From 9e13edafbfd20457eaf24d50f4a0720ed4bd441c Mon Sep 17 00:00:00 2001
From: htrgouvea
Date: Sun, 28 Jan 2024 08:24:24 -0300
Subject: [PATCH 1/4] update description

---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 9369c2e..a97ccb0 100644
--- a/action.yml
+++ b/action.yml
@@ -1,5 +1,5 @@
 name: zarn-sast
-description: A lightweight static security analysis tool for modern Perl Apps
+description: A lightweight static security analysis tool (SAST) for modern Perl Apps
 author: Heitor GouvĂȘa
 branding:
 icon: "shield"

From 2e12309a8305a5b6ef02be760a6bf80c2db5a6c1 Mon Sep 17 00:00:00 2001
From: htrgouvea
Date: Sun, 28 Jan 2024 08:24:48 -0300
Subject: [PATCH 2/4] add message to the rules

---
 rules/default.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/default.yml b/rules/default.yml
index 4b25f0f..2ea2884 100644
--- a/rules/default.yml
+++ b/rules/default.yml
@@ -3,13 +3,13 @@ rules:
 - id: '0001'
 category: info
 name: Debug module enabled
- message:
+ message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
 sample:
 - Dumper
 - id: '0002'
 category: vuln
 name: Code Injection
- message:
+ message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
 sample:
 - system
 - eval
@@ -18,12 +18,12 @@ rules:
 - id: '0003'
 category: vuln
 name: Path Traversal
- message:
+ message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
 sample:
 - open
 - id: '0004'
 category: vuln
 name: Weak Criptography Algorithm
- message:
+ message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data.
 sample:
 - md5
\ No newline at end of file

From 971b4878f31dc85fd4b14db248eaea9d59790c0c Mon Sep 17 00:00:00 2001
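Review bot: The new texts for rule 0002 (`+ message: Occur when untrusted data is executed as code, ...`) and for rule 0003 in the second hunk are ungrammatical ("Occur" for "Occurs") and describe the vulnerability class in the abstract rather than what the scanner matched, so the SARIF `message.text` that PATCH 3/4 now fills from this field never tells the developer why `system`/`eval` or `open` were flagged. Suggest `message: Occurs when untrusted data reaches system() or a string eval(); check whether the argument can be influenced by input.` for 0002 and the same shape for 0003 (`open() with a path that may contain unsanitized input`), keeping the sentence about impact. The context line `name: Weak Criptography Algorithm` on rule 0004 carries a typo (Cryptography); it is outside this change but worth fixing in the same file since the name is what appears as `ruleId`.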
From: htrgouvea
Date: Sun, 28 Jan 2024 08:25:07 -0300
Subject: [PATCH 3/4] start to considerate message in the sarif output file

---
 lib/Zarn/AST.pm | 2 ++
 lib/Zarn/Sarif.pm | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm
index de22300..573b35e 100644
--- a/lib/Zarn/AST.pm
+++ b/lib/Zarn/AST.pm
@@ -28,6 +28,7 @@ package Zarn::AST {
 my @sample = $rule -> {sample} -> @*;
 my $category = $rule -> {category};
 my $title = $rule -> {name};
+ my $message = $rule -> {message};
 
 if (grep {my $content = $_; scalar(grep {$content =~ m/$_/xms} @sample)} $token -> content()) {
 my $next_element = $token -> snext_sibling;
@@ -50,6 +51,7 @@ package Zarn::AST {
 category => $category,
 file => $file,
 title => $title,
+ message => $message,
 line => $line,
 rowchar => $rowchar
 };
diff --git a/lib/Zarn/Sarif.pm b/lib/Zarn/Sarif.pm
index e9e4dbb..f529931 100644
--- a/lib/Zarn/Sarif.pm
+++ b/lib/Zarn/Sarif.pm
@@ -25,8 +25,11 @@ package Zarn::Sarif {
 foreach my $info (@vulnerabilities) {
 my $result = {
 ruleId => $info -> {title},
+ properties => {
+ title => $info -> {title}
+ },
 message => {
- text => $info -> {title}
+ text => $info -> {message}
 },
 locations => [{
 physicalLocation => {

From 9c0970d6e1e62fca26739dab12a073a9c55a7122 Mon Sep 17 00:00:00 2001
From: htrgouvea
Date: Sun, 28 Jan 2024 08:27:17 -0300
Subject: [PATCH 4/4] change severity from 5 to 4

---
 .perlcriticrc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.perlcriticrc b/.perlcriticrc
index 8fe04ee..722782a 100644
--- a/.perlcriticrc
+++ b/.perlcriticrc
@@ -1,3 +1,4 @@
-severity = 5
+severity = 4
 
-[-TestingAndDebugging::RequireUseStrict]
\ No newline at end of file
+[-TestingAndDebugging::RequireUseStrict]
+[-TestingAndDebugging::RequireUseWarnings]
\ No newline at end of file
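Review bot: `text => $info -> {message}` is undefined whenever a rule carries no message — exactly the state of rules/default.yml before PATCH 2/4 (the removed `message:` lines were empty) and still possible for any other rules file — so the serializer presumably writes `null` into SARIF `message.text`, where the SARIF 2.1.0 schema requires a string and consumers may reject the whole report. Fall back to the rule name: `text => $info -> {message} // $info -> {title}`; the same defined-or could instead go on the new `my $message = $rule -> {message};` line in the first lib/Zarn/AST.pm hunk so every consumer of the finding gets a non-empty message. The added `properties => { title => ... }` duplicates `ruleId`, which already carries the title; harmless, but a one-line comment saying why both are kept (for example that `ruleId` is meant to become the numeric rule id later) would stop the next reader from removing one. The `foreach` loop and the enclosing sub of Zarn::Sarif start and end outside the hunk.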
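Review bot: The new `[-TestingAndDebugging::RequireUseWarnings]` line, next to the already-disabled `RequireUseStrict`, switches off the two policies that catch the most basic Perl mistakes, and lowering `severity = 4` at the same time widens the active policy set while exempting exactly these two — an odd trade for a security linter's own codebase. If the exemption exists because the `package Zarn::AST { ... }` block form makes the policies misfire (presumably; the rc does not say), putting `use strict; use warnings;` or a `use v5.x;` line at file scope above the package block is the usual fix and keeps the policies on. If they must stay disabled, add a comment above the two lines stating why, e.g. `# strict/warnings are enabled at file scope; the policy cannot see it inside package blocks`. The new side still ends without a trailing newline (`\ No newline at end of file`); add one.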