* Fix #589
Convert user provided relative paths into absolute paths before scanning for consistent file name regex behavior in rules.
* Also use absolute path in error message
* Add Basic Socket and HTTP Listener Rules
Language specific rules for C#, C, C++, Javascript, Java and Python. Generic Socket rule for all other languages.
* Bump dependencies.
* Embed remote resources in html report
Fix #450
* Replace D3+C3 with Chart.js
* Restore static 200px width to charts.
* Add Datalabels to charts
* Fix tabs on summary page
Fix for new bootstrap mechanisms
* Fix Source Code Modal for Bootstrap 5
* Swap Ace for Prism highlighting
* Make modal a bit wider
* Unescape HTML sequences to render in pre tag
* Add initial set of PQ and AI checks, auth'n/z updates
* Add Python semantic_kernel.
* Add AI tag group to html report
* Remove code scope definition from txt rules
---------
Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
* Fixes an issue with setting correct index values when matching a property of an xml tag with an xpath
* Update comments
* Improve robustness of new test cases.
Also check value and index location of matches.
The Sarif.Sdk package depends on Newtonsoft.Json 9.0.1+, and NuGet chooses the oldest version by default. This change pushes us up to 13.0.3 (latest current).
Ref: https://github.com/microsoft/sarif-sdk/issues/2673
Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
* Fixes JSONPath boundary finding for booleans
Boundary detection for boolean values was off because proper JSON requires booleans to be lower case in the raw text, but JsonElement.ToString() returns capitalized boolean names.
* Adds a test case
* Update XmlAndJsonTests.cs
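The boundary bug described above comes from searching the raw document for the string form of a parsed value: JsonElement.ToString() yields "True"/"False", but JSON text only ever contains "true"/"false". The following Python sketch is an added illustration, not DevSkim or Application Inspector code; it reproduces the same pitfall (Python's str(True) is also "True"), shows the lexical-form fix (json.dumps), and shows the more robust option of recording token offsets while parsing so no text search is needed. The sample document and the JSON-Pointer-style paths are constructed for the example.

```python
"""Locating a parsed JSON value in the raw text.

Added illustration (not DevSkim/Application Inspector code). str(True) has
the same shape as JsonElement.ToString() ("True"), so naive_span() exhibits
the bug described in the commit; lexical_span() and value_spans() are two
ways of fixing it.
"""
from __future__ import annotations

import json
import re

# Constructed sample document; the string "True" is a deliberate decoy.
RAW = '{"enabled": true, "flag": false, "name": "True", "count": 42, "nothing": null}'


def naive_span(raw: str, value) -> tuple[int, int] | None:
    """Buggy: searches for str(value), i.e. "True"/"None", which never
    appear as JSON literals (but may appear inside strings)."""
    needle = str(value)
    i = raw.find(needle)
    return None if i < 0 else (i, i + len(needle))


def lexical_span(raw: str, value) -> tuple[int, int] | None:
    """Searches for the JSON lexical form ("true"/"null"). Still a text
    search, so an earlier identical token could be hit, but the case bug is gone."""
    needle = json.dumps(value)
    i = raw.find(needle)
    return None if i < 0 else (i, i + len(needle))


_LITERAL = re.compile(r'true|false|null|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?')


class _SpanParser:
    """Minimal recursive-descent JSON reader that records the (start, end)
    offsets of every value, keyed by a JSON-Pointer-style path ('' = root)."""

    def __init__(self, raw: str):
        self.raw, self.i, self.spans = raw, 0, {}

    def _ws(self):
        while self.i < len(self.raw) and self.raw[self.i] in ' \t\r\n':
            self.i += 1

    def _string(self) -> str:
        j = self.i + 1                      # self.raw[self.i] == '"'
        while self.raw[j] != '"':
            j += 2 if self.raw[j] == '\\' else 1
        text = json.loads(self.raw[self.i:j + 1])
        self.i = j + 1
        return text

    def value(self, path: str = '') -> dict[str, tuple[int, int]]:
        self._ws()
        start, c = self.i, self.raw[self.i]
        if c == '{':
            self.i += 1
            self._ws()
            while self.raw[self.i] != '}':
                key = self._string()
                self._ws(); self.i += 1     # skip ':'
                self.value(f'{path}/{key}')
                self._ws()
                if self.raw[self.i] == ',':
                    self.i += 1; self._ws()
            self.i += 1
        elif c == '[':
            self.i += 1
            self._ws()
            idx = 0
            while self.raw[self.i] != ']':
                self.value(f'{path}/{idx}'); idx += 1
                self._ws()
                if self.raw[self.i] == ',':
                    self.i += 1; self._ws()
            self.i += 1
        elif c == '"':
            self._string()
        else:                               # true / false / null / number
            self.i = _LITERAL.match(self.raw, self.i).end()
        self.spans[path] = (start, self.i)
        return self.spans


def value_spans(raw: str) -> dict[str, tuple[int, int]]:
    """Map each JSON-Pointer path to its raw-text span; raw[s:e] is the exact token."""
    return _SpanParser(raw).value()


if __name__ == '__main__':
    spans = value_spans(RAW)
    for p in ('/enabled', '/flag', '/name', '/nothing'):
        s, e = spans[p]
        print(f'{p:10} {s:3}-{e:<3} {RAW[s:e]!r}')
    print('naive   True ->', naive_span(RAW, True))    # lands on the decoy string
    print('lexical True ->', lexical_span(RAW, True))
```

The offset-recording reader is the option to prefer when match positions feed a rule engine: it cannot be fooled by a string value that happens to spell "True", and it needs no second pass over the text.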
* Bump dependencies
* Update OAT
* remove unused rule_info field
* change typo to proper modifiers field
* remove unused and wrong fields
* remove unused rule_info field
* remove VoipInfo field which is not valid
* remove duplicate modifiers field
* confidence is a field for patterns, not the rule itself
* Add detections for some SAAS services
* Improve comment detection for URLs with protocol specification in languages with // as the comment format
* Update font awesome reference
* Update tagreportgroups.json
* Update test cases for multiline strings
* Remove unused imports
* Remove legacy files from separate rules repo
* Switch Tag Detection for Features page to Regex
And update all search patterns to be regular expression instead of exact match
* Update Dependencies
* Add rule verifier check to require a description.
GitHub Sarif Upload Action requires the Help.Text property of each Rule object in the sarif to be populated. We populate this in DevSkim with either the Recommendation, if present, or the Description, if not present. However, previously it was possible to have neither. This adds a verification step to require a description to ensure there is a value to use for sarif export.
* Adds test to fail on rules without description
* Description is now a required field in each rule, SemVer relevant
* Description field may not be null
* Automatically populate git repository information
Populates based on the repository information detected for the first source location argument.
* Report auto gathered git information in sarif report
* Include LibGit2Sharp dependency
* Update comment on CreateFresh
This internal method is used to create a refreshed metadata object after depends-on removes invalidated records.
* Only create a fresh metadata object when needed
Fix #533
* Adds DependsOnTags field to Rule
After processing of rules DependsOnTags will be checked and then matches whose matching rule has required tags that are not all present in the UniqueTags will be removed before returning results. Adds tests for new functionality and rule verifier will check to make sure all tags which are depended on are present in the rule set.
SemVer changes. Public properties in the Rule object have been changed to IList from a combination of Array and List.
* Fix query for rules with null depends on field
* Formatting: Add Missing Braces Back
* Revert "Formatting: Add Missing Braces Back"
This reverts commit d6dc1fc5a7.
* Set beta flag
* Fix Verification message for missing depends_on_tags
Change a few more List to IList.
Improve edge case in verification where if two rules shared the same id they would both receive the error message about depends_on_tags.
* Improve description for test rules
* Formatting and additional comments on the Rule and AnalyzeCommand objects
* Catch edge case in verification where an overridden rule doesn't have the depends on of its overrider
This verification step prevents a potential issue if a ruleset contains Rule A, which is Overridden by Rule B which depends on TagX.
If RuleA and RuleB match, but TagX is not present, no results would be returned. This is because overrides are performed on a file-by-file basis, as the last step in processing each file. Depends on tags are checked after all files have been processed, and so the overridden matches are no longer tracked.
* Adds Support for Chained Dependent Rules
And tests for same.
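The depends_on_tags behaviour, the override ordering pitfall and the chained-dependency case from the commits above can be modelled in a few lines. The following Python is an added illustration, not DevSkim or Application Inspector code: it simplifies rules to sets of tags, resolves overrides by rule id per file as the last step for that file, then checks depends_on_tags once against the union of tags from all files, iterating to a fixed point so chained dependencies collapse. The verifier function implements the two checks the commits describe (every depended-on tag is provided by some rule; an overridden rule carries its overrider's depends_on_tags). Rule ids, tags and file names are constructed for the example.

```python
"""Model of depends_on_tags filtering and the override ordering pitfall.

Added illustration, not DevSkim/Application Inspector code. Rule and Match
are simplified stand-ins; overrides are by rule id and tags are plain sets.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: str
    tags: frozenset[str]
    overrides: frozenset[str] = frozenset()         # rule ids this rule suppresses
    depends_on_tags: frozenset[str] = frozenset()   # tags that must be present somewhere


@dataclass(frozen=True)
class Match:
    rule: Rule
    file: str


def apply_overrides(file_matches: list[Match]) -> list[Match]:
    """Per-file step (last step for that file): drop matches whose rule is
    overridden by another match in the same file."""
    overridden = set().union(*(m.rule.overrides for m in file_matches))
    return [m for m in file_matches if m.rule.id not in overridden]


def filter_depends_on(matches: list[Match]) -> list[Match]:
    """Cross-file step: remove matches whose depends_on_tags are not all present
    in the union of surviving tags. Iterates to a fixed point so that a chain
    (C needs a tag only B provides, B needs a tag nobody provided) collapses."""
    kept = list(matches)
    while True:
        unique_tags = set().union(*(m.rule.tags for m in kept))
        survivors = [m for m in kept if m.rule.depends_on_tags <= unique_tags]
        if len(survivors) == len(kept):
            return survivors
        kept = survivors


def analyze(matches_by_file: dict[str, list[Match]]) -> list[Match]:
    """Overrides first, per file; depends_on_tags afterwards, over everything.
    Overridden matches are gone by the time the dependency check runs."""
    per_file = [m for fm in matches_by_file.values() for m in apply_overrides(fm)]
    return filter_depends_on(per_file)


def verify_ruleset(rules: list[Rule]) -> list[str]:
    """Ruleset checks: depended-on tags must be provided by some rule, and an
    overridden rule must carry at least its overrider's depends_on_tags."""
    by_id = {r.id: r for r in rules}
    provided = set().union(*(r.tags for r in rules))
    errors: list[str] = []
    for r in rules:
        for tag in sorted(r.depends_on_tags - provided):
            errors.append(f"{r.id}: depends_on_tags {tag} is not provided by any rule")
        for target in sorted(r.overrides):
            o = by_id.get(target)
            if o is not None and not r.depends_on_tags <= o.depends_on_tags:
                missing = sorted(r.depends_on_tags - o.depends_on_tags)
                errors.append(f"{o.id}: overridden by {r.id} but lacks its depends_on_tags {missing}")
    return errors


# Constructed ruleset: B overrides A and depends on TagX; C depends on TagB.
RULE_X = Rule('X', frozenset({'TagX'}))
RULE_A = Rule('A', frozenset({'TagA'}))
RULE_B = Rule('B', frozenset({'TagB'}), overrides=frozenset({'A'}), depends_on_tags=frozenset({'TagX'}))
RULE_C = Rule('C', frozenset({'TagC'}), depends_on_tags=frozenset({'TagB'}))
RULESET = [RULE_X, RULE_A, RULE_B, RULE_C]


def override_pitfall() -> list[str]:
    """A and B match in one file and TagX never matches: A is overridden by B,
    then B is filtered for its missing dependency, so nothing is reported."""
    result = analyze({'one.py': [Match(RULE_A, 'one.py'), Match(RULE_B, 'one.py')]})
    return [m.rule.id for m in result]


def chained(with_x: bool) -> list[str]:
    """B and C match in one file; TagX optionally matches in another file."""
    files = {'two.py': [Match(RULE_B, 'two.py'), Match(RULE_C, 'two.py')]}
    if with_x:
        files['three.py'] = [Match(RULE_X, 'three.py')]
    return sorted(m.rule.id for m in analyze(files))


if __name__ == '__main__':
    print('pitfall   ->', override_pitfall())
    print('chained   ->', chained(False), chained(True))
    print('verifier  ->', verify_ruleset(RULESET))
```

Giving RULE_A the same depends_on_tags as RULE_B makes the verifier error go away, and the empty result in the pitfall scenario then reflects the rule author's intent rather than an artefact of step ordering.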
* Typo in test rule description
* Small refactor to deduplicate logic
* Improve variable names
* Use System.Text.Json instead of Newtonsoft.Json. Approximately 2x faster result output serialization with significantly reduced memory usage (for JSON format).
* Adds simple benchmark for json writer.
---------
Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>
* Refactor to include yamlpath directly in rule engine nupkg
* Fix Yaml Tests
Restore some missing braces mistakenly stripped by previous format run.
Adds locks to constructing structured data query objs (like the YamlDocument) to avoid thread collisions.
Should fix supporting disabling parallelized Analyzer
* Fix #511
Fixes #511.
AI was not appropriately adjusting the Index of the pattern match by the index of the yaml element like it did for XML and JSON.
Adds a new test case to ensure the index matched is correct using sample from the linked bug.
* Support multiple Yaml documents in a single file.
Check all documents listed in the stream rather than just the first.