Merge Develop into Release

.codemapignore

@@ -0,0 +1,19 @@
+# -*- sh -*-
+# gitignore-like file for Codemap (see https://github.com/aryx/codemap)
+# The goal here is to just show and count the rules in codemap
+
+# skipping all files, targets and rules (but rules will be restored below)
+[a-z]*/**/*.*
+
+# restore directories which are not languages
+# coupling: see scripts/run-test rule_folders variable
+!libsonnet/
+!scripts/
+!stats/
+# restore also fingerprints/ ? trusted_python/ ? 
+
+# do not skip the rules
+![a-z]*/**/*.yaml
+
+# pad stuff
+/TODO/

.github/workflows/update-semgrep-dev.yml

@@ -7,9 +7,9 @@ on:
 
 jobs:
   do-update:
-    if: github.repository == 'returntocorp/semgrep-rules'
+    if: github.repository == 'semgrep/semgrep-rules'
     name: Update semgrep.dev
     runs-on: ubuntu-latest
     steps:
     - name: update semgrep.dev
-      run: curl --fail -X POST -L https://semgrep.dev/api/admin/update-registry
+      run: curl --fail -X POST -L https://semgrep.dev/api/admin/update-registry?rule_type=sast

.github/workflows/update-semgrep-staging-dev.yml

@@ -7,12 +7,12 @@ on:
 
 jobs:
   do-update:
-    if: github.repository == 'returntocorp/semgrep-rules'
+    if: github.repository == 'semgrep/semgrep-rules'
     name: Update semgrep.dev
     runs-on: ubuntu-latest
     steps:
     - name: update dev.semgrep.dev
-      run: curl --fail -X POST -L https://dev.semgrep.dev/api/admin/update-registry
+      run: curl --fail -X POST -L https://dev.semgrep.dev/api/admin/update-registry?rule_type=sast
       continue-on-error: true
     - name: update staging.semgrep.dev
-      run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry
+      run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry?rule_type=sast

generic/secrets/gitleaks/aws-access-token.yaml

@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+    - pattern-regex: (?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}

generic/secrets/gitleaks/hashicorp-tf-password.txt

@@ -0,0 +1,2 @@
+// ruleid: hashicorp-tf-password
+administrator_login_password = "thisIsDog11"

generic/secrets/gitleaks/hashicorp-tf-password.yaml

@@ -0,0 +1,26 @@
+rules:
+- id: hashicorp-tf-password
+  message: A gitleaks hashicorp-tf-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: (?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$)

generic/secrets/security/detected-aws-access-key-id-value.yaml

@@ -1,7 +1,7 @@
 rules:
 - id: detected-aws-access-key-id-value
   patterns:
-  - pattern-regex: (A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
+  - pattern-regex: \b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b
   - pattern-not-regex: (?i)example|sample|test|fake
   languages: [regex]
   message: AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded

java/servlets/security/cookie-issecure-false.java

@@ -3,12 +3,6 @@ public void bad1() {
               // ruleid: cookie-issecure-false
               Cookie cookie = new Cookie("name", "value");
           }
-
-          public void bad2() {
-              // ruleid: cookie-issecure-false
-              Cookie cookie = new Cookie("name", "value");
-              cookie.setSecure(false);
-          }
    }
 
