npm - @appland/scanner - Versions diffs - 1.60.0 → 1.61.0 - Mend

@appland/scanner 1.60.0 → 1.61.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md +7 -0
package/built/analyzer/recordSecrets.js +1 -1
package/built/ruleChecker.js +16 -7
package/built/rules/circularDependency.js +2 -1
package/built/rules/illegalPackageDependency.js +5 -2
package/built/rules/insecureCompare.js +8 -2
package/built/rules/jobNotCancelled.js +5 -8
package/built/rules/nPlusOneQuery.js +1 -0
package/built/rules/queryFromInvalidPackage.js +6 -3
package/built/rules/secretInLog.js +27 -12
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,10 @@
+# [@appland/scanner-v1.61.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.60.0...@appland/scanner-v1.61.0) (2022-07-11)
+### Features
+* Add participating events to each finding ([f3e8033](https://github.com/applandinc/appmap-js/commit/f3e80332833ec3305ef530d89b12763781a8c85b))
 # [@appland/scanner-v1.60.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.59.2...@appland/scanner-v1.60.0) (2022-06-30)

package/built/analyzer/recordSecrets.js CHANGED Viewed

@@ -14,7 +14,7 @@ function default_1(secrets, e) {
         if ((0, util_1.verbose)()) {
             console.warn(`Secret generated: ${secret}`);
         }
-        secrets.add(secret);
+        secrets.push({ generatorEvent: e, value: secret });
     }
 }
 exports.default = default_1;

package/built/ruleChecker.js CHANGED Viewed

@@ -94,8 +94,9 @@ class RuleChecker {
             if (!checkInstance.filterEvent(event, appMapIndex)) {
                 return;
             }
-            const buildFinding = (matchEvent, message, groupMessage, occurranceCount,
-            // matchEvent will be added to additionalEvents to create the relatedEvents array
+            const buildFinding = (matchEvent, participatingEvents, message, groupMessage, occurranceCount,
+            // matchEvent will be added to additionalEvents and participatingEvents.values
+            // to create the relatedEvents array
             additionalEvents) => {
                 const findingEvent = matchEvent || event;
                 // Fixes:
@@ -118,12 +119,19 @@ class RuleChecker {
                         return;
                     }
                     uniqueEvents.add(event.id);
-                    relatedEvents.push(event);
+                    relatedEvents.push((0, eventUtil_1.cloneEvent)(event));
                 });
                 // Update event hash with unique hashes of related events
                 new Set(relatedEvents.map((e) => e.hash)).forEach((eventHash) => {
                     hash.update(eventHash);
                 });
+                Object.values(participatingEvents).forEach((event) => {
+                    if (uniqueEvents.has(event.id)) {
+                        return;
+                    }
+                    uniqueEvents.add(event.id);
+                    relatedEvents.push((0, eventUtil_1.cloneEvent)(event));
+                });
                 return {
                     appMapFile,
                     checkId: checkInstance.checkId,
@@ -138,6 +146,7 @@ class RuleChecker {
                     occurranceCount,
                     relatedEvents: relatedEvents.sort((event) => event.id),
                     impactDomain: checkInstance.checkImpactDomain,
+                    participatingEvents: Object.fromEntries(Object.entries(participatingEvents).map(([k, v]) => [k, (0, eventUtil_1.cloneEvent)(v)])),
                 };
             };
             const matchResult = yield checkInstance.ruleLogic.matcher(event, appMapIndex, checkInstance.filterEvent.bind(checkInstance));
@@ -146,21 +155,21 @@ class RuleChecker {
                 let finding;
                 if (checkInstance.ruleLogic.message) {
                     const message = checkInstance.ruleLogic.message(scope, event);
-                    finding = buildFinding(event, message);
+                    finding = buildFinding(event, {}, message);
                 }
                 else {
-                    finding = buildFinding(event);
+                    finding = buildFinding(event, {});
                 }
                 findings.push(finding);
             }
             else if (typeof matchResult === 'string') {
-                const finding = buildFinding(event, matchResult);
+                const finding = buildFinding(event, {}, matchResult);
                 finding.message = matchResult;
                 findings.push(finding);
             }
             else if (matchResult) {
                 matchResult.forEach((mr) => {
-                    const finding = buildFinding(mr.event, mr.message, mr.groupMessage, mr.occurranceCount, mr.relatedEvents);
+                    const finding = buildFinding(mr.event, mr.participatingEvents || {}, mr.message, mr.groupMessage, mr.occurranceCount, mr.relatedEvents);
                     findings.push(finding);
                 });
             }

