Add YAML rules and tests for insecure JWT usage detection

[ESS-ENN]

Summary by CodeRabbit

• New Features
  • Added security rules to flag insecure JWT practices—including the use of insecure algorithms and hard-coded secrets—in multiple programming languages.
• Tests
  • Introduced snapshot and unit tests covering valid and invalid JWT scenarios, ensuring robust detection and improved security posture.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ESS-ENN
❌ Sakshis

---

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Walkthrough

This pull request introduces new YAML files to define security rules for identifying insecure JWT usage across Go, Kotlin, and Scala projects. The rules target the use of the 'none' signing algorithm and hardcoded secrets. In addition to the configuration files, new snapshot files and test cases have been added to demonstrate and validate the detection of these vulnerabilities through AST parsing and pattern matching.

Changes

File(s)	Summary
rules/go/.../jwt-go-none-algorithm-go.yml, rules/kotlin/.../jwt-hardcode-kotlin.yml, rules/scala/.../jwt-scala-hardcode-scala.yml, rules/scala/.../scala-jwt-hardcoded-secret-scala.yml	New YAML configuration files defining security rules for detecting the use of the 'none' JWT signing algorithm and hardcoded secrets in Go, Kotlin, and Scala.
tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml, tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml, tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml, tests/__snapshots__/scala-jwt-hardcoded-secret-scala-snapshot.yml	Snapshot files demonstrating JWT token creation and usage scenarios that trigger the new security rules.
tests/go/.../jwt-go-none-algorithm-go-test.yml, tests/kotlin/.../jwt-hardcode-kotlin-test.yml, tests/scala/.../jwt-scala-hardcode-scala-test.yml, tests/scala/.../scala-jwt-hardcoded-secret-scala-test.yml	Added test configurations with valid and invalid JWT cases to validate the rule implementations and their detection of insecure patterns.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Scanner as Security Scanner
    participant AST as AST Parser
    participant Rule as Security Rule Engine
    Dev->>Scanner: Commit new security rule configurations
    Scanner->>AST: Parse source code & snapshots
    AST->>Rule: Evaluate JWT patterns (e.g., 'none' algorithm, hardcoded secrets)
    Rule-->>Scanner: Return vulnerability warnings
    Scanner->>Dev: Report detected security issues

Loading

sequenceDiagram
    participant Tester as Test Runner
    participant Config as Test Config Files
    participant Rule as Security Rule Engine
    Tester->>Config: Load test scenarios
    Config->>Rule: Execute JWT validations
    Rule-->>Tester: Return test outcomes (valid/invalid)
    Tester->>Dev: Output test results and logs

Loading

Suggested reviewers

• ganeshpatro321

Poem

I'm a rabbit with a codey beat,
Hopping through YAML files so neat,
JWT secrets and tokens in a dance,
Alerting flaws at every glance,
With bytes and hops, I cheer this treat!
🐇✨

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (21)

tests/kotlin/jwt-hardcode-kotlin-test.yml (2)

7-23: Demonstration of Insecure JWT Creation.
The invalid snippet intentionally shows insecure usage by hardcoding the secret (i.e., using Algorithm.HMAC256("secret")) and employing an empty catch block. This example is appropriate for testing the security rule, but consider adding an inline comment explaining that this insecure pattern is intentional and for demonstration only.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 20-20: trailing spaces

(trailing-spaces)

---

20-20: Remove Trailing Whitespace.
Line 20 appears to have trailing space. Removing these spaces will help you pass YAML linting. For example, change:

-        } 
+        }

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 20-20: trailing spaces

(trailing-spaces)

tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml (1)

17-49: Review Label Definitions.
There are multiple label definitions (e.g., several entries for Algorithm.HMAC256 and "github.com/dgrijalva/jwt-go") which appear redundant. Please verify that these duplicates are intentional for the testing rules; if not, consider consolidating them for clarity.

tests/go/jwt-go-none-algorithm-go-test.yml (3)

4-7: Trim Trailing Spaces in the Valid Block.
Trailing spaces appear on line 7. Removing them will help eliminate YAML linting errors. For example:

-     )  
+     )

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 7-7: trailing spaces

(trailing-spaces)

---

8-15: Ensure Consistent Variable Declarations in Valid Snippet.
In the valid block, the variables (claims, token, ss, and err) are assigned using = rather than Go’s standard short variable declaration operator (:=). While this might be acceptable if the snippet is solely for pattern matching purposes, consider using proper variable declarations (e.g., :=) for clarity if this code is ever executed.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 12-12: trailing spaces

(trailing-spaces)

---

12-12: Remove Trailing Spaces.
Line 12 shows trailing spaces which should be removed to meet YAML lint requirements.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 12-12: trailing spaces

