Make rules supported by sarif generic from external file instead of h…

…ardcoded
radareorg · Mar 10, 2024 · adf9e7a · adf9e7a
1 parent d1f9074
commit adf9e7a
Show file tree

Hide file tree

Showing 4 changed files with 235 additions and 122 deletions.
diff --git a/sarif/README.md b/sarif/README.md
@@ -11,14 +11,44 @@ This plugin for radare2 adds the `sarif` command to the r2 shell which allows to
 ```
 [0x00000000]> sarif?
 sarif [action] [arguments]
-sarif help          - show this help message
-sarif import [file] - import sarif info from given file
-sarif export [file] - export sarif findings into given file or stdout
-sarif script        - generate r2 script with loaded sarif info
-sarif reset         - reset all loaded sarif reports
+sarif -h, help              - show this help message (-h)
+sarif -a, add [r] [c]       - add a new sarif finding
+sarif -aw,-ae,-an [r] [c]   - add warning, error or note
+sarif -i, import [file]     - import sarif info from given file
+sarif -j, json              - print the spotted findings as json to stdout
+sarif -r, r2|script         - generate r2 script with loaded sarif info
+sarif -R, reset             - reset reported findings list
+sarif -l, rules ([file])    - list or load rules from file
 [0x00000000]>
 ```
 
+First you need to load the rules that you plan to report as findings:
+
+```
+[0x00000000]> sarif -l rule.json
+```
+
+Those can be listed with `sarif -l` (note that there's no argument here). At this point you are ready to report your first finding!
+
+* Seek to the offset where the vulnerability is spotted
+* Run `sarif -aw rules.mastg-android-insecure-random-use Do not use this API`
+
+You can now export the sarif file in json using the following command:
+
+```
+[0x00000000]> sarif -j > reports.json
+```
+
+Alternatively you can combine multiple finding documents and load that info inside r2:
+
+```
+[0x00000000]> sarif -i report0.json
+[0x00000000]> sarif -i report1.json
+[0x00000000]> .sarif -r
+```
+
+You will have flags prefixed with `sarif.` to spot them in the binary. `f~^sarif`
+
 ## Links
 
 * https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning?learn=code_security_integration

diff --git a/sarif/rules-test.json b/sarif/rules-test.json
@@ -0,0 +1,46 @@
+{
+  "$schema": "http://json.schemastore.org/sarif-2.1.0",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "mastg",
+          "semanticVersion": "1.0.0",
+          "rules": [
+            {
+              "id": "VULN-OVERFLOW",
+              "name": "vuln-overflow",
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "[VULN-1] Potential Buffer Overflow"
+              }
+            },
+            {
+              "id": "VULN-WEAK-CRYPTO",
+              "name": "vuln-weak-crypto",
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "[VULN-1] Use of weak crypto"
+              }
+            },
+            {
+              "id": "VULN-SQL-INJECTION",
+              "name": "vuln-sql-injection",
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "[VULN-1] SQL Injection Vulnerability"
+              }
+            }
+          ]
+        }
+      }
+    }
+  ]
+}
diff --git a/sarif/rules.json b/sarif/rules.json
@@ -0,0 +1,58 @@
+{
+  "$schema": "http://json.schemastore.org/sarif-2.1.0",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "mastg",
+          "semanticVersion": "1.0.0",
+          "rules": [
+            {
+              "id": "rules.mastg-android-insecure-random-use",
+              "name": "rules.mastg-android-insecure-random-use",
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "[MASVS-CRYPTO-1] The application makes use of insecure random number generator."
+              },
+              "help": {
+                "markdown": "[MASVS-CRYPTO-1] The application makes use of insecure random number generator.",
+                "text": "[MASVS-CRYPTO-1] The application makes use of insecure random number generator."
+              },
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: rules.mastg-android-insecure-random-use"
+              }
+            },
+            {
+              "id": "rules.mastg-android-non-random-use",
+              "name": "rules.mastg-android-non-random-use",
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "[MASVS-CRYPTO-1] The application makes use of non-random sources."
+              },
+              "help": {
+                "markdown": "[MASVS-CRYPTO-1] The application makes use of non-random sources.",
+                "text": "[MASVS-CRYPTO-1] The application makes use of non-random sources."
+              },
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: rules.mastg-android-non-random-use"
+              }
+            }
+          ]
+        }
+      }
+    }
+  ]
+}