3.7 Depends On Tags
Gabe Stocco edited this page Mar 8, 2023 · 1 revision
Starting with Application Inspector 1.8, Rules can depend on tags existing in the overall matches from the run.

At the end of an analysis run, matches for Rules with `depends_on_tags` will be removed unless all their `depends_on_tags` exist in the overall set of tags for the analysis run.
- `depends_on_tags` is not compatible with `TagsOnly` mode, which does not collect the full match data necessary to perform the depends-on validation at the end of the run.
- When `depends_on_tags` is set on a Rule which also overrides another rule with the `override` field, the overridden rule must have all of the overrider's `depends_on_tags`, as the overridden rules are not tracked to be restored if the overrider is removed based on its `depends_on_tags`. This restriction is detected by the RulesVerifier.
```json
[
  {
    "id": "SA000005",
    "name": "Testing.Rules.DependsOnTags.OneWay",
    "tags": [
      "Dependant"
    ],
    "depends_on_tags": ["Dependee"],
    "severity": "Critical",
    "description": "This rule finds windows 2000",
    "patterns": [
      {
        "pattern": "windows 2000",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": "This rule depends on the Dependee tag"
  },
  {
    "id": "SA000006",
    "name": "Testing.Rules.DependsOnTags.OneWay",
    "tags": [
      "Dependee"
    ],
    "severity": "Critical",
    "description": "This rule finds linux",
    "patterns": [
      {
        "pattern": "linux",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": "This rule sets the dependee tag"
  }
]
```
```json
[
  {
    "id": "SA000005",
    "name": "Testing.Rules.DependsOnTags.TwoWay",
    "tags": [
      "RuleOne"
    ],
    "depends_on_tags": ["RuleTwo"],
    "severity": "Critical",
    "description": "This rule finds windows 2000",
    "patterns": [
      {
        "pattern": "windows 2000",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": "This rule depends on the RuleTwo tag"
  },
  {
    "id": "SA000006",
    "name": "Testing.Rules.DependsOnTags.TwoWay",
    "tags": [
      "RuleTwo"
    ],
    "depends_on_tags": ["RuleOne"],
    "severity": "Critical",
    "description": "This rule finds linux",
    "patterns": [
      {
        "pattern": "linux",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": "This rule depends on the RuleOne tag"
  }
]
```
```json
[
  {
    "id": "SA000001",
    "name": "Testing.Rules.DependsOnTags.Chain.A",
    "tags": [
      "Category.A"
    ],
    "severity": "Critical",
    "description": "This rule finds A",
    "patterns": [
      {
        "pattern": "A",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": ""
  },
  {
    "id": "SA000002",
    "name": "Testing.Rules.DependsOnTags.Chain.B",
    "tags": [
      "Category.B"
    ],
    "depends_on_tags": ["Category.A"],
    "severity": "Critical",
    "description": "This rule finds B",
    "patterns": [
      {
        "pattern": "B",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": ""
  },
  {
    "id": "SA000003",
    "name": "Testing.Rules.DependsOnTags.Chain.C",
    "tags": [
      "Category.C"
    ],
    "depends_on_tags": ["Category.B"],
    "severity": "Critical",
    "description": "This rule finds C",
    "patterns": [
      {
        "pattern": "C",
        "type": "regex",
        "confidence": "High",
        "modifiers": [
          "m"
        ],
        "scopes": [
          "code"
        ]
      }
    ],
    "_comment": ""
  }
]
```
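The pruning step applied to the two-way and chain rule sets above, as an added Python illustration rather than Application Inspector's own code. `scan`, `prune_once`, `prune` and `surviving_ids` are hypothetical names, the sample texts are constructed, and repeating the pass until nothing more is removed is an assumption suggested by the chain rules; the page does not state it.

```python
import re

# Chain and two-way rules from the page, reduced to the fields used here.
CHAIN = [
    {"id": "SA000001", "tags": ["Category.A"], "pattern": "A"},
    {"id": "SA000002", "tags": ["Category.B"],
     "depends_on_tags": ["Category.A"], "pattern": "B"},
    {"id": "SA000003", "tags": ["Category.C"],
     "depends_on_tags": ["Category.B"], "pattern": "C"},
]
TWO_WAY = [
    {"id": "SA000005", "tags": ["RuleOne"],
     "depends_on_tags": ["RuleTwo"], "pattern": "windows 2000"},
    {"id": "SA000006", "tags": ["RuleTwo"],
     "depends_on_tags": ["RuleOne"], "pattern": "linux"},
]

def scan(rules, text):
    """Stand-in for the real scan: one match per rule whose regex hits."""
    return [r for r in rules if re.search(r["pattern"], text, re.MULTILINE)]

def prune_once(matched):
    """The stated rule: keep a match only if all of its rule's
    depends_on_tags are among the tags of the matches in the result set."""
    present = {t for r in matched for t in r["tags"]}
    return [r for r in matched
            if set(r.get("depends_on_tags", [])) <= present]

def prune(matched):
    """Assumption: repeat until stable, so a tag supplied only by a match
    that was itself removed no longer satisfies a dependency."""
    while True:
        kept = prune_once(matched)
        if len(kept) == len(matched):
            return kept
        matched = kept

def surviving_ids(rules, text, pruner=prune):
    return [r["id"] for r in pruner(scan(rules, text))]

if __name__ == "__main__":
    # Constructed sample texts.
    print(surviving_ids(CHAIN, "B then C"))              # A missing: B and C go
    print(surviving_ids(CHAIN, "B then C", prune_once))  # single pass keeps C
    print(surviving_ids(TWO_WAY, "windows 2000 on linux"))
    print(surviving_ids(TWO_WAY, "linux only"))
```

The single-pass and repeated results differ only for chains: with `Category.A` absent, one pass still sees `Category.B` and keeps SA000003, while repeating the pass removes it as well.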