From d53e57e1c9feda6c62b3e573e16982289a3b6454 Mon Sep 17 00:00:00 2001
From: "r2c-argo[bot]" <89167470+r2c-argo[bot]@users.noreply.github.com>
Date: Wed, 13 Nov 2024 09:14:46 +0100
Subject: [PATCH] Merge Develop into Release (#3515)
* Allow OWASP Top 10 references from Kubernetes and LLM Top 10 (#3499)
Co-authored-by: Berne Campbell <3227426+berney@users.noreply.github.com>
Co-authored-by: Pieter De Cremer (Semgrep)
* Add literal pattern (#3507)
Co-authored-by: Pieter De Cremer (Semgrep)
---------
Co-authored-by: berney
Co-authored-by: Berne Campbell <3227426+berney@users.noreply.github.com>
Co-authored-by: Pieter De Cremer (Semgrep)
Co-authored-by: QU35T-code <51704860+QU35T-code@users.noreply.github.com>
---
 .../security/audit/sequelize-raw-query.yaml | 12 ++++++++++++
 yaml/semgrep/metadata-owasp.test.yaml | 18 ++++++++++++++++++
 yaml/semgrep/metadata-owasp.yaml | 8 ++++----
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/javascript/sequelize/security/audit/sequelize-raw-query.yaml b/javascript/sequelize/security/audit/sequelize-raw-query.yaml
index 368c91473c..176dfe59a3 100644
--- a/javascript/sequelize/security/audit/sequelize-raw-query.yaml
+++ b/javascript/sequelize/security/audit/sequelize-raw-query.yaml
@@ -40,3 +40,15 @@ rules:
 $QUERY = $SQL + $VALUE
 ...
 $DATABASE.sequelize.query($QUERY, ...)
+ - pattern: |
+ Sequelize.literal(`...${...}...`)
+ - pattern: |
+ $QUERY = `...${...}...`
+ ...
+ Sequelize.literal($QUERY)
+ - pattern: |
+ Sequelize.literal($SQL + $VALUE)
+ - pattern: |
+ $QUERY = $SQL + $VALUE
+ ...
+ Sequelize.literal($QUERY)
diff --git a/yaml/semgrep/metadata-owasp.test.yaml b/yaml/semgrep/metadata-owasp.test.yaml
index 0f1946b24f..b7d264c4db 100644
--- a/yaml/semgrep/metadata-owasp.test.yaml
+++ b/yaml/semgrep/metadata-owasp.test.yaml
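Review bot: None of the four new `Sequelize.literal` patterns is exercised by a test fixture in this commit — the diffstat lists only this rule file and the two `metadata-owasp` files — so nothing pins which of the new forms should and should not fire. A case in the rule's companion test file such as `// ruleid: <rule-id>` above `Sequelize.literal(\`... ${untrusted}\`)` (constructed example) and an `// ok: <rule-id>` case with a constant string would document the intent and catch a regression in the `...${...}...` template matching. The new entries also anchor on the static `Sequelize.literal(...)` spelling; if I remember right the instance also exposes `literal`, and since the existing `$DATABASE.sequelize.query` patterns already assume instance usage, a mirrored `$DATABASE.sequelize.literal($QUERY)` entry may be needed for parity. The `patterns`/`pattern-either` list these entries belong to starts above the hunk.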
@@ -15,6 +15,22 @@ rules:
 metadata:
 # ok: metadata-owasp
 owasp: A05:2021 - Security Misconfiguration
+ - id: example-k8s-1
+ message: Example
+ severity: ERROR
+ languages: [json, yaml]
+ pattern: "..."
+ metadata:
+ # ok: metadata-owasp
+ owasp: "K1: Insecure Workload Configurations"
+ - id: example-k8s-1b
+ message: Example
+ severity: ERROR
+ languages: [json, yaml]
+ pattern: "..."
+ metadata:
+ # ok: metadata-owasp
+ owasp: K01:2022 - Insecure Workload Configurations
 - id: example-bad-zero
 message: Example
 severity: ERROR
@@ -75,6 +91,8 @@ rules:
 - A05:2021 - Security Misconfiguration
 # ok: metadata-owasp
 - A06:2017 - Security Misconfiguration
+ # ok: metadata-owasp
+ - K01:2022 - Insecure Workload Configurations
 - id: example-bad-list
 message: Example
 severity: ERROR
diff --git a/yaml/semgrep/metadata-owasp.yaml b/yaml/semgrep/metadata-owasp.yaml
index a0dec878cc..510a3018ee 100644
--- a/yaml/semgrep/metadata-owasp.yaml
+++ b/yaml/semgrep/metadata-owasp.yaml
@@ -2,7 +2,7 @@ rules:
 - id: metadata-owasp
 message: >-
 The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY",
- where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.
+ where A00 is the OWASP Top 10 number and YYYY is the OWASP Top 10 year.
 severity: ERROR
 languages: [json, yaml]
 patterns:
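Review bot: The rule now accepts `LLM` references as well as `K`, but both test hunks (`@@ -15,6` and `@@ -75,6`) add only Kubernetes cases, so the `LLM` branch of the new regexes is never exercised. An `# ok: metadata-owasp` case such as `owasp: LLM01:2023 - Prompt Injection` in the scalar form and another in the list form, plus a negative case like `# ruleid: metadata-owasp` over `owasp: K1:2022 - Insecure Workload Configurations` (year present, no leading zero), would pin the year/leading-zero requirement for the new prefixes the way `example-bad-zero` appears to for `A`. Without these, a later regex edit that drops `LLM` from the alternation would still pass the suite.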
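Review bot: The rewritten `message:` line still tells the author to use the format `"A00:YYYY"`, even though this commit widens the regexes to accept `K` and `LLM` prefixes, so a finding on a Kubernetes or LLM Top 10 reference would steer the author toward an `A` entry. Suggest `should start with the format "A00:YYYY", "K00:YYYY" or "LLM00:YYYY", where the prefix selects the OWASP Top 10, Kubernetes Top 10 or LLM Top 10 list and YYYY is the edition year.` The `patterns:` body that enforces this starts below the hunk.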
@@ -13,13 +13,13 @@ rules:
 # If there's a year, need leading zero, e.g. `A01:2021 blah` rather than `A1:2021 blah`.
 - patterns:
 - pattern: 'owasp: "..."'
- - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"'
- - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"'
+ - pattern-not: 'owasp: "=~/^(A|K|LLM)(0?[1-9]|10):\s+.+$/"'
+ - pattern-not: 'owasp: "=~/^(A|K|LLM)(0[1-9]|10):([0-9]{4})?\s+.+$/"'
 # A list, must have the year, e.g. `- A01:2021 blah`
 - patterns:
 - pattern-inside: "owasp: [...]"
 - pattern: '"$ANYTHING"'
- - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.*
+ - pattern-not-regex: .*(A|K|LLM)(0[1-9]|10):[0-9]{4}\s+.*
 - pattern-not-regex: "owasp:"
 metadata:
 category: best-practice
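Review bot: The context comment above the first `patterns:` block still documents only the `A` form (`# If there's a year, need leading zero, e.g. \`A01:2021 blah\` ...`), while the three regexes below it now accept `K` and `LLM` too, so the accepted lists are named nowhere except inside the alternation. Suggest replacing it with `# Accepted prefixes: A (OWASP Top 10), K (Kubernetes Top 10), LLM (LLM Top 10); if there's a year, the number needs a leading zero, e.g. \`A01:2021 blah\` or \`K01:2022 blah\`.` Separately, the list-form `pattern-not-regex` is unanchored (`.*` prefix) while the scalar-form regexes start with `^`; if the `.*` is there to tolerate a leading quote on quoted list items, a comment saying so would stop a later tightening from breaking them, and if not, `^` would make the three checks consistent. The rule's `patterns:` list starts above the hunk and its `metadata:` block continues past it.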