opensecurity 0.1.0 → 0.2.0

Files changed (42) hide show
  1. package/README.md +156 -30
  2. package/assets/grammars/README.md +9 -0
  3. package/assets/grammars/tree-sitter-c-sharp.wasm +0 -0
  4. package/assets/grammars/tree-sitter-c.wasm +0 -0
  5. package/assets/grammars/tree-sitter-cpp.wasm +0 -0
  6. package/assets/grammars/tree-sitter-go.wasm +0 -0
  7. package/assets/grammars/tree-sitter-java.wasm +0 -0
  8. package/assets/grammars/tree-sitter-kotlin.wasm +0 -0
  9. package/assets/grammars/tree-sitter-php.wasm +0 -0
  10. package/assets/grammars/tree-sitter-python.wasm +0 -0
  11. package/assets/grammars/tree-sitter-ruby.wasm +0 -0
  12. package/assets/grammars/tree-sitter-rust.wasm +0 -0
  13. package/assets/grammars/tree-sitter-swift.wasm +0 -0
  14. package/dist/adapters/bandit.js +41 -0
  15. package/dist/adapters/brakeman.js +41 -0
  16. package/dist/adapters/gosec.js +49 -0
  17. package/dist/adapters/languages.js +29 -0
  18. package/dist/adapters/runner.js +46 -0
  19. package/dist/adapters/semgrep.js +59 -0
  20. package/dist/adapters/types.js +1 -0
  21. package/dist/adapters/utils.js +52 -0
  22. package/dist/analysis/infraPatterns.js +196 -0
  23. package/dist/analysis/universalPatterns.js +56 -0
  24. package/dist/cli.js +15 -1
  25. package/dist/config.js +2 -1
  26. package/dist/native/languages.js +211 -0
  27. package/dist/native/loader.js +61 -0
  28. package/dist/native/rules.js +14 -0
  29. package/dist/native/taint.js +225 -0
  30. package/dist/scan.js +207 -0
  31. package/package.json +21 -2
  32. package/rules/taint/c.json +47 -0
  33. package/rules/taint/cpp.json +47 -0
  34. package/rules/taint/csharp.json +99 -0
  35. package/rules/taint/go.json +86 -0
  36. package/rules/taint/java.json +101 -0
  37. package/rules/taint/kotlin.json +86 -0
  38. package/rules/taint/php.json +100 -0
  39. package/rules/taint/python.json +108 -0
  40. package/rules/taint/ruby.json +101 -0
  41. package/rules/taint/rust.json +86 -0
  42. package/rules/taint/swift.json +86 -0
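--- /dev/null
+++ b/package/rules/taint/csharp.json
@@ -0,0 +1,99 @@
+ {
+ "language": "csharp",
+ "rules": [
+ {
+ "id": "cs-sqli",
+ "title": "SQL Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "Request.QueryString", "matcher": { "calleePattern": ["Request.QueryString*", "Request.Form*"] } }
+ ],
+ "sinks": [
+ { "id": "sql", "name": "SqlCommand.Execute", "matcher": { "calleePattern": ["*.ExecuteNonQuery", "*.ExecuteReader", "*.ExecuteScalar"] } }
+ ]
+ },
+ {
+ "id": "cs-cmd",
+ "title": "Command Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "Request.QueryString", "matcher": { "calleePattern": ["Request.QueryString*", "Request.Form*"] } }
+ ],
+ "sinks": [
+ { "id": "proc", "name": "Process.Start", "matcher": { "calleePattern": ["Process.Start"] } }
+ ]
+ },
+ {
+ "id": "cs-path",
+ "title": "Path Traversal",
+ "severity": "high",
+ "owasp": "A01:2021 Broken Access Control",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "Request.QueryString", "matcher": { "calleePattern": ["Request.QueryString*", "Request.Form*"] } }
+ ],
+ "sinks": [
+ { "id": "file", "name": "File.ReadAllText", "matcher": { "calleePattern": ["File.ReadAllText", "File.ReadAllBytes", "File.OpenRead"] } }
+ ]
+ },
+ {
+ "id": "cs-ssrf",
+ "title": "Server-Side Request Forgery",
+ "severity": "high",
+ "owasp": "A10:2021 Server-Side Request Forgery",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "Request.QueryString", "matcher": { "calleePattern": ["Request.QueryString*", "Request.Form*"] } }
+ ],
+ "sinks": [
+ { "id": "http", "name": "HttpClient", "matcher": { "calleePattern": ["HttpClient.GetAsync", "HttpClient.PostAsync", "WebClient.DownloadString"] } }
+ ]
+ },
+ {
+ "id": "cs-deser",
+ "title": "Unsafe Deserialization",
+ "severity": "high",
+ "owasp": "A08:2021 Software and Data Integrity Failures",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "Request.QueryString", "matcher": { "calleePattern": ["Request.QueryString*", "Request.Form*"] } }
+ ],
+ "sinks": [
+ { "id": "binary", "name": "BinaryFormatter.Deserialize", "matcher": { "calleePattern": ["BinaryFormatter.Deserialize"] } }
+ ]
+ },
+ {
+ "id": "cs-xss-template",
+ "title": "Server Template XSS",
+ "severity": "medium",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "Request.QueryString", "matcher": { "calleePattern": ["Request.QueryString*", "Request.Form*"] } }
+ ],
+ "sinks": [
+ { "id": "write", "name": "Response.Write", "matcher": { "calleePattern": ["Response.Write"] } }
+ ]
+ },
+ {
+ "id": "cs-weak-crypto",
+ "title": "Weak Crypto",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "direct",
+ "calleePattern": ["MD5.Create", "SHA1.Create", "*MD5*", "*SHA1*"]
+ },
+ {
+ "id": "cs-hardcoded-secret",
+ "title": "Hardcoded Secret",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "secret",
+ "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+ }
+ ]
+ }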
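Review bot: The cs-ssrf and cs-deser sinks are anchored to type names (`HttpClient.GetAsync`, `HttpClient.PostAsync`, `WebClient.DownloadString`, `BinaryFormatter.Deserialize`) even though these are instance methods, so the common call shape `client.GetAsync(url)` or `formatter.Deserialize(stream)` will not match unless the engine resolves receivers to their declared type, which this rule file alone cannot show; the cs-sqli sink already uses the receiver-agnostic form `*.ExecuteNonQuery`, so the file is inconsistent with itself. Suggest `"calleePattern": ["*.GetAsync", "*.PostAsync", "*.DownloadString"]` for cs-ssrf; for cs-deser a bare `*.Deserialize` would also catch safe serializers, so keep the typed entry and add the receiver-agnostic one only if the engine can filter by type. In cs-weak-crypto, `MD5.Create` and `SHA1.Create` are already subsumed by `*MD5*` and `*SHA1*`. The cs-hardcoded-secret `literalPattern` is repeated byte-for-byte in every rule file in this commit (go, java, kotlin, php, python as well), and its `key` alternative also matches words such as `keyboard` or `monkey`; a single shared pattern with a word boundary on the keyword (e.g. `\\b(api[_-]?key|secret|token|password|passwd|pwd)\\b`) would cut false positives and keep the eleven copies from drifting apart.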
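--- /dev/null
+++ b/package/rules/taint/go.json
@@ -0,0 +1,86 @@
+ {
+ "language": "go",
+ "rules": [
+ {
+ "id": "go-sqli",
+ "title": "SQL Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "query", "name": "r.URL.Query", "matcher": { "calleePattern": ["*.Query", "*.Query().Get", "*.FormValue"] } }
+ ],
+ "sinks": [
+ { "id": "sql-exec", "name": "db.Exec", "matcher": { "calleePattern": ["*.Exec", "*.Query", "*.QueryRow"] } }
+ ]
+ },
+ {
+ "id": "go-cmd",
+ "title": "Command Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "query", "name": "r.URL.Query", "matcher": { "calleePattern": ["*.Query", "*.Query().Get", "*.FormValue"] } }
+ ],
+ "sinks": [
+ { "id": "exec", "name": "exec.Command", "matcher": { "calleePattern": ["exec.Command"] } }
+ ]
+ },
+ {
+ "id": "go-path",
+ "title": "Path Traversal",
+ "severity": "high",
+ "owasp": "A01:2021 Broken Access Control",
+ "kind": "taint",
+ "sources": [
+ { "id": "query", "name": "r.URL.Query", "matcher": { "calleePattern": ["*.Query", "*.Query().Get", "*.FormValue"] } }
+ ],
+ "sinks": [
+ { "id": "os-open", "name": "os.Open", "matcher": { "calleePattern": ["os.Open", "os.OpenFile", "ioutil.ReadFile", "os.ReadFile"] } }
+ ]
+ },
+ {
+ "id": "go-ssrf",
+ "title": "Server-Side Request Forgery",
+ "severity": "high",
+ "owasp": "A10:2021 Server-Side Request Forgery",
+ "kind": "taint",
+ "sources": [
+ { "id": "query", "name": "r.URL.Query", "matcher": { "calleePattern": ["*.Query", "*.Query().Get", "*.FormValue"] } }
+ ],
+ "sinks": [
+ { "id": "http", "name": "http.Get", "matcher": { "calleePattern": ["http.Get", "http.Post", "http.NewRequest"] } }
+ ]
+ },
+ {
+ "id": "go-xss-template",
+ "title": "Server Template XSS",
+ "severity": "medium",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "query", "name": "r.URL.Query", "matcher": { "calleePattern": ["*.Query", "*.Query().Get", "*.FormValue"] } }
+ ],
+ "sinks": [
+ { "id": "tmpl", "name": "template.Execute", "matcher": { "calleePattern": ["*.Execute", "*.ExecuteTemplate"] } }
+ ]
+ },
+ {
+ "id": "go-weak-crypto",
+ "title": "Weak Crypto",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "direct",
+ "calleePattern": ["*md5*", "*sha1*"]
+ },
+ {
+ "id": "go-hardcoded-secret",
+ "title": "Hardcoded Secret",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "secret",
+ "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+ }
+ ]
+ }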
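Review bot: `*.Query` is listed both as a taint source (in every rule's `sources`, copied from go-sqli) and as a go-sqli sink, so a `db.Query(...)` call is itself a source and `r.URL.Query()` is itself a sink; depending on how the engine orders source and sink matching this either reports every database query as flowing into itself or never reports the intended `r.URL.Query()` → `db.Query()` flow. Narrow the source side to the request-reading forms, `"calleePattern": ["*.URL.Query", "*.FormValue", "*.PostFormValue"]`, and note that the existing `*.Query().Get` entry only works if the matcher keeps call parentheses in the callee text, which cannot be confirmed from this file. On the sink side the database/sql context variants `*.ExecContext`, `*.QueryContext` and `*.QueryRowContext` are missing and are the forms most server code uses. Because the same source list is pasted into all five taint rules, the fix has to be applied to each copy.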
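--- /dev/null
+++ b/package/rules/taint/java.json
@@ -0,0 +1,101 @@
+ {
+ "language": "java",
+ "rules": [
+ {
+ "id": "java-sqli",
+ "title": "SQL Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "jdbc", "name": "Statement.execute", "matcher": { "calleePattern": ["*.execute", "*.executeQuery", "*.executeUpdate"] } }
+ ]
+ },
+ {
+ "id": "java-cmd",
+ "title": "Command Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "runtime", "name": "Runtime.exec", "matcher": { "calleePattern": ["Runtime.getRuntime.exec", "*.exec"] } },
+ { "id": "process", "name": "ProcessBuilder", "matcher": { "calleePattern": ["ProcessBuilder"] } }
+ ]
+ },
+ {
+ "id": "java-path",
+ "title": "Path Traversal",
+ "severity": "high",
+ "owasp": "A01:2021 Broken Access Control",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "file", "name": "FileInputStream", "matcher": { "calleePattern": ["FileInputStream", "Files.readAllBytes", "Files.readString"] } }
+ ]
+ },
+ {
+ "id": "java-ssrf",
+ "title": "Server-Side Request Forgery",
+ "severity": "high",
+ "owasp": "A10:2021 Server-Side Request Forgery",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "url", "name": "URL.openConnection", "matcher": { "calleePattern": ["*.openConnection"] } },
+ { "id": "rest", "name": "RestTemplate", "matcher": { "calleePattern": ["*.getForObject", "*.postForObject", "*.exchange"] } }
+ ]
+ },
+ {
+ "id": "java-deser",
+ "title": "Unsafe Deserialization",
+ "severity": "high",
+ "owasp": "A08:2021 Software and Data Integrity Failures",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "ois", "name": "ObjectInputStream.readObject", "matcher": { "calleePattern": ["*.readObject"] } }
+ ]
+ },
+ {
+ "id": "java-xss-template",
+ "title": "Server Template XSS",
+ "severity": "medium",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "model", "name": "ModelAndView", "matcher": { "calleePattern": ["ModelAndView"] } }
+ ]
+ },
+ {
+ "id": "java-weak-crypto",
+ "title": "Weak Crypto",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "direct",
+ "calleePattern": ["MessageDigest.getInstance", "*MD5*", "*SHA1*"]
+ },
+ {
+ "id": "java-hardcoded-secret",
+ "title": "Hardcoded Secret",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "secret",
+ "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+ }
+ ]
+ }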
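Review bot: java-weak-crypto lists the bare `MessageDigest.getInstance` as a direct match, so every digest lookup, including `MessageDigest.getInstance("SHA-256")`, is reported as weak crypto; only the algorithm argument separates weak from strong, and a callee-only pattern cannot see it. Unless the engine supports matching on arguments, drop that entry and keep `"calleePattern": ["*MD5*", "*SHA1*"]`, which is also what kt-weak-crypto in this same commit uses. In java-cmd, `Runtime.getRuntime.exec` is written without call parentheses while the Go file writes `*.Query().Get` with them, so one of the two spellings cannot match whatever callee text the engine produces; `*.exec` already covers the Runtime case, so the literal entry can simply go. In java-sqli, `*.execute` will also match `Executor.execute`, Apache `HttpClient.execute` and similar non-JDBC calls, which is worth a note on the rule or a lower confidence, and the java-xss-template sink `ModelAndView` describes view-name injection rather than XSS, so the title is misleading for the finding it produces.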
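--- /dev/null
+++ b/package/rules/taint/kotlin.json
@@ -0,0 +1,86 @@
+ {
+ "language": "kotlin",
+ "rules": [
+ {
+ "id": "kt-sqli",
+ "title": "SQL Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "jdbc", "name": "Statement.execute", "matcher": { "calleePattern": ["*.execute", "*.executeQuery", "*.executeUpdate"] } }
+ ]
+ },
+ {
+ "id": "kt-cmd",
+ "title": "Command Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "runtime", "name": "Runtime.exec", "matcher": { "calleePattern": ["Runtime.getRuntime.exec", "*.exec"] } }
+ ]
+ },
+ {
+ "id": "kt-path",
+ "title": "Path Traversal",
+ "severity": "high",
+ "owasp": "A01:2021 Broken Access Control",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "file", "name": "Files.readAllBytes", "matcher": { "calleePattern": ["Files.readAllBytes", "Files.readString", "FileInputStream"] } }
+ ]
+ },
+ {
+ "id": "kt-ssrf",
+ "title": "Server-Side Request Forgery",
+ "severity": "high",
+ "owasp": "A10:2021 Server-Side Request Forgery",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "url", "name": "URL.openConnection", "matcher": { "calleePattern": ["*.openConnection"] } }
+ ]
+ },
+ {
+ "id": "kt-xss-template",
+ "title": "Server Template XSS",
+ "severity": "medium",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+ ],
+ "sinks": [
+ { "id": "tmpl", "name": "render", "matcher": { "calleePattern": ["render", "*.render"] } }
+ ]
+ },
+ {
+ "id": "kt-weak-crypto",
+ "title": "Weak Crypto",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "direct",
+ "calleePattern": ["*MD5*", "*SHA1*"]
+ },
+ {
+ "id": "kt-hardcoded-secret",
+ "title": "Hardcoded Secret",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "secret",
+ "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+ }
+ ]
+ }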
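Review bot: kt-cmd's sink list stops at `Runtime.exec`, while the Java rule set in this same commit also lists `ProcessBuilder` as a command-injection sink; Kotlin on the JVM uses the very same class, so a `ProcessBuilder(cmd).start()` fed from `request.getParameter` is reported for Java but silently missed for Kotlin. Add `{ "id": "process", "name": "ProcessBuilder", "matcher": { "calleePattern": ["ProcessBuilder"] } }` to the kt-cmd sinks. The same asymmetry holds for kt-ssrf, which lacks the Java file's RestTemplate sink (`*.getForObject`, `*.postForObject`, `*.exchange`) even though Spring is just as common from Kotlin. Separately, the kt-xss-template sink `render` / `*.render` matches any method of that name (UI toolkits, graphics renderers, test helpers), so expect noise unless the engine can restrict by receiver type.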
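--- /dev/null
+++ b/package/rules/taint/php.json
@@ -0,0 +1,100 @@
+ {
+ "language": "php",
+ "rules": [
+ {
+ "id": "php-sqli",
+ "title": "SQL Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "get", "name": "$_GET", "matcher": { "calleePattern": ["$_GET*", "$_POST*", "$_REQUEST*"] } }
+ ],
+ "sinks": [
+ { "id": "query", "name": "query", "matcher": { "calleePattern": ["*.query", "*.exec"] } }
+ ]
+ },
+ {
+ "id": "php-cmd",
+ "title": "Command Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "get", "name": "$_GET", "matcher": { "calleePattern": ["$_GET*", "$_POST*", "$_REQUEST*"] } }
+ ],
+ "sinks": [
+ { "id": "system", "name": "system", "matcher": { "callee": ["system", "exec", "shell_exec", "passthru"] } }
+ ]
+ },
+ {
+ "id": "php-path",
+ "title": "Path Traversal",
+ "severity": "high",
+ "owasp": "A01:2021 Broken Access Control",
+ "kind": "taint",
+ "sources": [
+ { "id": "get", "name": "$_GET", "matcher": { "calleePattern": ["$_GET*", "$_POST*", "$_REQUEST*"] } }
+ ],
+ "sinks": [
+ { "id": "file", "name": "file_get_contents", "matcher": { "callee": ["file_get_contents", "fopen", "readfile"] } }
+ ]
+ },
+ {
+ "id": "php-ssrf",
+ "title": "Server-Side Request Forgery",
+ "severity": "high",
+ "owasp": "A10:2021 Server-Side Request Forgery",
+ "kind": "taint",
+ "sources": [
+ { "id": "get", "name": "$_GET", "matcher": { "calleePattern": ["$_GET*", "$_POST*", "$_REQUEST*"] } }
+ ],
+ "sinks": [
+ { "id": "curl", "name": "curl_exec", "matcher": { "callee": ["curl_exec"] } },
+ { "id": "fopen", "name": "fopen", "matcher": { "callee": ["fopen", "file_get_contents"] } }
+ ]
+ },
+ {
+ "id": "php-deser",
+ "title": "Unsafe Deserialization",
+ "severity": "high",
+ "owasp": "A08:2021 Software and Data Integrity Failures",
+ "kind": "taint",
+ "sources": [
+ { "id": "get", "name": "$_GET", "matcher": { "calleePattern": ["$_GET*", "$_POST*", "$_REQUEST*"] } }
+ ],
+ "sinks": [
+ { "id": "unserialize", "name": "unserialize", "matcher": { "callee": ["unserialize"] } }
+ ]
+ },
+ {
+ "id": "php-xss-template",
+ "title": "Server Template XSS",
+ "severity": "medium",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "get", "name": "$_GET", "matcher": { "calleePattern": ["$_GET*", "$_POST*", "$_REQUEST*"] } }
+ ],
+ "sinks": [
+ { "id": "echo", "name": "echo", "matcher": { "calleePattern": ["echo", "print"] } }
+ ]
+ },
+ {
+ "id": "php-weak-crypto",
+ "title": "Weak Crypto",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "direct",
+ "calleePattern": ["*md5*", "*sha1*"]
+ },
+ {
+ "id": "php-hardcoded-secret",
+ "title": "Hardcoded Secret",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "secret",
+ "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+ }
+ ]
+ }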
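Review bot: The php-xss-template sink is `"calleePattern": ["echo", "print"]`, but `echo` and `print` are language constructs rather than function calls — tree-sitter-php (whose grammar this commit ships) parses them as statement/intrinsic nodes, not `function_call_expression` — so a callee-based matcher is unlikely ever to see them and the rule may be silently dead; the same question applies to the `$_GET*` / `$_POST*` / `$_REQUEST*` sources, which are superglobal array reads, not calls. This needs checking against the matcher in native/taint.js (not in this hunk); if it only visits call expressions, either add statement-level matching there or mark the rule as not yet functional. Also `fopen` and `file_get_contents` are sinks in both php-path and php-ssrf, so one tainted read yields two findings under different titles, and php-sqli covers only the method form `*.query` / `*.exec` while the procedural APIs `mysqli_query` and `pg_query` are not listed. Whether `*.query` matches the PHP `->` call syntax depends on how the engine normalizes the callee text, which this file does not show.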
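--- /dev/null
+++ b/package/rules/taint/python.json
@@ -0,0 +1,108 @@
+ {
+ "language": "python",
+ "rules": [
+ {
+ "id": "py-sqli",
+ "title": "SQL Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "req-args", "name": "request.args.get", "matcher": { "calleePrefix": ["request.args.get", "request.form.get", "request.values.get"] } },
+ { "id": "input", "name": "input", "matcher": { "callee": ["input", "raw_input"] } }
+ ],
+ "sinks": [
+ { "id": "cursor-exec", "name": "cursor.execute", "matcher": { "calleePattern": ["*.execute", "*.executemany"] } }
+ ],
+ "sanitizers": [
+ { "id": "param", "name": "param", "matcher": { "calleePattern": ["*.execute"] } }
+ ]
+ },
+ {
+ "id": "py-cmd",
+ "title": "Command Injection",
+ "severity": "high",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "request.args.get", "matcher": { "calleePrefix": ["request.args.get", "request.form.get", "request.values.get"] } },
+ { "id": "input", "name": "input", "matcher": { "callee": ["input", "raw_input"] } }
+ ],
+ "sinks": [
+ { "id": "os-system", "name": "os.system", "matcher": { "callee": ["os.system"] } },
+ { "id": "subprocess", "name": "subprocess", "matcher": { "calleePrefix": ["subprocess.run", "subprocess.call", "subprocess.Popen"] } }
+ ]
+ },
+ {
+ "id": "py-path",
+ "title": "Path Traversal",
+ "severity": "high",
+ "owasp": "A01:2021 Broken Access Control",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "request.args.get", "matcher": { "calleePrefix": ["request.args.get", "request.form.get", "request.values.get"] } }
+ ],
+ "sinks": [
+ { "id": "open", "name": "open", "matcher": { "callee": ["open"] } },
+ { "id": "os-open", "name": "os.open", "matcher": { "calleePrefix": ["os.open", "os.listdir", "os.remove"] } }
+ ]
+ },
+ {
+ "id": "py-ssrf",
+ "title": "Server-Side Request Forgery",
+ "severity": "high",
+ "owasp": "A10:2021 Server-Side Request Forgery",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "request.args.get", "matcher": { "calleePrefix": ["request.args.get", "request.form.get", "request.values.get"] } }
+ ],
+ "sinks": [
+ { "id": "requests", "name": "requests", "matcher": { "calleePrefix": ["requests.get", "requests.post", "requests.request"] } },
+ { "id": "urllib", "name": "urllib.request.urlopen", "matcher": { "calleePrefix": ["urllib.request.urlopen"] } }
+ ]
+ },
+ {
+ "id": "py-deser",
+ "title": "Unsafe Deserialization",
+ "severity": "high",
+ "owasp": "A08:2021 Software and Data Integrity Failures",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "request.args.get", "matcher": { "calleePrefix": ["request.args.get", "request.form.get", "request.values.get"] } }
+ ],
+ "sinks": [
+ { "id": "pickle", "name": "pickle.loads", "matcher": { "calleePrefix": ["pickle.loads", "pickle.load"] } },
+ { "id": "yaml", "name": "yaml.load", "matcher": { "calleePrefix": ["yaml.load"] } }
+ ]
+ },
+ {
+ "id": "py-xss-template",
+ "title": "Server Template XSS",
+ "severity": "medium",
+ "owasp": "A03:2021 Injection",
+ "kind": "taint",
+ "sources": [
+ { "id": "req", "name": "request.args.get", "matcher": { "calleePrefix": ["request.args.get", "request.form.get", "request.values.get"] } }
+ ],
+ "sinks": [
+ { "id": "render", "name": "render_template", "matcher": { "calleePrefix": ["render_template", "render"] } }
+ ]
+ },
+ {
+ "id": "py-weak-crypto",
+ "title": "Weak Crypto",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "direct",
+ "calleePattern": ["*md5*", "*sha1*", "hashlib.md5", "hashlib.sha1"]
+ },
+ {
+ "id": "py-hardcoded-secret",
+ "title": "Hardcoded Secret",
+ "severity": "medium",
+ "owasp": "A02:2021 Cryptographic Failures",
+ "kind": "secret",
+ "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+ }
+ ]
+ }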
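Review bot: py-sqli declares a sanitizer whose matcher is `"calleePattern": ["*.execute"]`, identical to the rule's own sink pattern, so the sink and the sanitizer match exactly the same calls; depending on evaluation order in the engine this either suppresses every finding the rule could produce or never applies at all. Parameterized execution is a property of the call's arguments (placeholders plus a separate params sequence), not of the callee name, so unless the engine can match on argument shape the `"sanitizers": [ ... ]` block should be removed and the preceding `],` after the sinks changed back to `]`. Separately, the py-xss-template sink `render_template` flags ordinary Flask rendering, where Jinja autoescaping applies, while `render_template_string` — template text built from request data, the genuinely dangerous server-side template injection case — is not listed; adding it, `"calleePrefix": ["render_template_string", "render_template", "render"]`, would better match the rule's title. In py-weak-crypto, `hashlib.md5` and `hashlib.sha1` are already subsumed by `*md5*` and `*sha1*`.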