@appland/scanner 1.65.0 → 1.66.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/CHANGELOG.md +13 -0
  2. package/built/rules/deprecated-crypto-algorithm/metadata.js +14 -0
  3. package/built/rules/deprecated-crypto-algorithm/rule.js +44 -0
  4. package/built/sampleConfig/default.yml +1 -0
  5. package/doc/labels/crypto.decrypt.md +7 -0
  6. package/doc/labels/crypto.digest.md +7 -0
  7. package/doc/labels/crypto.encrypt.md +1 -0
  8. package/doc/rules/deprecated-crypto-algorithm.md +15 -0
  9. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -1,3 +1,16 @@
1
+ # [@appland/scanner-v1.66.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.65.0...@appland/scanner-v1.66.0) (2022-08-08)
2
+
3
+
4
+ ### Bug Fixes
5
+
6
+ * Fix rule doc ([b99b6ae](https://github.com/applandinc/appmap-js/commit/b99b6aec90186bef312d04fb4f4c95f9b1ee62d5))
7
+
8
+
9
+ ### Features
10
+
11
+ * Add deprecated-crypto-algorithm to default rule set ([3034489](https://github.com/applandinc/appmap-js/commit/303448974a73637493a72bea7ab8cfb28ccc8b10))
12
+ * Detect deprecated crypto algorithm ([a17a537](https://github.com/applandinc/appmap-js/commit/a17a537334771a9f2cd64fa73c2396e517ff82ea))
13
+
1
14
  # [@appland/scanner-v1.65.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.64.0...@appland/scanner-v1.65.0) (2022-08-08)
2
15
 
3
16
 
package/built/rules/deprecated-crypto-algorithm/metadata.js ADDED
@@ -0,0 +1,14 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.labels = void 0;
4
+ exports.labels = ['crypto.encrypt', 'crypto.decrypt', 'crypto.digest'];
5
+ exports.default = {
6
+ title: 'Deprecated cryptographic algorithm',
7
+ scope: 'root',
8
+ enumerateScope: true,
9
+ impactDomain: 'Security',
10
+ references: {
11
+ 'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
12
+ },
13
+ labels: exports.labels,
14
+ };
package/built/rules/deprecated-crypto-algorithm/rule.js ADDED
@@ -0,0 +1,44 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.deprecatedAlgorithms = void 0;
4
+ const metadata_1 = require("./metadata");
5
+ exports.deprecatedAlgorithms = [
6
+ /\bcbc\b/i,
7
+ /\becb\b/i,
8
+ /\b3?des\b/i,
9
+ /\brc\d\b/i,
10
+ /\bmd\d\b/i,
11
+ /\bsha-?1\b/i,
12
+ ];
13
+ // Also:
14
+ // https://securitymusings.com/article/1587/algorithm-and-key-length-deprecation
15
+ // http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
16
+ // Password handling: As soon as you receive a password, hash it using scrypt or PBKDF2 and erase the plaintext password from memory.
17
+ // 1024-bit RSA or DSA
18
+ // 160-bit ECDSA (elliptic curves)
19
+ // 80/112-bit 2TDEA (two key triple DES)
20
+ // PKCS #1 v1.5
21
+ function matcher(event) {
22
+ if (!event.receiver)
23
+ return;
24
+ const receiverLabels = event.receiver.labels || [];
25
+ const deprecatedAlgorithm = receiverLabels
26
+ .filter((label) => label.startsWith('crypto.algorithm.'))
27
+ .map((label) => label.split('.').slice(2).join('.'))
28
+ .find((label) => exports.deprecatedAlgorithms.find((alg) => alg.test(label)));
29
+ if (deprecatedAlgorithm) {
30
+ return [
31
+ {
32
+ event,
33
+ message: `Deprecated crypto algorithm: ${deprecatedAlgorithm}`,
34
+ },
35
+ ];
36
+ }
37
+ }
38
+ function rule() {
39
+ return {
40
+ matcher,
41
+ where: (e) => !!metadata_1.labels.find((label) => e.labels.has(label)),
42
+ };
43
+ }
44
+ exports.default = rule;
package/built/sampleConfig/default.yml CHANGED
@@ -1,6 +1,7 @@
1
1
  checks:
2
2
  - rule: authz-before-authn
3
3
  # - rule: circular-dependency
4
+ - rule: deprecated-crypto-algorithm
4
5
  - rule: deserialization-of-untrusted-data
5
6
  - rule: exec-of-untrusted-command
6
7
  - rule: http-500
package/doc/labels/crypto.decrypt.md ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ name: crypto.decrypt
3
+ rules:
4
+ - deprecated-crypto-algorithm
5
+ ---
6
+
7
+ A function that performs decryption.
package/doc/labels/crypto.digest.md ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ name: crypto.digest
3
+ rules:
4
+ - deprecated-crypto-algorithm
5
+ ---
6
+
7
+ A function that computes a cryptographic digest (or 'hash') of some data.
package/doc/labels/crypto.encrypt.md CHANGED
@@ -1,6 +1,7 @@
1
1
  ---
2
2
  name: crypto.encrypt
3
3
  rules:
4
+ - deprecated-crypto-algorithm
4
5
  - unauthenticated-encryption
5
6
  ---
6
7
 
package/doc/rules/deprecated-crypto-algorithm.md ADDED
@@ -0,0 +1,15 @@
1
+ ---
2
+ rule: deprecated-crypto-algorithm
3
+ name: Deprecated crypto algorithm
4
+ title: Deprecated cryptographic algorithm
5
+ references:
6
+ A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
7
+ impactDomain: Security
8
+ labels:
9
+ - crypto.encrypt
10
+ - crypto.decrypt
11
+ - crypto.digest
12
+ scope: root
13
+ ---
14
+
15
+ Ensure that cryptographic operations do not use deprecated algorithms.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@appland/scanner",
3
- "version": "1.65.0",
3
+ "version": "1.66.0",
4
4
  "description": "",
5
5
  "bin": "built/cli.js",
6
6
  "files": [