Replace guardrail subcategory with secure default (#3425)

* Replace guardrail with secure default * Fix subcategory --------- Co-authored-by: Pieter De Cremer (Semgrep) <pieter@r2c.dev>
semgrep · Jul 8, 2024 · 74d025f · 74d025f
1 parent aa66e52
commit 74d025f
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 22 deletions.
diff --git a/.github/scripts/validate-metadata.py b/.github/scripts/validate-metadata.py
@@ -15,7 +15,6 @@
 
 
 class RegistryMetadataValidator(Draft7Validator):
-
     required_property_messages = {
         "references": "Please include at least one URL with more information about this rule in a metadata field called 'references'.",
         "technology": "Please include a metadata field called 'technology' that is a list of relevent tech stacks. For example: [python, flask], or [javascript, jwt].",
@@ -24,12 +23,12 @@ class RegistryMetadataValidator(Draft7Validator):
         "likelihood": "Please include a 'likelihood' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
         "impact": "Please include a 'impact' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
         "confidence": "Please include a 'confidence' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
-        "subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'guardrail'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
+        "subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'secure default'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",
     }
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        #self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', [])
+        # self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', [])
         self.category_enum = {}
 
     def _extend_message(self, error: ValidationError) -> None:
@@ -59,7 +58,11 @@ def get_errors(self, instance: dict) -> list[ValidationError]:
         return errors
 
 
-def validate_config_file_metadata(config_path: Path, validator: Draft7Validator, invalid_configs: Optional[list] = None):
+def validate_config_file_metadata(
+    config_path: Path,
+    validator: Draft7Validator,
+    invalid_configs: Optional[list] = None,
+):
     with open(config_path) as fin:
         config = yaml.safe_load(fin)
 
@@ -83,10 +86,12 @@ def validate_config_file_metadata(config_path: Path, validator: Draft7Validator,
         else:
             logger.warning(f"Invalid config {str(config_path)}: {ve.message}")
 
+
 def is_rule(path: Path) -> bool:
     with open(path) as fin:
         return fin.readlines()[0].startswith("rules:")
 
+
 if __name__ == "__main__":
     import argparse
 
@@ -111,7 +116,11 @@ def is_rule(path: Path) -> bool:
     invalid_configs = []
     for config_item in args.config:
         config_path = Path(config_item)
-        if config_path.is_file() and config_path.suffix == ".yaml" and is_rule(config_path):
+        if (
+            config_path.is_file()
+            and config_path.suffix == ".yaml"
+            and is_rule(config_path)
+        ):
             validate_config_file_metadata(config_path, v, invalid_configs)
         elif config_path.is_dir():
             for config_file in config_path.glob("**/*.yaml"):
@@ -122,4 +131,3 @@ def is_rule(path: Path) -> bool:
         for invalid_config in sorted(invalid_configs, key=lambda t: t[0]):
             print(invalid_config)
         sys.exit(1)
-
diff --git a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml
@@ -23,7 +23,7 @@ rules:
     - go
     confidence: HIGH
     subcategory:
-    - guardrail
+    - audit
     likelihood: MEDIUM
     impact: LOW
   languages: [go]

diff --git a/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml b/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml
@@ -27,7 +27,7 @@ rules:
           ...
           Intercom('boot', $VAR);
     message: Found an initialization of the Intercom Messenger that identifies a
-      User, but does not specify a `user_hash`.This configuration allows users
+      User, but does not specify a `user_hash`. This configuration allows users
       to impersonate one another. See the Intercom Identity Verification docs
       for more context
       https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile
@@ -37,7 +37,7 @@ rules:
     metadata:
       category: security
       subcategory:
-        - guardrail
+        - audit
       cwe:
         - "CWE-287: Improper Authentication"
       confidence: MEDIUM

diff --git a/metadata-schema.yaml.schm b/metadata-schema.yaml.schm
@@ -51,7 +51,7 @@ schema:
           enum:
           - audit
           - vuln
-          - guardrail
+          - secure default
       cwe:
         type:
         - array
@@ -90,4 +90,4 @@ schema:
       - likelihood
       - impact
       - subcategory
-
+
diff --git a/python/django/security/django-no-csrf-token.yaml b/python/django/security/django-no-csrf-token.yaml
@@ -14,7 +14,7 @@ rules:
           regex: (?i)(post|put|delete|patch)
       - pattern-not-inside: "<form...>...{% csrf_token %}...</form>"
       - pattern-not-inside: "<form...>...{{ $VAR.csrf_token }}...</form>"
-    message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks
+    message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.
     languages: [generic]
     severity: WARNING
     metadata:
@@ -26,7 +26,7 @@ rules:
       likelihood: MEDIUM
       impact: MEDIUM
       subcategory:
-        - guardrail
+        - audit
       technology:
         - django
     paths:

diff --git a/python/django/security/django-using-request-post-after-is-valid.yaml b/python/django/security/django-using-request-post-after-is-valid.yaml
@@ -22,6 +22,6 @@ rules:
       likelihood: MEDIUM
       impact: MEDIUM
       subcategory:
-        - guardrail
+        - audit
       technology:
-        - django
+        - django
diff --git a/terraform/aws/security/aws-provisioner-exec.yaml b/terraform/aws/security/aws-provisioner-exec.yaml
@@ -14,7 +14,10 @@ rules:
           ...
       }
   id: aws-provisioner-exec
-  message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+  message: >-
+    Provisioners are a tool of last resort and should be avoided where possible.
+    Provisioner behavior cannot be mapped by Terraform as part of a plan,
+    and execute arbitrary shell commands by design.
   languages:
   - terraform
   severity: WARNING
@@ -27,7 +30,7 @@ rules:
     - "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
     - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
     subcategory:
-    - guardrail
+    - audit
     confidence: HIGH
     likelihood: HIGH
     impact: MEDIUM

diff --git a/yaml/semgrep/metadata-subcategory-incorrect-value.yaml b/yaml/semgrep/metadata-subcategory-incorrect-value.yaml
@@ -20,10 +20,10 @@ rules:
             - audit
       - pattern-not: |
           subcategory: 
-            - guardrail
+            - secure default
     message: >-
       Semgrep rule likelihood: $VALUE detected, but the value must be vuln,
-      audit, or guardrail. For more information visit:
+      audit, or secure default. For more information visit:
       https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
     languages:
       - yaml
@@ -33,4 +33,4 @@ rules:
         - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
       category: correctness
       technology:
-        - semgrep
+        - semgrep
diff --git a/yaml/semgrep/metadata-subcategory.yaml b/yaml/semgrep/metadata-subcategory.yaml
@@ -15,7 +15,7 @@ rules:
             subcategory: $VALUE
     message: >-
       This Semgrep rule is missing a valid 'subcategory' field in the 'metadata'.
-      which should be either audit, vuln, or guardrail. For more information visit 
+      which should be either audit, vuln, or secure default. For more information visit 
       https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
     languages:
       - yaml
@@ -25,4 +25,4 @@ rules:
         - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/
       category: correctness
       technology:
-        - semgrep
+        - semgrep