From e37dfb41fb4047439032809a2f6a12d04725f402 Mon Sep 17 00:00:00 2001 From: yql70 Date: Tue, 16 Aug 2022 14:35:28 +0800 Subject: [PATCH 1/2] :art:add semgrep rules --- .../management/commands/open_source/semgrep.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json b/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json
index ebc0995dc..e50462d9d 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source/semgrep.json
@@ -15438,6 +15438,20 @@
 ],
 "labels": []
 },
+ {
+ "real_name": "owasp.java.xxe.org.xml.sax.XMLReader",
+ "display_name": "Owasp.java.xxe.org.xml.sax.xmlreader",
+ "severity": "error",
+ "category": "security",
+ "rule_title": "contrib.owasp: owasp.java.xxe.org.xml.sax.XMLReader",
+ "description": "XMLReader being instantiated without calling the setFeature functions that are generally used for disabling entity processing\n",
+ "rule_params": null,
+ "solution": null,
+ "languages": [
+ "java"
+ ],
+ "labels": []
+ },
 {
 "real_name": "insecure-pickle-use",
 "display_name": "InsecurePickleUse",
From 4e5a901317f76cab78a46f77f4b8617677665195 Mon Sep 17 00:00:00 2001 From: yql70 Date: Tue, 16 Aug 2022 14:44:15 +0800 Subject: [PATCH 2/2] =?UTF-8?q?:art:=E5=9F=BA=E7=A1=80=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E8=A7=84=E5=88=99=E5=8C=85=E6=96=B0=E5=A2=9E=E8=A7=84=E5=88=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../open_source_package/safety_go.json | 14 ++ .../open_source_package/safety_java.json | 147 ++++++++++++++++++ .../open_source_package/safety_php.json | 63 ++++++++ .../open_source_package/safety_python.json | 49 ++++++ 4 files changed, 273 insertions(+)
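Review bot: The new `owasp.java.xxe.org.xml.sax.XMLReader` entry ships with `"solution": null`, so a developer who receives this finding is told that entity processing was not disabled but not which calls fix it; for an XXE rule the remediation is well defined and worth recording. I would fill `solution` with a one-line text such as: before `parse()`, call `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` on the reader, and set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false` if DOCTYPEs must be accepted. The `display_name` `Owasp.java.xxe.org.xml.sax.xmlreader` looks mechanically capitalised from `real_name` (note the lowercased `xmlreader`), unlike the visible neighbour `InsecurePickleUse`; a consistent derivation, or a hand-written name, would read better in the UI. The second patch's safety_java.json references several other `owasp.java.xxe.*` and `owasp.java.ssrf.*` checkrules that this patch does not add, so presumably they already exist in semgrep.json — worth confirming, since otherwise that package points at undefined rules.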
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json
index cda9124f5..4c3f25af0 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_go.json
@@ -339,6 +339,20 @@
 "severity": "warning",
 "rule_params": null,
 "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "use-of-md5",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "raw-html-format",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
 }
 ],
 "open_saas": true,
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json
index 9b8e3f3df..7a1a0824f 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_java.json
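Review bot: `use-of-md5` and `raw-html-format` are bare rule ids that this same commit also enables in the Java and Python packages, and the first patch suggests `checkrule` is resolved against a single `real_name` entry in semgrep.json that carries its own `languages` list; if that is how resolution works, the shared `use-of-md5` and `raw-html-format` entries must list `go` in `languages`, or this package enables rules that never fire on Go code. Please confirm those two semgrep.json entries cover Go (the OWASP rules in safety_java.json avoid this by using language-qualified names). `warning` for both is reasonable here, since a Go `crypto/md5` use is often a non-security checksum, and it matches the Java entry. The array these entries sit in starts before this hunk.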
@@ -235,6 +235,153 @@
 "rule_params": null,
 "state": "enabled"
 },
+ {
+ "checktool": "semgrep",
+ "checkrule": "jjwt-none-alg",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "formatted-sql-string",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "cookie-missing-secure-flag",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-session-from-http-request",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "cookie-missing-httponly",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "weak-random",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "use-of-md5",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "cve-2022-22965",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-sql-string",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-file-path",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-html-string",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.ssrf.java.net.url",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.javax.xml.stream.XMLInputFactory",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": 
"owasp.java.ssrf.org.apache.commons.httpclient",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.ssrf.org.apache.http.impl.client.CloseableHttpClient",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.org.apache.commons.digester3.Digester",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.org.jdom2.input.SAXBuilder",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.org.dom4j.io.SAXReader",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.org.xml.sax.XMLReader",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "owasp.java.xxe.javax.xml.parsers.SAXParserFactory",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
 {
 "checktool": "infer_java",
 "checkrule": "BUFFER_OVERRUN_L1",
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json
index 86dc20ace..122c73cd2 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_php.json
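Review bot: `owasp.java.xxe.javax.xml.stream.XMLInputFactory` is enabled at `warning` while the other six `owasp.java.xxe.*` rules in this hunk (DocumentBuilderFactory, SAXParserFactory, SAXReader, SAXBuilder, Digester, XMLReader) are `error`; an `XMLInputFactory` left with DTD support and external entities enabled is the same XXE class as those parsers, so its entry should read `"severity": "error",`. `cve-2022-22965` at `warning` is also low for a rule that detects an unauthenticated remote code execution path, sitting below `formatted-sql-string` and `tainted-sql-string` at `error`. If the intended convention is pattern-only rules at `warning` and taint rules at `error`, that does not hold either, since the OWASP XXE/SSRF rules are pattern-based and at `error`; stating the severity policy in the commit message would let the next editor apply it consistently. The array these entries belong to starts before this hunk and ends after it.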
@@ -115,6 +115,69 @@
 "severity": "warning",
 "rule_params": null,
 "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "exec-use",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "unserialize-use",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "eval-use",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "weak-crypto",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "md5-loose-equality",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "file-inclusion",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-sql-string",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-object-instantiation",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-filename",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
 }
 ],
 "open_saas": false,
diff --git a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json
index 1a0f94291..4ddcb96c6 100644
--- a/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json
+++ b/server/projects/main/apps/scan_conf/management/commands/open_source_package/safety_python.json
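Review bot: `tainted-filename` is enabled at `warning` here while `file-inclusion` in the same hunk and the same-class Java rule `tainted-file-path` added by this commit are both `error`; a tainted filename reaching a filesystem call is path traversal with the same impact in PHP, so `"severity": "error",` for `tainted-filename` would keep the packages consistent. `tainted-object-instantiation` at `warning` is in the same position, since attacker-chosen class names are an object-injection primitive comparable to `unserialize()` on untrusted data. `unserialize-use` at `warning` is defensible if the rule fires on every `unserialize()` call regardless of data source (which its name suggests but this hunk does not show), so that one I would leave, ideally with the severity policy stated in the commit message. The array these entries belong to starts before this hunk.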
@@ -318,6 +318,55 @@
 "severity": "error",
 "rule_params": null,
 "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "template-href-var",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "render-template-string",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "raw-html-format",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "tainted-sql-string",
+ "severity": "error",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "formatted-sql-query",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "md5-used-as-password",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
+ },
+ {
+ "checktool": "semgrep",
+ "checkrule": "insecure-requests-use",
+ "severity": "warning",
+ "rule_params": null,
+ "state": "enabled"
 }
 ],
 "open_saas": true,
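Review bot: `formatted-sql-query` is enabled at `warning` for Python while the Java counterpart added in this commit, `formatted-sql-string`, is `error`; by their names both flag SQL assembled with string formatting without requiring a taint source, so one of the two should change (`"severity": "error",` here, or `warning` in safety_java.json) for the packages to agree. `render-template-string` at `warning` also deserves a second look: a format-built template handed to Flask's `render_template_string` is server-side template injection, which in Jinja2 reaches code execution, so it belongs with the `error` rules rather than the cookie-flag class. `md5-used-as-password` and `insecure-requests-use` at `warning` read fine. The array these entries belong to starts before this hunk.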