Commit graph

496 Commits

Author SHA1 Message Date
Gabe Stocco c84796ae81
Bump Dependencies (#594) 2024-11-01 14:36:18 -07:00
Dan Fiedler 6de64f4390
add release to GitHub and NuGet (#592)
* add release to GitHub and NuGet

* switch nuget publish to 1ES output
2024-11-01 12:52:45 -04:00
Dan Fiedler f353f1e4fb
add release stage with new signing (#591) 2024-10-30 05:36:14 -04:00
Gabe Stocco 1a86d81021
Convert user provided relative source paths to absolute paths before analysis (#590)
* Fix #589

Convert user provided relative paths into absolute paths before scanning for consistent file name regex behavior in rules.

* Also use absolute path in error message
2024-07-29 23:06:37 -07:00
Gabe Stocco a7d241ab62
Update appinspector-release.yml (#587)
* Update appinspector-release.yml

* Update appinspector-release.yml
2024-06-26 22:59:42 -07:00
Gabe Stocco e2e13eefa3
Fix off by one error in GetPrefixLocation recursion (#584)
* Fix off by one error in GetPrefixLocation recursion

* Adds new quoted strings test case
2024-04-30 12:12:17 -07:00
Gabe Stocco c8bfea6cb5
Migrate to 1ES Templates (#582)
* Migrate Pipelines to new Templates
2024-03-27 13:02:56 -07:00
Gabe Stocco 911e9d3be0
Add Basic Socket and HTTP Listener Rules (#578)
* Add Basic Socket and HTTP Listener Rules

Language specific rules for C#, C, C++, Javascript, Java and Python. Generic Socket rule for all other languages.

* Bump dependencies.
2024-03-13 14:15:37 -07:00
Gabe Stocco eba5ca46db
Output formatted instead of minified sarif (#577)
Fix #576
2024-02-23 07:48:44 +00:00
Gabe Stocco 044dc12a29
Embed remote resources in html report (#574)
* Embed remote resources in html report

Fix #450

* Replace D3+C3 with Charts.Js

* Restore static 200px width to charts.

* Add Datalabels to charts

* Fix tabs on summary page

Fix for new bootstrap mechanisms

* Fix Source Code Modal for BootStrap 5

* Swap Ace for Prism highlighting

* Make modal a bit wider

* Unescape HTML sequences to render in pre tag
2024-02-22 18:19:06 -08:00
Michael Scovetta 6d539ef691
Add initial set of PQ and AI checks, auth'n/z updates (#573)
* Add initial set of PQ and AI checks, auth'n/z updates

* Add Python semantic_kernel.

* Add AI tag group to html report

* Remove code scope definition from txt rules

---------

Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
2024-02-16 08:53:47 -08:00
Gabe Stocco 00ad48b230
Update pipeline template (#572)
* Update pipeline template

* Fix tag version for pipeline templates

* Update dependencies

* Add Pool Name
2024-02-06 16:50:22 -08:00
Gabe Stocco 3a5c3f97bc
Clamp the Excerpt end index to the end of the file (#571)
* Clamp the Excerpt end index to the end of the file

* Add clamping test for Extract Excerpt

* Update dependencies
2024-01-04 15:14:17 -08:00
Gabe Stocco edf169f9fd
Update Dependencies (#569)
* Net 8.0

* Update dependencies

* Update README.md

---------

Co-authored-by: Caleb Queern <cqueern@users.noreply.github.com>
2023-11-30 12:58:39 -08:00
Gabe Stocco 310ac15d45
Fixes an issue with setting correct index values (#567)
* Fixes an issue with setting correct index values when matching a property of an xml tag with an xpath

* Update comments

* Improve robustness of new test cases.

Also check value and index location of matches.
2023-11-09 14:35:16 -08:00
Noah Kreiger c2a091280d
Update index.html (#564)
* Update index.html

* Update index.html
2023-10-04 14:54:57 -07:00
Michael Scovetta ca4423e3f8
Bump Newtonsoft.Json (#562)
The Sarif.Sdk package depends on Newtonsoft.Json 9.0.1+, and NuGet chooses the oldest version by default. This change pushes us up to 13.0.3 (latest current).

