Merge branch 'develop' into claudio/secure-defaults

LICENSE

@@ -6,6 +6,6 @@ Without limiting other conditions in the License, the grant of rights under the
 
 For purposes of the foregoing, “Sell” means practicing any or all of the rights granted to you under the License to provide to third parties, for a fee or other consideration (including without limitation fees for hosting or consulting/ support services related to the Software), a product or service whose value derives, entirely or substantially, from the functionality of the Software. Any license notice or attribution required by the License must also include this Commons Clause License Condition notice.
 
-Software: semgrep-rules (https://github.com/returntocorp/semgrep-rules)
+Software: semgrep-rules (https://github.com/semgrep/semgrep-rules)
 License: LGPL 2.1 (GNU Lesser General Public License, Version 2.1)
 Licensor: Semgrep, Inc. (https://semgrep.dev)

README.md

@@ -1,21 +1,34 @@
 # semgrep-rules
 
-[![powered by semgrep](https://img.shields.io/badge/powered%20by-semgrep-1B2F3D?labelColor=lightgrey&link=https://semgrep.live/&style=flat-square&logo=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAAA0AAAAOCAYAAAD0f5bSAAAABmJLR0QA/gD+AP+cH+QUAAAACXBIWXMAAA3XAAAN1wFCKJt4AAAAB3RJTUUH5AYMEy0l8dkqrQAAAvFJREFUKBUB5gIZ/QEAAP8BAAAAAAMG6AD9+hn/GzA//wD//wAAAAD+AAAAAgABAQDl0MEBAwbmAf36GQAAAAAAAQEC9QH//gv/Gi1GFQEC+OoAAAAAAAAAAAABAQAA//8AAAAAAAAAAAD//ggX5tO66gID9AEBFSRxAgYLzRQAAADpAAAAAP7+/gDl0cMPAAAA+wAAAPkbLz39AgICAAAAAAAAAAAs+vU12AEbLz4bAAAA5P8AAAAA//4A5NDDEwEBAO///wABAQEAAP//ABwcMD7hAQEBAAAAAAAAAAAaAgAAAOAAAAAAAQEBAOXRwxUAAADw//8AAgAAAAD//wAAAAAA5OXRwhcAAQEAAAAAAAAAAOICAAAABP3+/gDjzsAT//8A7gAAAAEAAAD+AAAA/wAAAAAAAAAA//8A7ePOwA/+/v4AAAAABAIAAAAAAAAAAAAAAO8AAAABAAAAAAAAAAIAAAABAAAAAAAAAAgAAAD/AAAA8wAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAA8AAAAEAAAA/gAAAP8AAAADAAAA/gAAAP8AAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAA7wAAAPsAAAARAAAABAAAAP4AAAAAAAAAAgAAABYAAAAAAAAAAAIAAAD8AwICAB0yQP78/v4GAAAA/wAAAPAAAAD9AAAA/wAAAPr9//8aHTJA6AICAgAAAAD8AgAAADIAAAAAAP//AB4wPvgAAAARAQEA/gEBAP4BAQABAAAAGB0vPeIA//8AAAAAAAAAABAC+vUz1QAAAA8AAAAAAwMDABwwPu3//wAe//8AAv//ABAcMD7lAwMDAAAAAAAAAAAG+vU0+QEBAvUB//4L/xotRhUBAvjqAAAAAAAAAAAAAQEAAP//AAAAAAAAAAAA//4IF+bTuuoCA/QBAQAA/wEAAAAAAwboAP36Gf8bMD//AP//AAAAAP4AAAACAAEBAOXQwQEDBuYB/foZAAAAAAD4I6qbK3+1zQAAAABJRU5ErkJggg==)](https://semgrep.dev/)
-[![Semgrep community slack](https://img.shields.io/badge/slack-join-green?style=flat-square)](https://go.semgrep.dev/slack)
+[![powered by semgrep](https://img.shields.io/badge/powered%20by%20semgrep-2ACFA6)](https://semgrep.dev/)
+<a href="https://go.semgrep.dev/slack">
+<img src="https://img.shields.io/badge/community%20slack-3.5k%20members-green?style=flat-square" alt="Join Semgrep community Slack" />
+</a>
 
-| branch | using semgrep docker image | test status          |
-| ------------ | ------------------------ | -------------------- |
-| `develop` | `returntocorp/semgrep:develop`  | [![semgrep-rules-test-develop](https://github.com/returntocorp/semgrep-rules/workflows/semgrep-develop/badge.svg)](https://github.com/returntocorp/semgrep-rules/actions?query=workflow%3Asemgrep-develop+branch%3Adevelop) |
+Welcome! This repository is the standard library for open source [Semgrep](https://semgrep.dev/) rules.
 
