seaworthycode 1.1.1 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/dist/index.js +269 -59
  2. package/dist/index.js.map +1 -1
  3. package/package.json +16 -12
  4. package/rules/external/configuration/insecure-cookie-flags.test.yaml +114 -0
  5. package/rules/external/configuration/insecure-cookie-flags.yaml +77 -0
  6. package/rules/external/configuration/missing-ssl-verification.test.yaml +130 -0
  7. package/rules/external/configuration/missing-ssl-verification.yaml +123 -0
  8. package/rules/external/data-exposure/debug-artifacts.test.yaml +143 -0
  9. package/rules/external/data-exposure/debug-artifacts.yaml +57 -0
  10. package/rules/external/data-exposure/hardcoded-ip.test.yaml +131 -0
  11. package/rules/external/data-exposure/hardcoded-ip.yaml +67 -0
  12. package/rules/external/data-exposure/localstorage-sensitive-data.test.yaml +58 -0
  13. package/rules/external/data-exposure/localstorage-sensitive-data.yaml +60 -0
  14. package/rules/external/dependencies/deprecated-functions.test.yaml +92 -0
  15. package/rules/external/dependencies/deprecated-functions.yaml +66 -0
  16. package/rules/external/ops/hardcoded-port.test.yaml +141 -0
  17. package/rules/external/ops/hardcoded-port.yaml +91 -0
  18. package/rules/external/ops/insecure-file-permissions.test.yaml +111 -0
  19. package/rules/external/ops/insecure-file-permissions.yaml +91 -0
  20. package/rules/external/resilience/missing-memory-limit.test.yaml +54 -0
  21. package/rules/external/resilience/missing-memory-limit.yaml +59 -0
  22. package/rules/external/resilience/missing-timeout-config.test.yaml +179 -0
  23. package/rules/external/resilience/missing-timeout-config.yaml +124 -0
  24. package/rules/external/security/broken-crypto-algorithm.test.yaml +104 -0
  25. package/rules/external/security/broken-crypto-algorithm.yaml +79 -0
  26. package/rules/external/security/http-method-override.test.yaml +40 -0
  27. package/rules/external/security/http-method-override.yaml +35 -0
  28. package/rules/external/security/http-no-tls.test.yaml +115 -0
  29. package/rules/external/security/http-no-tls.yaml +59 -0
  30. package/rules/external/security/path-traversal.test.yaml +188 -0
  31. package/rules/external/security/path-traversal.yaml +210 -0
  32. package/rules/external/security/unsafe-innerhtml.test.yaml +72 -0
  33. package/rules/external/security/unsafe-innerhtml.yaml +46 -0
  34. package/rules/external/security/untrusted-deserialization.test.yaml +79 -0
  35. package/rules/external/security/untrusted-deserialization.yaml +48 -0
  36. package/rules/external/security/weak-encryption-mode.test.yaml +126 -0
  37. package/rules/external/security/weak-encryption-mode.yaml +104 -0
  38. package/rules/external/security/weak-hash-algorithm.test.yaml +121 -0
  39. package/rules/external/security/weak-hash-algorithm.yaml +87 -0
  40. package/rules/external/security/xxe-parsing.test.yaml +76 -0
  41. package/rules/external/security/xxe-parsing.yaml +63 -0
  42. package/rules/internal/security/dangerous-eval.test.yaml +126 -0
  43. package/rules/internal/security/dangerous-eval.yaml +134 -0
  44. package/rules/internal/security/no-document-write.test.yaml +33 -0
  45. package/rules/internal/security/no-document-write.yaml +40 -0
  46. package/rules/internal/taint/MATRIX.md +16 -0
  47. package/rules/internal/taint/bash.test.yaml +84 -0
