July Update:
vulns:
security noaudit novulns:
audit:

5 -
- javascript.dompurify.harden-dompurify-usage
- raptor-mismatched-memory-management-cpp
- trailofbits.python.numpy-in-torch-datasets.numpy-in-torch-datasets
- trailofbits.python.torch-classes-load-library.torch-classes-load-library
- trailofbits.python.torch-package.torch-package

1 +
+ raptor-suspicious-assert

others:

vulns:

2 -
- trailofbits.python.pickles-in-torch-distributed.pickles-in-torch-distributed
- trailofbits.python.waiting-with-torch-distributed.waiting-with-torch-distributed

1 +
+ yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

security noaudit novulns:
audit:

4 -
- javascript.dompurify.harden-dompurify-usage
- trailofbits.python.numpy-in-torch-datasets.numpy-in-torch-datasets
- trailofbits.python.torch-classes-load-library.torch-classes-load-library
- trailofbits.python.torch-package.torch-package

others:

6 -
- trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
- trailofbits.go.nondeterministic-select.nondeterministic-select
- trailofbits.go.questionable-assignment.questionable-assignment
- trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
- trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
- trailofbits.python.torch-tensor.torch-tensor
thypon committed Jul 31, 2023
1 parent 5e216bd commit 2232b3f
Showing 7 changed files with 8,079 additions and 4,626 deletions.
3,936 changes: 2,523 additions & 1,413 deletions assets/semgrep_rules/generated/nonfree/audit.yaml


197 changes: 4 additions & 193 deletions assets/semgrep_rules/generated/nonfree/others.yaml
@@ -49,13 +49,15 @@ rules:
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
references:
- https://chromestatus.com/feature/6140064063029248
vulnerability_class:
- Improper Validation
source: https://semgrep.dev/r/html.security.missing-noreferrer.missing-noreferrer
shortlink: https://sg.run/Gekn
semgrep.dev:
rule:
rule_id: 6JUjBL
version_id: 6xTrvK
url: https://semgrep.dev/playground/r/6xTrvK/html.security.missing-noreferrer.missing-noreferrer
version_id: yeTXA4
url: https://semgrep.dev/playground/r/yeTXA4/html.security.missing-noreferrer.missing-noreferrer
origin: community
patterns:
- pattern: a()
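Review bot: the added `vulnerability_class: Improper Validation` sits oddly on `html.security.missing-noreferrer`: a link missing `rel="noreferrer"` leaks the referring URL to the target (and, combined with `target="_blank"`, is the reverse-tabnabbing case the chromestatus reference is about), which is an information-exposure problem rather than an input-validation one. The rest of the hunk is consistent (`version_id: yeTXA4` and the playground URL carry the same id). Since `others.yaml` is a generated file, the class value should be corrected upstream in the registry rather than hand-edited here.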
@@ -810,174 +812,6 @@ rules:
languages:
- hcl
severity: INFO
- id: trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
patterns:
- pattern: |
$C = make(map[$T1] $T2, ...)
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$C[$X] = $V
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$C[$X]++
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$C[$X]--
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$CODEC.Unmarshal($C)
...
for $K := range $C { ... }
message: 'Iteration over a possibly empty map `$C`. This is likely a bug or redundant
code.
'
languages:
- go
severity: ERROR
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
shortlink: https://sg.run/WOeg
semgrep.dev:
rule:
rule_id: 7KUp1e
version_id: GxTZ6g
url: https://semgrep.dev/playground/r/GxTZ6g/trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
origin: community
- id: trailofbits.go.nondeterministic-select.nondeterministic-select
patterns:
- pattern: |
$TICKER := time.NewTicker(...)
...
for {
...
select {
case <- $DONECHAN: return
case <- $TICKER.C: ...
}
}
- pattern-not: |
$TICKER := time.NewTicker(...)
...
for {
select {
case <-$DONECHAN: return
default:
}
...
select {
case <- $DONECHAN: return
case <- $TICKER.C: ...
}
}
message: |
Logic executed as a result of ticker `$TICKER` may execute more times than desired.
When both `$TICKER` and `$DONECHAN` are written to at the same time, the scheduler randomly picks a
case to execute. As a result, the `$TICKER.C` may excute one more time than expected.
severity: WARNING
languages:
- go
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.nondeterministic-select.nondeterministic-select
shortlink: https://sg.run/K8dX
semgrep.dev:
rule:
rule_id: 8GUxqz
version_id: A8TG5P
url: https://semgrep.dev/playground/r/A8TG5P/trailofbits.go.nondeterministic-select.nondeterministic-select
origin: community
- id: trailofbits.go.questionable-assignment.questionable-assignment
patterns:
- pattern-either:
- pattern: "..., $X . $Y, ..., err = ..."
- pattern: "..., $X . $Y, ..., err := ..."
message: Should `$X` be modified when an error could be returned?
languages:
- go
severity: WARNING
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.questionable-assignment.questionable-assignment
shortlink: https://sg.run/qq6y
semgrep.dev:
rule:
rule_id: gxUYAJ
version_id: BjT7rO
url: https://semgrep.dev/playground/r/BjT7rO/trailofbits.go.questionable-assignment.questionable-assignment
origin: community
- id: trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
patterns:
- pattern-either:
- pattern: |
...
go func(...) {
...
}(...)
time.Sleep(...)
...
- pattern: |
...
go $FOO(...)
time.Sleep(...)
...
- pattern-inside: func $FUNC(...){ ... }
message: Using `time.Sleep` for synchronizations is generally considered bad practice.
languages:
- go
severity: WARNING
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
shortlink: https://sg.run/YXK4
semgrep.dev:
rule:
rule_id: 3qUEpL
version_id: K3TYje
url: https://semgrep.dev/playground/r/K3TYje/trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
origin: community
- id: trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
patterns:
- pattern-either:
- patterns:
- pattern: "$FOO, $A := <... $X.($TYPE) ...>\n"
- metavariable-regex:
metavariable: "$A"
regex: "^_$"
- patterns:
- pattern: "$FOO := <... $X.($TYPE) ...>\n"
- metavariable-regex:
metavariable: "$FOO"
regex: "^[^,]*$"
message: 'Unchecked type assertion.
'
severity: ERROR
languages:
- go
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
shortlink: https://sg.run/054W
semgrep.dev:
rule:
rule_id: ZqUgpe
version_id: zyT183
url: https://semgrep.dev/playground/r/zyT183/trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
origin: community
- id: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules
message: Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid
mixing these libraries for efficiency and proper ONNX loading
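Review bot: five Trail of Bits Go rules are deleted here (`iterate-over-empty-map`, `nondeterministic-select`, `questionable-assignment`, `sleep-used-for-synchronizations`, `unchecked-type-assertion`) with nothing replacing them, and the commit message only counts them under `others: 6 -` without saying why. Two of them carry `severity: ERROR` (`iterate-over-empty-map`, `unchecked-type-assertion`), so anyone scanning with this bundle silently loses those findings. Please state in the commit message whether the rules were withdrawn upstream (the file is generated, so that is the likely cause) or dropped deliberately, and if deliberate, on what grounds; a one-line pointer to the upstream change would make the regeneration reviewable.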
@@ -1035,29 +869,6 @@ rules:
url: https://semgrep.dev/playground/r/nWTbb8/trailofbits.python.pytorch-tensor.pytorch-tensor
origin: community
pattern: torch.Tensor(...)
- id: trailofbits.python.torch-tensor.torch-tensor
message: Avoid using `torch.Tensor()` to directly create a tensor for efficiency
and proper parsing
languages:
- python
severity: WARNING
metadata:
category: performance
subcategory:
- audit
confidence: HIGH
references:
- https://pytorch.org/docs/stable/tensors.html
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.python.torch-tensor.torch-tensor
shortlink: https://sg.run/x4zL
semgrep.dev:
rule:
rule_id: ReUqz0
version_id: 7ZTq5z
url: https://semgrep.dev/playground/r/7ZTq5z/trailofbits.python.torch-tensor.torch-tensor
origin: community
pattern: torch.Tensor(...)
- id: typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level
patterns:
- pattern-inside: |
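Review bot: this removal reads as deduplication rather than a lost rule: the `trailofbits.python.pytorch-tensor.pytorch-tensor` entry kept immediately above carries the identical `pattern: torch.Tensor(...)`, so `torch-tensor` was the older id of the same rule. Say so in the commit message, because it is currently listed under `others: 6 -` alongside rules that really are gone. Whether the `torch-*` rules removed from `audit:` (`numpy-in-torch-datasets`, `torch-classes-load-library`, `torch-package`) were renamed the same way cannot be checked from this page, since the `audit.yaml` diff is not rendered.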
@@ -18,13 +18,15 @@ rules:
cwe:
- 'CWE-611: Improper Restriction of XML External Entity Reference'
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- XML Injection
source: https://semgrep.dev/r/contrib.dlint.dlint-equivalent.insecure-xml-use
shortlink: https://sg.run/5QOW
semgrep.dev:
rule:
rule_id: zdUkvA
version_id: 0bToER
url: https://semgrep.dev/playground/r/0bToER/contrib.dlint.dlint-equivalent.insecure-xml-use
version_id: BjT9E3
url: https://semgrep.dev/playground/r/BjT9E3/contrib.dlint.dlint-equivalent.insecure-xml-use
origin: community
pattern-either:
- patterns:
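Review bot: the new `vulnerability_class: XML Injection` contradicts the `CWE-611: Improper Restriction of XML External Entity Reference` line two lines above it in the same metadata block. XXE (CWE-611) and XML injection (CWE-91) are different weaknesses: `insecure-xml-use` flags parsers that resolve external entities, not code that builds XML documents from untrusted strings. If the class is copied verbatim from the registry the mismatch is upstream; if the generator derives it from the CWE, the mapping for CWE-611 is wrong. The `version_id`/`url` pair (`BjT9E3`) is consistent.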
@@ -62,13 +64,15 @@ rules:
likelihood: MEDIUM
impact: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
source: https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
shortlink: https://sg.run/oxEN
semgrep.dev:
rule:
rule_id: NbUk4X
version_id: qkT7o6
url: https://semgrep.dev/playground/r/qkT7o6/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
version_id: l4T58p
url: https://semgrep.dev/playground/r/l4T58p/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
origin: community
languages:
- go
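Review bot: only the metadata tail of `go.lang.security.audit.crypto.missing-ssl-minversion` is visible, so the `version_id` bump (`qkT7o6` to `l4T58p`) cannot be checked against the rule body; a new registry version can change what the rule matches, not just add `vulnerability_class: Cryptographic Issues`. For a vendored bundle it would help to reference the upstream registry change for each bumped rule, or to review the regenerated file with the pattern lines shown, so that a silent change in match behaviour does not ride in under a metadata-only diff.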
@@ -201,13 +205,15 @@ rules:
references:
- https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authentication
source: https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
shortlink: https://sg.run/Eb5w
semgrep.dev:
rule:
rule_id: QrU96W
version_id: BjTPr2
url: https://semgrep.dev/playground/r/BjTPr2/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
version_id: gETqOo
url: https://semgrep.dev/playground/r/gETqOo/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
origin: community
- id: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-blowfish
pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...)
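Review bot: `vulnerability_class: Improper Authentication` fits this rule (an Intercom settings block that sets a user identifier without the `user_hash` that Intercom's identity verification depends on, per the linked help article), but the commit message counts only rule additions and removals and says nothing about every retained rule gaining a `vulnerability_class` key in this and the surrounding hunks. Mention the metadata schema change in the message; anything downstream that parses these YAML files will now see a new key on each rule.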