From 5bfe249b5063ea028d66a3783e60e80db35e48e7 Mon Sep 17 00:00:00 2001 From: berney Date: Tue, 12 Nov 2024 19:43:14 +1100 Subject: [PATCH 1/3] Allow OWASP Top 10 references from Kubernetes and LLM Top 10 (#3499) Co-authored-by: Berne Campbell <3227426+berney@users.noreply.github.com> Co-authored-by: Pieter De Cremer (Semgrep) --- yaml/semgrep/metadata-owasp.test.yaml | 18 ++++++++++++++++++ yaml/semgrep/metadata-owasp.yaml | 8 ++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/yaml/semgrep/metadata-owasp.test.yaml b/yaml/semgrep/metadata-owasp.test.yaml index 0f1946b24f..b7d264c4db 100644 --- a/yaml/semgrep/metadata-owasp.test.yaml +++ b/yaml/semgrep/metadata-owasp.test.yaml @@ -15,6 +15,22 @@ rules: metadata: # ok: metadata-owasp owasp: A05:2021 - Security Misconfiguration + - id: example-k8s-1 + message: Example + severity: ERROR + languages: [json, yaml] + pattern: "..." + metadata: + # ok: metadata-owasp + owasp: "K1: Insecure Workload Configurations" + - id: example-k8s-1b + message: Example + severity: ERROR + languages: [json, yaml] + pattern: "..." + metadata: + # ok: metadata-owasp + owasp: K01:2022 - Insecure Workload Configurations - id: example-bad-zero message: Example severity: ERROR @@ -75,6 +91,8 @@ rules: - A05:2021 - Security Misconfiguration # ok: metadata-owasp - A06:2017 - Security Misconfiguration + # ok: metadata-owasp + - K01:2022 - Insecure Workload Configurations - id: example-bad-list message: Example severity: ERROR diff --git a/yaml/semgrep/metadata-owasp.yaml b/yaml/semgrep/metadata-owasp.yaml index a0dec878cc..510a3018ee 100644 --- a/yaml/semgrep/metadata-owasp.yaml +++ b/yaml/semgrep/metadata-owasp.yaml 
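Review bot: The new fixtures in metadata-owasp.test.yaml cover the `K` prefix only, so the `LLM` alternative that the rule change introduces in the same patch is never exercised, and there is no negative case for the new prefixes at all (the existing `example-bad-zero` case only checks the `A` form). I would add an `# ok: metadata-owasp` case such as `owasp: "LLM01:2023 - Example"` next to `example-k8s-1b`, and a `# ruleid: metadata-owasp` case using a year without the leading zero, e.g. `owasp: K1:2022 - Example`, so that both branches of the new `(A|K|LLM)` alternation are pinned by tests. The second hunk of this file only adds a list-form `K01:2022` entry and could get an `LLM01:2023` sibling for the same reason.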
@@ -2,7 +2,7 @@ rules: - id: metadata-owasp message: >- The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", - where A00 is the OWASP top ten number and YYYY is the OWASP top ten year. + where A00 is the OWASP Top 10 number and YYYY is the OWASP Top 10 year. severity: ERROR languages: [json, yaml] patterns: @@ -13,13 +13,13 @@ rules: # If there's a year, need leading zero, e.g. `A01:2021 blah` rather than `A1:2021 blah`. - patterns: - pattern: 'owasp: "..."' - - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"' - - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"' + - pattern-not: 'owasp: "=~/^(A|K|LLM)(0?[1-9]|10):\s+.+$/"' + - pattern-not: 'owasp: "=~/^(A|K|LLM)(0[1-9]|10):([0-9]{4})?\s+.+$/"' # A list, must have the year, e.g. `- A01:2021 blah` - patterns: - pattern-inside: "owasp: [...]" - pattern: '"$ANYTHING"' - - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.* + - pattern-not-regex: .*(A|K|LLM)(0[1-9]|10):[0-9]{4}\s+.* - pattern-not-regex: "owasp:" metadata: category: best-practice From aaf727cea513fbbb1b79d746846dc6b31a7ad29e Mon Sep 17 00:00:00 2001 From: QU35T-code <51704860+QU35T-code@users.noreply.github.com> Date: Tue, 12 Nov 2024 09:54:03 +0100 Subject: [PATCH 2/3] Add literal pattern (#3507) Co-authored-by: Pieter De Cremer (Semgrep) --- .../security/audit/sequelize-raw-query.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/javascript/sequelize/security/audit/sequelize-raw-query.yaml b/javascript/sequelize/security/audit/sequelize-raw-query.yaml index 368c91473c..176dfe59a3 100644 --- a/javascript/sequelize/security/audit/sequelize-raw-query.yaml +++ b/javascript/sequelize/security/audit/sequelize-raw-query.yaml 
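Review bot: The rule message in the first hunk of metadata-owasp.yaml still tells the user the tag "should start with the format "A00:YYYY"", while the regexes in the second hunk now also accept `K` and `LLM` prefixes, so a user who writes a malformed Kubernetes or LLM Top 10 reference gets guidance that does not mention the form they were trying to use. I would update the two message lines to `The \`owasp\` tag in Semgrep rule metadata should start with the format "A00:YYYY", "K00:YYYY" or "LLM00:YYYY",` and `where the prefix selects the OWASP Top 10 list (web, Kubernetes or LLM), 00 is the entry number and YYYY is the list year.` The comment above the first `pattern-not` (`# If there's a year, need leading zero, e.g. ...`) would also read better if it named one `K01:2022` example, since the leading-zero requirement now applies to all three prefixes.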
@@ -40,3 +40,15 @@ rules: $QUERY = $SQL + $VALUE ... $DATABASE.sequelize.query($QUERY, ...) + - pattern: | + Sequelize.literal(`...${...}...`) + - pattern: | + $QUERY = `...${...}...` + ... + Sequelize.literal($QUERY) + - pattern: | + Sequelize.literal($SQL + $VALUE) + - pattern: | + $QUERY = $SQL + $VALUE + ... + Sequelize.literal($QUERY) From 495df89cd2b3595c41f1e34abad7c465010d30cd Mon Sep 17 00:00:00 2001 From: berney Date: Wed, 13 Nov 2024 19:26:52 +1100 Subject: [PATCH 3/3] Filter exceptions from tainted-sql-string (#3501) Co-authored-by: Berne Campbell <3227426+berney@users.noreply.github.com> Co-authored-by: Pieter De Cremer (Semgrep) --- scala/lang/security/audit/tainted-sql-string.scala | 5 +++++ scala/lang/security/audit/tainted-sql-string.yaml | 1 + 2 files changed, 6 insertions(+) diff --git a/scala/lang/security/audit/tainted-sql-string.scala b/scala/lang/security/audit/tainted-sql-string.scala index 59bd99623c..d1a12cff09 100644 --- a/scala/lang/security/audit/tainted-sql-string.scala +++ b/scala/lang/security/audit/tainted-sql-string.scala @@ -94,4 +94,9 @@ object Smth { logWarning(s"Create user $name") } } + + def throwException(name: String) = { + // ok: tainted-sql-string + throw new IllegalArgumentException(s"Can't create a ${name}") + } } diff --git a/scala/lang/security/audit/tainted-sql-string.yaml b/scala/lang/security/audit/tainted-sql-string.yaml index c02debe264..24805b5acd 100644 --- a/scala/lang/security/audit/tainted-sql-string.yaml +++ b/scala/lang/security/audit/tainted-sql-string.yaml @@ -73,6 +73,7 @@ rules: - pattern-regex: | .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.* - pattern-not-inside: println(...) + - pattern-not-inside: throw new $EXCEPTION(...) pattern-sanitizers: - pattern-either: - patterns:
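Review bot: The four new `Sequelize.literal(...)` patterns in sequelize-raw-query.yaml come without any fixture change — the diffstat of this patch lists only the rule file — so none of the new shapes (template literal, concatenation, and their two-step `$QUERY` variants) is checked by the rule's test file, which is how the existing `query` patterns are covered. I would add `# ruleid: sequelize-raw-query` cases for each of the four forms plus an `# ok:` case with a constant string passed to `literal`. Separately, these patterns bind to the bare identifier `Sequelize`, whereas the existing patterns use the metavariable form `$DATABASE.sequelize.query(...)`; a call through an instance or a destructured import would presumably not match, so it is worth either documenting that limitation with a comment on the first new pattern or adding an instance-style variant. The enclosing `pattern-either` list starts before this hunk.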
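Review bot: The new `- pattern-not-inside: throw new $EXCEPTION(...)` in tainted-sql-string.yaml suppresses every match anywhere inside the constructor's argument list, not just the message string, so a tainted SQL string that is actually executed while building the exception would, if I read `pattern-not-inside` correctly, be excluded as well; the existing `println(...)` exclusion has the same breadth, so this is consistent but worth stating. I would add a comment above the new line, `# Exception messages are not sent to a database; mirrors the println(...) exclusion above`, so the intent (and the accepted trade-off) is recorded next to the filter. Note also that only the `throw new` form is filtered — an exception constructed first and thrown later still matches — which the fixture's `throwException` case in tainted-sql-string.scala does not exercise. The enclosing `pattern-not-inside` list starts before this hunk.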