  48. package/rules/internal/taint/bash.yaml +166 -0
  49. package/rules/internal/taint/dvwa.test.yaml +217 -0
  50. package/rules/internal/taint/go.test.yaml +207 -0
  51. package/rules/internal/taint/go.yaml +325 -0
  52. package/rules/internal/taint/java.test.yaml +158 -0
  53. package/rules/internal/taint/java.yaml +318 -0
  54. package/rules/internal/taint/javascript.test.yaml +374 -0
  55. package/rules/internal/taint/javascript.yaml +439 -0
  56. package/rules/internal/taint/php.test.yaml +134 -0
  57. package/rules/internal/taint/php.yaml +331 -0
  58. package/rules/internal/taint/python.test.yaml +427 -0
  59. package/rules/internal/taint/python.yaml +636 -0
  60. package/rules/internal/taint/ruby.test.yaml +148 -0
  61. package/rules/internal/taint/ruby.yaml +233 -0
  62. package/rules/internal/taint/rust.test.yaml +585 -0
  63. package/rules/internal/taint/rust.yaml +483 -0
  64. package/rules/internal/taint/tsx.test.yaml +140 -0
  65. package/rules/internal/taint/tsx.yaml +51 -0
  66. package/rules/internal/taint/typescript.test.yaml +393 -0
  67. package/rules/internal/taint/typescript.yaml +660 -0
  68. package/wasm/tree-sitter-sql.wasm +0 -0
@@ -0,0 +1,210 @@
1
+ # source: clean-room
2
+ # licence: MIT
3
+ # vendored-at: 2026-05-20
4
+ # verified-by: Seaworthy team
5
+ # attribution: CWE-22
6
+ id: security.path-traversal
7
+ severity: high
8
+ category: security
9
+ min-tier: free
10
+ languages: [javascript, typescript, tsx, python, bash, rust, java, ruby]
11
+
12
+ copy:
13
+ name-key: checks.path-traversal.name
14
+ description-key: checks.path-traversal.description
15
+ message-key: checks.path-traversal.message
16
+ degraded-key: checks.path-traversal.degraded
17
+ remediation-key: remediation.security.path-traversal
18
+
19
+ confidence: medium
20
+
21
+ filters:
22
+ exclude-captures:
23
+ path:
24
+ - CONFIG_PATH
25
+ - BASE_DIR
26
+ - UPLOAD_DIR
27
+
28
+ queries:
29
+ javascript: |
30
+ (call_expression
31
+ function: (member_expression
32
+ object: (identifier) @obj
33
+ property: (property_identifier) @method)
34
+ arguments: (arguments
35
+ (binary_expression
36
+ left: (string) @left
37
+ operator: "+"
38
+ right: (identifier) @right))
39
+ (#eq? @obj "fs")
40
+ (#match? @method "^(readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|open|readdir|unlink|mkdir|access|stat|createReadStream|createWriteStream)$")) @match
41
+
42
+ (call_expression
43
+ function: (member_expression
44
+ object: (identifier) @obj
45
+ property: (property_identifier) @method)
46
+ arguments: (arguments . (template_string) @path)
47
+ (#eq? @obj "fs")
48
+ (#match? @method "^(readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|open|readdir|unlink|mkdir|access|stat|createReadStream|createWriteStream)$")) @match
49
+
50
+ (call_expression
51
+ function: (member_expression
52
+ object: (identifier) @obj
53
+ property: (property_identifier) @method
54
+ (#eq? @obj "res")
55
+ (#match? @method "^(sendFile|download)$"))
56
+ arguments: (arguments . [
57
+ (identifier) @path
58
+ (member_expression) @path
59
+ ])) @match
60
+
61
+ typescript: |
62
+ (call_expression
63
+ function: (member_expression
64
+ object: (identifier) @obj
65
+ property: (property_identifier) @method)
66
+ arguments: (arguments
67
+ (binary_expression
68
+ left: (string) @left
