Merge branch 'develop' into yosef/saf-1000-naming-regressions

ai/csharp/detect-openai.yaml

@@ -10,7 +10,7 @@ rules:
       - pattern: (ChatClient $CLIENT).$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/dart/detect-gemini.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: final $MODEL = GenerativeModel(...);
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/generic/detect-generic-ai-anthprop.yaml

@@ -10,7 +10,7 @@ rules:
       - pattern: claude
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/generic/detect-generic-ai-api.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: api.openai.com
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/generic/detect-generic-ai-gem.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: GoogleGenerativeAI
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/generic/detect-generic-ai-oai.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: OpenAI
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/go/detect-gemini.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: genai.NewClient(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/go/detect-openai.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: gogpt.NewClient(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/kotlin/detect-gemini.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: GenerativeModel(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-anthropic.yaml

@@ -12,7 +12,7 @@ rules:
       - pattern: $CLIENT.messages.$FUNC(...,model=...,...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-gemini.yaml

@@ -8,7 +8,7 @@ rules:
       - pattern: import google.generativeai
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-huggingface.yaml

@@ -8,7 +8,7 @@ rules:
       - pattern: import huggingface_hub
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-langchain.yaml

@@ -17,7 +17,7 @@ rules:
       - pattern: import langchain
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-mistral.yaml

@@ -10,7 +10,7 @@ rules:
       - pattern: $CLIENT.chat(...,model=...,...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-openai.yaml

@@ -11,7 +11,7 @@ rules:
       - pattern: $CLIENT.chat.completions.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-pytorch.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: torch.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/python/detect-tensorflow.yaml

@@ -8,7 +8,7 @@ rules:
       - pattern: import tensorflow
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/swift/detect-apple-core-ml.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: MLModelConfiguration(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/swift/detect-gemini.yaml

@@ -9,7 +9,7 @@ rules:
       - pattern: GenerativeModel(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/typescript/detect-anthropic.yaml

@@ -12,7 +12,7 @@ rules:
       - pattern: anthropic.messages.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/typescript/detect-gemini.yaml

@@ -12,7 +12,7 @@ rules:
       - pattern: $GENAI.getGenerativeModel(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/typescript/detect-mistral.yaml

@@ -12,7 +12,7 @@ rules:
           $CLIENT.chat({model: ...})
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/typescript/detect-openai.yaml

@@ -12,7 +12,7 @@ rules:
       - pattern: $CLIENT.chat.completions.$FUNC(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/typescript/detect-promptfoo.yaml

@@ -10,7 +10,7 @@ rules:
       - pattern: promptfoo.evaluate(...)
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

ai/typescript/detect-vercel-ai.yaml

@@ -12,7 +12,7 @@ rules:
       - pattern: generateText({prompt:...})
     metadata:
       references:
-        - http://semgrep.dev/blog/2024/detecting-shadow-ai
+        - https://semgrep.dev/blog/2024/detecting-shadow-ai
       category: maintainability
       technology:
         - genAI

csharp/lang/security/sqli/csharp-sqli.cs

@@ -135,17 +135,21 @@ public void sqli11(string sqli)
          }
       }
 
-      public void sqli12(string sqli)
-      {
-         using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) {
-            connection.Open();
-            SqlCommand command= connection.CreateCommand();
-            // ruleid: csharp-sqli
-            command.CommandText = sqli;
-            command.CommandTimeout = 15;
-            command.CommandType = CommandType.Text;
-         }
-      }
+        public void sqli2(string sqli)
+        {
+            using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) {
+               connection.Open();
+               SqlCommand command= connection.CreateCommand();
+               // ruleid: csharp-sqli
+               command.CommandText = String.Format("SELECT c.name AS column_name,t.name AS type_name,c.max_length,c.precision,c.scale,             CAST(CASE WHEN EXISTS(SELECT * FROM sys.index_columns AS i WHERE i.object_id=c.object_id AND i.column_id=c.column_id) THEN 1 ELSE 0 END AS BIT) AS column_indexed             FROM sys.columns AS c              JOIN sys.types AS t ON c.user_type_id=t.user_type_id              WHERE c.object_id = OBJECT_ID('{0}')              ORDER BY c.column_id;", sqli);
+               command.CommandTimeout = 15;
+               command.CommandType = CommandType.Text;
+               await using var connection = new SqlConnection(configuration.GetVaultConnectionString(sqli, "B", true));
+               await using var command = connection.CreateCommand();
+               // ok: csharp-sqli
+               command.CommandText = "SELECT 1;";
+            }
+        }
 