(trailing-spaces)

tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml (1)

4-61: Review of Label Duplications.
The labels section contains several duplicate entries (for example, multiple entries for "secret" and Algorithm.HMAC256). It might be beneficial to consolidate these if they serve the same detection purpose, unless the duplication is required by the downstream processing logic.

rules/scala/security/jwt-scala-hardcode-scala.yml (1)

4-9: Improve Grammar and Clarity in the Message.
The message text could be refined for clarity. For instance, consider revising it to:

"Hardcoded JWT secret or private key is used. This vulnerability leads to insufficiently protected credentials (see CWE-522). Consider using secure mechanisms (e.g., storing secrets in environment variables) to protect credentials."

rules/scala/security/scala-jwt-hardcoded-secret-scala.yml (1)

17-65: Well-Structured AST Utility Configuration

The “utils” section (lines 17–65) defines matchers (for HMAC256 and its no-import counterpart) using precise AST patterns and regex. These definitions seem robust; however, consider adding inline comments for future maintainability and to clarify your choice of regex boundaries.

rules/kotlin/security/jwt-hardcode-kotlin.yml (1)

19-560: Comprehensive AST Utility Configuration for Kotlin

The “utils” section defines numerous matchers for various HMAC algorithms (HMAC256, HMAC384, HMAC512) and covers multiple use cases (with import checks, with identifier patterns, etc.). Although the configuration is very detailed—which is excellent for ensuring coverage—it might benefit from additional inline documentation to ease future updates or debugging.

tests/scala/scala-jwt-hardcoded-secret-scala-test.yml (2)

1-5: Well-Defined Test File Structure

The YAML test file is organized with an “id” and clearly separated “valid” and “invalid” sections. Note that the “valid” section is empty; consider adding positive examples where secure practices are followed to widen test coverage.

---

15-15: Style Improvement: Remove Trailing Spaces

Static analysis has flagged trailing spaces on lines 15, 32, and 49. Please remove these extra spaces to comply with YAML linting guidelines.

Also applies to: 32-32, 49-49

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 15-15: trailing spaces

(trailing-spaces)

tests/__snapshots__/scala-jwt-hardcoded-secret-scala-snapshot.yml (3)

1-28: [Snapshot "App" Review – Insecure JWT Creation with HMAC256]
This snapshot clearly demonstrates the creation of a JWT in the App class using Algorithm.HMAC256("secret"), which includes a hardcoded secret. The labels pinpoint the exact substring occurrences (e.g. the secret "secret", the entire call, and the import statement).
Suggestion: The labels for the import statement are duplicated. If these duplicates are not intentional (for example, to capture different contexts), consider consolidating them for clarity and maintainability.

---

29-54: [Snapshot "AuthService" Review – Insecure JWT Creation with HMAC384]
The snapshot for the AuthService class properly illustrates the insecure use of a hardcoded secret via Algorithm.HMAC384("secretKey"). The labels correctly capture both the primary insecure pattern and secondary details (such as the literal "secretKey").
Observation: Similar to the previous snapshot, there are multiple identical labels for the import statement. Reviewing whether the redundancy is needed could simplify the snapshot file.

---

55-81: [Snapshot "SessionService" Review – Insecure JWT Creation with HMAC512]
This snapshot demonstrates the creation of a session token in the SessionService class using Algorithm.HMAC512("secretKey"). The error handling (returning an empty string on exception) is also captured. The labels accurately mark the occurrence of the hardcoded secret and the algorithm call.
Suggestion: As before, if the repeated import labels are not serving different identification purposes, consider deduplication for improved clarity.

tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml (6)

1-26: [Snapshot "Test6" Review – JWT Encoding with HS256]
The Test6 snapshot illustrates how a JWT token is generated using JwtJson.encode with the HS256 algorithm and a hardcoded secret "secretKey". The JSON claim construction (with fields like "user" and "nbf") is clear and well demonstrated.
Observation: The labels include redundant import definitions. Confirm that these duplicates are intentional; otherwise, remove unnecessary repetitions to reduce noise.

---

27-36: [Snapshot "Test7" Review – JWT Decoding Using decodeJson]
This snapshot for Test7 shows decoding a JWT using JwtJson.decodeJson. The code snippet and the accompanying labels are very detailed—covering the primary call, helper token details, and even providing an alternative code block representation.
Observation: While the comprehensive labeling ensures thorough coverage, the repeated labels (especially the duplicate import lines and multiple entries specifying secretKey) could be streamlined for easier maintenance.

