From b68079257e1d52b4a00aa450f6c87523cd640c6d Mon Sep 17 00:00:00 2001 From: Andrea Brancaleoni Date: Tue, 1 Aug 2023 01:16:57 +0200 Subject: [PATCH] update-ruleset.rb: remove deprecated - fake - rules @ nonfree.audit (+0, -49) - html.security.missing-noopener-or-noreferrer.missing-noopener-or-noreferrer - html.security.missing-noopener.missing-noopener - java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite - java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection - javascript.browser.security.new-function-detected.new-function-detected - javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection - javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection - javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection - javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection - javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials - javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials - javascript.lang.security.audit.non-constant-sql-query.non-constant-sql-query - javascript.lang.security.audit.vm-injection.vm-compilefunction-code-injection - javascript.lang.security.audit.vm-injection.vm-compilefunction-context-injection - javascript.lang.security.audit.vm-injection.vm-runincontext-code-injection - javascript.lang.security.audit.vm-injection.vm-runinnewcontext-code-injection - javascript.lang.security.audit.vm-injection.vm-runinnewcontext-context-injection - javascript.lang.security.audit.vm-injection.vm-runinthiscontext-code-injection - javascript.lang.security.audit.vm-injection.vm-script-code-injection - javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection - javascript.lang.security.detect-non-literal-require.detect-non-literal-require - php.lang.security.preg-replace-eval.preg-replace-eval - python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape - python.lang.security.unquoted-csv-writer.unquoted-csv-writer - ruby.lang.security.jruby-xml.jruby-xml - ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected - ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass - ruby.lang.security.nested-attributes.nested-attributes - ruby.lang.security.timing-attack.timing-attack - ruby.lang.security.yaml-parsing.yaml-parsing - ruby.rails.security.audit.mail-to-erb.mail-to-erb - ruby.rails.security.audit.mail-to.mail-to - ruby.rails.security.audit.mime-type-dos.mime-type-dos - ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb - ruby.rails.security.audit.rails-check-header-dos.rails-check-header-dos - ruby.rails.security.audit.rails-check-page-caching-cve.rails-check-page-caching-cve - ruby.rails.security.audit.rails-check-page-caching-gem.rails-check-page-caching-gem - ruby.rails.security.audit.rails-check-render-dos-cve.rails-check-render-dos - ruby.rails.security.audit.rails-check-render-dos-gem.rails-check-render-dos - ruby.rails.security.audit.rails-check-response-splitting.rails-check-response-splitting - ruby.rails.security.injection.rails-check-json-parsing-rce.rails-check-json-parsing-rce - terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk - typescript.react.security.audit.react-css-injection.react-css-injection - typescript.react.security.audit.react-http-leak.react-http-leak - typescript.react.security.audit.react-missing-noopener.react-missing-noopener - typescript.react.security.audit.react-props-injection.react-props-injection - typescript.react.security.audit.react-router-redirect.react-router-redirect - typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection - typescript.react.security.react-controlled-component-password.react-controlled-component-password @ nonfree.others (+0, -1) - html.security.missing-noreferrer.missing-noreferrer @ nonfree.security_noaudit_novuln (+0, -0) @ nonfree.vulns (+0, -5) - ruby.lang.security.json-encoding.json-encoding - ruby.rails.security.audit.dynamic-finders.dynamic-finders - ruby.rails.security.audit.number-to-currency.number-to-currency - ruby.rails.security.audit.quote-table-name.quote-table-name - terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket @ oss.audit (+0, -0) @ oss.others (+0, -0) @ oss.security_noaudit_novuln (+0, -0) @ oss.vulns (+0, -0) --- .../generated/nonfree/audit.yaml | 1975 +---------------- .../generated/nonfree/others.yaml | 33 - .../generated/nonfree/vulns.yaml | 196 -- assets/semgrep_rules/update-ruleset.rb | 2 + 4 files changed, 67 insertions(+), 2139 deletions(-) diff --git a/assets/semgrep_rules/generated/nonfree/audit.yaml b/assets/semgrep_rules/generated/nonfree/audit.yaml index 349b259f..6cf83329 100644 --- a/assets/semgrep_rules/generated/nonfree/audit.yaml +++ b/assets/semgrep_rules/generated/nonfree/audit.yaml @@ -6382,82 +6382,6 @@ rules: origin: community languages: - go -- id: html.security.missing-noopener-or-noreferrer.missing-noopener-or-noreferrer - metadata: - category: security - technology: - - html - cwe: - - 'CWE-1022: Use of Web Link to Untrusted Target with window.opener Access' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - confidence: LOW - references: - - https://cwe.mitre.org/data/definitions/1022.html - subcategory: - - audit - likelihood: LOW - impact: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/html.security.missing-noopener-or-noreferrer.missing-noopener-or-noreferrer - shortlink: https://sg.run/Ezqo - semgrep.dev: - rule: - rule_id: 8GUvNg - version_id: 1QTj5A - url: https://semgrep.dev/playground/r/1QTj5A/html.security.missing-noopener-or-noreferrer.missing-noopener-or-noreferrer - origin: community - patterns: - - pattern: a() - - pattern: b() - paths: - include: - - "*.html" - message: This rule has been deprecated. - severity: WARNING - languages: - - generic -- id: html.security.missing-noopener.missing-noopener - metadata: - category: security - technology: - - html - cwe: - - 'CWE-1022: Use of Web Link to Untrusted Target with window.opener Access' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - confidence: LOW - references: - - https://cwe.mitre.org/data/definitions/1022.html - subcategory: - - audit - likelihood: LOW - impact: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/html.security.missing-noopener.missing-noopener - shortlink: https://sg.run/5Q03 - semgrep.dev: - rule: - rule_id: YGURLJ - version_id: 9lTzZ9 - url: https://semgrep.dev/playground/r/9lTzZ9/html.security.missing-noopener.missing-noopener - origin: community - patterns: - - pattern: a() - - pattern: b() - paths: - include: - - "*.html" - message: This rule has been deprecated. - severity: WARNING - languages: - - generic - id: java.jboss.security.seam-log-injection.seam-log-injection patterns: - pattern: "$LOG.$INFO($X + $Y,...)\n" @@ -7076,47 +7000,6 @@ rules: - pattern-not-inside: "$COOKIE.setHttpOnly(...); ..." - pattern-not-inside: "$COOKIE = ResponseCookie.from(...). ...; ..." - pattern: "$RESPONSE.addCookie($COOKIE);" -- id: java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite - metadata: - cwe: - - 'CWE-352: Cross-Site Request Forgery (CSRF)' - owasp: - - A01:2021 - Broken Access Control - asvs: - section: 'V3: Session Management Verification Requirements' - control_id: 3.4.3 Missing Cookie Attribute - control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management - version: '4' - references: - - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application - category: security - technology: - - java - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site Request Forgery (CSRF) - source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite - shortlink: https://sg.run/N427 - semgrep.dev: - rule: - rule_id: 7KUQkX - version_id: PkTYxZ - url: https://semgrep.dev/playground/r/PkTYxZ/java.lang.security.audit.cookie-missing-samesite.cookie-missing-samesite - origin: community - message: Detected cookie without the SameSite attribute. - severity: WARNING - languages: - - java - patterns: - - pattern: a() - - pattern: b() - id: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag metadata: cwe: @@ -10015,44 +9898,6 @@ rules: true); languages: - java -- id: java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection - metadata: - cwe: - - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream - Component (''Injection'')' - owasp: - - A03:2021 - Injection - source-rule-url: https://www.lunasec.io/docs/blog/log4j-zero-day/ - references: - - https://issues.apache.org/jira/browse/LOG4J2-3198 - - https://www.lunasec.io/docs/blog/log4j-zero-day/ - - https://logging.apache.org/log4j/2.x/manual/lookups.html - category: security - technology: - - java - confidence: LOW - subcategory: - - audit - likelihood: LOW - impact: HIGH - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Other - source: https://semgrep.dev/r/java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection - shortlink: https://sg.run/eX1Z - semgrep.dev: - rule: - rule_id: 9AUZeQ - version_id: jQTKw2 - url: https://semgrep.dev/playground/r/jQTKw2/java.log4j.security.log4j-message-lookup-injection.log4j-message-lookup-injection - origin: community - message: This rule is deprecated. - patterns: - - pattern: a() - - pattern: b() - severity: WARNING - languages: - - java - id: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization severity: WARNING languages: @@ -11151,43 +10996,6 @@ rules: patterns: - pattern-not: "... if (<... $OBJ.origin ...>) { ... } ...\n" metavariable: "$CONTEXT" -- id: javascript.browser.security.new-function-detected.new-function-detected - message: this rule has been deprecated. - metadata: - deprecated: true - cwe: - - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code - (''Eval Injection'')' - owasp: - - A03:2021 - Injection - category: security - technology: - - browser - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - references: - - https://owasp.org/Top10/A03_2021-Injection - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.browser.security.new-function-detected.new-function-detected - shortlink: https://sg.run/Q5Pk - semgrep.dev: - rule: - rule_id: DbUp0q - version_id: pZTry6 - url: https://semgrep.dev/playground/r/pZTry6/javascript.browser.security.new-function-detected.new-function-detected - origin: community - languages: - - javascript - - typescript - severity: WARNING - patterns: - - pattern: a() - - pattern: b() - id: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration message: The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed @@ -11223,154 +11031,6 @@ rules: - typescript severity: WARNING pattern: "$OBJECT.postMessage(...,'*')" -- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection - message: this rule has been deprecated. - metadata: - owasp: - - A10:2021 - Server-Side Request Forgery (SSRF) - cwe: - - 'CWE-918: Server-Side Request Forgery (SSRF)' - category: security - technology: - - chrome-remote-interface - references: - - https://github.com/cyrus-and/chrome-remote-interface - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Server-Side Request Forgery (SSRF) - source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection - shortlink: https://sg.run/5QBD - semgrep.dev: - rule: - rule_id: lBU9O8 - version_id: rxTxLj - url: https://semgrep.dev/playground/r/rxTxLj/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-evaluate-injection.chrome-remote-interface-evaluate-injection - origin: community - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection - message: this rule has been deprecated. - metadata: - owasp: - - A10:2021 - Server-Side Request Forgery (SSRF) - cwe: - - 'CWE-918: Server-Side Request Forgery (SSRF)' - category: security - technology: - - chrome-remote-interface - references: - - https://github.com/cyrus-and/chrome-remote-interface - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Server-Side Request Forgery (SSRF) - source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection - shortlink: https://sg.run/Gery - semgrep.dev: - rule: - rule_id: YGUR0A - version_id: bZTG1X - url: https://semgrep.dev/playground/r/bZTG1X/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-navigate-injection.chrome-remote-interface-navigate-injection - origin: community - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection - message: this rule has been deprecated. - metadata: - owasp: - - A10:2021 - Server-Side Request Forgery (SSRF) - cwe: - - 'CWE-918: Server-Side Request Forgery (SSRF)' - category: security - technology: - - chrome-remote-interface - references: - - https://github.com/cyrus-and/chrome-remote-interface - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Server-Side Request Forgery (SSRF) - source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection - shortlink: https://sg.run/RoJg - semgrep.dev: - rule: - rule_id: 6JUjgD - version_id: NdT1dd - url: https://semgrep.dev/playground/r/NdT1dd/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-printtopdf-injection.chrome-remote-interface-printtopdf-injection - origin: community - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection - message: this rule has been deprecated. - metadata: - owasp: - - A10:2021 - Server-Side Request Forgery (SSRF) - cwe: - - 'CWE-918: Server-Side Request Forgery (SSRF)' - category: security - technology: - - chrome-remote-interface - references: - - https://github.com/cyrus-and/chrome-remote-interface - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Server-Side Request Forgery (SSRF) - source: https://semgrep.dev/r/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection - shortlink: https://sg.run/Av2L - semgrep.dev: - rule: - rule_id: oqUeEK - version_id: kbT7xL - url: https://semgrep.dev/playground/r/kbT7xL/javascript.chrome-remote-interface.security.audit.chrome-remote-interface-setdocumentcontent-injection.chrome-remote-interface-setdocumentcontent-injection - origin: community - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() - id: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage message: A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or @@ -12357,60 +12017,22 @@ rules: - pattern-either: - pattern: "$JOSE.JWT.sign($INPUT,...)" - pattern: "$JWT.sign($INPUT,...)" -- id: javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials - message: this rule has been deprecated. +- id: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify + message: Detected the decoding of a JWT token without a verify step. JWT tokens + must be verified before use, otherwise the token's integrity is unknown. This + means a malicious actor could forge a JWT token with any claims. Call '.verify()' + before using the token. metadata: cwe: - - 'CWE-798: Use of Hard-coded Credentials' - references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html + - 'CWE-345: Insufficient Verification of Data Authenticity' owasp: - - A07:2021 - Identification and Authentication Failures - category: security - technology: - - jose - - jwt - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Hard-coded Secrets - source: https://semgrep.dev/r/javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials - shortlink: https://sg.run/GeKy - semgrep.dev: - rule: - rule_id: PeUZG0 - version_id: 3ZTdrZ - url: https://semgrep.dev/playground/r/3ZTdrZ/javascript.jose.security.jwt-exposed-credentials.jwt-exposed-credentials - origin: community - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify - message: Detected the decoding of a JWT token without a verify step. JWT tokens - must be verified before use, otherwise the token's integrity is unknown. This - means a malicious actor could forge a JWT token with any claims. Call '.verify()' - before using the token. - metadata: - cwe: - - 'CWE-345: Insufficient Verification of Data Authenticity' - owasp: - - A08:2021 - Software and Data Integrity Failures - source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ - asvs: - section: 'V3: Session Management Verification Requirements' - control_id: 3.5.3 Insecue Stateless Session Tokens - control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management - version: '4' + - A08:2021 - Software and Data Integrity Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.3 Insecue Stateless Session Tokens + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' category: security technology: - jwt @@ -12498,49 +12120,6 @@ rules: - pattern-inside: function (...,$INPUT,...) {...} - pattern-inside: function $F(...,$INPUT,...) {...} - pattern: "$JWT.sign($INPUT,...)" -- id: javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials - message: this rule has been deprecated. - metadata: - cwe: - - 'CWE-798: Use of Hard-coded Credentials' - references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html - owasp: - - A07:2021 - Identification and Authentication Failures - asvs: - section: 'V3: Session Management Verification Requirements' - control_id: 3.5.2 Static API keys or secret - control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management - version: '4' - category: security - technology: - - jwt - - secrets - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Hard-coded Secrets - source: https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials - shortlink: https://sg.run/Kl6L - semgrep.dev: - rule: - rule_id: DbUpyk - version_id: BjTEpZ - url: https://semgrep.dev/playground/r/BjTEpZ/javascript.jsonwebtoken.security.jwt-exposed-credentials.jwt-exposed-credentials - origin: community - languages: - - javascript - - typescript - severity: ERROR - patterns: - - pattern: a() - - pattern: b() - id: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key message: Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an @@ -12627,46 +12206,6 @@ rules: - metavariable-regex: metavariable: "$CHAR" regex: ^[\"\']([\'\"\<\>\*\|\{\}\[\]\%\$]{1}|\\n|\\r|\\t|\\&)[\"\']$ -- id: javascript.lang.security.audit.non-constant-sql-query.non-constant-sql-query - message: This rule has been deprecated. It duplicates `javascript/sequelize/security/audit/sequelize-raw-query` - rule. - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command - (''SQL Injection'')' - category: security - technology: - - sequelize - references: - - https://sequelize.org/docs/v6/core-concepts/raw-queries/ - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - SQL Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.non-constant-sql-query.non-constant-sql-query - shortlink: https://sg.run/jRKP - semgrep.dev: - rule: - rule_id: x8Unr5 - version_id: A8TRgz - url: https://semgrep.dev/playground/r/A8TRgz/javascript.lang.security.audit.non-constant-sql-query.non-constant-sql-query - origin: community - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() - id: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop message: 'Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist @@ -12901,114 +12440,6 @@ rules: $UTIL = require('util') ... - pattern: "$UTIL.format($STR,$PARAM,...)\n" -- id: javascript.lang.security.audit.vm-injection.vm-compilefunction-code-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-compilefunction-code-injection - shortlink: https://sg.run/x17y - semgrep.dev: - rule: - rule_id: L1Uyg7 - version_id: NdT1z0 - url: https://semgrep.dev/playground/r/NdT1z0/javascript.lang.security.audit.vm-injection.vm-compilefunction-code-injection - origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.audit.vm-injection.vm-compilefunction-context-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-compilefunction-context-injection - shortlink: https://sg.run/rd2J - semgrep.dev: - rule: - rule_id: d8UjgD - version_id: jQTKnN - url: https://semgrep.dev/playground/r/jQTKnN/javascript.lang.security.audit.vm-injection.vm-compilefunction-context-injection - origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.audit.vm-injection.vm-runincontext-code-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-runincontext-code-injection - shortlink: https://sg.run/N4pN - semgrep.dev: - rule: - rule_id: nJUzNq - version_id: yeTXxz - url: https://semgrep.dev/playground/r/yeTXxz/javascript.lang.security.audit.vm-injection.vm-runincontext-code-injection - origin: community - patterns: - - pattern: a() - - pattern: b() - id: javascript.lang.security.audit.vm-injection.vm-runincontext-context-injection message: Make sure that unverified user data can not reach vm.runInContext. severity: WARNING @@ -13092,261 +12523,81 @@ rules: - pattern: new vm.Script($INPUT,...) - pattern: new vm.SourceTextModule($INPUT,...) - focus-metavariable: "$INPUT" -- id: javascript.lang.security.audit.vm-injection.vm-runinnewcontext-code-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript +- id: javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert + message: Detected usage of noassert in Buffer API, which allows the offset the be + beyond the end of the buffer. This could result in writing or reading beyond the + end of the buffer. metadata: - owasp: - - A03:2021 - Injection cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + - 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer' + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js category: security technology: - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html cwe2022-top25: true + cwe2021-top25: true subcategory: - audit likelihood: LOW - impact: LOW + impact: HIGH confidence: LOW + references: + - https://cwe.mitre.org/data/definitions/119.html license: Commons Clause License Condition v1.0[LGPL-2.1-only] vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-runinnewcontext-code-injection - shortlink: https://sg.run/kX7A + - Memory Issues + source: https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert + shortlink: https://sg.run/qxpO semgrep.dev: rule: - rule_id: EwU2x8 - version_id: rxTxAB - url: https://semgrep.dev/playground/r/rxTxAB/javascript.lang.security.audit.vm-injection.vm-runinnewcontext-code-injection + rule_id: j2Uvj8 + version_id: kbT7zy + url: https://semgrep.dev/playground/r/kbT7zy/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.audit.vm-injection.vm-runinnewcontext-context-injection - message: this rule has been deprecated. - severity: INFO languages: - javascript - typescript + severity: WARNING + patterns: + - pattern: "$OBJ.