@appland/scanner 1.63.0 → 1.66.0

package/CHANGELOG.md

@@ -1,3 +1,36 @@
+# [@appland/scanner-v1.66.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.65.0...@appland/scanner-v1.66.0) (2022-08-08)
+
+
+### Bug Fixes
+
+* Fix rule doc ([b99b6ae](https://github.com/applandinc/appmap-js/commit/b99b6aec90186bef312d04fb4f4c95f9b1ee62d5))
+
+
+### Features
+
+* Add deprecated-crypto-algorithm to default rule set ([3034489](https://github.com/applandinc/appmap-js/commit/303448974a73637493a72bea7ab8cfb28ccc8b10))
+* Detect deprecated crypto algorithm ([a17a537](https://github.com/applandinc/appmap-js/commit/a17a537334771a9f2cd64fa73c2396e517ff82ea))
+
+# [@appland/scanner-v1.65.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.64.0...@appland/scanner-v1.65.0) (2022-08-08)
+
+
+### Bug Fixes
+
+* Remove an inadvenant console log ([5c11fc7](https://github.com/applandinc/appmap-js/commit/5c11fc77650e105f169ca0bcc4045312578e8881))
+
+
+### Features
+
+* Add unauthenticated-encryption to default rule set ([2e3cf92](https://github.com/applandinc/appmap-js/commit/2e3cf9298b3cfe99b489ab8b2894e913a305fdd0))
+* Check for unauthenticated encryption ([d393951](https://github.com/applandinc/appmap-js/commit/d393951c73c4492f1e95b52a2580fde10b256ee4))
+
+# [@appland/scanner-v1.64.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.63.0...@appland/scanner-v1.64.0) (2022-08-04)
+
+
+### Features
+
+* Command scope falls back on root events ([3823a1f](https://github.com/applandinc/appmap-js/commit/3823a1f686212db49b87f2995baa2103a4e007d1))
+
 # [@appland/scanner-v1.63.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.62.2...@appland/scanner-v1.63.0) (2022-07-28)
 
 

package/built/check.js

@@ -9,7 +9,7 @@ class Check {
         }
         this.id = rule.id;
         this.options = options || makeOptions();
-        this.scope = rule.scope || 'root';
+        this.scope = rule.scope || 'command';
         this.includeScope = [];
         this.excludeScope = [];
         this.includeEvent = [];

package/built/ruleChecker.js

@@ -35,14 +35,7 @@ class RuleChecker {
     }
     check(appMapFile, appMapIndex, check, findings) {
         return __awaiter(this, void 0, void 0, function* () {
-            const numScopesChecked = yield this.checkScope(appMapFile, appMapIndex, check, check.scope, findings);
-            if (numScopesChecked === 0 && check.scope === 'command') {
-                yield this.checkScope(appMapFile, appMapIndex, check, 'root', findings);
-            }
-        });
-    }
-    checkScope(appMapFile, appMapIndex, check, scope, findings) {
-        return __awaiter(this, void 0, void 0, function* () {
+            const scope = check.scope;
             if ((0, util_1.verbose)()) {
                 console.warn(`Checking AppMap ${appMapIndex.appMap.name} with scope ${scope}`);
             }
@@ -56,9 +49,7 @@ class RuleChecker {
                     yield events[i];
                 }
             };
-            let numScopes = 0;
             for (const scope of scopeIterator.scopes(callEvents())) {
-                numScopes += 1;
                 if ((0, util_1.verbose)()) {
                     console.warn(`Scope ${scope.scope}`);
                 }
@@ -75,7 +66,6 @@ class RuleChecker {
                     yield this.checkEvent(scope.scope, scope.scope, appMapFile, appMapIndex, checkInstance, findings);
                 }
             }
-            return numScopes;
         });
     }
     checkEvent(event, scope, appMapFile, appMapIndex, checkInstance, findings) {

package/built/rules/deprecated-crypto-algorithm/metadata.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.labels = void 0;
+exports.labels = ['crypto.encrypt', 'crypto.decrypt', 'crypto.digest'];
+exports.default = {
+    title: 'Deprecated cryptographic algorithm',
+    scope: 'root',
+    enumerateScope: true,
+    impactDomain: 'Security',
+    references: {
+        'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+    },
+    labels: exports.labels,
+};

