - } - } - } diff --git a/tests/csharp/jwt-hardcoded-secret-csharp-test.yml b/tests/csharp/jwt-hardcoded-secret-csharp-test.yml deleted file mode 100644 index 6cfdcae2..00000000 --- a/tests/csharp/jwt-hardcoded-secret-csharp-test.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -id: jwt-hardcoded-secret-csharp -valid: - - | - public void OkJwtTest6(){ - string secret = GetSecretFromEnvironmentVariable(); - var token = JwtBuilder.Create() - .WithAlgorithm(new HMACSHA256Algorithm()) - .WithSecret(secret) - .AddClaim("user", "george") - .AddClaim("permissions", "full_access") - .Encode(); - Console.WriteLine(token); - } -invalid: - - | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest13(){ - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - var token = encoder.Encode(new Dictionary - { - { "user", "alice" }, - { "permissions", "read, write" } - }, "hardcodedJWTSecret987"); - Console.WriteLine(token); - } - } - - | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest17(){ - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - var token = encoder.Encode(new Dictionary - { - { "sub", "user123" }, - { "scope", "admin" } - }, "secretkey2024"); - - Console.WriteLine(token); - } - } - - | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest20(){ - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - var token = encoder.Encode(new Dictionary - { - { "userId", "999" }, - { "role", "admin" } - }, "hardcodedTokenSecret987"); - Console.WriteLine(token); - } - } - - | - using JWT; - using JWT.Builder; - 
namespace Example.Foobar; - public class Foobar{ - public void JwtTest1(){ - var payload = new Dictionary - { - { "claim1", 0 }, - { "claim2", "claim2-value" } - }; - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJsonSerializer serializer = new JsonNetSerializer(); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtEncoder encoder = new JwtEncoder(algorithm, serializer, urlEncoder); - const string key = "razdvatri"; - var token = encoder.Encode(payload, key); - Console.WriteLine(token); - } - } - - | - using JWT; - using JWT.Builder; - namespace Example.Foobar; - public class Foobar{ - public void JwtTest2(){ - IJsonSerializer serializer = new JsonNetSerializer(); - IDateTimeProvider provider = new UtcDateTimeProvider(); - IJwtValidator validator = new JwtValidator(serializer, provider); - IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder(); - IJwtAlgorithm algorithm = new HMACSHA256Algorithm(); - IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm); - var json = decoder.Decode(token, "secret123"); - Console.WriteLine(json); - } - } diff --git a/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml b/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml deleted file mode 100644 index c6a2689d..00000000 --- a/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: jwt-tokenvalidationparameters-no-expiry-validation-csharp -valid: - - | - parameters.ValidateLifetime = true; - parameters.RequireExpirationTime = true -invalid: - - | - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - }; - TokenValidationParameters parameters = new TokenValidationParameters(); - parameters.RequireExpirationTime = false; - parameters.ValidateLifetime = false; - - | - TokenValidationParameters parameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - }; - - | - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = true, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - }; - - | - TokenValidationParameters parameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireExpirationTime = false, - ValidateIssuer = false, - ValidateAudience = false - }; diff --git a/tests/csharp/networkcredential-hardcoded-secret-python-test.yml b/tests/csharp/networkcredential-hardcoded-secret-python-test.yml deleted file mode 100644 index 351587ee..00000000 --- a/tests/csharp/networkcredential-hardcoded-secret-python-test.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -id: networkcredential-hardcoded-secret-csharp -valid: - - | - private A GetConnection(args) - { - new NetworkCredential("username", args[1]); - } - - | - private A GetConnection(args) - { - cre.Password = args[1]; - } -invalid: - - | - private A GetConnection(args) - { - new NetworkCredential("username", "password"); - } - - | - private A GetConnection(args) - { - NetworkCredential cre = new NetworkCredential(); - cre.Password = "aaaa"; - } - - | - private A GetConnection(args) - { - string password = "aaa"; - new NetworkCredential("username", password); - } - - | - private A GetConnection(args) - { - NetworkCredential cre = new NetworkCredential(); - string password = "aaa"; - cre.Password = password; - } diff --git a/tests/csharp/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml deleted file mode 100644 index 8f5112d3..00000000 --- a/tests/csharp/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -id: npgsqlconnectionstringbuilder-hardcoded-secret-csharp -valid: - - | - urlBuilder.Password = args[1]; - - | - urlBuilder["Password"] = args[1]; -invalid: - - | - using System; - using Npgsql; - namespace a - { - class Program - { - static void Main(string[] args) - { - NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - string password = "aaa"; - urlBuilder.Password = "aaaa"; - } - } - } - - | - using System; - using Npgsql; - namespace a - { - class Program - { - static void Main(string[] args) - { - NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - string password = "aaa"; - urlBuilder["Password"] = "aaaa"; - } - } - } - - | - using System; - using Npgsql; - namespace a - { - class Program - { - static void Main(string[] args) - { - NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); - string password = "aaa"; - urlBuilder["Password"] = password; - } - } - } diff --git a/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml deleted file mode 100644 index c5c5e2e4..00000000 --- a/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: oracleconnectionstringbuilder-hardcoded-secret-csharp -valid: - - | - builder.Password = args[1]; -invalid: - - | - private OracleConnectionStringBuilder GetConnection(args) - { - OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder(); - builder.Password = "reee!"; - } - - | - private OracleConnectionStringBuilder GetConnection(args) - { - OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder(); - builder["Password"] = "reee!"; - } - - | - private OracleConnectionStringBuilder GetConnection(args) - { - var cb = new OracleConnectionStringBuilder(); - cb["Password"] = "reee!"; - } - - | - private OracleConnectionStringBuilder GetConnection(args) - { - var cb = new OracleConnectionStringBuilder(); - cb.Password = "reee!"; - } diff --git a/tests/csharp/sqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/sqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml deleted file mode 100644 index 318e93e2..00000000 --- a/tests/csharp/sqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: sqlconnectionstringbuilder-hardcoded-secret-csharp -valid: - - | - builder.Password = args[1]; -invalid: - - | - private SqlConnectionStringBuilder GetConnection(args) - { - SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - builder.Password = "reee!"; - } - - | - private SqlConnectionStringBuilder GetConnection(args) - { - SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); - builder["Password"] = "reee!"; - } - - | - private SqlConnectionStringBuilder GetConnection(args) - { - string password = "aaaa"; - var cb = new SqlConnectionStringBuilder(); - cb["Password"] = password; - } - - | - private SqlConnectionStringBuilder GetConnection(args) - { - var cb = new SqlConnectionStringBuilder(); - cb.Password = "reee!"; - } 
diff --git a/tests/csharp/stacktrace-disclosure-csharp-test.yml b/tests/csharp/stacktrace-disclosure-csharp-test.yml deleted file mode 100644 index 1f8b2277..00000000 --- a/tests/csharp/stacktrace-disclosure-csharp-test.yml +++ /dev/null @@ -1,38 +0,0 @@ -id: stacktrace-disclosure-csharp -valid: - - | - if (env.IsDevelopment()) - { - app.UseExceptionHandler("/Error"); - } -invalid: - - | - if (env.IsProduction()) - { - app.UseDeveloperExceptionPage(); - } - - | - public void Configure(IApplicationBuilder app, IWebHostEnvironment env) - { - app.UseDeveloperExceptionPage(); - } - - | - if (!env.IsDevelopment()) - { - app.UseDeveloperExceptionPage(); - } - - | - if (DateTime.Now.DayOfWeek == DayOfWeek.Monday) - { - app.UseDeveloperExceptionPage(); - } - - | - if (DateTime.Now.DayOfWeek == DayOfWeek.Monday) - { - app.UseDeveloperExceptionPage(); - } - - | - if (environment == "dev") - { - app.UseDeveloperExceptionPage(); - } diff --git a/tests/csharp/use-ecb-mode-csharp-test.yml b/tests/csharp/use-ecb-mode-csharp-test.yml deleted file mode 100644 index 75bc33e4..00000000 --- a/tests/csharp/use-ecb-mode-csharp-test.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: use-ecb-mode-csharp -valid: - - | - Aes key = Aes.Create(); - key.Mode = CipherMode.CBC; - - | - Aes key = Aes.Create(); - var cipherText = key.EncryptCbc(msg, iv, PaddingMode.PKCS7); - - | - Aes key = Aes.Create(); - key.Mode = CipherMode.CBC; - - | - Aes key = Aes.Create(); - var msgText = key.DecryptCbc(cipherText, iv, PaddingMode.PKCS7); -invalid: - - | - Aes key = Aes.Create(); - key.Mode = CipherMode.ECB; - - | - Aes key = Aes.Create(); - byte[] msg = new byte[32]; - var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7); - - | - Aes key = Aes.Create(); - key.Mode = CipherMode.ECB; - - | - Aes key = Aes.Create(); - var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7); - - | - TripleDES key = TripleDES.Create(); - key.Mode = CipherMode.ECB; - - | - TripleDES key = TripleDES.Create(); - byte[] msg = new byte[32]; - var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7); - - | - TripleDES key = TripleDES.Create(); - key.Mode = CipherMode.ECB - - | - Aes key = Aes.Create(); - TripleDES key = TripleDES.Create(); - var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7); diff --git a/tests/go/avoid-bind-to-all-interfaces-go-test.yml b/tests/go/avoid-bind-to-all-interfaces-go-test.yml deleted file mode 100644 index 4aebe122..00000000 --- a/tests/go/avoid-bind-to-all-interfaces-go-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: avoid-bind-to-all-interfaces-go -valid: - - | - l, err := net.Listen("tcp", "192.168.1.101:2000") -invalid: - - | - l, err := net.Listen("tcp", "0.0.0.0:2000") - - | - l, err := net.Listen("tcp", ":2000") diff --git a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml deleted file mode 100644 index fb44f605..00000000 --- a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -id: gorilla-cookie-store-hardcoded-session-key-go -valid: - - | - var store = sessions.NewCookieStore([]byte(os.Getenv("SESSION_KEY"))) -invalid: - - | - import ( - "github.com/gorilla/sessions" - ) - var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here")) - var store = sessions.NewCookieStore( - []byte("new-authentication-key"), - []byte("new-encryption-key"), - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) - - | - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - var storeHardcoded = sessions.NewCookieStore([]byte("hardcoded-session-key")) - - | - import ( - "crypto/rand" - "fmt" - "github.com/gorilla/sessions" - ) - var storeMultipleHardcoded = sessions.NewCookieStore( - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) \ No newline at end of file diff --git a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml deleted file mode 100644 index eb070dd1..00000000 --- a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: gorilla-csrf-hardcoded-auth-key-go -valid: - - | - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte(os.Getenv("CSRF_AUTH_KEY")))(r)) - } -invalid: - - | - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } \ No newline at end of file diff --git a/tests/go/grpc-client-insecure-connection-go-test.yml b/tests/go/grpc-client-insecure-connection-go-test.yml deleted file mode 100644 index 6002ca6e..00000000 --- a/tests/go/grpc-client-insecure-connection-go-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: grpc-client-insecure-connection-go -valid: - - | - conn, err := grpc.Dial(address) -invalid: - - | - conn, err := grpc.Dial(address, grpc.WithInsecure()) \ No newline at end of file 
diff --git a/tests/go/jwt-go-none-algorithm-go-test.yml b/tests/go/jwt-go-none-algorithm-go-test.yml deleted file mode 100644 index 33dd8c6f..00000000 --- a/tests/go/jwt-go-none-algorithm-go-test.yml +++ /dev/null @@ -1,32 +0,0 @@ -id: jwt-go-none-algorithm-go -valid: - - | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func ok1(key []byte){ - claims = jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test" - } - token = jwt.NewWithClaims(jwt.SigningMethodHS256, claims) - ss, err = token.SignedString(key) - fmt.Printf("%v %v\n", ss, err) - } - -invalid: - - | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func bad1(key []byte) { - claims := jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test" - } - token := jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err) - } diff --git a/tests/go/missing-ssl-minversion-go-test.yml b/tests/go/missing-ssl-minversion-go-test.yml deleted file mode 100644 index 55f34ae6..00000000 --- a/tests/go/missing-ssl-minversion-go-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-ssl-minversion-go -valid: - - | - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, - InsecureSkipVerify: true, - }, - -invalid: - - | - server.TLS = &tls.Config{ Rand: zeroSource{}, } - - diff --git a/tests/go/openai-empty-secret-go-test.yml b/tests/go/openai-empty-secret-go-test.yml deleted file mode 100644 index c0473e03..00000000 --- a/tests/go/openai-empty-secret-go-test.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: openai-empty-secret-go -valid: - - | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("fvgf") - } -invalid: - - | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("") - } 
diff --git a/tests/go/openai-hardcoded-secret-go-test.yml b/tests/go/openai-hardcoded-secret-go-test.yml deleted file mode 100644 index 8773b869..00000000 --- a/tests/go/openai-hardcoded-secret-go-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: openai-hardcoded-secret-go -valid: - - | -invalid: - - | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("my-openai-token") - } diff --git a/tests/go/ssl-v3-is-insecure-go-test.yml b/tests/go/ssl-v3-is-insecure-go-test.yml deleted file mode 100644 index 9e71a1e0..00000000 --- a/tests/go/ssl-v3-is-insecure-go-test.yml +++ /dev/null @@ -1,27 +0,0 @@ -id: ssl-v3-is-insecure-go -valid: - - | - client_good := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - // OK - MinVersion: tls.VersionTLS10, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - }, - }, - } - -invalid: - - | - client := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - }, - }, - } diff --git a/tests/go/tls-with-insecure-cipher-go-test.yml b/tests/go/tls-with-insecure-cipher-go-test.yml deleted file mode 100644 index 771dc011..00000000 --- a/tests/go/tls-with-insecure-cipher-go-test.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: tls-with-insecure-cipher-go -valid: - - | - tr := &http.Transport{ - TLSClientConfig: &tls.Config{CipherSuites: []uint16{ - tls.TLS_AES_128_GCM_SHA256, - tls.TLS_AES_256_GCM_SHA384, - }}, - } - -invalid: - - | - tr := &http.Transport{ - TLSClientConfig: &tls.Config{CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }}, - } - - 
diff --git a/tests/go/use-of-weak-rsa-key-go-test.yml b/tests/go/use-of-weak-rsa-key-go-test.yml deleted file mode 100644 index 8b65375e..00000000 --- a/tests/go/use-of-weak-rsa-key-go-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: use-of-weak-rsa-key-go -valid: - - | - rsa.GenerateKey(rand.Reader, 2048) -invalid: - - | - pvk, err := rsa.GenerateKey(rand.Reader, 1025) - - | - pvk, err := rsa.GenerateKey(rand.Reader, -1929) - - | - pvk, err := rsa.GenerateKey(rand.Reader, 102.5) - - | - pvk, err := rsa.GenerateKey(rand.Reader, 192) \ No newline at end of file diff --git a/tests/html/plaintext-http-link-html-test.yml b/tests/html/plaintext-http-link-html-test.yml deleted file mode 100644 index dd6be12e..00000000 --- a/tests/html/plaintext-http-link-html-test.yml +++ /dev/null @@ -1,23 +0,0 @@ -id: plaintext-http-link-html -valid: - - | - Astgrep - - | - Astgrep - - | - Astgrep -invalid: - - | - Astgrep - - | - Astgrep - - | - Astgrep - - | - Astgrep - - | - Astgrep - - | - Astgrep - - | - Astgrep diff --git a/tests/java/cbc-padding-oracle-java-test.yml b/tests/java/cbc-padding-oracle-java-test.yml deleted file mode 100644 index 8a0336cf..00000000 --- a/tests/java/cbc-padding-oracle-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: cbc-padding-oracle-java -valid: - - | - Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher.getInstance("AES/CBC/PKCS5Padding"); diff --git a/tests/java/cookie-httponly-false-java-test.yml b/tests/java/cookie-httponly-false-java-test.yml deleted file mode 100644 index 1d1f3397..00000000 --- a/tests/java/cookie-httponly-false-java-test.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: cookie-httponly-false-java -valid: - - | - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); - } -invalid: - - | - - @RequestMapping(value = "/cookie4", method = "GET") - public void explicitDisable(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(false); - cookie.setHttpOnly(false); - response.addCookie(cookie); - } diff --git a/tests/java/cookie-missing-httponly-java-test.yml b/tests/java/cookie-missing-httponly-java-test.yml deleted file mode 100644 index 18e55379..00000000 --- a/tests/java/cookie-missing-httponly-java-test.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: cookie-missing-httponly-java -valid: - - | - existingCookie.setValue(""); - existingCookie.setMaxAge(0); - response.addCookie(existingCookie); -invalid: - - | - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - response.addCookie(cookie); - } - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - response.addCookie(cookie); - } diff --git a/tests/java/cookie-missing-samesite-java-test.yml b/tests/java/cookie-missing-samesite-java-test.yml deleted file mode 100644 index f99c859e..00000000 --- a/tests/java/cookie-missing-samesite-java-test.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: cookie-missing-samesite-java -valid: - - | - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict"); - } -invalid: - - | - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); - } - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - response.setHeader("Set-Cookie", "key=value; HttpOnly;"); - } diff --git a/tests/java/cookie-missing-secure-flag-java-test.yml b/tests/java/cookie-missing-secure-flag-java-test.yml deleted file mode 100644 index 06940e03..00000000 --- a/tests/java/cookie-missing-secure-flag-java-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: cookie-missing-secure-flag-java -valid: - - | - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - response.addCookie(cookie); - } -invalid: - - | - public class CookieController { - - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - response.addCookie(cookie); - } diff --git a/tests/java/cookie-secure-flag-false-java-test.yml b/tests/java/cookie-secure-flag-false-java-test.yml deleted file mode 100644 index 4d2b0fdb..00000000 --- a/tests/java/cookie-secure-flag-false-java-test.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -id: cookie-secure-flag-false-java -valid: - - | - response.addCookie(cookie); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); -invalid: - - | - cookie.setSecure(false); diff --git a/tests/java/datanucleus-hardcoded-connection-password-java-test.yml b/tests/java/datanucleus-hardcoded-connection-password-java-test.yml deleted file mode 100644 index 0fa882aa..00000000 --- a/tests/java/datanucleus-hardcoded-connection-password-java-test.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: datanucleus-hardcoded-connection-password-java -valid: - - | - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - public class PeopleTest { - JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - public void setUp() throws SQLException { - pmf.setConnectionPassword(pw); - } - } -invalid: - - | - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - public class PeopleTest { - JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - public void setUp() throws SQLException { - pmf.setConnectionPassword("asdf"); - } - } - - | - import org.datanucleus.api.jdo.JDOPersistenceManagerFactory; - public class PeopleTest { - JDOPersistenceManagerFactory pmf = new JDOPersistenceManagerFactory(props); - private String pw = "asdf"; - public void setUp() throws SQLException { - pmf.setConnectionPassword(pw); - } - } \ No newline at end of file diff --git a/tests/java/des-is-deprecated-java-test.yml b/tests/java/des-is-deprecated-java-test.yml deleted file mode 100644 index bc26dbd7..00000000 --- a/tests/java/des-is-deprecated-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: des-is-deprecated-java -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher.getInstance("DES/ECB/PKCS5Padding"); diff --git a/tests/java/desede-is-deprecated-java-test.yml b/tests/java/desede-is-deprecated-java-test.yml deleted file mode 100644 index 73a8d339..00000000 
