Merged
Changes from 11 commits
Commits
37 commits
4208c3d
insecure-biometrics-swift
ESS-ENN Sep 5, 2024
2d4ea63
plaintext-http-link-html
ESS-ENN Sep 5, 2024
586888d
desede-is-deprecated-java
ESS-ENN Sep 5, 2024
9015c09
desede-is-deprecated-kotlin
ESS-ENN Sep 5, 2024
68be70d
sizeof-this-c
ESS-ENN Sep 5, 2024
3d453a8
cbc-padding-oracle-java
ESS-ENN Sep 5, 2024
e7b4680
no-null-cipher-java
ESS-ENN Sep 5, 2024
1ba2958
rsa-no-padding-java
ESS-ENN Sep 5, 2024
f182a4b
changed folder position of no-null-cipher-java
ESS-ENN Sep 5, 2024
ac0edaa
rsa-padding-set-scala
ESS-ENN Sep 5, 2024
650b88b
xmlinputfactory-dtd-enabled-scala
ESS-ENN Sep 5, 2024
b0c6e4e
Incorporated changes suggested by CodeRabbit Bot
ESS-ENN Sep 6, 2024
bd0bc1d
httponly-false-csharp
ESS-ENN Sep 6, 2024
5507b0a
reqwest-accept-invalid-rust
ESS-ENN Sep 6, 2024
456f431
libxml2-audit-parser-c
ESS-ENN Sep 6, 2024
30f9ae3
libxml2-audit-parser-cpp
ESS-ENN Sep 7, 2024
0970f4f
oracleconnectionstringbuilder-hardcoded-secret-csharp
ESS-ENN Sep 9, 2024
081bad0
ecb-cipher-java
ESS-ENN Sep 9, 2024
bec0b7e
Changed severity for 3 rules as suggested by Bot
ESS-ENN Sep 10, 2024
472fa36
use-of-weak-rsa-key-java
ESS-ENN Sep 10, 2024
5fea8a2
unencrypted-socket-java
ESS-ENN Sep 10, 2024
a85cbfb
use-of-weak-rsa-key-kotlin
ESS-ENN Sep 10, 2024
22b3dca
removing oracleconnectionstringbuilder-hardcoded-secret-csharp
ESS-ENN Sep 12, 2024
090e6af
use-of-md5-digest-utils-java
ESS-ENN Sep 12, 2024
fc5f3a1
weak-ssl-context-java
ESS-ENN Sep 12, 2024
bf350e6
use-of-rc4-java
ESS-ENN Sep 12, 2024
85c6f95
system-setproperty-hardcoded-secret-java
ESS-ENN Sep 12, 2024
07abf42
rsa-no-padding-kotlin
ESS-ENN Sep 12, 2024
126ec00
des-is-deprecated-java
ESS-ENN Sep 12, 2024
b62d49a
des-is-deprecated-kotlin
ESS-ENN Sep 12, 2024
ae12535
Made changes as per suggestions of coderabbit ai bot
ESS-ENN Sep 13, 2024
1326f4c
use-of-md5-java
ESS-ENN Sep 13, 2024
d26328d
use-of-sha1-java
ESS-ENN Sep 13, 2024
57c1edb
system-setproperty-hardcoded-secret-kotlin
ESS-ENN Sep 13, 2024
b679216
use-of-aes-ecb-java
ESS-ENN Sep 13, 2024
6ff4438
use-of-blowfish-java
ESS-ENN Sep 13, 2024
66dff6f
Update of use-of-md5-java
ESS-ENN Sep 13, 2024
13 changes: 13 additions & 0 deletions rules/c/security/sizeof-this-c.yml
@@ -0,0 +1,13 @@
id: sizeof-this-c
language: c
severity: warning
message: >-
Do not use `sizeof(this)` to get the number of bytes of the object in
memory. It returns the size of the pointer, not the size of the object.
note: >-
[CWE-467]: Use of sizeof() on a Pointer Type
[REFERENCES]
- https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
rule:
any:
- pattern: "sizeof(this)"
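Review bot: `language: c` does not fit the pattern `sizeof(this)`: `this` is a C++ keyword, not a C one, so on C sources the rule can only hit a user variable that happens to be called `this`, while the C++ code the message describes ("the size of the pointer, not the size of the object") is never scanned. Either change the rule to `language: cpp` (and move it under rules/cpp/security/) or add a cpp twin, as this PR already does with libxml2-audit-parser-c / libxml2-audit-parser-cpp; the fixture `return sizeof(*this);` in tests/c/sizeof-this-c-test.yml is C++ too.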
15 changes: 15 additions & 0 deletions rules/html/security/plaintext-http-link-html.yml
@@ -0,0 +1,15 @@
id: plaintext-http-link-html
language: html
severity: info
message: >-
This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL
if possible.
note: >-
[CWE-319] Authentication Bypass by Primary Weakness
[REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html
rule:
pattern: <a $$$ href=$URL>$C</a>
constraints:
URL:
regex: ^['"`]?([Hh][Tt][Tt][Pp]://)
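Review bot: the CWE title in the note is wrong: `[CWE-319] Authentication Bypass by Primary Weakness` pairs the CWE-319 number with the title of CWE-305 (the one used in insecure-biometrics-swift). CWE-319 is "Cleartext Transmission of Sensitive Information", which is also what the referenced cwe.mitre.org page describes, so the title should be corrected to match the reference. Separately, `$C` in `<a $$$ href=$URL>$C</a>` binds exactly one child node, so an anchor whose content is text plus an inline element (two nodes) is not matched; `$$$C` accepts any number of children and still covers every fixture in the test file.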

Review of the new security rule for HTML: plaintext HTTP links.

  • ID and Language Specification (Lines 1-2): The ID plaintext-http-link-html and the language specification html are appropriately set for the rule's purpose.
  • Severity Level (Line 3): The severity is set to info. Considering the security implications of using HTTP over HTTPS, this might be too low. It is recommended to increase the severity to at least warning to reflect the potential security risks more accurately.
  • Message (Lines 4-6): The message is clear and instructs the user about the issue with plaintext HTTP links. However, the formatting of the message across multiple lines could be streamlined for better readability.
  • Note (Lines 7-10): The note includes a reference to CWE-319, which is relevant. The inclusion of external references is a good practice as it provides further reading and context.
  • Rule Definition (Lines 11-15): The pattern used to detect plaintext HTTP links is correctly defined using a regex. However, the regex `^['"`]?([Hh][Tt][Tt][Pp]://)` might be overly restrictive as it assumes the URL starts immediately at the beginning of the attribute value. Consider modifying it to accommodate potential leading spaces or other characters.

Consider the following improvements:

  1. Increase the severity level:
    severity: warning
  2. Refine the message formatting:
    message: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
  3. Adjust the regex pattern to be less restrictive:
    regex: ^['"`]?\\s*([Hh][Tt][Tt][Pp]://)
17 changes: 17 additions & 0 deletions rules/java/security/cbc-padding-oracle-java.yml
@@ -0,0 +1,17 @@
id: cbc-padding-oracle-java
severity: warning
language: java
message: >-
Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
malicious actor could discern the difference between plaintext with valid
or invalid padding. Further, CBC mode does not include any integrity
checks. Use 'AES/GCM/NoPadding' instead.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://capec.mitre.org/data/definitions/463.html
rule:
pattern: Cipher.getInstance($MODE)
constraints:
MODE:
regex: '.*/CBC/PKCS5Padding'
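Review bot: the constraint `regex: '.*/CBC/PKCS5Padding'` only catches the SunJCE spelling of the padding; Bouncy Castle registers the same scheme as `PKCS7Padding`, so `Cipher.getInstance("AES/CBC/PKCS7Padding")` is not reported. `regex: '/CBC/PKCS[57]Padding'` covers both (the constraint regex is an unanchored search, so the leading `.*` adds nothing). One caveat worth adding to the note: CBC wrapped in an HMAC (encrypt-then-MAC) is not a padding oracle, and the rule cannot see that, so the finding should say it assumes CBC without a MAC so whoever triages it knows what to verify.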

Review of the new security rule file cbc-padding-oracle-java.yml.

  1. Rule ID and Metadata:

    • The rule ID (cbc-padding-oracle-java) is appropriately named, reflecting its purpose.
    • Severity is set to warning, which seems suitable given the security implications of the issue.
    • The language is correctly specified as java.
  2. Rule Message:

    • The message clearly describes the vulnerability and suggests an alternative (AES/GCM/NoPadding), which is good practice.
  3. Rule Note:

    • The note includes a reference to CWE-327 and a link to further information, which is helpful for understanding the context and severity of the issue.
  4. Rule Definition:

    • The pattern Cipher.getInstance($MODE) is correctly targeting the Java method that could lead to vulnerabilities.
    • The constraint uses a regex to specifically identify the use of CBC with PKCS5Padding, which is the exact scenario that can lead to padding oracle attacks.
  5. Static Analysis Issues:

    • Indentation Issues: The indentation warnings from yamllint should be addressed to maintain consistency and readability.
    • Missing Newline: The error about the missing newline at the end of the file is a minor issue but should be fixed to comply with good YAML practices.

Suggested Fixes:

  • Correct the indentation to align with YAML best practices.
  • Add a newline at the end of the file.
- MODE: + MODE: - regex: '.*/CBC/PKCS5Padding' + regex: '.*/CBC/PKCS5Padding' + # Adding a newline at the end of the file +
Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
id: cbc-padding-oracle-java
severity: warning
language: java
message: >-
Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
malicious actor could discern the difference between plaintext with valid
or invalid padding. Further, CBC mode does not include any integrity
checks. Use 'AES/GCM/NoPadding' instead.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://capec.mitre.org/data/definitions/463.html
rule:
pattern: Cipher.getInstance($MODE)
constraints:
MODE:
regex: '.*/CBC/PKCS5Padding'
id: cbc-padding-oracle-java
severity: warning
language: java
message: >-
Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
malicious actor could discern the difference between plaintext with valid
or invalid padding. Further, CBC mode does not include any integrity
checks. Use 'AES/GCM/NoPadding' instead.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://capec.mitre.org/data/definitions/463.html
rule:
pattern: Cipher.getInstance($MODE)
constraints:
MODE:
regex: '.*/CBC/PKCS5Padding'
# Adding a newline at the end of the file
Tools
yamllint

[warning] 16-16: wrong indentation: expected 2 but found 6

(indentation)


[warning] 17-17: wrong indentation: expected 8 but found 10

(indentation)


[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

16 changes: 0 additions & 16 deletions rules/java/security/cbc-padding-oracle.yml

This file was deleted.

16 changes: 16 additions & 0 deletions rules/java/security/desede-is-deprecated-java.yml
@@ -0,0 +1,16 @@
id: desede-is-deprecated-java
language: java
severity: warning
message: >-
Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
note: >-
[CWE-326]: Inadequate Encryption Strength
[OWASP A03:2017]: Sensitive Data Exposure
[OWASP A02:2021]: Cryptographic Failures
[REFERENCES]
- https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
- https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
rule:
any:
- pattern: $CIPHER.getInstance("=~/DESede.*/")
- pattern: $CRYPTO.KeyGenerator.getInstance("DES")
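Review bot: the first pattern, `$CIPHER.getInstance("=~/DESede.*/")`, uses Semgrep's metavariable-regex syntax; in an ast-grep pattern a string literal is matched literally, so this only fires on code containing the text `"=~/DESede.*/"`. The snapshot in tests/__snapshots__/desede-is-deprecated-java-snapshot.yml shows it: the primary label starts at offset 47 (the `KeyGenerator.getInstance("DES")` line), not at 0 where `Cipher.getInstance("DESede/ECB/PKCS5Padding")` sits, so the invalid fixture passes only through the second, over-broad `"DES"` pattern. Use the form the other rules in this PR already use: `- pattern: $CIPHER.getInstance($MODE)` with `constraints: MODE: regex: DESede`, and tighten the second pattern to `getInstance("DESede")`.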
Comment on lines +14 to +16

Refine rule patterns to accurately target deprecated usage.

The first pattern is well-targeted and should effectively catch instances of DESede usage. However, the second pattern might inadvertently flag all DES usages, not just DESede. This could lead to false positives since DES and DESede are related but distinct.

Consider refining the second pattern to specifically include "DESede" to avoid broad matches that could affect the accuracy of the rule.

Suggested change for the second pattern:

- - pattern: $CRYPTO.KeyGenerator.getInstance("DES") + - pattern: $CRYPTO.KeyGenerator.getInstance("=~/DESede.*/")

This change ensures that the pattern only flags the deprecated DESede usage, aligning it with the intent of the rule.

Committable suggestion


Suggested change
any:
- pattern: $CIPHER.getInstance("=~/DESede.*/")
- pattern: $CRYPTO.KeyGenerator.getInstance("DES")
any:
- pattern: $CIPHER.getInstance("=~/DESede.*/")
- pattern: $CRYPTO.KeyGenerator.getInstance("=~/DESede.*/")
17 changes: 17 additions & 0 deletions rules/java/security/no-null-cipher-java.yml
@@ -0,0 +1,17 @@
id: no-null-cipher-java
severity: warning
language: java
message: >-
NullCipher was detected. This will not encrypt anything; the cipher
text will be the same as the plain text. Use a valid, secure cipher:
Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
for more information.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
rule:
any:
- pattern: new NullCipher($$$)
- pattern: new javax.crypto.NullCipher($$$)
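Review bot: the replacement the message recommends, `Cipher.getInstance("AES/CBC/PKCS7PADDING")`, is not a transformation the default SunJCE provider accepts (it spells the padding `PKCS5Padding`; `PKCS7Padding` is a Bouncy Castle name, so this line throws NoSuchPaddingException on a stock JDK), and the working spelling is exactly what cbc-padding-oracle-java in this same PR reports as a warning. Recommend `AES/GCM/NoPadding` instead: it keeps the two rules consistent and points the developer at an authenticated mode. The yamllint indentation and end-of-file findings on this file still apply.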

Comprehensive Review of the Security Rule Definition

The YAML file is well-structured and effectively defines a security rule for detecting the use of NullCipher in Java applications. The rule is clear and includes:

  • ID and Severity: Properly defined and appropriate for the rule.
  • Language Specification: Correctly identifies the rule as applicable to Java.
  • Message: Provides a clear explanation of the issue and a recommendation for a secure alternative, which is good for developer guidance.
  • Note: Effectively uses CWE referencing to categorize the cryptographic failure, enhancing the understanding of the rule's importance.
  • Rule Patterns: Covers both the simple and fully qualified use of NullCipher, which is comprehensive.

However, there are a couple of issues identified by static analysis that need addressing:

  1. Indentation Issue: The indentation for the patterns is incorrect.
  2. Missing Newline: There is no newline character at the end of the file.

To address these issues, apply the following changes:

- - pattern: new NullCipher($$$) + - pattern: new NullCipher($$$) - - pattern: new javax.crypto.NullCipher($$$) + - pattern: new javax.crypto.NullCipher($$$) + # Ensure there is a newline at the end of the file
Committable suggestion


Suggested change
id: no-null-cipher-java
severity: warning
language: java
message: >-
NullCipher was detected. This will not encrypt anything; the cipher
text will be the same as the plain text. Use a valid, secure cipher:
Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
for more information.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
rule:
any:
- pattern: new NullCipher($$$)
- pattern: new javax.crypto.NullCipher($$$)
id: no-null-cipher-java
severity: warning
language: java
message: >-
NullCipher was detected. This will not encrypt anything; the cipher
text will be the same as the plain text. Use a valid, secure cipher:
Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
for more information.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
rule:
any:
- pattern: new NullCipher($$$)
- pattern: new javax.crypto.NullCipher($$$)
# Ensure there is a newline at the end of the file
Tools
yamllint

[warning] 16-16: wrong indentation: expected 12 but found 10

(indentation)


[error] 17-17: no new line character at the end of file

(new-line-at-end-of-file)

14 changes: 14 additions & 0 deletions rules/java/security/rsa-no-padding-java.yml
@@ -0,0 +1,14 @@
id: rsa-no-padding-java
severity: warning
language: java
message: >-
Using RSA without OAEP mode weakens the encryption.
note: >-
[CWE-326] Inadequate Encryption Strength
[REFERENCES]
- https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
rule:
pattern: $YST.getInstance($MODE)
constraints:
MODE:
regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
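Review bot: `regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'` only matches the `NONE` mode string, so the most common raw-RSA transformation on SunJCE, `RSA/ECB/NoPadding`, is not reported, while the Scala twin in this PR (rsa-padding-set-scala) uses `'.*RSA/.*/NoPadding.*'` and tests exactly that string. Align the Java regex with the Scala one (`RSA/.*/NoPadding`, with a `(?i)` flag if the `[Nn]` spelling was meant to handle case, since JCE transformation names are case-insensitive) and add `Cipher.getInstance("RSA/ECB/NoPadding");` to the invalid fixtures. The message "Using RSA without OAEP mode weakens the encryption." is also broader than the regex: `RSA/ECB/PKCS1Padding` is without OAEP too and is not matched; either widen the regex or narrow the message to NoPadding.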

Add a newline at the end of the file.

To ensure compatibility with various tools and systems, add a newline character at the end of the file.

Tools
yamllint

[warning] 14-14: wrong indentation: expected 8 but found 10

(indentation)


[error] 14-14: no new line character at the end of file

(new-line-at-end-of-file)


Fix indentation issues.

The indentation for the constraints section does not comply with YAML standards. Correcting this will improve the readability and prevent potential parsing errors.

Apply this diff to fix the indentation:

- MODE: - regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding' + MODE: + regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
Committable suggestion


Suggested change
MODE:
regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
MODE:
regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
Tools
yamllint

[warning] 13-13: wrong indentation: expected 2 but found 6

(indentation)


[warning] 14-14: wrong indentation: expected 8 but found 10

(indentation)


[error] 14-14: no new line character at the end of file

(new-line-at-end-of-file)

16 changes: 16 additions & 0 deletions rules/kotlin/security/desede-is-deprecated-kotlin.yml
@@ -0,0 +1,16 @@
id: desede-is-deprecated-kotlin
language: kotlin
severity: warning
message: >-
Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
note: >-
[CWE-326]: Inadequate Encryption Strength
[OWASP A03:2017]: Sensitive Data Exposure
[OWASP A02:2021]: Cryptographic Failures
[REFERENCES]
- https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
- https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
rule:
any:
- pattern: $CIPHER.getInstance("=~/DESede.*/")
- pattern: $CRYPTO.KeyGenerator.getInstance("DES")
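Review bot: same defect as desede-is-deprecated-java: `"=~/DESede.*/"` is Semgrep syntax that ast-grep matches as a literal string, and the Kotlin snapshot's primary label likewise starts at offset 47 (the `KeyGenerator.getInstance("DES")` line) rather than 0, so the `Cipher.getInstance("DESede/ECB/PKCS5Padding")` line is not detected. Apply the same fix here (a `$MODE` metavariable with a `regex: DESede` constraint, and `"DESede"` in the KeyGenerator pattern) so the two rules stay in step.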
15 changes: 15 additions & 0 deletions rules/scala/security/rsa-padding-set-scala.yml
@@ -0,0 +1,15 @@
id: rsa-padding-set-scala
language: scala
severity: warning
message: >-
Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may.

Complete the warning message.

The message appears to be incomplete and ends abruptly. Consider completing it to clearly convey the risk associated with the use of RSA without OAEP.

note: >-
[CWE-780] Use of RSA Algorithm without OAEP
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
rule:
any:
- pattern: $CIPHER.getInstance($MODE)
constraints:
MODE:
regex: '.*RSA/.*/NoPadding.*'
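Review bot: the id and message do not say the same thing as the regex: `rsa-padding-set-scala` and "without OAEP" describe any non-OAEP padding, but `'.*RSA/.*/NoPadding.*'` only reports the NoPadding case (`RSA/ECB/PKCS1Padding` passes silently). Either rename the rule to match its Java twin (`rsa-no-padding-scala`) and complete the message around "no padding", or widen the regex to `RSA/.*/(NoPadding|PKCS1Padding)` if PKCS#1 v1.5 is meant to be in scope. The `.*` at both ends of the regex is redundant, since the constraint regex is an unanchored search.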

Add a newline at the end of the file.

To comply with UNIX and version control system standards, add a newline character at the end of the file.

Tools
yamllint

[warning] 15-15: wrong indentation: expected 8 but found 10

(indentation)


[error] 15-15: no new line character at the end of file

(new-line-at-end-of-file)


Correct indentation issues.

Adjust the indentation to align with YAML standards:

  • Line 14 should have 2 spaces of indentation.
  • Line 15 should have 8 spaces of indentation.

Apply this diff to correct the indentation:

- MODE: - regex: '.*RSA/.*/NoPadding.*' + MODE: + regex: '.*RSA/.*/NoPadding.*'
Committable suggestion


Suggested change
any:
- pattern: $CIPHER.getInstance($MODE)
constraints:
MODE:
regex: '.*RSA/.*/NoPadding.*'
any:
- pattern: $CIPHER.getInstance($MODE)
constraints:
MODE:
regex: '.*RSA/.*/NoPadding.*'
Tools
yamllint

[warning] 14-14: wrong indentation: expected 2 but found 6

(indentation)


[warning] 15-15: wrong indentation: expected 8 but found 10

(indentation)


[error] 15-15: no new line character at the end of file

(new-line-at-end-of-file)

25 changes: 25 additions & 0 deletions rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
@@ -0,0 +1,25 @@
id: xmlinputfactory-dtd-enabled-scala
language: scala
severity: warning
message: >-
XMLInputFactory being instantiated without calling the setProperty
functions that are generally used for disabling entity processing. User
controlled data in XML Document builder can result in XML Internal Entity
Processing vulnerabilities like the disclosure of confidential data,
denial of service, Server Side Request Forgery (SSRF), port scanning. Make
sure to disable entity processing functionality.
note: >-
[CWE-611] Improper Restriction of XML External Entity.
[REFERENCES]
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
rule:
any:
- pattern: XMLInputFactory.newFactory($$$)
- pattern: XMLInputFactory.newInstance($$$)
- pattern: new XMLInputFactory($$$)
precedes:
not:
pattern: $XMLFACTORY.setProperty($MODE, false)
constraints:
MODE:
regex: 'javax.xml.stream.isSupportingExternalEntities'
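Review bot: the `not` sits on the wrong side of `precedes`: `precedes: not: pattern: $XMLFACTORY.setProperty($MODE, false)` is satisfied by any following node that is not that call, so the rule fires even when the property has been disabled, and `$XMLFACTORY` is never tied to the variable the factory was assigned to. The intended shape negates the relation, e.g. `not: precedes: { pattern: $F.setProperty($MODE, false), stopBy: end }` (relational rules stop at the immediate sibling unless `stopBy: end` is set), and should be scoped with `inside` to the enclosing function or block so the search covers the statements after the `val`. Two smaller points: the id says "dtd-enabled" but the constraint only names `javax.xml.stream.isSupportingExternalEntities`; `javax.xml.stream.supportDTD` is the property that actually disables DTDs and belongs in the regex (`isSupportingExternalEntities|supportDTD`), and the message should read "XML External Entity", not "XML Internal Entity", to match CWE-611.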

Review of the entire YAML file for the new Scala security rule.

General Observations:

  • The rule is well-defined with clear identifiers, language specification, severity, and detailed messages.
  • The rule patterns are designed to catch instances of XMLInputFactory being used without proper security settings.

Specific Issues and Suggestions:

  1. Indentation Issues:

    • Lines 17, 21, 22, and 24 have incorrect indentation levels according to yamllint warnings. Proper YAML formatting is crucial for the correct parsing and functioning of automated tools that might use this file.
  2. Trailing Spaces and New Line Character:

    • Line 20 has trailing spaces, and line 25 lacks a new line at the end of the file. These formatting issues can lead to parsing errors or unwanted behaviors in some environments.

Proposed Fixes:

  • Adjust the indentation for the above lines to match the expected levels.
  • Remove trailing spaces on line 20.
  • Ensure a newline character at the end of the file.

Enhancements:

  • Consider adding more examples or a detailed description in the note section to provide better guidance on how to mitigate the issues once detected.
Tools
yamllint

[warning] 17-17: wrong indentation: expected 8 but found 7

(indentation)


[error] 20-20: trailing spaces

(trailing-spaces)


[warning] 21-21: wrong indentation: expected 4 but found 5

(indentation)


[warning] 22-22: wrong indentation: expected 9 but found 6

(indentation)


[warning] 24-24: wrong indentation: expected 4 but found 6

(indentation)


[error] 25-25: no new line character at the end of file

(new-line-at-end-of-file)

18 changes: 18 additions & 0 deletions rules/swift/security/insecure-biometrics-swift.yml
@@ -0,0 +1,18 @@
id: insecure-biometrics-swift
language: swift
severity: info
message: >-
The application was observed to leverage biometrics via Local
Authentication, which returns a simple boolean result for authentication.
This design is subject to bypass with runtime tampering tools such as
Frida, Substrate, and others. Although this is limited to rooted
(jailbroken) devices, consider implementing biometric authentication the
reliable way - via Keychain Services.
note: >-
[CWE-305] Authentication Bypass by Primary Weakness
[REFERENCES]
- https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication
- https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df
rule:
pattern: |
$X.evaluatePolicy
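Review bot: `$X.evaluatePolicy` matches the member expression, not a call, so it also fires on a bare reference to the method and binds nothing about the arguments. `$X.evaluatePolicy($$$)` anchors on the call while staying as broad as the message needs. Finer targeting on the arguments, as the CodeRabbit comment on this file proposes, is not something a pattern can express (`where $Y does not include secure settings` is not ast-grep syntax), so the realistic option is to keep this as an `info` pointer to Keychain-backed authentication, which the message already is, and accept that every evaluatePolicy call is reported.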

Detection Pattern

The pattern $X.evaluatePolicy is intended to match Swift code where the evaluatePolicy method is used. This is a key method in the Local Authentication context. However, the pattern is quite broad and might match more instances than those that are actually insecure.

Consider refining the pattern to more specifically target insecure usage scenarios, possibly by including additional context in the pattern to reduce false positives.

- pattern: | - $X.evaluatePolicy + pattern: | + $X.evaluatePolicy(..., $Y) where $Y does not include secure settings

Committable suggestion was skipped due to low confidence.

8 changes: 8 additions & 0 deletions tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
@@ -0,0 +1,8 @@
id: cbc-padding-oracle-java
snapshots:
Cipher.getInstance("AES/CBC/PKCS5Padding");:
labels:
- source: Cipher.getInstance("AES/CBC/PKCS5Padding")
style: primary
start: 0
end: 42
10 changes: 10 additions & 0 deletions tests/__snapshots__/desede-is-deprecated-java-snapshot.yml
@@ -0,0 +1,10 @@
id: desede-is-deprecated-java
snapshots:
? |
Cipher.getInstance("DESede/ECB/PKCS5Padding");
javax.crypto.KeyGenerator.getInstance("DES")
: labels:
- source: javax.crypto.KeyGenerator.getInstance("DES")
style: primary
start: 47
end: 91
10 changes: 10 additions & 0 deletions tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml
@@ -0,0 +1,10 @@
id: desede-is-deprecated-kotlin
snapshots:
? |
Cipher.getInstance("DESede/ECB/PKCS5Padding");
javax.crypto.KeyGenerator.getInstance("DES")
: labels:
- source: javax.crypto.KeyGenerator.getInstance("DES")
style: primary
start: 47
end: 91
9 changes: 9 additions & 0 deletions tests/__snapshots__/insecure-biometrics-swift-snapshot.yml
@@ -0,0 +1,9 @@
id: insecure-biometrics-swift
snapshots:
? |
context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application"
: labels:
- source: context.evaluatePolicy
style: primary
start: 0
end: 22
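Review bot: the fixture recorded in this snapshot is not valid Swift: `context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application"` is missing the closing parenthesis and the reply closure, so the match (start 0, end 22) was produced on an error-recovered parse tree. Complete the call in the Swift test file (for example by appending `) { success, error in }`) and regenerate the snapshot so it reflects what the rule does on well-formed code.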
10 changes: 10 additions & 0 deletions tests/__snapshots__/no-null-cipher-java-snapshot.yml
@@ -0,0 +1,10 @@
id: no-null-cipher-java
snapshots:
? |-
Cipher doNothingCihper = new NullCipher();
new javax.crypto.NullCipher();
: labels:
- source: new NullCipher()
style: primary
start: 25
end: 41
15 changes: 15 additions & 0 deletions tests/__snapshots__/plaintext-http-link-html-snapshot.yml
@@ -0,0 +1,15 @@
id: plaintext-http-link-html
snapshots:
? |
<a href="http://astgrep.dev">Astgrep</a>
<a href='http://astgrep.dev'>Astgrep</a>
<a href=http://astgrep.dev>Astgrep</a>
<a class="foo" href="http://astgrep.dev">Astgrep</a>
<a class='foo' href='http://astgrep.dev'>Astgrep</a>
<a class=foo href=http://astgrep.dev>Astgrep</a>
<a href="HTTP://ASTGREP.DEV">Astgrep</a>
: labels:
- source: <a href="http://astgrep.dev">Astgrep</a>
style: primary
start: 0
end: 40
10 changes: 10 additions & 0 deletions tests/__snapshots__/rsa-no-padding-java-snapshot.yml
@@ -0,0 +1,10 @@
id: rsa-no-padding-java
snapshots:
? |-
Cipher.getInstance("RSA/None/NoPadding");
Cipher.getInstance("RSA/NONE/NoPadding");
: labels:
- source: Cipher.getInstance("RSA/None/NoPadding")
style: primary
start: 0
end: 40
8 changes: 8 additions & 0 deletions tests/__snapshots__/rsa-padding-set-scala-snapshot.yml
@@ -0,0 +1,8 @@
id: rsa-padding-set-scala
snapshots:
Cipher.getInstance("RSA/ECB/NoPadding"):
labels:
- source: Cipher.getInstance("RSA/ECB/NoPadding")
style: primary
start: 0
end: 39
9 changes: 9 additions & 0 deletions tests/__snapshots__/sizeof-this-c-snapshot.yml
@@ -0,0 +1,9 @@
id: sizeof-this-c
snapshots:
? |
return sizeof(this);
: labels:
- source: sizeof(this)
style: primary
start: 7
end: 19
11 changes: 11 additions & 0 deletions tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml
@@ -0,0 +1,11 @@
id: xmlinputfactory-dtd-enabled-scala
snapshots:
? |-
val factory = XMLInputFactory.newFactory()
val fileReader = new FileReader(file)
val fileReader = new FileReader(file)
: labels:
- source: XMLInputFactory.newFactory()
style: primary
start: 14
end: 42
Comment on lines +11 to +19

Duplicate line detected.

There appears to be a duplicate line for creating a FileReader instance:

val fileReader = new FileReader(file)

This might be a copy-paste error. Please confirm if this duplication is intentional or if one instance should be removed.

7 changes: 7 additions & 0 deletions tests/c/sizeof-this-c-test.yml
@@ -0,0 +1,7 @@
id: sizeof-this-c
valid:
- |
return sizeof(*this);
invalid:
- |
return sizeof(this);
15 changes: 15 additions & 0 deletions tests/html/plaintext-http-link-html-test.yml
@@ -0,0 +1,15 @@
id: plaintext-http-link-html
valid:
- |
<a href="https://astgrep.dev">Astgrep</a>
<a href="https://astgrep.dev/http://">Astgrep</a>
<a href="javascript:alert(1)">Astgrep</a>
invalid:
- |
<a href="http://astgrep.dev">Astgrep</a>
<a href='http://astgrep.dev'>Astgrep</a>
<a href=http://astgrep.dev>Astgrep</a>
<a class="foo" href="http://astgrep.dev">Astgrep</a>
<a class='foo' href='http://astgrep.dev'>Astgrep</a>
<a class=foo href=http://astgrep.dev>Astgrep</a>
<a href="HTTP://ASTGREP.DEV">Astgrep</a>
7 changes: 7 additions & 0 deletions tests/java/cbc-padding-oracle-java-test.yml
@@ -0,0 +1,7 @@
id: cbc-padding-oracle-java
valid:
- |
Cipher.getInstance("AES/GCM/NoPadding");
invalid:
- |
Cipher.getInstance("AES/CBC/PKCS5Padding");
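Review bot: add an invalid fixture for the Bouncy Castle spelling of the padding, `Cipher.getInstance("AES/CBC/PKCS7Padding");`, which the current `.*/CBC/PKCS5Padding` constraint does not match; with it in place the test fails until the regex is widened to `PKCS[57]Padding`, which is the behaviour the rule's message promises.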

Add a newline at the end of the file.

The static analysis tool yamllint has flagged the absence of a newline character at the end of this file. It's a good practice to end files with a newline to comply with POSIX standards and to avoid issues in tools that process text files.

+ 
Committable suggestion


Suggested change
Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher.getInstance("AES/CBC/PKCS5Padding");
Tools
yamllint

[error] 7-7: no new line character at the end of file

(new-line-at-end-of-file)

11 changes: 0 additions & 11 deletions tests/java/cbc-padding-oracle-test.yml

This file was deleted.

8 changes: 8 additions & 0 deletions tests/java/desede-is-deprecated-java-test.yml
@@ -0,0 +1,8 @@
id: desede-is-deprecated-java
valid:
- |
Cipher.getInstance("AES/GCM/NoPadding");
invalid:
- |
Cipher.getInstance("DESede/ECB/PKCS5Padding");
javax.crypto.KeyGenerator.getInstance("DES")
8 changes: 8 additions & 0 deletions tests/java/no-null-cipher-java-test.yml
@@ -0,0 +1,8 @@
id: no-null-cipher-java
valid:
- |
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
invalid:
- |
Cipher doNothingCihper = new NullCipher();
new javax.crypto.NullCipher();
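Review bot: the valid fixture `Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");` is the exact string cbc-padding-oracle-java (added in this PR) reports, so the test suite documents one rule's "good" code as another rule's finding; use `AES/GCM/NoPadding` here, as the cbc and desede tests already do. Also `doNothingCihper` is misspelled (`doNothingCipher`); it does not affect the matcher, but the typo is copied into the snapshot key as well.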

Test Cases Correctly Demonstrated

The test cases are well-formed:

  • The valid test case correctly uses a secure cipher configuration.
  • The invalid test cases effectively demonstrate the security issue this rule aims to detect.

Static Analysis Hint: Missing New Line at End of File

To comply with YAML standards and static analysis tools, add a newline at the end of the file. This can be fixed by ensuring your text editor is configured to automatically add new lines at the end of files or by manually adding a newline.

+ 
Committable suggestion


Suggested change
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
invalid:
- |
Cipher doNothingCihper = new NullCipher();
new javax.crypto.NullCipher();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
invalid:
- |
Cipher doNothingCihper = new NullCipher();
new javax.crypto.NullCipher();
Tools
yamllint

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

8 changes: 8 additions & 0 deletions tests/java/rsa-no-padding-java-test.yml
@@ -0,0 +1,8 @@
id: rsa-no-padding-java
valid:
- |
Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
invalid:
- |
Cipher.getInstance("RSA/None/NoPadding");
Cipher.getInstance("RSA/NONE/NoPadding");
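Review bot: the valid fixture `Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");` is a poor example of the safe pattern: it satisfies the rule, but OAEP over MD5 is not what the message's "use OAEP" advice should steer developers toward. `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` is a transformation SunJCE accepts and a better "valid" anchor. Adding `Cipher.getInstance("RSA/ECB/NoPadding");` to the invalid list would also expose that the current `RSA/[Nn][Oo][Nn][Ee]/NoPadding` regex misses the ECB spelling.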

Add a newline at the end of the file.

The static analysis tool flagged the absence of a newline at the end of the file, which is a common practice to ensure proper reading by tools that process text files.

Please add a newline at the end of the file to resolve this issue.

+ 
Committable suggestion


Suggested change
Cipher.getInstance("RSA/NONE/NoPadding");
Cipher.getInstance("RSA/NONE/NoPadding");
Tools
yamllint

[error] 8-8: no new line character at the end of file

(new-line-at-end-of-file)

8 changes: 8 additions & 0 deletions tests/kotlin/desede-is-deprecated-kotlin-test.yml
@@ -0,0 +1,8 @@
id: desede-is-deprecated-kotlin
valid:
- |
Cipher.getInstance("AES/GCM/NoPadding");
invalid:
- |
Cipher.getInstance("DESede/ECB/PKCS5Padding");
javax.crypto.KeyGenerator.getInstance("DES")