-Welcome! This repository is the standard library for [Semgrep](https://semgrep.dev/) rules. There are many more rules available in the [Semgrep Registry](https://semgrep.dev/explore) written by [Semgrep, Inc.](https://semgrep.dev/) and other contributors. The [Semgrep Registry](https://semgrep.dev/explore) includes rules from this repository and additional rules that are accessible within [Semgrep Cloud Platform](https://semgrep.dev/pricing). If there is a specific rule you are looking for, see the [Semgrep registry search](https://semgrep.dev/r). To contribute, find details about contributing in the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation.
+In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that enable interfile and interprocedural analysis.
 
-## Using Semgrep rules repository
+- Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r).
+- Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login)
+- Contribute to rules: see [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) for more information.
 
-Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep App. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/).
+## Using the Semgrep rules repository
+
+To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://semgrep.dev/learn) and [Writing rules](https://semgrep.dev/docs/writing-rules/overview/). Then, run existing and custom Semgrep rules locally with the [Semgrep command line interface (Semgrep CLI)](https://semgrep.dev/docs/getting-started/) or [continuously with Semgrep in CI while using Semgrep AppSec Platform](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/).
+
+## Writing Semgrep rules
+
+See [Writing rules](https://semgrep.dev/docs/writing-rules/overview/) for information including:
+
+- Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables.
+- Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators.
+
+You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn).
 
 ## Contributing
 
-We welcome Semgrep rule contributions directly to this repository! When you submit your contribution to the `semgrep-rules` repository we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE).
+We welcome Semgrep rule contributions directly to this repository! When submitting your contribution to this repository, we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE).
 
 Note: To contribute, review the **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** documentation.
 
@@ -29,8 +42,7 @@ Join [Slack](https://go.semgrep.dev/slack) for the fastest answers to your quest
 
 ### GitHub action to run tests
 
-If you fork this repository or create your own, you can add a special [semgrep
--rules-test](https://github.com/marketplace/actions/semgrep-rules-test) GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml).
+If you fork this repository or create your own, you can add a GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test example](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml).
 
 ### Rulesets
 

ai/csharp/detect-openai.cs

@@ -0,0 +1,11 @@
+// ruleid: detect-openai
+using OpenAI.Chat;
+
+// ruleid: detect-openai
+ChatClient client = new("gpt-3.5-turbo", Environment.GetEnvironmentVariable("OPENAI_API_KEY"));
+
+// ruleid: detect-openai
+ChatCompletion chatCompletion = client.CompleteChat(
+    [
+        new UserChatMessage("Say 'this is a test.'")
+    ]);

ai/csharp/detect-openai.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: detect-openai
+    languages:
+      - csharp
+    severity: INFO
+    message: "Possibly found usage of AI: OpenAI"
+    pattern-either:
+      - pattern: using OpenAI
+      - pattern: (ChatClient $CLIENT)
+      - pattern: (ChatClient $CLIENT).$FUNC(...)
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW

ai/dart/detect-gemini.dart

@@ -0,0 +1,12 @@
+// ruleid: detect-gemini
+import 'package:google_generative_ai/google_generative_ai.dart';
+
+// Access your API key as an environment variable (see "Set up your API key" above)
+final apiKey = Platform.environment['API_KEY'];
+if (apiKey == null) {
+  print('No \$API_KEY environment variable');
+  exit(1);
+}
+
+// ruleid: detect-gemini
+final model = GenerativeModel(model: 'gemini-1.5-flash', apiKey: apiKey);

ai/dart/detect-gemini.yaml

@@ -0,0 +1,17 @@
+rules:
+  - id: detect-gemini
+    languages:
+      - dart
+    severity: INFO
+    message: "Possibly found usage of AI: Gemini"
+    pattern-either:
+      - pattern: import 'package:google_generative_ai';
+      - pattern: final $MODEL = GenerativeModel(...);
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW

ai/generic/detect-generic-ai-anthprop.txt

@@ -0,0 +1,18 @@
+# ruleid: detect-generic-ai-anthprop
+import anthropic
+
+# ruleid: detect-generic-ai-anthprop
+client = anthropic.Anthropic(
+    # defaults to os.environ.get("ANTHROPIC_API_KEY")
+    api_key="my_api_key",
+)
+
+message = client.messages.create(
+	# ruleid: detect-generic-ai-anthprop
+    model="claude-3-opus-20240229",
+    max_tokens=1024,
+    messages=[
+        {"role": "user", "content": "Hello, Claude"}
+    ]
+)
+print(message.content)