--- a/tests/java/desede-is-deprecated-java-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: desede-is-deprecated-java -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher c = Cipher.getInstance("kDESede/ECB/PKCS5Padding"); - c.init(Cipher.ENCRYPT_MODE, k, iv); - - | - javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); diff --git a/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml b/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml deleted file mode 100644 index 4b4d4183..00000000 --- a/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml +++ /dev/null 
@@ -1,51 +0,0 @@
-id: documentbuilderfactory-disallow-doctype-decl-false-java
-valid:
- - |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- }
- - |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- }
- - |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- }
- - |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- }
- - |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- }
- - |
- ParserConfigurationException {
- SAXParserFactory spf = SAXParserFactory.newInstance();
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- }
-invalid:
- - |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- }
- - |
- ParserConfigurationException {
- SAXParserFactory spf = SAXParserFactory.newInstance();
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- }
diff --git a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
deleted file mode 100644
index a56a6eb5..00000000
--- a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: documentbuilderfactory-external-general-entities-true-java
-valid:
- - |
- dbf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
- spf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
-invalid:
- - |
- dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
- spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
diff --git a/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml
deleted file mode 100644
index 309b83da..00000000
--- a/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: documentbuilderfactory-external-parameter-entities-true-java
-valid:
- - |
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , false);
-invalid:
- - |
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
- spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
diff --git a/tests/java/dont-call-system-c-test.yml b/tests/java/dont-call-system-c-test.yml
deleted file mode 100644
index 89689983..00000000
--- a/tests/java/dont-call-system-c-test.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: dont-call-system-c
-valid:
- - |
- void test_003(const char *input)
- {
- storer->store_binary(Clocks->system());
- }
-invalid:
- - |
- void test_002(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- system(cmdbuf);
- }
- void test_001(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- if (len_wanted >= BUFFERSIZE)
- {
- /* Handle error */
- }
- else if (len_wanted < 0)
- {
- /* Handle error */
- }
- else if (system(cmdbuf) == -1)
- {
- /* Handle error */
- }
- }
diff --git a/tests/java/drivermanager-hardcoded-secret-java-test.yml b/tests/java/drivermanager-hardcoded-secret-java-test.yml
deleted file mode 100644
index a49a54db..00000000
--- a/tests/java/drivermanager-hardcoded-secret-java-test.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-id: drivermanager-hardcoded-secret-java
-valid:
- - |
- Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92","a");
-invalid:
- - |
- Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
diff --git a/tests/java/ecb-cipher-java-test.yml b/tests/java/ecb-cipher-java-test.yml
deleted file mode 100644
index db626ccc..00000000
--- a/tests/java/ecb-cipher-java-test.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-id: ecb-cipher-java
-valid:
- - |
- Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
-invalid:
- - |
- Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
\ No newline at end of file
diff --git a/tests/java/hardcoded-connection-password-java-test.yml b/tests/java/hardcoded-connection-password-java-test.yml
deleted file mode 100644
index a10f982e..00000000
--- a/tests/java/hardcoded-connection-password-java-test.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-id: hardcoded-connection-password-java
-valid:
- - |
- import org.datanucleus.api.jdo.JDOPersistenceManagerFactory;
- import javax.jdo.PersistenceManagerFactory;
- public class PeopleTest {
- private PersistenceManagerFactory pmf;
- public void setUp() throws SQLException {
- pmf.setConnectionPassword(pw);
- }
- }
-invalid:
- - |
- import org.datanucleus.api.jdo.JDOPersistenceManagerFactory;
- import javax.jdo.PersistenceManagerFactory;
- public class PeopleTest {
- private PersistenceManagerFactory pmf;
- public void setUp() throws SQLException {
- pmf.setConnectionPassword("asdf");
- }
- }
- - |
- import org.datanucleus.api.jdo.JDOPersistenceManagerFactory;
- import javax.jdo.PersistenceManagerFactory;
- public class PeopleTest {
- private PersistenceManagerFactory pmf;
- private String pw = "asdf";
- public void setUp() throws SQLException {
- pmf.setConnectionPassword(pw);
- }
- }
\ No newline at end of file
diff --git a/tests/java/hardcoded-secret-in-credentials-java-test.yml b/tests/java/hardcoded-secret-in-credentials-java-test.yml
deleted file mode 100644
index aa8e46b7..00000000
--- a/tests/java/hardcoded-secret-in-credentials-java-test.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: hardcoded-secret-in-credentials-java
-valid:
- - |
- System.setProperty("javax.net.ssl.keyStorePassword", password);
-invalid:
- - |
- import okhttp3.*;
- public class OkhttpSecretBasicAuth {
- public void run() {
- String credential = Credentials.basic(username, "asdf");
- }
- }
- - |
- import okhttp3.*;
- public class OkhttpSecretBasicAuth {
- private String password = "hi";
- public void run() {
- String credential = Credentials.basic(username, password);
- }
- }
\ No newline at end of file
diff --git a/tests/java/java-jwt-hardcoded-secret-java-test.yml b/tests/java/java-jwt-hardcoded-secret-java-test.yml
deleted file mode 100644
index 4aad76df..00000000
--- a/tests/java/java-jwt-hardcoded-secret-java-test.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-id: java-jwt-hardcoded-secret-java
-valid:
- - |
- public class App
- {
- private static void bad1() {
- try {
- Algorithm algorithm = Algorithm.HMAC256(secret);
- String token = JWT.create()
- .withIssuer("auth0")
- .sign(algorithm);
- } catch (JWTCreationException exception){
- //Invalid Signing configuration / Couldn't convert Claims.
- }
- }
-invalid:
- - |
- import com.auth0.jwt.algorithms.Algorithm;
- public class App
- {
- static String secret = "secret";
- private static void bad1() {
- try {
- Algorithm algorithm = Algorithm.HMAC256("secret");
- String token = JWT.create()
- .withIssuer("auth0")
- .sign(algorithm);
- } catch (JWTCreationException exception){
- //Invalid Signing configuration / Couldn't convert Claims.
- }
- }
- }
- - |
- import com.auth0.jwt.algorithms.Algorithm;
- public class App
- {
- static String secret = "secret";
- public void bad2() {
- try {
- Algorithm algorithm = Algorithm.HMAC256(secret);
- String token = JWT.create()
- .withIssuer("auth0")
- .sign(algorithm);
- } catch (JWTCreationException exception){
- }
- }
\ No newline at end of file
diff --git a/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml b/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml
deleted file mode 100644
index e4684c5d..00000000
--- a/tests/java/jedis-jedisclientconfig-hardcoded-password-java-test.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-id: jedis-jedisclientconfig-hardcoded-password-java
-valid:
- - |
- import redis.clients.jedis.JedisClientConfig;
- import redis.clients.jedis.DefaultJedisClientConfig;
- public class JedisTest {
- void run() {
- new DefaultJedisClientConfig(connectionTimeoutMillis, socketTimeoutMillis,
- blockingSocketTimeoutMillis, user, identifier, database, clientName, ssl, sslSocketFactory,
- sslParameters, hostnameVerifier, hostAndPortMapper);
- }
- }
-invalid:
- - |
- import redis.clients.jedis.JedisClientConfig;
- import redis.clients.jedis.DefaultJedisClientConfig;
- public class JedisTest {
- void run() {
- new DefaultJedisClientConfig(connectionTimeoutMillis, socketTimeoutMillis,
- blockingSocketTimeoutMillis, user, "identifier", database, clientName, ssl, sslSocketFactory,
- sslParameters, hostnameVerifier, hostAndPortMapper);
- }
- }
- - |
- import redis.clients.jedis.JedisClientConfig;
- import redis.clients.jedis.DefaultJedisClientConfig;
- public class JedisTest {
- void run() {
- JedisClientConfig cc = DefaultJedisClientConfig.builder()
- .password("asdf")
- .ssl(useSsl)
- .build();
- }
- }
- - |
- import redis.clients.jedis.JedisClientConfig;
- import redis.clients.jedis.DefaultJedisClientConfig;
- public class JedisTest {
- void run() {
- JedisClientConfig cc = DefaultJedisClientConfig.builder()
- .password("asdf")
- .ssl(useSsl)
- .build();
- cc.updatePassword("hello");
- }
- }
- - |
- import redis.clients.jedis.JedisClientConfig;
- import redis.clients.jedis.DefaultJedisClientConfig;
- public class JedisTest {
- void run() {
- DefaultJedisClientConfig.Builder builder = DefaultJedisClientConfig.builder();
- builder.password("asdf");
- }
- }
\ No newline at end of file
diff --git a/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml b/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml
deleted file mode 100644
index 9ebdc80f..00000000
--- a/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: jedis-jedisfactory-hardcoded-password-java
-valid:
- - |
- public void notHardcoded(String password) {
- JedisFactory jedisFactory = new JedisFactory();
- jedisFactory.setHostName(hostName);
- jedisFactory.setPort(port);
- jedisFactory.setPassword(password);
- }
-invalid:
- - |
- import redis.clients.jedis.JedisFactory;
- public void notHardcoded(String password) {
- JedisFactory jedisFactory = new JedisFactory();
- jedisFactory.setHostName(hostName);
- jedisFactory.setPort(port);
- jedisFactory.setPassword("password");
- }
diff --git a/tests/java/missing-httponly-java-test.yml b/tests/java/missing-httponly-java-test.yml
deleted file mode 100644
index c8839bd2..00000000
--- a/tests/java/missing-httponly-java-test.yml
+++ /dev/null
@@ -1,90 +0,0 @@ -id: missing-httponly-java -valid: - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - SimpleCookie s = new SimpleCookie("foo", "bar").httpOnly(); - } - } -invalid: - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - SimpleCookie s = new SimpleCookie("foo", "bar"); - } - } - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie cookie = request.getCookies() - .findCookie( "foobar" ) - .orElse( new NettyCookie( "foo", "bar" ) ); - } - } - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie z = new NettyCookie("foo", "bar"); - } - } - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - 