  public class Ok {

java/servlets/security/cookie-issecure-false.yaml

@@ -1,36 +1,36 @@
 rules:
-- id: cookie-issecure-false
-  patterns:
-  - pattern: |
-      $COOKIE = new Cookie(...);
-  - pattern-not-inside: |
-      $COOKIE = new Cookie(...);
-      ...
-      $COOKIE.setSecure(true);
-  message: >-
-    Default session middleware settings: `setSecure` not set to true.
-    This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
-  fix-regex:
-    regex: setSecure\(false\)
-    replacement: setSecure(true)
-  metadata:
-    vulnerability: Insecure Transport
-    owasp:
-    - A03:2017 - Sensitive Data Exposure
-    - A02:2021 - Cryptographic Failures
-    cwe:
-    - 'CWE-319: Cleartext Transmission of Sensitive Information'
-    references:
-    - https://tomcat.apache.org/tomcat-5.5-doc/servletapi/
-    category: security
-    technology:
-    - servlet
-    - tomcat
-    subcategory:
-    - audit
-    likelihood: LOW
-    impact: LOW
-    confidence: LOW
-  languages:
-  - java
-  severity: WARNING
+  - id: cookie-issecure-false
+    patterns:
+      - pattern: $COOKIE = new Cookie($...ARGS);
+      - pattern-not-inside: |
+          $COOKIE = new Cookie(...);
+          ...
+          $COOKIE.setSecure(...);
+    message: "Default session middleware settings: `setSecure` not set to true. This
+      ensures that the cookie is sent only over HTTPS to prevent cross-site
+      scripting attacks."
+    fix: |
+        $COOKIE = new Cookie($...ARGS);
+        $COOKIE.setSecure(true);
+    metadata:
+      vulnerability: Insecure Transport
+      owasp:
+        - A03:2017 - Sensitive Data Exposure
+        - A02:2021 - Cryptographic Failures
+      cwe:
+        - "CWE-319: Cleartext Transmission of Sensitive Information"
+      references:
+        - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
+        - https://owasp.org/www-community/controls/SecureCookieAttribute
+      category: security
+      technology: 
+       - java
+       - cookie
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: LOW
+      confidence: LOW
+    languages:
+      - java
+    severity: WARNING

java/servlets/security/cookie-setSecure.java

@@ -0,0 +1,16 @@
+public class Bad {
+
+          public void bad2() {
+              Cookie cookie = new Cookie("name", "value");
+              // ruleid: cookie-setSecure
+              cookie.setSecure(false);
+          }
+   }
+
+ public class Ok {
+          public void ok1() {
+             // ok: cookie-setSecure
+             Cookie cookie = new Cookie("name", "value");
+             cookie.setSecure(true);
+          }
+}

java/servlets/security/cookie-setSecure.yaml

@@ -0,0 +1,41 @@
+rules:
+  - id: cookie-setSecure
+    patterns:
+      - patterns:
+          - pattern-inside: |
+              $COOKIE = new Cookie(...);
+              ...
+          - pattern: |
+              $COOKIE.setSecure(false);
+      - pattern-not-inside: |
+          $COOKIE = new Cookie(...);
+          ...
+          $COOKIE.setSecure(true);
+    message: "Default session middleware settings: `setSecure` not set to true. This
+      ensures that the cookie is sent only over HTTPS to prevent cross-site
+      scripting attacks."
+    fix-regex:
+      regex: setSecure\(false\)
+      replacement: setSecure(true)
+    metadata:
+      vulnerability: Insecure Transport
+      owasp:
+        - A03:2017 - Sensitive Data Exposure
+        - A02:2021 - Cryptographic Failures
+      cwe:
+        - "CWE-319: Cleartext Transmission of Sensitive Information"
+      references:
+        - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
+        - https://owasp.org/www-community/controls/SecureCookieAttribute
+      category: security
+      technology: 
+       - java
+       - cookie
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: LOW
+      confidence: LOW
+    languages:
+      - java
+    severity: WARNING

javascript/jsonwebtoken/security/jwt-hardcode.yaml

@@ -36,28 +36,17 @@ rules:
   severity: WARNING
   mode: taint
   pattern-sources:
-  - patterns:
-    - pattern-either:
-      - patterns:
+    - patterns:
+        - pattern: |
+            $X = '...' 
+        - pattern: |
+            $X = '$Y' 
+    - patterns:
+      - pattern-either: 
         - pattern-inside: |
-            $VALUE = '$Y' 
-            ...
-        - pattern: $VALUE
-      - patterns:
-        - pattern-either:
-          - pattern-inside: $JWT.sign($VALUE, $Y,...)
-          - pattern-inside: $JWT.verify($VALUE, $Y,...)
-        - focus-metavariable: $Y
-        - pattern: >
-            '...'
-      - patterns:
+            $JWT.sign($DATA,"...",...);
         - pattern-inside: |
-            $SECRET = "$Y"
-            ...
-            class $FUNC {
-              ...
-            }
-        - pattern: $SECRET
+            $JWT.verify($DATA,"...",...);
   pattern-sinks:
   - patterns:
     - pattern-either:

ocaml/lang/security/digest.ml

@@ -0,0 +1,3 @@
+(* ruleid:ocamllint-digest *)
+let a = Digest.string "asd" in
+  Printf.printf "%s\n" a

ocaml/lang/security/digest.yaml

@@ -0,0 +1,25 @@
+rules:
+  - id: ocamllint-digest
+    pattern-either: 
+      - pattern: Digest.string
+      - pattern: Digest.bytes
+      - pattern: Digest.substring
+      - pattern: Digest.subbytes
+      - pattern: Digest.channel
+      - pattern: Digest.file
+    message: Digest uses MD5 and should not be used for security purposes. Consider using SHA256 instead.
+    languages: [ocaml]
+    severity: WARNING
+    metadata:
+      category: security
+      references:
+      - https://v2.ocaml.org/api/Digest.html
+      technology:
+        - ocaml
+      cwe: "CWE-328: Use of Weak Hash (4.12)"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: MEDIUM
+      subcategory:
+        - audit
+

ocaml/lang/security/exec.ml

@@ -0,0 +1,12 @@
+#load "unix.cma";;
+let p = String.concat "ls " [" "; Sys.argv.(1)]
+(* ruleid:ocamllint-exec *)
+let a = Unix.execve p
+(* ruleid:ocamllint-exec *)
+let b = Unix.execvp p
+(* ruleid:ocamllint-exec *)
+let c = Unix.execvpe p
+(* ruleid:ocamllint-exec *)
+let d = Unix.system p
+(* ruleid:ocamllint-exec *)
+let e = Sys.command p

ocaml/lang/security/exec.yaml

@@ -0,0 +1,29 @@
+rules:
+  - id: ocamllint-exec
+    patterns:
+      - pattern-either:
+        - pattern: Unix.execve $STR
+        - pattern: Unix.execvp $STR
+        - pattern: Unix.execvpe $STR
+        - pattern: Unix.system $STR
+        - pattern: Sys.command $STR
+      - pattern-not: Unix.execve "..."
+      - pattern-not: Unix.execvp "..."
+      - pattern-not: Unix.execvpe "..."
+      - pattern-not: Unix.system "..."
+      - pattern-not: Sys.command "..."
+    message: Executing external programs might lead to comand or argument injection vulnerabilities.
+    languages: [ocaml]
+    severity: WARNING
+    metadata:
+      category: security
+      references:
+      - https://v2.ocaml.org/api/Unix.html
+      technology:
+        - ocaml
+      cwe: "CWE-78: OS Command Injection"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: HIGH
+      subcategory:
+        - audit

ocaml/lang/security/filenameconcat.ml

@@ -0,0 +1,3 @@
+(* ruleid:ocamllint-filenameconcat *)
+let ofile = Filename.concat "test" "../data" in
+Printf.printf "%s\n" ofile

ocaml/lang/security/filenameconcat.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: ocamllint-filenameconcat
+    pattern: Filename.concat
+    message: When attacker supplied data is passed to Filename.concat directory traversal attacks might be possible.
+    languages: [ocaml]
+    severity: WARNING
+    metadata:
+      category: security
+      references:
+      - https://v2.ocaml.org/api/Filename.html
+      technology:
+        - ocaml
+      cwe: "CWE-35: Path Traversal"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: MEDIUM
+      subcategory:
+        - audit

ocaml/lang/security/hashtable-dos.ml

@@ -0,0 +1,8 @@
+(* ruleid:ocamllint-hashtable-dos *)
+let h = Hashtbl.create 16 in
+for i = 1 to 1000 do Hashtbl.add h i (i * 2) done;
+Printf.printf "%i elements\n" (Hashtbl.length h);
+
+let j = Hashtbl.create 16 ~random:true in
+for i = 1 to 1000 do Hashtbl.add j i (i * 2) done;
+Printf.printf "%i elements\n" (Hashtbl.length j);