From aa66e523dc1a2ee09740c495ad486d95dbe1e3c5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 10:34:55 +0200 Subject: [PATCH 1/2] Bump certifi from 2023.7.22 to 2024.7.4 (#3423) Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4. - [Commits](https://github.com/certifi/python-certifi/compare/2023.07.22...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Pipfile.lock | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 55076b4c69..2e4915aae3 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -26,11 +26,12 @@ }, "certifi": { "hashes": [ - "sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f", - "sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1" + "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b", + "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90" ], + "index": "pypi", "markers": "python_version >= '3.6'", - "version": "==2024.2.2" + "version": "==2024.7.4" }, "charset-normalizer": { "hashes": [ From 74d025f63a20c64ec1cc3ad32662817f8c78f4b9 Mon Sep 17 00:00:00 2001 
From: Claudio Date: Mon, 8 Jul 2024 09:49:58 -0700 Subject: [PATCH 2/2] Replace guardrail subcategory with secure default (#3425) * Replace guardrail with secure default * Fix subcategory --------- Co-authored-by: Pieter De Cremer (Semgrep) --- .github/scripts/validate-metadata.py | 20 +++++++++++++------ .../audit/crypto/missing-ssl-minversion.yaml | 2 +- ...ngs-user-identifier-without-user-hash.yaml | 4 ++-- metadata-schema.yaml.schm | 4 ++-- .../django/security/django-no-csrf-token.yaml | 4 ++-- ...ngo-using-request-post-after-is-valid.yaml | 4 ++-- .../aws/security/aws-provisioner-exec.yaml | 7 +++++-- .../metadata-subcategory-incorrect-value.yaml | 6 +++--- yaml/semgrep/metadata-subcategory.yaml | 4 ++-- 9 files changed, 33 insertions(+), 22 deletions(-) diff --git a/.github/scripts/validate-metadata.py b/.github/scripts/validate-metadata.py index 247b8dde3f..04dc554f6d 100644 --- a/.github/scripts/validate-metadata.py +++ b/.github/scripts/validate-metadata.py @@ -15,7 +15,6 @@ class RegistryMetadataValidator(Draft7Validator): - required_property_messages = { "references": "Please include at least one URL with more information about this rule in a metadata field called 'references'.", "technology": "Please include a metadata field called 'technology' that is a list of relevent tech stacks. For example: [python, flask], or [javascript, jwt].", 
@@ -24,12 +23,12 @@ class RegistryMetadataValidator(Draft7Validator): "likelihood": "Please include a 'likelihood' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", "impact": "Please include a 'impact' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", "confidence": "Please include a 'confidence' metadata field for security rules that is one of that is one of ['LOW', 'MEDIUM', 'HIGH'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", - "subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'guardrail'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", + "subcategory": "Please include a 'subcategory' metadata field for security rules that is one of that is one of ['audit', 'vuln', 'secure default'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.", } def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) - #self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', []) + # self.category_enum = self.schema.get('properties', {}).get('category', {}).get('enum', []) self.category_enum = {} def _extend_message(self, error: ValidationError) -> None: 
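Review bot: The rewritten `subcategory` message still carries the duplicated phrase "that is one of that is one of", which the neighbouring likelihood/impact/confidence context lines share; since the line is being edited anyway, `"subcategory": "Please include a 'subcategory' metadata field for security rules that is one of ['audit', 'vuln', 'secure default'], See https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository for more info.",` reads correctly. The allowed values are also hard-coded here while the same list lives in the `subcategory` enum of metadata-schema.yaml.schm and in the two yaml/semgrep meta-rules, which is why this one rename had to touch four places; the validator already holds `self.schema`, so the message could presumably be built from that enum at report time (in `_extend_message`, whose body is outside this hunk) to remove the drift risk. The `# self.category_enum = ...` line remains commented-out code sitting next to `self.category_enum = {}`; either restore it or drop it rather than keep it as a comment.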
@@ -59,7 +58,11 @@ def get_errors(self, instance: dict) -> list[ValidationError]: return errors -def validate_config_file_metadata(config_path: Path, validator: Draft7Validator, invalid_configs: Optional[list] = None): +def validate_config_file_metadata( + config_path: Path, + validator: Draft7Validator, + invalid_configs: Optional[list] = None, +): with open(config_path) as fin: config = yaml.safe_load(fin) @@ -83,10 +86,12 @@ def validate_config_file_metadata(config_path: Path, validator: Draft7Validator, else: logger.warning(f"Invalid config {str(config_path)}: {ve.message}") + def is_rule(path: Path) -> bool: with open(path) as fin: return fin.readlines()[0].startswith("rules:") + if __name__ == "__main__": import argparse @@ -111,7 +116,11 @@ def is_rule(path: Path) -> bool: invalid_configs = [] for config_item in args.config: config_path = Path(config_item) - if config_path.is_file() and config_path.suffix == ".yaml" and is_rule(config_path): + if ( + config_path.is_file() + and config_path.suffix == ".yaml" + and is_rule(config_path) + ): validate_config_file_metadata(config_path, v, invalid_configs) elif config_path.is_dir(): for config_file in config_path.glob("**/*.yaml"): @@ -122,4 +131,3 @@ def is_rule(path: Path) -> bool: for invalid_config in sorted(invalid_configs, key=lambda t: t[0]): print(invalid_config) sys.exit(1) - diff --git a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml index c2a9d46741..fdbcf08f88 100644 --- a/go/lang/security/audit/crypto/missing-ssl-minversion.yaml +++ b/go/lang/security/audit/crypto/missing-ssl-minversion.yaml @@ -23,7 +23,7 @@ rules: - go confidence: HIGH subcategory: - - guardrail + - audit likelihood: MEDIUM impact: LOW languages: [go] 
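Review bot: The subcategory here moves from `guardrail` to `audit` rather than to the `secure default` value this PR introduces, and the same holds for intercom-settings-user-identifier-without-user-hash.yaml, django-no-csrf-token.yaml, django-using-request-post-after-is-valid.yaml and aws-provisioner-exec.yaml, so after this change no rule in the diff uses the new enum value. That may well be intentional (this file lives under `security/audit/`, which suggests `audit` is the intended bucket), but a rule that flags a missing TLS `MinVersion` looks like the kind of case a "secure default" subcategory exists for, and the PR description says only "Replace guardrail with secure default". A sentence in the description stating when a former `guardrail` rule becomes `audit` and when it becomes `secure default` would make the reclassification reviewable.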
diff --git a/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml b/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml index c7adaef0fb..683a7a6dd2 100644 --- a/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml +++ b/javascript/intercom/security/audit/intercom-settings-user-identifier-without-user-hash.yaml @@ -27,7 +27,7 @@ rules: ... Intercom('boot', $VAR); message: Found an initialization of the Intercom Messenger that identifies a - User, but does not specify a `user_hash`.This configuration allows users + User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile @@ -37,7 +37,7 @@ rules: metadata: category: security subcategory: - - guardrail + - audit cwe: - "CWE-287: Improper Authentication" confidence: MEDIUM diff --git a/metadata-schema.yaml.schm b/metadata-schema.yaml.schm index 030bb41ca1..5b54082088 100644 --- a/metadata-schema.yaml.schm +++ b/metadata-schema.yaml.schm @@ -51,7 +51,7 @@ schema: enum: - audit - vuln - - guardrail + - secure default cwe: type: - array @@ -90,4 +90,4 @@ schema: - likelihood - impact - subcategory - \ No newline at end of file + diff --git a/python/django/security/django-no-csrf-token.yaml b/python/django/security/django-no-csrf-token.yaml index 945adc69c1..174d640029 100644 --- a/python/django/security/django-no-csrf-token.yaml +++ b/python/django/security/django-no-csrf-token.yaml 
@@ -14,7 +14,7 @@ rules: regex: (?i)(post|put|delete|patch) - pattern-not-inside: "...{% csrf_token %}..." - pattern-not-inside: "...{{ $VAR.csrf_token }}..." - message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks + message: Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks. languages: [generic] severity: WARNING metadata: @@ -26,7 +26,7 @@ rules: likelihood: MEDIUM impact: MEDIUM subcategory: - - guardrail + - audit technology: - django paths: diff --git a/python/django/security/django-using-request-post-after-is-valid.yaml b/python/django/security/django-using-request-post-after-is-valid.yaml index 19f4f2e4bd..425eaa90d5 100644 --- a/python/django/security/django-using-request-post-after-is-valid.yaml +++ b/python/django/security/django-using-request-post-after-is-valid.yaml @@ -22,6 +22,6 @@ rules: likelihood: MEDIUM impact: MEDIUM subcategory: - - guardrail + - audit technology: - - django \ No newline at end of file + - django diff --git a/terraform/aws/security/aws-provisioner-exec.yaml b/terraform/aws/security/aws-provisioner-exec.yaml index bfef15e3ba..d020eb9424 100644 --- a/terraform/aws/security/aws-provisioner-exec.yaml +++ b/terraform/aws/security/aws-provisioner-exec.yaml @@ -14,7 +14,10 @@ rules: ... } id: aws-provisioner-exec - message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design. + message: >- + Provisioners are a tool of last resort and should be avoided where possible. + Provisioner behavior cannot be mapped by Terraform as part of a plan, + and execute arbitrary shell commands by design. languages: - terraform severity: WARNING 
@@ -27,7 +30,7 @@ rules: - "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')" - "CWE-94: Improper Control of Generation of Code ('Code Injection')" subcategory: - - guardrail + - audit confidence: HIGH likelihood: HIGH impact: MEDIUM diff --git a/yaml/semgrep/metadata-subcategory-incorrect-value.yaml b/yaml/semgrep/metadata-subcategory-incorrect-value.yaml index 70966c1a5d..876865420e 100644 --- a/yaml/semgrep/metadata-subcategory-incorrect-value.yaml +++ b/yaml/semgrep/metadata-subcategory-incorrect-value.yaml @@ -20,10 +20,10 @@ rules: - audit - pattern-not: | subcategory: - - guardrail + - secure default message: >- Semgrep rule likelihood: $VALUE detected, but the value must be vuln, - audit, or guardrail. For more information visit: + audit, or secure default. For more information visit: https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ languages: - yaml @@ -33,4 +33,4 @@ rules: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ category: correctness technology: - - semgrep \ No newline at end of file + - semgrep diff --git a/yaml/semgrep/metadata-subcategory.yaml b/yaml/semgrep/metadata-subcategory.yaml index a65ceb04ca..bd0a9085fa 100644 --- a/yaml/semgrep/metadata-subcategory.yaml +++ b/yaml/semgrep/metadata-subcategory.yaml @@ -15,7 +15,7 @@ rules: subcategory: $VALUE message: >- This Semgrep rule is missing a valid 'subcategory' field in the 'metadata'. - which should be either audit, vuln, or guardrail. For more information visit + which should be either audit, vuln, or secure default. For more information visit https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ languages: - yaml @@ -25,4 +25,4 @@ rules: - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/ category: correctness technology: - - semgrep \ No newline at end of file + - semgrep
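Review bot: The message this hunk edits still opens with `Semgrep rule likelihood: $VALUE detected` on the context line directly above the changed one, although the rule's `pattern-not` blocks check the `subcategory` field, so the field named in the finding is wrong; `Semgrep rule subcategory: $VALUE detected, but the value must be vuln,` fixes it. The sibling rule yaml/semgrep/metadata-subcategory.yaml, also touched in this commit, names the field correctly.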
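Review bot: Across the context line and the changed line the message now reads `'metadata'. which should be either audit, vuln, or secure default.`, so the clause after the full stop is a sentence fragment; ending the context line with `'metadata', which should be either audit, vuln, or secure default.` (comma instead of period) joins the two. Adding the colon in `For more information visit:` would also match the wording of the sibling rule metadata-subcategory-incorrect-value.yaml.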