npm - @appland/scanner - Versions diffs - 1.46.3 → 1.49.0 - Mend

@appland/scanner 1.46.3 → 1.49.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/built/analyzer/recordSecrets.js +29 -3
package/built/analyzer/recordSecrets.js.map +1 -1
package/built/ruleChecker.js +44 -18
package/built/ruleChecker.js.map +1 -1
package/built/rules/authzBeforeAuthn.js +0 -1
package/built/rules/authzBeforeAuthn.js.map +1 -1
package/built/rules/circularDependency.js +0 -2
package/built/rules/circularDependency.js.map +1 -1
package/built/rules/deserializationOfUntrustedData.js +12 -82
package/built/rules/deserializationOfUntrustedData.js.map +1 -1
package/built/rules/execOfUntrustedCommand.js +95 -0
package/built/rules/execOfUntrustedCommand.js.map +1 -0
package/built/rules/http500.js +0 -1
package/built/rules/http500.js.map +1 -1
package/built/rules/illegalPackageDependency.js +7 -1
package/built/rules/illegalPackageDependency.js.map +1 -1
package/built/rules/incompatibleHttpClientRequest.js +1 -1
package/built/rules/incompatibleHttpClientRequest.js.map +1 -1
package/built/rules/insecureCompare.js +0 -1
package/built/rules/insecureCompare.js.map +1 -1
package/built/rules/jobNotCancelled.js +0 -1
package/built/rules/jobNotCancelled.js.map +1 -1
package/built/rules/lib/parseRuleDescription.js +4 -3
package/built/rules/lib/parseRuleDescription.js.map +1 -1
package/built/rules/lib/precedingEvents.js +80 -0
package/built/rules/lib/precedingEvents.js.map +1 -0
package/built/rules/lib/sanitizesData.js +10 -0
package/built/rules/lib/sanitizesData.js.map +1 -0
package/built/rules/lib/util.js +18 -2
package/built/rules/lib/util.js.map +1 -1
package/built/rules/logoutWithoutSessionReset.js +0 -1
package/built/rules/logoutWithoutSessionReset.js.map +1 -1
package/built/rules/missingAuthentication.js +3 -3
package/built/rules/missingAuthentication.js.map +1 -1
package/built/rules/queryFromInvalidPackage.js +7 -2
package/built/rules/queryFromInvalidPackage.js.map +1 -1
package/built/rules/queryFromView.js +12 -1
package/built/rules/queryFromView.js.map +1 -1
package/built/rules/secretInLog.js +11 -9
package/built/rules/secretInLog.js.map +1 -1
package/built/rules/tooManyJoins.js +0 -2
package/built/rules/tooManyJoins.js.map +1 -1
package/built/rules/tooManyUpdates.js +0 -1
package/built/rules/tooManyUpdates.js.map +1 -1
package/built/rules/unbatchedMaterializedQuery.js +0 -1
package/built/rules/unbatchedMaterializedQuery.js.map +1 -1
package/built/sampleConfig/default.yml +2 -1
package/built/scope/commandScope.js +2 -3
package/built/scope/commandScope.js.map +1 -1
package/doc/labels/{public.md → access.public.md} +1 -1
package/doc/labels/command.perform.md +7 -0
package/doc/labels/deserialize.safe.md +2 -0
package/doc/labels/deserialize.sanitize.md +22 -0
package/doc/labels/deserialize.unsafe.md +2 -0
package/doc/labels/job.perform.md +6 -0
package/doc/labels/system.exec.md +7 -0
package/doc/labels/system.exec.safe.md +7 -0
package/doc/labels/system.exec.sanitize.md +22 -0
package/doc/rules/circularDependency.md +0 -1
package/doc/rules/deserializationOfUntrustedData.md +1 -1
package/doc/rules/execOfUntrustedCommand.md +16 -0
package/doc/rules/missingAuthentication.md +1 -1
package/doc/rules/tooManyJoins.md +0 -1
package/doc/rules/unbatchedMaterializedQuery.md +0 -1
package/package.json +1 -1
package/doc/labels/sanitize.md +0 -29

