diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0f16fd8..ec65fdb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,9 +2,9 @@ name: Run rule tests
 on:
 push:
- branches: [ "v2" ]
+ branches: [ "main" ]
 pull_request:
- branches: [ "v2" ]
+ branches: [ "main" ]
 jobs:
 run-test:
@@ -22,10 +22,10 @@ jobs:
 token: ${{ secrets.SEQRA_GITHUB_TOKEN }}
 latest: true
 fileName: seqra_linux_amd64.tar.gz
- out-file-path: seqra-cli
+ out-file-path: cli
 - run: |
- cd seqra-cli
+ cd cli
 tar -xzf seqra_linux_amd64.tar.gz
 - uses: robinraju/release-downloader@v1.12
@@ -58,7 +58,7 @@ jobs:
 - name: Seqra compile test project
 run: |
- seqra-cli/seqra compile test --github-token ${{ secrets.SEQRA_GITHUB_TOKEN }} --compile-type native --output ./seqra-project --verbosity debug
+ cli/seqra compile test --github-token ${{ secrets.SEQRA_GITHUB_TOKEN }} --output ./seqra-project --verbosity debug
 - name: Run Seqra analyzer
 run: |
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 998da33..ec2f4d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## v2.1.1
+### fix: Correct CI trigger and branch name; fix OWASP rules
+- fix: Fix sqli and crypto rules
 ## v2.1.0
 ### feat: Add JSP source and sink
 - feat: Add jsp source and sink
diff --git a/rules/java/lib/generic/servlet-sqli-sinks.yaml b/rules/java/lib/generic/servlet-sqli-sinks.yaml
deleted file mode 100644
index 8d89ec7..0000000
--- a/rules/java/lib/generic/servlet-sqli-sinks.yaml
+++ /dev/null
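Review bot: The new `cli/seqra compile test --github-token ${{ secrets.SEQRA_GITHUB_TOKEN }} ...` line in the third hunk still expands the secret straight into the shell command, so the token becomes a process argument visible to anything that can list processes on the runner, and with `--verbosity debug` it is worth confirming the CLI does not log its own invocation. Passing it through the step environment keeps it off the command line: add `env:` with `SEQRA_GITHUB_TOKEN: ${{ secrets.SEQRA_GITHUB_TOKEN }}` to the step and change the line to `cli/seqra compile test --github-token "$SEQRA_GITHUB_TOKEN" --output ./seqra-project --verbosity debug` (the `token:` input in the second hunk is an action input, not a shell line, and is fine as is). Dropping `--compile-type native` also changes how the test project is compiled, and the CHANGELOG entry in this commit does not mention it; one line there would help anyone diffing CI behaviour. The enclosing job definition starts and ends outside the hunk.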
@@ -1,48 +0,0 @@
-rules:
- - id: java-servlet-sqli-sink
- options:
- lib: true
- severity: NOTE
- message: SQL query with unescaped untrusted data
- metadata:
- license: LGPL 2.1 (GNU Lesser General Public License, Version 2.1)
- provenance:
- - https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION
- - https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/rules/lgpl-cc/java/inject/rule-SqlInjection.yml
- languages:
- - java
- mode: taint
- pattern-sanitizers:
- - pattern: (CriteriaBuilder $CB).$ANY(...)
- pattern-sinks:
- - patterns:
- - pattern-either:
- - pattern: (javax.jdo.PersistenceManager $PM).newQuery($UNTRUSTED)
- - pattern: (javax.jdo.PersistenceManager $PM).newQuery(..., $UNTRUSTED)
- - pattern: (javax.jdo.Query $Q).setFilter($UNTRUSTED)
- - pattern: (javax.jdo.Query $Q).setGrouping($UNTRUSTED)
- - pattern: (Statement $S).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (CallableStatement $S).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (PreparedStatement $P).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (Connection $C).createStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (Connection $C).prepareStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (io.vertx.sqlclient.SqlClient $O).query($UNTRUSTED, ...)
- - pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($UNTRUSTED, ...)
- - pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($UNTRUSTED, ...)
- - pattern: (org.apache.turbine.om.peer.BasePeer $O).executeQuery($UNTRUSTED, ...)
- - pattern: org.apache.torque.util.BasePeer.executeQuery($UNTRUSTED, ...)
- - pattern: org.apache.torque.util.BasePeer.executeStatement($UNTRUSTED, ...)
- - pattern: (javax.persistence.EntityManager $O).createQuery($UNTRUSTED, ...)
- - pattern: (javax.persistence.EntityManager $O).createNativeQuery($UNTRUSTED, ...)
- - pattern: (org.jdbi.v3.core.Handle $H).createQuery($UNTRUSTED, ...)
- - pattern: (org.jdbi.v3.core.Handle $H).createScript($UNTRUSTED, ...)
- - pattern: (org.jdbi.v3.core.Handle $H).createUpdate($UNTRUSTED, ...)
- - pattern: (org.jdbi.v3.core.Handle $H).execute($UNTRUSTED, ...)
- - pattern: (org.jdbi.v3.core.Handle $H).prepareBatch($UNTRUSTED, ...)
- - pattern: (org.jdbi.v3.core.Handle $H).select($UNTRUSTED, ...)
- - pattern: new org.jdbi.v3.core.statement.Script($H, $UNTRUSTED)
- - pattern: new org.jdbi.v3.core.statement.Update($H, $UNTRUSTED)
- - pattern: new org.jdbi.v3.core.statement.PreparedBatch($H, $UNTRUSTED)
- - metavariable-regex:
- metavariable: $SQLFUNC
- regex: execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare
diff --git a/rules/java/lib/spring/jdbc-sqli-sinks.yaml b/rules/java/lib/spring/jdbc-sqli-sinks.yaml
index b7bd4a5..ed9ab91 100644
--- a/rules/java/lib/spring/jdbc-sqli-sinks.yaml
+++ b/rules/java/lib/spring/jdbc-sqli-sinks.yaml
@@ -23,8 +23,8 @@ rules:
 - pattern: (Statement $S).$SQLFUNC(..., $UNTRUSTED, ...)
 - pattern: (CallableStatement $S).$SQLFUNC(..., $UNTRUSTED, ...)
 - pattern: (PreparedStatement $P).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (Connection $C).createStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)
- - pattern: (Connection $C).prepareStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)
+ - pattern: (Connection $C).prepareStatement($UNTRUSTED, ...).$SQLFUNC(...)
+ - pattern: (Connection $C).prepareCall($UNTRUSTED, ...).$SQLFUNC(...)
 - pattern: (io.vertx.sqlclient.SqlClient $O).query($UNTRUSTED, ...)
 - pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($UNTRUSTED, ...)
 - pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($UNTRUSTED, ...)
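Review bot: The new `(Connection $C).prepareStatement($UNTRUSTED, ...).$SQLFUNC(...)` and `prepareCall` sinks fire only when the execute call is chained onto the `prepareStatement` result; the common two-statement form (`PreparedStatement ps = conn.prepareStatement(sql); ps.executeQuery();`) is not matched, because taint now sits on the `prepareStatement` argument while the `(PreparedStatement $P).$SQLFUNC(..., $UNTRUSTED, ...)` context line expects it on the execute call's arguments. Unless a bare Connection sink exists elsewhere in this rule, add `- pattern: (Connection $C).prepareStatement($UNTRUSTED, ...)` and `- pattern: (Connection $C).prepareCall($UNTRUSTED, ...)` next to the chained forms; the second hunk in this file removes the Hibernate `connection().prepareStatement($UNTRUSTED)` sink, which the same bare pattern would need to cover. The removed `createStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)` form is presumably covered by the `(Statement $S)` pattern when the engine types the `createStatement()` result, which a test case should confirm. The enclosing `pattern-either` list starts and ends outside the hunk.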
@@ -58,7 +58,6 @@ rules:
 - pattern: org.hibernate.criterion.Restrictions.sqlRestriction($UNTRUSTED, ...)
 - pattern: (org.hibernate.Session $S).createQuery((String $UNTRUSTED), ...)
 - pattern: (org.hibernate.Session $S).createSQLQuery($UNTRUSTED, ...)
- - pattern: (org.hibernate.Session $S).connection().prepareStatement($UNTRUSTED)
 - pattern: (io.vertx.sqlclient.SqlClient $O).query($UNTRUSTED, ...)
 - pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($UNTRUSTED, ...)
 - pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($UNTRUSTED, ...)
diff --git a/rules/java/security/crypto.yaml b/rules/java/security/crypto.yaml
index 540ca7c..f92be0b 100644
--- a/rules/java/security/crypto.yaml
+++ b/rules/java/security/crypto.yaml
@@ -321,7 +321,7 @@ rules:
 javax.crypto.Cipher.getInstance($PROP, ...);
 - metavariable-regex:
 metavariable: $ALG
- regex: .*ECB.*
+ regex: (?i).*ECB.*
 - id: gcm-detection
 severity: NOTE
@@ -346,10 +346,14 @@ rules:
 - java
 - kt
 patterns:
- - pattern-either:
- - pattern: javax.crypto.Cipher.getInstance("AES/GCM/NoPadding")
- - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES/GCM/NoPadding")
- - pattern: new GCMParameterSpec(...);
+ - patterns:
+ - metavariable-regex:
+ metavariable: $ALGO
+ regex: (?i)AES/GCM/NoPadding
+ - pattern-either:
+ - pattern: javax.crypto.Cipher.getInstance("$ALGO", ...)
+ - pattern: (javax.crypto.Cipher $CIPHER).getInstance("$ALGO", ...)
+ - pattern: new GCMParameterSpec(...);
 - id: gcm-nonce-reuse
 severity: WARNING
@@ -442,7 +446,7 @@ rules:
 javax.crypto.Cipher.getInstance($PROP, ...);
 - metavariable-regex:
 metavariable: $ALG
- regex: /?RSA/[Nn][Oo][Nn][Ee]/NoPadding/?
+ regex: (?i)RSA/NONE/NoPadding/?
 - id: cbc-padding-oracle
 severity: WARNING
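Review bot: In the gcm-detection hunk the trailing `- pattern: new GCMParameterSpec(...);` now follows the new `pattern-either` block, and whether it is still an alternative depends on indentation this collapsed diff does not show. If it sits as a sibling of `metavariable-regex` under the inner `patterns`, it is ANDed with the `getInstance` alternatives and the rule can never match, since one node cannot be both a `getInstance` call and a constructor call; it belongs as the third entry of the `pattern-either`. The `(?i)` additions in this and the two neighbouring hunks (`.*ECB.*`, `RSA/NONE/NoPadding/?`) are right, as JCA transformation names are case-insensitive, but the RSA regex also drops the old optional leading `/`, so if `$ALG` can be bound with that prefix this is a silent behaviour change worth a test. Each rule's `id`/`severity` header is outside its hunk.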
@@ -464,10 +468,10 @@ rules:
 - java
 - kt
 patterns:
- - pattern: javax.crypto.Cipher.getInstance("$MODE")
+ - pattern: javax.crypto.Cipher.getInstance("$MODE", ...)
 - metavariable-regex:
 metavariable: $MODE
- regex: .*/CBC/PKCS5Padding/?
+ regex: (?i).*/CBC/PKCS5Padding/?
 - id: use-of-blowfish
 severity: WARNING
@@ -487,8 +491,8 @@ rules:
 - java
 - kt
 pattern-either:
- - pattern: javax.crypto.Cipher.getInstance("Blowfish")
- - pattern: (javax.crypto.Cipher $CIPHER).getInstance("Blowfish")
+ - pattern: javax.crypto.Cipher.getInstance("Blowfish", ...)
+ - pattern: (javax.crypto.Cipher $CIPHER).getInstance("Blowfish", ...)
 - id: use-of-default-aes
 severity: WARNING
@@ -508,8 +512,8 @@ rules:
 - java
 - kt
 pattern-either:
- - pattern: javax.crypto.Cipher.getInstance("AES")
- - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES")
+ - pattern: javax.crypto.Cipher.getInstance("AES", ...)
+ - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES", ...)
 - id: aes-hardcoded-key
 severity: WARNING
@@ -573,7 +577,7 @@ rules:
 languages:
 - java
 - kt
- pattern: $CIPHER.getInstance("RC2")
+ pattern: $CIPHER.getInstance("RC2", ...)
 - id: use-of-rc4
 severity: WARNING
@@ -593,7 +597,7 @@ rules:
 languages:
 - java
 - kt
- pattern: $CIPHER.getInstance("RC4")
+ pattern: $CIPHER.getInstance("RC4", ...)
 - id: use-of-sha1
 severity: WARNING
diff --git a/rules/java/security/sensitive-data-exposure.yaml b/rules/java/security/sensitive-data-exposure.yaml
index 1bc6454..09f6f8d 100644
--- a/rules/java/security/sensitive-data-exposure.yaml
+++ b/rules/java/security/sensitive-data-exposure.yaml
@@ -6,7 +6,8 @@ rules:
 This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
 metadata:
 cwe:
- - CWE-319:
+ - CWE-319
+ - CWE-614
 short-description: Cleartext transmission of sensitive cookie value
 references:
 - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
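Review bot: The use-of-blowfish hunk, and likewise the use-of-default-aes, RC2 and RC4 hunks below it, still match only the exact literals `"Blowfish"`, `"AES"`, `"RC2"` and `"RC4"`, while the same commit makes the ECB, GCM, RSA and CBC checks case-insensitive with `(?i)`; since `Cipher.getInstance` accepts algorithm names case-insensitively, `getInstance("blowfish")` or `getInstance("aes")` is not reported by these rules. The gcm-detection approach from this commit — a `"$ALGO"` metavariable plus `metavariable-regex` — would close that gap consistently, e.g. `regex: (?i)^Blowfish$` and `regex: (?i)^AES$`, with explicit anchors so the default-AES rule does not also swallow `AES/GCM/NoPadding`. The RC2/RC4 rules also use an untyped `$CIPHER.getInstance(...)`, unlike the `(javax.crypto.Cipher $CIPHER)` form in the hunks above; worth aligning while these lines are being touched. Each rule's header lines are outside its hunk.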
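Review bot: With the `cwe` list now reading `CWE-319` and `CWE-614` (the trailing colon that made `CWE-319:` parse as a one-key mapping rather than a string is gone), the rule's message in the context line above still says the Secure flag is set `to prevent cross-site scripting attacks`, which is the HttpOnly flag's purpose; the Secure flag keeps the cookie off cleartext HTTP, which is what the new CWE-614 and the short-description describe. Suggest rewording that sentence to `This ensures that the cookie is sent only over HTTPS and is not exposed by cleartext transmission.` The `message` block starts outside the hunk.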
@@ -19,7 +20,7 @@ rules: - pattern-not-inside: | $COOKIE = new Cookie(...); ... $COOKIE.setSecure(...); + $COOKIE.setSecure(true); - pattern-not-inside: | $COOKIE.setValue("");
diff --git a/rules/java/security/sqli.yaml b/rules/java/security/sqli.yaml
index e4cdb42..9c0d0e8 100644
--- a/rules/java/security/sqli.yaml
+++ b/rules/java/security/sqli.yaml
@@ -92,7 +92,7 @@ rules:
 refs:
 - rule: java/lib/generic/servlet-untrusted-data-source.yaml#java-servlet-untrusted-data-source
 as: untrusted-data
- - rule: java/lib/generic/servlet-sqli-sinks.yaml#java-servlet-sqli-sink
+ - rule: java/lib/spring/jdbc-sqli-sinks.yaml#spring-sqli-sink
 as: sink
 on:
 - 'untrusted-data.$UNTRUSTED -> sink.$UNTRUSTED'
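Review bot: Tightening the exclusion to `$COOKIE.setSecure(true);` means `setSecure(false)` is now correctly reported, but it also reports any non-literal argument such as `cookie.setSecure(request.isSecure())` or a configuration-driven flag, which are common and not defects. If that is intended it deserves a comment in the rule (`# only a literal true counts as a fix; computed flags are reported for review`); otherwise add a second `pattern-not-inside` for `$COOKIE.setSecure($FLAG);` with a `metavariable-pattern` on `$FLAG` that excludes `false`. The `pattern-not-inside` list and the rule's main pattern lie outside the hunk.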
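Review bot: Re-pointing `sink` at `java/lib/spring/jdbc-sqli-sinks.yaml#spring-sqli-sink` couples the generic servlet SQLi rule to a Spring-named library, and the deleted `java-servlet-sqli-sink` carried JDO (`javax.jdo.PersistenceManager.newQuery`, `Query.setFilter`/`setGrouping`), Torque/Turbine, JPA `EntityManager` and JDBI sinks; only the JDBC, Vert.x and Hibernate parts of the Spring file are visible in this diff, so please confirm those sink families exist there or the servlet rule loses coverage for them. If they do, a comment on this line such as `# shared JDBC/ORM sink list; not Spring-specific despite the path` would save the next reader the same check, or the file could move to a neutral path. The rule's pattern section is outside the hunk.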