diff --git a/c/lang/security/insecure-use-printf-fn.c b/c/lang/security/insecure-use-printf-fn.c
index 1515379c0e..131512272d 100644
--- a/c/lang/security/insecure-use-printf-fn.c
+++ b/c/lang/security/insecure-use-printf-fn.c
@@ -12,7 +12,7 @@ void bad_vsprintf(int argc, char **argv) {
 vsprintf(buffer, argv[1], args);
 //ok: insecure-use-printf-fn
- vsprintf("%s\n",argv[0])
+ vsprintf("%s\n",argv[0]);
 //ok: insecure-use-printf-fn
 vsnprintf(buffer, format, args);
@@ -34,7 +34,7 @@ void bad_sprintf(int argc, char **argv) {
 sprintf(buffer, argv[2], a, b, c);
 //ok: insecure-use-printf-fn
- sprintf("%s\n",argv[0])
+ sprintf("%s\n",argv[0]);
 //ok: insecure-use-printf-fn
 snprintf(buffer, format, a,b,c);
@@ -53,7 +53,7 @@ void bad_printf() {
 printf("hello");
 //ok: insecure-use-printf-fn
- printf("%s\n",argv[0])
+ printf("%s\n",argv[0]);
 }
 int main() {
diff --git a/contrib/react/react_html_parser.js b/contrib/react/react_html_parser.js
index c3518ee3d0..059e282efc 100644
--- a/contrib/react/react_html_parser.js
+++ b/contrib/react/react_html_parser.js
@@ -2,7 +2,7 @@ import ReactHtmlParser from 'react-html-parser';
-renderContent() {
+function renderContent() {
 let content = this.props.content;
 if (!content || (typeof content === 'string' && !content.length)) {
 if (this.props.children) {
diff --git a/csharp/dotnet/security/audit/xpath-injection.yaml b/csharp/dotnet/security/audit/xpath-injection.yaml
index 2b556d9a35..bec118a122 100644
--- a/csharp/dotnet/security/audit/xpath-injection.yaml
+++ b/csharp/dotnet/security/audit/xpath-injection.yaml
@@ -25,7 +25,7 @@ rules:
 pattern-sources:
 - pattern-either:
 - pattern: $T $M($INPUT,...) {...}
- - pattern: "$T $M(...) {\n ...\n string $INPUT\n}\n"
+ - pattern: "$T $M(...) {\n ...\n string $INPUT;\n}\n"
 pattern-sinks:
 - pattern-either:
 - pattern: XPathExpression $EXPR = $NAV.Compile("..." + $INPUT + "...");
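Review bot: In the `@@ -53,7` hunk the repaired line `printf("%s\n",argv[0]);` references `argv`, but the enclosing function is declared `void bad_printf()` with no parameters, so the fixture still would not compile even though it now parses. The other two hunks show the sibling fixtures declared as `void bad_vsprintf(int argc, char **argv)` and `void bad_sprintf(int argc, char **argv)`; `void bad_printf(int argc, char **argv) {` keeps the three consistent. The signature line itself is outside the hunk (it appears only as hunk context), and Semgrep only needs the file to parse, so this is a consistency point rather than a blocker.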
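Review bot: `function renderContent()` still reads `this.props.content` and `this.props.children`, and as a plain function in an ES module (the `import` puts the file in strict mode) `this` is `undefined` at call time, so the fixture now parses but models code that would throw. If the fixture only needs to exercise the `ReactHtmlParser` rule, an explicit parameter is the smallest faithful form: `function renderContent(props) {` / `let content = props.content;` / `if (props.children) {`; otherwise keep the method shorthand inside a class declaration. The function body continues past the end of the hunk.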
diff --git a/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.cs b/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.cs
index 1e1d6b57d5..a9155d7eb3 100644
--- a/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.cs
+++ b/csharp/lang/security/insecure-deserialization/insecure-typefilterlevel-full.cs
@@ -15,7 +15,7 @@ public void SetTFL(string json)
 var dict = new Hashtable();
 dict["typeFilterLevel"] = "Full";
 // ruleid: insecure-typefilterlevel-full
- BinaryServerFormatterSinkProvider serverProvider2 = new BinaryServerFormatterSinkProvider(dict, null)
+ BinaryServerFormatterSinkProvider serverProvider2 = new BinaryServerFormatterSinkProvider(dict, null);
 }
 }
 }
diff --git a/csharp/lang/security/sqli/csharp-sqli.cs b/csharp/lang/security/sqli/csharp-sqli.cs
index a507e2c2e3..3dcd387ad6 100644
--- a/csharp/lang/security/sqli/csharp-sqli.cs
+++ b/csharp/lang/security/sqli/csharp-sqli.cs
@@ -79,7 +79,7 @@ public void sqli6(string sqli)
 using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) {
 connection.Open();
 // ruleid: csharp-sqli
- SqlCommand command = new SqlCommand(sqli)
+ SqlCommand command = new SqlCommand(sqli);
 }
 }
diff --git a/dockerfile/audit/dockerfile-source-not-pinned.dockerfile b/dockerfile/audit/dockerfile-source-not-pinned.dockerfile
index ec38f55ceb..14bebcc194 100644
--- a/dockerfile/audit/dockerfile-source-not-pinned.dockerfile
+++ b/dockerfile/audit/dockerfile-source-not-pinned.dockerfile
@@ -17,4 +17,4 @@ FROM python:3.10.1-alpine3.15@v1
 FROM python:3.10.1-alpine3.15@sha256
 # ok: dockerfile-source-not-pinned
-FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448
\ No newline at end of file
+FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448
diff --git a/dockerfile/correctness/missing-assume-yes-switch.dockerfile b/dockerfile/correctness/missing-assume-yes-switch.dockerfile
index 4c2aed7f7d..5c857c1307 100644
--- a/dockerfile/correctness/missing-assume-yes-switch.dockerfile
+++ b/dockerfile/correctness/missing-assume-yes-switch.dockerfile
@@ -63,4 +63,4 @@ RUN apt-get update \
 zip \
 jq \
 && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
\ No newline at end of file
+ && rm -rf /var/lib/apt/lists/*
diff --git a/dockerfile/correctness/multiple-entrypoint-instructions.dockerfile b/dockerfile/correctness/multiple-entrypoint-instructions.dockerfile
index d616b1d58c..ed4209c11c 100644
--- a/dockerfile/correctness/multiple-entrypoint-instructions.dockerfile
+++ b/dockerfile/correctness/multiple-entrypoint-instructions.dockerfile
@@ -2,5 +2,6 @@ FROM busybox
 ENTRYPOINT /bin/true
+RUN echo hello
 # ruleid: multiple-entrypoint-instructions
 ENTRYPOINT /bin/false
diff --git a/dockerfile/correctness/multiple-entrypoint-instructions.yaml b/dockerfile/correctness/multiple-entrypoint-instructions.yaml
index 1f5cfbf111..da538e0802 100644
--- a/dockerfile/correctness/multiple-entrypoint-instructions.yaml
+++ b/dockerfile/correctness/multiple-entrypoint-instructions.yaml
@@ -6,15 +6,18 @@ rules:
 - pattern: |
 ENTRYPOINT ...
 ...
- $ENTRYPOINT ...
+ $ENTRYPOINT_INSTR
+ # Restrict the match to just the second ENTRYPOINT instruction.
+ # This avoids producing unstable findings due to capturing
+ # many lines of irrelevant code with the ellipsis.
 - metavariable-pattern:
- metavariable: $ENTRYPOINT
- patterns:
- - pattern: |
- ENTRYPOINT ...
- - focus-metavariable: $ENTRYPOINT
+ metavariable: $ENTRYPOINT_INSTR
+ pattern: |
+ ENTRYPOINT ...
+ - focus-metavariable: $ENTRYPOINT_INSTR
 message: >-
- Multiple ENTRYPOINT instructions were found. Only the last one will take effect.
+ Multiple ENTRYPOINT instructions were found. Only the last one
+ will take effect.
 metadata:
 source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4004
 references:
diff --git a/java/lang/security/audit/formatted-sql-string.java b/java/lang/security/audit/formatted-sql-string.java
index 9d49ca77fc..ea6163ee61 100644
--- a/java/lang/security/audit/formatted-sql-string.java
+++ b/java/lang/security/audit/formatted-sql-string.java
@@ -82,7 +82,7 @@ public class SQLExample3 {
 public void getAllFields(String tableName) throws SQLException {
 Connection c = db.getConnection();
 // ruleid:formatted-sql-string
- ResultSet rs = c.createStatement().execute(String.format("SELECT * FROM %s", tableName);
+ ResultSet rs = c.createStatement().execute(String.format("SELECT * FROM %s", tableName));
 }
 public void findAccountsById(String id) throws SQLException {
@@ -104,7 +104,7 @@ public List findAccountsById(String id) {
 }
 public void findAccountsByIdOk() throws SQLException {
- String id = "const"
+ String id = "const";
 String sql = String.format("SELECT * FROM accounts WHERE id = '%s'", id);
 Connection c = db.getConnection();
 // ok:formatted-sql-string
diff --git a/java/spring/security/audit/spring-sqli.java b/java/spring/security/audit/spring-sqli.java
index 9c866eb38e..e16d00546c 100644
--- a/java/spring/security/audit/spring-sqli.java
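Review bot: The finding is now focused on the later `ENTRYPOINT`, but the message `Only the last one will take effect` describes the instruction that is kept, so with two instructions the reported line is the effective one while the earlier, dead `ENTRYPOINT` is what the user needs to delete; saying so avoids the obvious misreading, e.g. `Multiple ENTRYPOINT instructions were found. Only the last one` / `will take effect; remove the earlier ENTRYPOINT instruction(s).` The `...` between the two instructions presumably also spans a `FROM`, in which case a multi-stage Dockerfile with one ENTRYPOINT per stage would be reported although each stage's ENTRYPOINT is effective; if that is the intended scope, a `# ok:` fixture for the per-stage case would document it, and if not, the pattern needs a stage boundary check.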
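Review bot: In the `@@ -82,7` hunk the repaired line still assigns the result of `Statement.execute(...)`, which returns `boolean`, to a `ResultSet`, so the fixture parses but would not type-check. `ResultSet rs = c.createStatement().executeQuery(String.format("SELECT * FROM %s", tableName));` matches the declared type, provided the rule's sink patterns cover `executeQuery` as well as `execute` (the rule file is not in this diff). The enclosing `getAllFields` method fits in the hunk; the `findAccountsById` method that follows does not.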
+++ b/java/spring/security/audit/spring-sqli.java
@@ -77,7 +77,7 @@ public void queryBatchUpdate(JdbcTemplate jdbcTemplate, String sql, String taint
 jdbcTemplate.batchUpdate(sql, new ArrayList());
 // ok:spring-sqli
- jdbcTemplate.batchUpdate("SELECT foo FROM bar WHERE baz = 'biz'", new ArrayList(Arrays.asList(new Object[] {taintedString}));
+ jdbcTemplate.batchUpdate("SELECT foo FROM bar WHERE baz = 'biz'", new ArrayList(Arrays.asList(new Object[] {taintedString})));
 // ruleid:spring-sqli
 jdbcTemplate.batchUpdate(sql, new ArrayList(), new int[]{Types.INTEGER, Types.VARCHAR, Types.VARCHAR});
 }
diff --git a/java/spring/security/injection/tainted-sql-string.java b/java/spring/security/injection/tainted-sql-string.java
index d7e6824f86..22fa5b3d97 100644
--- a/java/spring/security/injection/tainted-sql-string.java
+++ b/java/spring/security/injection/tainted-sql-string.java
@@ -218,4 +218,5 @@ public ResultSet ok8(@RequestBody String name, SiteModel sitemodel) {
 Statement stmt = conn.createStatement();
 ResultSet rs = stmt.execute(sql);
 return rs;
+ }
 }
diff --git a/ruby/lang/security/hardcoded-secret-rsa-passphrase.rb b/ruby/lang/security/hardcoded-secret-rsa-passphrase.rb
index e8fa47c1ae..89d81763ab 100644
--- a/ruby/lang/security/hardcoded-secret-rsa-passphrase.rb
+++ b/ruby/lang/security/hardcoded-secret-rsa-passphrase.rb
@@ -1,63 +1,64 @@
 module Test
- require 'openssl'
-
- class Test
- $pass = 'super secret'
-
- def initialize(key = nil, iv = nil)
- @pass1 = 'my secure pass phrase goes here'
- @keypem = 'foo.pem'
- #ruleid: hardcoded-secret-rsa-passphrase
- OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
- bad
- bad1
- bad2
- bad3
- ok
- end
-
-
- def bad
- key_pem = File.read @keypem
- #ruleid: hardcoded-secret-rsa-passphrase
- key = OpenSSL::PKey::RSA.new key_pem, $pass
- end
-
- def bad1
- key_pem = File.read @keypem
- #ruleid: hardcoded-secret-rsa-passphrase
- key = OpenSSL::PKey::RSA.new key_pem, @pass1
- $bad0 = 'secret'
- end
-
- def bad2
- key_pem = File.read @keypem
- #ruleid: hardcoded-secret-rsa-passphrase
- key = OpenSSL::PKey::RSA.new key_pem, 'secret'
- #ruleid: hardcoded-secret-rsa-passphrase
- key = OpenSSL::PKey::RSA.new key_pem, $bad0
- end
-
- def bad3
- ca_key = OpenSSL::PKey::RSA.new 2048
- pass_phrase = 'my secure pass phrase goes here'
- cipher = OpenSSL::Cipher.new 'AES-256-CBC'
- #ruleid: hardcoded-secret-rsa-passphrase
- ca_key.export(cipher, pass_phrase)
- open 'tmp/ca_key.pem', 'w', 0644 do |io|
- #ruleid: hardcoded-secret-rsa-passphrase
- io.write ca_key.export(cipher, pass_phrase)
- #ruleid: hardcoded-secret-rsa-passphrase
- io.write ca_key.export(cipher, $pass)
- #ruleid: hardcoded-secret-rsa-passphrase
- io.write ca_key.export(cipher, @pass1)
- end
- end
-
- def ok
- key_pem = File.read @keypem
- #ok: hardcoded-secret-rsa-passphrase
- key = OpenSSL::PKey::RSA.new key_pem, ENV['SECRET']
- end
-end
\ No newline at end of file
+ require 'openssl'
+
+ class Test
+ $pass = 'super secret'
+
+ def initialize(key = nil, iv = nil)
+ @pass1 = 'my secure pass phrase goes here'
+ @keypem = 'foo.pem'
+ #ruleid: hardcoded-secret-rsa-passphrase
+ OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
+ bad
+ bad1
+ bad2
+ bad3
+ ok
+ end
+
+
+ def bad
+ key_pem = File.read @keypem
+ #ruleid: hardcoded-secret-rsa-passphrase
+ key = OpenSSL::PKey::RSA.new key_pem, $pass
+ end
+
+ def bad1
+ key_pem = File.read @keypem
+ #ruleid: hardcoded-secret-rsa-passphrase
+ key = OpenSSL::PKey::RSA.new key_pem, @pass1
+ $bad0 = 'secret'
+ end
+
+ def bad2
+ key_pem = File.read @keypem
+ #ruleid: hardcoded-secret-rsa-passphrase
+ key = OpenSSL::PKey::RSA.new key_pem, 'secret'
+ #ruleid: hardcoded-secret-rsa-passphrase
+ key = OpenSSL::PKey::RSA.new key_pem, $bad0
+ end
+
+ def bad3
+ ca_key = OpenSSL::PKey::RSA.new 2048
+ pass_phrase = 'my secure pass phrase goes here'
+ cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+ #ruleid: hardcoded-secret-rsa-passphrase
+ ca_key.export(cipher, pass_phrase)
+ open 'tmp/ca_key.pem', 'w', 0644 do |io|
+ #ruleid: hardcoded-secret-rsa-passphrase
+ io.write ca_key.export(cipher, pass_phrase)
+ #ruleid: hardcoded-secret-rsa-passphrase
+ io.write ca_key.export(cipher, $pass)
+ #ruleid: hardcoded-secret-rsa-passphrase
+ io.write ca_key.export(cipher, @pass1)
+ end
+ end
+
+ def ok
+ key_pem = File.read @keypem
+ #ok: hardcoded-secret-rsa-passphrase
+ key = OpenSSL::PKey::RSA.new key_pem, ENV['SECRET']
+ end
+ end
+end
diff --git a/rust/lang/security/args-os.rs b/rust/lang/security/args-os.rs
index acf99badb4..02925fb688 100644
--- a/rust/lang/security/args-os.rs
+++ b/rust/lang/security/args-os.rs
@@ -1,4 +1,4 @@
 use std::env;
 // ruleid: args-os
-let args = env::args_os()
+let args = env::args_os();
diff --git a/rust/lang/security/args.rs b/rust/lang/security/args.rs
index 78004a13a4..8b34448403 100644
--- a/rust/lang/security/args.rs
+++ b/rust/lang/security/args.rs
@@ -1,4 +1,4 @@
 use std::env;
 // ruleid: args
-let args = env::args()
+let args = env::args();
diff --git a/rust/lang/security/current-exe.rs b/rust/lang/security/current-exe.rs
index ba4ee599bb..28743f30ef 100644
--- a/rust/lang/security/current-exe.rs
+++ b/rust/lang/security/current-exe.rs
@@ -1,4 +1,4 @@
 use std::env;
 // ruleid: current-exe
-let exe = env::current_exe()
+let exe = env::current_exe();
diff --git a/rust/lang/security/temp-dir.rs b/rust/lang/security/temp-dir.rs
index 15ea04f1c3..844a5db05b 100644
--- a/rust/lang/security/temp-dir.rs
+++ b/rust/lang/security/temp-dir.rs
@@ -1,4 +1,4 @@
 use std::env;
 // ruleid: temp-dir
-let dir = env::temp_dir()
+let dir = env::temp_dir();
diff --git a/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml b/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
index 6dbbd31d02..506b7647fa 100644
--- a/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
+++ b/terraform/gcp/security/gcp-dataproc-cluster-public-ip.yaml
@@ -4,18 +4,19 @@ rules:
 - pattern: resource
 - pattern-inside: |
 resource "google_dataproc_cluster" "..." {
- ...
+ ...
 }
 - pattern-not-inside: |
 resource "google_dataproc_cluster" "..." {
- ...
- cluster_config {
- gce_cluster_config {
- ...
- internal_ip_only = true
- ...
+ ...
+ cluster_config {
+ gce_cluster_config {
+ ...
+ internal_ip_only = true
+ ...
+ }
+ ...
 }
- ...
 }
 message: >-
 Ensure Dataproc Clusters do not have public IPs
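Review bot: The `pattern-not-inside` exclusion only recognizes the literal `internal_ip_only = true`, so a cluster that sets the flag from a variable or local (`internal_ip_only = var.private_only`) is still reported; that is a reasonable limit for a static rule, but the message should say the check is for the explicit literal so triagers know why such a cluster is flagged. Now that the braces in the exclusion are balanced, a `# ok:` fixture that nests `internal_ip_only = true` inside `cluster_config { gce_cluster_config { … } }` alongside other attributes would confirm the exclusion actually fires rather than silently never matching.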