npm - @appland/scanner - Versions diffs - 1.64.0 → 1.67.0 - Mend

@appland/scanner 1.64.0 → 1.67.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +38 -0
package/built/configuration/configurationProvider.js +1 -1
package/built/database/index.js +15 -2
package/built/rules/deprecated-crypto-algorithm/metadata.js +14 -0
package/built/rules/deprecated-crypto-algorithm/rule.js +44 -0
package/built/rules/too-many-joins/metadata.js +10 -0
package/built/rules/too-many-joins/options.js +12 -0
package/built/rules/{tooManyJoins.js → too-many-joins/rule.js} +14 -24
package/built/rules/unauthenticated-encryption/metadata.js +11 -0
package/built/rules/unauthenticated-encryption/rule.js +25 -0
package/built/sampleConfig/default.yml +27 -25
package/doc/labels/crypto.decrypt.md +7 -0
package/doc/labels/crypto.digest.md +7 -0
package/doc/labels/crypto.encrypt.md +8 -0
package/doc/labels/crypto.set_auth_data.md +7 -0
package/doc/rules/deprecated-crypto-algorithm.md +15 -0
package/doc/rules/unauthenticated-encryption.md +42 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,41 @@
+# [@appland/scanner-v1.67.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.66.0...@appland/scanner-v1.67.0) (2022-08-10)
+### Bug Fixes
+* Fix Options loading from dir-based rules ([f58ce49](https://github.com/applandinc/appmap-js/commit/f58ce49f22ba4d649e8886d76373cf23d6614b37))
+### Features
+* Ignore schema info tables in too-many-joins ([0cb387d](https://github.com/applandinc/appmap-js/commit/0cb387d74aa7e6edda5e24a88d07fa65b3900966))
+# [@appland/scanner-v1.66.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.65.0...@appland/scanner-v1.66.0) (2022-08-08)
+### Bug Fixes
+* Fix rule doc ([b99b6ae](https://github.com/applandinc/appmap-js/commit/b99b6aec90186bef312d04fb4f4c95f9b1ee62d5))
+### Features
+* Add deprecated-crypto-algorithm to default rule set ([3034489](https://github.com/applandinc/appmap-js/commit/303448974a73637493a72bea7ab8cfb28ccc8b10))
+* Detect deprecated crypto algorithm ([a17a537](https://github.com/applandinc/appmap-js/commit/a17a537334771a9f2cd64fa73c2396e517ff82ea))
+# [@appland/scanner-v1.65.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.64.0...@appland/scanner-v1.65.0) (2022-08-08)
+### Bug Fixes
+* Remove an inadvenant console log ([5c11fc7](https://github.com/applandinc/appmap-js/commit/5c11fc77650e105f169ca0bcc4045312578e8881))
+### Features
+* Add unauthenticated-encryption to default rule set ([2e3cf92](https://github.com/applandinc/appmap-js/commit/2e3cf9298b3cfe99b489ab8b2894e913a305fdd0))
+* Check for unauthenticated encryption ([d393951](https://github.com/applandinc/appmap-js/commit/d393951c73c4492f1e95b52a2580fde10b256ee4))
 # [@appland/scanner-v1.64.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.63.0...@appland/scanner-v1.64.0) (2022-08-04)

package/built/configuration/configurationProvider.js CHANGED Viewed

@@ -83,7 +83,7 @@ function loadFromDir(ruleName) {
         if ((0, util_1.verbose)())
             console.log(`Loaded rule ${ruleName}: ${rule}`);
         try {
-            options = yield Promise.resolve().then(() => __importStar(require(`../rules/${ruleName}/options`)));
+            options = (yield Promise.resolve().then(() => __importStar(require(`../rules/${ruleName}/options`)))).default;
             if ((0, util_1.verbose)())
                 console.log(`Loaded rule ${ruleName} options: ${options}`);
         }

package/built/database/index.js CHANGED Viewed

@@ -126,14 +126,27 @@ function* sqlStrings(event, appMapIndex, filter = () => true) {
     }
 }
 exports.sqlStrings = sqlStrings;
-function countJoins(ast) {
+function countJoins(ast, filterTable) {
     if (!ast)
         return 0;
     let joins = 0;
     (0, visit_1.visit)(ast, {
         'map.join': (node) => {
             var _a;
-            joins += ((_a = node.map) !== null && _a !== void 0 ? _a : []).length;
+            const map = (_a = node.map) !== null && _a !== void 0 ? _a : [];
+            const tableCount = filterTable
+                ? map.filter((entry) => {
+                    const source = entry === null || entry === void 0 ? void 0 : entry.source;
+                    if (!source)
+                        return true;
+                    if (source.type !== 'identifier')
+                        return true;
+                    if (source.variant !== 'table')
+                        return true;
+                    return filterTable(source);
+                }).length
+                : map.length;
+            joins += tableCount;
         },
     });
     return joins;

package/built/rules/deprecated-crypto-algorithm/metadata.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.labels = void 0;
+exports.labels = ['crypto.encrypt', 'crypto.decrypt', 'crypto.digest'];
+exports.default = {
+    title: 'Deprecated cryptographic algorithm',
+    scope: 'root',
+    enumerateScope: true,
+    impactDomain: 'Security',
+    references: {
+        'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+    },
+    labels: exports.labels,
+};

package/built/rules/deprecated-crypto-algorithm/rule.js ADDED Viewed

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deprecatedAlgorithms = void 0;
+const metadata_1 = require("./metadata");
+exports.deprecatedAlgorithms = [
+    /\bcbc\b/i,
+    /\becb\b/i,
+    /\b3?des\b/i,
+    /\brc\d\b/i,
+    /\bmd\d\b/i,
+    /\bsha-?1\b/i,
+];
+// Also:
+// https://securitymusings.com/article/1587/algorithm-and-key-length-deprecation
+// http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
+// Password handling: As soon as you receive a password, hash it using scrypt or PBKDF2 and erase the plaintext password from memory.
+// 1024-bit RSA or DSA
+// 160-bit ECDSA (elliptic curves)
+// 80/112-bit 2TDEA (two key triple DES)
+// PKCS #1 v1.5
+function matcher(event) {
+    if (!event.receiver)
+        return;
+    const receiverLabels = event.receiver.labels || [];
+    const deprecatedAlgorithm = receiverLabels
+        .filter((label) => label.startsWith('crypto.algorithm.'))
+        .map((label) => label.split('.').slice(2).join('.'))
+        .find((label) => exports.deprecatedAlgorithms.find((alg) => alg.test(label)));
+    if (deprecatedAlgorithm) {
+        return [
+            {
+                event,
+                message: `Deprecated crypto algorithm: ${deprecatedAlgorithm}`,
+            },
+        ];
+    }
+}
+function rule() {
+    return {
+        matcher,
+        where: (e) => !!metadata_1.labels.find((label) => e.labels.has(label)),
+    };
+}
+exports.default = rule;

package/built/rules/too-many-joins/metadata.js ADDED Viewed

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = {
+    title: 'Too many joins',
+    enumerateScope: false,
+    impactDomain: 'Performance',
+    references: {
+        'CWE-1049': 'https://cwe.mitre.org/data/definitions/1049.html',
+    },
+};

package/built/rules/too-many-joins/options.js ADDED Viewed

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+class Options {
+    constructor() {
+        this.warningLimit = 5;
+        this.excludeTables = [
+            { match: /^pg_/, ignoreCase: false },
+            { match: /^information_schema$/, ignoreCase: true },
+        ];
+    }
+}
+exports.default = Options;

package/built/rules/{tooManyJoins.js → too-many-joins/rule.js} RENAMED Viewed

@@ -3,24 +3,26 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const database_1 = require("../database");
-const url_1 = require("url");
-const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
-class Options {
-    constructor() {
-        this.warningLimit = 5;
+const assert_1 = __importDefault(require("assert"));
+const database_1 = require("../../database");
+const matchPattern_1 = require("../lib/matchPattern");
+function rule(options) {
+    const excludeTables = (0, matchPattern_1.buildFilters)(options.excludeTables);
+    function filterTable(table) {
+        (0, assert_1.default)(table.type === 'identifier');
+        (0, assert_1.default)(table.variant === 'table');
+        return !excludeTables.find((filter) => filter(table.name));
     }
-}
-// TODO: clean up (https://github.com/applandinc/scanner/issues/43)
-function build(options = new Options()) {
-    const joinCount = {};
+    // TODO: clean up (https://github.com/applandinc/scanner/issues/43)
     function matcher(command, appMapIndex, eventFilter) {
+        const joinCount = {};
         for (const sqlEvent of (0, database_1.sqlStrings)(command, appMapIndex, eventFilter)) {
             let occurrence = joinCount[sqlEvent.sql];
             if (!occurrence) {
+                const sqlAST = appMapIndex.sqlAST(sqlEvent.event);
                 occurrence = {
                     count: 1,
-                    joins: (0, database_1.countJoins)(appMapIndex.sqlAST(sqlEvent.event)),
+                    joins: (0, database_1.countJoins)(sqlAST, filterTable),
                     events: [sqlEvent.event],
                 };
                 joinCount[sqlEvent.sql] = occurrence;
@@ -46,16 +48,4 @@ function build(options = new Options()) {
         matcher,
     };
 }
-exports.default = {
-    id: 'too-many-joins',
-    title: 'Too many joins',
-    impactDomain: 'Performance',
-    enumerateScope: false,
-    references: {
-        'CWE-1049': new url_1.URL('https://cwe.mitre.org/data/definitions/1049.html'),
-    },
-    description: (0, parseRuleDescription_1.default)('tooManyJoins'),
-    url: 'https://appland.com/docs/analysis/rules-reference.html#too-many-joins',
-    Options,
-    build,
-};
+exports.default = rule;

package/built/rules/unauthenticated-encryption/metadata.js ADDED Viewed

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = {
+    title: 'Unauthenticated encryption',
+    enumerateScope: true,
+    impactDomain: 'Security',
+    references: {
+        'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+    },
+    labels: ['crypto.encrypt', 'crypto.set_auth_data'],
+};

package/built/rules/unauthenticated-encryption/rule.js ADDED Viewed

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+function matcher(event, appMapIndex) {
+    if (!event.receiver)
+        return;
+    const objectId = event.receiver.object_id;
+    const setAuthData = appMapIndex.appMap.events
+        .filter((evt) => { var _a; return ((_a = evt.receiver) === null || _a === void 0 ? void 0 : _a.object_id) === objectId; })
+        .find((evt) => evt.labels.has('crypto.set_auth_data'));
+    if (!setAuthData) {
+        return [
+            {
+                event,
+                message: 'Encryption is not authenticated',
+            },
+        ];
+    }
+}
+function rule() {
+    return {
+        matcher,
+        where: (e) => e.labels.has('crypto.encrypt'),
+    };
+}
+exports.default = rule;

