opensecurity 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +156 -30
- package/assets/grammars/README.md +9 -0
- package/assets/grammars/tree-sitter-c-sharp.wasm +0 -0
- package/assets/grammars/tree-sitter-c.wasm +0 -0
- package/assets/grammars/tree-sitter-cpp.wasm +0 -0
- package/assets/grammars/tree-sitter-go.wasm +0 -0
- package/assets/grammars/tree-sitter-java.wasm +0 -0
- package/assets/grammars/tree-sitter-kotlin.wasm +0 -0
- package/assets/grammars/tree-sitter-php.wasm +0 -0
- package/assets/grammars/tree-sitter-python.wasm +0 -0
- package/assets/grammars/tree-sitter-ruby.wasm +0 -0
- package/assets/grammars/tree-sitter-rust.wasm +0 -0
- package/assets/grammars/tree-sitter-swift.wasm +0 -0
- package/dist/adapters/bandit.js +41 -0
- package/dist/adapters/brakeman.js +41 -0
- package/dist/adapters/gosec.js +49 -0
- package/dist/adapters/languages.js +29 -0
- package/dist/adapters/runner.js +46 -0
- package/dist/adapters/semgrep.js +59 -0
- package/dist/adapters/types.js +1 -0
- package/dist/adapters/utils.js +52 -0
- package/dist/analysis/infraPatterns.js +196 -0
- package/dist/analysis/universalPatterns.js +56 -0
- package/dist/cli.js +15 -1
- package/dist/config.js +2 -1
- package/dist/native/languages.js +211 -0
- package/dist/native/loader.js +61 -0
- package/dist/native/rules.js +14 -0
- package/dist/native/taint.js +225 -0
- package/dist/scan.js +207 -0
- package/package.json +21 -2
- package/rules/taint/c.json +47 -0
- package/rules/taint/cpp.json +47 -0
- package/rules/taint/csharp.json +99 -0
- package/rules/taint/go.json +86 -0
- package/rules/taint/java.json +101 -0
- package/rules/taint/kotlin.json +86 -0
- package/rules/taint/php.json +100 -0
- package/rules/taint/python.json +108 -0
- package/rules/taint/ruby.json +101 -0
- package/rules/taint/rust.json +86 -0
- package/rules/taint/swift.json +86 -0
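--- a/package/rules/taint/ruby.json
+++ b/package/rules/taint/ruby.json
@@ -0,0 +1,101 @@
+{
+"language": "ruby",
+"rules": [
+{
+"id": "rb-sqli",
+"title": "SQL Injection",
+"severity": "high",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "params", "name": "params[]", "matcher": { "calleePattern": ["params.*", "params[]"] } }
+],
+"sinks": [
+{ "id": "exec", "name": "execute", "matcher": { "calleePattern": ["*.execute", "*.exec_query"] } }
+]
+},
+{
+"id": "rb-cmd",
+"title": "Command Injection",
+"severity": "high",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "params", "name": "params[]", "matcher": { "calleePattern": ["params.*", "params[]"] } }
+],
+"sinks": [
+{ "id": "system", "name": "system", "matcher": { "callee": ["system"] } },
+{ "id": "exec", "name": "exec", "matcher": { "callee": ["exec"] } }
+]
+},
+{
+"id": "rb-path",
+"title": "Path Traversal",
+"severity": "high",
+"owasp": "A01:2021 Broken Access Control",
+"kind": "taint",
+"sources": [
+{ "id": "params", "name": "params[]", "matcher": { "calleePattern": ["params.*", "params[]"] } }
+],
+"sinks": [
+{ "id": "file", "name": "File.read", "matcher": { "calleePattern": ["File.read", "File.open"] } }
+]
+},
+{
+"id": "rb-ssrf",
+"title": "Server-Side Request Forgery",
+"severity": "high",
+"owasp": "A10:2021 Server-Side Request Forgery",
+"kind": "taint",
+"sources": [
+{ "id": "params", "name": "params[]", "matcher": { "calleePattern": ["params.*", "params[]"] } }
+],
+"sinks": [
+{ "id": "nethttp", "name": "Net::HTTP", "matcher": { "calleePattern": ["Net::HTTP.*", "Net.HTTP.*"] } }
+]
+},
+{
+"id": "rb-deser",
+"title": "Unsafe Deserialization",
+"severity": "high",
+"owasp": "A08:2021 Software and Data Integrity Failures",
+"kind": "taint",
+"sources": [
+{ "id": "params", "name": "params[]", "matcher": { "calleePattern": ["params.*", "params[]"] } }
+],
+"sinks": [
+{ "id": "marshal", "name": "Marshal.load", "matcher": { "calleePattern": ["Marshal.load"] } },
+{ "id": "yaml", "name": "YAML.load", "matcher": { "calleePattern": ["YAML.load"] } }
+]
+},
+{
+"id": "rb-xss-template",
+"title": "Server Template XSS",
+"severity": "medium",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "params", "name": "params[]", "matcher": { "calleePattern": ["params.*", "params[]"] } }
+],
+"sinks": [
+{ "id": "render", "name": "render", "matcher": { "calleePattern": ["render"] } }
+]
+},
+{
+"id": "rb-weak-crypto",
+"title": "Weak Crypto",
+"severity": "medium",
+"owasp": "A02:2021 Cryptographic Failures",
+"kind": "direct",
+"calleePattern": ["*MD5*", "*SHA1*", "Digest::MD5", "Digest::SHA1"]
+},
+{
+"id": "rb-hardcoded-secret",
+"title": "Hardcoded Secret",
+"severity": "medium",
+"owasp": "A02:2021 Cryptographic Failures",
+"kind": "secret",
+"literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+}
+]
+}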
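Review bot: The `rb-deser` sinks (hunk line 68) list `YAML.load` but not `YAML.unsafe_load`; under Psych 4 (Ruby 3.1+) `YAML.load` is a safe load by default, so the rule fires on the safe call and misses the call that actually rebuilds arbitrary objects. I would make that matcher `{ "calleePattern": ["YAML.load", "YAML.unsafe_load", "Psych.unsafe_load"] }`. The `rb-xss-template` sink `render` (hunk line 81) will also be noisy: Rails escapes ERB output by default, so taint reaching `render json: params[:q]` is not XSS, while the real unescaping calls `raw` and `*.html_safe` are absent from the list. `rb-cmd` (hunk lines 27-28) is the only rule using `callee` rather than `calleePattern`, and it covers neither `IO.popen`, `Kernel.spawn` nor `Open3.*`; assuming the engine treats `callee` as an exact-name matcher, that difference is worth confirming against `dist/native/taint.js` so the two matcher keys are not silently diverging.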
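--- a/package/rules/taint/rust.json
+++ b/package/rules/taint/rust.json
@@ -0,0 +1,86 @@
+{
+"language": "rust",
+"rules": [
+{
+"id": "rs-sqli",
+"title": "SQL Injection",
+"severity": "high",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "query", "name": "web::Query", "matcher": { "calleePattern": ["Query::*", "Form::*"] } }
+],
+"sinks": [
+{ "id": "sqlx", "name": "query", "matcher": { "calleePattern": ["sqlx::query", "*.execute", "*.query"] } }
+]
+},
+{
+"id": "rs-cmd",
+"title": "Command Injection",
+"severity": "high",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "query", "name": "web::Query", "matcher": { "calleePattern": ["Query::*", "Form::*"] } }
+],
+"sinks": [
+{ "id": "cmd", "name": "Command::new", "matcher": { "calleePattern": ["Command::new"] } }
+]
+},
+{
+"id": "rs-path",
+"title": "Path Traversal",
+"severity": "high",
+"owasp": "A01:2021 Broken Access Control",
+"kind": "taint",
+"sources": [
+{ "id": "query", "name": "web::Query", "matcher": { "calleePattern": ["Query::*", "Form::*"] } }
+],
+"sinks": [
+{ "id": "fs", "name": "fs::read", "matcher": { "calleePattern": ["fs::read", "fs::read_to_string", "File::open"] } }
+]
+},
+{
+"id": "rs-ssrf",
+"title": "Server-Side Request Forgery",
+"severity": "high",
+"owasp": "A10:2021 Server-Side Request Forgery",
+"kind": "taint",
+"sources": [
+{ "id": "query", "name": "web::Query", "matcher": { "calleePattern": ["Query::*", "Form::*"] } }
+],
+"sinks": [
+{ "id": "reqwest", "name": "reqwest", "matcher": { "calleePattern": ["reqwest::get", "reqwest::Client.get", "reqwest::Client.post"] } }
+]
+},
+{
+"id": "rs-xss-template",
+"title": "Server Template XSS",
+"severity": "medium",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "query", "name": "web::Query", "matcher": { "calleePattern": ["Query::*", "Form::*"] } }
+],
+"sinks": [
+{ "id": "tmpl", "name": "Template.render", "matcher": { "calleePattern": ["*.render"] } }
+]
+},
+{
+"id": "rs-weak-crypto",
+"title": "Weak Crypto",
+"severity": "medium",
+"owasp": "A02:2021 Cryptographic Failures",
+"kind": "direct",
+"calleePattern": ["*md5*", "*sha1*"]
+},
+{
+"id": "rs-hardcoded-secret",
+"title": "Hardcoded Secret",
+"severity": "medium",
+"owasp": "A02:2021 Cryptographic Failures",
+"kind": "secret",
+"literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+}
+]
+}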
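Review bot: The `rs-cmd` sink (hunk line 27) only matches `Command::new`, whose argument is the program name; tainted request data normally reaches the child process through the builder's `.arg()`/`.args()` calls, which this rule never sees, so the most common flow is missed. I would extend the matcher to `{ "calleePattern": ["Command::new", "*.arg", "*.args"] }`, or whichever builder-method form the engine supports. The `rs-ssrf` patterns `reqwest::Client.get` and `reqwest::Client.post` (hunk line 53) are unlikely to match real code, where the client is held in a variable (`client.get(url)`), so in practice only `reqwest::get` is covered; since `*.get`/`*.post` would be far too broad, this probably needs a type-aware matcher rather than a callee glob. The shared source `Query::*`/`Form::*` (hunk lines 11, 24, 37, 50, 63) assumes the extractor is invoked as a call; with actix-style `web::Query<T>` extractors the value arrives as a typed function parameter with no call site, so please confirm against `dist/native/taint.js` that such parameters are also seeded as tainted.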
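--- a/package/rules/taint/swift.json
+++ b/package/rules/taint/swift.json
@@ -0,0 +1,86 @@
+{
+"language": "swift",
+"rules": [
+{
+"id": "swift-sqli",
+"title": "SQL Injection",
+"severity": "high",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "param", "name": "request.query", "matcher": { "calleePattern": ["request.query*", "request.form*"] } }
+],
+"sinks": [
+{ "id": "sql", "name": "execute", "matcher": { "calleePattern": ["*.execute", "*.executeQuery"] } }
+]
+},
+{
+"id": "swift-cmd",
+"title": "Command Injection",
+"severity": "high",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "param", "name": "request.query", "matcher": { "calleePattern": ["request.query*", "request.form*"] } }
+],
+"sinks": [
+{ "id": "process", "name": "Process", "matcher": { "calleePattern": ["Process", "Process.run"] } }
+]
+},
+{
+"id": "swift-path",
+"title": "Path Traversal",
+"severity": "high",
+"owasp": "A01:2021 Broken Access Control",
+"kind": "taint",
+"sources": [
+{ "id": "param", "name": "request.query", "matcher": { "calleePattern": ["request.query*", "request.form*"] } }
+],
+"sinks": [
+{ "id": "file", "name": "FileHandle", "matcher": { "calleePattern": ["FileHandle", "String.init", "Data.init"] } }
+]
+},
+{
+"id": "swift-ssrf",
+"title": "Server-Side Request Forgery",
+"severity": "high",
+"owasp": "A10:2021 Server-Side Request Forgery",
+"kind": "taint",
+"sources": [
+{ "id": "param", "name": "request.query", "matcher": { "calleePattern": ["request.query*", "request.form*"] } }
+],
+"sinks": [
+{ "id": "urlsession", "name": "URLSession", "matcher": { "calleePattern": ["URLSession.shared.dataTask", "URLSession.dataTask"] } }
+]
+},
+{
+"id": "swift-xss-template",
+"title": "Server Template XSS",
+"severity": "medium",
+"owasp": "A03:2021 Injection",
+"kind": "taint",
+"sources": [
+{ "id": "param", "name": "request.query", "matcher": { "calleePattern": ["request.query*", "request.form*"] } }
+],
+"sinks": [
+{ "id": "render", "name": "render", "matcher": { "calleePattern": ["render"] } }
+]
+},
+{
+"id": "swift-weak-crypto",
+"title": "Weak Crypto",
+"severity": "medium",
+"owasp": "A02:2021 Cryptographic Failures",
+"kind": "direct",
+"calleePattern": ["*MD5*", "*SHA1*"]
+},
+{
+"id": "swift-hardcoded-secret",
+"title": "Hardcoded Secret",
+"severity": "medium",
+"owasp": "A02:2021 Cryptographic Failures",
+"kind": "secret",
+"literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+}
+]
+}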
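Review bot: The `swift-path` sinks `String.init` and `Data.init` (hunk line 40) are far too broad: every `String(x)` or `Data(x)` conversion of request data becomes a high-severity path-traversal finding, while the initializers that actually touch the filesystem are `String(contentsOfFile:)`, `String(contentsOf:)` and `Data(contentsOf:)`. I would narrow the list to `FileHandle*` plus those labelled initializers, in whatever spelling the engine normalises argument labels to. The `swift-cmd` sink (hunk line 27) has the opposite problem: with Foundation's `Process`, tainted data is assigned to `arguments`, `executableURL` or `launchPath` properties before `run()`/`launch()` is called on the instance, so neither `Process` nor the textual `Process.run` will see the tainted value flow in. The `request.form*` source (hunk lines 11, 24, 37, 50, 63) does not correspond to a Vapor accessor I recognise (`req.content` is the body-decoding entry point), so please confirm which framework these source names were written against.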