import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - } - } diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 2aa44fee..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -id: missing-secure-java -valid: - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - SimpleCookie s = new SimpleCookie("foo", "bar").secure(); - } - } -invalid: - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - SimpleCookie s = new SimpleCookie("foo", "bar"); - } - } - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie cookie = request.getCookies() - .findCookie( "foobar" ) - .orElse( new NettyCookie( "foo", "bar" ) ); - } - } - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - Cookie z = new NettyCookie("foo", "bar"); - } - } - - | - package com.example; - - import io.micronaut.http.*; - import io.micronaut.http.cookie.Cookie; - 
import io.micronaut.http.netty.cookies.NettyCookie; - import io.micronaut.http.simple.cookies.SimpleCookie; - import java.io.*; - - @Controller("/hello") - public class HelloController { - - @Post("/test1") - public MutableHttpMessage postTest1() throws FileNotFoundException { - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - } - } diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml deleted file mode 100644 index ef38e9f6..00000000 --- a/tests/java/no-null-cipher-java-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: no-null-cipher-java -valid: - - | - Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -invalid: - - | - Cipher doNothingCihper = new NullCipher(); - new javax.crypto.NullCipher(); diff --git a/tests/java/passwordauthentication-hardcoded-password-java-test.yml b/tests/java/passwordauthentication-hardcoded-password-java-test.yml deleted file mode 100644 index f7ab8806..00000000 --- a/tests/java/passwordauthentication-hardcoded-password-java-test.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -id: passwordauthentication-hardcoded-password-java -valid: - - | - import java.net.http.HttpRequest; - import java.net.PasswordAuthentication; - public class UhOh { - public void run(){ - String b64token = "d293ZWU6d2Fob28="; - String basictoken = "Basic d293ZWU6d2Fob28=" - - var authClient = HttpClient - .newBuilder() - .authenticator(new Authenticator() { - @Override - protected PasswordAuthentication getPasswordAuthentication() { - - new PasswordAuthentication("postman", "password"); - } - }) - .build(); - } - } -invalid: - - | - import java.net.http.HttpRequest; - import java.net.PasswordAuthentication; - public class UhOh { - public void run(){ - String b64token = "d293ZWU6d2Fob28="; - String basictoken = "Basic d293ZWU6d2Fob28=" - - var authClient = HttpClient - .newBuilder() - .authenticator(new Authenticator() { - @Override - protected PasswordAuthentication getPasswordAuthentication() { - char[] asdf = "password".toCharArray() - new PasswordAuthentication("postman", asdf); - }) - .build(); - } - } - - | - import java.net.http.HttpRequest; - import java.net.PasswordAuthentication; - public class UhOh { - public void run(){ - String b64token = "d293ZWU6d2Fob28="; - String basictoken = "Basic d293ZWU6d2Fob28=" - - var authClient = HttpClient - .newBuilder() - .authenticator(new Authenticator() { - @Override - protected PasswordAuthentication getPasswordAuthentication() { - new PasswordAuthentication("postman", "password".toCharArray()); - }) - .build(); - } - } \ No newline at end of file diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml deleted file mode 100644 index 363baedf..00000000 --- a/tests/java/rsa-no-padding-java-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: rsa-no-padding-java -valid: - - | - Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); -invalid: - - | - Cipher.getInstance("RSA/None/NoPadding"); - - | - Cipher.getInstance("RSA/NONE/NoPadding"); 
diff --git a/tests/java/simple-command-injection-direct-input-java-test.yml b/tests/java/simple-command-injection-direct-input-java-test.yml deleted file mode 100644 index cba713e4..00000000 --- a/tests/java/simple-command-injection-direct-input-java-test.yml +++ /dev/null @@ -1,59 +0,0 @@ -id: simple-command-injection-direct-input-java -valid: - - | - @GetMapping("/run/{command}") - public ResponseEntity run1( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - String foo = command + "something something..."; - Runtime.getRuntime().exec(foo); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - return response; - } - - | - @GetMapping("/run/{command}") - public ResponseEntity ok( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec("/bin/ls"); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } -invalid: - - | - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable() final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - - | - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml deleted file mode 100644 index 6c0f416b..00000000 
--- a/tests/java/system-setproperty-hardcoded-secret-java-test.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: system-setproperty-hardcoded-secret-java
-valid:
- - |
- System.setProperty("javax.net.ssl.keyStorePassword", password);
-invalid:
- - |
- System.setProperty("javax.net.ssl.keyStorePassword", "password");
- - |
- System.setProperty("javax.net.ssl.trustStorePassword", "password");
\ No newline at end of file
diff --git a/tests/java/unencrypted-socket-java-test.yml b/tests/java/unencrypted-socket-java-test.yml
deleted file mode 100644
index d023debf..00000000
--- a/tests/java/unencrypted-socket-java-test.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: unencrypted-socket-java
-valid:
- - |
- Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
- - |
- ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234);
-invalid:
- - |
- Socket soc = new Socket("www.google.com", 80);
- - |
- Socket soc1 = new Socket("www.google.com", 80, true);
- - |
- Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
- - |
- Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
- - |
- ServerSocket ssoc = new ServerSocket(1234);
- - |
- ServerSocket ssoc1 = new ServerSocket();
- - |
- ServerSocket ssoc2 = new ServerSocket(1234, 10);
- - |
- ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
diff --git a/tests/java/use-of-aes-ecb-java-test.yml b/tests/java/use-of-aes-ecb-java-test.yml
deleted file mode 100644
index 45419061..00000000
--- a/tests/java/use-of-aes-ecb-java-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: use-of-aes-ecb-java
-valid:
- - |
- Cipher.getInstance("AES/CBC/PKCS7PADDING")
-invalid:
- - |
- Cipher.getInstance("AES/ECB/NoPadding")
- - |
- Cipher.getInstance("AES/ECB/PKCS5Padding")
- - |
- Cipher.getInstance("AES/ECB/ISO10126Padding")
- - |
- Cipher.getInstance("AES/ECB/PKCS7Padding")
- - |
- Cipher.getInstance("AES/ECB")
diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml
deleted file mode 100644
index b30073d6..00000000
--- a/tests/java/use-of-blowfish-java-test.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-id: use-of-blowfish-java
-valid:
- - |
- crypto.Cipher.getInstance("AES");
-invalid:
- - |
- public void useofBlowfish2() {
- useCipher(Cipher.getInstance("Blowfish"));
- }
- - |
- public void useofBlowfish2() {
- Cipher.getInstance("Blowfish");
- }
\ No newline at end of file
diff --git a/tests/java/use-of-default-aes-java-test.yml b/tests/java/use-of-default-aes-java-test.yml
deleted file mode 100644
index 10e4909f..00000000
--- a/tests/java/use-of-default-aes-java-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: use-of-default-aes-java
-valid:
- - |
- crypto.Cipher.getInstance("AES");
-invalid:
- - |
- import javax.*;
- {
- crypto.Cipher.getInstance("AES");
- }
- - |
- import javax.crypto.*;
- {
- useCipher(Cipher.getInstance("AES"));
- }
\ No newline at end of file
diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml
deleted file mode 100644
index f6bc228d..00000000
--- a/tests/java/use-of-md5-digest-utils-java-test.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: use-of-md5-digest-utils-java
-valid:
- - |
- MessageDigest md5Digest = MessageDigest.getInstance("MD5");
- - |
- byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes());
-invalid:
- - |
- byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml
deleted file mode 100644
index f7c46817..00000000
--- a/tests/java/use-of-md5-java-test.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -id: use-of-md5-java -valid: - - | - import java.security.MessageDigest; - - public class Bad{ - public byte[] bad1(String password) { - MessageDigest md5Digest = MessageDigest.getInstance("SHA1"); - } - } - -invalid: - - | - import java.security.MessageDigest; - - public class Bad{ - public byte[] bad1(String password) { - MessageDigest md5Digest = MessageDigest.getInstance("MD5"); - } - } diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml deleted file mode 100644 index 7b084ff7..00000000 --- a/tests/java/use-of-rc2-java-test.yml +++ /dev/null @@ -1,39 +0,0 @@ -id: use-of-rc2-java -valid: - - | - Cipher.getInstance("AES/CBC/PKCS7PADDING"); -invalid: - - | - useCipher(Cipher.getInstance("RC2")); - Cipher.getInstance("RC2"); - - | - public void testRC2InSwitch() { - String algorithm = "RC2"; - switch (algorithm) { - case "RC2": - try { - Cipher.getInstance(algorithm); - } catch (Exception e) { - e.printStackTrace(); - } - break; - } - } - - | - public void testRC2InMap() { - Map cipherMap = new HashMap<>(); - cipherMap.put("RC2", Cipher.getInstance("RC2")); - } - - | - public void testRC2InSwitch() { - String algorithm = "RC2"; - switch (algorithm) { - case "RC2": - try { - Cipher.getInstance(algorithm); - } catch (Exception e) { - e.printStackTrace(); - } - break; - } - } \ No newline at end of file diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml deleted file mode 100644 index a82db3b3..00000000 --- a/tests/java/use-of-rc4-java-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: use-of-rc4-java -valid: - - | - Cipher.getInstance("AES/CBC/PKCS7PADDING"); -invalid: - - | - Cipher.getInstance("RC4"); - - | - useCipher(Cipher.getInstance("RC4")); diff --git a/tests/java/use-of-sha1-java-test.yml b/tests/java/use-of-sha1-java-test.yml deleted file mode 100644 index 0120d110..00000000 --- a/tests/java/use-of-sha1-java-test.yml +++ /dev/null 
@@ -1,22 +0,0 @@
-id: use-of-sha1-java
-valid:
- - |
- Cipher.getInstance("AES/GCM/NoPadding");
-invalid:
- - |
- public byte[] bad2(String password) {
- byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes());
- return hashValue;
- }
- - |