Also applies to: 37-97

---

99-107: [Snapshot "Test9" Review – Decoding Raw JWT]
The Test9 snapshot demonstrates the use of JwtJson.decodeRaw to decode a token using the HS256 algorithm and the same hardcoded secret. The snapshot and its labels (which detail the method call and its parameters) are consistent with other snapshots in terms of structure.
Note: The approach is consistent; only minor style improvements (such as reducing duplicate import label entries) might help maintainability.

Also applies to: 108-168

---

169-222: [Snapshot "Test1" Review – Object-Based JWT Encoding]
This snapshot for Test1 encapsulates JWT encoding within an object using JwtJson.encode. The structure and formatting are clear, and the labels capture all relevant elements such as the encoding call and the hardcoded secret usage.
Suggestion: As in previous snapshots, consider reducing the duplicate import labels and repeated mentions of "secretKey" to improve readability.

---

303-311: [Snapshot "Test2" Review – Decoding JWT to JSON]
The Test2 snapshot shows another instance of JWT decoding using JwtJson.decodeJson with a token and the hardcoded key. The labels again capture all necessary details.
Observation: Consistency is maintained throughout; however, the repeated identical labels (especially for the import statement and secret variable) suggest an opportunity to simplify the snapshot metadata.

Also applies to: 312-372

---

444-452: [Snapshot "Test5" Review – Decoding All with Literal Secret]
This final snapshot for Test5 illustrates the use of JwtJson.decodeAll by providing "secretKey" as a literal directly in the function call. This is slightly different from previous snapshots where the secret was stored in a variable.
Suggestion: For consistency across snapshots, consider standardizing the approach (i.e., always using a variable for the secret). Verify that this divergence is intentional for testing purposes.

Also applies to: 453-485

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 620d83c and c0a0ac6.

📒 Files selected for processing (12)

• rules/go/security/jwt-go-none-algorithm-go.yml (1 hunks)
• rules/kotlin/security/jwt-hardcode-kotlin.yml (1 hunks)
• rules/scala/security/jwt-scala-hardcode-scala.yml (1 hunks)
• rules/scala/security/scala-jwt-hardcoded-secret-scala.yml (1 hunks)
• tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml (1 hunks)
• tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml (1 hunks)
• tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml (1 hunks)
• tests/__snapshots__/scala-jwt-hardcoded-secret-scala-snapshot.yml (1 hunks)
• tests/go/jwt-go-none-algorithm-go-test.yml (1 hunks)
• tests/kotlin/jwt-hardcode-kotlin-test.yml (1 hunks)
• tests/scala/jwt-scala-hardcode-scala-test.yml (1 hunks)
• tests/scala/scala-jwt-hardcoded-secret-scala-test.yml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.35.1)

tests/kotlin/jwt-hardcode-kotlin-test.yml

[error] 20-20: trailing spaces

(trailing-spaces)

tests/go/jwt-go-none-algorithm-go-test.yml

[error] 7-7: trailing spaces

(trailing-spaces)

---

[error] 12-12: trailing spaces

(trailing-spaces)

tests/scala/jwt-scala-hardcode-scala-test.yml

[error] 16-16: trailing spaces

(trailing-spaces)

tests/scala/scala-jwt-hardcoded-secret-scala-test.yml

[error] 15-15: trailing spaces

(trailing-spaces)

---

[error] 32-32: trailing spaces

(trailing-spaces)

---

[error] 49-49: trailing spaces

(trailing-spaces)

🔇 Additional comments (18)

tests/kotlin/jwt-hardcode-kotlin-test.yml (1)

1-6: Valid Section Configuration Looks Good.
The valid block correctly sets system properties using the provided config variable. Make sure that in production environments sensitive values are managed securely.

tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml (1)

1-16: Snapshot Demonstrates Usage of 'none' Algorithm.
This snapshot effectively shows the creation of a JWT token using jwt.NewWithClaims(jwt.SigningMethodNone, claims) together with jwt.UnsafeAllowNoneSignatureType. This insecure pattern is intentionally demonstrated for testing purposes. Ensure that such snapshots remain confined to test environments and are not used in production.

tests/go/jwt-go-none-algorithm-go-test.yml (1)

19-32: Insecure Usage in Invalid Block is Well-Illustrated.
The invalid snippet clearly demonstrates the insecure usage of JWT tokens by invoking jwt.NewWithClaims with SigningMethodNone and signing it using jwt.UnsafeAllowNoneSignatureType. This is consistent with the intended test case.

tests/__snapshots__/jwt-hardcode-kotlin-snapshot.yml (1)

1-3: Snapshot for Hardcoded JWT in Kotlin.
This snapshot correctly illustrates the insecure practice of using a hardcoded secret with Algorithm.HMAC256("secret") in the Kotlin Auth0 JWT library. It aligns with the security rule requirements for detecting hardcoded secrets.

rules/scala/security/jwt-scala-hardcode-scala.yml (1)

15-118: Comprehensive Rule Configuration.
The AST pattern definitions (both PATTERN and PATTERN_with_Instance) are detailed and appear to cover the intended scenarios for detecting JWT usage patterns in Scala code. Ensure you test these patterns thoroughly against your codebase to confirm that they capture all insecure instances without generating false positives.

rules/go/security/jwt-go-none-algorithm-go.yml (2)

1-16: Clear and Comprehensive Security Metadata

The rule’s metadata—including its ID, language, severity, detailed message, and references—is very well articulated. This clearly explains the risks of using the 'none' JWT algorithm and provides actionable recommendations.