$API(..., true)" + - metavariable-regex: + metavariable: "$API" + regex: "(read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))" +- id: javascript.lang.security.detect-child-process.detect-child-process + message: 'Detected calls to child_process from a function argument `$FUNC`. This + could lead to a command injection if the input is user controllable. Try to avoid + calls to child_process, and if it is needed ensure user input is correctly sanitized + or sandboxed. ' metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' owasp: + - A01:2017 - Injection - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js category: security technology: - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html + license: Commons Clause License Condition v1.0[LGPL-2.1-only] cwe2022-top25: true + cwe2021-top25: true subcategory: - audit likelihood: LOW - impact: LOW + impact: HIGH confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-runinnewcontext-context-injection - shortlink: https://sg.run/ydbA + - Command Injection + source: https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process + shortlink: https://sg.run/l2lo semgrep.dev: rule: - rule_id: v8UnQZ - version_id: X0TPzn - url: https://semgrep.dev/playground/r/X0TPzn/javascript.lang.security.audit.vm-injection.vm-runinnewcontext-context-injection - origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.audit.vm-injection.vm-runinthiscontext-code-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-runinthiscontext-code-injection - shortlink: https://sg.run/we7d - semgrep.dev: - rule: - rule_id: 7KUQ3g - version_id: bZTG5W - url: https://semgrep.dev/playground/r/bZTG5W/javascript.lang.security.audit.vm-injection.vm-runinthiscontext-code-injection - origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.audit.vm-injection.vm-script-code-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-script-code-injection - shortlink: https://sg.run/b75v - semgrep.dev: - rule: - rule_id: ZqU5dE - version_id: 1QTjyX - url: https://semgrep.dev/playground/r/1QTjyX/javascript.lang.security.audit.vm-injection.vm-script-code-injection - origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection - message: this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection - shortlink: https://sg.run/0ngr - semgrep.dev: - rule: - rule_id: YGUr6P - version_id: 9lTz4E - url: https://semgrep.dev/playground/r/9lTz4E/javascript.lang.security.audit.vm-injection.vm-sourcetextmodule-code-injection - origin: community - patterns: - - pattern: a() - - pattern: b() -- id: javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert - message: Detected usage of noassert in Buffer API, which allows the offset the be - beyond the end of the buffer. This could result in writing or reading beyond the - end of the buffer. - metadata: - cwe: - - 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer' - source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js - category: security - technology: - - javascript - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - references: - - https://cwe.mitre.org/data/definitions/119.html - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Memory Issues - source: https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert - shortlink: https://sg.run/qxpO - semgrep.dev: - rule: - rule_id: j2Uvj8 - version_id: kbT7zy - url: https://semgrep.dev/playground/r/kbT7zy/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert - origin: community - languages: - - javascript - - typescript - severity: WARNING - patterns: - - pattern: "$OBJ.$API(..., true)" - - metavariable-regex: - metavariable: "$API" - regex: "(read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))" -- id: javascript.lang.security.detect-child-process.detect-child-process - message: 'Detected calls to child_process from a function argument `$FUNC`. This - could lead to a command injection if the input is user controllable. Try to avoid - calls to child_process, and if it is needed ensure user input is correctly sanitized - or sandboxed. ' - metadata: - cwe: - - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS - Command Injection'')' - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - references: - - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions - source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js - category: security - technology: - - javascript - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - vulnerability_class: - - Command Injection - source: https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process - shortlink: https://sg.run/l2lo - semgrep.dev: - rule: - rule_id: 10UKNB - version_id: w8T3RP - url: https://semgrep.dev/playground/r/w8T3RP/javascript.lang.security.detect-child-process.detect-child-process + rule_id: 10UKNB + version_id: w8T3RP + url: https://semgrep.dev/playground/r/w8T3RP/javascript.lang.security.detect-child-process.detect-child-process origin: community languages: - javascript @@ -13517,43 +12768,6 @@ rules: express.csrf(); ... express.methodOverride(); -- id: javascript.lang.security.detect-non-literal-require.detect-non-literal-require - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code - (''Eval Injection'')' - owasp: - - A03:2021 - Injection - source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js - references: - - https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js - category: security - technology: - - javascript - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/javascript.lang.security.detect-non-literal-require.detect-non-literal-require - shortlink: https://sg.run/zvNn - semgrep.dev: - rule: - rule_id: bwUwoj - version_id: d6TDyJ - url: https://semgrep.dev/playground/r/d6TDyJ/javascript.lang.security.detect-non-literal-require.detect-non-literal-require - origin: community - languages: - - javascript - - typescript - severity: WARNING - patterns: - - pattern: a() - - pattern: b() - id: javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes message: Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers. @@ -16345,44 +15559,6 @@ rules: languages: - php severity: WARNING -- id: php.lang.security.preg-replace-eval.preg-replace-eval - patterns: - - pattern: a() - - pattern: b() - message: This rule has been deprecated, see https://github.com/returntocorp/semgrep-rules/issues/2506. - metadata: - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - references: - - https://www.php.net/manual/en/function.preg-replace.php - - https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php - - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PregReplaceSniff.php - category: security - deprecated: true - technology: - - php - owasp: - - A03:2021 - Injection - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/php.lang.security.preg-replace-eval.preg-replace-eval - shortlink: https://sg.run/0Qzw - semgrep.dev: - rule: - rule_id: AbUz2Z - version_id: YDTowj - url: https://semgrep.dev/playground/r/YDTowj/php.lang.security.preg-replace-eval.preg-replace-eval - origin: community - languages: - - php - severity: ERROR - id: php.lang.security.unlink-use.unlink-use patterns: - pattern: unlink(...) @@ -18662,46 +17838,6 @@ rules: version_id: d6TDpy url: https://semgrep.dev/playground/r/d6TDpy/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape origin: community -- id: python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape - languages: - - generic - severity: INFO - message: This rule is deprecated. It will no longer produce findings. - patterns: - - pattern: a() - - pattern: b() - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates - - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code - category: security - technology: - - django - deprecated: true - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape - shortlink: https://sg.run/J9Jy - semgrep.dev: - rule: - rule_id: 0oU5AN - version_id: ZRTwX2 - url: https://semgrep.dev/playground/r/ZRTwX2/python.django.security.audit.xss.template-translate-no-escape.template-translate-no-escape - origin: community - id: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq message: Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure @@ -23223,43 +22359,6 @@ rules: pattern-either: - pattern: hashlib.new("=~/[M|m][D|d][4|5]/", ...) - pattern: hashlib.new(..., name="=~/[M|m][D|d][4|5]/", ...) -- id: python.lang.security.unquoted-csv-writer.unquoted-csv-writer - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File' - owasp: A01:2017 - Injection - references: - - https://github.com/returntocorp/semgrep-rules/issues/2351 - category: security - technology: - - python - deprecated: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/python.lang.security.unquoted-csv-writer.unquoted-csv-writer - shortlink: https://sg.run/b7vp - semgrep.dev: - rule: - rule_id: eqU8dk - version_id: JdTqO6 - url: https://semgrep.dev/playground/r/JdTqO6/python.lang.security.unquoted-csv-writer.unquoted-csv-writer - origin: community - fix-regex: - regex: "(.*)\\)" - replacement: "\\1, quoting=csv.QUOTE_ALL)" - languages: - - python - severity: ERROR - id: python.lang.security.unverified-ssl-context.unverified-ssl-context patterns: - pattern-either: @@ -24150,43 +23249,6 @@ rules: origin: community languages: - ruby -- id: ruby.lang.security.jruby-xml.jruby-xml - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-611: Improper Restriction of XML External Entity Reference' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_jruby_xml.rb - category: security - technology: - - ruby - owasp: - - A04:2017 - XML External Entities (XXE) - - A05:2021 - Security Misconfiguration - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - XML Injection - source: https://semgrep.dev/r/ruby.lang.security.jruby-xml.jruby-xml - shortlink: https://sg.run/ok07 - semgrep.dev: - rule: - rule_id: j2Uqk5 - version_id: NdT1Ww - url: https://semgrep.dev/playground/r/NdT1Ww/ruby.lang.security.jruby-xml.jruby-xml - origin: community - languages: - - ruby - severity: WARNING - id: ruby.lang.security.json-entity-escape.json-entity-escape pattern-either: - pattern: 'ActiveSupport.escape_html_entities_in_json = false @@ -24430,115 +23492,6 @@ rules: languages: - ruby severity: ERROR -- id: ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-284: Improper Access Control' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb - - https://groups.google.com/g/rubyonrails-security/c/AFBKNY7VSH8/discussion - category: security - technology: - - ruby - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Authorization - source: https://semgrep.dev/r/ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected - shortlink: https://sg.run/9qZk - semgrep.dev: - rule: - rule_id: kxURK4 - version_id: ZRTwRw - url: https://semgrep.dev/playground/r/ZRTwRw/ruby.lang.security.model-attributes-attr-protected.model-attributes-attr-protected - origin: community - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object - Attributes' - references: - - https://groups.google.com/g/rubyonrails-security/c/cawsWcQ6c8g/m/tegZtYdbFQAJ - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_nested_attributes_bypass.rb - category: security - technology: - - ruby - owasp: - - A08:2021 - Software and Data Integrity Failures - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Mass Assignment - source: https://semgrep.dev/r/ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass - shortlink: https://sg.run/yzy8 - semgrep.dev: - rule: - rule_id: wdU891 - version_id: nWT7De - url: https://semgrep.dev/playground/r/nWT7De/ruby.lang.security.nested-attributes-bypass.nested-attributes-bypass - origin: community - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.lang.security.nested-attributes.nested-attributes - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-20: Improper Input Validation' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_nested_attributes.rb - - https://groups.google.com/g/rubyonrails-security/c/-fkT0yja_gw/discussion - category: security - technology: - - ruby - owasp: - - A03:2021 - Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/ruby.lang.security.nested-attributes.nested-attributes - shortlink: https://sg.run/rA66 - semgrep.dev: - rule: - rule_id: x8UWKK - version_id: ExTn5B - url: https://semgrep.dev/playground/r/ExTn5B/ruby.lang.security.nested-attributes.nested-attributes - origin: community - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() - id: ruby.lang.security.no-send.bad-send message: Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary @@ -24592,39 +23545,6 @@ rules: $PARAM = params[...] ... $RES = $MOD.public_send($PARAM.$FUNC) -- id: ruby.lang.security.timing-attack.timing-attack - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-208: Observable Timing Discrepancy' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_basic_auth_timing_attack.rb - - https://groups.google.com/g/rubyonrails-security/c/ANv0HDHEC3k/m/mt7wNGxbFQAJ - category: security - technology: - - ruby - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cryptographic Issues - source: https://semgrep.dev/r/ruby.lang.security.timing-attack.timing-attack - shortlink: https://sg.run/wxdx - semgrep.dev: - rule: - rule_id: d8Uzrz - version_id: gETqGA - url: https://semgrep.dev/playground/r/gETqGA/ruby.lang.security.timing-attack.timing-attack - origin: community - languages: - - ruby - severity: ERROR - patterns: - - pattern: a() - - pattern: b() - id: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln patterns: - pattern-either: @@ -24670,41 +23590,6 @@ rules: languages: - ruby severity: WARNING -- id: ruby.lang.security.yaml-parsing.yaml-parsing - message: This rule is deprecated. - severity: WARNING - languages: - - ruby - patterns: - - pattern: a() - - pattern: b() - metadata: - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - category: security - technology: - - ruby - owasp: - - A03:2021 - Injection - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/ruby.lang.security.yaml-parsing.yaml-parsing - shortlink: https://sg.run/v08X - semgrep.dev: - rule: - rule_id: 7KUegx - version_id: jQTZJ8 - url: https://semgrep.dev/playground/r/jQTZJ8/ruby.lang.security.yaml-parsing.yaml-parsing - origin: community - id: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions metadata: owasp: @@ -24754,396 +23639,15 @@ rules: end - pattern: | def show_detailed_exceptions? (...) - ... - return $RETURN - end - - metavariable-pattern: - metavariable: "$RETURN" - patterns: - - pattern-not: 'false - - ' -- id: ruby.rails.security.audit.mail-to-erb.mail-to-erb - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/ruby.rails.security.audit.mail-to-erb.mail-to-erb - shortlink: https://sg.run/GyBe - semgrep.dev: - rule: - rule_id: QrUn3z - version_id: WrTb28 - url: https://semgrep.dev/playground/r/WrTb28/ruby.rails.security.audit.mail-to-erb.mail-to-erb - origin: community - message: This rule is deprecated. - languages: - - generic - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.rails.security.audit.mail-to.mail-to - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/ruby.rails.security.audit.mail-to.mail-to - shortlink: https://sg.run/Ryp8 - semgrep.dev: - rule: - rule_id: 3qU6KB - version_id: 0bTvRG - url: https://semgrep.dev/playground/r/0bTvRG/ruby.rails.security.audit.mail-to.mail-to - origin: community - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.rails.security.audit.mime-type-dos.mime-type-dos - metadata: - owasp: A05:2021 - Security Misconfiguration - cwe: - - 'CWE-400: Uncontrolled Resource Consumption' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mime_type_dos.rb - category: security - technology: - - rails - references: - - https://cwe.mitre.org/data/definitions/400.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Denial-of-Service (DoS) - source: https://semgrep.dev/r/ruby.rails.security.audit.mime-type-dos.mime-type-dos - shortlink: https://sg.run/Oy3p - semgrep.dev: - rule: - rule_id: 10U56J - version_id: K3TlB8 - url: https://semgrep.dev/playground/r/K3TlB8/ruby.rails.security.audit.mime-type-dos.mime-type-dos - origin: community - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb - shortlink: https://sg.run/eX7l - semgrep.dev: - rule: - rule_id: 9AUZrN - version_id: qkTNzJ - url: https://semgrep.dev/playground/r/qkTNzJ/ruby.rails.security.audit.number-to-currency-erb.number-to-currency-erb - origin: community - message: This rule is deprecated. - languages: - - generic - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.rails.security.audit.rails-check-header-dos.rails-check-header-dos - languages: - - generic - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - severity: WARNING - metadata: - technology: - - rails - category: security - cwe: - - 'CWE-20: Improper Input Validation' - owasp: - - A03:2021 - Injection - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_header_dos.rb - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/ruby.rails.security.audit.rails-check-header-dos.rails-check-header-dos - shortlink: https://sg.run/5LY6 - semgrep.dev: - rule: - rule_id: eqUDRY - version_id: JdTqA2 - url: https://semgrep.dev/playground/r/JdTqA2/ruby.rails.security.audit.rails-check-header-dos.rails-check-header-dos - origin: community -- id: ruby.rails.security.audit.rails-check-page-caching-cve.rails-check-page-caching-cve - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - metadata: - cwe: - - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path - Traversal'')' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - technology: - - rails - category: security - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_page_caching_cve.rb - references: - - https://nvd.nist.gov/vuln/detail/CVE-2020-8159 - - https://groups.google.com/g/rubyonrails-security/c/CFRVkEytdP8 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Path Traversal - source: https://semgrep.dev/r/ruby.rails.security.audit.rails-check-page-caching-cve.rails-check-page-caching-cve - shortlink: https://sg.run/Gg2B - semgrep.dev: - rule: - rule_id: v8UOrb - version_id: 5PT60x - url: https://semgrep.dev/playground/r/5PT60x/ruby.rails.security.audit.rails-check-page-caching-cve.rails-check-page-caching-cve - origin: community -- id: ruby.rails.security.audit.rails-check-page-caching-gem.rails-check-page-caching-gem - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path - Traversal'')' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - technology: - - rails - category: security - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_page_caching_cve.rb - references: - - https://nvd.nist.gov/vuln/detail/CVE-2020-8159 - - https://groups.google.com/g/rubyonrails-security/c/CFRVkEytdP8 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Path Traversal - source: https://semgrep.dev/r/ruby.rails.security.audit.rails-check-page-caching-gem.rails-check-page-caching-gem - shortlink: https://sg.run/RgkE - semgrep.dev: - rule: - rule_id: d8UKw2 - version_id: GxT25b - url: https://semgrep.dev/playground/r/GxT25b/ruby.rails.security.audit.rails-check-page-caching-gem.rails-check-page-caching-gem - origin: community -- id: ruby.rails.security.audit.rails-check-render-dos-cve.rails-check-render-dos - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-20: Improper Input Validation' - owasp: - - A03:2021 - Injection - technology: - - rails - category: security - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_dos.rb - references: - - https://groups.google.com/g/rubyonrails-security/c/LMxO_3_eCuc/m/ozGBEhKaJbIJ - - https://nvd.nist.gov/vuln/detail/CVE-2014-0082 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/ruby.rails.security.audit.rails-check-render-dos-cve.rails-check-render-dos - shortlink: https://sg.run/A5Yg - semgrep.dev: - rule: - rule_id: ZqUl4v - version_id: RGTbYW - url: https://semgrep.dev/playground/r/RGTbYW/ruby.rails.security.audit.rails-check-render-dos-cve.rails-check-render-dos - origin: community -- id: ruby.rails.security.audit.rails-check-render-dos-gem.rails-check-render-dos - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-20: Improper Input Validation' - owasp: - - A03:2021 - Injection - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_dos.rb - technology: - - rails - category: security - references: - - https://groups.google.com/g/rubyonrails-security/c/LMxO_3_eCuc/m/ozGBEhKaJbIJ - - https://nvd.nist.gov/vuln/detail/CVE-2014-0082 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/ruby.rails.security.audit.rails-check-render-dos-gem.rails-check-render-dos - shortlink: https://sg.run/BGNb - semgrep.dev: - rule: - rule_id: nJUyWb - version_id: A8TR11 - url: https://semgrep.dev/playground/r/A8TR11/ruby.rails.security.audit.rails-check-render-dos-gem.rails-check-render-dos - origin: community -- id: ruby.rails.security.audit.rails-check-response-splitting.rails-check-response-splitting - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' - owasp: - - A03:2021 - Injection - technology: - - rails - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_response_splitting.rb - category: security - references: - - https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Code Injection - source: https://semgrep.dev/r/ruby.rails.security.audit.rails-check-response-splitting.rails-check-response-splitting - shortlink: https://sg.run/DAj2 - semgrep.dev: - rule: - rule_id: EwUr8l - version_id: BjTEOn - url: https://semgrep.dev/playground/r/BjTEOn/ruby.rails.security.audit.rails-check-response-splitting.rails-check-response-splitting - origin: community + ... + return $RETURN + end + - metavariable-pattern: + metavariable: "$RETURN" + patterns: + - pattern-not: 'false + + ' - id: ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection pattern: skip_forgery_protection message: This call turns off CSRF protection allowing CSRF attacks against the application @@ -25981,43 +24485,6 @@ rules: version_id: nWT71p url: https://semgrep.dev/playground/r/nWT71p/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml origin: community -- id: ruby.rails.security.injection.rails-check-json-parsing-rce.rails-check-json-parsing-rce - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream - Component (''Injection'')' - owasp: - - A03:2021 - Injection - technology: - - rails - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_parsing.rb - category: security - references: - - https://nvd.nist.gov/vuln/detail/CVE-2013-0333 - - https://groups.google.com/g/rubyonrails-security/c/1h2DR63ViGo - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Other - source: https://semgrep.dev/r/ruby.rails.security.injection.rails-check-json-parsing-rce.rails-check-json-parsing-rce - shortlink: https://sg.run/Wj3y - semgrep.dev: - rule: - rule_id: 7KUxzd - version_id: RGTbZW - url: https://semgrep.dev/playground/r/RGTbZW/ruby.rails.security.injection.rails-check-json-parsing-rce.rails-check-json-parsing-rce - origin: community - id: rust.lang.security.args-os.args-os message: 'args_os should not be used for security operations. From the docs: "The first element is traditionally the path of the executable, but it can be set to @@ -27815,41 +26282,6 @@ rules: languages: - hcl severity: WARNING -- id: terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk - patterns: - - pattern: a() - - pattern: b() - message: This rule has been deprecated. - metadata: - category: security - technology: - - terraform - - aws - owasp: - - A03:2017 - Sensitive Data Exposure - cwe: - - 'CWE-320: CWE CATEGORY: Key Management Errors' - references: - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cryptographic Issues - source: https://semgrep.dev/r/terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk - shortlink: https://sg.run/qyAz - semgrep.dev: - rule: - rule_id: QrUnyQ - version_id: 1QTjr4 - url: https://semgrep.dev/playground/r/1QTjr4/terraform.aws.security.aws-elasticache-replication-group-encrypted-with-cmk.aws-elasticache-replication-group-encrypted-with-cmk - origin: community - languages: - - hcl - severity: WARNING - id: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk patterns: - pattern-inside: | @@ -32565,46 +30997,6 @@ rules: - pattern-not: 'return {url: "..."} ' -- id: typescript.react.security.audit.react-css-injection.react-css-injection - message: this rule has been deprecated. - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1 - category: security - deprecated: true - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/typescript.react.security.audit.react-css-injection.react-css-injection - shortlink: https://sg.run/yze8 - semgrep.dev: - rule: - rule_id: wdU861 - version_id: l4T5nK - url: https://semgrep.dev/playground/r/l4T5nK/typescript.react.security.audit.react-css-injection.react-css-injection - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() - id: typescript.react.security.audit.react-href-var.react-href-var message: Detected a variable used in an anchor tag with the 'href' attribute. A malicious actor may be able to input the 'javascript:' URI, which could cause @@ -32698,43 +31090,6 @@ rules: patterns: - pattern-not-regex: "(?i)(button)" metavariable: "$EL" -- id: typescript.react.security.audit.react-http-leak.react-http-leak - message: this rule has been deprecated. - metadata: - owasp: - - A01:2021 - Broken Access Control - cwe: - - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' - deprecated: true - references: - - https://github.com/cure53/HTTPLeaks - category: security - technology: - - react - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Mishandled Sensitive Information - source: https://semgrep.dev/r/typescript.react.security.audit.react-http-leak.react-http-leak - shortlink: https://sg.run/kLbX - semgrep.dev: - rule: - rule_id: v8U51n - version_id: zyT57z - url: https://semgrep.dev/playground/r/zyT57z/typescript.react.security.audit.react-http-leak.react-http-leak - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() - id: typescript.react.security.audit.react-jwt-decoded-property.react-jwt-decoded-property message: Property decoded from JWT token without verifying and cannot be trustworthy. metadata: @@ -32821,206 +31176,6 @@ rules: $DECODED = jwt_decode(...); ... localStorage.setItem($NAME, <... $DECODED ...>); -- id: typescript.react.security.audit.react-missing-noopener.react-missing-noopener - message: This rule has been deprecated - metadata: - cwe: - - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' - owasp: - - A01:2021 - Broken Access Control - references: - - https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer - - https://web.dev/external-anchors-use-rel-noopener/ - - https://owasp.org/www-community/attacks/Reverse_Tabnabbing - category: security - technology: - - react - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Mishandled Sensitive Information - source: https://semgrep.dev/r/typescript.react.security.audit.react-missing-noopener.react-missing-noopener - shortlink: https://sg.run/O19e - semgrep.dev: - rule: - rule_id: nJUYOZ - version_id: X0TP6N - url: https://semgrep.dev/playground/r/X0TP6N/typescript.react.security.audit.react-missing-noopener.react-missing-noopener - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: typescript.react.security.audit.react-props-injection.react-props-injection - message: this rule has been deprecated. - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - deprecated: true - references: - - https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1 - category: security - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/typescript.react.security.audit.react-props-injection.react-props-injection - shortlink: https://sg.run/dg6P - semgrep.dev: - rule: - rule_id: L1U47z - version_id: 9lTzPw - url: https://semgrep.dev/playground/r/9lTzPw/typescript.react.security.audit.react-props-injection.react-props-injection - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: typescript.react.security.audit.react-router-redirect.react-router-redirect - message: this rule has been deprecated. - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - deprecated: true - category: security - technology: - - react - references: - - https://v5.reactrouter.com/web/api/Redirect - - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html - - https://semgrep.dev - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/typescript.react.security.audit.react-router-redirect.react-router-redirect - shortlink: https://sg.run/ZeR7 - semgrep.dev: - rule: - rule_id: 8GUE4K - version_id: yeTX7j - url: https://semgrep.dev/playground/r/yeTX7j/typescript.react.security.audit.react-router-redirect.react-router-redirect - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection - message: this rule has been deprecated. - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://styled-components.com/docs/advanced#security - category: security - deprecated: true - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection - shortlink: https://sg.run/nqWG - semgrep.dev: - rule: - rule_id: gxUW6x - version_id: rxTx7Z - url: https://semgrep.dev/playground/r/rxTx7Z/typescript.react.security.audit.react-styled-components-injection.react-styled-components-injection - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() -- id: typescript.react.security.react-controlled-component-password.react-controlled-component-password - message: this rule has been deprecated. - metadata: - category: security - deprecated: true - technology: - - react - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - references: - - https://semgrep.dev - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/typescript.react.security.react-controlled-component-password.react-controlled-component-password - shortlink: https://sg.run/jN2Z - semgrep.dev: - rule: - rule_id: bwUObG - version_id: kbT7nA - url: https://semgrep.dev/playground/r/kbT7nA/typescript.react.security.react-controlled-component-password.react-controlled-component-password - origin: community - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() - id: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html message: Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the diff --git a/assets/semgrep_rules/generated/nonfree/others.yaml b/assets/semgrep_rules/generated/nonfree/others.yaml index efde810c..14a6821f 100644 --- a/assets/semgrep_rules/generated/nonfree/others.yaml +++ b/assets/semgrep_rules/generated/nonfree/others.yaml @@ -36,39 +36,6 @@ rules: include: - "*dockerfile*" - "*Dockerfile*" -- id: html.security.missing-noreferrer.missing-noreferrer - metadata: - category: correctness - technology: - - html - cwe: 'CWE-1022: Use of Web Link to Untrusted Target with window.opener Access' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - confidence: MEDIUM - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - references: - - https://chromestatus.com/feature/6140064063029248 - vulnerability_class: - - Improper Validation - source: https://semgrep.dev/r/html.security.missing-noreferrer.missing-noreferrer - shortlink: https://sg.run/Gekn - semgrep.dev: - rule: - rule_id: 6JUjBL - version_id: yeTXA4 - url: https://semgrep.dev/playground/r/yeTXA4/html.security.missing-noreferrer.missing-noreferrer - origin: community - patterns: - - pattern: a() - - pattern: b() - paths: - include: - - "*.html" - message: This rule has been deprecated. - severity: WARNING - languages: - - generic - id: javascript.react.correctness.hooks.set-state-no-op.calling-set-state-on-current-state patterns: - pattern: "$Y($X);" diff --git a/assets/semgrep_rules/generated/nonfree/vulns.yaml b/assets/semgrep_rules/generated/nonfree/vulns.yaml index d58b7f08..41a33ab4 100644 --- a/assets/semgrep_rules/generated/nonfree/vulns.yaml +++ b/assets/semgrep_rules/generated/nonfree/vulns.yaml @@ -35146,45 +35146,6 @@ rules: - metavariable-comparison: metavariable: "$SIZE" comparison: "$SIZE < 2048" -- id: ruby.lang.security.json-encoding.json-encoding - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_encoding.rb - - https://groups.google.com/g/rubyonrails-security/c/7VlB_pck3hU/m/3QZrGIaQW6cJ - category: security - technology: - - ruby - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: HIGH - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/ruby.lang.security.json-encoding.json-encoding - shortlink: https://sg.run/zkYz - semgrep.dev: - rule: - rule_id: 10UZ8v - version_id: kbT7vl - url: https://semgrep.dev/playground/r/kbT7vl/ruby.lang.security.json-encoding.json-encoding - origin: community - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() - id: ruby.lang.security.md5-used-as-password.md5-used-as-password languages: - ruby @@ -35774,123 +35735,6 @@ rules: - pattern: system - pattern: truncate - pattern: unlink -- id: ruby.rails.security.audit.dynamic-finders.dynamic-finders - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command - (''SQL Injection'')' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_dynamic_finders.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: HIGH - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - SQL Injection - source: https://semgrep.dev/r/ruby.rails.security.audit.dynamic-finders.dynamic-finders - shortlink: https://sg.run/5yNW - semgrep.dev: - rule: - rule_id: gxUJ8A - version_id: 1QTxQB - url: https://semgrep.dev/playground/r/1QTxQB/ruby.rails.security.audit.dynamic-finders.dynamic-finders - origin: community - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.rails.security.audit.number-to-currency.number-to-currency - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site - Scripting'')' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: LOW - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cross-Site-Scripting (XSS) - source: https://semgrep.dev/r/ruby.rails.security.audit.number-to-currency.number-to-currency - shortlink: https://sg.run/veD4 - semgrep.dev: - rule: - rule_id: yyUAl9 - version_id: l4T5w2 - url: https://semgrep.dev/playground/r/l4T5w2/ruby.rails.security.audit.number-to-currency.number-to-currency - origin: community - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() -- id: ruby.rails.security.audit.quote-table-name.quote-table-name - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command - (''SQL Injection'')' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_quote_table_name.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: HIGH - impact: MEDIUM - confidence: LOW - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - SQL Injection - source: https://semgrep.dev/r/ruby.rails.security.audit.quote-table-name.quote-table-name - shortlink: https://sg.run/d1dY - semgrep.dev: - rule: - rule_id: r6U2dJ - version_id: YDToj8 - url: https://semgrep.dev/playground/r/YDToj8/ruby.rails.security.audit.quote-table-name.quote-table-name - origin: community - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() - id: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli mode: taint pattern-propagators: @@ -40794,46 +40638,6 @@ rules: version_id: PkTYPz url: https://semgrep.dev/playground/r/PkTYPz/terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket origin: community -- id: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket - patterns: - - pattern: a - - pattern: b - languages: - - hcl - severity: INFO - message: This rule has been deprecated, as all s3 buckets are encrypted by default - with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration - for more info. - metadata: - references: - - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration - - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html - cwe: - - 'CWE-311: Missing Encryption of Sensitive Data' - category: security - technology: - - terraform - - aws - owasp: - - A03:2017 - Sensitive Data Exposure - - A04:2021 - Insecure Design - subcategory: - - vuln - likelihood: MEDIUM - impact: MEDIUM - confidence: MEDIUM - deprecated: true - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - vulnerability_class: - - Cryptographic Issues - source: https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket - shortlink: https://sg.run/Jezw - semgrep.dev: - rule: - rule_id: 3qU62L - version_id: JdTq9n - url: https://semgrep.dev/playground/r/JdTq9n/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket - origin: community - id: trailofbits.go.anonymous-race-condition.anonymous-race-condition message: Possible race condition due to memory aliasing of variable `$X` languages: diff --git a/assets/semgrep_rules/update-ruleset.rb b/assets/semgrep_rules/update-ruleset.rb index 66d50a25..e99c1196 100644 --- a/assets/semgrep_rules/update-ruleset.rb +++ b/assets/semgrep_rules/update-ruleset.rb @@ -245,6 +245,8 @@ def fmt_diff(diff) ret.each do |rule| next if BLOCKLIST.include?(rule['metadata']['source']) + next if rule['patterns'] && rule['patterns'][0]['pattern'] == 'a()' && rule['patterns'][1]['pattern'] == 'b()' + next if rule['patterns'] && rule['patterns'][0]['pattern'] == 'a' && rule['patterns'][1]['pattern'] == 'b' categoriser << rule end