package/built/sampleConfig/default.yml CHANGED Viewed

@@ -1,26 +1,28 @@
 checks:
-  - rule: authzBeforeAuthn
-  # - rule: circularDependency
-  - rule: deserializationOfUntrustedData
-  - rule: execOfUntrustedCommand
-  - rule: http500
-  # - rule: illegalPackageDependency
-  # - rule: incompatibleHttpClientRequest
-  # - rule: insecureCompare
-  # - rule: jobNotCancelled
-  - rule: logoutWithoutSessionReset
-  # - rule: missingAuthentication
-  - rule: missingContentType
-  - rule: nPlusOneQuery
-  # - rule: queryFromInvalidPackage
-  # - rule: queryFromView
-  # - rule: rpcWithoutCircuitBreaker
-  # - rule: saveWithoutValidation
-  - rule: secretInLog
-  #  - rule: slowFunctionCall
-  #  - rule: slowHttpServerRequest
-  #  - rule: slowQuery
-  - rule: tooManyJoins
-  - rule: tooManyUpdates
-  # - rule: unbatchedMaterializedQuery
-  - rule: updateInGetRequest
+  - rule: authz-before-authn
+  # - rule: circular-dependency
+  - rule: deprecated-crypto-algorithm
+  - rule: deserialization-of-untrusted-data
+  - rule: exec-of-untrusted-command
+  - rule: http-500
+  # - rule: illegal-package-dependency
+  # - rule: incompatible-http-client-request
+  # - rule: insecure-compare
+  # - rule: job-not-cancelled
+  - rule: logout-without-session-reset
+  # - rule: missing-authentication
+  - rule: missing-content-type
+  - rule: n-plus-one-query
+  # - rule: query-from-invalid-package
+  # - rule: query-from-view
+  # - rule: rpc-without-circuit-breaker
+  # - rule: save-without-validation
+  - rule: secret-in-log
+  #  - rule: slow-function-call
+  #  - rule: slow-httpServer-request
+  #  - rule: slow-query
+  - rule: too-many-joins
+  - rule: too-many-updates
+  # - rule: unbatched-materialized-query
+  - rule: unauthenticated-encryption
+  - rule: update-in-get-request

package/doc/labels/crypto.decrypt.md ADDED Viewed

@@ -0,0 +1,7 @@
+---
+name: crypto.decrypt
+rules:
+  - deprecated-crypto-algorithm
+---
+A function that performs decryption.

package/doc/labels/crypto.digest.md ADDED Viewed

@@ -0,0 +1,7 @@
+---
+name: crypto.digest
+rules:
+  - deprecated-crypto-algorithm
+---
+A function that computes a cryptographic digest (or 'hash') of some data.

package/doc/labels/crypto.encrypt.md ADDED Viewed

@@ -0,0 +1,8 @@
+---
+name: crypto.encrypt
+rules:
+  - deprecated-crypto-algorithm
+  - unauthenticated-encryption
+---
+A function that performs encryption.

package/doc/labels/crypto.set_auth_data.md ADDED Viewed

@@ -0,0 +1,7 @@
+---
+name: crypto.set_auth_data
+rules:
+  - unauthenticated-encryption
+---
+A function that sets authenticated data for an encryption operation.

package/doc/rules/deprecated-crypto-algorithm.md ADDED Viewed

@@ -0,0 +1,15 @@
+---
+rule: deprecated-crypto-algorithm
+name: Deprecated crypto algorithm
+title: Deprecated cryptographic algorithm
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.decrypt
+  - crypto.digest
+scope: root
+---
+Ensure that cryptographic operations do not use deprecated algorithms.

package/doc/rules/unauthenticated-encryption.md ADDED Viewed

@@ -0,0 +1,42 @@
+---
+rule: unauthenticated-encryption
+name: Unauthenticated encryption
+title: Unauthenticated encryption
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.set_auth_data
+---
+Ensures that encryption operations use authenticated encryption.
+### Rule logic
+Finds all events labeled `crypto.encrypt`. For each of these events, there should be another event
+in the same AppMap that has the same `receiver.object_id` and also has the label
+`crypto.set_auth_data`.
+### Notes
+[OWASP recommends against the use of unauthenticated encryption](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/).
+### Resolution
+Change the encryption code to use a current authenticated encryption algorithm. At the time of this
+writing, an example is `aes-256-gcm`.
+Examples:
+- [`OpenSSL::Cipher#auth_data=` (Ruby)](https://ruby-doc.org/stdlib-3.1.1/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D)
+### Options
+None
+### Examples
+```yaml
+- rule: unauthenticated-encryption
+```

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.64.0",
+  "version": "1.67.0",
   "description": "",
   "bin": "built/cli.js",
   "files": [