ai/generic/detect-generic-ai-anthprop.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: detect-generic-ai-anthprop
+    languages:
+      - generic
+    severity: INFO
+    message: "Possibly found usage of AI: Anthropic"
+    pattern-either:
+      - pattern: anthropic
+      - pattern: Anthropic
+      - pattern: claude
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW

ai/generic/detect-generic-ai-api.js

@@ -0,0 +1,18 @@
+const rawRes = await fetchWithTimeout(
+    // ruleid: detect-generic-ai-api
+   `https://${baseURL}/v1/chat/completions`,
+   {
+     headers: {
+       "Content-Type": "application/json",
+       Authorization: `Bearer ${apiKey}`
+     },
+     timeout,
+     method: "POST",
+     body: JSON.stringify({
+       model,
+       messages: messages.map(k => ({ role: k.role, content: k.content })),
+       temperature,
+       stream: true
+     })
+   }
+ )

ai/generic/detect-generic-ai-api.yaml

@@ -0,0 +1,17 @@
+rules:
+  - id: detect-generic-ai-api
+    languages:
+      - generic
+    severity: INFO
+    message: "Possibly found usage of AI: HTTP Request"
+    pattern-either:
+      - pattern: /chat/completions
+      - pattern: api.openai.com
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW

ai/generic/detect-generic-ai-gem.html

@@ -0,0 +1,20 @@
+<html>
+<body>
+  <!-- ... Your HTML and CSS -->
+  // ruleid: detect-generic-ai-gem
+  <!-- Import @google/generative-ai, as shown above. -->
+  <script type="module">
+  	  // ruleid: detect-generic-ai-gem
+      import { GoogleGenerativeAI } from "@google/generative-ai";
+
+      // Fetch your API_KEY
+      const API_KEY = "...";
+
+      // Access your API key (see "Set up your API key" above)
+	  // ruleid: detect-generic-ai-gem
+      const genAI = new GoogleGenerativeAI(API_KEY);
+
+      const model = genAI.getGenerativeModel({ model: "gemini-1.5-flash"});
+  </script>
+</body>
+</html>

ai/generic/detect-generic-ai-gem.yaml

@@ -0,0 +1,17 @@
+rules:
+  - id: detect-generic-ai-gem
+    languages:
+      - generic
+    severity: INFO
+    message: "Possibly found usage of AI: Gemini"
+    pattern-either:
+      - pattern: google/generative-ai
+      - pattern: GoogleGenerativeAI
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW

ai/generic/detect-generic-ai-oai.txt

@@ -0,0 +1,7 @@
+OPENAI_API_KEY = "MY_API_KEY"
+# ruleid: detect-generic-ai-oai
+from openai import OpenAI
+# ruleid: detect-generic-ai-oai
+client = OpenAI(
+    # Defaults to os.environ.get("OPENAI_API_KEY")
+)

ai/generic/detect-generic-ai-oai.yaml

@@ -0,0 +1,17 @@
+rules:
+  - id: detect-generic-ai-oai
+    languages:
+      - generic
+    severity: INFO
+    message: "Possibly found usage of AI: OpenAI"
+    pattern-either:
+      - pattern: openai
+      - pattern: OpenAI
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW

ai/go/detect-gemini.go

@@ -0,0 +1,14 @@
+// ruleid: detect-gemini
+import "github.com/google/generative-ai-go/genai"
+import "google.golang.org/api/option"
+
+ctx := context.Background()
+// Access your API key as an environment variable (see "Set up your API key" above)
+// ruleid: detect-gemini
+client, err := genai.NewClient(ctx, option.WithAPIKey(os.Getenv("API_KEY")))
+if err != nil {
+    log.Fatal(err)
+}
+defer client.Close()
+
+model := client.GenerativeModel("gemini-1.5-flash")

ai/go/detect-gemini.yaml

@@ -0,0 +1,17 @@
+rules:
+  - id: detect-gemini
+    languages:
+      - go
+    severity: INFO
+    message: "Possibly found usage of AI: Gemini"
+    pattern-either:
+      - pattern: import "github.com/google/generative-ai-go"
+      - pattern: genai.NewClient(...)
+    metadata:
+      references:
+        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+      category: maintainability
+      technology:
+        - genAI
+        - LLMs
+      confidence: LOW