package/built/rules/circularDependency.js CHANGED Viewed

@@ -173,13 +173,14 @@ function build(options) {
             .map((cycle) => searchForCycle(cycle, ignoredPackages))
             .filter((path) => path)
             .map((path) => {
+            path = path;
             return {
                 event: path[0],
                 message: [
                     'Cycle in package dependency graph',
                     path.map((event) => event.codeObject.packageOf).join(' -> '),
                 ].join(': '),
-                relatedEvents: path,
+                participatingEvents: Object.fromEntries(path.map((event, index) => [`path[${index}]`, event])),
             };
         });
     }

package/built/rules/illegalPackageDependency.js CHANGED Viewed

@@ -19,18 +19,21 @@ function build(options) {
         return !!e.parent && !!e.parent.codeObject.packageOf && calleePattern(e.codeObject.packageOf);
     }
     function matcher(e) {
+        const parent = e.parent;
+        if (!parent)
+            return;
         const packageNamesStr = options.callerPackages
             .map((config) => config.equal || config.include || config.match)
             .map(String)
             .join(' or ');
-        const parentPackage = e.parent.codeObject.packageOf;
+        const parentPackage = parent.codeObject.packageOf;
         if (!(e.codeObject.packageOf === parentPackage ||
             callerPatterns.some((pattern) => pattern(parentPackage)))) {
             return [
                 {
                     event: e,
                     message: `Code object ${e.codeObject.id} was invoked from ${parentPackage}, not from ${packageNamesStr}`,
-                    relatedEvents: [e.parent],
+                    participatingEvents: { parent },
                 },
             ];
         }

package/built/rules/insecureCompare.js CHANGED Viewed

@@ -8,7 +8,8 @@ const recordSecrets_1 = __importDefault(require("../analyzer/recordSecrets"));
 const secretsRegexes_1 = require("../analyzer/secretsRegexes");
 const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
 const BCRYPT_REGEXP = /^[$]2[abxy]?[$](?:0[4-9]|[12][0-9]|3[01])[$][./0-9a-zA-Z]{53}$/;
-const secrets = new Set();
+const secrets = [];
+const secretStrings = new Set();
 function stringEquals(e) {
     if (!e.parameters || !e.receiver || e.parameters.length !== 1) {
         return false;
@@ -18,7 +19,7 @@ function stringEquals(e) {
         return BCRYPT_REGEXP.test(str);
     }
     function isSecret(str) {
-        return secrets.has(str) || (0, secretsRegexes_1.looksSecret)(str);
+        return secretStrings.has(str) || (0, secretsRegexes_1.looksSecret)(str);
     }
     // BCrypted strings are safe to compare using equals()
     return args.some(isSecret) && !args.some(isBcrypt);
@@ -26,7 +27,12 @@ function stringEquals(e) {
 function build() {
     function matcher(e) {
         if (e.codeObject.labels.has(Secret)) {
+            const numSecrets = secrets.length;
             (0, recordSecrets_1.default)(secrets, e);
+            for (let index = numSecrets; index < secrets.length; index++) {
+                const secret = secrets[index];
+                secretStrings.add(secret.value);
+            }
         }
         if (e.codeObject.labels.has(StringEquals)) {
             return stringEquals(e);

package/built/rules/jobNotCancelled.js CHANGED Viewed

@@ -18,14 +18,11 @@ function build() {
         const missing = creationEvents.length - cancellationEvents.length;
         if (missing === 0)
             return;
-        const result = {
-            event: event,
-            message: `${missing} jobs created but not cancelled in this rolled back transaction`,
-            // if there's a mismatch and there are cancellations we can't tell
-            // for sure which creations they match, so return everything
-            relatedEvents: [...creationEvents, ...cancellationEvents],
-        };
-        return [result];
+        return creationEvents.map((jobCreationEvent) => ({
+            event: jobCreationEvent,
+            message: `Job created by ${jobCreationEvent.codeObject.prettyName} was not cancelled when the enclosing transaction rolled back`,
+            participatingEvents: { beginTransaction: event },
+        }));
     }
     return {
         matcher,