Ref: https://github.com/microsoft/sarif-sdk/issues/2673

Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
2023-09-17 10:04:28 -07:00
Gabe Stocco 8a0c9be1ab
Fixes JSONPath boundary finding for booleans (#561)
* Fixes JSONPath boundary finding for booleans

Boundary detection for boolean values was off because proper JSON requires booleans to be lower case in the raw text, but JsonElement.ToString() returns capitalized boolean names.

* Adds a test case

* Update XmlAndJsonTests.cs

* Bump dependencies

* Update OAT
2023-09-15 13:46:15 -07:00
Vincent Berg 1d24f3831e
JSON rules cleanup (#559)
* remove unused rule_info field

* change typo to proper modifiers field

* remove unused and wrong fields

* remove unused rule_info field

* remove VoipInfo field which is not valid

* remove duplicate modifiers field

* confidence is a field for patterns not the rule itself
2023-09-05 11:36:25 -07:00
Gabe Stocco f13cc8abda
Adds numbering to issue results (#558) 2023-08-02 16:12:24 -07:00
Gabe Stocco 1952127168
Adds Always Commented Option to Support DevSkim Scenarios (#555) 2023-07-31 13:54:59 -07:00
Gabe Stocco 8a78a5260c
Add Simple Detections for some common saas (#554)
* Add detections for some SAAS services

* Improve comment detection for urls with protocol specification in languages with // as the comment format

* Update font awesome reference

* Update tagreportgroups.json

* Update test cases for multiline strings

* Remove unused imports
2023-07-27 16:53:35 -07:00
Gabe Stocco 4bb352a0c0
Fix Issues with Confidence Display on Key Features Page of HTML Report (#553)
* Remove legacy files from separate rules repo

* Switch Tag Detection for Features page to Regex

And update all search patterns to be regular expression instead of exact match

* Update Dependencies
2023-07-25 12:37:44 -07:00
Gabe Stocco 774ba6439d
Port DevSkim Sarif Output Workarounds to ApplicationInspector (#551) 2023-06-26 13:32:17 -07:00
Gabe Stocco b830cf902b
Fixes Sarif Output Format (#550) 2023-06-21 22:08:07 -07:00
David Alcantar bd25052fd2
Update Pipelines (#549)
Update PR and Release pipelines
2023-06-19 16:00:01 -07:00
Gabe Stocco 243babc8e1
Incorporate Fix from RE (#547) 2023-06-08 11:16:00 -07:00
Gabe Stocco 2d98196d16
Add Support for Xpath Queries with Namespaces (#546) 2023-06-07 13:15:45 -07:00
Gabe Stocco 95e7eacad2
Add rule verifier check to require a description. (#544)
* Add rule verifier check to require a description.

GitHub Sarif Upload Action requires the Help.Text property of each Rule object in the sarif to be populated. We populate this in DevSkim with either the Recommendation, if present, or the Description, if not present. However, previously it was possible to have neither. This adds a verification step to require a description to ensure there is a value to use for sarif export.

* Adds test to fail on rules without description

* Description is now a required field in each rule, SemVer relevant

* Description field may not be null
2023-05-25 02:02:14 +00:00
Gabe Stocco 5cb7095ea6
Update dependencies (#542) 2023-05-23 19:33:33 +00:00
Gabe Stocco 71042add5d
Provide filepath to the textcontainer for logging messages (#540) 2023-05-04 11:41:26 -07:00
Gabe Stocco 0cacb52a5f
Fixes XPath queries that use @ for attributes (#539) 2023-05-02 15:44:16 -07:00
Gabe Stocco 70f1bcf256
Update version.json (#537) 2023-04-17 14:33:18 -07:00
Gabe Stocco 49e51a974d
Fix override behavior (#538) 2023-03-21 14:15:40 -07:00
Gabe Stocco f591a0acb7
Automatically gather Git information (#534)
* Automatically populate git repository information

Populates based on the repository information detected for the first source location argument.

* Report auto gathered git information in sarif report

* Include LibGit2Sharp dependency

* Update comment on CreateFresh

This internal method is used to create a refreshed metadata object after depends on removes invalidated records.

