agent-security-scanner-mcp 2.0.7 → 3.0.0

package/rules/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml

@@ -0,0 +1,60 @@
+rules:
+- id: avoid-sqlalchemy-text
+  mode: taint
+  pattern-sinks:
+    - pattern: |
+        sqlalchemy.text(...)
+  pattern-sources:
+    - patterns:
+        - pattern: |
+            $X + $Y
+        - metavariable-type:
+            metavariable: $X
+            type: string
+    - patterns:
+        - pattern: |
+            $X + $Y
+        - metavariable-type:
+            metavariable: $Y
+            type: string
+    - patterns:
+        - pattern: |
+            f"..."
+    - patterns:
+        - pattern: |
+            $X.format(...)
+        - metavariable-type:
+            metavariable: $X
+            type: string
+    - patterns:
+        - pattern: |
+            $X % $Y
+        - metavariable-type:
+            metavariable: $X
+            type: string
+  message: sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This
+    means that the usual SQL injection protections are not applied and this function is vulnerable to
+    SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as `or_()`, `and_()`, etc.)
+    to construct SQL.
+  metadata:
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    category: security
+    technology:
+    - sqlalchemy
+    confidence: MEDIUM
+    references:
+    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  languages:
+  - python
+  severity: ERROR

package/rules/python/sqlalchemy/security/sqlalchemy-execute-raw-query.yaml

@@ -0,0 +1,67 @@
+rules:
+- id: sqlalchemy-execute-raw-query
+  message: >-
+    Avoiding SQL string concatenation: untrusted input concatenated with raw
+    SQL query can result in SQL Injection. In order to execute raw query
+    safely, prepared statement should be used.
+    SQLAlchemy provides TextualSQL to easily used prepared statement with
+    named parameters. For complex SQL composition, use SQL Expression
+    Language or Schema Definition Language. In most cases, SQLAlchemy ORM
+    will be a better option.
+  metadata:
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
+    - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
+    - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column
+    category: security
+    technology:
+    - sqlalchemy
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  severity: ERROR
+  languages:
+  - python
+  pattern-either:
+  - pattern: |
+      $CONNECTION.execute( $SQL + ..., ... )
+  - pattern: |
+      $CONNECTION.execute( $SQL % (...), ...)
+  - pattern: |
+      $CONNECTION.execute( $SQL.format(...), ... )
+  - pattern: |
+      $CONNECTION.execute(f"...{...}...", ...)
+  - patterns:
+    - pattern-inside: |
+        $QUERY = $SQL + ...
+        ...
+    - pattern: |
+        $CONNECTION.execute($QUERY, ...)
+  - patterns: 
+    - pattern-inside: |
+        $QUERY = $SQL % (...)
+        ...
+    - pattern: |
+        $CONNECTION.execute($QUERY, ...)
+  - patterns:
+    - pattern-inside: |
+        $QUERY = $SQL.format(...)
+        ...
+    - pattern: |
+        $CONNECTION.execute($QUERY, ...)
+  - patterns:
+    - pattern-inside: |
+        $QUERY = f"...{...}..."
+        ...
+    - pattern: |
+        $CONNECTION.execute($QUERY, ...)

package/rules/python/sqlalchemy/security/sqlalchemy-sql-injection.yaml

@@ -0,0 +1,59 @@
+rules:
+- id: sqlalchemy-sql-injection
+  patterns:
+  - pattern-either:
+    - pattern: |
+        def $FUNC(...,$VAR,...):
+          ...
+          $SESSION.query(...).$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
+    - pattern: |
+        def $FUNC(...,$VAR,...):
+          ...
+          $SESSION.query.join(...).$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
+    - pattern: |
+        def $FUNC(...,$VAR,...):
+          ...
+          $SESSION.query.$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
+    - pattern: |
+        def $FUNC(...,$VAR,...):
+          ...
+          query.$SQLFUNC("...".$FORMATFUNC(...,$VAR,...))
+  - metavariable-regex:
+      metavariable: $SQLFUNC
+      regex: (group_by|order_by|distinct|having|filter)
+  - metavariable-regex:
+      metavariable: $FORMATFUNC
+      regex: (?!bindparams)
+  message: >-
+    Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections
+    if the developer inputs raw SQL into the before-mentioned clauses.
+    This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having,
+    group_by, order_by or filter clauses and
+    injects user-input into the raw SQL with any function besides "bindparams". Use bindParams to securely
+    bind user-input
+    to SQL statements.
+  fix-regex:
+    regex: format
+    replacement: bindparams
+  languages:
+  - python
+  severity: WARNING
+  metadata:
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    category: security
+    technology:
+    - sqlalchemy
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: HIGH
+    confidence: MEDIUM

