Merge branch 'develop' into develop

semgrep · Nov 12, 2024 · 3fa6bdc · 3fa6bdc
2 parents 13da3bd + 5bfe249
commit 3fa6bdc
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 4 deletions.
diff --git a/yaml/openapi/security/openai-consequential-action-false.yaml b/yaml/openapi/security/openai-consequential-action-false.yaml
@@ -38,6 +38,7 @@ rules:
       likelihood: HIGH
       impact: HIGH
       confidence: HIGH
+      cwe: "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')"
       owasp:
         - 'A04:2021 Insecure Design'
         - 'LLM08:2023 - Excessive Agency'

diff --git a/yaml/semgrep/metadata-owasp.test.yaml b/yaml/semgrep/metadata-owasp.test.yaml
@@ -15,6 +15,22 @@ rules:
     metadata:
       # ok: metadata-owasp
       owasp: A05:2021 - Security Misconfiguration
+  - id: example-k8s-1
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: "K1: Insecure Workload Configurations"
+  - id: example-k8s-1b
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: K01:2022 - Insecure Workload Configurations
   - id: example-bad-zero
     message: Example
     severity: ERROR
@@ -75,6 +91,8 @@ rules:
         - A05:2021 - Security Misconfiguration
         # ok: metadata-owasp
         - A06:2017 - Security Misconfiguration
+        # ok: metadata-owasp
+        - K01:2022 - Insecure Workload Configurations
   - id: example-bad-list
     message: Example
     severity: ERROR

diff --git a/yaml/semgrep/metadata-owasp.yaml b/yaml/semgrep/metadata-owasp.yaml
@@ -2,7 +2,7 @@ rules:
   - id: metadata-owasp
     message: >-
       The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY",
-      where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.
+      where A00 is the OWASP Top 10 number and YYYY is the OWASP Top 10 year.
     severity: ERROR
     languages: [json, yaml]
     patterns:
@@ -13,13 +13,13 @@ rules:
         # If there's a year, need leading zero, e.g. `A01:2021 blah` rather than `A1:2021 blah`.
           - patterns:
               - pattern: 'owasp: "..."'
-              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"'
-              - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^(A|K|LLM)(0?[1-9]|10):\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^(A|K|LLM)(0[1-9]|10):([0-9]{4})?\s+.+$/"'
           # A list, must have the year, e.g. `- A01:2021 blah`
           - patterns:
               - pattern-inside: "owasp: [...]"
               - pattern: '"$ANYTHING"'
-              - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.*
+              - pattern-not-regex: .*(A|K|LLM)(0[1-9]|10):[0-9]{4}\s+.*
               - pattern-not-regex: "owasp:"
     metadata:
       category: best-practice