package/built/rules/nPlusOneQuery.js CHANGED Viewed

@@ -43,6 +43,7 @@ function build(options) {
                             groupMessage: sql,
                             occurranceCount: occurranceCount,
                             relatedEvents: events.map((e) => e.event),
+                            participatingEvents: { commonAncestor: ancestor },
                         };
                     };
                     if (occurranceCount >= options.errorLimit) {

package/built/rules/queryFromInvalidPackage.js CHANGED Viewed

@@ -18,12 +18,15 @@ function build(options) {
     const allowedPackages = (0, matchPattern_1.buildFilters)(options.allowedPackages);
     const allowedQueries = (0, matchPattern_1.buildFilters)(options.allowedQueries);
     function matcher(e) {
-        if (!allowedPackages.some((filter) => filter(e.parent.codeObject.packageOf))) {
+        if (!e.parent)
+            return;
+        const parent = e.parent;
+        if (!allowedPackages.some((filter) => filter(parent.codeObject.packageOf))) {
             return [
                 {
                     event: e,
-                    message: `${e.codeObject.id} is invoked from illegal package ${e.parent.codeObject.packageOf}`,
-                    relatedEvents: [e.parent],
+                    message: `${e.codeObject.id} is invoked from illegal package ${parent.codeObject.packageOf}`,
+                    participatingEvents: { parent: parent },
                 },
             ];
         }

package/built/rules/secretInLog.js CHANGED Viewed

@@ -32,12 +32,19 @@ const recordSecrets_1 = __importDefault(require("../analyzer/recordSecrets"));
 const url_1 = require("url");
 const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
 class Match {
-    constructor(pattern, value) {
+    constructor(pattern, value, generatorEvent) {
         this.pattern = pattern;
         this.value = value;
+        this.generatorEvent = generatorEvent;
+    }
+    static fromPattern(pattern, value) {
+        return new Match(pattern, value);
+    }
+    static fromSecret(secret, value) {
+        return new Match(secret.value, value, secret.generatorEvent);
     }
 }
-const secrets = new Set();
+const secrets = [];
 const findInLog = (event) => {
     if (!event.parameters)
         return;
@@ -45,24 +52,32 @@ const findInLog = (event) => {
     for (const { value } of event.parameters) {
         if ((0, util_1.emptyValue)(value))
             continue;
-        const patterns = [];
         if ((0, secretsRegexes_1.looksSecret)(value)) {
             // Only look for the exact matching regexes if it matches the catchall regex
-            patterns.push(...Object.values(secretsRegexes_1.default)
+            matches.push(...Object.values(secretsRegexes_1.default)
                 .flat()
-                .filter((re) => re.test(value)));
+                .filter((re) => re.test(value))
+                .map((re) => Match.fromPattern(re, value)));
         }
         for (const secret of secrets) {
-            if (value.includes(secret))
-                patterns.push(secret);
+            if (value.includes(secret.value)) {
+                matches.push(Match.fromSecret(secret, value));
+            }
         }
-        matches.push(...patterns.map((pattern) => new Match(pattern, value)));
     }
     if (matches.length > 0) {
-        return matches.map((match) => ({
-            event,
-            message: `Log event contains secret data: ${match.value}`,
-        }));
+        return matches.map((match) => {
+            const { pattern, value } = match;
+            const participatingEvents = { logEvent: event };
+            if (match.generatorEvent) {
+                participatingEvents.generatorEvent = match.generatorEvent;
+            }
+            return {
+                event,
+                message: `Log message contains secret ${match.generatorEvent ? match.generatorEvent.codeObject.prettyName || 'data' : 'data'} "${pattern}": ${value}`,
+                participatingEvents,
+            };
+        });
     }
 };
 function build() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.60.0",
+  "version": "1.61.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [