Merge Develop into Release

javascript/sequelize/security/audit/sequelize-raw-query.yaml

@@ -40,3 +40,15 @@ rules:
       $QUERY = $SQL + $VALUE
       ...
       $DATABASE.sequelize.query($QUERY, ...)
+  - pattern: |
+      Sequelize.literal(`...${...}...`)
+  - pattern: |
+      $QUERY = `...${...}...`
+      ...
+      Sequelize.literal($QUERY)
+  - pattern: |
+      Sequelize.literal($SQL + $VALUE)
+  - pattern: |
+      $QUERY = $SQL + $VALUE
+      ...
+      Sequelize.literal($QUERY)

scala/lang/security/audit/tainted-sql-string.scala

@@ -94,4 +94,9 @@ object Smth {
         logWarning(s"Create user $name")
     }
   }
+
+  def throwException(name: String) = {
+    // ok: tainted-sql-string
+    throw new IllegalArgumentException(s"Can't create a ${name}")
+  }
 }

scala/lang/security/audit/tainted-sql-string.yaml

@@ -73,6 +73,7 @@ rules:
         - pattern-regex: |
             .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.*
     - pattern-not-inside: println(...)
+    - pattern-not-inside: throw new $EXCEPTION(...)
   pattern-sanitizers:
   - pattern-either:
     - patterns:

yaml/semgrep/metadata-owasp.test.yaml

@@ -15,6 +15,22 @@ rules:
     metadata:
       # ok: metadata-owasp
       owasp: A05:2021 - Security Misconfiguration
+  - id: example-k8s-1
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: "K1: Insecure Workload Configurations"
+  - id: example-k8s-1b
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: K01:2022 - Insecure Workload Configurations
   - id: example-bad-zero
     message: Example
     severity: ERROR
@@ -75,6 +91,8 @@ rules:
         - A05:2021 - Security Misconfiguration
         # ok: metadata-owasp
         - A06:2017 - Security Misconfiguration
+        # ok: metadata-owasp
+        - K01:2022 - Insecure Workload Configurations
   - id: example-bad-list
     message: Example
     severity: ERROR

yaml/semgrep/metadata-owasp.yaml

@@ -2,7 +2,7 @@ rules:
   - id: metadata-owasp
     message: >-
       The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY",
-      where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.
+      where A00 is the OWASP Top 10 number and YYYY is the OWASP Top 10 year.
     severity: ERROR
     languages: [json, yaml]
     patterns:
@@ -13,13 +13,13 @@ rules:
         # If there's a year, need leading zero, e.g. `A01:2021 blah` rather than `A1:2021 blah`.
           - patterns:
               - pattern: 'owasp: "..."'
-              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"'
-              - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^(A|K|LLM)(0?[1-9]|10):\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^(A|K|LLM)(0[1-9]|10):([0-9]{4})?\s+.+$/"'
           # A list, must have the year, e.g. `- A01:2021 blah`
           - patterns:
               - pattern-inside: "owasp: [...]"
               - pattern: '"$ANYTHING"'
-              - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.*
+              - pattern-not-regex: .*(A|K|LLM)(0[1-9]|10):[0-9]{4}\s+.*
               - pattern-not-regex: "owasp:"
     metadata:
       category: best-practice