
Add Apex and VisualForce rules #3085

Merged (24 commits) Oct 19, 2023

Conversation

garretpatten-ncino
Contributor

@garretpatten-ncino garretpatten-ncino commented Aug 30, 2023

Changes

  • Add the following Apex rules:
    • GlobalAccessModifiers
    • ApexCSRFConstructor
    • ApexCSRFStaticConstructor
    • DmlNativeStatements
    • BadCrypto
    • InsecureHttpRequest
    • NamedCredentialsConstantMatch
    • NamedCredentialsStringMatch
    • ApexSOQLInjectionFromUnescapedURLParam
    • ApexSOQLInjectionUnescapedParam
    • SpecifySharingLevel
    • SystemDebug
    • UseAssertClass
    • AbsoluteUrls
    • AvoidNativeDmlInLoops
    • AvoidOperationsWithLimitsInLoops
    • AvoidSoqlInLoops
    • AvoidSoslInLoops
  • Add the following VisualForce rules:
    • CSPHeaderAttribute
    • UseSRIForCDNs (also applies to HTML but being added just to VF set here)
    • VisualForceAPIVersion
    • XSSFromUnescapedURLParam

Outstanding Questions

  • We have some rules (Semgrep versions of existing open source PMD rules) around Apex performance and best practices. Not sure if they belonged in this PR or not; for now, they've been included.
  • Guidance was initially given to include technology: ncino in the metadata of each rule, but Apex and VisualForce are Salesforce languages/frameworks. We thought it would be more appropriate to include technology: salesforce. With that, would it make sense to add another metadata entry for contributor: ncino or something like that?

@CLAassistant

CLAassistant commented Aug 30, 2023

CLA assistant check
All committers have signed the CLA.

@garretpatten-ncino garretpatten-ncino changed the title Add apex and VF security rules Add Apex and VisualForce rules Aug 30, 2023
@garretpatten-ncino garretpatten-ncino marked this pull request as ready for review September 19, 2023 18:22
@p4p3r p4p3r requested a review from a team October 18, 2023 15:33
Contributor

@p4p3r p4p3r left a comment


LGTM

@p4p3r p4p3r requested a review from a team October 18, 2023 18:37
@p4p3r p4p3r merged commit 075ee5c into semgrep:develop Oct 19, 2023
8 checks passed