69
+ operator: "+"
70
+ right: (identifier) @right))
71
+ (#eq? @obj "fs")
72
+ (#match? @method "^(readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|open|readdir|unlink|mkdir|access|stat|createReadStream|createWriteStream)$")) @match
73
+
74
+ (call_expression
75
+ function: (member_expression
76
+ object: (identifier) @obj
77
+ property: (property_identifier) @method)
78
+ arguments: (arguments . (template_string) @path)
79
+ (#eq? @obj "fs")
80
+ (#match? @method "^(readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|open|readdir|unlink|mkdir|access|stat|createReadStream|createWriteStream)$")) @match
81
+
82
+ (call_expression
83
+ function: (member_expression
84
+ object: (identifier) @obj
85
+ property: (property_identifier) @method
86
+ (#eq? @obj "res")
87
+ (#match? @method "^(sendFile|download)$"))
88
+ arguments: (arguments . [
89
+ (identifier) @path
90
+ (member_expression) @path
91
+ ])) @match
92
+
93
+ tsx: |
94
+ (call_expression
95
+ function: (member_expression
96
+ object: (identifier) @obj
97
+ property: (property_identifier) @method)
98
+ arguments: (arguments
99
+ (binary_expression
100
+ left: (string) @left
101
+ operator: "+"
102
+ right: (identifier) @right))
103
+ (#eq? @obj "fs")
104
+ (#match? @method "^(readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|open|readdir|unlink|mkdir|access|stat|createReadStream|createWriteStream)$")) @match
105
+
106
+ (call_expression
107
+ function: (member_expression
108
+ object: (identifier) @obj
109
+ property: (property_identifier) @method)
110
+ arguments: (arguments . (template_string) @path)
111
+ (#eq? @obj "fs")
112
+ (#match? @method "^(readFile|readFileSync|writeFile|writeFileSync|appendFile|appendFileSync|open|readdir|unlink|mkdir|access|stat|createReadStream|createWriteStream)$")) @match
113
+
114
+ (call_expression
115
+ function: (member_expression
116
+ object: (identifier) @obj
117
+ property: (property_identifier) @method
118
+ (#eq? @obj "res")
119
+ (#match? @method "^(sendFile|download)$"))
120
+ arguments: (arguments . [
121
+ (identifier) @path
122
+ (member_expression) @path
123
+ ])) @match
124
+
125
+ python: |
126
+ (call
127
+ function: (identifier) @func
128
+ arguments: (argument_list
129
+ (binary_operator
130
+ left: (string) @left
131
+ operator: "+"
132
+ right: (identifier) @right))
133
+ (#eq? @func "open")) @match
134
+
135
+ bash: |
136
+ (command
137
+ name: (command_name (word) @cmd)
138
+ argument: (simple_expansion) @path
139
+ (#match? @cmd "^(rm|cat|cp|mv|chmod|chown|mkdir|touch)$")) @match
140
+
141
+ (command
142
+ name: (command_name (word) @cmd)
143
+ argument: (concatenation (simple_expansion) @path)
144
+ (#match? @cmd "^(rm|cat|cp|mv|chmod|chown|mkdir|touch)$")) @match
145
+
146
+ rust: |
147
+ (call_expression
148
+ function: [
149
+ (field_expression
150
+ field: (field_identifier) @func
151
+ (#match? @func "^(open|read|read_to_string|write|create_dir_all|remove_file)$"))
152
+ (scoped_identifier
153
+ name: (identifier) @func
154
+ (#match? @func "^(open|read|read_to_string|write|create_dir_all|remove_file)$"))
155
+ ]
156
+ arguments: (arguments . [
157
+ (macro_invocation
158
+ macro: (identifier) @macro
159
+ (#eq? @macro "format"))
160
+ (binary_expression
161
+ operator: "+")
162
+ (field_expression)
163
+ ])) @match
164
+
165
+ java: |
166
+ (object_creation_expression
167
+ type: (type_identifier) @t
168
+ (#match? @t "^(File|FileInputStream)$")
169
+ arguments: (argument_list
170
+ (binary_expression
171
+ operator: "+"))) @match
172
+
173
+ (method_invocation
174
+ object: (identifier) @obj
175
+ name: (identifier) @method
176
+ (#eq? @obj "Paths")
177
+ (#eq? @method "get")
178
+ arguments: (argument_list
179
+ (binary_expression
180
+ operator: "+"))) @match
181
+
182
+ (method_invocation
183
+ object: (identifier) @obj
184
+ name: (identifier) @method
185
+ (#eq? @obj "Files")
186
+ (#match? @method "^(readAllBytes|readString|newInputStream)$")
187
+ arguments: (argument_list
188
+ [
189
+ (identifier) @path
190
+ (binary_expression) @path
191
+ (method_invocation) @path
192
+ ])) @match
193
+
194
+ ruby: |
195
+ (call
196
+ receiver: (constant) @recv (#match? @recv "^(File|IO|Dir)$")
197
+ method: (identifier) @method (#match? @method "^(read|readlines|open)$")
198
+ arguments: (argument_list
199
+ (string
200
+ (interpolation)))) @match
201
+
202
+ (call
203
+ method: (identifier) @method (#eq? @method "send_file")
204
+ arguments: (argument_list
205
+ [
206
+ (identifier) @path
207
+ (call) @path
208
+ ])) @match
209
+
210
+ message-captures: [match]
@@ -0,0 +1,72 @@
1
+ rule-id: security.unsafe-innerhtml
2
+
3
+ cases:
4
+ - name: triggers on innerHTML assignment in javascript
5
+ language: javascript
6
+ code: |
7
+ element.innerHTML = userInput;
8
+ expect:
9
+ count: 1
10
+ severity: high
11
+
12
+ - name: triggers on innerHTML assignment in typescript
13
+ language: typescript
14
+ code: |
15
+ element.innerHTML = userInput;
16
+ expect:
17
+ count: 1
18
+ severity: high
19
+
20
+ - name: triggers on innerHTML assignment in tsx
21
+ language: tsx
22
+ code: |
23
+ element.innerHTML = userInput;
24
+ expect:
25
+ count: 1
26
+ severity: high
27
+
28
+ - name: triggers on dangerouslySetInnerHTML in tsx
29
+ language: tsx
30
+ code: |
31
+ export default function Page() {
32
+ return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
33
+ }
34
+ expect:
35
+ count: 1
36
+ severity: high
37
+
38
+ - name: ignores textContent
39
+ language: javascript
40
+ code: |
41
+ element.textContent = userInput;
42
+ expect:
43
+ count: 0
44
+
45
+ - name: ignores textContent in typescript
46
+ language: typescript
47
+ code: |
48
+ element.textContent = userInput;
49
+ expect:
50
+ count: 0
51
+
52
+ - name: triggers on innerHTML in html script tag
53
+ language: html
54
+ code: |
55
+ <script>document.innerHTML = x;</script>
56
+ expect:
57
+ count: 1
58
+ severity: high
59
+
60
+ - name: ignores safe script in html
61
+ language: html
62
+ code: |
63
+ <script>console.log("ok");</script>
64
+ expect:
65
+ count: 0
66
+
67
+ - name: ignores innerHTML read in html
68
+ language: html
69
+ code: |
70
+ <script>if (el.innerHTML) {}</script>
71
+ expect:
72
+ count: 0
@@ -0,0 +1,46 @@
1
+ # source: clean-room
2
+ # licence: MIT
3
+ # vendored-at: 2026-05-20
4
+ # verified-by: andy
5
+ # attribution: CWE-79
6
+ id: security.unsafe-innerhtml
7
+ severity: high
8
+ category: security
9
+ min-tier: free
10
+ languages: [javascript, typescript, tsx, html]
11
+
12
+ copy:
13
+ name-key: checks.unsafe-innerhtml.name
14
+ description-key: checks.unsafe-innerhtml.description
15
+ message-key: checks.unsafe-innerhtml.message
16
+ degraded-key: checks.unsafe-innerhtml.degraded
17
+ remediation-key: remediation.security.unsafe-innerhtml
18
+
19
+ confidence: high
20
+
21
+ queries:
22
+ javascript: |
23
+ (assignment_expression
24
+ left: (member_expression
25
+ property: (property_identifier) @prop)
26
+ (#eq? @prop "innerHTML")) @match
27
+ typescript: |
28
+ (assignment_expression
29
+ left: (member_expression
30
+ property: (property_identifier) @prop)
31
+ (#eq? @prop "innerHTML")) @match
32
+ tsx: |
33
+ (assignment_expression
34
+ left: (member_expression
35
+ property: (property_identifier) @prop)
36
+ (#eq? @prop "innerHTML")) @match
37
+
38
+ (jsx_attribute
39
+ (property_identifier) @prop
40
+ (#eq? @prop "dangerouslySetInnerHTML")) @match
41
+ html: |
42
+ (script_element
43
+ (raw_text) @match
44
+ (#match? @match "\\.innerHTML\\s*="))
45
+
46
+ message-captures: [match]
@@ -0,0 +1,79 @@
1
+ rule-id: security.untrusted-deserialization
2
+
3
+ cases:
4
+ - name: triggers on pickle.loads in python
5
+ language: python
6
+ code: |
7
+ import pickle
8
+ data = pickle.loads(input_data)
9
+ expect:
10
+ count: 1
11
+ severity: high
12
+
13
+ - name: ignores safe code in python
14
+ language: python
15
+ code: |
16
+ result = str(42)
17
+ expect:
18
+ count: 0
19
+
20
+ - name: triggers on serde_json from_str in rust
21
+ language: rust
22
+ code: |
23
+ let val = serde_json::from_str(input);
24
+ expect:
25
+ count: 1
26
+ severity: high
27
+
28
+ - name: triggers on bincode deserialize in rust
29
+ language: rust
30
+ code: |
31
+ let val = bincode::deserialize(data);
32
+ expect:
33
+ count: 1
34
+ severity: high
35
+
36
+ - name: ignores safe code in rust
37
+ language: rust
38
+ code: |
39
+ let x = 42;
40
+ expect:
41
+ count: 0
42
+
43
+ - name: ignores custom deserialize in rust
44
+ language: rust
45
+ code: |
46
+ let val = my_codec::deserialize(data);
47
+ expect:
48
+ count: 0
49
+
50
+ - name: triggers on ObjectInputStream readObject in java
51
+ language: java
52
+ code: |
53
+ Object obj = ois.readObject();
54
+ expect:
55
+ count: 1
56
+ severity: high
57
+
58
+ - name: ignores safe java code
59
+ language: java
60
+ code: |
61
+ String s = "hello";
62
+ expect:
63
+ count: 0
64
+
65
+ - name: triggers on Marshal.load in ruby
66
+ language: ruby
67
+ code: |
68
+ data = Marshal.load(payload)
69
+ expect:
70
+ count: 1
71
+ severity: high
72
+
73
+ - name: triggers on YAML.load in ruby
74
+ language: ruby
75
+ code: |
76
+ doc = YAML.load(body)
77
+ expect:
78
+ count: 1
79
+ severity: high
@@ -0,0 +1,48 @@
1
+ # source: clean-room
2
+ # licence: MIT
3
+ # vendored-at: 2026-05-20
4
+ # verified-by: Seaworthy team
5
+ # attribution: CWE-502
6
+ id: security.untrusted-deserialization
7
+ severity: high
8
+ category: security
9
+ min-tier: pro
10
+ languages: [python, rust, java, ruby]
11
+
12
+ copy:
13
+ name-key: checks.untrusted-deserialization.name
14
+ description-key: checks.untrusted-deserialization.description
15
+ message-key: checks.untrusted-deserialization.message
16
+ degraded-key: checks.untrusted-deserialization.degraded
17
+ remediation-key: remediation.security.untrusted-deserialization
18
+
19
+ confidence: high
20
+
21
+ queries:
22
+ python: |
23
+ (call
24
+ function: (attribute
25
+ object: (identifier) @obj
26
+ attribute: (identifier) @method)
27
+ (#eq? @obj "pickle")
28
+ (#eq? @method "loads")) @match
29
+ rust: |
30
+ (call_expression
31
+ function: (scoped_identifier
32
+ path: (identifier) @path
33
+ name: (identifier) @func)
34
+ (#match? @path "^(serde_json|bincode)$")
35
+ (#match? @func "^(from_str|deserialize)$")) @match
36
+
37
+ java: |
38
+ (method_invocation
39
+ name: (identifier) @method
40
+ (#eq? @method "readObject")
41
+ arguments: (argument_list)) @match
42
+
43
+ ruby: |
44
+ (call
45
+ receiver: (constant) @recv (#match? @recv "^(Marshal|YAML)$")
46
+ method: (identifier) @method (#eq? @method "load")) @match
47
+
48
+ message-captures: [match]
@@ -0,0 +1,126 @@
1
+ rule-id: security.weak-encryption-mode
2
+
3
+ cases:
4
+ - name: triggers on createCipheriv with weak mode in javascript
5
+ language: javascript
6
+ code: |
7
+ createCipheriv('aes-256-ecb', key, iv)
8
+ expect:
9
+ count: 1
10
+ severity: medium
11
+
12
+ - name: triggers on createCipheriv with weak mode in typescript
13
+ language: typescript
14
+ code: |
15
+ createCipheriv('des', key, iv)
16
+ expect:
17
+ count: 1
18
+ severity: medium
19
+
20
+ - name: triggers on createCipheriv with weak mode in tsx
21
+ language: tsx
22
+ code: |
23
+ createCipheriv('rc4', key, iv)
24
+ expect:
25
+ count: 1
26
+ severity: medium
27
+
28
+ - name: ignores strong encryption mode
29
+ language: javascript
30
+ code: |
31
+ createCipheriv('aes-256-gcm', key, iv)
32
+ expect:
33
+ count: 0
34
+
35
+ - name: ignores strong encryption mode in typescript
36
+ language: typescript
37
+ code: |
38
+ createCipheriv('aes-256-gcm', key, iv)
39
+ expect:
40
+ count: 0
41
+
42
+ - name: ignores hash function
43
+ language: javascript
44
+ code: |
45
+ createHash('sha256')
46
+ expect:
47
+ count: 0
48
+
49
+ - name: ignores hash function in typescript
50
+ language: typescript
51
+ code: |
52
+ createHash('sha256')
53
+ expect:
54
+ count: 0
55
+
56
+ - name: triggers on AES.new with weak mode in python
57
+ language: python
58
+ code: |
59
+ from Crypto.Cipher import AES
60
+ cipher = AES.new(key, AES.MODE_ECB)
61
+ expect:
62
+ count: 1
63
+ severity: medium
64
+ - name: triggers on weak openssl enc mode in bash
65
+ language: bash
66
+ code: |
67
+ openssl enc -des -in plain.txt -out secret.bin
68
+ expect:
69
+ count: 1
70
+ severity: medium
71
+ - name: ignores AES.new with strong mode in python
72
+ language: python
73
+ code: |
74
+ from Crypto.Cipher import AES
75
+ cipher = AES.new(key, AES.MODE_GCM)
76
+ expect:
77
+ count: 0
78
+ - name: ignores strong openssl enc mode in bash
79
+ language: bash
80
+ code: |
81
+ openssl enc -aes-256-gcm -in plain.txt -out secret.bin
82
+ expect:
83
+ count: 0
84
+
85
+ - name: triggers on des in rust
86
+ language: rust
87
+ code: |
88
+ cipher.des()
89
+ expect:
90
+ count: 1
91
+ severity: medium
92
+
93
+ - name: ignores strong mode in rust
94
+ language: rust
95
+ code: |
96
+ cipher.aes_256_gcm()
97
+ expect:
98
+ count: 0
99
+
100
+ - name: triggers on Cipher DES in java
101
+ language: java
102
+ code: |
103
+ class T {
104
+ void f() throws Exception {
105
+ javax.crypto.Cipher.getInstance("DES/ECB/PKCS5Padding");
106
+ }
107
+ }
108
+ expect:
109
+ count: 1
110
+ severity: medium
111
+
112
+ - name: triggers on OpenSSL Cipher DES in ruby
113
+ language: ruby
114
+ code: |
115
+ OpenSSL::Cipher.new('DES')
116
+ expect:
