@appland/scanner 1.70.2 → 1.70.4

package/CHANGELOG.md

@@ -1,3 +1,18 @@
+# [@appland/scanner-v1.70.4](https://github.com/getappmap/appmap-js/compare/@appland/scanner-v1.70.3...@appland/scanner-v1.70.4) (2022-09-27)
+
+
+### Bug Fixes
+
+* Add excludeTables option for too-many-joins ([ad8b97d](https://github.com/getappmap/appmap-js/commit/ad8b97d4ca47ea7a6a0c9fc31560a42351ba0b94))
+* Add missing JWT algorithm docs ([328f0a7](https://github.com/getappmap/appmap-js/commit/328f0a7e14e419a843c8deb4efd7b2cc56ddad8b))
+
+# [@appland/scanner-v1.70.3](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.70.2...@appland/scanner-v1.70.3) (2022-09-21)
+
+
+### Bug Fixes
+
+* Scan existing files in scan --watch ([3a3138d](https://github.com/applandinc/appmap-js/commit/3a3138d2018e0ff96eed68e1125eb99fc2cb98f1)), closes [#727](https://github.com/applandinc/appmap-js/issues/727)
+
 # [@appland/scanner-v1.70.2](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.70.1...@appland/scanner-v1.70.2) (2022-09-19)
 
 

package/built/algorithms/hash/hashV1.js

@@ -1,10 +1,50 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const models_1 = require("@appland/models");
+const sha256_1 = __importDefault(require("crypto-js/sha256"));
+const assert_1 = __importDefault(require("assert"));
 const crypto_1 = require("crypto");
+// BEGIN COMMENT
+// Moved here from packages/models, in order to retain backwards compatibility with Hash v1
+// as the Event algoritms hash and identityHash are updated.
+function qualifiedMethodId(event) {
+    const { definedClass, isStatic, methodId } = event;
+    (0, assert_1.default)(definedClass, 'Event.definedClass');
+    return `${definedClass}${isStatic ? '.' : '#'}${methodId}`;
+}
+// Returns a string suitable for durable identification of a call event
+// that's independent of parameters and return values.
+// For SQL queries, it's a JSON of abstract query AST.
+// For HTTP queries, it's the method plus normalized path info.
+// For function calls it's the qualified function id.
+// TODO: This can be removed/deprecated when the current hash algorithm is removed.
+function callEventToString(event) {
+    const { sqlQuery, route } = event;
+    if (sqlQuery)
+        return (0, models_1.abstractSqlAstJSON)(sqlQuery, event.sql.database_type);
+    if (route)
+        return route;
+    return qualifiedMethodId(event);
+}
+// Returns a short string (hash) suitable for durable identification
+// of a call event that's independent of parameters and return values.
+// For SQL queries, it considers the abstract query (ignoring differences in literal values).
+// For HTTP queries, it considers the method plus normalized path info.
+// For function calls it's the qualified function id.
+// Non-call events will throw an error.
+function hashEvent(event) {
+    if (event.event !== 'call')
+        throw new Error('tried to hash a non-call event');
+    return (0, sha256_1.default)(callEventToString(event)).toString();
+}
+// END COMMENT
 class HashV1 {
     constructor(ruleId, findingEvent, relatedEvents) {
         this.hash = (0, crypto_1.createHash)('sha256');
-        this.hash.update(findingEvent.hash);
+        this.hash.update(hashEvent(findingEvent));
         this.hash.update(ruleId);
         // Admittedly odd, this implementation matches the original hash algorithm.
         const uniqueEvents = new Set();
@@ -18,7 +58,7 @@ class HashV1 {
         });
         // This part where the hashes go into a Set, and there is some kind of ordering as a side-
         // effect, is particularly weird.
-        new Set(hashEvents.map((e) => e.hash)).forEach((eventHash) => {
+        new Set(hashEvents.map((e) => hashEvent(e))).forEach((eventHash) => {
             this.hash.update(eventHash);
         });
     }

package/built/cli/scan/watchScan.js

@@ -61,7 +61,7 @@ class Watcher {
             // Chokidar struggles with relative paths. Make sure the watch pattern is absolute.
             const watchPattern = path_1.default.resolve(this.options.appmapDir, '**', 'mtime');
             this.appmapWatcher = chokidar.watch(watchPattern, {
-                ignoreInitial: true,
+                ignoreInitial: false,
             });
             this.appmapWatcher
                 .on('add', (filePath) => this.scan(filePath))

package/built/configuration/schema/options.json

@@ -173,12 +173,18 @@
         },
         "TooManyJoins.Options": {
             "type": "object",
-            "additionalProperties": false,
             "properties": {
                 "warningLimit": {
                     "type": "number"
+                },
+                "excludeTables": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "https://appland.com/schemas/scanner/match-pattern-config.json"
+                    }
                 }
-            }
+            },
+            "additionalProperties": false
         },
         "TooManyUpdates.Options": {
             "type": "object",

package/built/rules/jwtAlgorithmNone.js

@@ -3,7 +3,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.Labels = void 0;
 const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+const url_1 = require("url");
+var Labels;
+(function (Labels) {
+    Labels["JwtEncode"] = "jwt.encode";
+})(Labels = exports.Labels || (exports.Labels = {}));
 function getHeader(jwt) {
     try {
         const [header] = jwt.split('.');
@@ -28,7 +34,7 @@ class JwtAlgoritmNoneLogic {
         return matches;
     }
     where(event) {
-        return event.labels.has('jwt.encode');
+        return event.labels.has(Labels.JwtEncode);
     }
 }
 class JwtAlgoritmNone {
@@ -39,6 +45,12 @@ class JwtAlgoritmNone {
         this.enumerateScope = true;
         this.description = (0, parseRuleDescription_1.default)('jwtAlgorithmNone');
         this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-algorithm-none';
+        this.labels = [Labels.JwtEncode];
+        this.references = {
+            'CWE-345': new url_1.URL('https://cwe.mitre.org/data/definitions/345.html'),
+            'A02:2021': new url_1.URL('https://owasp.org/Top10/A02_2021-Cryptographic_Failures'),
+            'RFC 7519': new url_1.URL('https://www.rfc-editor.org/rfc/rfc7519'),
+        };
     }
     build() {
         return new JwtAlgoritmNoneLogic();

package/built/rules/jwtUnverifiedSignature.js

@@ -76,6 +76,12 @@ class JwtUnverifiedSignature {
         this.enumerateScope = true;
         this.description = (0, parseRuleDescription_1.default)('jwtUnverifiedSignature');
         this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-unverified-signature';
+        this.labels = [Labels.JwtDecode, Labels.SignatureVerify];
+        this.references = {
+            'CWE-345': new URL('https://cwe.mitre.org/data/definitions/345.html'),
+            'A02:2021': new URL('https://owasp.org/Top10/A02_2021-Cryptographic_Failures'),
+            'RFC 7519': new URL('https://www.rfc-editor.org/rfc/rfc7519'),
+        };
     }
     build() {
         return new JwtUnverifiedSignatureLogic();

package/built/rules/too-many-joins/options.js

@@ -5,7 +5,7 @@ class Options {
         this.warningLimit = 5;
         this.excludeTables = [
             { match: /^pg_/, ignoreCase: false },
-            { match: /^information_schema$/, ignoreCase: true },
+            { equal: 'information_schema', ignoreCase: false },
         ];
     }
 }

package/doc/labels/jwt.decode.md

@@ -0,0 +1,7 @@
+---
+name: jwt.decode
+rules:
+  - jwt-unverified-signature
+---
+
+Performs decoding of a JWT token.

package/doc/labels/jwt.encode.md

@@ -0,0 +1,7 @@
+---
+name: jwt.encode
+rules:
+  - jwt-algorithm-none
+---
+
+Performs encoding of a JWT token.

package/doc/labels/jwt.signature.verify.md

@@ -0,0 +1,7 @@
+---
+name: jwt.signature.verify
+rules:
+  - jwt-unverified-signature
+---
+
+Verifies the signature on a JWT token to ensure that it's authentic.

package/doc/rules/jwt-algorithm-none.md

@@ -2,7 +2,13 @@
 rule: jwt-algorithm-none
 name: Jwt algorithm none
 title: JWT 'none' algorithm
+references:
+  CWE-345: https://cwe.mitre.org/data/definitions/345.html
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+  RFC 7519: https://www.rfc-editor.org/rfc/rfc7519
 impactDomain: Security
+labels:
+  - jwt.encode
 ---
 
 Finds usage of unsecured JWTs which use the `none` algorithm. When declaring this algorithm, there

package/doc/rules/jwt-unverified-signature.md

@@ -2,7 +2,14 @@
 rule: jwt-unverified-signature
 name: Jwt unverified signature
 title: Unverified signature
+references:
+  CWE-345: https://cwe.mitre.org/data/definitions/345.html
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+  RFC 7519: https://www.rfc-editor.org/rfc/rfc7519
 impactDomain: Security
+labels:
+  - jwt.decode
+  - jwt.signature.verify
 ---
 
 Finds cases where a JWT is decoded but the signature is never verified. Without proper signature

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.70.2",
+  "version": "1.70.4",
   "description": "",
   "bin": "built/cli.js",
   "files": [
@@ -26,6 +26,7 @@
     "@semantic-release/changelog": "^6.0.1",
     "@semantic-release/git": "^10.0.1",
     "@types/async": "^3.2.12",
+    "@types/crypto-js": "^4.1.1",
     "@types/fs-extra": "^9.0.13",
     "@types/glob": "^7.2.0",
     "@types/jest": "^27.4.1",
@@ -69,6 +70,7 @@
     "chokidar": "applandinc/chokidar#fix/new-file-new-directory-race-on-linux",
     "cli-progress": "^3.11.0",
     "conf": "^10.0.2",
+    "crypto-js": "^4.0.0",
     "form-data": "^4.0.0",
     "glob": "7.2.3",
     "inquirer": "^8.1.2",