package/rules/python/twilio/security/twiml-injection.yaml

@@ -0,0 +1,50 @@
+rules:
+  - id: twiml-injection
+    languages: [python]
+    severity: WARNING
+    message: >-
+      Using non-constant TwiML (Twilio Markup Language) argument when creating a
+      Twilio conversation could allow the injection of additional TwiML commands
+    metadata:
+      cwe:
+      - "CWE-91: XML Injection"
+      owasp:
+      - "A03:2021 - Injection"
+      - A05:2025 - Injection
+      category: security
+      technology:
+      - python
+      - twilio
+      - twiml
+      confidence: MEDIUM
+      likelihood: HIGH
+      impact: MEDIUM
+      subcategory: 
+        - vuln
+      references:
+      - https://codeberg.org/fennix/funjection
+    mode: taint
+    pattern-sources:
+    - pattern: |
+        f"..."
+    - pattern: |
+        "..." % ...
+    - pattern: |
+        "...".format(...)
+
+    - patterns:
+        - pattern: $ARG
+        - pattern-inside: |
+            def $F(..., $ARG, ...):
+                ...
+
+    pattern-sanitizers:
+    - pattern: xml.sax.saxutils.escape(...)
+    - pattern: html.escape(...)
+
+    pattern-sinks:
+    - patterns:
+      - pattern: |
+          $CLIENT.calls.create(..., twiml=$SINK, ...)
+
+      - focus-metavariable: $SINK

package/rules/ruby/aws-lambda/security/activerecord-sqli.yaml

@@ -0,0 +1,50 @@
+rules:
+- id: activerecord-sqli
+  languages:
+  - ruby
+  message: >-
+    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the
+    variable is user-controlled
+    and not properly sanitized. In order to prevent SQL injection,
+    use parameterized queries or prepared statements instead.
+    You can use parameterized statements like so:
+    `Example.find_by_sql ["SELECT title FROM posts WHERE author = ? AND created > ?", author_id, start_date]`
+  mode: taint
+  metadata:
+    references:
+    - https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql
+    category: security
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    technology:
+    - aws-lambda
+    - active-record
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+  pattern-sinks:
+  - patterns:
+    - pattern: $QUERY
+    - pattern-either:
+      - pattern: ActiveRecord::Base.connection.execute($QUERY,...)
+      - pattern: $MODEL.find_by_sql($QUERY,...)
+      - pattern: $MODEL.select_all($QUERY,...)
+    - pattern-inside: |
+        require 'active_record'
+        ...
+  pattern-sources:
+  - patterns:
+    - pattern: event
+    - pattern-inside: |
+        def $HANDLER(event, context)
+          ...
+        end
+  severity: WARNING

package/rules/ruby/aws-lambda/security/mysql2-sqli.yaml

@@ -0,0 +1,50 @@
+rules:
+- id: mysql2-sqli
+  languages:
+  - ruby
+  message: >-
+    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the
+    variable is user-controlled
+    and not properly sanitized. In order to prevent SQL injection,
+    use parameterized queries or prepared statements instead.
+    You can use sanitize statements like so: `escaped = client.escape(user_input)`
+  mode: taint
+  metadata:
+    references:
+    - https://github.com/brianmario/mysql2
+    category: security
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    technology:
+    - aws-lambda
+    - mysql2
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+  pattern-sinks:
+  - patterns:
+    - pattern: $QUERY
+    - pattern-either:
+      - pattern: $CLIENT.query($QUERY,...)
+      - pattern: $CLIENT.prepare($QUERY,...)
+    - pattern-inside: |
+        require 'mysql2'
+        ...
+  pattern-sanitizers:
+  - pattern: $CLIENT.escape(...)
+  pattern-sources:
+  - patterns:
+    - pattern: event
+    - pattern-inside: |
+        def $HANDLER(event, context)
+          ...
+        end
+  severity: WARNING

package/rules/ruby/aws-lambda/security/pg-sqli.yaml

@@ -0,0 +1,54 @@
+rules:
+- id: pg-sqli
+  languages:
+  - ruby
+  message: >-
+    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the
+    variable is user-controlled
+    and not properly sanitized. In order to prevent SQL injection,
+    use parameterized queries or prepared statements instead.
+    You can use parameterized statements like so:
+    `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`
+  mode: taint
+  metadata:
+    references:
+    - https://www.rubydoc.info/gems/pg/PG/Connection
+    category: security
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    technology:
+    - aws-lambda
+    - postgres
+    - pg
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+  pattern-sinks:
+  - patterns:
+    - pattern: $QUERY
+    - pattern-either:
+      - pattern: $CONN.exec($QUERY,...)
+      - pattern: $CONN.exec_params($QUERY,...)
+      - pattern: $CONN.exec_prepared($QUERY,...)
+      - pattern: $CONN.async_exec($QUERY,...)
+      - pattern: $CONN.async_exec_params($QUERY,...)
+      - pattern: $CONN.async_exec_prepared($QUERY,...)
+    - pattern-inside: |
+        require 'pg'
+        ...
+  pattern-sources:
+  - patterns:
+    - pattern: event
+    - pattern-inside: |
+        def $HANDLER(event, context)
+          ...
+        end
+  severity: WARNING

package/rules/ruby/aws-lambda/security/sequel-sqli.yaml

@@ -0,0 +1,49 @@
+rules:
+- id: sequel-sqli
+  languages:
+  - ruby
+  message: >-
+    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the
+    variable is user-controlled
+    and not properly sanitized. In order to prevent SQL injection,
+    use parameterized queries or prepared statements instead.
+    You can use parameterized statements like so:
+    `DB['select * from items where name = ?', name]`
+  mode: taint
+  metadata:
+    references:
+    - https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries
+    category: security
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    technology:
+    - aws-lambda
+    - sequel
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+  pattern-sinks:
+  - patterns:
+    - pattern: $QUERY
+    - pattern-either:
+      - pattern: DB[$QUERY,...]
+      - pattern: DB.run($QUERY,...)
+    - pattern-inside: |
+        require 'sequel'
+        ...
+  pattern-sources:
+  - patterns:
+    - pattern: event
+    - pattern-inside: |
+        def $HANDLER(event, context)
+          ...
+        end
+  severity: WARNING

package/rules/ruby/aws-lambda/security/tainted-deserialization.yaml

@@ -0,0 +1,54 @@
+rules:
+- id: tainted-deserialization
+  mode: taint
+  languages: [ruby]
+  message: >-
+    Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into
+    strings,
+    then later loaded from strings. However, uses of `load` can cause remote code execution.
+    Loading user input with MARSHAL, YAML or CSV can potentially be dangerous.
+    If you need to deserialize untrusted data, you should use JSON as it is only capable of returning
+    'primitive' types
+    such as strings, arrays, hashes, numbers and nil.
+  metadata:
+    references:
+    - https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html
+    - https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ
+    - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb
+    category: security
+    owasp:
+    - A08:2017 - Insecure Deserialization
+    - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
+    cwe:
+    - 'CWE-502: Deserialization of Untrusted Data'
+    technology:
+    - ruby
+    - aws-lambda
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+  pattern-sinks:
+  - patterns:
+    - pattern: $SINK
+    - pattern-either:
+      - pattern-inside: |
+          YAML.load($SINK,...)
+      - pattern-inside: |
+          CSV.load($SINK,...)
+      - pattern-inside: |
+          Marshal.load($SINK,...)
+      - pattern-inside: |
+          Marshal.restore($SINK,...)
+  pattern-sources:
+  - patterns:
+    - pattern: event
+    - pattern-inside: |
+        def $HANDLER(event, context)
+          ...
+        end
+  severity: WARNING