117
+ count: 1
118
+ severity: medium
119
+
120
+ - name: triggers on OpenSSL Cipher DES ECB in ruby
121
+ language: ruby
122
+ code: |
123
+ OpenSSL::Cipher.new('DES-ECB')
124
+ expect:
125
+ count: 1
126
+ severity: medium
@@ -0,0 +1,104 @@
1
+ # source: clean-room
2
+ # licence: MIT
3
+ # vendored-at: 2026-05-20
4
+ # verified-by: Seaworthy team
5
+ # attribution: CWE-326
6
+ id: security.weak-encryption-mode
7
+ severity: medium
8
+ category: security
9
+ min-tier: pro
10
+ languages: [javascript, typescript, tsx, python, bash, rust, java, ruby]
11
+
12
+ copy:
13
+ name-key: checks.weak-encryption-mode.name
14
+ description-key: checks.weak-encryption-mode.description
15
+ message-key: checks.weak-encryption-mode.message
16
+ degraded-key: checks.weak-encryption-mode.degraded
17
+ remediation-key: remediation.security.weak-encryption-mode
18
+
19
+ confidence: high
20
+
21
+ queries:
22
+ javascript: |
23
+ (call_expression
24
+ function: (identifier) @func
25
+ arguments: (arguments
26
+ (string
27
+ (string_fragment) @algo))
28
+ (#eq? @func "createCipheriv")
29
+ (#match? @algo "ecb|des|rc4|3des")) @match
30
+ typescript: |
31
+ (call_expression
32
+ function: (identifier) @func
33
+ arguments: (arguments
34
+ (string
35
+ (string_fragment) @algo))
36
+ (#eq? @func "createCipheriv")
37
+ (#match? @algo "ecb|des|rc4|3des")) @match
38
+ tsx: |
39
+ (call_expression
40
+ function: (identifier) @func
41
+ arguments: (arguments
42
+ (string
43
+ (string_fragment) @algo))
44
+ (#eq? @func "createCipheriv")
45
+ (#match? @algo "ecb|des|rc4|3des")) @match
46
+ python: |
47
+ (call
48
+ function: (attribute
49
+ object: (identifier) @obj
50
+ attribute: (identifier) @method)
51
+ arguments: (argument_list
52
+ (attribute
53
+ object: (identifier) @aes
54
+ attribute: (identifier) @mode))
55
+ (#eq? @obj "AES")
56
+ (#eq? @method "new")
57
+ (#match? @mode "MODE_(ECB|CBC|CFB|OFB)$")) @match
58
+ bash: |
59
+ (command
60
+ name: (command_name (word) @cmd)
61
+ argument: (word) @subcmd
62
+ argument: (word) @mode
63
+ (#eq? @cmd "openssl")
64
+ (#eq? @subcmd "enc")
65
+ (#match? @mode "^-(des|des3|rc4|bf|aes-[0-9]+-ecb)$")) @match
66
+ rust: |
67
+ (call_expression
68
+ function: (field_expression
69
+ field: (field_identifier) @func
70
+ (#match? @func "^(des|rc4)$"))) @match
71
+ java: |
72
+ (method_invocation
73
+ object: (identifier) @obj
74
+ name: (identifier) @method
75
+ (#eq? @obj "Cipher")
76
+ (#eq? @method "getInstance")
77
+ arguments: (argument_list
78
+ (string_literal
79
+ (string_fragment) @algo)
80
+ (#match? @algo ".*(DES|des|RC4|rc4|ECB|ecb).*"))) @match
81
+
82
+ (method_invocation
83
+ object: (field_access
84
+ field: (identifier) @obj)
85
+ name: (identifier) @method
86
+ (#eq? @obj "Cipher")
87
+ (#eq? @method "getInstance")
88
+ arguments: (argument_list
89
+ (string_literal
90
+ (string_fragment) @algo)
91
+ (#match? @algo ".*(DES|des|RC4|rc4|ECB|ecb).*"))) @match
92
+
93
+ ruby: |
94
+ (call
95
+ receiver: (scope_resolution
96
+ scope: (constant) @scope (#eq? @scope "OpenSSL")
97
+ name: (constant) @name (#eq? @name "Cipher"))
98
+ method: (identifier) @method (#eq? @method "new")
99
+ arguments: (argument_list
100
+ (string
101
+ (string_content) @algo
102
+ (#match? @algo ".*(DES|des|RC4|rc4|ECB|ecb).*")))) @match
103
+
104
+ message-captures: [match]