* Only create a fresh metadata object when needed
2023-03-08 15:52:43 -08:00
Dmitry 44933030c4
Support non-backtracking regex (#528) 2023-03-07 13:53:51 -08:00
Gabe Stocco 60f166d8cf
Adds DependsOnTags field to Rule (#533)
Fix #533 

* Adds DependsOnTags field to Rule

After processing of rules DependsOnTags will be checked and then matches whose matching rule have required tags which are not all present in the UniqueTags will be removed before returning results. Adds tests for new functionality and rule verifier will check to make sure all tags which are depended on are present in the rule set.

SemVer changes. Public properties in the Rule object have been changed to IList from a combination of Array and List.

* Fix query for rules with null depends on field

* Formatting: Add Missing Braces Back

* Revert "Formatting: Add Missing Braces Back"

This reverts commit d6dc1fc5a7.

* Set beta flag

* Fix Verification message for missing depends_on_tags

Change a few more List to IList.
Improve edge case in verification where if two rules shared the same id they would both receive the error message about depends_on_tags.

* Improve description for test rules

* Formatting and additional comments on the Rule and AnalyzeCommand objects

* Catch edge case in verification where an overridden rule doesn't have the depends on of its overrider

This verification step prevents a potential issue if a ruleset contains Rule A, which is Overridden by Rule B which depends on TagX.

If RuleA and RuleB match, but TagX is not present, no results would be returned. This is because overrides are performed on a file by file basis, as the last step in processing each file. Depends on tags are checked after all files have been processed, and so the overridden matches are no longer tracked.

* Adds Support for Chained Dependent Rules

And tests for same.

* Typo in test rule description

* Small refactor to deduplicate logic

* Improve variable names
2023-03-07 12:32:59 -08:00
Caleb Queern ec40f38f8b
Update README.md (#532)
corrected spelling
2023-03-01 10:10:33 -08:00
Gabe Stocco 41b9476d7e
Update dependencies. (#530) 2023-02-27 13:32:15 -08:00
Gabe Stocco c187a93438
Fix Validation Messages for XPath and YamlPath (#527) 2023-02-13 16:42:08 -08:00
Gabe Stocco 567833a703
Add YamlPath Validation to RuleValidator (#526)
* Ensure RuleVerifier and Regex Operation use the same Modifiers

* Adds validation of specified YamlPaths.
2023-02-13 14:46:52 -08:00
Dmitry 505942298a
Use System.Text.Json instead of Newton.Json (#525)
* Use System.Text.Json instead of Newtonsoft.Json. Approximately 2x faster result output serialization with significantly reduced memory usage (for JSON format).

* Adds simple benchmark for json writer.

---------

Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
2023-02-08 13:24:09 -08:00
Gabe Stocco d39172e72f
Update dependencies (#522)
* Update dependencies

* Improve stability of ClassCleanup
2023-01-13 17:51:18 -08:00
Gabe Stocco 908ee752f1
Use YamlPath Nuget + Update Dependencies (#519) 2022-12-14 11:13:24 -08:00
Gabe Stocco 629dfeb109
Publish .NET 7.0 Version (#516) 2022-11-16 07:44:23 -08:00
Gabe Stocco 4f9900398a
Refactor to include yamlpath directly in rule engine nupkg (#513)
* Refactor to include yamlpath directly in rule engine nupkg

* Fix Yaml Tests

Restore some missing braces mistakenly stripped by previous format run.
Adds locks to constructing structured data query objs (like the YamlDocument) to avoid thread collisions.
Should fix supporting disabling parallelized Analyzer
2022-10-24 11:22:56 -07:00
Gabe Stocco 3cf2f41e35
Fix #511 (#512)
* Fix #511

Fixes #511.

AI was not appropriately adjusting the Index of the pattern match by the index of the yaml element like it did for XML and JSON.
Adds a new test case to ensure the index matched is correct using sample from the linked bug.

* Support multiple Yaml documents in a single file.

Check all documents listed in the stream rather than just the first.
2022-10-11 16:20:34 -07:00
Gabe Stocco b958237a22
Implement YamlPath for YamlDotNet (#509) 2022-09-26 16:20:06 -07:00
Gabe Stocco ef08d62d4e
Create codeql3000.yml (#508)
* Create codeql3000.yml

* Delete codeql-analysis.yml
2022-09-06 11:34:13 -07:00
Gabe Stocco 95e28607c2
Update BUILD.md 2022-09-01 17:27:09 -07:00