- public void bad3() {
- java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
- }
- - |
- import java.security.MessageDigest;
- public byte[] bad1(String password) {
- MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1");
- sha1Digest.update(password.getBytes());
- byte[] hashValue = sha1Digest.digest();
- return hashValue;
- }
\ No newline at end of file
diff --git a/tests/java/weak-ssl-context-java-test.yml b/tests/java/weak-ssl-context-java-test.yml
deleted file mode 100644
index 66505656..00000000
--- a/tests/java/weak-ssl-context-java-test.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: weak-ssl-context-java
-valid:
- - |
- SSLContext ctx = SSLContext.getInstance("TLSv1.2");
- - |
- SSLContext ctx = SSLContext.getInstance("TLSv1.3");
- - |
- SSLContext ctx = SSLContext.getInstance(getSslContext());
-invalid:
- - |
- SSLContext ctx = SSLContext.getInstance("SSL");
- - |
- SSLContext ctx = SSLContext.getInstance("TLS");
- - |
- SSLContext ctx = SSLContext.getInstance("TLSv1");
- - |
- SSLContext ctx = SSLContext.getInstance("SSLv3");
- - |
- SSLContext ctx = SSLContext.getInstance("TLSv1.1");
diff --git a/tests/javascript/detect-angular-sce-disabled-javascript-test.yml b/tests/javascript/detect-angular-sce-disabled-javascript-test.yml
deleted file mode 100644
index 02b587b4..00000000
--- a/tests/javascript/detect-angular-sce-disabled-javascript-test.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-id: detect-angular-sce-disabled-javascript
-valid:
- - |
- $sceProvider.enabled(true);
-invalid:
- - |
- $sceProvider.enabled(false);
diff --git a/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml b/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml
deleted file mode 100644
index 122ab423..00000000
--- a/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-id: express-jwt-hardcoded-secret-javascript
-valid:
- - |
- app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
-invalid:
- - |
- var jwt = require('express-jwt');
- app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- - |
- import express from 'express';
- import jwt from 'express-jwt';
- let hardcodedSecret1 = 'super-secret-key';
- app.get('/protected2', jwt({ secret: hardcodedSecret1 }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- - |
- import express from 'express';
- import jwt from 'express-jwt';
- const secret3 = 'static-secret';
- app.get('/protected4', jwt({ secret: secret3, issuer: 'http://issuer' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- - |
- import express from 'express';
- import jwt from 'express-jwt';
- app.get('/protected1', jwt({ secret: 'super-secret-key' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- - |
- import { expressJwt } from 'express-jwt';
- const secret4 = 'jwt-hardcoded-secret';
- app.get('/protected7', expressJwt({ secret: secret4 }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
diff --git a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml
deleted file mode 100644
index b5059282..00000000
--- a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-id: express-session-hardcoded-secret-javascript
-valid:
- - |
- let config1 = {
- secret: config.secret,
- resave: false,
- saveUninitialized: false,
- }
-invalid:
- - |
- import * as session from 'express-session'
- let config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- - |
- import * as session from 'express-session'
- let a = 'a'
- app.use(session({
- secret: a,
- resave: false,
- saveUninitialized: false,
- }));
- - |
- import * as session from 'express-session'
- let secret2 = {
- resave: false,
- secret: 'foo',
- saveUninitialized: false,
- }
\ No newline at end of file
diff --git a/tests/javascript/jwt-simple-noverify-javascript-test.yml b/tests/javascript/jwt-simple-noverify-javascript-test.yml
deleted file mode 100644
index 071bf0fb..00000000
--- a/tests/javascript/jwt-simple-noverify-javascript-test.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -id: jwt-simple-noverify-javascript -valid: - - | - const jwt = require('jwt-simple'); - app.get('/protectedRoute4', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - const decoded = jwt.decode(token, secretKey); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); - - | - const jwt = require('jwt-simple'); - app.get('/protectedRoute5', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - const decoded = jwt.decode(token, secretKey, false); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); -invalid: - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute1', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - const decoded = jwt.decode(token, secretKey, 'HS256', 12); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute2', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - const decoded = jwt.decode(token, secretKey, true); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' 
}); - } - }); - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute3', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - const decoded = jwt.decode(token, secretKey, 'false'); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); diff --git a/tests/javascript/node-rsa-weak-key-javascript-test.yml b/tests/javascript/node-rsa-weak-key-javascript-test.yml deleted file mode 100644 index 35f3257f..00000000 --- a/tests/javascript/node-rsa-weak-key-javascript-test.yml +++ /dev/null @@ -1,24 +0,0 @@ -id: node-rsa-weak-key-javascript -valid: - - | - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - modulusLength: 2048, - }); -invalid: - - | - const crypto = require("crypto"); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - - | - const NodeRSA = require('node-rsa'); - const key = new NodeRSA({b: 204}); - - | - const NodeRSA = require('node-rsa'); - const key = new NodeRSA({b: 512}); - - | - const crypto = require("crypto"); - const keypair2 = await util.promisify(crypto.generateKeyPair)("rsa", { - modulusLength: 512, - }); diff --git a/tests/javascript/node-sequelize-empty-password-argument-javascript-test.yml b/tests/javascript/node-sequelize-empty-password-argument-javascript-test.yml deleted file mode 100644 index b0a0e79f..00000000 --- a/tests/javascript/node-sequelize-empty-password-argument-javascript-test.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: node-sequelize-empty-password-argument-javascript -valid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize({ - database: 'pinche', - username: 'root', - password: '123456789', - dialect: 'mysql' - }); -invalid: - - | - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - - | - const Sequelize = require('sequelize'); - const passwordFromEnv = ''; - const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); - - | - const Sequelize = require('sequelize'); - const passwordDynamic = ''; - const sequelize2 = new Sequelize('database', 'username', passwordDynamic, { - host: 'localhost', - port: 5432, - dialect: 'postgres' - }); diff --git a/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml b/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml deleted file mode 100644 index a6f15374..00000000 --- a/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml +++ /dev/null @@ -1,21 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-javascript -valid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize({ - database: 'pinche', - username: 'root', - password: '123456789', - dialect: 'mysql' - }) -invalid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - - | - const Sequelize = require('sequelize'); - const sequelize8 = new Sequelize('database', 'username', 'password', options); diff --git a/tests/kotlin/des-is-deprecated-kotlin-test.yml b/tests/kotlin/des-is-deprecated-kotlin-test.yml deleted file mode 100644 index 60949d48..00000000 
--- a/tests/kotlin/des-is-deprecated-kotlin-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: des-is-deprecated-kotlin -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher.getInstance("DES/ECB/PKCS5Padding"); diff --git a/tests/kotlin/desede-is-deprecated-kotlin-test.yml b/tests/kotlin/desede-is-deprecated-kotlin-test.yml deleted file mode 100644 index 3ad7841c..00000000 --- a/tests/kotlin/desede-is-deprecated-kotlin-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: desede-is-deprecated-kotlin -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher c = Cipher.getInstance("kDESede/ECB/PKCS5Padding"); - c.init(Cipher.ENCRYPT_MODE, k, iv); - - | - javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); diff --git a/tests/kotlin/jwt-hardcode-kotlin-test.yml b/tests/kotlin/jwt-hardcode-kotlin-test.yml deleted file mode 100644 index eb163b6e..00000000 --- a/tests/kotlin/jwt-hardcode-kotlin-test.yml +++ /dev/null @@ -1,23 +0,0 @@ -id: jwt-hardcode-kotlin -valid: - - | - System.setProperty("javax.net.ssl.trustStorePassword", config); - System.setProperty("javax.net.ssl.keyStorePassword", config); -invalid: - - | - package com.foobar.org.configuration - import com.auth0.jwt.JWT - import com.auth0.jwt.algorithms.Algorithm - import com.auth0.jwt.algorithms.Algorithm.HMAC512 - import com.auth0.jwt.exceptions.JWTCreationException - object App { - private fun bad1() { - try { - val algorithm = Algorithm.HMAC256("secret") - val token = JWT.create() - .withIssuer("auth0") - .sign(algorithm) - } - catch (exception: JWTCreationException) {} - } - } diff --git a/tests/kotlin/rsa-no-padding-kotlin-test.yml b/tests/kotlin/rsa-no-padding-kotlin-test.yml deleted file mode 100644 index b5a3fc1a..00000000 --- a/tests/kotlin/rsa-no-padding-kotlin-test.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: rsa-no-padding-kotlin -valid: - - | - Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); -invalid: - - | - Cipher.getInstance("RSA/None/NoPadding"); - - | - Cipher.getInstance("RSA/NONE/NoPadding"); diff --git a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml deleted file mode 100644 index d66da67a..00000000 --- a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: system-setproperty-hardcoded-secret-kotlin -valid: - - | - System.setProperty("javax.net.ssl.trustStorePassword", config); - System.setProperty("javax.net.ssl.keyStorePassword", config); -invalid: - - | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - System.setProperty("javax.net.ssl.trustStorePassword", "password"); diff --git a/tests/php/openssl-cbc-static-iv-php-test.yml b/tests/php/openssl-cbc-static-iv-php-test.yml deleted file mode 100644 index 1c2a0e5a..00000000 --- a/tests/php/openssl-cbc-static-iv-php-test.yml +++ /dev/null @@ -1,63 +0,0 @@ -id: openssl-cbc-static-iv-php -valid: - - | - "dhh", :password => not_a_string, :except => :index - puts "do more stuff" - end - - | - class OkController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => ads{'not_a_string'}, :except => :index - puts "do more stuff" - end -invalid: - - | - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - end \ No newline at end of file diff --git a/tests/ruby/hardcoded-secret-rsa-passphrase-ruby-test.yml b/tests/ruby/hardcoded-secret-rsa-passphrase-ruby-test.yml deleted file mode 100644 index 925582da..00000000 --- a/tests/ruby/hardcoded-secret-rsa-passphrase-ruby-test.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: hardcoded-secret-rsa-passphrase-ruby -valid: - - | - def ok1 - key_data = 'real-key-data' - key = OpenSSL::PKey::RSA.new(key_data, ENV['SECRET_PASSPHRASE']) - end - end - - | - def nested_ok1 - rsa_key = OpenSSL::PKey::RSA.new(4096) - pem = rsa_key.to_pem(OpenSSL::Cipher.new('AES-256-CBC'), ENV['SECURE_KEY']) - end - end -invalid: - - | - module Test - require 'openssl' - class Test - $pass = 'super secret' - def initialize(key = nil, iv = nil) - @pass1 = 'my secure pass phrase goes here' - @keypem = 'foo.pem' - OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret") - bad - bad1 - bad2 - bad3 - ok - end diff --git a/tests/ruby/insufficient-rsa-key-size-ruby-test.yml b/tests/ruby/insufficient-rsa-key-size-ruby-test.yml deleted file mode 100644 index 798e95a2..00000000 --- a/tests/ruby/insufficient-rsa-key-size-ruby-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: insufficient-rsa-key-size-ruby -valid: - - | - key = OpenSSL::PKey::RSA.new(2048) -invalid: - - | - key = OpenSSL::PKey::RSA.new(204) diff --git a/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml deleted file mode 100644 index bab7fa0c..00000000 --- a/tests/ruby/ruby-aws-sdk-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: ruby-aws-sdk-hardcoded-secret-ruby -valid: - - | - creds = Aws::Credentials.new('akid', secsec) -invalid: - - | - require 'aws-sdk-core' - Aws.config.update( - region: 'us-west-2', - credentials: Aws::Credentials.new('akid', 'secret') - ) - - | - require 'aws-sdk-core' - secsec = 'secret' - creds = Aws::Credentials.new('akid', secsec) - Aws.config.update(region: 'us-west-2', credentials: creds) \ No newline at end of file diff --git a/tests/ruby/ruby-cassandra-empty-password-ruby-test.yml b/tests/ruby/ruby-cassandra-empty-password-ruby-test.yml deleted file mode 100644 index 3261b17a..00000000 --- a/tests/ruby/ruby-cassandra-empty-password-ruby-test.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -id: ruby-cassandra-empty-password-ruby -valid: - - | - cluster = Cassandra.cluster(username: 'user',password: '') -invalid: - - | - require 'cassandra' - cluster = Cassandra.cluster(username: 'user',password: '') - - | - require 'cassandra' - password = '' - cluster = Cassandra.cluster(username: 'user',password: password) diff --git a/tests/ruby/ruby-cassandra-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-cassandra-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 6b68c674..00000000 --- a/tests/ruby/ruby-cassandra-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: ruby-cassandra-hardcoded-secret-ruby -valid: - - | - cluster = Cassandra.cluster(username: 'user',password: '') -invalid: - - | - require 'cassandra' - cluster = Cassandra.cluster( username: 'user',password: 'password') - - | - require 'cassandra' - password = 'password' - cluster = Cassandra.cluster( username: 'user',password: password) diff --git a/tests/ruby/ruby-excon-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-excon-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 014baff5..00000000 --- a/tests/ruby/ruby-excon-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: ruby-excon-hardcoded-secret-ruby -valid: - - | - cluster = Cassandra.cluster(username: 'user',password: '')pw2 = Excon::Utils.escape_uri('pa%%word') - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => pw2) -invalid: - - | - require 'excon' - pw = 'password' - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => pw) - - | - require 'excon' - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => Excon::Utils.escape_uri('pa%%word')) - - | - require 'excon' - connection = Excon.new('http://secure.geemus.com', :user => 'username', :password => 'pa%%word') 
diff --git a/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 26273b35..00000000 --- a/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: ruby-faraday-hardcoded-secret-ruby -valid: - - | - require "faraday" - f.request :authorization, 'Bearer', 'authentication-token', test - - | - require "faraday" - conn.request :basic_auth, 'username', 'password', test -invalid: - - | - require "faraday" - f.request :authorization, 'Bearer', 'authentication-token' - - | - require "faraday" - pw = 'password' - conn.request :authorization, :basic, 'username', pw - - | - require "faraday" - conn.request :token_auth, 'authentication-token', **options - - | - require "faraday" - conn.request :basic_auth, 'username', 'password' - - | - require "faraday" - pass = 'authentication-token' - f.request :authorization, 'Bearer', pass - - | - require "faraday" - pass = 'authentication-token' - conn.request :token_auth, pass, **options \ No newline at end of file diff --git a/tests/ruby/ruby-mongo-empty-password-ruby-test.yml b/tests/ruby/ruby-mongo-empty-password-ruby-test.yml deleted file mode 100644 index 0681bc67..00000000 --- a/tests/ruby/ruby-mongo-empty-password-ruby-test.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: ruby-mongo-empty-password-ruby -valid: - - | - secure_client = Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'secure-user', - password: ENV['MONGO_PASSWORD'], - database: 'securedb' - ) - - | - ecure_client_with_password = client3.with(password: ENV['SECURE_PASSWORD']) -invalid: - - | - require 'mongo' - module TestMongo - client1 = Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'user1', - password: '', - database: 'testdb1' - ) - - | - require 'mongo' - pw = '' - client2 = Mongo::Client.new( - [ '127.0.0.1:27017' ], - user: 'user2', - password: pw, - database: 'testdb2' - ) 
diff --git a/tests/ruby/ruby-mongo-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-mongo-hardcoded-secret-ruby-test.yml deleted file mode 100644 index fc7d32fe..00000000 --- a/tests/ruby/ruby-mongo-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,31 +0,0 @@ -id: ruby-mongo-hardcoded-secret-ruby -valid: - - | - require 'mongo' - client_env = Mongo::Client.new( - ['127.0.0.1:27017'], - user: 'admin', - password: ENV['MONGO_SECRET'], - database: 'production' - ) - - | - require 'mongo' - Mongo::Client.new( - ['127.0.0.1:27017'], - database: 'test_db' - ) -invalid: - - | - require 'mongo' - client_hardcoded = Mongo::Client.new( - ['127.0.0.1:27017'], - user: 'admin', - password: 'hardcoded-password', - database: 'production' - ) - - | - require 'mongo' - Mongo::Client.new( - ['127.0.0.1:27017'], - password: '123456' - ) diff --git a/tests/ruby/ruby-mysql2-empty-password-ruby-test.yml b/tests/ruby/ruby-mysql2-empty-password-ruby-test.yml deleted file mode 100644 index d4901df8..00000000 --- a/tests/ruby/ruby-mysql2-empty-password-ruby-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: ruby-mysql2-empty-password-ruby -valid: - - | - conn_ok1 = Mysql2::Client.new(host: "localhost", username: "root") - - | - conn_ok3 = Mysql2::Client.new(host: "localhost", username: "root", password: ENV['PASS']) -invalid: - - | - $LOAD_PATH.unshift 'lib' - require 'mysql2' - require 'timeout' - Mysql2::Client.new(host: "localhost", username: "root", password: "").query("SELECT sleep(#{overhead}) as result") - - | - $LOAD_PATH.unshift 'lib' - require 'mysql2' - require 'timeout' - pw = "" - conn1 = Mysql2::Client.new(host: "localhost", username: "root", password: pw) diff --git a/tests/ruby/ruby-mysql2-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-mysql2-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 2320b1e1..00000000 --- a/tests/ruby/ruby-mysql2-hardcoded-secret-ruby-test.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: ruby-mysql2-hardcoded-secret-ruby -valid: - - | - env_connection_hash = { - host: "localhost", - username: "root", - password: ENV['DB_PASS'] - } -invalid: - - | - $LOAD_PATH.unshift 'lib' - require 'mysql2' - require 'timeout' - - def connect_to_db - Mysql2::Client.new(host: "localhost", username: "root", password: "complex-hardcoded-password") - end - - | - require 'mysql2' - class DatabaseConnection - def self.connect - password = "class-hardcoded-password" - Mysql2::Client.new(host: "localhost", username: "admin", password: password) - end - end diff --git a/tests/ruby/ruby-octokit-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-octokit-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 7f899608..00000000 --- a/tests/ruby/ruby-octokit-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,25 +0,0 @@ -id: ruby-octokit-hardcoded-secret-ruby -valid: - - | - require 'octokit' - Octokit::Client.new(access_token: token, per_page: 100) -invalid: - - | - require 'octokit' - Octokit::Client.new(access_token: "", per_page: 100) - - | - require 'octokit' - client = Octokit::Client.new \ - :client_id => "", - :client_secret => "" - - | - require 'octokit' - client = Octokit::Client.new \ - :login => 'defunkt', - :password => 'c0d3b4ssssss!' - - | - require 'octokit' - client = Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!') - - | - require 'octokit' - client = Octokit::Client.new(:access_token => "") diff --git a/tests/ruby/ruby-pg-empty-password-ruby-test.yml b/tests/ruby/ruby-pg-empty-password-ruby-test.yml deleted file mode 100644 index 5ccb5465..00000000 --- a/tests/ruby/ruby-pg-empty-password-ruby-test.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -id: ruby-pg-empty-password-ruby -valid: - - | - con1 = PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => 'password', - :sslmode => 'prefer' - ) -invalid: - - | - con1 = PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => '', - :sslmode => 'prefer' - ) \ No newline at end of file diff --git a/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 55f14f1b..00000000 --- a/tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml +++ /dev/null @@ -1,21 +0,0 @@ -id: ruby-pg-hardcoded-secret-ruby -valid: - - | - require "pg" - con_ok4 = PG::Connection.connect_start( - dbname: 'test', - port: 5432, - user: 'user', - password: ENV['PASS'] - ) -invalid: - - | - require "pg" - PG.connect( - :dbname => 'database', - :host => 'host', - :port => 1234, - :user => 'user', - :password => 'password', - :sslmode => 'prefer' - ) \ No newline at end of file diff --git a/tests/ruby/ruby-redis-empty-password-ruby-test.yml b/tests/ruby/ruby-redis-empty-password-ruby-test.yml deleted file mode 100644 index b76402ae..00000000 --- a/tests/ruby/ruby-redis-empty-password-ruby-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: ruby-redis-empty-password-ruby -valid: - - | - redis_ok1 = Redis.new(username: 'myname', password: ENV["PASS"]) -invalid: - - | - require "redis" - redis = Redis.new(password: "") - - | - require "redis" - redis1 = Redis.new(username: 'myname', password: '') diff --git a/tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml deleted file mode 100644 index 2639a190..00000000 --- a/tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -id: ruby-redis-hardcoded-secret-ruby -valid: - - | - redis_ok1 = Redis.new(username: 'myname', password: ENV["PASS"]) -invalid: - - | - require "redis" - redis = Redis.new(password: "mysecret") - - | - require "redis" - redis1 = Redis.new(username: 'myname', password: 'mysecret') diff --git a/tests/rust/empty-password-rust-test.yml b/tests/rust/empty-password-rust-test.yml deleted file mode 100644 index 11c27ab3..00000000 --- a/tests/rust/empty-password-rust-test.