From 8a63b9fcdd1fd5308f1117705cb39a410ee94b94 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 11:35:14 +0300
Subject: [PATCH 01/67] Add code scanner workflow
---
 .github/scanner.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .github/scanner.yml
diff --git a/.github/scanner.yml b/.github/scanner.yml
new file mode 100644
index 00000000..ba43b142
--- /dev/null
+++ b/.github/scanner.yml
@@ -0,0 +1,10 @@
+name: Code Scanner
+
+on:
+ push:
+ branches: ["*"]
+
+jobs:
+ trigger-semgrep:
+ name: Scan
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
From c184e5c4e8ed4c24dea5bb7c02f1babc4446c875 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 11:36:23 +0300
Subject: [PATCH 02/67] Add workflows directory
---
 .github/{ => workflows}/scanner.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{ => workflows}/scanner.yml (100%)
diff --git a/.github/scanner.yml b/.github/workflows/scanner.yml
similarity index 100%
rename from .github/scanner.yml
rename to .github/workflows/scanner.yml
From 7f1e7c5e1337d5ad4c2b6f40125d9a203c54ffde Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 11:46:07 +0300
Subject: [PATCH 03/67] Try to import files
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index ba43b142..010fc08d 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,4 +7,4 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@adjust_rulesets
From b79bdea22714929ad35bddfbd2c05c822bda86f8 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 12:17:12 +0300
Subject: [PATCH 04/67] Try to import files
---
 .github/workflows/scanner.yml | 2 ++
 1 file changed, 2 insertions(+)
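Review bot: `uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main` pins the reusable workflow to a mutable branch, so every push to this repository runs whatever that branch holds at that moment, with this job's token; pin it to a full-length commit SHA and keep the branch name in a trailing comment, e.g. `uses: Zooz/code-scanner/.github/workflows/semgrep.yml@<commit-sha>  # main`. `branches: ["*"]` also does not cover every branch: in GitHub's filter syntax `*` does not match `/`, so a branch such as `feature/x` never triggers the scan; use `'**'` if all branches are intended (patch 07, which rewrites the same filter in block style as `- '*'`, keeps this behaviour). No `permissions:` block is declared, so the job runs with the repository's default token scope; declare the minimum at the top level, e.g. `permissions: { contents: read }`, adding `security-events: write` only if the called workflow uploads SARIF to code scanning, which is not visible from here.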
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 010fc08d..28f56f85 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -8,3 +8,5 @@ jobs:
 trigger-semgrep:
 name: Scan
 uses: Zooz/code-scanner/.github/workflows/semgrep.yml@adjust_rulesets
+ with:
+ codeScannerRef: adjust_rulesets
From 4a5836cc0a93dd8094c92eaec1e1053106913e4e Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 19:50:26 +0300
Subject: [PATCH 05/67] Test without ref
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 28f56f85..2e29a9d9 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml@adjust_rulesets
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml
 with:
 codeScannerRef: adjust_rulesets
From 0b391e114718b26afe4fa3ef16b03bca5f182e0d Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 19:50:47 +0300
Subject: [PATCH 06/67] Test without ref
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 2e29a9d9..ee8d8cd9 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
 with:
 codeScannerRef: adjust_rulesets
From e776580795fa6198783f8cc257189ea9e3b291ba Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 19:55:51 +0300
Subject: [PATCH 07/67] Adjust action trigger
---
 .github/workflows/scanner.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
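Review bot: The added `codeScannerRef: adjust_rulesets` input repeats the ref already given on the `uses:` line two lines above, and nothing ties the two together; presumably it tells the reusable workflow which revision of Zooz/code-scanner to take its rules from, so once they diverge the workflow definition and the rules it applies come from different revisions (patches 05 and 06 on this page already combine no ref, then `@main`, with `codeScannerRef: adjust_rulesets`). Add a comment on the input, `# must match the ref on the uses: line above`, or drop the input if the called workflow can derive the revision itself, which is not visible from here. The `jobs:` mapping that holds `trigger-semgrep` begins outside the hunk.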
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index ee8d8cd9..7dbed7a8 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -2,8 +2,8 @@ name: Code Scanner
 on:
 push:
- branches: ["*"]
-
+ branches:
+ - '*'
 jobs:
 trigger-semgrep:
 name: Scan
From 5fff4d77a3495a641de28d8ad28a53d3bf568f60 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 19:56:27 +0300
Subject: [PATCH 08/67] Adjust action trigger
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 7dbed7a8..23a03dc3 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@adjust_rulesets
 with:
 codeScannerRef: adjust_rulesets
From d861a83708d3b87d45197d7bdee4c6583146fd35 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 19:58:08 +0300
Subject: [PATCH 09/67] Adjust action trigger
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 23a03dc3..7dbed7a8 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml@adjust_rulesets
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
 with:
 codeScannerRef: adjust_rulesets
From a93f5aee6d5716e068e6381a9895fcfc37a3e6e8 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 20:01:30 +0300
Subject: [PATCH 10/67] Use main branch
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 7dbed7a8..90c23d37 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -9,4 +9,4 @@ jobs:
 name: Scan
 uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
 with:
- codeScannerRef: adjust_rulesets
+ codeScannerRef: main
From 211f1c2ae0c835cfb5b4383d88b59161d6f097de Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 20:03:43 +0300
Subject: [PATCH 11/67] Test triggering action
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 90c23d37..28000ba1 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -9,4 +9,4 @@ jobs:
 name: Scan
 uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
 with:
- codeScannerRef: main
+ codeScannerRef: main
\ No newline at end of file
From 3c4d547fca29f5a145ada89665b712aa287b6826 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 20:10:20 +0300
Subject: [PATCH 12/67] Test triggering action
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 28000ba1..3672bb25 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -9,4 +9,4 @@ jobs:
 name: Scan
 uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
 with:
- codeScannerRef: main
\ No newline at end of file
+ codeScannerRef: catch_and_alert
\ No newline at end of file
From d1d2ac23560cee2bec532994dcfe5846c09c7e89 Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Mon, 18 Jul 2022 20:11:45 +0300
Subject: [PATCH 13/67] Test triggering action
---
 .github/workflows/scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 3672bb25..6cdc55fe 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@catch_and_alert
 with:
 codeScannerRef: catch_and_alert
\ No newline at end of file
From 790ce2057c6efa484ac4653a0d73cc8335ca70fa Mon Sep 17 00:00:00 2001
From: Boris Bakshiyev
Date: Tue, 19 Jul 2022 11:51:11 +0300
Subject: [PATCH 14/67] default branch should be main
---
 .github/workflows/scanner.yml | 2 +-
 test.json | 2383 +++++++++++++++++++++++++++++++++
 2 files changed, 2384 insertions(+), 1 deletion(-)
 create mode 100644 test.json
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
index 6cdc55fe..3672bb25 100644
--- a/.github/workflows/scanner.yml
+++ b/.github/workflows/scanner.yml
@@ -7,6 +7,6 @@ on:
 jobs:
 trigger-semgrep:
 name: Scan
- uses: Zooz/code-scanner/.github/workflows/semgrep.yml@catch_and_alert
+ uses: Zooz/code-scanner/.github/workflows/semgrep.yml@main
 with:
 codeScannerRef: catch_and_alert
\ No newline at end of file
diff --git a/test.json b/test.json
new file mode 100644
index 00000000..b5d0fbb0
--- /dev/null
+++ b/test.json
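Review bot: The subject says the default branch should be main, but only the `uses:` ref moves back to `@main`; `codeScannerRef: catch_and_alert` two lines below stays on the feature branch, so the workflow definition and the revision it is handed as input disagree — change it to `codeScannerRef: main` if both are meant to track the default branch. The file also still ends with `\ No newline at end of file`, which patch 11 introduced and every later hunk has carried. The same commit adds `test.json`, 2383 lines that look like captured scanner output (a SARIF document whose results name paths and line numbers in this repository's own code); scan results belong in a workflow artifact rather than in source, and if the file is meant as a fixture it should live under a test directory with a name that says so.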
@@ -0,0 +1,2383 @@ +{ + "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json", + "runs": [ + { + "invocations": [ + { + "executionSuccessful": true, + "toolExecutionNotifications": [] + } + ], + "results": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/models/runner.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 78, + "endLine": 143, + "snippet": { + "text": " const metricsAdapter = require(`../adapters/${metricsPluginName}Adapter`);" + }, + "startColumn": 28, + "startLine": 143 + } + } + } + ], + "message": { + "text": "Detected the use of require(variable). Calling require with a non-literal argument might\nallow an attacker to load an run arbitrary code, or access arbitrary files.\n" + }, + "ruleId": "semgrep_rules.eslint.detect-non-literal-require" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/app.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 63, + "endLine": 20, + "snippet": { + "text": " containerId = marathonAppId[marathonAppId.length - 1];" + }, + "startColumn": 9, + "startLine": 20 + } + } + } + ], + "message": { + "text": "Detected user input used in bracket notation accessor. This could lead to object injection through marathonAppId.length - 1, which could grant access to every property available in the object and therefore sensitive information. Instead, avoid the use of user input in property name fields or create a whitelist of allowed input." 
+ }, + "ruleId": "semgrep_rules.detect-bracket-object-injection" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/models/runner.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 78, + "endLine": 143, + "snippet": { + "text": " const metricsAdapter = require(`../adapters/${metricsPluginName}Adapter`);" + }, + "startColumn": 28, + "startLine": 143 + } + } + } + ], + "message": { + "text": "Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load an run arbitrary code, or access arbitrary files." + }, + "ruleId": "semgrep_rules.detect-non-literal-require" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".circleci/config.yml", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 1, + "endLine": 11, + "snippet": { + "text": " - run: npm install\n - save_cache:" + }, + "startColumn": 14, + "startLine": 10 + } + } + } + ], + "message": { + "text": "To ensure reproducable and deterministic builds, use `npm ci` rather than `npm install` in scripts. This will use the lockfile rather than updating it." + }, + "ruleId": "semgrep_rules.use-frozen-lockfile-npm" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "Dockerfile", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 1, + "endLine": 16, + "snippet": { + "text": "# # npm install\n npm install --production" + }, + "startColumn": 8, + "startLine": 15 + } + } + } + ], + "message": { + "text": "To ensure reproducable and deterministic builds, use `npm ci` rather than `npm install` in scripts. This will use the lockfile rather than updating it." 
+ }, + "ruleId": "semgrep_rules.use-frozen-lockfile-npm" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "Dockerfile", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 17, + "endLine": 16, + "snippet": { + "text": " npm install --production" + }, + "startColumn": 5, + "startLine": 16 + } + } + } + ], + "message": { + "text": "To ensure reproducable and deterministic builds, use `npm ci` rather than `npm install` in scripts. This will use the lockfile rather than updating it." + }, + "ruleId": "semgrep_rules.use-frozen-lockfile-npm" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "semgrep_rules/semgrepRulles.yml", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 40, + "endLine": 7535, + "snippet": { + "text": " - pattern-not-regex: npm install [\\w]+" + }, + "startColumn": 28, + "startLine": 7535 + } + } + } + ], + "message": { + "text": "To ensure reproducable and deterministic builds, use `npm ci` rather than `npm install` in scripts. This will use the lockfile rather than updating it." + }, + "ruleId": "semgrep_rules.use-frozen-lockfile-npm" + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "semgrep_rules/test_rules.yml", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 40, + "endLine": 5, + "snippet": { + "text": " - pattern-not-regex: npm install [\\w]+" + }, + "startColumn": 28, + "startLine": 5 + } + } + } + ], + "message": { + "text": "To ensure reproducable and deterministic builds, use `npm ci` rather than `npm install` in scripts. This will use the lockfile rather than updating it." + }, + "ruleId": "semgrep_rules.use-frozen-lockfile-npm" + } + ], + "tool": { + "driver": { + "name": "semgrep", + "rules": [ + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The RC4 stream-cipher has been cryptographically broken and is unsuitable\nfor use in production. 
It is recommended that ChaCha20 or Advanced Encryption\nStandard (AES) be used instead.\n" + }, + "id": "semgrep_rules.gosec.G503-1", + "name": "semgrep_rules.gosec.G503-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "OWASP-A9: Using Components with Known Vulnerabilities" + ] + }, + "shortDescription": { + "text": "The RC4 stream-cipher has been cryptographically broken and is unsuitable\nfor use in production. It is recommended that ChaCha20 or Advanced Encryption\nStandard (AES) be used instead.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Poor file permissions used when creating a directory\n" + }, + "id": "semgrep_rules.gosec.G301-1", + "name": "semgrep_rules.gosec.G301-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-732: Incorrect Permission Assignment for Critical Resource", + "OWASP-A6: Security Misconfiguration" + ] + }, + "shortDescription": { + "text": "Poor file permissions used when creating a directory\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)\n" + }, + "id": "semgrep_rules.gosec.G504-1", + "name": "semgrep_rules.gosec.G504-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "OWASP-A9: Using Components with Known Vulnerabilities" + ] + }, + "shortDescription": { + "text": "Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)\n" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. 
Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." + }, + "id": "semgrep_rules.jwt-none-alg", + "name": "semgrep_rules.jwt-none-alg", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "OWASP-A2: Broken Authentication" + ] + }, + "shortDescription": { + "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Missing 'noopener' on an anchor tag where target='_blank'. This could introduce\na reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.\n" + }, + "id": "semgrep_rules.eslint.react-missing-noopener", + "name": "semgrep_rules.eslint.react-missing-noopener", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "OWASP-A3: Sensitive Data Exposure" + ] + }, + "shortDescription": { + "text": "Missing 'noopener' on an anchor tag where target='_blank'. This could introduce\na reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'." 
+ }, + "id": "semgrep_rules.react-missing-noopener", + "name": "semgrep_rules.react-missing-noopener", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "OWASP-A3: Sensitive Data Exposure" + ] + }, + "shortDescription": { + "text": "Missing 'noopener' on an anchor tag where target='_blank'. This could introduce a reverse tabnabbing vulnerability. Include 'noopener' when using target='_blank'." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers." + }, + "id": "semgrep_rules.detect-pseudoRandomBytes", + "name": "semgrep_rules.detect-pseudoRandomBytes", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", + "OWASP-A9: Using Components with Known Vulnerabilities" + ] + }, + "shortDescription": { + "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "SQL query construction using string concatenation\n" + }, + "id": "semgrep_rules.gosec.G202-1", + "name": "semgrep_rules.gosec.G202-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command" + ] + }, + "shortDescription": { + "text": "SQL query construction using string concatenation\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected the use of require(variable). 
Calling require with a non-literal argument might\nallow an attacker to load an run arbitrary code, or access arbitrary files.\n" + }, + "id": "semgrep_rules.eslint.detect-non-literal-require", + "name": "semgrep_rules.eslint.detect-non-literal-require", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + "OWASP-A1: Injection" + ] + }, + "shortDescription": { + "text": "Detected the use of require(variable). Calling require with a non-literal argument might\nallow an attacker to load an run arbitrary code, or access arbitrary files.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object." + }, + "id": "semgrep_rules.prototype-pollution-loop", + "name": "semgrep_rules.prototype-pollution-loop", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes" + ] + }, + "shortDescription": { + "text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. 
This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/" + }, + "id": "semgrep_rules.eslint.detect-possible-timing-attacks", + "name": "semgrep_rules.eslint.detect-possible-timing-attacks", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-208: Observable Timing Discrepancy" + ] + }, + "shortDescription": { + "text": "String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." + }, + "id": "semgrep_rules.jwt-none-alg-1", + "name": "semgrep_rules.jwt-none-alg-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "OWASP-A2: Broken Authentication" + ] + }, + "shortDescription": { + "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. 
This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality." + }, + "id": "semgrep_rules.hostipc-pod", + "name": "semgrep_rules.hostipc-pod", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "CORS rule on bucket permits any origin" + }, + "id": "semgrep_rules.all-origins-allowed", + "name": "semgrep_rules.all-origins-allowed", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-942: Permissive Cross-domain Policy with Untrusted Domains" + ] + }, + "shortDescription": { + "text": "CORS rule on bucket permits any origin" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality." + }, + "id": "semgrep_rules.hostnetwork-pod", + "name": "semgrep_rules.hostnetwork-pod", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Pod may use the node network namespace. 
This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Implicit memory aliasing in for loop.\n" + }, + "id": "semgrep_rules.gosec.G601-1", + "name": "semgrep_rules.gosec.G601-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-118: Incorrect Access of Indexable Resource ('Range Error')" + ] + }, + "shortDescription": { + "text": "Implicit memory aliasing in for loop.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead." + }, + "id": "semgrep_rules.spawn-shell-true", + "name": "semgrep_rules.spawn-shell-true", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + "OWASP-A1: Injection" + ] + }, + "shortDescription": { + "text": "Found '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead." + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." 
+ }, + "id": "semgrep_rules.jwt-exposed-credentials-1", + "name": "semgrep_rules.jwt-exposed-credentials-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-522: Insufficiently Protected Credentials", + "OWASP-A2: Broken Authentication" + ] + }, + "shortDescription": { + "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Container allows for privilege escalation via setuid or setgid binaries. Add 'allowPrivilegeEscalation: false' in 'securityContext' to prevent this." + }, + "id": "semgrep_rules.allow-privilege-escalation", + "name": "semgrep_rules.allow-privilege-escalation", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Container allows for privilege escalation via setuid or setgid binaries. Add 'allowPrivilegeEscalation: false' in 'securityContext' to prevent this." 
+ } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Audit use of command execution\n" + }, + "id": "semgrep_rules.gosec.G204-1", + "name": "semgrep_rules.gosec.G204-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + "OWASP-A1: Injection" + ] + }, + "shortDescription": { + "text": "Audit use of command execution\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Poor file permissions used when creation file or using chmod\n" + }, + "id": "semgrep_rules.gosec.G302-1", + "name": "semgrep_rules.gosec.G302-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-732: Incorrect Permission Assignment for Critical Resource", + "OWASP-A6: Security Misconfiguration" + ] + }, + "shortDescription": { + "text": "Poor file permissions used when creation file or using chmod\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n" + }, + "id": "semgrep_rules.eslint.detect-pseudoRandomBytes", + "name": "semgrep_rules.eslint.detect-pseudoRandomBytes", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)" + ] + }, + "shortDescription": { + "text": "Detected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Container is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. 
Add 'readOnlyRootFilesystem: true' to this container to prevent this." + }, + "id": "semgrep_rules.writable-filesystem-container", + "name": "semgrep_rules.writable-filesystem-container", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Container is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Encryption at rest is not enabled for the elastic search domain resource" + }, + "id": "semgrep_rules.elastic-search-encryption-at-rest", + "name": "semgrep_rules.elastic-search-encryption-at-rest", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-311: Missing Encryption of Sensitive Data" + ] + }, + "shortDescription": { + "text": "Encryption at rest is not enabled for the elastic search domain resource" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The SHA-1 message-digest algorithm has been cryptographically broken and\nis unsuitable for further use. It is recommended that the SHA-3, or BLAKE2 family\nof algorithms be used for non*** cryptographic hashes instead. For\npassword based cryptographic hashes, consider using the bcrypt or Argon2 family\nof cryptographic hashes.\n" + }, + "id": "semgrep_rules.gosec.G505-1", + "name": "semgrep_rules.gosec.G505-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "OWASP-A9: Using Components with Known Vulnerabilities" + ] + }, + "shortDescription": { + "text": "The SHA-1 message-digest algorithm has been cryptographically broken and\nis unsuitable for further use. 
It is recommended that the SHA-3, or BLAKE2 family\nof algorithms be used for non*** cryptographic hashes instead. For\npassword based cryptographic hashes, consider using the bcrypt or Argon2 family\nof cryptographic hashes.\n" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" + }, + "id": "semgrep_rules.hardcoded-jwt-secret-1", + "name": "semgrep_rules.hardcoded-jwt-secret-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-522: Insufficiently Protected Credentials", + "OWASP-A2: Broken Authentication" + ] + }, + "shortDescription": { + "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability." + }, + "id": "semgrep_rules.privileged-container", + "name": "semgrep_rules.privileged-container", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. 
This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability." + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" + }, + "id": "semgrep_rules.hardcoded-jwt-secret", + "name": "semgrep_rules.hardcoded-jwt-secret", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-522: Insufficiently Protected Credentials", + "OWASP-A2: Broken Authentication" + ] + }, + "shortDescription": { + "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "This anchor tag with 'target=\"_blank\"' is missing 'noreferrer'. A page opened with 'target=\"_blank\"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noreferrer' on this tag." + }, + "id": "semgrep_rules.react-missing-noreferrer", + "name": "semgrep_rules.react-missing-noreferrer", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "OWASP-A3: Sensitive Data Exposure" + ] + }, + "shortDescription": { + "text": "This anchor tag with 'target=\"_blank\"' is missing 'noreferrer'. 
A page opened with 'target=\"_blank\"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noreferrer' on this tag." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Potential DoS vulnerability via decompression bomb\n" + }, + "id": "semgrep_rules.gosec.G110-1", + "name": "semgrep_rules.gosec.G110-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-409: Improper Handling of Highly Compressed Data" + ] + }, + "shortDescription": { + "text": "Potential DoS vulnerability via decompression bomb\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Possibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object." + }, + "id": "semgrep_rules.prototype-pollution-assignment", + "name": "semgrep_rules.prototype-pollution-assignment", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes" + ] + }, + "shortDescription": { + "text": "Possibility of prototype polluting assignment detected. 
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object." + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Hardcoded secret used for Passport Strategy. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" + }, + "id": "semgrep_rules.hardcoded-passport-secret", + "name": "semgrep_rules.hardcoded-passport-secret", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-522: Insufficiently Protected Credentials", + "OWASP-A2: Broken Authentication" + ] + }, + "shortDescription": { + "text": "Hardcoded secret used for Passport Strategy. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables: process.env.SECRET)" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality." 
+ }, + "id": "semgrep_rules.hostpid-pod", + "name": "semgrep_rules.hostpid-pod", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system." + }, + "id": "semgrep_rules.detect-non-literal-fs-filename", + "name": "semgrep_rules.detect-non-literal-fs-filename", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ] + }, + "shortDescription": { + "text": "A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Audit the use of ssh.InsecureIgnoreHostKey\n" + }, + "id": "semgrep_rules.gosec.G106-1", + "name": "semgrep_rules.gosec.G106-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-322: Key Exchange without Entity Authentication" + ] + }, + "shortDescription": { + "text": "Audit the use of ssh.InsecureIgnoreHostKey\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response." 
+ }, + "id": "semgrep_rules.no-iam-creds-exposure", + "name": "semgrep_rules.no-iam-creds-exposure", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ] + }, + "shortDescription": { + "text": "Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie." + }, + "id": "semgrep_rules.react-jwt-in-localstorage", + "name": "semgrep_rules.react-jwt-in-localstorage", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "User controlled data in a insertAdjacentHTML, document.write or document.writeln is an anti-pattern that can lead to XSS vulnerabilities" + }, + "id": "semgrep_rules.react-unsanitized-method", + "name": "semgrep_rules.react-unsanitized-method", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "OWASP-A7: Cross-Site Scripting (XSS)" + ] + }, + "shortDescription": { + "text": "User controlled data in a insertAdjacentHTML, document.write or document.writeln is an anti-pattern that can lead to XSS vulnerabilities" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Container allows for running applications as root. 
This can result in privilege escalation attacks. Add 'runAsNonRoot: true' in 'securityContext' to prevent this." + }, + "id": "semgrep_rules.run-as-non-root", + "name": "semgrep_rules.run-as-non-root", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "Container allows for running applications as root. This can result in privilege escalation attacks. Add 'runAsNonRoot: true' in 'securityContext' to prevent this." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "File open from tainted variable\n" + }, + "id": "semgrep_rules.gosec.G304-1", + "name": "semgrep_rules.gosec.G304-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ] + }, + "shortDescription": { + "text": "File open from tainted variable\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "User controlled data in can lead to unpredicted redirects." + }, + "id": "semgrep_rules.react-router-redirect", + "name": "semgrep_rules.react-router-redirect", + "properties": { + "precision": "very-high", + "tags": [] + }, + "shortDescription": { + "text": "User controlled data in can lead to unpredicted redirects." 
+ } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code.\n" + }, + "id": "semgrep_rules.eslint.detect-eval-with-expression", + "name": "semgrep_rules.eslint.detect-eval-with-expression", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + "OWASP-A1: Injection" + ] + }, + "shortDescription": { + "text": "Detected eval(variable), which could allow a malicious actor to run arbitrary code.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "S3 bucket with public read access detected." + }, + "id": "semgrep_rules.s3-public-read-bucket", + "name": "semgrep_rules.s3-public-read-bucket", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ] + }, + "shortDescription": { + "text": "S3 bucket with public read access detected." + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "S3 bucket with public read-write access detected." + }, + "id": "semgrep_rules.s3-public-rw-bucket", + "name": "semgrep_rules.s3-public-rw-bucket", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ] + }, + "shortDescription": { + "text": "S3 bucket with public read-write access detected." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload." 
+ }, + "id": "semgrep_rules.jose-exposed-data", + "name": "semgrep_rules.jose-exposed-data", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-522: Insufficiently Protected Credentials", + "OWASP-A3: Sensitive Data Exposure" + ] + }, + "shortDescription": { + "text": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." + }, + "id": "semgrep_rules.detect-buffer-noassert", + "name": "semgrep_rules.detect-buffer-noassert", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" + ] + }, + "shortDescription": { + "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." + }, + "id": "semgrep_rules.dangerous-spawn-shell", + "name": "semgrep_rules.dangerous-spawn-shell", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + "OWASP-A1: Injection" + ] + }, + "shortDescription": { + "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The object is passed strictly to jsonwebtoken.sign(...) 
Make sure that sensitive information is not exposed through JWT token payload." + }, + "id": "semgrep_rules.jwt-exposed-data", + "name": "semgrep_rules.jwt-exposed-data", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-522: Insufficiently Protected Credentials", + "OWASP-A3: Sensitive Data Exposure" + ] + }, + "shortDescription": { + "text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the\nend of the buffer. This could result in writing or reading beyond the end of the buffer.\n" + }, + "id": "semgrep_rules.eslint.detect-buffer-noassert", + "name": "semgrep_rules.eslint.detect-buffer-noassert", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" + ] + }, + "shortDescription": { + "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the\nend of the buffer. This could result in writing or reading beyond the end of the buffer.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources." + }, + "id": "semgrep_rules.no-iam-resource-exposure", + "name": "semgrep_rules.no-iam-resource-exposure", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" + ] + }, + "shortDescription": { + "text": "Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. 
For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources." + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Binding to all network interfaces can potentially open up a service to\ntraffic on unintended interfaces, that may not be properly documented or\nsecured. This plugin test looks for a string pattern \u201c0.0.0.0\u201d that may\nindicate a hardcoded binding to all network interfaces.\n" + }, + "id": "semgrep_rules.gosec.G102-1", + "name": "semgrep_rules.gosec.G102-1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", + "OWASP-A6: Security Misconfiguration" + ] + }, + "shortDescription": { + "text": "Binding to all network interfaces can potentially open up a service to\ntraffic on unintended interfaces, that may not be properly documented or\nsecured. This plugin test looks for a string pattern \u201c0.0.0.0\u201d that may\nindicate a hardcoded binding to all network interfaces.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "User controlled data in a styled component's css is an anti-pattern that can lead to XSS vulnerabilities" + }, + "id": "semgrep_rules.react-styled-components-injection", + "name": "semgrep_rules.react-styled-components-injection", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "OWASP-A7: Cross-Site Scripting (XSS)" + ] + }, + "shortDescription": { + "text": "User controlled data in a styled component's css is an anti-pattern that can lead to XSS vulnerabilities" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least 
privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE" + }, + "id": "semgrep_rules.no-iam-admin-privileges", + "name": "semgrep_rules.no-iam-admin-privileges", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-269: Improper Privilege Management" + ] + }, + "shortDescription": { + "text": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.\n" + }, + "id": "semgrep_rules.eslint.detect-non-literal-fs-filename", + "name": "semgrep_rules.eslint.detect-non-literal-fs-filename", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + ] + }, + "shortDescription": { + "text": "A variable is present in the filename argument of fs calls, this might allow an attacker to access anything on your system.\n" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Cannot determine what '$UNK' is and it is used with a '