diff --git a/internal/services/engines/swift/rules.go b/internal/services/engines/swift/rules.go
index c2cdf6774..ff49fcb1b 100644
--- a/internal/services/engines/swift/rules.go
+++ b/internal/services/engines/swift/rules.go
@@ -46,11 +46,13 @@ import (
 func NewCoreDataDatabase() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-2",
- Name: "CoreData Database",
- Description: "App uses CoreData Database. Sensitive Information should be encrypted. For more information checkout the CWE-311 (https://cwe.mitre.org/data/definitions/311.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-2",
+ Name: "CoreData Database",
+ Description: "App uses CoreData Database. Sensitive Information should be encrypted. For more information checkout the CWE-311 (https://cwe.mitre.org/data/definitions/311.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT2,
+ UnsafeExample: SampleVulnerableHSSWIFT2,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -62,11 +64,13 @@ func NewCoreDataDatabase() *text.Rule {
 func NewDTLS12NotUsed() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-3",
- Name: "DTLS 1.0 or 1.1 not used",
- Description: "DTLS 1.2 should be used. Detected old version - DTLS 1.0. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-3",
+ Name: "DTLS 1.0 or 1.1 not used",
+ Description: "DTLS 1.2 should be used. Detected old version - DTLS 1.0. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT3,
+ UnsafeExample: SampleVulnerableHSSWIFT3,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
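Review bot: The HS-SWIFT-3 Name and Description re-emitted in this block disagree with each other and with the rule's own sample: `Name: "DTLS 1.0 or 1.1 not used"` describes the compliant state rather than the finding, and the description says only "Detected old version - DTLS 1.0" although SampleVulnerableHSSWIFT3 (added in this commit) uses `DTLSv11`. I would change them to `Name: "DTLS 1.0 or 1.1 should not be used",` and `Description: "DTLS 1.2 or later should be used. Detected an old version (DTLS 1.0 or 1.1). For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",`. The rule's Expressions follow the hunk, so I cannot confirm which versions the regexes actually match.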
@@ -78,11 +82,13 @@ func NewDTLS12NotUsed() *text.Rule {
 func NewTLS13NotUsed() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-4",
- Name: "TLS 1.0 or TLS 1.1 not be used",
- Description: "TLS 1.2 should be used. Older versions of SSL/TLS protocol like \"SSLv3\" have been proven to be insecure. This rule raises an issue when an SSL/TLS context is created with an insecure protocol version (ie: a protocol different from \"TLSv1.2\", \"TLSv1.3\", \"DTLSv1.2\" or \"DTLSv1.3\"). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) and CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-4",
+ Name: "TLS 1.0 or TLS 1.1 not be used",
+ Description: "TLS 1.2 should be used. Older versions of SSL/TLS protocol like \"SSLv3\" have been proven to be insecure. This rule raises an issue when an SSL/TLS context is created with an insecure protocol version (ie: a protocol different from \"TLSv1.2\", \"TLSv1.3\", \"DTLSv1.2\" or \"DTLSv1.3\"). For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) and CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT4,
+ UnsafeExample: SampleVulnerableHSSWIFT4,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
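Review bot: `Name: "TLS 1.0 or TLS 1.1 not be used"` is ungrammatical and, like its DTLS sibling, names the compliant state instead of the finding; now that the name is shown next to a Safe/Unsafe example pair this is user-facing text. I would write `Name: "TLS 1.0 or TLS 1.1 should not be used",`. The description opens with "TLS 1.2 should be used" but then lists TLSv1.3 and DTLSv1.3 as acceptable; "TLS 1.2 or later should be used" would make the two sentences agree.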
@@ -94,11 +100,13 @@ func NewTLS13NotUsed() *text.Rule {
 func NewReverseEngineering() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-5",
- Name: "Reverse engineering",
- Description: "This App may have Reverse engineering detection capabilities. For more information checkout the OWASP-M9 (https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-5",
+ Name: "Reverse engineering",
+ Description: "This App may have Reverse engineering detection capabilities. For more information checkout the OWASP-M9 (https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT5,
+ UnsafeExample: SampleVulnerableHSSWIFT5,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
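Review bot: `Description: "This App may have Reverse engineering detection capabilities..."` does not describe what the rule appears to find: SampleVulnerableHSSWIFT5, now attached as UnsafeExample, declares `FridaGadget`, `cynject` and `libcycript` as library products, i.e. the build bundles dynamic-instrumentation/hooking tooling, which is an exposure rather than a detection capability. If the Expressions (which follow the hunk) match those library names, I would reword to `Description: "This App appears to bundle reverse engineering / dynamic instrumentation tooling (e.g. Frida gadget, Cycript). Such libraries must not ship in release builds. For more information checkout the OWASP-M9 (https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering) advisory.",`. If the regexes match something else, the description should at least say what pattern triggers the finding.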
@@ -112,11 +120,13 @@ func NewReverseEngineering() *text.Rule {
 func NewWeakMD5CryptoCipher() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-6",
- Name: "Weak MD5 hash using",
- Description: "The MD5 hash algorithm that was used is considered weak. It can also cause hash collisions. It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-6",
+ Name: "Weak MD5 hash using",
+ Description: "The MD5 hash algorithm that was used is considered weak. It can also cause hash collisions. It is always recommended to use some CHF (Cryptographic Hash Function), which is mathematically strong and not reversible. SHA512 would be the most recommended hash for storing the password and it is also important to adopt some type of Salt, so that the Hash is more secure. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT6,
+ UnsafeExample: SampleVulnerableHSSWIFT6,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
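Review bot: The HS-SWIFT-6 description gives the wrong remediation for the password case it raises: "SHA512 would be the most recommended hash for storing the password ... adopt some type of Salt" recommends a fast general-purpose hash, whereas password storage needs a deliberately slow password hashing function; SHA-2 is the right replacement for MD5 in integrity and signature uses, not for credentials. I would replace that sentence with `For integrity checks use SHA-256 or SHA-512; for password storage use a dedicated password hashing function (PBKDF2, bcrypt, scrypt or Argon2) with a per-user salt.` while keeping the CWE-327 reference. Separately, `Name: "Weak MD5 hash using"` is also the name of HS-SWIFT-11 in this file, so reports cannot tell the two apart; judging by SampleVulnerableHSSWIFT6 (`import CryptoSwift` / `.md5()`), `Name: "Weak MD5 hash using (CryptoSwift)",` would distinguish them.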
@@ -129,11 +139,13 @@ func NewWeakMD5CryptoCipher() *text.Rule {
 func NewWeakCommonDesCryptoCipher() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-7",
- Name: "Weak DES hash using",
- Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-7",
+ Name: "Weak DES hash using",
+ Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT7,
+ UnsafeExample: SampleVulnerableHSSWIFT7,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
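Review bot: `Description: "DES is considered strong ciphers for modern applications. ..."` states the opposite of what HS-SWIFT-7 enforces and contradicts its own next sentence; a developer reading the finding next to the new SafeExample will be told DES is fine. I would write `Description: "DES is not considered a strong cipher for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.",`. `Name: "Weak DES hash using"` also calls a block cipher a hash; `Name: "Weak DES cipher using",` is accurate. The same inverted text is repeated verbatim for HS-SWIFT-8 and HS-SWIFT-15 below and should be fixed in all three.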
@@ -146,11 +158,13 @@ func NewWeakCommonDesCryptoCipher() *text.Rule {
 func NewWeakIDZDesCryptoCipher() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-8",
- Name: "Weak DES hash using",
- Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-8",
+ Name: "Weak DES hash using",
+ Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT8,
+ UnsafeExample: SampleVulnerableHSSWIFT8,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -163,11 +177,13 @@ func NewWeakIDZDesCryptoCipher() *text.Rule {
 func NewWeakBlowfishCryptoCipher() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-9",
- Name: "Weak Cipher Mode",
- Description: "Cipher algorithms should be robust",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-9",
+ Name: "Weak Cipher Mode",
+ Description: "Cipher algorithms should be robust",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT9,
+ UnsafeExample: SampleVulnerableHSSWIFT9,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
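Review bot: HS-SWIFT-8 carries the same inverted sentence as HS-SWIFT-7, `Description: "DES is considered strong ciphers for modern applications. ..."`, and the same "hash" misnomer in `Name: "Weak DES hash using"`; the two rules differ only in the library they target (SampleVulnerableHSSWIFT8 uses `IDZSwiftCommonCrypto`). I would write `Name: "Weak DES cipher using (IDZSwiftCommonCrypto)",` and `Description: "DES is not considered a strong cipher for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.",`. The unsafe sample additionally uses `.ECBMode`, which is worth a mention in the description since ECB is a second independent weakness the example demonstrates.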
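Review bot: `Description: "Cipher algorithms should be robust"` for HS-SWIFT-9 tells the developer nothing about why Blowfish (the algorithm SampleVulnerableHSSWIFT9 calls) is flagged, and it is the only rule in this file without a CWE/OWASP reference. I would write `Description: "Blowfish has a 64-bit block size, which makes it vulnerable to birthday attacks when large volumes of data are encrypted under one key (SWEET32); use AES instead. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",`. `Name: "Weak Cipher Mode"` is also reused by HS-SWIFT-15 and names a mode rather than an algorithm; `Name: "Weak Blowfish cipher using",` matches the function name NewWeakBlowfishCryptoCipher.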
@@ -180,11 +196,13 @@ func NewWeakBlowfishCryptoCipher() *text.Rule {
 func NewMD6Collision() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-10",
- Name: "Weak MD6 hash using",
- Description: "MD6 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-10",
+ Name: "Weak MD6 hash using",
+ Description: "MD6 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT10,
+ UnsafeExample: SampleVulnerableHSSWIFT10,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -197,11 +215,13 @@ func NewMD6Collision() *text.Rule {
 func NewMD5Collision() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-11",
- Name: "Weak MD5 hash using",
- Description: "MD5 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-11",
+ Name: "Weak MD5 hash using",
+ Description: "MD5 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT11,
+ UnsafeExample: SampleVulnerableHSSWIFT11,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -214,11 +234,13 @@ func NewMD5Collision() *text.Rule {
 func NewSha1Collision() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-12",
- Name: "Weak SHA1 hash using",
- Description: "SHA1 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-12",
+ Name: "Weak SHA1 hash using",
+ Description: "SHA1 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT12,
+ UnsafeExample: SampleVulnerableHSSWIFT12,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -232,11 +254,13 @@ func NewSha1Collision() *text.Rule {
 func NewJailbreakDetect() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-13",
- Name: "Jailbreak detection",
- Description: "This App may have Jailbreak detection capabilities.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-13",
+ Name: "Jailbreak detection",
+ Description: "This App may have Jailbreak detection capabilities.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT13,
+ UnsafeExample: SampleVulnerableHSSWIFT13,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
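Review bot: HS-SWIFT-13's `Description: "This App may have Jailbreak detection capabilities."` names a defensive control but never says what the risk is, why it is reported at `severities.Medium`, or where to read more, while every neighbouring rule cites a CWE or OWASP entry; paired with a SafeExample it now reads as if jailbreak detection itself were the vulnerability. If the intent is that file-path probes like the `/Applications/Cydia.app` check in SampleVulnerableHSSWIFT13 are trivially bypassed, say so: `Description: "This App may have Jailbreak detection capabilities. File-path based checks are easily bypassed and must not be relied on as a security boundary; treat them as defence in depth only. For more information checkout the OWASP-M8 (https://owasp.org/www-project-mobile-top-10/2016-risks/m8-code-tampering) advisory.",`. If that is not the intent, the finding should probably be lowered to informational severity rather than Medium.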
@@ -294,11 +318,13 @@ func NewJailbreakDetect() *text.Rule {
 func NewLoadHTMLString() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-14",
- Name: "Javascript injection",
- Description: "User input not sanitized in \"loadHTMLString\" can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-14",
+ Name: "Javascript injection",
+ Description: "User input not sanitized in \"loadHTMLString\" can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT14,
+ UnsafeExample: SampleVulnerableHSSWIFT14,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -310,11 +336,13 @@ func NewLoadHTMLString() *text.Rule {
 func NewWeakDesCryptoCipher() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-15",
- Name: "Weak Cipher Mode",
- Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-15",
+ Name: "Weak Cipher Mode",
+ Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT15,
+ UnsafeExample: SampleVulnerableHSSWIFT15,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -327,11 +355,13 @@ func NewWeakDesCryptoCipher() *text.Rule {
 func NewRealmDatabase() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-16",
- Name: "Realm Database",
- Description: "App uses Realm Database. Sensitive Information should be encrypted.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-16",
+ Name: "Realm Database",
+ Description: "App uses Realm Database. Sensitive Information should be encrypted.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT16,
+ UnsafeExample: SampleVulnerableHSSWIFT16,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
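Review bot: HS-SWIFT-15 repeats the inverted `Description: "DES is considered strong ciphers for modern applications. ..."` and its new UnsafeExample does not even show DES: SampleVulnerableHSSWIFT15 sets `crypt.CryptAlgorithm = "3des"`, so the text should name what the rule actually flags. I would write `Description: "DES and 3DES are not considered strong ciphers for modern applications (NIST has deprecated 3DES). Currently, NIST recommends the usage of AES block ciphers instead. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.",`. `Name: "Weak Cipher Mode"` is shared with HS-SWIFT-9 and describes a mode, not an algorithm; `Name: "Weak DES/3DES cipher using",` would be unambiguous.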
@@ -343,11 +373,13 @@ func NewRealmDatabase() *text.Rule {
 func NewTLSMinimum() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-17",
- Name: "Deperected tls property",
- Description: "Use of deprecated property tlsMinimumSupportedProtocol. To avoid potential security risks, use tlsMinimumSupportedProtocolVersion",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-17",
+ Name: "Deperected tls property",
+ Description: "Use of deprecated property tlsMinimumSupportedProtocol. To avoid potential security risks, use tlsMinimumSupportedProtocolVersion",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT17,
+ UnsafeExample: SampleVulnerableHSSWIFT17,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -359,11 +391,13 @@ func NewTLSMinimum() *text.Rule {
 func NewUIPasteboard() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-18",
- Name: "UIPasteboard",
- Description: "This application uses UIPasteboard, improper use of this class can lead to security issues.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-18",
+ Name: "UIPasteboard",
+ Description: "This application uses UIPasteboard, improper use of this class can lead to security issues.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT18,
+ UnsafeExample: SampleVulnerableHSSWIFT18,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
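Review bot: `Name: "Deperected tls property"` misspells the word, and this string is now rendered next to the attached examples; `Name: "Deprecated TLS property",`. The description names the replacement property but, unlike the other TLS rules in this file, says nothing about the actual risk or a reference; `Description: "Use of deprecated property tlsMinimumSupportedProtocol, whose SSLProtocol values still allow SSLv3/TLS 1.0/TLS 1.1 minimums. Use tlsMinimumSupportedProtocolVersion and require TLS 1.2 or later. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.",` would align it with HS-SWIFT-3/4.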
@@ -375,11 +409,13 @@ func NewUIPasteboard() *text.Rule {
 func NewFileProtection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-19",
- Name: "File protection",
- Description: "The file has no special protections associated with it.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-19",
+ Name: "File protection",
+ Description: "The file has no special protections associated with it.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT19,
+ UnsafeExample: SampleVulnerableHSSWIFT19,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -391,11 +427,13 @@ func NewFileProtection() *text.Rule {
 func NewWebViewSafari() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-20",
- Name: "WebView Safari",
- Description: "It is recommended to use WKWebView instead of SFSafariViewController or UIWebView to prevent navigating to arbitrary URLs.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-20",
+ Name: "WebView Safari",
+ Description: "It is recommended to use WKWebView instead of SFSafariViewController or UIWebView to prevent navigating to arbitrary URLs.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT20,
+ UnsafeExample: SampleVulnerableHSSWIFT20,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -407,11 +445,13 @@ func NewWebViewSafari() *text.Rule {
 func NewKeyboardCache() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-21",
- Name: "Keyboard cache",
- Description: "Keyboard cache should be disabled for all sensitive data inputs.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-21",
+ Name: "Keyboard cache",
+ Description: "Keyboard cache should be disabled for all sensitive data inputs.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT21,
+ UnsafeExample: SampleVulnerableHSSWIFT21,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -423,11 +463,13 @@ func NewKeyboardCache() *text.Rule {
 func NewMD4Collision() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-22",
- Name: "Weak MD4 hash using",
- Description: "MD4 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-22",
+ Name: "Weak MD4 hash using",
+ Description: "MD4 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT22,
+ UnsafeExample: SampleVulnerableHSSWIFT22,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -439,11 +481,13 @@ func NewMD4Collision() *text.Rule {
 func NewMD2Collision() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-23",
- Name: "Weak MD2 hash using",
- Description: "MD2 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-23",
+ Name: "Weak MD2 hash using",
+ Description: "MD2 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT23,
+ UnsafeExample: SampleVulnerableHSSWIFT23,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -455,11 +499,13 @@ func NewMD2Collision() *text.Rule {
 func NewSQLInjection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-SWIFT-24",
- Name: "SQL Injection",
- Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-SWIFT-24",
+ Name: "SQL Injection",
+ Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSSWIFT24,
+ UnsafeExample: SampleVulnerableHSSWIFT24,
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
diff --git a/internal/services/engines/swift/samples_test.go b/internal/services/engines/swift/samples.go
similarity index 97%
rename from internal/services/engines/swift/samples_test.go
rename to internal/services/engines/swift/samples.go
index cd1a9a4fd..5bb576662 100644
--- a/internal/services/engines/swift/samples_test.go
+++ b/internal/services/engines/swift/samples.go
@@ -49,132 +49,7 @@ func savePill(pass: String) throws { } } ` - SampleVulnerableHSSWIFT3 = ` -... -var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.DTLSv11 -` - SampleVulnerableHSSWIFT4 = ` -... -var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.TLSv11 -` - SampleVulnerableHSSWIFT5 = `import PackageDescription -let package = Package(name: "Alamofire", - platforms: [.macOS(.v10_12), - .iOS(.v10), - .tvOS(.v10), - .watchOS(.v3)], - products: [.library(name: "Alamofire", targets: ["Alamofire"]), - .library(name: "FridaGadget", targets: ["FridaGadget"]), - .library(name: "cynject", targets: ["cynject"]), - .library(name: "libcycript", targets: ["libcycript"])], - targets: [.target(name: "Alamofire", - path: "Source", - exclude: ["Info.plist"], - linkerSettings: [.linkedFramework("CFNetwork", - .when(platforms: [.iOS, - .macOS, - .tvOS, - .watchOS]))]), - .testTarget(name: "AlamofireTests", - dependencies: ["Alamofire"], - path: "Tests", - exclude: ["Resources", "Info.plist"])], - swiftLanguageVersions: [.v5])` - SampleVulnerableHSSWIFT6 = `import CryptoSwift - - "SwiftSummit".md5() -` - SampleVulnerableHSSWIFT7 = ` -import CommonCrypto -let algorithm = CCAlgorithm(kCCAlgorithmDES) // Noncompliant: 64 bits block size -` - SampleVulnerableHSSWIFT8 = ` -import IDZSwiftCommonCrypto - -let cryptor = Cryptor(operation: .encrypt, algorithm: .des, options: [.ECBMode, .PKCS7Padding], key: key, iv:[UInt8]()) -` - SampleVulnerableHSSWIFT9 = ` -import CryptoSwift - -Blowfish(key: key, blockMode: CBC(iv: iv), padding: .pkcs7).encrypt(message) -` - SampleVulnerableHSSWIFT10 = ` -MD6( cStr, strlen(cStr), result ); -` - SampleVulnerableHSSWIFT11 = ` -MD5( cStr, strlen(cStr), result ); -` - SampleVulnerableHSSWIFT12 = ` -let digest = Insecure.SHA1.hash(data: data) -` - SampleVulnerableHSSWIFT13 = ` - let fm = FileManager.default - if(fm.fileExists(atPath: "/private/var/lib/apt")) || (fm.fileExists(atPath: "/Applications/Cydia.app")) { - ... 
- } -` - SampleVulnerableHSSWIFT14 = ` -func loadPage(content) { - let webView1 = UIWebView() - webView1.loadHTMLString("

"+content+"

", baseURL: nil) -} -` - SampleVulnerableHSSWIFT15 = ` - let crypt = CkoCrypt2() - - // Specify 3DES for the encryption algorithm: - crypt.CryptAlgorithm = "3des" -` - SampleVulnerableHSSWIFT16 = ` -try! realm.write { - ... -} -` - SampleVulnerableHSSWIFT17 = ` -let config = URLSessionConfiguration.default -config.tlsMinimumSupportedProtocol = .tlsProtocol12 -` - SampleVulnerableHSSWIFT18 = ` -// read from clipboard -let content = UIPasteboard.general.string -` - SampleVulnerableHSSWIFT19 = ` - do { - try data?.write(to: documentURL, options: .noFileProtection) - } catch { - print("Error...Cannot save data!!!See error:(error.localizedDescription)") - } -` - SampleVulnerableHSSWIFT20 = ` -import SafariServices -func showTutorial(url: String) { - let config = SFSafariViewController.Configuration() - config.entersReaderIfAvailable = true - - let vc = SFSafariViewController(url: url, configuration: config) - present(vc, animated: true) -} -` - SampleVulnerableHSSWIFT21 = ` -textField.autocorrectionType = .no -` - SampleVulnerableHSSWIFT22 = ` -CC_MD4( cStr, strlen(cStr), result ); -` - SampleVulnerableHSSWIFT23 = ` -CC_MD2( cStr, strlen(cStr), result ); -` - SampleVulnerableHSSWIFT24 = ` -let err = SD.executeChange("SELECT * FROM User where user="+ valuesFromInput) { - //there was an error during the insert, handle it here -} else { - //no error, the row was inserted successfully -} -` -) - -const ( SampleSafeHSSWIFT2 = ` class CoreDataManager { static let shared = CoreDataManager() 
@@ -208,9 +83,44 @@ func savePill(pass: String) throws {
 try context.save()
 }
 }
+`
+
+ SampleVulnerableHSSWIFT3 = `
+...
+var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.DTLSv11
 `
 SampleSafeHSSWIFT3 = `var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.DTLSv12`
+
+ SampleVulnerableHSSWIFT4 = `
+...
+var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.TLSv11
+`
 SampleSafeHSSWIFT4 = `var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.TLSv12`
+
+ SampleVulnerableHSSWIFT5 = `import PackageDescription
+let package = Package(name: "Alamofire",
+ platforms: [.macOS(.v10_12),
+ .iOS(.v10),
+ .tvOS(.v10),
+ .watchOS(.v3)],
+ products: [.library(name: "Alamofire", targets: ["Alamofire"]),
+ .library(name: "FridaGadget", targets: ["FridaGadget"]),
+ .library(name: "cynject", targets: ["cynject"]),
+ .library(name: "libcycript", targets: ["libcycript"])],
+ targets: [.target(name: "Alamofire",
+ path: "Source",
+ exclude: ["Info.plist"],
+ linkerSettings: [.linkedFramework("CFNetwork",
+ .when(platforms: [.iOS,
+ .macOS,
+ .tvOS,
+ .watchOS]))]),
+ .testTarget(name: "AlamofireTests",
+ dependencies: ["Alamofire"],
+ path: "Tests",
+ exclude: ["Resources", "Info.plist"])],
+ swiftLanguageVersions: [.v5])
+`
 SampleSafeHSSWIFT5 = `import PackageDescription
 let package = Package(name: "Alamofire",
 platforms: [.macOS(.v10_12),
@@ -230,7 +140,13 @@ let package = Package(name: "Alamofire",
 dependencies: ["Alamofire"],
 path: "Tests",
 exclude: ["Resources", "Info.plist"])],
- swiftLanguageVersions: [.v5])`
+ swiftLanguageVersions: [.v5])
+`
+
+ SampleVulnerableHSSWIFT6 = `import CryptoSwift
+
+ "SwiftSummit".md5()
+`
 SampleSafeHSSWIFT6 = `import Foundation
 import var CommonCrypto.CC_MD5_DIGEST_LENGTH
 import func CommonCrypto.CC_MD5
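Review bot: The newly added SampleVulnerableHSSWIFT3 and SampleVulnerableHSSWIFT4 are not code a developer would write: `var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t.DTLSv11` is a type annotation whose "type" is an enum case, and the safe twins on the context lines have the same shape. Since these strings are now surfaced to users as UnsafeExample/SafeExample, I would make each pair a realistic assignment, e.g. `config.tlsMinimumSupportedProtocolVersion = .DTLSv11` versus `config.tlsMinimumSupportedProtocolVersion = .DTLSv12` (and `.TLSv11` / `.TLSv12` for HS-SWIFT-4), provided the rules' regexes, which are in rules.go outside this diff, still match the new spelling. SampleSafeHSSWIFT5 also looks identical to the unsafe sample in every line visible here; its middle lies between the two hunks, so I cannot confirm it drops the FridaGadget/cynject/libcycript products.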
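Review bot: SampleSafeHSSWIFT6 is not a safe example for a weak-MD5 rule: the context lines show it importing `CommonCrypto.CC_MD5` and `CC_MD5_DIGEST_LENGTH` and, in the next hunk, calling `MD5(string:"Hello")`, so it still hashes with MD5 and is "safe" only in that it avoids the CryptoSwift spelling the new SampleVulnerableHSSWIFT6 (`"SwiftSummit".md5()`) uses. It may even trip HS-SWIFT-11, whose unsafe sample in this same commit is `MD5( cStr, strlen(cStr), result );`. I would replace the whole constant with a SHA-256 snippet, e.g. `import CryptoKit` / `let digest = SHA256.hash(data: Data("Hello".utf8))`. The sample's body continues past this hunk, so the rest of the function would go with it.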
@@ -254,28 +170,63 @@ func MD5(string: String) -> Data { } //Test: -let md5Data = MD5(string:"Hello")` +let md5Data = MD5(string:"Hello") +` + + SampleVulnerableHSSWIFT7 = ` +import CommonCrypto + +let algorithm = CCAlgorithm(kCCAlgorithmDES) // Noncompliant: 64 bits block size +` SampleSafeHSSWIFT7 = ` import Crypto -let sealedBox = try AES.GCM.seal(input, using: key) // Compliant` +let sealedBox = try AES.GCM.seal(input, using: key) // Compliant +` + + SampleVulnerableHSSWIFT8 = ` +import IDZSwiftCommonCrypto + +let cryptor = Cryptor(operation: .encrypt, algorithm: .des, options: [.ECBMode, .PKCS7Padding], key: key, iv:[UInt8]()) +` SampleSafeHSSWIFT8 = ` import Crypto -let sealedBox = try AES.GCM.seal(input, using: key) // Compliant` +let sealedBox = try AES.GCM.seal(input, using: key) // Compliant +` + + SampleVulnerableHSSWIFT9 = ` +import CryptoSwift + +Blowfish(key: key, blockMode: CBC(iv: iv), padding: .pkcs7).encrypt(message) +` SampleSafeHSSWIFT9 = ` import Crypto let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) +` + + SampleVulnerableHSSWIFT10 = ` +MD6( cStr, strlen(cStr), result ); ` SampleSafeHSSWIFT10 = ` import Crypto -let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7)` +let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) +` + + SampleVulnerableHSSWIFT11 = ` +MD5( cStr, strlen(cStr), result ); +` SampleSafeHSSWIFT11 = ` import Crypto -let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7)` +let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) +` + + SampleVulnerableHSSWIFT12 = ` +let digest = Insecure.SHA1.hash(data: data) +` SampleSafeHSSWIFT12 = ` func sha256(data : Data) -> Data { var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH)) 
@@ -284,6 +235,13 @@ func sha256(data : Data) -> Data { } return Data(hash) } +` + + SampleVulnerableHSSWIFT13 = ` + let fm = FileManager.default + if(fm.fileExists(atPath: "/private/var/lib/apt")) || (fm.fileExists(atPath: "/Applications/Cydia.app")) { + ... + } ` SampleSafeHSSWIFT13 = ` do { @@ -292,12 +250,26 @@ do { } catch { return false } +` + + SampleVulnerableHSSWIFT14 = ` +func loadPage(content) { + let webView1 = UIWebView() + webView1.loadHTMLString("

"+content+"

", baseURL: nil) +} ` SampleSafeHSSWIFT14 = ` func loadPage() { let webView1 = UIWebView() webView1.loadHTMLString("

Hello!

", baseURL: nil) } +` + + SampleVulnerableHSSWIFT15 = ` + let crypt = CkoCrypt2() + + // Specify 3DES for the encryption algorithm: + crypt.CryptAlgorithm = "3des" ` SampleSafeHSSWIFT15 = ` func sha256(data : Data) -> Data { @@ -307,17 +279,41 @@ func sha256(data : Data) -> Data { } return Data(hash) } +` + + SampleVulnerableHSSWIFT16 = ` +try! realm.write { + ... +} ` SampleSafeHSSWIFT16 = ` realm.beginWrite() ... try! realm.commitWrite() +` + + SampleVulnerableHSSWIFT17 = ` +let config = URLSessionConfiguration.default +config.tlsMinimumSupportedProtocol = .tlsProtocol12 ` SampleSafeHSSWIFT17 = ` let config = URLSessionConfiguration.default +` + + SampleVulnerableHSSWIFT18 = ` +// read from clipboard +let content = UIPasteboard.general.string ` SampleSafeHSSWIFT18 = ` let content = "Static content" +` + + SampleVulnerableHSSWIFT19 = ` + do { + try data?.write(to: documentURL, options: .noFileProtection) + } catch { + print("Error...Cannot save data!!!See error:(error.localizedDescription)") + } ` SampleSafeHSSWIFT19 = ` do { 
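Review bot: SampleSafeHSSWIFT15, whose opening lines are visible at the end of this hunk, answers a 3DES encryption finding (SampleVulnerableHSSWIFT15 sets `crypt.CryptAlgorithm = "3des"`) with a `func sha256(data : Data) -> Data` hash function; a digest is not a substitute for a symmetric cipher and the example teaches the wrong remediation. I would reuse the AES-GCM sample already used for HS-SWIFT-7/8: `import Crypto` / `let sealedBox = try AES.GCM.seal(input, using: key)`. SampleSafeHSSWIFT14 in the same hunk still instantiates `UIWebView()`, which HS-SWIFT-20 in this very commit tells users to avoid; a `WKWebView` with `loadHTMLString` and static content would keep the examples consistent with each other. This hunk starts on an earlier line of the diff.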
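Review bot: SampleSafeHSSWIFT17 is just `let config = URLSessionConfiguration.default` and shows none of the remediation the HS-SWIFT-17 description prescribes; the "safe" example should demonstrate the replacement property, `config.tlsMinimumSupportedProtocolVersion = .TLSv12`. Likewise SampleSafeHSSWIFT16 (`realm.beginWrite()` / `try! realm.commitWrite()`) differs from the unsafe `try! realm.write {}` only in transaction style, while the rule says "Sensitive Information should be encrypted"; a realistic safe sample would open the store with an encryption key, e.g. `let realm = try Realm(configuration: Realm.Configuration(encryptionKey: key))`. Both pairs are now user-facing metadata, so the safe side should actually show the fix.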
@@ -325,24 +321,57 @@ let content = "Static content" } catch { print("Error...Cannot save data!!!See error:(error.localizedDescription)") } +` + + SampleVulnerableHSSWIFT20 = ` +import SafariServices +func showTutorial(url: String) { + let config = SFSafariViewController.Configuration() + config.entersReaderIfAvailable = true + + let vc = SFSafariViewController(url: url, configuration: config) + present(vc, animated: true) +} ` SampleSafeHSSWIFT20 = ` func showTutorial(url: String) { let vc = UIApplication.shared.openURL(url) present(vc, animated: true) } +` + + SampleVulnerableHSSWIFT21 = ` +textField.autocorrectionType = .no ` SampleSafeHSSWIFT21 = ` textField.autocorrectionType = .yes +` + + SampleVulnerableHSSWIFT22 = ` +CC_MD4( cStr, strlen(cStr), result ); ` SampleSafeHSSWIFT22 = ` import Crypto -let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7)` +let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) +` + + SampleVulnerableHSSWIFT23 = ` +CC_MD2( cStr, strlen(cStr), result ); +` SampleSafeHSSWIFT23 = ` import Crypto -let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7)` +let encryptedBytes = try AES(key: [1,2,3,...,32], blockMode: CBC(iv: [1,2,3,...,16]), padding: .pkcs7) +` + + SampleVulnerableHSSWIFT24 = ` +let err = SD.executeChange("SELECT * FROM User where user="+ valuesFromInput) { + //there was an error during the insert, handle it here +} else { + //no error, the row was inserted successfully +} +` SampleSafeHSSWIFT24 = ` if let err = SD.executeChange("SELECT * FROM User where user=?", withArgs: [name, population, isWarm, foundedIn]) { //there was an error during the insert, handle it here 
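Review bot: SampleSafeHSSWIFT20 contradicts its own rule: HS-SWIFT-20 tells developers to prefer WKWebView so the app does not navigate to arbitrary URLs, yet the "safe" snippet calls `UIApplication.shared.openURL(url)`, which hands the URL to the system browser with even less control than SFSafariViewController (and returns a Bool, so `present(vc, animated: true)` would not compile). I would replace it with a WKWebView-based sample, below. In the same hunk the HS-SWIFT-21 pair reads inverted against its description ("Keyboard cache should be disabled"): the unsafe snippet sets `textField.autocorrectionType = .no` and the safe one `.yes`. The rule's regex is in rules.go outside this diff, so either swap the two samples or correct the description to say what the expression actually flags.
```go
	SampleSafeHSSWIFT20 = `
import WebKit
func showTutorial(url: URL) {
    let webView = WKWebView()
    webView.load(URLRequest(url: url))
    view.addSubview(webView)
}
`
```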
@@ -350,7 +379,6 @@ if let err = SD.executeChange("SELECT * FROM User where user=?", withArgs: [name //no error, the row was inserted successfully } ` - Sample2SafeHSSWIFT24 = ` public extension Expression { func observe(