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: empty-password-rust -valid: - - | - let conn = MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("password") - .database("db") - .connect().await?; - - use_connection(conn); - Ok(()) - } -invalid: - - | - use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - async fn test1() -> Result<(), sqlx::Error> { - let conn = MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("") - .database("db") - .connect().await?; - - use_connection(conn); - Ok(()) - } - - | - use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - async fn test3() -> Result<(), sqlx::Error> { - let pg = PgConnectOptions::new(); - let conn = pg.host("secret-host") - .port(2525) - .username("secret-user") - .password("") - .ssl_mode(PgSslMode::Require) - .connect() - .await?; - - use_connection(conn); - Ok(()) - } \ No newline at end of file diff --git a/tests/rust/hardcoded-password-rust-test.yml b/tests/rust/hardcoded-password-rust-test.yml deleted file mode 100644 index f639f33f..00000000 --- a/tests/rust/hardcoded-password-rust-test.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: hardcoded-password-rust -valid: - - | - let conn = MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("password") - .database("db") - .connect().await?; - - use_connection(conn); - Ok(()) - } -invalid: - - | - use sqlx::mysql::{MySqlConnectOptions, MySqlConnection, MySqlPool, MySqlSslMode}; - async fn test1() -> Result<(), sqlx::Error> { - let conn = MySqlConnectOptions::new() - .host("localhost") - .username("root") - .password("password") - .database("db") - .connect().await?; - - use_connection(conn); - Ok(()) - } - - | - use sqlx::postgres::{PgConnectOptions, PgConnection, PgPool, PgSslMode}; - async fn test3() -> Result<(), sqlx::Error> { - let pg = PgConnectOptions::new(); - let conn = pg.host("secret-host") - .port(2525) - .username("secret-user") - .password("secret-password") - .ssl_mode(PgSslMode::Require) - .connect() - .await?; - - use_connection(conn); - Ok(()) - } \ No newline at end of file diff --git a/tests/rust/postgres-empty-password-rust-test.yml b/tests/rust/postgres-empty-password-rust-test.yml deleted file mode 100644 index 247c5bf7..00000000 --- a/tests/rust/postgres-empty-password-rust-test.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -id: postgres-empty-password-rust -valid: - - | - async fn okTest2() { - let (client, connection) = postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("postgres") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - Ok(()) - } -invalid: - - | - fn test1() { - let mut config = postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - - | - fn test1() { - let mut config = postgres::Config::new(); - as = ""; - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password(as) - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - - | - async fn test2() -> Result<(), anyhow::Error> { - asa = ""; - let (client, connection) = postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password(asa) - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - Ok(()) - } - - | - fn test1() { - let mut config = postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } \ No newline at end of file diff --git a/tests/rust/reqwest-accept-invalid-rust-test.yml b/tests/rust/reqwest-accept-invalid-rust-test.yml deleted file mode 100644 index f31bbc35..00000000 
--- a/tests/rust/reqwest-accept-invalid-rust-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: reqwest-accept-invalid-rust -valid: - - | - reqwest::Client::builder().user_agent("USER AGENT") -invalid: - - | - reqwest::Client::builder().danger_accept_invalid_hostnames(true) - - | - reqwest::Client::builder().danger_accept_invalid_certs(true) - - | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - - | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) \ No newline at end of file diff --git a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml b/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml deleted file mode 100644 index df5952cd..00000000 --- a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml +++ /dev/null @@ -1,36 +0,0 @@ -id: secrets-reqwest-hardcoded-auth-rust -valid: - - | - use reqwest::Client; - async fn test1() -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some(hardcoded-password)) - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } -invalid: - - | - use reqwest::Client; - async fn test1() -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } - - | - use reqwest::Client; - async fn test2() -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.put("http://httpbin.org/delete") - .bearer_auth("hardcoded-token") - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } \ No newline at end of file diff --git a/tests/rust/ssl-verify-none-rust-test.yml b/tests/rust/ssl-verify-none-rust-test.yml deleted file mode 100644 index a5b12049..00000000 
--- a/tests/rust/ssl-verify-none-rust-test.yml +++ /dev/null @@ -1,22 +0,0 @@ -id: ssl-verify-none-rust -valid: - - | - use openssl::ssl::SSL_VERIFY_NONE; - connector.builder_mut().set_verify(SSL_VERIFY_PEER); -invalid: - - | - use openssl; - connector.builder_mut().set_verify(openssl::ssl::SSL_VERIFY_NONE); - - | - use openssl::ssl; - connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE); - - | - use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - connector.builder_mut().set_verify(SSL_VERIFY_NONE); - - | - use openssl::ssl::{ - SslMethod, - SslConnectorBuilder, - SSL_VERIFY_NONE - }; - connector.builder_mut().set_verify(SSL_VERIFY_NONE); diff --git a/tests/rust/tokio-postgres-empty-password-rust-test.yml b/tests/rust/tokio-postgres-empty-password-rust-test.yml deleted file mode 100644 index 2b85b2c4..00000000 --- a/tests/rust/tokio-postgres-empty-password-rust-test.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: tokio-postgres-empty-password-rust -valid: - - | - async fn okTest2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("postgres") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - - Ok(()) - } - -invalid: - - | - async fn okTest2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - - Ok(()) - } \ No newline at end of file diff --git a/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml b/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml deleted file mode 100644 index 895e52e4..00000000 --- a/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: tokio-postgres-hardcoded-password-rust -valid: - - | - async fn okTest2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - - Ok(()) - } - -invalid: - - | - async fn okTest2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("myPassword") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - - Ok(()) - } \ No newline at end of file diff --git a/tests/scala/jwt-scala-hardcode-scala-test.yml b/tests/scala/jwt-scala-hardcode-scala-test.yml deleted file mode 100644 index dd57e368..00000000 --- a/tests/scala/jwt-scala-hardcode-scala-test.yml +++ /dev/null 
@@ -1,93 +0,0 @@
-id: jwt-scala-hardcode-scala
-valid:
- - |
- class Test7 {
- val secretKey = "secretKey"
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo))
- println(decoded)
- }
- }
-invalid:
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- object Test1 {
- val secretKey = "secretKey"
- def run() = {
- val claim = Json.obj(("user", 1), ("nbf", 1431520421))
- val algo = JwtAlgorithm.HS256
- val token = JwtJson.encode(claim, secretKey, algo)
- println(token)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- object Test2 {
- val secretKey = "secretKey"
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo))
- println(decoded)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- object Test3 {
- val secretKey = "secretKey"
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decodedJson = JwtJson.decodeJson(token, secretKey, Seq(algo))
- println(decodedJson)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- object Test5 {
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decodedAll = JwtJson.decodeAll(token, "secretKey", Seq(algo))
- println(decodedAll)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- class Test6 {
- val secretKey = "secretKey"
- def run() = {
- val claim = Json.obj(("user", 1), ("nbf", 1431520421))
- val algo = JwtAlgorithm.HS256
- val token = JwtJson.encode(claim, secretKey, algo)
- println(token)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- class Test7 {
- val secretKey = "secretKey"
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decoded = JwtJson.decodeJson(token, secretKey, Seq(algo))
- println(decoded)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- class Test9 {
- val secretKey = "secretKey"
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decodedRaw = JwtJson.decodeRaw(token, secretKey, Seq(algo))
- println(decodedRaw)
- }
- }
- - |
- import pdi.jwt.{JwtJson, JwtAlgorithm, JwtArgonaut}
- object Test15 {
- val secretKey = "secretKey"
- def run(token: String) = {
- val algo = JwtAlgorithm.HS256
- val decodedAll = JwtJson.decodeAll(token, this.secretKey, Seq(algo))
- println(decodedAll)
- }
- }
diff --git a/tests/scala/scala-jwt-hardcoded-secret-scala-test.yml b/tests/scala/scala-jwt-hardcoded-secret-scala-test.yml
deleted file mode 100644
index 4449ce80..00000000
--- a/tests/scala/scala-jwt-hardcoded-secret-scala-test.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-id: scala-jwt-hardcoded-secret-scala
-valid:
- - |
-invalid:
- - |
- import com.auth0.jwt.algorithms.Algorithm
- class App {
- def bad1(): Unit = {
- try {
- val algorithm = Algorithm.HMAC256("secret")
- val token = JWT.create()
- .withIssuer("auth0")