       public void sqli13()
       {

csharp/lang/security/sqli/csharp-sqli.yaml

@@ -18,8 +18,10 @@ rules:
               - pattern: |
                   new $PATTERN($CMD,...)
               - focus-metavariable: $CMD
-            - pattern: |
-                $CMD.$PATTERN = ...;
+            - patterns:
+              - pattern: |
+                  $CMD.$PATTERN = $VALUE;
+              - focus-metavariable: $VALUE
           - metavariable-regex:
               metavariable: $PATTERN
               regex: ^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$

python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml

@@ -2,7 +2,9 @@ rules:
 - id: insecure-cipher-algorithm-blowfish
   message: >-
     Detected Blowfish cipher algorithm which is considered insecure. This algorithm
-    is not cryptographically secure and can be reversed easily. Use AES instead.
+    is not cryptographically secure and can be reversed easily.
+    Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits.
+    When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
     cwe:
@@ -13,14 +15,20 @@ rules:
     bandit-code: B304
     references:
     - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption
+    - https://www.pycryptodome.org/src/cipher/cipher
     category: security
     technology:
     - pycryptodome
     subcategory:
     - vuln
     likelihood: LOW
     impact: MEDIUM
-    confidence: MEDIUM
+    confidence: HIGH
+    functional-categories:
+    - crypto::search::symmetric-algorithm::pycryptodome
+    - crypto::search::symmetric-algorithm::pycryptodomex
+  options:
+    symbolic_propagation: true
   severity: WARNING
   languages:
   - python

python/pycryptodome/security/insecure-cipher-algorithm-des.yaml

@@ -1,8 +1,10 @@
 rules:
 - id: insecure-cipher-algorithm-des
   message: >-
-    Detected DES cipher algorithm which is considered insecure. This algorithm
-    is not cryptographically secure and can be reversed easily. Use AES instead.
+    Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm
+    is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead.
+    Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits.
+    When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
     cwe:
@@ -13,17 +15,25 @@ rules:
     bandit-code: B304
     references:
     - https://cwe.mitre.org/data/definitions/326.html
+    - https://www.pycryptodome.org/src/cipher/cipher
     category: security
     technology:
     - pycryptodome
     subcategory:
     - vuln
     likelihood: LOW
     impact: MEDIUM
-    confidence: MEDIUM
+    confidence: HIGH
+    functional-categories:
+    - crypto::search::symmetric-algorithm::pycryptodome
+    - crypto::search::symmetric-algorithm::pycryptodomex
+  options:
+    symbolic_propagation: true
   severity: WARNING
   languages:
   - python
   pattern-either:
   - pattern: Cryptodome.Cipher.DES.new(...)
   - pattern: Crypto.Cipher.DES.new(...)
+  - pattern: Cryptodome.Cipher.DES3.new(...)
+  - pattern: Crypto.Cipher.DES3.new(...)

python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml

@@ -2,7 +2,9 @@ rules:
 - id: insecure-cipher-algorithm-rc2
   message: >-
     Detected RC2 cipher algorithm which is considered insecure. This algorithm
-    is not cryptographically secure and can be reversed easily. Use AES instead.
+    is not cryptographically secure and can be reversed easily.
+    Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits.
+    When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
     cwe:
@@ -13,14 +15,20 @@ rules:
     bandit-code: B304
     references:
     - https://cwe.mitre.org/data/definitions/326.html
+    - https://www.pycryptodome.org/src/cipher/cipher
     category: security
     technology:
     - pycryptodome
     subcategory:
     - vuln
     likelihood: LOW
     impact: MEDIUM
-    confidence: MEDIUM
+    confidence: HIGH
+    functional-categories:
+    - crypto::search::symmetric-algorithm::pycryptodome
+    - crypto::search::symmetric-algorithm::pycryptodomex
+  options:
+    symbolic_propagation: true
   severity: WARNING
   languages:
   - python