@appland/scanner 1.70.3 → 1.70.5

package/CHANGELOG.md

@@ -1,3 +1,19 @@
+# [@appland/scanner-v1.70.5](https://github.com/getappmap/appmap-js/compare/@appland/scanner-v1.70.4...@appland/scanner-v1.70.5) (2022-09-27)
+
+
+### Bug Fixes
+
+* Ignore node_modules and .git when watching files ([a53e2a8](https://github.com/getappmap/appmap-js/commit/a53e2a8c0de25e0e7ae7c0515763a9f46d3bc307))
+* More reliable AppMap change detection when scanning ([94a454b](https://github.com/getappmap/appmap-js/commit/94a454b14c3bea4c1c5e0cd81d75e7d919bc8e85))
+
+# [@appland/scanner-v1.70.4](https://github.com/getappmap/appmap-js/compare/@appland/scanner-v1.70.3...@appland/scanner-v1.70.4) (2022-09-27)
+
+
+### Bug Fixes
+
+* Add excludeTables option for too-many-joins ([ad8b97d](https://github.com/getappmap/appmap-js/commit/ad8b97d4ca47ea7a6a0c9fc31560a42351ba0b94))
+* Add missing JWT algorithm docs ([328f0a7](https://github.com/getappmap/appmap-js/commit/328f0a7e14e419a843c8deb4efd7b2cc56ddad8b))
+
 # [@appland/scanner-v1.70.3](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.70.2...@appland/scanner-v1.70.3) (2022-09-21)
 
 

package/built/algorithms/hash/hashV1.js

@@ -1,10 +1,50 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+const models_1 = require("@appland/models");
+const sha256_1 = __importDefault(require("crypto-js/sha256"));
+const assert_1 = __importDefault(require("assert"));
 const crypto_1 = require("crypto");
+// BEGIN COMMENT
+// Moved here from packages/models, in order to retain backwards compatibility with Hash v1
+// as the Event algoritms hash and identityHash are updated.
+function qualifiedMethodId(event) {
+    const { definedClass, isStatic, methodId } = event;
+    (0, assert_1.default)(definedClass, 'Event.definedClass');
+    return `${definedClass}${isStatic ? '.' : '#'}${methodId}`;
+}
+// Returns a string suitable for durable identification of a call event
+// that's independent of parameters and return values.
+// For SQL queries, it's a JSON of abstract query AST.
+// For HTTP queries, it's the method plus normalized path info.
+// For function calls it's the qualified function id.
+// TODO: This can be removed/deprecated when the current hash algorithm is removed.
+function callEventToString(event) {
+    const { sqlQuery, route } = event;
+    if (sqlQuery)
+        return (0, models_1.abstractSqlAstJSON)(sqlQuery, event.sql.database_type);
+    if (route)
+        return route;
+    return qualifiedMethodId(event);
+}
+// Returns a short string (hash) suitable for durable identification
+// of a call event that's independent of parameters and return values.
+// For SQL queries, it considers the abstract query (ignoring differences in literal values).
+// For HTTP queries, it considers the method plus normalized path info.
+// For function calls it's the qualified function id.
+// Non-call events will throw an error.
+function hashEvent(event) {
+    if (event.event !== 'call')
+        throw new Error('tried to hash a non-call event');
+    return (0, sha256_1.default)(callEventToString(event)).toString();
+}
+// END COMMENT
 class HashV1 {
     constructor(ruleId, findingEvent, relatedEvents) {
         this.hash = (0, crypto_1.createHash)('sha256');
-        this.hash.update(findingEvent.hash);
+        this.hash.update(hashEvent(findingEvent));
         this.hash.update(ruleId);
         // Admittedly odd, this implementation matches the original hash algorithm.
         const uniqueEvents = new Set();
@@ -18,7 +58,7 @@ class HashV1 {
         });
         // This part where the hashes go into a Set, and there is some kind of ordering as a side-
         // effect, is particularly weird.
-        new Set(hashEvents.map((e) => e.hash)).forEach((eventHash) => {
+        new Set(hashEvents.map((e) => hashEvent(e))).forEach((eventHash) => {
             this.hash.update(eventHash);
         });
     }