package/built/rules/deprecated-crypto-algorithm/rule.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deprecatedAlgorithms = void 0;
+const metadata_1 = require("./metadata");
+exports.deprecatedAlgorithms = [
+    /\bcbc\b/i,
+    /\becb\b/i,
+    /\b3?des\b/i,
+    /\brc\d\b/i,
+    /\bmd\d\b/i,
+    /\bsha-?1\b/i,
+];
+// Also:
+// https://securitymusings.com/article/1587/algorithm-and-key-length-deprecation
+// http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
+// Password handling: As soon as you receive a password, hash it using scrypt or PBKDF2 and erase the plaintext password from memory.
+// 1024-bit RSA or DSA
+// 160-bit ECDSA (elliptic curves)
+// 80/112-bit 2TDEA (two key triple DES)
+// PKCS #1 v1.5
+function matcher(event) {
+    if (!event.receiver)
+        return;
+    const receiverLabels = event.receiver.labels || [];
+    const deprecatedAlgorithm = receiverLabels
+        .filter((label) => label.startsWith('crypto.algorithm.'))
+        .map((label) => label.split('.').slice(2).join('.'))
+        .find((label) => exports.deprecatedAlgorithms.find((alg) => alg.test(label)));
+    if (deprecatedAlgorithm) {
+        return [
+            {
+                event,
+                message: `Deprecated crypto algorithm: ${deprecatedAlgorithm}`,
+            },
+        ];
+    }
+}
+function rule() {
+    return {
+        matcher,
+        where: (e) => !!metadata_1.labels.find((label) => e.labels.has(label)),
+    };
+}
+exports.default = rule;

package/built/rules/secretInLog.js

@@ -101,6 +101,7 @@ exports.default = {
     id: 'secret-in-log',
     title: 'Secret in log',
     labels: [Secret, Log],
+    scope: 'root',
     impactDomain: 'Security',
     enumerateScope: true,
     references: {

package/built/rules/slowFunctionCall.js

@@ -30,7 +30,6 @@ function build(options) {
 exports.default = {
     id: 'slow-function-call',
     title: 'Slow function call',
-    scope: 'root',
     impactDomain: 'Performance',
     enumerateScope: true,
     description: (0, parseRuleDescription_1.default)('slowFunctionCall'),

package/built/rules/unauthenticated-encryption/metadata.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = {
+    title: 'Unauthenticated encryption',
+    enumerateScope: true,
+    impactDomain: 'Security',
+    references: {
+        'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+    },
+    labels: ['crypto.encrypt', 'crypto.set_auth_data'],
+};

package/built/rules/unauthenticated-encryption/rule.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function matcher(event, appMapIndex) {
+    if (!event.receiver)
+        return;
+    const objectId = event.receiver.object_id;
+    const setAuthData = appMapIndex.appMap.events
+        .filter((evt) => { var _a; return ((_a = evt.receiver) === null || _a === void 0 ? void 0 : _a.object_id) === objectId; })
+        .find((evt) => evt.labels.has('crypto.set_auth_data'));
+    if (!setAuthData) {
+        return [
+            {
+                event,
+                message: 'Encryption is not authenticated',
+            },
+        ];
+    }
+}
+function rule() {
+    return {
+        matcher,
+        where: (e) => e.labels.has('crypto.encrypt'),
+    };
+}
+exports.default = rule;

package/built/sampleConfig/default.yml

@@ -1,26 +1,28 @@
 checks:
-  - rule: authzBeforeAuthn
-  # - rule: circularDependency
-  - rule: deserializationOfUntrustedData
-  - rule: execOfUntrustedCommand
-  - rule: http500
-  # - rule: illegalPackageDependency
-  # - rule: incompatibleHttpClientRequest
-  # - rule: insecureCompare
-  # - rule: jobNotCancelled
-  - rule: logoutWithoutSessionReset
-  # - rule: missingAuthentication
-  - rule: missingContentType
-  - rule: nPlusOneQuery
-  # - rule: queryFromInvalidPackage
-  # - rule: queryFromView
-  # - rule: rpcWithoutCircuitBreaker
-  # - rule: saveWithoutValidation
-  - rule: secretInLog
-  #  - rule: slowFunctionCall
-  #  - rule: slowHttpServerRequest
-  #  - rule: slowQuery
-  - rule: tooManyJoins
-  - rule: tooManyUpdates
-  # - rule: unbatchedMaterializedQuery
-  - rule: updateInGetRequest
+  - rule: authz-before-authn
+  # - rule: circular-dependency
+  - rule: deprecated-crypto-algorithm
+  - rule: deserialization-of-untrusted-data
+  - rule: exec-of-untrusted-command
+  - rule: http-500
+  # - rule: illegal-package-dependency
+  # - rule: incompatible-http-client-request
+  # - rule: insecure-compare
+  # - rule: job-not-cancelled
+  - rule: logout-without-session-reset
+  # - rule: missing-authentication
+  - rule: missing-content-type
+  - rule: n-plus-one-query
+  # - rule: query-from-invalid-package
+  # - rule: query-from-view
+  # - rule: rpc-without-circuit-breaker
+  # - rule: save-without-validation
+  - rule: secret-in-log
+  #  - rule: slow-function-call
+  #  - rule: slow-httpServer-request
+  #  - rule: slow-query
+  - rule: too-many-joins
+  - rule: too-many-updates
+  # - rule: unbatched-materialized-query
+  - rule: unauthenticated-encryption
+  - rule: update-in-get-request

