@vigolium/piolium 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +117 -0
- package/agents/access-auditor.md +300 -0
- package/agents/assumption-breaker.md +154 -0
- package/agents/attack-designer.md +116 -0
- package/agents/code-scanner.md +139 -0
- package/agents/concurrency-auditor.md +238 -0
- package/agents/confirm-writer.md +257 -0
- package/agents/context-reviewer.md +274 -0
- package/agents/cross-verifier.md +165 -0
- package/agents/cve-scout.md +381 -0
- package/agents/env-builder.md +282 -0
- package/agents/env-profiler.md +205 -0
- package/agents/evidence-collector.md +140 -0
- package/agents/finding-grader.md +142 -0
- package/agents/finding-writer.md +148 -0
- package/agents/flow-tracer.md +106 -0
- package/agents/goal-backtracer.md +146 -0
- package/agents/history-miner.md +467 -0
- package/agents/independent-verifier.md +118 -0
- package/agents/intent-mapper.md +183 -0
- package/agents/longshot-collector.md +128 -0
- package/agents/longshot-prober.md +126 -0
- package/agents/patch-auditor.md +73 -0
- package/agents/poc-author.md +124 -0
- package/agents/poc-runner.md +194 -0
- package/agents/probe-lead.md +269 -0
- package/agents/red-challenger.md +101 -0
- package/agents/report-composer.md +208 -0
- package/agents/review-adjudicator.md +216 -0
- package/agents/spec-auditor.md +155 -0
- package/agents/taint-tracer.md +265 -0
- package/agents/test-locator.md +209 -0
- package/agents/threat-modeler.md +132 -0
- package/agents/variant-scanner.md +108 -0
- package/agents/variant-spotter.md +110 -0
- package/bin/piolium.mjs +376 -0
- package/extensions/piolium/_vendor/yaml.bundle.d.mts +6 -0
- package/extensions/piolium/_vendor/yaml.bundle.mjs +139 -0
- package/extensions/piolium/agent-runner.ts +322 -0
- package/extensions/piolium/agents.ts +266 -0
- package/extensions/piolium/audit-state.ts +522 -0
- package/extensions/piolium/bundled-resources.ts +97 -0
- package/extensions/piolium/candidate-scan.ts +966 -0
- package/extensions/piolium/command-target.ts +177 -0
- package/extensions/piolium/console-stream.ts +57 -0
- package/extensions/piolium/export-results.ts +380 -0
- package/extensions/piolium/findings.ts +448 -0
- package/extensions/piolium/heartbeat.ts +182 -0
- package/extensions/piolium/help.ts +234 -0
- package/extensions/piolium/index.ts +1865 -0
- package/extensions/piolium/longshot.ts +530 -0
- package/extensions/piolium/matcher-suggestions.ts +196 -0
- package/extensions/piolium/matcher-utils.ts +83 -0
- package/extensions/piolium/modes/balanced.ts +750 -0
- package/extensions/piolium/modes/confirm-bootstrap.ts +186 -0
- package/extensions/piolium/modes/confirm.ts +697 -0
- package/extensions/piolium/modes/deep.ts +917 -0
- package/extensions/piolium/modes/diff.ts +177 -0
- package/extensions/piolium/modes/lite.ts +540 -0
- package/extensions/piolium/modes/longshot.ts +595 -0
- package/extensions/piolium/modes/merge.ts +204 -0
- package/extensions/piolium/modes/phase-runner.ts +267 -0
- package/extensions/piolium/modes/reinvest.ts +546 -0
- package/extensions/piolium/modes/revisit.ts +279 -0
- package/extensions/piolium/modes.ts +48 -0
- package/extensions/piolium/phase-labels.ts +123 -0
- package/extensions/piolium/phase-status-strip.ts +92 -0
- package/extensions/piolium/prompt-prefix-editor.ts +39 -0
- package/extensions/piolium/providers/anthropic-vertex.ts +836 -0
- package/extensions/piolium/recon.ts +409 -0
- package/extensions/piolium/result-stats.ts +105 -0
- package/extensions/piolium/retry.ts +120 -0
- package/extensions/piolium/scheduler.ts +212 -0
- package/extensions/piolium/secrets.ts +368 -0
- package/extensions/piolium/tools/web-tools.ts +148 -0
- package/package.json +77 -0
- package/skills/agentic-actions-auditor/SKILL.md +327 -0
- package/skills/agentic-actions-auditor/references/action-profiles.md +186 -0
- package/skills/agentic-actions-auditor/references/cross-file-resolution.md +209 -0
- package/skills/agentic-actions-auditor/references/foundations.md +94 -0
- package/skills/agentic-actions-auditor/references/vector-a-env-var-intermediary.md +77 -0
- package/skills/agentic-actions-auditor/references/vector-b-direct-expression-injection.md +83 -0
- package/skills/agentic-actions-auditor/references/vector-c-cli-data-fetch.md +83 -0
- package/skills/agentic-actions-auditor/references/vector-d-pr-target-checkout.md +88 -0
- package/skills/agentic-actions-auditor/references/vector-e-error-log-injection.md +88 -0
- package/skills/agentic-actions-auditor/references/vector-f-subshell-expansion.md +82 -0
- package/skills/agentic-actions-auditor/references/vector-g-eval-of-ai-output.md +91 -0
- package/skills/agentic-actions-auditor/references/vector-h-dangerous-sandbox-configs.md +102 -0
- package/skills/agentic-actions-auditor/references/vector-i-wildcard-allowlists.md +88 -0
- package/skills/audit/SKILL.md +562 -0
- package/skills/audit/assets/icon.svg +7 -0
- package/skills/audit/hooks/scripts/validate_phase_output.py +550 -0
- package/skills/audit/references/adversarial-review.md +148 -0
- package/skills/audit/references/architecture-aware-sast.md +306 -0
- package/skills/audit/references/audit-workflow.md +737 -0
- package/skills/audit/references/chamber-protocol.md +384 -0
- package/skills/audit/references/creative-attack-modes.md +221 -0
- package/skills/audit/references/deep-analysis.md +273 -0
- package/skills/audit/references/domain-attack-playbooks.md +1129 -0
- package/skills/audit/references/knowledge-base-template.md +513 -0
- package/skills/audit/references/real-env-validation.md +191 -0
- package/skills/audit/references/report-templates.md +417 -0
- package/skills/audit/references/triage-and-prereqs.md +134 -0
- package/skills/audit/scripts/consolidate_drafts.py +554 -0
- package/skills/audit/scripts/partition_findings.py +152 -0
- package/skills/audit/scripts/rg-hotspots.sh +121 -0
- package/skills/audit/scripts/stamp_file_state.py +349 -0
- package/skills/code-reviewer/SKILL.md +65 -0
- package/skills/codeql/SKILL.md +281 -0
- package/skills/codeql/references/build-fixes.md +90 -0
- package/skills/codeql/references/diagnostic-query-templates.md +339 -0
- package/skills/codeql/references/extension-yaml-format.md +209 -0
- package/skills/codeql/references/important-only-suite.md +153 -0
- package/skills/codeql/references/language-details.md +207 -0
- package/skills/codeql/references/macos-arm64e-workaround.md +179 -0
- package/skills/codeql/references/performance-tuning.md +111 -0
- package/skills/codeql/references/quality-assessment.md +172 -0
- package/skills/codeql/references/ruleset-catalog.md +63 -0
- package/skills/codeql/references/run-all-suite.md +92 -0
- package/skills/codeql/references/sarif-processing.md +79 -0
- package/skills/codeql/references/threat-models.md +51 -0
- package/skills/codeql/workflows/build-database.md +280 -0
- package/skills/codeql/workflows/create-data-extensions.md +261 -0
- package/skills/codeql/workflows/run-analysis.md +301 -0
- package/skills/differential-review/SKILL.md +220 -0
- package/skills/differential-review/adversarial.md +203 -0
- package/skills/differential-review/methodology.md +234 -0
- package/skills/differential-review/patterns.md +300 -0
- package/skills/differential-review/reporting.md +369 -0
- package/skills/fp-check/SKILL.md +125 -0
- package/skills/fp-check/references/bug-class-verification.md +114 -0
- package/skills/fp-check/references/deep-verification.md +143 -0
- package/skills/fp-check/references/evidence-templates.md +91 -0
- package/skills/fp-check/references/false-positive-patterns.md +115 -0
- package/skills/fp-check/references/gate-reviews.md +27 -0
- package/skills/fp-check/references/standard-verification.md +78 -0
- package/skills/insecure-defaults/SKILL.md +117 -0
- package/skills/insecure-defaults/references/examples.md +409 -0
- package/skills/last30days/SKILL.md +444 -0
- package/skills/sarif-parsing/SKILL.md +483 -0
- package/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills/security-threat-model/LICENSE.txt +201 -0
- package/skills/security-threat-model/SKILL.md +81 -0
- package/skills/security-threat-model/agents/openai.yaml +4 -0
- package/skills/security-threat-model/references/prompt-template.md +255 -0
- package/skills/security-threat-model/references/security-controls-and-assets.md +32 -0
- package/skills/semgrep/SKILL.md +212 -0
- package/skills/semgrep/references/rulesets.md +162 -0
- package/skills/semgrep/references/scan-modes.md +110 -0
- package/skills/semgrep/references/scanner-task-prompt.md +140 -0
- package/skills/semgrep/scripts/merge_sarif.py +203 -0
- package/skills/semgrep/workflows/scan-workflow.md +311 -0
- package/skills/semgrep-rule-creator/SKILL.md +168 -0
- package/skills/semgrep-rule-creator/references/quick-reference.md +202 -0
- package/skills/semgrep-rule-creator/references/workflow.md +240 -0
- package/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
- package/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
- package/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
- package/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
- package/skills/sharp-edges/SKILL.md +292 -0
- package/skills/sharp-edges/references/auth-patterns.md +252 -0
- package/skills/sharp-edges/references/case-studies.md +274 -0
- package/skills/sharp-edges/references/config-patterns.md +333 -0
- package/skills/sharp-edges/references/crypto-apis.md +190 -0
- package/skills/sharp-edges/references/lang-c.md +205 -0
- package/skills/sharp-edges/references/lang-csharp.md +285 -0
- package/skills/sharp-edges/references/lang-go.md +270 -0
- package/skills/sharp-edges/references/lang-java.md +263 -0
- package/skills/sharp-edges/references/lang-javascript.md +269 -0
- package/skills/sharp-edges/references/lang-kotlin.md +265 -0
- package/skills/sharp-edges/references/lang-php.md +245 -0
- package/skills/sharp-edges/references/lang-python.md +274 -0
- package/skills/sharp-edges/references/lang-ruby.md +273 -0
- package/skills/sharp-edges/references/lang-rust.md +272 -0
- package/skills/sharp-edges/references/lang-swift.md +287 -0
- package/skills/sharp-edges/references/language-specific.md +588 -0
- package/skills/spec-to-code-compliance/SKILL.md +357 -0
- package/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
- package/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
- package/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
- package/skills/supply-chain-risk-auditor/SKILL.md +67 -0
- package/skills/supply-chain-risk-auditor/resources/results-template.md +41 -0
- package/skills/variant-analysis/METHODOLOGY.md +327 -0
- package/skills/variant-analysis/SKILL.md +142 -0
- package/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
- package/skills/variant-analysis/resources/codeql/go.ql +69 -0
- package/skills/variant-analysis/resources/codeql/java.ql +71 -0
- package/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
- package/skills/variant-analysis/resources/codeql/python.ql +80 -0
- package/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
- package/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
- package/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
- package/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
- package/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
- package/skills/variant-analysis/resources/variant-report-template.md +75 -0
- package/skills/vuln-report/SKILL.md +137 -0
- package/skills/vuln-report/agents/openai.yaml +4 -0
- package/skills/vuln-report/references/report-template.md +135 -0
- package/skills/wooyun-legacy/SKILL.md +367 -0
- package/skills/wooyun-legacy/references/bank-penetration.md +222 -0
- package/skills/wooyun-legacy/references/checklists/command-execution-checklist.md +119 -0
- package/skills/wooyun-legacy/references/checklists/csrf-checklist.md +74 -0
- package/skills/wooyun-legacy/references/checklists/file-upload-checklist.md +108 -0
- package/skills/wooyun-legacy/references/checklists/info-disclosure-checklist.md +114 -0
- package/skills/wooyun-legacy/references/checklists/logic-flaws-checklist.md +95 -0
- package/skills/wooyun-legacy/references/checklists/misconfig-checklist.md +124 -0
- package/skills/wooyun-legacy/references/checklists/path-traversal-checklist.md +87 -0
- package/skills/wooyun-legacy/references/checklists/rce-checklist.md +93 -0
- package/skills/wooyun-legacy/references/checklists/sql-injection-checklist.md +97 -0
- package/skills/wooyun-legacy/references/checklists/ssrf-checklist.md +99 -0
- package/skills/wooyun-legacy/references/checklists/unauthorized-access-checklist.md +89 -0
- package/skills/wooyun-legacy/references/checklists/weak-password-checklist.md +115 -0
- package/skills/wooyun-legacy/references/checklists/xss-checklist.md +103 -0
- package/skills/wooyun-legacy/references/checklists/xxe-checklist.md +130 -0
- package/skills/wooyun-legacy/references/info-disclosure.md +975 -0
- package/skills/wooyun-legacy/references/logic-flaws.md +721 -0
- package/skills/wooyun-legacy/references/path-traversal.md +1191 -0
- package/skills/wooyun-legacy/references/telecom-penetration.md +156 -0
- package/skills/wooyun-legacy/references/unauthorized-access.md +980 -0
- package/skills/wooyun-legacy/references/xss.md +746 -0
- package/skills/zeroize-audit/SKILL.md +371 -0
- package/skills/zeroize-audit/configs/c.yaml +21 -0
- package/skills/zeroize-audit/configs/default.yaml +128 -0
- package/skills/zeroize-audit/configs/rust.yaml +83 -0
- package/skills/zeroize-audit/prompts/report_template.md +238 -0
- package/skills/zeroize-audit/prompts/system.md +163 -0
- package/skills/zeroize-audit/prompts/task.md +97 -0
- package/skills/zeroize-audit/references/compile-commands.md +231 -0
- package/skills/zeroize-audit/references/detection-strategy.md +191 -0
- package/skills/zeroize-audit/references/ir-analysis.md +252 -0
- package/skills/zeroize-audit/references/mcp-analysis.md +221 -0
- package/skills/zeroize-audit/references/poc-generation.md +470 -0
- package/skills/zeroize-audit/references/rust-zeroization-patterns.md +867 -0
- package/skills/zeroize-audit/schemas/input.json +83 -0
- package/skills/zeroize-audit/schemas/output.json +140 -0
- package/skills/zeroize-audit/tools/analyze_asm.sh +202 -0
- package/skills/zeroize-audit/tools/analyze_cfg.py +381 -0
- package/skills/zeroize-audit/tools/analyze_heap.sh +211 -0
- package/skills/zeroize-audit/tools/analyze_ir_semantic.py +429 -0
- package/skills/zeroize-audit/tools/diff_ir.sh +135 -0
- package/skills/zeroize-audit/tools/diff_rust_mir.sh +189 -0
- package/skills/zeroize-audit/tools/emit_asm.sh +67 -0
- package/skills/zeroize-audit/tools/emit_ir.sh +77 -0
- package/skills/zeroize-audit/tools/emit_rust_asm.sh +178 -0
- package/skills/zeroize-audit/tools/emit_rust_ir.sh +150 -0
- package/skills/zeroize-audit/tools/emit_rust_mir.sh +158 -0
- package/skills/zeroize-audit/tools/extract_compile_flags.py +284 -0
- package/skills/zeroize-audit/tools/generate_poc.py +1329 -0
- package/skills/zeroize-audit/tools/mcp/apply_confidence_gates.py +113 -0
- package/skills/zeroize-audit/tools/mcp/check_mcp.sh +68 -0
- package/skills/zeroize-audit/tools/mcp/normalize_mcp_evidence.py +125 -0
- package/skills/zeroize-audit/tools/scripts/check_llvm_patterns.py +481 -0
- package/skills/zeroize-audit/tools/scripts/check_mir_patterns.py +554 -0
- package/skills/zeroize-audit/tools/scripts/check_rust_asm.py +424 -0
- package/skills/zeroize-audit/tools/scripts/check_rust_asm_aarch64.py +300 -0
- package/skills/zeroize-audit/tools/scripts/check_rust_asm_x86.py +283 -0
- package/skills/zeroize-audit/tools/scripts/find_dangerous_apis.py +375 -0
- package/skills/zeroize-audit/tools/scripts/semantic_audit.py +923 -0
- package/skills/zeroize-audit/tools/track_dataflow.sh +196 -0
- package/skills/zeroize-audit/tools/validate_rust_toolchain.sh +298 -0
- package/skills/zeroize-audit/workflows/phase-0-preflight.md +150 -0
- package/skills/zeroize-audit/workflows/phase-1-source-analysis.md +144 -0
- package/skills/zeroize-audit/workflows/phase-2-compiler-analysis.md +139 -0
- package/skills/zeroize-audit/workflows/phase-3-interim-report.md +46 -0
- package/skills/zeroize-audit/workflows/phase-4-poc-generation.md +46 -0
- package/skills/zeroize-audit/workflows/phase-5-poc-validation.md +136 -0
- package/skills/zeroize-audit/workflows/phase-6-final-report.md +44 -0
- package/skills/zeroize-audit/workflows/phase-7-test-generation.md +42 -0
- package/themes/piolium-srcery.json +94 -0
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @name [VARIANT_NAME]
|
|
3
|
+
* @description Find variants of [ORIGINAL_BUG_ID]
|
|
4
|
+
* @kind path-problem
|
|
5
|
+
* @problem.severity error
|
|
6
|
+
* @tags security variant-analysis
|
|
7
|
+
*/
|
|
8
|
+
|
|
9
|
+
import java
|
|
10
|
+
import semmle.code.java.dataflow.TaintTracking
|
|
11
|
+
import semmle.code.java.dataflow.FlowSources
|
|
12
|
+
import DataFlow::PathGraph
|
|
13
|
+
|
|
14
|
+
module VariantConfig implements DataFlow::ConfigSig {
|
|
15
|
+
predicate isSource(DataFlow::Node source) {
|
|
16
|
+
// HttpServletRequest.getParameter/getHeader
|
|
17
|
+
exists(MethodAccess ma |
|
|
18
|
+
ma.getMethod().getName() in ["getParameter", "getHeader", "getCookies", "getQueryString"] and
|
|
19
|
+
ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("javax.servlet", "ServletRequest") and
|
|
20
|
+
source.asExpr() = ma
|
|
21
|
+
)
|
|
22
|
+
or
|
|
23
|
+
// Spring @RequestParam, @PathVariable
|
|
24
|
+
exists(Parameter p |
|
|
25
|
+
p.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", ["RequestParam", "PathVariable", "RequestBody"]) and
|
|
26
|
+
source.asParameter() = p
|
|
27
|
+
)
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
predicate isSink(DataFlow::Node sink) {
|
|
31
|
+
// Command injection
|
|
32
|
+
exists(MethodAccess ma |
|
|
33
|
+
ma.getMethod().hasQualifiedName("java.lang", "Runtime", "exec") and
|
|
34
|
+
sink.asExpr() = ma.getArgument(0)
|
|
35
|
+
)
|
|
36
|
+
or
|
|
37
|
+
exists(ClassInstanceExpr cie |
|
|
38
|
+
cie.getConstructedType().hasQualifiedName("java.lang", "ProcessBuilder") and
|
|
39
|
+
sink.asExpr() = cie.getArgument(0)
|
|
40
|
+
)
|
|
41
|
+
or
|
|
42
|
+
// SQL injection
|
|
43
|
+
exists(MethodAccess ma |
|
|
44
|
+
ma.getMethod().getName() in ["executeQuery", "executeUpdate", "execute"] and
|
|
45
|
+
ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("java.sql", "Statement") and
|
|
46
|
+
sink.asExpr() = ma.getArgument(0)
|
|
47
|
+
)
|
|
48
|
+
or
|
|
49
|
+
// Path traversal
|
|
50
|
+
exists(ClassInstanceExpr cie |
|
|
51
|
+
cie.getConstructedType().hasQualifiedName("java.io", "File") and
|
|
52
|
+
sink.asExpr() = cie.getArgument(0)
|
|
53
|
+
)
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
predicate isBarrier(DataFlow::Node node) {
|
|
57
|
+
exists(MethodAccess ma |
|
|
58
|
+
ma.getMethod().getName() in ["escape", "sanitize", "parseInt", "valueOf"] and
|
|
59
|
+
node.asExpr() = ma
|
|
60
|
+
)
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
|
|
64
|
+
module VariantFlow = TaintTracking::Global<VariantConfig>;
|
|
65
|
+
import VariantFlow::PathGraph
|
|
66
|
+
|
|
67
|
+
from VariantFlow::PathNode source, VariantFlow::PathNode sink
|
|
68
|
+
where VariantFlow::flowPath(source, sink)
|
|
69
|
+
select sink.getNode(), source, sink,
|
|
70
|
+
"Tainted data from $@ flows to dangerous sink.",
|
|
71
|
+
source.getNode(), "user input"
|
|
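Review bot: `import DataFlow::PathGraph` and `import VariantFlow::PathGraph` are both present in this query; with the `TaintTracking::Global<VariantConfig>` module API only `VariantFlow::PathGraph` belongs here, and importing both leaves the query with two competing definitions of the `edges`/`nodes` query predicates at compile time, so the first import should go. Separately, the barrier `ma.getMethod().getName() in ["escape", "sanitize", "parseInt", "valueOf"]` matches on method name alone, which makes `String.valueOf(tainted)` a sanitizer: any variant that routes user input through `String.valueOf` before `Runtime.exec` or `Statement.execute` is silently dropped. Restrict the barrier to methods whose result is a primitive (or to a specific sanitizer class) rather than to a name. The `ProcessBuilder` sink only looks at `cie.getArgument(0)`, so `new ProcessBuilder("sh", "-c", tainted)` and the `List<String>` constructor are not covered; `cie.getAnArgument()` is the cheaper fix.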
@@ -0,0 +1,63 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @name [VARIANT_NAME]
|
|
3
|
+
* @description Find variants of [ORIGINAL_BUG_ID]
|
|
4
|
+
* @kind path-problem
|
|
5
|
+
* @problem.severity error
|
|
6
|
+
* @tags security variant-analysis
|
|
7
|
+
*/
|
|
8
|
+
|
|
9
|
+
import javascript
|
|
10
|
+
import semmle.javascript.security.dataflow.CommandInjectionQuery
|
|
11
|
+
import DataFlow::PathGraph
|
|
12
|
+
|
|
13
|
+
module VariantConfig implements DataFlow::ConfigSig {
|
|
14
|
+
predicate isSource(DataFlow::Node source) {
|
|
15
|
+
// Express request params
|
|
16
|
+
exists(PropAccess pa |
|
|
17
|
+
pa.getPropertyName() in ["query", "body", "params", "cookies"] and
|
|
18
|
+
source.asExpr() = pa
|
|
19
|
+
)
|
|
20
|
+
or
|
|
21
|
+
// URL/location
|
|
22
|
+
exists(PropAccess pa |
|
|
23
|
+
pa.getBase().toString() in ["window", "document", "location"] and
|
|
24
|
+
source.asExpr() = pa
|
|
25
|
+
)
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
predicate isSink(DataFlow::Node sink) {
|
|
29
|
+
// Command injection
|
|
30
|
+
exists(CallExpr c |
|
|
31
|
+
c.getCalleeName() in ["exec", "execSync", "spawn", "spawnSync"] and
|
|
32
|
+
sink.asExpr() = c.getArgument(0)
|
|
33
|
+
)
|
|
34
|
+
or
|
|
35
|
+
// eval/Function
|
|
36
|
+
exists(CallExpr c |
|
|
37
|
+
c.getCalleeName() in ["eval", "Function"] and
|
|
38
|
+
sink.asExpr() = c.getArgument(0)
|
|
39
|
+
)
|
|
40
|
+
or
|
|
41
|
+
// SQL queries
|
|
42
|
+
exists(CallExpr c |
|
|
43
|
+
c.getCalleeName() in ["query", "raw", "execute"] and
|
|
44
|
+
sink.asExpr() = c.getArgument(0)
|
|
45
|
+
)
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
predicate isBarrier(DataFlow::Node node) {
|
|
49
|
+
exists(CallExpr c |
|
|
50
|
+
c.getCalleeName() in ["escape", "sanitize", "parseInt", "encodeURIComponent"] and
|
|
51
|
+
node.asExpr() = c
|
|
52
|
+
)
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
module VariantFlow = TaintTracking::Global<VariantConfig>;
|
|
57
|
+
import VariantFlow::PathGraph
|
|
58
|
+
|
|
59
|
+
from VariantFlow::PathNode source, VariantFlow::PathNode sink
|
|
60
|
+
where VariantFlow::flowPath(source, sink)
|
|
61
|
+
select sink.getNode(), source, sink,
|
|
62
|
+
"Tainted data from $@ flows to dangerous sink.",
|
|
63
|
+
source.getNode(), "user input"
|
|
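Review bot: the command-injection sink matches on callee name alone (`c.getCalleeName() in ["exec", "execSync", "spawn", "spawnSync"]`), so every `regex.exec(str)` call becomes a sink and results will be dominated by RegExp false positives; resolve the callee to the `child_process` module instead (the JS library's `DataFlow::moduleMember("child_process", "exec")`, or the sink classes that `CommandInjectionQuery` provides, which this query imports but never uses). The same name-only approach in `isSource` turns any `.query`, `.body`, `.params` or `.cookies` property on any object (response bodies, ORM query handles, config objects) into a source, and the `Function` sink uses `CallExpr`, which does not cover `new Function(...)` (that is a `NewExpr`). As in the Java query, both `import DataFlow::PathGraph` and `import VariantFlow::PathGraph` are present; keep only the latter.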
@@ -0,0 +1,80 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @name [VARIANT_NAME]
|
|
3
|
+
* @description Find variants of [ORIGINAL_BUG_ID]
|
|
4
|
+
* @kind path-problem
|
|
5
|
+
* @problem.severity error
|
|
6
|
+
* @precision high
|
|
7
|
+
* @tags security
|
|
8
|
+
* variant-analysis
|
|
9
|
+
*/
|
|
10
|
+
|
|
11
|
+
import python
|
|
12
|
+
import semmle.python.dataflow.new.DataFlow
|
|
13
|
+
import semmle.python.dataflow.new.TaintTracking
|
|
14
|
+
import semmle.python.ApiGraphs
|
|
15
|
+
|
|
16
|
+
module VariantConfig implements DataFlow::ConfigSig {
|
|
17
|
+
// Sources: where untrusted data originates
|
|
18
|
+
predicate isSource(DataFlow::Node source) {
|
|
19
|
+
// Flask request parameters
|
|
20
|
+
source = API::moduleImport("flask").getMember("request")
|
|
21
|
+
.getMember(["args", "form", "json", "data"])
|
|
22
|
+
.getAUse()
|
|
23
|
+
or
|
|
24
|
+
// Environment variables
|
|
25
|
+
exists(Call c |
|
|
26
|
+
c.getFunc().(Attribute).getObject().(Name).getId() = "os" and
|
|
27
|
+
c.getFunc().(Attribute).getName() in ["getenv", "environ"] and
|
|
28
|
+
source.asExpr() = c
|
|
29
|
+
)
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
// Sinks: where tainted data becomes dangerous
|
|
33
|
+
predicate isSink(DataFlow::Node sink) {
|
|
34
|
+
// os.system()
|
|
35
|
+
exists(Call c |
|
|
36
|
+
c.getFunc().(Attribute).getObject().(Name).getId() = "os" and
|
|
37
|
+
c.getFunc().(Attribute).getName() = "system" and
|
|
38
|
+
sink.asExpr() = c.getArg(0)
|
|
39
|
+
)
|
|
40
|
+
or
|
|
41
|
+
// subprocess with shell=True
|
|
42
|
+
exists(Call c |
|
|
43
|
+
c.getFunc().(Attribute).getName() in ["call", "run", "Popen"] and
|
|
44
|
+
c.getArgByName("shell").(NameConstant).getValue() = true and
|
|
45
|
+
sink.asExpr() = c.getArg(0)
|
|
46
|
+
)
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
// Barriers: sanitization functions
|
|
50
|
+
predicate isBarrier(DataFlow::Node node) {
|
|
51
|
+
exists(Call c |
|
|
52
|
+
c.getFunc().(Attribute).getObject().(Name).getId() = "shlex" and
|
|
53
|
+
c.getFunc().(Attribute).getName() = "quote" and
|
|
54
|
+
node.asExpr() = c
|
|
55
|
+
)
|
|
56
|
+
or
|
|
57
|
+
exists(Call c |
|
|
58
|
+
c.getFunc().(Name).getId() in ["sanitize", "escape", "validate"] and
|
|
59
|
+
node.asExpr() = c
|
|
60
|
+
)
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
// Custom flow steps (optional)
|
|
64
|
+
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
|
|
65
|
+
exists(Call c |
|
|
66
|
+
c.getFunc().(Attribute).getName() = "format" and
|
|
67
|
+
pred.asExpr() = c.getFunc().(Attribute).getObject() and
|
|
68
|
+
succ.asExpr() = c
|
|
69
|
+
)
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
module VariantFlow = TaintTracking::Global<VariantConfig>;
|
|
74
|
+
import VariantFlow::PathGraph
|
|
75
|
+
|
|
76
|
+
from VariantFlow::PathNode source, VariantFlow::PathNode sink
|
|
77
|
+
where VariantFlow::flowPath(source, sink)
|
|
78
|
+
select sink.getNode(), source, sink,
|
|
79
|
+
"Potential variant: tainted data from $@ flows to dangerous sink.",
|
|
80
|
+
source.getNode(), "user-controlled input"
|
|
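Review bot: the environment-variable source can never match `os.environ`: `os.environ["X"]` is a `Subscript`, and `os.environ.get("X")` is a `Call` whose attribute name is `get`, so the `"environ"` entry in `c.getFunc().(Attribute).getName() in ["getenv", "environ"]` is dead. Model it the way the Flask source is modelled, through `API::moduleImport("os").getMember("environ")` (its subscripts and `.get()` calls) rather than through AST name matching. The custom `isAdditionalFlowStep` for `.format` propagates from the receiver (`pred.asExpr() = c.getFunc().(Attribute).getObject()`) to the call result, but in `"...{}".format(tainted)` the taint enters through the arguments, not the template string; the default taint steps already cover `str.format`, so this step should either be dropped or use `pred.asExpr() = c.getAnArg()`. The `subprocess` sink also checks only the attribute name (`call`, `run`, `Popen`), not that the receiver is the `subprocess` module, so unrelated `.run()` methods with a `shell=True` keyword would be reported.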
@@ -0,0 +1,98 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: variant-taint-cpp
|
|
3
|
+
message: "Potential variant: user input flows to dangerous sink"
|
|
4
|
+
severity: ERROR
|
|
5
|
+
languages: [c, cpp]
|
|
6
|
+
mode: taint
|
|
7
|
+
|
|
8
|
+
pattern-sources:
|
|
9
|
+
# Command line
|
|
10
|
+
- pattern: argv[$IDX]
|
|
11
|
+
# Standard input
|
|
12
|
+
- pattern: gets(...)
|
|
13
|
+
- pattern: fgets($BUF, $SIZE, stdin)
|
|
14
|
+
- pattern: scanf(...)
|
|
15
|
+
- pattern: fscanf(...)
|
|
16
|
+
- pattern: getenv(...)
|
|
17
|
+
# Network
|
|
18
|
+
- pattern: recv($SOCK, $BUF, ...)
|
|
19
|
+
- pattern: recvfrom(...)
|
|
20
|
+
- pattern: read($FD, $BUF, ...)
|
|
21
|
+
|
|
22
|
+
pattern-sinks:
|
|
23
|
+
# Command injection
|
|
24
|
+
- pattern: system($SINK)
|
|
25
|
+
- pattern: popen($SINK, ...)
|
|
26
|
+
- pattern: execl($SINK, ...)
|
|
27
|
+
- pattern: execlp($SINK, ...)
|
|
28
|
+
- pattern: execv($SINK, ...)
|
|
29
|
+
- pattern: execvp($SINK, ...)
|
|
30
|
+
# Buffer overflow
|
|
31
|
+
- pattern: strcpy($DST, $SINK)
|
|
32
|
+
- pattern: strcat($DST, $SINK)
|
|
33
|
+
- pattern: sprintf($DST, $FMT, ..., $SINK, ...)
|
|
34
|
+
- pattern: gets($SINK)
|
|
35
|
+
# Format string
|
|
36
|
+
- pattern: printf($SINK)
|
|
37
|
+
- pattern: fprintf($FILE, $SINK)
|
|
38
|
+
- pattern: sprintf($BUF, $SINK)
|
|
39
|
+
- pattern: syslog($PRI, $SINK)
|
|
40
|
+
# Memory
|
|
41
|
+
- pattern: malloc($SINK)
|
|
42
|
+
- pattern: calloc($SINK, ...)
|
|
43
|
+
- pattern: realloc($PTR, $SINK)
|
|
44
|
+
- pattern: alloca($SINK)
|
|
45
|
+
# File operations
|
|
46
|
+
- pattern: fopen($SINK, ...)
|
|
47
|
+
- pattern: open($SINK, ...)
|
|
48
|
+
|
|
49
|
+
pattern-sanitizers:
|
|
50
|
+
- pattern: strncpy($DST, $SRC, $N)
|
|
51
|
+
- pattern: strncat($DST, $SRC, $N)
|
|
52
|
+
- pattern: snprintf($BUF, $SIZE, ...)
|
|
53
|
+
- pattern: strlcpy(...)
|
|
54
|
+
- pattern: strlcat(...)
|
|
55
|
+
|
|
56
|
+
paths:
|
|
57
|
+
exclude:
|
|
58
|
+
- "**/test/**"
|
|
59
|
+
- "**/*_test.c"
|
|
60
|
+
- "**/*_test.cpp"
|
|
61
|
+
|
|
62
|
+
- id: unsafe-functions-cpp
|
|
63
|
+
message: "Use of unsafe function - consider bounded alternative"
|
|
64
|
+
severity: WARNING
|
|
65
|
+
languages: [c, cpp]
|
|
66
|
+
pattern-either:
|
|
67
|
+
- pattern: gets(...)
|
|
68
|
+
- pattern: strcpy(...)
|
|
69
|
+
- pattern: strcat(...)
|
|
70
|
+
- pattern: sprintf(...)
|
|
71
|
+
- pattern: vsprintf(...)
|
|
72
|
+
|
|
73
|
+
- id: format-string-cpp
|
|
74
|
+
message: "Potential format string vulnerability"
|
|
75
|
+
severity: ERROR
|
|
76
|
+
languages: [c, cpp]
|
|
77
|
+
patterns:
|
|
78
|
+
- pattern-either:
|
|
79
|
+
- pattern: printf($VAR)
|
|
80
|
+
- pattern: fprintf($F, $VAR)
|
|
81
|
+
- pattern: sprintf($B, $VAR)
|
|
82
|
+
- pattern: snprintf($B, $S, $VAR)
|
|
83
|
+
- pattern-not: printf("...")
|
|
84
|
+
- pattern-not: fprintf($F, "...")
|
|
85
|
+
- pattern-not: sprintf($B, "...")
|
|
86
|
+
- pattern-not: snprintf($B, $S, "...")
|
|
87
|
+
|
|
88
|
+
- id: integer-overflow-cpp
|
|
89
|
+
message: "Potential integer overflow before memory allocation"
|
|
90
|
+
severity: WARNING
|
|
91
|
+
languages: [c, cpp]
|
|
92
|
+
patterns:
|
|
93
|
+
- pattern: |
|
|
94
|
+
$SIZE = $X * $Y;
|
|
95
|
+
...
|
|
96
|
+
malloc($SIZE)
|
|
97
|
+
- pattern: malloc($X * $Y)
|
|
98
|
+
- pattern: calloc($X * $Y, ...)
|
|
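Review bot: most of the C sources and all of the buffer-overflow sinks move data through pointer out-parameters, but `variant-taint-cpp` only tracks values: `- pattern: recv($SOCK, $BUF, ...)` and `- pattern: fgets($BUF, $SIZE, stdin)` taint the call's return value (a byte count or the same pointer), not `$BUF`, and `strcpy($DST, $SINK)` is a sink without any step carrying taint into `$DST` afterwards, so `fgets(buf, ...); strcpy(cmd, buf); system(cmd)` is not reported. Mark the buffer sources with `focus-metavariable: $BUF` plus `by-side-effect: true`, and add `pattern-propagators` entries (`from: $SRC`, `to: $DST`) for `strcpy`, `strncpy`, `memcpy` and `sprintf`. Listing `strncpy`, `snprintf`, `strlcpy` and `strlcat` under `pattern-sanitizers` is also wrong for a multi-sink rule: a bounded copy prevents the overflow but does nothing for the `system`, `popen`, `execl*`, `fopen` or `printf` sinks, so those findings are suppressed. `gets` appears both as a source (`gets(...)`) and as a sink (`gets($SINK)`); the sink form is meaningless since the argument is the destination buffer, not input.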
@@ -0,0 +1,63 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: variant-taint-go
|
|
3
|
+
message: "Potential variant: user input flows to dangerous sink"
|
|
4
|
+
severity: ERROR
|
|
5
|
+
languages: [go]
|
|
6
|
+
mode: taint
|
|
7
|
+
|
|
8
|
+
pattern-sources:
|
|
9
|
+
# net/http
|
|
10
|
+
- pattern: $REQ.URL.Query().Get(...)
|
|
11
|
+
- pattern: $REQ.FormValue(...)
|
|
12
|
+
- pattern: $REQ.PostFormValue(...)
|
|
13
|
+
- pattern: $REQ.Header.Get(...)
|
|
14
|
+
# Gin
|
|
15
|
+
- pattern: $CTX.Query(...)
|
|
16
|
+
- pattern: $CTX.Param(...)
|
|
17
|
+
- pattern: $CTX.PostForm(...)
|
|
18
|
+
- pattern: $CTX.GetHeader(...)
|
|
19
|
+
# Echo
|
|
20
|
+
- pattern: $CTX.QueryParam(...)
|
|
21
|
+
- pattern: $CTX.FormValue(...)
|
|
22
|
+
# os.Args
|
|
23
|
+
- pattern: os.Args[$IDX]
|
|
24
|
+
- pattern: os.Getenv(...)
|
|
25
|
+
|
|
26
|
+
pattern-sinks:
|
|
27
|
+
# Command injection
|
|
28
|
+
- pattern: exec.Command($SINK, ...)
|
|
29
|
+
- pattern: exec.CommandContext($CTX, $SINK, ...)
|
|
30
|
+
# SQL injection
|
|
31
|
+
- pattern: $DB.Query($SINK, ...)
|
|
32
|
+
- pattern: $DB.QueryRow($SINK, ...)
|
|
33
|
+
- pattern: $DB.Exec($SINK, ...)
|
|
34
|
+
# Path traversal
|
|
35
|
+
- pattern: os.Open($SINK)
|
|
36
|
+
- pattern: os.OpenFile($SINK, ...)
|
|
37
|
+
- pattern: os.ReadFile($SINK)
|
|
38
|
+
- pattern: ioutil.ReadFile($SINK)
|
|
39
|
+
# Template injection
|
|
40
|
+
- pattern: template.HTML($SINK)
|
|
41
|
+
|
|
42
|
+
pattern-sanitizers:
|
|
43
|
+
- pattern: strconv.Atoi($X)
|
|
44
|
+
- pattern: strconv.ParseInt($X, ...)
|
|
45
|
+
- pattern: filepath.Clean($X)
|
|
46
|
+
- pattern: filepath.Base($X)
|
|
47
|
+
- pattern: html.EscapeString($X)
|
|
48
|
+
|
|
49
|
+
paths:
|
|
50
|
+
exclude:
|
|
51
|
+
- "**/*_test.go"
|
|
52
|
+
- "**/test/**"
|
|
53
|
+
- "**/vendor/**"
|
|
54
|
+
|
|
55
|
+
- id: variant-pattern-go
|
|
56
|
+
message: "Suspicious pattern matching known vulnerability"
|
|
57
|
+
severity: WARNING
|
|
58
|
+
languages: [go]
|
|
59
|
+
patterns:
|
|
60
|
+
- pattern-either:
|
|
61
|
+
- pattern: exec.Command(...)
|
|
62
|
+
- pattern: $DB.Query($Q, ...)
|
|
63
|
+
- pattern-not: exec.Command("...")
|
|
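Review bot: `- pattern: filepath.Clean($X)` is not a sanitizer for the path-traversal sinks listed in this rule: `filepath.Clean("../../etc/passwd")` returns the same traversal string, and `filepath.Clean(base + "/" + input)` still escapes `base`. Drop it (keep `filepath.Base`, which does strip directory components) or require the join-and-prefix-check idiom. The command-injection sink `exec.Command($SINK, ...)` only taints the program name; the common Go variant is `exec.Command("sh", "-c", tainted)`, so the sink should be `exec.Command(..., $SINK, ...)` (and likewise for `exec.CommandContext`), with argument injection downgraded to WARNING if that distinction matters. Finally, `variant-pattern-go` fires on every `$DB.Query($Q, ...)`, parameterized or not, because its only `pattern-not` concerns `exec.Command("...")`; add `pattern-not: $DB.Query("...", ...)` so constant queries with bound parameters are not reported.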
@@ -0,0 +1,61 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: variant-taint-java
|
|
3
|
+
message: "Potential variant: user input flows to dangerous sink"
|
|
4
|
+
severity: ERROR
|
|
5
|
+
languages: [java]
|
|
6
|
+
mode: taint
|
|
7
|
+
|
|
8
|
+
pattern-sources:
|
|
9
|
+
# Servlet
|
|
10
|
+
- pattern: (HttpServletRequest $REQ).getParameter(...)
|
|
11
|
+
- pattern: (HttpServletRequest $REQ).getHeader(...)
|
|
12
|
+
- pattern: (HttpServletRequest $REQ).getCookies()
|
|
13
|
+
- pattern: (HttpServletRequest $REQ).getQueryString()
|
|
14
|
+
- pattern: (HttpServletRequest $REQ).getInputStream()
|
|
15
|
+
# Spring
|
|
16
|
+
- pattern: "@RequestParam $TYPE $VAR"
|
|
17
|
+
- pattern: "@PathVariable $TYPE $VAR"
|
|
18
|
+
- pattern: "@RequestBody $TYPE $VAR"
|
|
19
|
+
|
|
20
|
+
pattern-sinks:
|
|
21
|
+
# Command injection
|
|
22
|
+
- pattern: Runtime.getRuntime().exec($SINK, ...)
|
|
23
|
+
- pattern: new ProcessBuilder($SINK, ...)
|
|
24
|
+
# SQL injection
|
|
25
|
+
- pattern: (Statement $S).executeQuery($SINK)
|
|
26
|
+
- pattern: (Statement $S).executeUpdate($SINK)
|
|
27
|
+
- pattern: (Statement $S).execute($SINK)
|
|
28
|
+
- pattern: (Connection $C).prepareStatement($SINK)
|
|
29
|
+
# Path traversal
|
|
30
|
+
- pattern: new File($SINK)
|
|
31
|
+
- pattern: new FileInputStream($SINK)
|
|
32
|
+
- pattern: new FileOutputStream($SINK)
|
|
33
|
+
- pattern: Paths.get($SINK, ...)
|
|
34
|
+
# XXE
|
|
35
|
+
- pattern: (DocumentBuilder $DB).parse($SINK)
|
|
36
|
+
# Deserialization
|
|
37
|
+
- pattern: (ObjectInputStream $OIS).readObject()
|
|
38
|
+
|
|
39
|
+
pattern-sanitizers:
|
|
40
|
+
- pattern: Integer.parseInt($X)
|
|
41
|
+
- pattern: Integer.valueOf($X)
|
|
42
|
+
- pattern: StringEscapeUtils.escapeHtml4($X)
|
|
43
|
+
- pattern: ESAPI.encoder().encodeForSQL(...)
|
|
44
|
+
|
|
45
|
+
paths:
|
|
46
|
+
exclude:
|
|
47
|
+
- "**/test/**"
|
|
48
|
+
- "**/*Test.java"
|
|
49
|
+
|
|
50
|
+
- id: variant-pattern-java
|
|
51
|
+
message: "Suspicious pattern matching known vulnerability"
|
|
52
|
+
severity: WARNING
|
|
53
|
+
languages: [java]
|
|
54
|
+
patterns:
|
|
55
|
+
- pattern-either:
|
|
56
|
+
- pattern: Runtime.getRuntime().exec(...)
|
|
57
|
+
- pattern: new ProcessBuilder(...)
|
|
58
|
+
- pattern-inside: |
|
|
59
|
+
$RET $METHOD(..., HttpServletRequest $REQ, ...) {
|
|
60
|
+
...
|
|
61
|
+
}
|
|
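Review bot: the sanitizer list in `variant-taint-java` is shared by every sink class, so `StringEscapeUtils.escapeHtml4($X)` (an HTML encoder) clears taint flowing into `Runtime.getRuntime().exec(...)` and `new File(...)`, and `ESAPI.encoder().encodeForSQL(...)` does the same for the command-injection and path-traversal sinks. Semgrep applies `pattern-sanitizers` rule-wide, so either split this into one rule per sink category carrying only the sanitizer that neutralises that sink, or keep only the type-conversion sanitizers (`Integer.parseInt`, `Integer.valueOf`) here. Also, `variant-pattern-java` has no `pattern-not` for literal arguments, unlike the Go and JS rules in this change, so `Runtime.getRuntime().exec("...")` with a constant command inside any servlet method will fire.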
@@ -0,0 +1,60 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: variant-taint-js
|
|
3
|
+
message: "Potential variant: user input flows to dangerous sink"
|
|
4
|
+
severity: ERROR
|
|
5
|
+
languages: [javascript, typescript]
|
|
6
|
+
mode: taint
|
|
7
|
+
|
|
8
|
+
pattern-sources:
|
|
9
|
+
# Express
|
|
10
|
+
- pattern: req.query.$PARAM
|
|
11
|
+
- pattern: req.body.$PARAM
|
|
12
|
+
- pattern: req.params.$PARAM
|
|
13
|
+
- pattern: req.cookies.$PARAM
|
|
14
|
+
# URL/Location
|
|
15
|
+
- pattern: window.location.$PROP
|
|
16
|
+
- pattern: document.location.$PROP
|
|
17
|
+
- pattern: location.search
|
|
18
|
+
- pattern: location.hash
|
|
19
|
+
|
|
20
|
+
pattern-sinks:
|
|
21
|
+
# Command injection
|
|
22
|
+
- pattern: child_process.exec($SINK, ...)
|
|
23
|
+
- pattern: child_process.execSync($SINK, ...)
|
|
24
|
+
- pattern: child_process.spawn($SINK, ...)
|
|
25
|
+
# Code execution
|
|
26
|
+
- pattern: eval($SINK)
|
|
27
|
+
- pattern: Function($SINK)
|
|
28
|
+
- pattern: setTimeout($SINK, ...)
|
|
29
|
+
- pattern: setInterval($SINK, ...)
|
|
30
|
+
# SQL
|
|
31
|
+
- pattern: $DB.query($SINK, ...)
|
|
32
|
+
- pattern: $DB.raw($SINK)
|
|
33
|
+
# XSS
|
|
34
|
+
- pattern: $EL.innerHTML = $SINK
|
|
35
|
+
- pattern: document.write($SINK)
|
|
36
|
+
|
|
37
|
+
pattern-sanitizers:
|
|
38
|
+
- pattern: parseInt($X, ...)
|
|
39
|
+
- pattern: encodeURIComponent($X)
|
|
40
|
+
- pattern: escape($X)
|
|
41
|
+
- pattern: $DB.escape($X)
|
|
42
|
+
|
|
43
|
+
paths:
|
|
44
|
+
exclude:
|
|
45
|
+
- "**/*.test.js"
|
|
46
|
+
- "**/*.spec.js"
|
|
47
|
+
- "**/test/**"
|
|
48
|
+
- "**/node_modules/**"
|
|
49
|
+
|
|
50
|
+
- id: variant-pattern-js
|
|
51
|
+
message: "Suspicious pattern matching known vulnerability"
|
|
52
|
+
severity: WARNING
|
|
53
|
+
languages: [javascript, typescript]
|
|
54
|
+
patterns:
|
|
55
|
+
- pattern-either:
|
|
56
|
+
- pattern: eval(...)
|
|
57
|
+
- pattern: Function(...)
|
|
58
|
+
- pattern: child_process.exec(...)
|
|
59
|
+
- pattern-not: eval("...")
|
|
60
|
+
- pattern-not: Function("...")
|
|
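Review bot: `escape($X)` and `encodeURIComponent($X)` in `pattern-sanitizers` are URL encoders and `$DB.escape($X)` is SQL-specific, yet each one clears taint for every sink, including `eval`, `child_process.exec` and `$EL.innerHTML`; restrict the list to what actually neutralises each sink (or split per sink class) so a percent-encoded string reaching `exec()` is still reported. Two smaller items: `setTimeout($SINK, ...)` and `setInterval($SINK, ...)` are only code-execution sinks when the first argument is a string, so with the usual callback argument they will be a steady false positive; and `languages` includes `typescript` while `paths.exclude` lists only `**/*.test.js` and `**/*.spec.js`, so add `**/*.test.ts` and `**/*.spec.ts`.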
@@ -0,0 +1,72 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: variant-taint-analysis
|
|
3
|
+
message: >-
|
|
4
|
+
Potential variant: user-controlled data flows to dangerous sink.
|
|
5
|
+
Original bug: [DESCRIBE_ORIGINAL_BUG]
|
|
6
|
+
severity: ERROR
|
|
7
|
+
languages: [python]
|
|
8
|
+
mode: taint
|
|
9
|
+
|
|
10
|
+
pattern-sources:
|
|
11
|
+
# Flask
|
|
12
|
+
- pattern: request.args.get(...)
|
|
13
|
+
- pattern: request.args[...]
|
|
14
|
+
- pattern: request.form.get(...)
|
|
15
|
+
- pattern: request.form[...]
|
|
16
|
+
- pattern: request.json
|
|
17
|
+
- pattern: request.data
|
|
18
|
+
# Django (uncomment if needed)
|
|
19
|
+
# - pattern: request.GET.get(...)
|
|
20
|
+
# - pattern: request.POST.get(...)
|
|
21
|
+
# General
|
|
22
|
+
- pattern: os.environ.get(...)
|
|
23
|
+
- pattern: input(...)
|
|
24
|
+
|
|
25
|
+
pattern-sinks:
|
|
26
|
+
# Command injection
|
|
27
|
+
- pattern: os.system($SINK)
|
|
28
|
+
- pattern: os.popen($SINK)
|
|
29
|
+
- pattern: subprocess.call($SINK, ...)
|
|
30
|
+
- pattern: subprocess.run($SINK, ...)
|
|
31
|
+
- pattern: subprocess.Popen($SINK, ...)
|
|
32
|
+
# Code execution
|
|
33
|
+
- pattern: eval($SINK)
|
|
34
|
+
- pattern: exec($SINK)
|
|
35
|
+
# SQL (uncomment if needed)
|
|
36
|
+
# - pattern: $CURSOR.execute($SINK)
|
|
37
|
+
# Path traversal (uncomment if needed)
|
|
38
|
+
# - pattern: open($SINK, ...)
|
|
39
|
+
|
|
40
|
+
pattern-sanitizers:
|
|
41
|
+
- pattern: shlex.quote(...)
|
|
42
|
+
- pattern: os.path.basename(...)
|
|
43
|
+
- pattern: int(...)
|
|
44
|
+
- pattern: sanitize(...)
|
|
45
|
+
- pattern: escape(...)
|
|
46
|
+
- pattern: validate(...)
|
|
47
|
+
|
|
48
|
+
paths:
|
|
49
|
+
exclude:
|
|
50
|
+
- "*_test.py"
|
|
51
|
+
- "test_*.py"
|
|
52
|
+
- "tests/"
|
|
53
|
+
- "**/test/**"
|
|
54
|
+
|
|
55
|
+
metadata:
|
|
56
|
+
category: security
|
|
57
|
+
confidence: HIGH
|
|
58
|
+
|
|
59
|
+
# Simple pattern matching variant (non-taint)
|
|
60
|
+
- id: variant-pattern-match
|
|
61
|
+
message: "Suspicious pattern matching known vulnerability signature"
|
|
62
|
+
severity: WARNING
|
|
63
|
+
languages: [python]
|
|
64
|
+
patterns:
|
|
65
|
+
- pattern-either:
|
|
66
|
+
- pattern: dangerous_func($USER_DATA)
|
|
67
|
+
- pattern: risky_operation(..., $USER_DATA, ...)
|
|
68
|
+
- pattern-not: dangerous_func("...")
|
|
69
|
+
paths:
|
|
70
|
+
exclude:
|
|
71
|
+
- "tests/"
|
|
72
|
+
- "*_test.py"
|
|
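Review bot: `sanitize(...)`, `escape(...)` and `validate(...)` in `pattern-sanitizers` match any function of that name regardless of what it does, so a project helper `validate()` that only logs or returns a boolean silently clears taint on its argument before it reaches `os.system` or `eval`; either qualify these with the module they come from or remove them and rely on the typed sanitizers (`shlex.quote`, `os.path.basename`, `int`). Separately, `[DESCRIBE_ORIGINAL_BUG]` in the message and `dangerous_func` / `risky_operation` in `variant-pattern-match` are placeholders that must be substituted before the rule does anything, but unlike the `# ... (uncomment if needed)` entries they are not marked as such; a comment stating that the rule matches nothing until they are replaced would stop it being shipped verbatim.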
@@ -0,0 +1,75 @@
|
|
|
1
|
+
# Variant Analysis Report
|
|
2
|
+
|
|
3
|
+
## Summary
|
|
4
|
+
|
|
5
|
+
| Field | Value |
|
|
6
|
+
|-------|-------|
|
|
7
|
+
| **Original Bug** | [BUG_ID / CVE] |
|
|
8
|
+
| **Analysis Date** | [DATE] |
|
|
9
|
+
| **Codebase** | [REPO/PROJECT] |
|
|
10
|
+
| **Variants Found** | [COUNT] |
|
|
11
|
+
|
|
12
|
+
## Original Vulnerability
|
|
13
|
+
|
|
14
|
+
**Root Cause:** [e.g., "User input reaches SQL query without parameterization"]
|
|
15
|
+
|
|
16
|
+
**Location:** `[path/to/file.py:LINE]` in `function_name()`
|
|
17
|
+
|
|
18
|
+
```python
|
|
19
|
+
# Vulnerable code
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
## Search Methodology
|
|
23
|
+
|
|
24
|
+
| Version | Pattern | Tool | Matches | TP | FP |
|
|
25
|
+
|---------|---------|------|---------|----|----|
|
|
26
|
+
| v1 | [exact] | ripgrep | 1 | 1 | 0 |
|
|
27
|
+
| v2 | [abstract] | semgrep | N | N | N |
|
|
28
|
+
|
|
29
|
+
**Final Pattern:**
|
|
30
|
+
```yaml
|
|
31
|
+
# Pattern used
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
## Findings
|
|
35
|
+
|
|
36
|
+
### Variant #1: [BRIEF_TITLE]
|
|
37
|
+
|
|
38
|
+
| Severity | Confidence | Status |
|
|
39
|
+
|----------|------------|--------|
|
|
40
|
+
| High | High | Confirmed |
|
|
41
|
+
|
|
42
|
+
**Location:** `[path/to/file.py:LINE]`
|
|
43
|
+
|
|
44
|
+
```python
|
|
45
|
+
# Vulnerable code
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
**Analysis:** [Why this is a true/false positive]
|
|
49
|
+
|
|
50
|
+
**Exploitability:**
|
|
51
|
+
- [ ] Reachable from external input
|
|
52
|
+
- [ ] User-controlled data
|
|
53
|
+
- [ ] No sanitization
|
|
54
|
+
|
|
55
|
+
---
|
|
56
|
+
|
|
57
|
+
<!-- Copy variant template above for additional findings -->
|
|
58
|
+
|
|
59
|
+
## False Positive Patterns
|
|
60
|
+
|
|
61
|
+
| Pattern | Count | Reason |
|
|
62
|
+
|---------|-------|--------|
|
|
63
|
+
| [pattern] | N | [why safe] |
|
|
64
|
+
|
|
65
|
+
## Recommendations
|
|
66
|
+
|
|
67
|
+
### Immediate
|
|
68
|
+
1. Fix variant in [location]
|
|
69
|
+
|
|
70
|
+
### Preventive
|
|
71
|
+
1. Add Semgrep rule to CI
|
|
72
|
+
|
|
73
|
+
```yaml
|
|
74
|
+
# CI-ready rule
|
|
75
|
+
```
|
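Review bot: the status table under `### Variant #1` hard-codes `High | High | Confirmed` while every other field in the template is a bracketed placeholder, so a copied finding defaults to Confirmed/High unless the author remembers to edit it; use `[High/Medium/Low]` and `[Confirmed/Suspected/False Positive]` in the same style as the rest of the template. The Summary table also has no row for the commit or version that was scanned, so the match counts in Search Methodology cannot be reproduced later; add a `**Commit / Version**` row next to `**Codebase**`.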