package/built/cli/scan/watchScan.js

@@ -61,21 +61,31 @@ class Watcher {
             // Chokidar struggles with relative paths. Make sure the watch pattern is absolute.
             const watchPattern = path_1.default.resolve(this.options.appmapDir, '**', 'mtime');
             this.appmapWatcher = chokidar.watch(watchPattern, {
+                ignoreInitial: true,
+                ignored: ['**/node_modules/**', '**/.git/**'],
+            });
+            this.appmapPoller = chokidar.watch(watchPattern, {
                 ignoreInitial: false,
+                ignored: ['**/node_modules/**', '**/.git/**'],
+                usePolling: true,
+                interval: 1000,
+                persistent: false,
             });
-            this.appmapWatcher
-                .on('add', (filePath) => this.scan(filePath))
-                .on('change', (filePath) => this.scan(filePath));
+            for (const ch of [this.appmapWatcher, this.appmapPoller]) {
+                ch.on('add', (filePath) => this.scan(filePath));
+                ch.on('change', (filePath) => this.scan(filePath));
+            }
         });
     }
     close() {
-        if (!this.appmapWatcher)
-            return;
-        (0, assert_1.default)(this.configWatcher, `configWatcher should always be defined if appmapWatcher is defined`);
-        this.appmapWatcher.close();
-        this.configWatcher.close();
-        this.appmapWatcher = undefined;
-        this.configWatcher = undefined;
+        return __awaiter(this, void 0, void 0, function* () {
+            yield Promise.all(['appmapWatcher', 'appmapPoller', 'configWatcher'].map((k) => {
+                var _a;
+                const closer = (_a = this[k]) === null || _a === void 0 ? void 0 : _a.close();
+                this[k] = undefined;
+                return closer;
+            }));
+        });
     }
     scan(fileName) {
         return __awaiter(this, void 0, void 0, function* () {

package/built/configuration/schema/options.json

@@ -173,12 +173,18 @@
         },
         "TooManyJoins.Options": {
             "type": "object",
-            "additionalProperties": false,
             "properties": {
                 "warningLimit": {
                     "type": "number"
+                },
+                "excludeTables": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "https://appland.com/schemas/scanner/match-pattern-config.json"
+                    }
                 }
-            }
+            },
+            "additionalProperties": false
         },
         "TooManyUpdates.Options": {
             "type": "object",

package/built/rules/jwtAlgorithmNone.js

@@ -3,7 +3,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.Labels = void 0;
 const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+const url_1 = require("url");
+var Labels;
+(function (Labels) {
+    Labels["JwtEncode"] = "jwt.encode";
+})(Labels = exports.Labels || (exports.Labels = {}));
 function getHeader(jwt) {
     try {
         const [header] = jwt.split('.');
@@ -28,7 +34,7 @@ class JwtAlgoritmNoneLogic {
         return matches;
     }
     where(event) {
-        return event.labels.has('jwt.encode');
+        return event.labels.has(Labels.JwtEncode);
     }
 }
 class JwtAlgoritmNone {
@@ -39,6 +45,12 @@ class JwtAlgoritmNone {
         this.enumerateScope = true;
         this.description = (0, parseRuleDescription_1.default)('jwtAlgorithmNone');
         this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-algorithm-none';
+        this.labels = [Labels.JwtEncode];
+        this.references = {
+            'CWE-345': new url_1.URL('https://cwe.mitre.org/data/definitions/345.html'),
+            'A02:2021': new url_1.URL('https://owasp.org/Top10/A02_2021-Cryptographic_Failures'),
+            'RFC 7519': new url_1.URL('https://www.rfc-editor.org/rfc/rfc7519'),
+        };
     }
     build() {
         return new JwtAlgoritmNoneLogic();

package/built/rules/jwtUnverifiedSignature.js

@@ -76,6 +76,12 @@ class JwtUnverifiedSignature {
         this.enumerateScope = true;
         this.description = (0, parseRuleDescription_1.default)('jwtUnverifiedSignature');
         this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-unverified-signature';
+        this.labels = [Labels.JwtDecode, Labels.SignatureVerify];
+        this.references = {
+            'CWE-345': new URL('https://cwe.mitre.org/data/definitions/345.html'),
+            'A02:2021': new URL('https://owasp.org/Top10/A02_2021-Cryptographic_Failures'),
+            'RFC 7519': new URL('https://www.rfc-editor.org/rfc/rfc7519'),
+        };
     }
     build() {
         return new JwtUnverifiedSignatureLogic();

package/built/rules/too-many-joins/options.js

@@ -5,7 +5,7 @@ class Options {
         this.warningLimit = 5;
         this.excludeTables = [
             { match: /^pg_/, ignoreCase: false },
-            { match: /^information_schema$/, ignoreCase: true },
+            { equal: 'information_schema', ignoreCase: false },
         ];
     }
 }

package/doc/labels/jwt.decode.md

@@ -0,0 +1,7 @@
+---
+name: jwt.decode
+rules:
+  - jwt-unverified-signature
+---
+
+Performs decoding of a JWT token.

package/doc/labels/jwt.encode.md

@@ -0,0 +1,7 @@
+---
+name: jwt.encode
+rules:
+  - jwt-algorithm-none
+---
+
+Performs encoding of a JWT token.

package/doc/labels/jwt.signature.verify.md

@@ -0,0 +1,7 @@
+---
+name: jwt.signature.verify
+rules:
+  - jwt-unverified-signature
+---
+
+Verifies the signature on a JWT token to ensure that it's authentic.

package/doc/rules/jwt-algorithm-none.md

@@ -2,7 +2,13 @@
 rule: jwt-algorithm-none
 name: Jwt algorithm none
 title: JWT 'none' algorithm
+references:
+  CWE-345: https://cwe.mitre.org/data/definitions/345.html
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+  RFC 7519: https://www.rfc-editor.org/rfc/rfc7519
 impactDomain: Security
+labels:
+  - jwt.encode
 ---
 
 Finds usage of unsecured JWTs which use the `none` algorithm. When declaring this algorithm, there

package/doc/rules/jwt-unverified-signature.md

@@ -2,7 +2,14 @@
 rule: jwt-unverified-signature
 name: Jwt unverified signature
 title: Unverified signature
+references:
+  CWE-345: https://cwe.mitre.org/data/definitions/345.html
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+  RFC 7519: https://www.rfc-editor.org/rfc/rfc7519
 impactDomain: Security
+labels:
+  - jwt.decode
+  - jwt.signature.verify
 ---
 
 Finds cases where a JWT is decoded but the signature is never verified. Without proper signature

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.70.3",
+  "version": "1.70.5",
   "description": "",
   "bin": "built/cli.js",
   "files": [
@@ -26,6 +26,7 @@
     "@semantic-release/changelog": "^6.0.1",
     "@semantic-release/git": "^10.0.1",
     "@types/async": "^3.2.12",
+    "@types/crypto-js": "^4.1.1",
     "@types/fs-extra": "^9.0.13",
     "@types/glob": "^7.2.0",
     "@types/jest": "^27.4.1",
@@ -69,6 +70,7 @@
     "chokidar": "applandinc/chokidar#fix/new-file-new-directory-race-on-linux",
     "cli-progress": "^3.11.0",
     "conf": "^10.0.2",
+    "crypto-js": "^4.0.0",
     "form-data": "^4.0.0",
     "glob": "7.2.3",
     "inquirer": "^8.1.2",