- .sign(algorithm)
- } catch {
- case exception: JWTCreationException =>
- println(s"Error creating JWT: ${exception.getMessage}")
- }
- }
- }
- - |
- import com.auth0.jwt.algorithms.Algorithm
- class SessionService {
- def createSessionToken(userId: String): String = {
- try {
- val algorithm = Algorithm.HMAC512("secretKey")
- val token = JWT.create()
- .withIssuer("auth0")
- .withClaim("userId", userId)
- .sign(algorithm)
- token
- } catch {
- case e: JWTCreationException =>
- ""
- }
- }
- }
- - |
- import com.auth0.jwt.algorithms.Algorithm
- class AuthService {
- def createAuthToken(username: String): String = {
- try {
- val algorithm = Algorithm.HMAC384("secretKey")
- val token = JWT.create()
- .withIssuer("auth0")
- .withClaim("username", username)
- .sign(algorithm)
- token
- } catch {
- case e: JWTCreationException =>
- }
- }
- }
diff --git a/tests/swift/aes-hardcoded-secret-swift-test.yml b/tests/swift/aes-hardcoded-secret-swift-test.yml
deleted file mode 100644
index aa9f359e..00000000
--- a/tests/swift/aes-hardcoded-secret-swift-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: aes-hardcoded-secret-swift
-valid:
- - |
- try AES(key: password, iv: "123")
-invalid:
- - |
- try AES(key: "hello", iv: "123")
- - |
- AES(key: "hello", iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- try AES(key: password, iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- AES(key: password, iv: "123")
diff --git a/tests/swift/blowfish-hardcoded-secret-swift-test.yml b/tests/swift/blowfish-hardcoded-secret-swift-test.yml
deleted file mode 100644
index 4f5dcfb4..00000000
--- a/tests/swift/blowfish-hardcoded-secret-swift-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: blowfish-hardcoded-secret-swift
-valid:
- - |
- try Blowfish(key: password, iv: "123")
-invalid:
- - |
- try Blowfish(key: "hello", iv: "123")
- - |
- Blowfish(key: "hello", iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- try Blowfish(key: password, iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- Blowfish(key: password, iv: "123")
\ No newline at end of file
diff --git a/tests/swift/chacha20-hardcoded-secret-swift-test.yml b/tests/swift/chacha20-hardcoded-secret-swift-test.yml
deleted file mode 100644
index 62ce7b25..00000000
--- a/tests/swift/chacha20-hardcoded-secret-swift-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: chacha20-hardcoded-secret-swift
-valid:
- - |
- try ChaCha20(key: password, iv: "123")
-invalid:
- - |
- try ChaCha20(key: "hello", iv: "123")
- - |
- ChaCha20(key: "hello", iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- try ChaCha20(key: password, iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- ChaCha20(key: password, iv: "123")
\ No newline at end of file
diff --git a/tests/swift/insecure-biometrics-swift-test.yml b/tests/swift/insecure-biometrics-swift-test.yml
deleted file mode 100644
index 3c6d2c1c..00000000
--- a/tests/swift/insecure-biometrics-swift-test.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-id: insecure-biometrics-swift
-valid:
- - |
- abc.anyFunc()
-invalid:
- - |
- abc.evaluatePolicy()
\ No newline at end of file
diff --git a/tests/swift/rabbit-hardcoded-secret-swift-test.yml b/tests/swift/rabbit-hardcoded-secret-swift-test.yml
deleted file mode 100644
index 9f1bad27..00000000
--- a/tests/swift/rabbit-hardcoded-secret-swift-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: rabbit-hardcoded-secret-swift
-valid:
- - |
- try Rabbit(key: password, iv: "123")
-invalid:
- - |
- try Rabbit(key: "hello", iv: "123")
- - |
- Rabbit(key: "hello", iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- try Rabbit(key: password, iv: "123")
- - |
- let password: Array = Array("s33krit".utf8)
- Rabbit(key: password, iv: "123")
\ No newline at end of file
diff --git a/tests/typescript/detect-angular-sce-disabled-typescript.yml b/tests/typescript/detect-angular-sce-disabled-typescript.yml
deleted file mode 100644
index fdf91998..00000000
--- a/tests/typescript/detect-angular-sce-disabled-typescript.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-id: detect-angular-sce-disabled-typescript
-valid:
- - |
- $sceProvider.enabled(true);
-invalid:
- - |
- $sceProvider.enabled(false);
- - |
- $sceProvider.enabled(false).someFunction(true).anything("anything");
- - |
- $sceProvider.enabled(false)(false);
\ No newline at end of file
diff --git a/tests/typescript/express-session-hardcoded-secret-typescript-test.yml b/tests/typescript/express-session-hardcoded-secret-typescript-test.yml
deleted file mode 100644
index b6eb4d8f..00000000
--- a/tests/typescript/express-session-hardcoded-secret-typescript-test.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-id: express-session-hardcoded-secret-typescript
-valid:
- - |
- import express from 'express'
- import session from 'express-session'
- let secret2 = {
- resave: false,
- secret: config.secret,
- saveUninitialized: false,
- }
- app.use(session(secret2));
-invalid:
- - |
- import express from 'express'
- import session from 'express-session'
- let secret2 = {
- resave: false,
- secret: 'foo',
- saveUninitialized: false,
- }
- app.use(session(secret2));
diff --git a/tests/typescript/jwt-simple-noverify-typecript-test.yml b/tests/typescript/jwt-simple-noverify-typecript-test.yml
deleted file mode 100644
index cd28a149..00000000
--- a/tests/typescript/jwt-simple-noverify-typecript-test.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-id: jwt-simple-noverify-typescript
-valid:
- - |
- const jwt = require('jwt-simple');
- app.get('/protectedRoute4', (req, res) => {
- const token = req.headers.authorization;
-
- if (!token) {
- return res.status(401).json({ error: 'Unauthorized. Token missing.' });
- }
-
- try {
- const decoded = jwt.decode(token, secretKey);
- res.json({ message: `Hello ${decoded.username}` });
- } catch (error) {
- res.status(401).json({ error: 'Unauthorized. Invalid token.' });
- }
- });
- - |
- const jwt = require('jwt-simple');
- app.get('/protectedRoute5', (req, res) => {
- const token = req.headers.authorization;
-
- if (!token) {
- return res.status(401).json({ error: 'Unauthorized. Token missing.' });
- }
-
- try {
- const decoded = jwt.decode(token, secretKey, false);
- res.json({ message: `Hello ${decoded.username}` });
- } catch (error) {
- res.status(401).json({ error: 'Unauthorized. Invalid token.' });
- }
- });
-invalid:
- - |
- const jwt = require('jwt-simple');
-
- app.get('/protectedRoute1', (req, res) => {
- const token = req.headers.authorization;
-
- if (!token) {
- return res.status(401).json({ error: 'Unauthorized. Token missing.' });
- }
-
- try {
- const decoded = jwt.decode(token, secretKey, 'HS256', 12);
- res.json({ message: `Hello ${decoded.username}` });
- } catch (error) {
- res.status(401).json({ error: 'Unauthorized. Invalid token.' });
- }
- });
- - |
- const jwt = require('jwt-simple');
-
- app.get('/protectedRoute2', (req, res) => {
- const token = req.headers.authorization;
-
- if (!token) {
- return res.status(401).json({ error: 'Unauthorized. Token missing.' });
- }
-
- try {
- const decoded = jwt.decode(token, secretKey, true);
- res.json({ message: `Hello ${decoded.username}` });
- } catch (error) {
- res.status(401).json({ error: 'Unauthorized. Invalid token.' });
- }
- });
- - |
- const jwt = require('jwt-simple');
-
- app.get('/protectedRoute3', (req, res) => {
- const token = req.headers.authorization;
-
- if (!token) {
- return res.status(401).json({ error: 'Unauthorized. Token missing.' });
- }
-
- try {
- const decoded = jwt.decode(token, secretKey, 'false');
- res.json({ message: `Hello ${decoded.username}` });
- } catch (error) {
- res.status(401).json({ error: 'Unauthorized. Invalid token.' });
- }
- });
diff --git a/tests/typescript/node-rsa-weak-key-typescript-test.yml b/tests/typescript/node-rsa-weak-key-typescript-test.yml
deleted file mode 100644
index 45850840..00000000
--- a/tests/typescript/node-rsa-weak-key-typescript-test.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: node-rsa-weak-key-typescript
-valid:
- - |
- const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
- modulusLength: 2048,
- });
-invalid:
- - |
- const crypto = require("crypto");
- const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
- a: 123,
- modulusLength: 512,
- });
- - |
- const NodeRSA = require('node-rsa');
- const key = new NodeRSA({b: 204});
- - |
- const NodeRSA = require('node-rsa');
- const key = new NodeRSA({b: 512});
- - |
- const crypto = require("crypto");
- const keypair2 = await util.promisify(crypto.generateKeyPair)("rsa", {
- modulusLength: 512,
- });
diff --git a/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml b/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml
deleted file mode 100644
index 60d266fc..00000000
--- a/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-id: node-sequelize-empty-password-argument-typescript
-valid:
- - |
- const Sequelize = require('sequelize');
- const sequelize = new Sequelize({
- database: 'pinche',
- username: 'root',
- password: '123456789',
- dialect: 'mysql'
- });
-invalid:
- - |
- const Sequelize = require('sequelize');
- const sequelize1 = new Sequelize('database', 'username', '', {
- host: 'localhost',
- port: '5433',
- dialect: 'postgres'
- })
- - |
- const Sequelize = require('sequelize');
- const passwordFromEnv = '';
- const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, {
- host: 'localhost',
- port: 5432,
- dialect: 'postgres'
- });
- - |
- const Sequelize = require('sequelize');
- const passwordDynamic = '';
- const sequelize2 = new Sequelize('database', 'username', passwordDynamic, {
- host: 'localhost',
- port: 5432,
- dialect: 'postgres'
- });
diff --git a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml b/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
deleted file mode 100644
index 2871d52d..00000000
--- a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: node-sequelize-hardcoded-secret-argument-typescript
-valid:
- - |
- const Sequelize = require('sequelize');
- const sequelize = new Sequelize({
- database: 'pinche',
- username: 'root',
- password: '123456789',
- dialect: 'mysql'
- })
-invalid:
- - |
- const Sequelize = require('sequelize');
- const sequelize = new Sequelize('database', 'username', 'password', {
- host: 'localhost',
- port: '5433',
- dialect: 'postgres'
- })
- - |
- const Sequelize = require('sequelize');
- const passwordFromEnv = 'test';
- const sequelize2 = new Sequelize('database', 'username', passwordFromEnv, {
- host: 'localhost',
- port: 5432,
- dialect: 'postgres'
- });
\ No newline at end of file
diff --git a/utils/.gitkeep b/utils/.gitkeep
deleted file mode 100644
index e69de29b..00000000