package/doc/labels/system.exec.sanitize.md ADDED Viewed

@@ -0,0 +1,22 @@
+---
+name: system.exec.sanitize
+rules:
+  - exec-of-untrusted-command
+---
+Ensures that data is safe and trusted for use as a system command, transforming it if necessary, and
+returning `falsey` or raising an exception if it's impossible to make the data safe.
+A function with this label can be used to convert untrusted data such as direct user input or HTTP
+request parameters into trusted data.
+Note that this is not the same as ensuring that a parameter satisfies business logic constraints -
+such as presence or max length. It's a security check that ensures the data cannot cause harm when
+used as a system command.
+To be considered successful, a `system.exec.sanitize` function must return a `truthy` value.
+## Examples
+- Ensuring that a user-provided file path is a subdirectory of a known allowed directory.
+- Ensuring that a system command string does not have any potential injection or side-effects.

package/doc/rules/circularDependency.md CHANGED Viewed

@@ -5,7 +5,6 @@ title: Circular package dependency
 references:
   CWE-1047: https://cwe.mitre.org/data/definitions/1047.html
 impactDomain: Maintainability
-scope: command
 ---
 Finds cycles in the package dependency graph. Cyclic dependencies make code hard to maintain,

package/doc/rules/deserializationOfUntrustedData.md CHANGED Viewed

@@ -9,7 +9,7 @@ impactDomain: Security
 labels:
   - deserialize.unsafe
   - deserialize.safe
-  - sanitize
+  - deserialize.sanitize
 ---
 Finds occurrances of deserialization in which the mechanism employed is known to be unsafe, and the

package/doc/rules/execOfUntrustedCommand.md ADDED Viewed

@@ -0,0 +1,16 @@
+---
+rule: exec-of-untrusted-command
+name: Exec of untrusted command
+title: Execution of untrusted system command
+references:
+  CWE-78: https://cwe.mitre.org/data/definitions/78.html
+impactDomain: Security
+labels:
+  - system.exec
+  - system.exec.safe
+  - system.exec.sanitize
+---
+Find occurrances of system command execution in which the command string is not guaranteed to be
+safe.

package/doc/rules/missingAuthentication.md CHANGED Viewed

@@ -6,7 +6,7 @@ references:
   CWE-306: https://cwe.mitre.org/data/definitions/306.html
 impactDomain: Security
 labels:
-  - public
+  - access.public
   - security.authentication
 scope: http_server_request
 ---

package/doc/rules/tooManyJoins.md CHANGED Viewed

@@ -5,7 +5,6 @@ title: Too many joins
 references:
   CWE-1049: https://cwe.mitre.org/data/definitions/1049.html
 impactDomain: Performance
-scope: command
 ---
 Verifies that the number of joins in SQL queries does not exceed a threshold.

package/doc/rules/unbatchedMaterializedQuery.md CHANGED Viewed

@@ -7,7 +7,6 @@ references:
 impactDomain: Performance
 labels:
   - dao.materialize
-scope: command
 ---
 Finds large data sets that are queried from the database and loaded into memory.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.46.3",
+  "version": "1.49.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [

package/doc/labels/sanitize.md DELETED Viewed

@@ -1,29 +0,0 @@
----
-name: sanitize
-rules:
-  - deserialization-of-untrusted-data
----
-Ensures that data is safe and trusted, transforming it if necessary, and returning `falsey` or
-raising an exception if it's impossible to make the data safe.
-A function with this label can be used to convert untrusted data such as direct user input or HTTP
-request parameters into trusted data.
-Note that this is not the same as ensuring that a parameter satisfies business logic constraints -
-such as presence or max length. It's a security check that ensures the data cannot cause downstream
-harm.
-To be considered successful, a `sanitize` function must return a `truthy` value.
-## Examples
-- Sanitizing HTML by removing all potentially harmful elements, such as script tags.
-- Ensuring that SQL queries are properly escaped.
-- Running user-provided YAML through a "safe loader" which discards unsafe syntax such as object
-  class names.
-- Ensuring that a user-provided file path is a subdirectory of a known allowed directory.
-- Ensuring that a system command string does not have any potential injection or side-effects.
-- Ruby -
-  [sanitize_filename](https://github.com/technoweenie/attachment_fu/blob/fa08cb03914b02b66853b4615cd3eca768291ca7/lib/technoweenie/attachment_fu.rb#L410)
-  in `attachment_fu`.