---

17-44: Solid AST Parsing & Rule Definition

The AST configuration in the “utils” and “rule” sections is well structured. The regex patterns for detecting both jwt.SigningMethodNone and jwt.UnsafeAllowNoneSignatureType are clear and should effectively catch insecure usages.

tests/scala/jwt-scala-hardcode-scala-test.yml (2)

1-11: Valid Test Case Analysis

The “valid” section contains a test (class Test7) that uses HS256 with a hardcoded secret. Since hardcoded secrets are generally flagged as a vulnerability, please verify that this example is indeed intended to pass under the current security rule. If so, document the rationale to avoid confusion.

---

12-84: Comprehensive Invalid Test Cases

The “invalid” section offers a diverse set of examples (Test1, Test2, Test3, Test5, Test6, Test7, and Test15) that demonstrate insecure JWT practices using hardcoded secrets. This variety will be very helpful for validating the rule. Please ensure that each case triggers the rule as expected.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 16-16: trailing spaces

(trailing-spaces)

rules/scala/security/scala-jwt-hardcoded-secret-scala.yml (2)

1-15: Robust Security Rule Metadata for Scala

The header clearly defines the ID, severity, language, and provides a detailed message along with relevant references (e.g., CWE-522). The note solidly frames the issue and recommended guidance for handling secrets.

---

66-150: Effective Aggregated Rule Definition

The aggregated “rule” section skillfully combines multiple AST matchers to catch insecure hardcoded secrets within Scala classes. This comprehensive approach should improve detection accuracy. It would be beneficial to include unit tests (if not already present) to verify all matching scenarios.

rules/kotlin/security/jwt-hardcode-kotlin.yml (2)

1-16: Kotlin Security Rule Header is Well-Defined

The rule’s metadata (ID, language, severity, message, and note) is clear and informative. The message and referenced standards (e.g., CWE-798) provide stakeholders with a solid understanding of the risk.

---

561-575: Aggregated Rule Section is Thorough

The rule aggregation that follows consolidates all defined utility matchers, ensuring that any instance of a hardcoded secret in JWT usage is flagged. This approach is comprehensive and aligns well with the security objective.

tests/scala/scala-jwt-hardcoded-secret-scala-test.yml (3)

6-19: Invalid Test Case: App

The first invalid test case (class App) correctly demonstrates an insecure JWT creation using Algorithm.HMAC256("secret"). Exception handling is implemented (printing the error message), which is acceptable for a test scenario.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 15-15: trailing spaces

(trailing-spaces)

---

20-36: Invalid Test Case: SessionService

This test case shows the use of Algorithm.HMAC512 with a hardcoded secret and handles exceptions by returning an empty string. Make sure that the chosen exception handling aligns with the intended behavior in a real-world scenario.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 32-32: trailing spaces

(trailing-spaces)

---

37-52: Invalid Test Case: AuthService

The AuthService test case uses Algorithm.HMAC384 and demonstrates an insecure practice; note that the catch block is empty. If the intent is merely to flag the vulnerability, consider returning a default or error value for consistency with other test cases.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 49-49: trailing spaces

(trailing-spaces)

tests/__snapshots__/jwt-scala-hardcode-scala-snapshot.yml (2)

223-232: [Snapshot "Test15" Review – Decoding All JWT Claims Using decodeAll]
Here, the snapshot for Test15 demonstrates applying JwtJson.decodeAll on a token with a slightly different approach by using this.secretKey. This variation is interesting as it implies usage within an object context. The detailed labels clearly mark the method call and its parameters.
Request: Please verify that the use of this.secretKey is intentional and that it behaves as expected in the target environment.

Also applies to: 233-301

---

374-382: [Snapshot "Test3" Review – Decoding JWT into JSON Format]
In this snapshot, the Test3 object decodes a JWT into JSON. The snippet and its labels are consistent with the approach used in other snapshots.
Note: Everything appears correct here. The detailed labeling provides good traceability; just consider if some of the repeated information can be consolidated.

Also applies to: 383-443