@appland/scanner 1.64.0 → 1.65.0

package/CHANGELOG.md

@@ -1,3 +1,16 @@
+# [@appland/scanner-v1.65.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.64.0...@appland/scanner-v1.65.0) (2022-08-08)
+
+
+### Bug Fixes
+
+* Remove an inadvenant console log ([5c11fc7](https://github.com/applandinc/appmap-js/commit/5c11fc77650e105f169ca0bcc4045312578e8881))
+
+
+### Features
+
+* Add unauthenticated-encryption to default rule set ([2e3cf92](https://github.com/applandinc/appmap-js/commit/2e3cf9298b3cfe99b489ab8b2894e913a305fdd0))
+* Check for unauthenticated encryption ([d393951](https://github.com/applandinc/appmap-js/commit/d393951c73c4492f1e95b52a2580fde10b256ee4))
+
 # [@appland/scanner-v1.64.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.63.0...@appland/scanner-v1.64.0) (2022-08-04)
 
 

package/built/rules/unauthenticated-encryption/metadata.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = {
+    title: 'Unauthenticated encryption',
+    enumerateScope: true,
+    impactDomain: 'Security',
+    references: {
+        'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+    },
+    labels: ['crypto.encrypt', 'crypto.set_auth_data'],
+};

package/built/rules/unauthenticated-encryption/rule.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function matcher(event, appMapIndex) {
+    if (!event.receiver)
+        return;
+    const objectId = event.receiver.object_id;
+    const setAuthData = appMapIndex.appMap.events
+        .filter((evt) => { var _a; return ((_a = evt.receiver) === null || _a === void 0 ? void 0 : _a.object_id) === objectId; })
+        .find((evt) => evt.labels.has('crypto.set_auth_data'));
+    if (!setAuthData) {
+        return [
+            {
+                event,
+                message: 'Encryption is not authenticated',
+            },
+        ];
+    }
+}
+function rule() {
+    return {
+        matcher,
+        where: (e) => e.labels.has('crypto.encrypt'),
+    };
+}
+exports.default = rule;

package/built/sampleConfig/default.yml

@@ -1,26 +1,27 @@
 checks:
-  - rule: authzBeforeAuthn
-  # - rule: circularDependency
-  - rule: deserializationOfUntrustedData
-  - rule: execOfUntrustedCommand
-  - rule: http500
-  # - rule: illegalPackageDependency
-  # - rule: incompatibleHttpClientRequest
-  # - rule: insecureCompare
-  # - rule: jobNotCancelled
-  - rule: logoutWithoutSessionReset
-  # - rule: missingAuthentication
-  - rule: missingContentType
-  - rule: nPlusOneQuery
-  # - rule: queryFromInvalidPackage
-  # - rule: queryFromView
-  # - rule: rpcWithoutCircuitBreaker
-  # - rule: saveWithoutValidation
-  - rule: secretInLog
-  #  - rule: slowFunctionCall
-  #  - rule: slowHttpServerRequest
-  #  - rule: slowQuery
-  - rule: tooManyJoins
-  - rule: tooManyUpdates
-  # - rule: unbatchedMaterializedQuery
-  - rule: updateInGetRequest
+  - rule: authz-before-authn
+  # - rule: circular-dependency
+  - rule: deserialization-of-untrusted-data
+  - rule: exec-of-untrusted-command
+  - rule: http-500
+  # - rule: illegal-package-dependency
+  # - rule: incompatible-http-client-request
+  # - rule: insecure-compare
+  # - rule: job-not-cancelled
+  - rule: logout-without-session-reset
+  # - rule: missing-authentication
+  - rule: missing-content-type
+  - rule: n-plus-one-query
+  # - rule: query-from-invalid-package
+  # - rule: query-from-view
+  # - rule: rpc-without-circuit-breaker
+  # - rule: save-without-validation
+  - rule: secret-in-log
+  #  - rule: slow-function-call
+  #  - rule: slow-httpServer-request
+  #  - rule: slow-query
+  - rule: too-many-joins
+  - rule: too-many-updates
+  # - rule: unbatched-materialized-query
+  - rule: unauthenticated-encryption
+  - rule: update-in-get-request

package/doc/labels/crypto.encrypt.md

@@ -0,0 +1,7 @@
+---
+name: crypto.encrypt
+rules:
+  - unauthenticated-encryption
+---
+
+A function that performs encryption.

package/doc/labels/crypto.set_auth_data.md

@@ -0,0 +1,7 @@
+---
+name: crypto.set_auth_data
+rules:
+  - unauthenticated-encryption
+---
+
+A function that sets authenticated data for an encryption operation.

package/doc/rules/unauthenticated-encryption.md

@@ -0,0 +1,42 @@
+---
+rule: unauthenticated-encryption
+name: Unauthenticated encryption
+title: Unauthenticated encryption
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.set_auth_data
+---
+
+Ensures that encryption operations use authenticated encryption.
+
+### Rule logic
+
+Finds all events labeled `crypto.encrypt`. For each of these events, there should be another event
+in the same AppMap that has the same `receiver.object_id` and also has the label
+`crypto.set_auth_data`.
+
+### Notes
+
+[OWASP recommends against the use of unauthenticated encryption](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/).
+
+### Resolution
+
+Change the encryption code to use a current authenticated encryption algorithm. At the time of this
+writing, an example is `aes-256-gcm`.
+
+Examples:
+
+- [`OpenSSL::Cipher#auth_data=` (Ruby)](https://ruby-doc.org/stdlib-3.1.1/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D)
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: unauthenticated-encryption
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.64.0",
+  "version": "1.65.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [