Merge branch 'develop' into develop

semgrep · Oct 5, 2024 · 6ffec55 · 6ffec55
2 parents 8cf9930 + ecba02c
commit 6ffec55
Show file tree

Hide file tree

Showing 16 changed files with 70 additions and 854 deletions.
diff --git a/.codemapignore b/.codemapignore
@@ -10,7 +10,6 @@
 !libsonnet/
 !scripts/
 !stats/
-# restore also fingerprints/ ? trusted_python/ ? 
 
 # do not skip the rules
 ![a-z]*/**/*.yaml

diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml
@@ -45,5 +45,4 @@ jobs:
             --exclude *.test.yaml \
             --exclude contrib/ \
             --exclude stats/ \
-            --exclude fingerprints/ \
             --exclude yaml/semgrep/
diff --git a/.github/workflows/semgrep-rules-test-develop.yml b/.github/workflows/semgrep-rules-test-develop.yml
@@ -1,3 +1,6 @@
+# Running the tests in the repo using `semgrep test --experimental` and
+# the semgrep/semgrep:pro-develop docker image (the bleeding edge!).
+
 name: semgrep-rules-test-develop
 on:
   pull_request:
@@ -9,26 +12,29 @@ on:
     - develop
     - release
 jobs:
-  # Note: if you change this test there will likely need to be a
-  # corresponding change in returntocorp/semgrep
   test-develop:
     name: rules-test-develop
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
       with:
         path: semgrep-rules
-    - name: delete stats directory
+    - name: run osemgrep validate --pro
+      run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep validate --pro .
+    - name: run osemgrep test --pro
+      run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep test --pro .
+    #TODO: we can delete all the rest below and also scripts/run-tests
+    - name: delete directories not containing rules
       run: rm -rf semgrep-rules/stats
-    - name: delete fingerprints directory
-      run: rm -rf semgrep-rules/fingerprints
     - name: delete rules requiring Semgrep Pro
       run: rm -rf semgrep-rules/apex semgrep-rules/elixir
+    # TODO: this takes 1m20 in CI and could be optimized by switching to osemgrep
     - name: validate rules
       run: |
-        export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:develop semgrep"
+        export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep"
         make -C "$GITHUB_WORKSPACE"/semgrep-rules validate
-    - name: test with semgrep develop branch
+    # this now takes 21s with osemgrep instead of 3min with pysemgrep
+    - name: test with semgrep pro develop branch and with --experimental
       run: |
-        export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:develop semgrep"
+        export SEMGREP="docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep --experimental"
         make -C "$GITHUB_WORKSPACE"/semgrep-rules test-only
diff --git a/.github/workflows/semgrep-rules-test-historical.yml b/.github/workflows/semgrep-rules-test-historical.yml
@@ -32,8 +32,6 @@ jobs:
       run: pip3 install semgrep
     - name: delete stats directory
       run: rm -rf semgrep-rules/stats
-    - name: delete fingerprints directory
-      run: rm -rf semgrep-rules/fingerprints
     - name: delete rules requiring Semgrep Pro
       run: rm -rf semgrep-rules/apex semgrep-rules/elixir
     # TODO: remove this in the future, there was a regression in semgrep that

diff --git a/.github/workflows/semgrep-rules-test.yml b/.github/workflows/semgrep-rules-test.yml
@@ -21,8 +21,6 @@ jobs:
       run: pip3 install semgrep
     - name: remove stats directory
       run: rm -rf stats
-    - name: remove fingerprints from testing
-      run: rm -rf fingerprints
     - name: remove rules requiring Semgrep Pro
       run: rm -rf apex elixir
     - name: validate rules

diff --git a/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml b/.github/workflows/trigger-semgrep-scanner-initiate-scan.yaml
@@ -21,7 +21,7 @@ jobs:
         env:
           HEAD_REF: ${{ github.head_ref }}
         run: |
-          CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|contrib|fingerprints|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
+          CHANGED_FILES=$(git diff --name-only origin/develop origin/$HEAD_REF | xargs -0 | sed '/^$/d' | sed -r '/^(.github|bash|generic|json|problem-based-packs|scripts|stats|trusted_python|yaml)/d' | sed -n '/.*yaml/p' | tr '\n' ' ')
           echo "changed_files=$CHANGED_FILES" >> $GITHUB_ENV
       - id: print-changed-files
         name: debugging step - print changed files

diff --git a/dockerfile/security/dockerd-socket-mount.dockerfile b/dockerfile/security/dockerd-socket-mount.dockerfile
@@ -0,0 +1,11 @@
+FROM docker:latest
+
+WORKDIR /app
+
+# ruleid: dockerfile-dockerd-socket-mount
+VOLUME /var/run/docker.sock:/var/run/docker.sock
+
+# ok: dockerfile-dockerd-socket-mount
+VOLUME ./app/main.py:/main.py
+
+CMD ["docker", "images"]
diff --git a/dockerfile/security/dockerd-socket-mount.yaml b/dockerfile/security/dockerd-socket-mount.yaml
@@ -0,0 +1,36 @@
+rules:
+  - id: dockerfile-dockerd-socket-mount
+    message: >-
+        The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container
+        to escape container and execute arbitrary commands on the host machine.
+    languages:
+      - dockerfile
+      - yaml
+    severity: ERROR
+    metadata:
+      cwe:
+        - "CWE-862: Missing Authorization"
+        - "CWE-269: Improper Privilege Management"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      subcategory:
+        - audit
+      technology:
+        - dockerfile
+      category: security
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
+        - https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/
+        - https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html
+    pattern-either:
+      - patterns:
+        - pattern: VOLUME $X
+        - metavariable-regex:
+            metavariable: $X
+            regex: "/var/run/docker.sock"
+      - patterns:
+        - pattern-regex: '- "/var/run/docker.sock:.*"'
+        - pattern-inside: |
+            volumes:
+              ...
diff --git a/dockerfile/security/missing-user-entrypoint.dockerfile b/dockerfile/security/missing-user-entrypoint.dockerfile
@@ -9,6 +9,5 @@ RUN pip3 install semgrep
 # ruleid: missing-user-entrypoint
 ENTRYPOINT semgrep -f p/xss
 
-# TODO: metavar bug
-# ok: missing-user-entrypoint
+# ruleid: missing-user-entrypoint
 ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
diff --git a/dockerfile/security/missing-user-entrypoint.fixed.dockerfile b/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
@@ -10,6 +10,6 @@ RUN pip3 install semgrep
 USER non-root
 ENTRYPOINT semgrep -f p/xss
 
-# TODO: metavar bug
-# ok: missing-user-entrypoint
+# ruleid: missing-user-entrypoint
+USER non-root
 ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
diff --git a/dockerfile/security/missing-user.dockerfile b/dockerfile/security/missing-user.dockerfile
@@ -12,6 +12,5 @@ CMD semgrep -f p/xss
 # ruleid: missing-user
 CMD semgrep --config localfile targets
 
-# TODO: metavar ellipses bug
-# ok: missing-user
+# ruleid: missing-user
 CMD ["semgrep", "--version"]
diff --git a/dockerfile/security/missing-user.fixed.dockerfile b/dockerfile/security/missing-user.fixed.dockerfile
@@ -14,6 +14,6 @@ CMD semgrep -f p/xss
 USER non-root
 CMD semgrep --config localfile targets
 
-# TODO: metavar ellipses bug
-# ok: missing-user
+# ruleid: missing-user
+USER non-root
 CMD ["semgrep", "--version"]