package/rules/ruby/aws-lambda/security/tainted-sql-string.yaml

@@ -0,0 +1,57 @@
+rules:
+- id: tainted-sql-string
+  languages: [ruby]
+  severity: ERROR
+  message: >-
+    Detected user input used to manually construct a SQL string. This is usually
+    bad practice because manual construction could accidentally result in a SQL
+    injection. An attacker could use a SQL injection to steal or modify contents
+    of the database. Instead, use a parameterized query which is available
+    by default in most database engines. Alternatively, consider using an
+    object-relational mapper (ORM) such as Sequelize which will protect your queries.
+  metadata:
+    references:
+    - https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet
+    category: security
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    technology:
+    - aws-lambda
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern: event
+    - pattern-inside: |
+        def $HANDLER(event, context)
+          ...
+        end
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - patterns:
+        - pattern: |
+            "...#{...}..."
+        - pattern-regex: (?i)(select|delete|insert|create|update|alter|drop)\b|\w+\s*!?[<>=].*
+      - patterns:
+        - pattern-either:
+          - pattern: Kernel::sprintf("$SQLSTR", ...)
+          - pattern: |
+              "$SQLSTR" + $EXPR
+          - pattern: |
+              "$SQLSTR" % $EXPR
+        - metavariable-regex:
+            metavariable: $SQLSTR
+            regex: (?i)(select|delete|insert|create|update|alter|drop)\b|\w+\s*!?[<>=].*
+    - pattern-not-inside: |
+        puts(...)

package/rules/ruby/jwt/security/audit/jwt-decode-without-verify.yaml

@@ -0,0 +1,32 @@
+rules:
+- id: ruby-jwt-decode-without-verify
+  message: >-
+    Detected the decoding of a JWT token without a verify step.
+    JWT tokens must be verified before use, otherwise the token's
+    integrity is unknown. This means a malicious actor could forge
+    a JWT token with any claims.
+  metadata:
+    cwe:
+    - 'CWE-345: Insufficient Verification of Data Authenticity'
+    owasp:
+    - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
+    source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
+    category: security
+    technology:
+    - jwt
+    references:
+    - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  languages: [ruby]
+  severity: WARNING
+  patterns:
+  - pattern-inside: |
+      require 'jwt'
+      ...
+  - pattern: |-
+      JWT.decode($PAYLOAD,$SECRET,false,...)

package/rules/ruby/jwt/security/audit/jwt-exposed-data.yaml

@@ -0,0 +1,36 @@
+rules:
+- id: ruby-jwt-exposed-data
+  message: >-
+    The object is passed strictly to jsonwebtoken.sign(...)
+    Make sure that sensitive information is not exposed through JWT token payload.
+  severity: WARNING
+  metadata:
+    owasp:
+    - A02:2017 - Broken Authentication
+    - A04:2021 - Insecure Design
+    - A06:2025 - Insecure Design
+    cwe:
+    - 'CWE-522: Insufficiently Protected Credentials'
+    source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
+    category: security
+    technology:
+    - jwt
+    references:
+    - https://owasp.org/Top10/A04_2021-Insecure_Design
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  languages: [ruby]
+  patterns:
+  - pattern-inside: |
+      require 'jwt'
+      ...
+  - pattern-inside: |
+      def $FUNC(...,$INPUT,...)
+        ...
+      end
+  - pattern: |
+      JWT.encode($INPUT,...)

package/rules/ruby/jwt/security/jwt-exposed-credentials.yaml

@@ -0,0 +1,35 @@
+rules:
+- id: ruby-jwt-exposed-credentials
+  languages:
+  - ruby
+  metadata:
+    cwe:
+    - 'CWE-522: Insufficiently Protected Credentials'
+    owasp:
+    - A02:2017 - Broken Authentication
+    - A04:2021 - Insecure Design
+    - A06:2025 - Insecure Design
+    source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/
+    references:
+    - https://cwe.mitre.org/data/definitions/522.html
+    category: security
+    technology:
+    - jwt
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  message: >-
+    Password is exposed through JWT token payload. This is not encrypted and
+    the password could be compromised. Do not store passwords in JWT tokens.
+  patterns:
+  - pattern-inside: |
+      require 'jwt'
+      ...
+  - pattern: |
+      $PAYLOAD = {...,password:...,...}
+      ...
+      JWT.encode($PAYLOAD,...)
+  severity: ERROR