package/built/scope/commandScope.js

@@ -21,15 +21,28 @@ const Command = 'command.perform';
 const Job = 'job.perform';
 class CommandScope extends scopeIterator_1.default {
     *scopes(events) {
+        let found = false;
+        const roots = [];
         for (const event of events) {
+            if (event.isCall() && !event.parent) {
+                roots.push(event);
+            }
             if (event.isCall() &&
                 (event.codeObject.labels.has(Command) ||
                     event.codeObject.labels.has(Job) ||
                     event.httpServerRequest)) {
+                found = true;
                 yield new ScopeImpl(event);
                 this.advanceToReturnEvent(event, events);
             }
         }
+        // If no true command is found, yield all root events.
+        if (!found) {
+            for (let index = 0; index < roots.length; index++) {
+                const event = roots[index];
+                yield new ScopeImpl(event);
+            }
+        }
     }
 }
 exports.default = CommandScope;

package/doc/labels/crypto.decrypt.md

@@ -0,0 +1,7 @@
+---
+name: crypto.decrypt
+rules:
+  - deprecated-crypto-algorithm
+---
+
+A function that performs decryption.

package/doc/labels/crypto.digest.md

@@ -0,0 +1,7 @@
+---
+name: crypto.digest
+rules:
+  - deprecated-crypto-algorithm
+---
+
+A function that computes a cryptographic digest (or 'hash') of some data.

package/doc/labels/crypto.encrypt.md

@@ -0,0 +1,8 @@
+---
+name: crypto.encrypt
+rules:
+  - deprecated-crypto-algorithm
+  - unauthenticated-encryption
+---
+
+A function that performs encryption.

package/doc/labels/crypto.set_auth_data.md

@@ -0,0 +1,7 @@
+---
+name: crypto.set_auth_data
+rules:
+  - unauthenticated-encryption
+---
+
+A function that sets authenticated data for an encryption operation.

package/doc/rules/deprecated-crypto-algorithm.md

@@ -0,0 +1,15 @@
+---
+rule: deprecated-crypto-algorithm
+name: Deprecated crypto algorithm
+title: Deprecated cryptographic algorithm
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.decrypt
+  - crypto.digest
+scope: root
+---
+
+Ensure that cryptographic operations do not use deprecated algorithms.

package/doc/rules/secret-in-log.md

@@ -8,6 +8,7 @@ impactDomain: Security
 labels:
   - secret
   - log
+scope: root
 ---
 
 Identifies when a known or assumed secret is written to a log. Logs are often transported into other

package/doc/rules/slow-function-call.md

@@ -3,7 +3,6 @@ rule: slow-function-call
 name: Slow function call
 title: Slow function call
 impactDomain: Performance
-scope: root
 ---
 
 Ensures that function elapsed time does not exceed a threshold.

package/doc/rules/unauthenticated-encryption.md

@@ -0,0 +1,42 @@
+---
+rule: unauthenticated-encryption
+name: Unauthenticated encryption
+title: Unauthenticated encryption
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.set_auth_data
+---
+
+Ensures that encryption operations use authenticated encryption.
+
+### Rule logic
+
+Finds all events labeled `crypto.encrypt`. For each of these events, there should be another event
+in the same AppMap that has the same `receiver.object_id` and also has the label
+`crypto.set_auth_data`.
+
+### Notes
+
+[OWASP recommends against the use of unauthenticated encryption](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/).
+
+### Resolution
+
+Change the encryption code to use a current authenticated encryption algorithm. At the time of this
+writing, an example is `aes-256-gcm`.
+
+Examples:
+
+- [`OpenSSL::Cipher#auth_data=` (Ruby)](https://ruby-doc.org/stdlib-3.1.1/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D)
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: unauthenticated-encryption
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.63.0",
+  "version": "1.66.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [
@@ -61,7 +61,6 @@
     "@appland/sql-parser": "^1.5.0",
     "@types/cli-progress": "^3.9.2",
     "ajv": "^8.8.2",
-    "ansi-escapes": "^5.0.0",
     "applicationinsights": "^2.1.4",
     "async": "^3.2.3",
     "chalk": "^4.1.2",
@@ -86,16 +85,20 @@
   },
   "pkg": {
     "targets": [
-      "node14-linux-x64",
-      "node14-win-x64",
-      "node14-macos-x64"
+      "node16-linux-x64",
+      "node16-win-x64",
+      "node16-macos-x64",
+      "node16-macos-arm64"
     ],
     "scripts": [
-      "built/scanner/*.js"
+      "built/scanner/*.js",
+      "built/rules/**/*.js"
     ],
     "assets": [
       "built/sampleConfig/*.yml",
-      "built/**/*.json"
+      "built/**/*.json",
+      "package.json",
+      "doc/**/*.md"
     ],
     "outputPath": "dist"
   }