This commit is contained in:
Michael Scovetta 2017-08-25 10:00:11 -07:00
Родитель 04f3855383
Коммит 9ce32ecf25
109 изменённых файлов: 2647 добавлений и 1915 удалений

.gitignore поставляемый

@ -1 +1,2 @@
DevSkim-Common/*
__common/*


@ -1,239 +0,0 @@
[ {
"id": "DS154189",
"name": "Banned C function detected",
"tags": [
"API.DangerousAPI.BannedFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"severity": "moderate",
"description": "These functions are historically error-prone and have been associated with a significant number of vulnerabilities. Most of these functions have safer alternatives, such as replacing 'strcpy' with 'strlcpy' or 'strcpy_s'.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS154189.md",
"patterns": [
{
"pattern": "(sprintf|_getts|_getws|_snprintf|_sntprintf|_snwprintf|_stprintf|_tcsat|_tcscpy|_tcslen|_tcsncpy|_vsnprintf|_vsntprintf|_vsnwprintf|_vstprintf|alloca|asctime|atof|atoi|atoll|bsearch|ctime|fopen|fprintf|freopen|fscanf|fwprintf|fwscanf|getenv|getwd|gmtime|localtime|lstrcat|lstrcpy|mbsrtowcs|mbstowcs|memmove|mktemp|printf|qsort|rewind|scanf|setbuf|sscanf|strcatbuff|strerror|strtok|swprintf|swscanf|tmpnam|vfprintf|vfscanf|vfwscanf|vprintf|vscanf|vsnprintf|vsprintf|vsscanf|vswprintf|vswscanf|vwprintf|vwscanf|wcrtomb|wcrtombs|wcscat|wcscpy|wcslen|wcsncat|wcsncpy|wcsrtombs|wcstok|wctomb|wmemcpy|wmemmove|wnsprintf|wprintf|wscanf|wsprintf|wvnsprintf|wvsprintf)",
"type": "regex-word",
"subtype": [
"function-call"
]
}
],
"fix_it": []
},
{
"id": "DS185832",
"name": "Banned C function detected (strcpy)",
"tags": [
"API.DangerousAPI.BannedFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"overrides": [
"DS154189"
],
"severity": "important",
"description": "strcpy is frequently dangerous, as it will cause a buffer overflow if the source is larger than the destination.",
"replacement": "Use strcpy_s or strlcpy if possible. If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS185832.md",
"patterns": [
{
"pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to strcpy_s (Recommended for VC++)",
"search": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
"replace": "strcpy_s($1, <size of $1>, $2)"
},
{
"type": "regex-substitute",
"name": "Change to strlcpy",
"search": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
"replace": "strlcpy($1, $2, <size of $1>)"
}
]
},
{
"id": "DS111237",
"name": "Banned C function detected (strncpy)",
"tags": [
"API.DangerousAPI.BannedFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"overrides": [
"DS154189"
],
"severity": "important",
"description": "strncpy is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination.",
"replacement": "Use strcpy_s or strlcpy if possible. If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS111237.md",
"patterns": [
{
"pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to strcpy_s (Recommended for VC++)",
"search": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"replace": "strcpy_s($1, $3, $2)"
},
{
"type": "regex-substitute",
"name": "Change to strlcpy",
"search": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"replace": "strlcpy($1, $2, $3)"
}
]
},
{
"id": "DS141863",
"name": "Banned C function detected (strcat)",
"tags": [
"API.DangerousAPI.BannedFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"overrides": [
"DS154189"
],
"severity": "important",
"description": "If the combination of strings is larger than the destination buffer, strcat will cbuffer overflow the destination buffer",
"replacement": "Use strcat_s or strlcat if possible. strncat's size parameter excludes the null terminator, which leads to frequent mistakes",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS141863.md",
"patterns": [
{
"pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to strcat_s (Recommended for VC++)",
"search": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
"replace": "strcat_s($1, <size of $1>, $2)"
},
{
"type": "regex-substitute",
"name": "Change to strlcat",
"search": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
"replace": "strlcat($1, $2, <size of $1>)"
}
]
},
{
"id": "DS108330",
"name": "Banned C function detected (strncat)",
"tags": [
"API.DangerousAPI.BannedFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"overrides": [
"DS154189"
],
"severity": "important",
"description": "strncat adds the null terminator at character 'n + 1', rather than at the nth character. this frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer.",
"replacement": "Use strcat_s or strlcat if possible. ",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS108330.md",
"patterns": [
{
"pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to strcat_s (Recommended for VC++)",
"search": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"replace": "strcat_s($1, $3, $2)"
},
{
"type": "regex-substitute",
"name": "Change to strlcat",
"search": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"replace": "strlcat($1, $2, $3)"
}
]
},
{
"id": "DS181021",
"name": "Banned C function detected (gets)",
"tags": [
"API.DangerousAPI.BannedFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"overrides": [
"DS154189"
],
"severity": "important",
"description": "gets will read in as many bytes as are provided, regardless of the size of buffer recieving the bytes. This allows for conditions that cause a buffer overlow in the destination buffer.",
"replacement": "Use gets_s or fgets if possible. fgets has different behavior from gets (may include newline for example), so care should be taken if it is used.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS181021.md",
"patterns": [
{
"pattern": "\\bgets\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to gets_s (Recommended for VC++)",
"search": "\\bgets\\s*\\(([^,\\)]+)\\)",
"replace": "gets_s($1, <size of $1>)"
},
{
"type": "regex-substitute",
"name": "Change to fgets",
"search": "\\bgets\\s*\\(([^,\\)]+)\\)",
"replace": "fgets($1, <size of $1>, stdin)"
}
]
}
]


@ -1,108 +0,0 @@
[
{
"id": "DS161085",
"name": "Problematic C function detected (malloc)",
"tags": [
"API.DangerousAPI.ProblematicFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"severity": "best-practice",
"description": "If the value provided to malloc is the result of unsafe integer math, it can result in an exploitable condition. ",
"replacement": "calloc handles the most common integer math in memory allocation (# of elements * their size) with error handling to prevent overflows in most implementations, and zeros out memory",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS161085.md",
"patterns": [
{
"pattern": "\\bmalloc\\s*\\(([^,\\)]+)\\)",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to calloc ",
"search": "\\bmalloc\\s*\\(([^,\\)]+)\\)",
"replace": "calloc(<number of elements>, <size of each element>)"
}
]
},
{
"id": "DS121708",
"name": "Problematic C function detected (memcpy)",
"tags": [
"API.DangerousAPI.ProblematicFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"severity": "best-practice",
"description": "There are a number of conditions in which memcpy can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). More secure alternitives perform additional validation of the source and destination buffer",
"replacement": "Use memcpy_s if possible.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS121708.md",
"patterns": [
{
"pattern": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to memcpy_s (Recommended for VC++)",
"search": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)",
"replace": "memcpy_s($1, <size of $1>, $2, $3)"
}
]
},
{
"id": "DS140021",
"name": "Problematic C function detected (strlen)",
"tags": [
"API.DangerousAPI.ProblematicFunction"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"overrides": [
"DS154189"
],
"severity": "best-practice",
"description": "If a string is missing a null terminator, strlen will read past the end of the buffer",
"replacement": "In instances where you know the maximum size of a string's buffer, use strlen_s or strnlen to prevent over-reading",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS140021.md",
"patterns": [
{
"pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"subtype": [
"function-call"
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to strlen_s (Recommended for VC++)",
"search": "\\bstrlen\\s*\\(([^,\\)]+)\\)",
"replace": "strlen_s($1, <size of $1>)"
},
{
"type": "regex-substitute",
"name": "Change to strnlen",
"search": "\\bstrlen\\s*\\(([^,\\)]+)\\)",
"replace": "strnlen($1, <size of $1>)"
}
]
}
]


@ -1,57 +0,0 @@
[
{
"id": "DS137038",
"name": "Notice: Outbound HTTP Connection",
"tags": [
"ThreatModel.Integration.HTTP"
],
"severity": "manual-review",
"description": "Inbound HTTP",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137038.md",
"applies_to": [
"ruby"
],
"patterns": [
{
"pattern": "Net::HTTP",
"type": "string"
}
],
"fix_it": []
},
{
"id": "DS137138",
"name": "Insecure URL",
"tags": [
"ThreatModel.Integration.HTTP"
],
"severity": "moderate",
"description": "An HTTP-based URL without TLS was detected.",
"replacement": "Update to an HTTPS-based URL if possible.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md",
"applies_to": [
],
"patterns": [
{
"pattern": "http:",
"type": "substring",
"conditions": [
{
"name": "match-prefix-any",
"value": ["xmlns=\""],
"invert": true
}
]
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to HTTPS ",
"search": "http:",
"replace": "https:"
}
]
}
]


@ -1,88 +0,0 @@
[
{
"id": "DS113853",
"name": "Do not set a custom execution policy.",
"tags": [
"ControlFlow.Permission.Evalation"
],
"applies_to": [
"powershell"
],
"severity": "moderate",
"description": "The Set-ExecutionPolicy cmdlet has been used to dynamically change the permissions available to PowerShell.",
"replacement": "Avoid elevating privileges if possible.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS113853.md",
"patterns": [
{
"pattern": "Set-ExecutionPolicy",
"type": "string"
}
],
"fix_it": []
},
{
"id": "DS104456",
"name": "Use of restricted functions.",
"tags": [
"Implementation.Scripting.PowerShell.DangeousFunction"
],
"applies_to": [
"powershell"
],
"severity": "important",
"description": "Use of restricted functions.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS104456.md",
"patterns": [
{
"pattern": "GetDelegateForFunctionPointer",
"type": "string"
},
{
"pattern": "System.Runtime.InteropServices.Marshal",
"type": "string"
},
{
"pattern": "WriteByte",
"type": "string"
},
{
"pattern": "Microsoft.Win32.UnsafeNativeMethods",
"type": "string"
},
{
"pattern": "PtrToStructure",
"type": "string"
},
{
"pattern": "StructureToPtr",
"type": "string"
},
{
"pattern": "(NtCreateThreadEx|CreateRemoteThread)",
"type": "regex-word"
},
{
"pattern": "Invoke",
"type": "string"
},
{
"pattern": "VirtualProtect",
"type": "string"
},
{
"pattern": "iex",
"type": "string"
},
{
"pattern": "&\"",
"type": "string"
},
{
"pattern": "& $",
"type": "string"
}
],
"fix_it": []
}
]


@ -1,232 +0,0 @@
[
{
"id": "DS126858",
"name": "Weak/Broken Hash Algorithm",
"tags": [
"Cryptography.BannedHashAlgorithm"
],
"severity": "critical",
"description": "A weak or broken hash algorithm was detected.",
"replacement": "Consider switching to use SHA-256 or SHA-512 instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS126858.md",
"patterns": [
{
"pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to \"SHA256\"",
"search": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
"replace": "SHA256"
},
{
"type": "regex-substitute",
"name": "Change to \"SHA512\"",
"search": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
"replace": "SHA512"
}
]
},
{
"id": "DS197800",
"overrides": [
"DS126858"
],
"name": "Weak/Broken Hash Algorithm",
"tags": [
"Cryptography.HashAlgorithm.BrokenOrWeak"
],
"severity": "critical",
"description": "A weak or broken hash algorithm was detected.",
"replacement": "Use CC_SHA256 or CC_SHA512 instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS197800.md",
"applies_to": [
"objective-c"
],
"patterns": [
{
"pattern": "CC_(MD2|MD4|MD5|SHA1)",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to SHA-256",
"search": "CC_(MD2|MD4|MD5|SHA1)",
"replace": "CC_SHA256"
},
{
"type": "regex-substitute",
"name": "Change to SHA-512",
"search": "CC_(MD2|MD4|MD5|SHA1)",
"replace": "CC_SHA512"
}
]
},
{
"id": "DS128420",
"overrides": [
"DS126858"
],
"name": "Weak/Broken Hash Algorithm",
"tags": [
"Cryptography.HashAlgorithm.BrokenOrWeak"
],
"severity": "critical",
"description": "A weak or broken hash algorithm was detected.",
"replacement": "When using hash(), use sha256 or sha512 as the algorithms instead",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS128420.md",
"applies_to": [
"php"
],
"patterns": [
{
"pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to SHA-256",
"search": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
"replace": "hash('sha256'$2);"
},
{
"type": "regex-substitute",
"name": "Change to SHA-512",
"search": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
"replace": "hash('sha512'$2);"
}
]
},
{
"id": "DS108647",
"name": "Do not use broken/weak cryptographic hash algorithms",
"tags": [
"Cryptography.HashAlgorithm.BrokenOrWeak"
],
"severity": "critical",
"description": "Avoid using broken or weak hash algorithms.",
"replacement": "Use Digest::SHA256 or Digest::SHA512",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS108647.md",
"applies_to": [
"ruby"
],
"patterns": [
{
"pattern": "Digest::(MD5|RMD160|SHA1)",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to SHA-256",
"search": "Digest::(MD5|RMD160|SHA1)",
"replace": "Digest::SHA256"
},
{
"type": "regex-substitute",
"name": "Change to SHA-512",
"search": "Digest::(MD5|RMD160|SHA1)",
"replace": "Digest::SHA512"
}
]
},
{
"id": "DS196098",
"overrides": [
"DS126858"
],
"name": "Do not use broken/weak cryptographic hash algorithms",
"tags": [
"Cryptography.HashAlgorithm.BrokenOrWeak"
],
"severity": "critical",
"description": "Avoid using broken or weak hash algorithms.",
"replacement": "Use hashlib.sha256 instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS196098.md",
"applies_to": [
"python"
],
"patterns": [
{
"pattern": "(md5|sha)\\.new\\(",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to hashlib.sha256",
"search": "(md5|sha)\\.new\\(",
"replace": "hashlib.sha256("
},
{
"type": "regex-substitute",
"name": "Change to hashlib.sha512",
"search": "(md5|sha)\\.new\\(",
"replace": "hashlib.sha512("
}
]
},
{
"id": "DS168931",
"overrides": [
"DS126858"
],
"name": "Do not use broken/weak cryptographic hash algorithms",
"tags": [
"Cryptography.HashAlgorithm.BrokenOrWeak"
],
"applies_to": [
"csharp"
],
"severity": "critical",
"description": "A potentially weak hashing algorithm was used.",
"replacement": "Use SHA-256 instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS168931.md",
"patterns": [
{
"pattern": "MD5CryptoServiceProvider",
"type": "substring"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to SHA-256",
"search": "MD5CryptoServiceProvider",
"replace": "SHA256CryptoServiceProvider"
},
{
"type": "regex-substitute",
"name": "Change to SHA-512",
"search": "MD5CryptoServiceProvider",
"replace": "SHA512CryptoServiceProvider"
}
]
},
{
"id": "DS197836",
"name": "Do not take the hash of low-entropy content.",
"tags": [
"Cryptography.HashAlgorithm.InsufficientEntropy"
],
"severity": "important",
"description": "Taking a hash of a time value is suspicious, as there is insufficient entropy to protect against brute-force attacks.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS197836.md",
"patterns": [
{
"pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time",
"type": "regex"
}
]
}
]


@ -1,290 +0,0 @@
[
{
"id": "DS144436",
"name": "Do not use outdated SSL/TLS protocols",
"tags": [
"Cryptography.Protocol.TLS"
],
"severity": "important",
"description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific SecurityProtocolType.",
"replacement": "Either leave off or set to SecurityProtocolType.Tls12;",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS144436.md",
"applies_to": [
"csharp"
],
"patterns": [
{
"pattern": "SecurityProtocolType\\.(Ssl3|Tls|Tls11)",
"type": "regex-word"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to SecurityProtocolType.Tls12",
"search": "\\bSecurityProtocolType\\.(Ssl3|Tls|Tls11)\\b",
"replace": "SecurityProtocolType.Tls12"
}
]
},
{
"id": "DS127101",
"name": "Hardcoding TLS protocol version",
"tags": [
"Cryptography.Protocol.TLS"
],
"severity": "moderate",
"description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific list of protocols.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS127101.md",
"applies_to": [
"cpp"
],
"patterns": [
{
"pattern": "SecPkgCred_SupportedProtocols",
"type": "regex-word"
}
]
},
{
"id": "DS169125",
"name": "Do not use outdated SSL/TLS protocols",
"tags": [
"Cryptography.Protocol.TLS"
],
"severity": "important",
"description": "An outdated SSL/TLS protocol version is specified.",
"replacement": "Use TLS 1.2",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169125.md",
"applies_to": [
],
"patterns": [
{
"pattern": "(SSLv?2|SSLv?3|TLSv?1|TLSv?10)",
"type": "regex-word"
}
]
},
{
"id": "DS169126",
"name": "An Outdated or Banned SSL/TLS Protocol is Used",
"tags": [
"Cryptography.Protocol.Banned"
],
"severity": "important",
"description": "An Outdated or Banned SSL/TLS Protocol is Used",
"replacement": "Use TLS 1.2",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169126.md",
"applies_to": [
],
"patterns": [
{
"pattern": "(SSL|TLS)v(2|23|3|1)_(client|server)",
"type": "regex"
},
{
"pattern": "SSLv2",
"type": "string"
},
{
"pattern": "SSLv3",
"type": "string"
},
{
"pattern": "TLSv1",
"type": "string"
},
{
"pattern": "TLSv10",
"type": "string"
}
]
},
{
"id": "DS169127",
"name": "An Outdated or Banned SSL/TLS Protocol is Used",
"tags": [
"Cryptography.Protocol.Banned"
],
"severity": "important",
"description": "An Outdated or Banned SSL/TLS Protocol is Used",
"replacement": "Use TLS 1.2",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169126.md",
"applies_to": [
"cpp",
"objective-c"
],
"patterns": [
{
"pattern": "SECURITY_FLAG_40BIT",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_56BIT",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_NORMALBITNESS",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_PCT",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_PCT4",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_SSL",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_SSL3",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_STRENGTH_MEDIUM",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_STRENGTH_WEAK",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_UNKNOWNBIT",
"type": "string"
},
{
"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL2",
"type": "string"
},
{
"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL3",
"type": "string"
},
{
"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_TLS1",
"type": "string"
},
{
"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_ALL",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_STRENGTH_MEDIUM",
"type": "string"
},
{
"pattern": "SECURITY_FLAG_STRENGTH_WEAK",
"type": "string"
},
{
"pattern": "SP_PROT_(PCT1|SSL2|SSL3|TLS1|TLS1_0)_(CLIENT|SERVER)",
"type": "regex"
},
{
"pattern": "NSStreamSocketSecurityLevelNone",
"type": "string"
},
{
"pattern": "NSStreamSocketSecurityLevelSSLv2",
"type": "string"
},
{
"pattern": "NSStreamSocketSecurityLevelSSLv3",
"type": "string"
},
{
"pattern": "NSStreamSocketSecurityLevelTLSv1",
"type": "string"
},
{
"pattern": "kCFStreamSocketSecurityLevelNone",
"type": "string"
},
{
"pattern": "kCFStreamSocketSecurityLevelSSLv2",
"type": "string"
},
{
"pattern": "kCFStreamSocketSecurityLevelSSLv3",
"type": "string"
},
{
"pattern": "kCFStreamSocketSecurityLevelTLSv1",
"type": "string"
},
{
"pattern": "kSSLProtocolUnknown ",
"type": "string"
},
{
"pattern": "kSSLProtocol3",
"type": "string"
},
{
"pattern": "kTLSProtocol1",
"type": "string"
},
{
"pattern": "kDTLSProtocol1",
"type": "string"
},
{
"pattern": "kSSLProtocol2",
"type": "string"
},
{
"pattern": "kSSLProtocol3Only",
"type": "string"
},
{
"pattern": "kTLSProtocol1Only",
"type": "string"
},
{
"pattern": "kSSLProtocolAll",
"type": "string"
}
]
},
{
"id": "DS169128",
"name": "An Outdated or Banned SSL/TLS Protocol is Used",
"tags": [
"Cryptography.Protocol.Banned"
],
"severity": "important",
"description": "An Outdated or Banned SSL/TLS Protocol is Used",
"replacement": "Use TLS 1.2",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169126.md",
"applies_to": [
"python"
],
"patterns": [
{
"pattern": "PROTOCOL_SSLv2",
"type": "string"
},
{
"pattern": "PROTOCOL_SSLv23",
"type": "string"
},
{
"pattern": "PROTOCOL_SSLv3",
"type": "string"
},
{
"pattern": "PROTOCOL_TLSv1",
"type": "string"
}
]
}
]


@ -1,92 +0,0 @@
[
{
"id": "DS148264",
"name": "Do not use weak/non-cryptographic random number generators",
"tags": [
"Cryptography.PRNG.Weak"
],
"severity": "important",
"description": "Use cryptographic random numbers generators for anything even close to a security function.",
"replacement": "Replacements depend on language.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS148264.md",
"patterns": [
{
"pattern": "DUAL_EC_DRBG",
"type": "string"
},
{
"applies_to": [
"javascript"
],
"pattern": "pseudoRandomBytes",
"type": "string"
},
{
"pattern": "rand\\(",
"type": "regex"
},
{
"pattern": "random_shuffle\\(",
"type": "regex"
},
{
"pattern": "shuffle\\(",
"type": "regex"
},
{
"pattern": "RAND_MAX",
"type": "string"
},
{
"pattern": "rand\\(\\s*\\)\\s*%",
"type": "regex"
},
{
"pattern": "mwc1616",
"type": "string"
},
{
"pattern": "(32969|18273)",
"type": "regex-word"
},
{
"pattern": "System.Random",
"type": "string"
},
{
"pattern": "Random\\(",
"type": "regex-word",
"applies_to": [
"java"
]
},
{
"pattern": "arc4random",
"type": "string"
}
],
"fix_it": []
},
{
"id": "DS149435",
"name": "Do not seed randomness based on system time or a static value.",
"tags": [
"Cryptography.WeakRandomness"
],
"severity": "critical",
"description": "Passing a predicable value to srand() is very insecure and should be avoided.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS149435.md",
"patterns": [
{
"pattern": "srand\\(\\s*time\\(",
"type": "regex"
},
{
"pattern": "srand\\(\\s*\\d+\\s*\\)",
"type": "regex"
}
],
"fix_it": []
}
]


@ -1,34 +0,0 @@
[
{
"id": "DS184626",
"name": "All Controllers Should Derive From Controller.",
"tags": [
"Implementation.Web.ASPNET.ControllerWithoutExtendingController"
],
"applies_to": [
"csharp"
],
"severity": "moderate",
"description": "All Controllers Should Derive From Controller.",
"replacement": "Ensure this class derives from Controller.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS184626.md",
"patterns": [
{
"pattern": "class [^\\s]+Controller\\s*:\\s*(?!.*?(Controller)).*",
"type": "regex"
},
{
"pattern": "class [^\\s]+Controller[\\s{]*$",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to inherit from Controller",
"search": "(class [^\\s]+Controller)(([\\s{]*$)|(\\s*:\\s*(?!.*?(Controller)).*))",
"replace": "$1 : Controller"
}
]
}
]


@ -1,43 +0,0 @@
[
{
"id": "DS144886",
"name": "$_REQUEST should be avoided",
"tags": [
"Implementation.PHP"
],
"applies_to": [
"php"
],
"severity": "moderate",
"description": "$_REQUEST combines POST, GET, and cookie values in one array, making it easy for an attacker to modify a POST or cookie value by instead putting it in a GET and sending the URL to the victim",
"replacement": "Use $_POST, $_GET, $_COOKIE to scope to the expected delivery method for a value ",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS144886.md",
"patterns": [
{
"pattern": "\\$_REQUEST",
"type": "regex"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Change to $_GET",
"search": "\\$_REQUEST",
"replace": "$$_GET"
},
{
"type": "regex-substitute",
"name": "Change to $_POST",
"search": "\\$_REQUEST",
"replace": "$$_POST"
},
{
"type": "regex-substitute",
"name": "Change to $_COOKIE",
"search": "\\$_REQUEST",
"replace": "$$_COOKIE"
}
]
}
]


@ -1,206 +0,0 @@
[
{
"description": "Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege",
"tags": [
"Vulerable-Dependency.Library.NuGet"
],
"applies_to": [
"packages.config"
],
"name": "Vulnerable NuGet Library",
"severity": "moderate",
"replacement": "Upgrade this package to a later, unaffected version.",
"patterns": [
{
"pattern": "<package id=\"System.Text.Encodings.Web\" version=\"(4\\.0\\.0|4\\.3\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"System.Net.Http\" version=\"(4\\.1\\.1|4\\.3\\.1)\"",
"type": "regex"
},
{
"pattern": "<package id=\"System.Net.Http.WinHttpHandler\" version=\"(4\\.0\\.1|4\\.3\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"System.Net.Security\" version=\"(4\\.0\\.0|4\\.3\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"System.Net.WebSockets.Client\" version=\"(4\\.0\\.0|4\\.3\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Core\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Abstractions\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.ApiExplorer\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Cors\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.DataAnnotations\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Formatters.Json\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Formatters.Xml\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Localization\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Razor.Host\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Razor\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.TagHelpers\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.ViewFeatures\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.WebApiCompatShim\" version=\"(1\\.0\\.0|1\\.0\\.1|1\\.0\\.2|1\\.0\\.3|1\\.1\\.0|1\\.1\\.1|1\\.1\\.2)\"",
"type": "regex"
}
],
"rule_info": "https://technet.microsoft.com/library/security/4021279",
"id": "DS300001"
},
{
"description": "Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service",
"tags": [
"Vulerable-Dependency.Library.NuGet"
],
"applies_to": [
"packages.config"
],
"name": "Vulnerable NuGet Library",
"severity": "moderate",
"replacement": "Upgrade this package to a later, unaffected version.",
"patterns": [
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Core\" version=\"(1\\.1\\.0)\"",
"type": "regex"
}
],
"rule_info": "https://technet.microsoft.com/library/security/4010983",
"id": "DS300004"
},
{
"description": " Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege",
"tags": [
"Vulerable-Dependency.Library.NuGet"
],
"applies_to": [
"packages.config"
],
"name": "Vulnerable NuGet Library",
"severity": "moderate",
"replacement": "Upgrade this package to a later, unaffected version.",
"patterns": [
{
"pattern": "<package id=\"Microsoft.IdentityModel.Tokens\" version=\"(5\\.1\\.0)\"",
"type": "regex"
}
],
"rule_info": "https://technet.microsoft.com/library/security/3214296",
"id": "DS300005"
},
{
"description": "Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege",
"tags": [
"Vulerable-Dependency.Library.NuGet"
],
"applies_to": [
"packages.config"
],
"name": "Vulnerable NuGet Library",
"severity": "moderate",
"replacement": "Upgrade this package to a later, unaffected version.",
"patterns": [
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Abstractions\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.ApiExplorer\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Core\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Cors\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.DataAnnotations\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Formatters.Json\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Formatters.Xml\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Localization\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Razor\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.Razor.Host\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.TagHelpers\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.ViewFeatures\" version=\"(1\\.0\\.0)\"",
"type": "regex"
},
{
"pattern": "<package id=\"Microsoft.AspNetCore.Mvc.WebApiCompatShim\" version=\"(1\\.0\\.0)\"",
"type": "regex"
}
],
"rule_info": "https://technet.microsoft.com/library/security/3181759",
"id": "DS300006"
}
]


@ -1,86 +0,0 @@
[
{
"id": "DS132779",
"name": "Do not enable external entity resolution.",
"tags": [
"Implementation.iOS.XML.DTDEntityResolution"
],
"applies_to": [
"objective-c"
],
"severity": "moderate",
"description": "Do not enable external entity resolution.",
"replacement": "Set shouldResolveExternalEntities to NO.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS132779.md",
"patterns": [
{
"pattern": "shouldResolveExternalEntities\\s*=\\s*YES",
"type": "regex-word"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Disable external entity resolution",
"search": "(shouldResolveExternalEntities\\s*=\\s*)(YES)",
"replace": "$1NO"
}
]
},
{
"id": "DS132780",
"name": "Do not enable external entity resolution.",
"tags": [
"Implementation.iOS.XML.DTDEntityResolution"
],
"applies_to": [
"swift"
],
"severity": "moderate",
"description": "Do not enable external entity resolution.",
"replacement": "x.setShouldResolveExternalEntities = FALSE;",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS132780.md",
"patterns": [
{
"pattern": "shouldResolveExternalEntities\\s*=\\s*TRUE",
"type": "regex-word"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Disable external entity resolution",
"search": "(shouldResolveExternalEntities\\s*=\\s*)(TRUE)",
"replace": "$1FALSE"
}
]
},
{
"id": "DS132790",
"name": "Do not enable external entity resolution.",
"tags": [
"Implementation.iOS.XML.DTDEntityResolution"
],
"applies_to": [
"objective-c"
],
"severity": "moderate",
"description": "Do not enable external entity resolution.",
"replacement": "[x setShouldResolveExternalEntities: NO];",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS132790.md",
"patterns": [
{
"pattern": "setShouldResolveExternalEntities:\\s*YES",
"type": "regex-word"
}
],
"fix_it": [
{
"type": "regex-substitute",
"name": "Disable external entity resolution",
"search": "(setShouldResolveExternalEntities:\\s*)(YES)",
"replace": "$1NO"
}
]
}
]




@ -1,6 +1,6 @@
# DevSkim
DevSkim is a framework of IDE plugins and Language analyzers that provide inline security analysis
DevSkim is a framework of IDE extensions and Language analyzers that provide inline security analysis
in the dev environment as the developer writes code. It is designed to work with multiple IDEs
(VS, VS Code, Sublime Text, etc.), and has a flexible rule model that supports multiple programming
languages. The idea is to give the developer notification as they are introducing a security
@ -18,7 +18,7 @@ and contributions!
DevSkim consists of multiple repositories (one for the rules, and one per plugin):
* [DevSkim](https://github.com/Microsoft/DevSkim/) - This repository, plus common rules and guidance
* [DevSkim-VisualStudio-Plugin](https://github.com/Microsoft/DevSkim-VisualStudio-Plugin/) - Visual Studio Plugin
* [DevSkim-VisualStudio-Extension](https://github.com/Microsoft/DevSkim-VisualStudio-Extension/) - Visual Studio Extension
* [DevSkim-Sublime-Plugin](https://github.com/Microsoft/DevSkim-Sublime-Plugin/) - Sublime Text Plugin
* [DevSkim-VSCode-Plugin](https://github.com/Microsoft/DevSkim-VSCode-Plugin/) - VS Code Plugin


@ -0,0 +1,329 @@
[
{
"name": "Banned C function detected",
"id": "DS154189",
"description": "These functions are historically error-prone and have been associated with a significant number of vulnerabilities. Most of these functions have safer alternatives, such as replacing 'strcpy' with 'strlcpy' or 'strcpy_s'.",
"recommendation": "",
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.BannedFunction"
],
"severity": "moderate",
"_comment": "",
"rule_info": "DS154189.md",
"patterns": [
{
"pattern": "(sprintf|_getts|_getws|_snprintf|_sntprintf|_snwprintf|_stprintf|_tcsat|_tcscpy|_tcslen|_tcsncpy|_vsnprintf|_vsntprintf|_vsnwprintf|_vstprintf|alloca|asctime|atof|atoi|atoll|bsearch|ctime|fopen|fprintf|freopen|fscanf|fwprintf|fwscanf|getenv|getwd|gmtime|localtime|lstrcat|lstrcpy|mbsrtowcs|mbstowcs|memmove|mktemp|printf|qsort|rewind|scanf|setbuf|sscanf|strcatbuff|strerror|strtok|swprintf|swscanf|tmpnam|vfprintf|vfscanf|vfwscanf|vprintf|vscanf|vsnprintf|vsprintf|vsscanf|vswprintf|vswscanf|vwprintf|vwscanf|wcrtomb|wcrtombs|wcscat|wcscpy|wcslen|wcsncat|wcsncpy|wcsrtombs|wcstok|wctomb|wmemcpy|wmemmove|wnsprintf|wprintf|wscanf|wsprintf|wvnsprintf|wvsprintf)",
"type": "regex-word",
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"name": "Banned C function detected (strcpy)",
"id": "DS185832",
"description": "strcpy is frequently dangerous, as it will cause a buffer overflow if the source is larger than the destination.",
"recommendation": "Use strcpy_s or strlcpy if possible. If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.",
"overrides": [
"DS154189"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.BannedFunction"
],
"severity": "important",
"_comment": "",
"rule_info": "DS185832.md",
"patterns": [
{
"pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to strcpy_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "strcpy_s($1, <size of $1>, $2)",
"pattern": {
"pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "Change to strlcpy",
"type": "regex-replace",
"_comment": "",
"replacement": "strlcpy($1, $2, <size of $1>)",
"pattern": {
"pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"name": "Banned C function detected (strncpy)",
"id": "DS111237",
"description": "strncpy is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination.",
"recommendation": "Use strcpy_s or strlcpy if possible. If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.",
"overrides": [
"DS154189"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.BannedFunction"
],
"severity": "important",
"_comment": "",
"rule_info": "DS111237.md",
"patterns": [
{
"pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to strcpy_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "strcpy_s($1, $3, $2)",
"pattern": {
"pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "Change to strlcpy",
"type": "regex-replace",
"_comment": "",
"replacement": "strlcpy($1, $2, $3)",
"pattern": {
"pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"name": "Banned C function detected (strcat)",
"id": "DS141863",
"description": "If the combination of strings is larger than the destination buffer, strcat will cbuffer overflow the destination buffer",
"recommendation": "Use strcat_s or strlcat if possible. strncat's size parameter excludes the null terminator, which leads to frequent mistakes",
"overrides": [
"DS154189"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.BannedFunction"
],
"severity": "important",
"_comment": "",
"rule_info": "DS141863.md",
"patterns": [
{
"pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to strcat_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "strcat_s($1, <size of $1>, $2)",
"pattern": {
"pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "Change to strlcat",
"type": "regex-replace",
"_comment": "",
"replacement": "strlcat($1, $2, <size of $1>)",
"pattern": {
"pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"name": "Banned C function detected (strncat)",
"id": "DS108330",
"description": "strncat adds the null terminator at character 'n + 1', rather than at the nth character. this frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer.",
"recommendation": "Use strcat_s or strlcat if possible. ",
"overrides": [
"DS154189"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.BannedFunction"
],
"severity": "important",
"_comment": "",
"rule_info": "DS108330.md",
"patterns": [
{
"pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to strcat_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "strcat_s($1, $3, $2)",
"pattern": {
"pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "Change to strlcat",
"type": "regex-replace",
"_comment": "",
"replacement": "strlcat($1, $2, $3)",
"pattern": {
"pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"name": "Banned C function detected (gets)",
"id": "DS181021",
"description": "gets will read in as many bytes as are provided, regardless of the size of buffer recieving the bytes. This allows for conditions that cause a buffer overlow in the destination buffer.",
"recommendation": "Use gets_s or fgets if possible. fgets has different behavior from gets (may include newline for example), so care should be taken if it is used.",
"overrides": [
"DS154189"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.BannedFunction"
],
"severity": "important",
"_comment": "",
"rule_info": "DS181021.md",
"patterns": [
{
"pattern": "\\bgets\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to gets_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "gets_s($1, <size of $1>)",
"pattern": {
"pattern": "\\bgets\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "Change to fgets",
"type": "regex-replace",
"_comment": "",
"replacement": "fgets($1, <size of $1>, stdin)",
"pattern": {
"pattern": "\\bgets\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
}
]
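Review bot: The strncat fix-its `"replacement": "strcat_s($1, $3, $2)"` and `"replacement": "strlcat($1, $2, $3)"` in DS108330 pass strncat's third argument through as the destination buffer size, but strncat's count is the maximum number of characters to append, not the size of the destination, so the generated call is bounded by the wrong quantity: a count smaller than the remaining room makes strcat_s fail (or strlcat append nothing) on inputs the original accepted, and a count larger than the destination leaves the overflow in place; the only safe mapping is the placeholder the strcat rule already uses, `"replacement": "strcat_s($1, <size of $1>, $2)"` and `"replacement": "strlcat($1, $2, <size of $1>)"`. A second gap: the fallback alternation in DS154189 lists `_tcscpy`, `lstrcpy` and `wcscpy` but not `strcpy`, `strncpy`, `strcat`, `strncat` or `gets`, and the specific rules' `[^,]+` capture groups cannot match a call whose argument contains a comma (`strcpy(dst, fmt(a, b))`), so such a call is reported by nothing; adding `strcpy|strncpy|strcat|strncat|gets` to the DS154189 pattern closes that hole, since the specific rules already declare `"overrides": ["DS154189"]`. The trailing `+` after `\\)` in the strncpy and strncat patterns looks unintentional (it only widens the matched extent) and can be dropped.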


@ -1,45 +1,54 @@
[ {
"id": "DS179924",
[
{
"name": "Do not copy a FILE object (CERT FIO38-C)",
"tags": [
"CERT.FIO38-C",
"C.DangerousFunctionCall"
],
"id": "DS179924",
"description": "The CERT Secure Coding Standard recommends that FILE objects not be copied.",
"recommendation": "Copy a pointer to the FILE object instead.",
"applies_to": [
"cpp",
"c"
],
"tags": [
"CERT.FIO38-C",
"C.DangerousFunctionCall"
],
"severity": "important",
"description": "The CERT Secure Coding Standard recommends that FILE objects not be copied.",
"replacement": "Copy a pointer to the FILE object instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS179924.md",
"_comment": "",
"rule_info": "DS179924.md",
"patterns": [
{
"pattern": "FILE [a-z0-9_][^=]*=\\s*\\*",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS181731",
{
"name": "Don't pass user input to this function",
"tags": [
"PHP.Injection"
],
"id": "DS181731",
"description": "Don't pass user input to this function.",
"recommendation": "Validate this data before passing it to the function.",
"applies_to": [
"php"
],
"tags": [
"PHP.Injection"
],
"severity": "critical",
"description": "Don't pass user input to this function.",
"replacement": "Validate this data before passing it to the function.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS181731.md",
"_comment": "",
"rule_info": "DS181731.md",
"patterns": [
{
"pattern": "(include|require|include_once|require_once|passthru)\\s*\\(.*\\$\\_(GET|POST|REQUEST|COOKIES|FILES)",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
}
]
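Review bot: The PHP injection pattern on the unchanged line `\\$\\_(GET|POST|REQUEST|COOKIES|FILES)` names a superglobal that does not exist: PHP's cookie array is `$_COOKIE`, so `include($_COOKIE['p'])` is never reported, and `$_SERVER` (which carries attacker-controlled request headers such as `HTTP_HOST` and `HTTP_REFERER`) and `$_ENV` are not covered at all. Suggested line: `"pattern": "(include|require|include_once|require_once|passthru)\\s*\\(.*\\$\\_(GET|POST|REQUEST|COOKIE|FILES|SERVER|ENV)"`. The DS179924 pattern `FILE [a-z0-9_][^=]*=\\s*\\*` is case-sensitive on the variable's first character, so a copy into an identifier starting with an uppercase letter is missed; `[A-Za-z0-9_]` closes that, and since other rules in this commit opt into case-insensitivity explicitly with `"modifiers": ["i"]` it does not appear to be implicit.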


@ -0,0 +1,148 @@
[
{
"name": "Problematic C function detected (malloc)",
"id": "DS161085",
"description": "If the value provided to malloc is the result of unsafe integer math, it can result in an exploitable condition. ",
"recommendation": "calloc handles the most common integer math in memory allocation (# of elements * their size) with error handling to prevent overflows in most implementations, and zeros out memory",
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.ProblematicFunction"
],
"severity": "best-practice",
"_comment": "",
"rule_info": "DS161085.md",
"patterns": [
{
"pattern": "\\bmalloc\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to calloc ",
"type": "regex-replace",
"_comment": "",
"replacement": "calloc(<number of elements>, <size of each element>)",
"pattern": {
"pattern": "\\bmalloc\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"name": "Problematic C function detected (memcpy)",
"id": "DS121708",
"description": "There are a number of conditions in which memcpy can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). More secure alternitives perform additional validation of the source and destination buffer",
"recommendation": "Use memcpy_s if possible.",
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.ProblematicFunction"
],
"severity": "best-practice",
"_comment": "",
"rule_info": "DS121708.md",
"patterns": [
{
"pattern": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to memcpy_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "memcpy_s($1, <size of $1>, $2, $3)",
"pattern": {
"pattern": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"name": "Problematic C function detected (strlen)",
"id": "DS140021",
"description": "If a string is missing a null terminator, strlen will read past the end of the buffer",
"recommendation": "In instances where you know the maximum size of a string's buffer, use strlen_s or strnlen to prevent over-reading",
"overrides": [
"DS154189"
],
"applies_to": [
"c",
"cpp",
"objective-c"
],
"tags": [
"API.DangerousAPI.ProblematicFunction"
],
"severity": "best-practice",
"_comment": "",
"rule_info": "DS140021.md",
"patterns": [
{
"pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to strlen_s (Recommended for VC++)",
"type": "regex-replace",
"_comment": "",
"replacement": "strlen_s($1, <size of $1>)",
"pattern": {
"pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
},
{
"name": "Change to strnlen",
"type": "regex-replace",
"_comment": "",
"replacement": "strnlen($1, <size of $1>)",
"pattern": {
"pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
}
]
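Review bot: The DS140021 fix-it `"replacement": "strlen_s($1, <size of $1>)"` (together with `"name": "Change to strlen_s (Recommended for VC++)"` and the `recommendation` text) refers to a function that does not exist: C11 Annex K and the Visual C++ CRT provide `strnlen_s` (and `strnlen`), not `strlen_s`, so accepting the fix-it yields code that fails to compile. Change the three occurrences to `strnlen_s`, e.g. `"replacement": "strnlen_s($1, <size of $1>)"`. The `"overrides": ["DS154189"]` on the same rule has no effect because `strlen` is not in the DS154189 alternation (only `_tcslen` and `wcslen` are), which is harmless but should either be removed or made true by adding `strlen` there.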


@ -0,0 +1,82 @@
[
{
"name": "Notice: Outbound HTTP Connection",
"id": "DS137038",
"description": "Inbound HTTP",
"recommendation": "",
"applies_to": [
"ruby"
],
"tags": [
"ThreatModel.Integration.HTTP"
],
"severity": "manual-review",
"_comment": "",
"rule_info": "DS137038.md",
"patterns": [
{
"pattern": "Net::HTTP",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"name": "Insecure URL",
"id": "DS137138",
"description": "An HTTP-based URL without TLS was detected.",
"recommendation": "Update to an HTTPS-based URL if possible.",
"tags": [
"ThreatModel.Integration.HTTP"
],
"severity": "moderate",
"_comment": "",
"rule_info": "DS137138.md",
"patterns": [
{
"pattern": "http:",
"type": "substring",
"scopes": [
"code"
],
"modifiers": ["i"],
"_comment": ""
}
],
"conditions" : [
{
"pattern" :
{
"pattern": "xmlns",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
"negate_finding": true,
"_comment": ""
}
],
"fix_its": [
{
"name": "Change to HTTPS ",
"type": "regex-replace",
"_comment": "",
"replacement": "https:",
"pattern": {
"pattern": "http:",
"type": "regex",
"scopes": [
"code"
],
"modifiers": ["i"],
"_comment": ""
}
}
]
}
]
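Review bot: DS137038 is named `Notice: Outbound HTTP Connection` but its description reads `"description": "Inbound HTTP"`; `Net::HTTP` is Ruby's HTTP client, so the description should say something like `"description": "An outbound HTTP connection is created with Net::HTTP; confirm that TLS is enabled (use_ssl) and that the peer certificate is verified."`. DS137138 matches the bare substring `http:` in every file type (no `applies_to`) and its fix-it rewrites the match to `https:` on any line that does not contain `xmlns`; that still flips identifiers that are names rather than endpoints — DOCTYPE/DTD URIs, `xsi:schemaLocation` values, `http://schemas.microsoft.com/...` namespaces — and loopback URLs, where the edit changes behavior without improving security. Either add a second negated entry to `conditions` (for example `"pattern": "DOCTYPE|schemaLocation|schemas\\."`) or narrow the main pattern to something like `http://(?!localhost|127\\.0\\.0\\.1)` with `"type": "regex"`, assuming the regex engine supports lookahead.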


@ -1,23 +1,27 @@
[
{
"id": "DS165746",
"name": "Do not execute user-provided JavaScript",
"tags": [
"Design.Mobile.iOS.WebView.DynamicJavaScript"
],
"id": "DS165746",
"description": "This line of code shows the dynamic evaluation of JavaScript, sourced from a string. It's important that this string not contain unsanitized user-supplied data, as it could be a vector for a cross-site scripting (XSS) attack.",
"recommendation": "",
"applies_to": [
"objective-c"
],
"tags": [
"Design.Mobile.iOS.WebView.DynamicJavaScript"
],
"severity": "important",
"description": "This line of code shows the dynamic evaluation of JavaScript, sourced from a string. It's important that this string not contain unsanitized user-supplied data, as it could be a vector for a cross-site scripting (XSS) attack.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS165746.md",
"_comment": "",
"rule_info": "DS165746.md",
"patterns": [
{
"pattern": "stringByEvaluatingJavaScriptFromString",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
}
]
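Review bot: The rewritten rule still ships `"recommendation": ""` even though the description already names the remedy; a concrete line such as `"recommendation": "Build the script from constants, or escape/JSON-encode user-supplied values before passing the string to stringByEvaluatingJavaScriptFromString."` makes the IDE hint actionable. If the rendered text is faithful, the file's last two lines are `},` followed by `]`, i.e. a trailing comma inside the top-level array: Newtonsoft-style parsers accept this, but strict RFC 8259 parsers such as Python's `json` module (which the Sublime plugin listed in the README would likely use) reject it, so the comma should go.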


@ -1,30 +1,43 @@
[
{
"id": "DS113286",
"name": "Do not include user-input directoy in format strings",
"id": "DS113286",
"description": "Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings",
"recommendation": "",
"applies_to": [
"objective-c"
],
"tags": [
"ControlFlow.Injection.FormatString",
"cert:FIO30-C"
],
"applies_to": [
"objective-c"
],
"severity": "important",
"description": "Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS113286.md",
"_comment": "",
"rule_info": "DS113286.md",
"patterns": [
{
"pattern": "\\[NSString stringWithFormat:\\s*([^@\\\"\\]]+\\])",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
"fix_its": [
{
"type": "regex-substitute",
"name": "Use a predefined format string",
"search": "\\[NSString stringWithFormat:\\s*([^@\\\"\\]]+\\])",
"replace": "[NSString stringWithFormat:@\"%@\", $1"
"type": "regex-replace",
"_comment": "",
"replacement": "[NSString stringWithFormat:@\"%@\", $1",
"pattern": {
"pattern": "\\[NSString stringWithFormat:\\s*([^@\\\"\\]]+\\])",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
}
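Review bot: The rule name on the unchanged line `"name": "Do not include user-input directoy in format strings"` has a typo; `"name": "Do not include user input directly in format strings"` is the intended text. The fix-it `"replacement": "[NSString stringWithFormat:@\"%@\", $1"` is only equivalent for a single-argument call: because `$1` is `([^@\\\"\\]]+\\])`, a call like `[NSString stringWithFormat:fmt, a, b]` is captured whole and becomes `stringWithFormat:@"%@", fmt, a, b]`, which silently discards the formatting the author intended, so either exclude commas from the capture (`([^@\\\",\\]]+\\])`) or record the limitation in the fix-it's `_comment`, e.g. `"_comment": "Only valid when the format string is the sole argument."`. The closing `]` of the top-level array lies beyond the hunk's trailing context, so it could not be checked here.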


@ -0,0 +1,140 @@
[
{
"name": "Do not set a custom execution policy.",
"id": "DS113853",
"description": "The Set-ExecutionPolicy cmdlet has been used to dynamically change the permissions available to PowerShell.",
"recommendation": "Avoid elevating privileges if possible.",
"applies_to": [
"powershell"
],
"tags": [
"ControlFlow.Permission.Evalation"
],
"severity": "moderate",
"_comment": "",
"rule_info": "DS113853.md",
"patterns": [
{
"pattern": "Set-ExecutionPolicy",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"name": "Use of restricted functions.",
"id": "DS104456",
"description": "Use of restricted functions.",
"recommendation": "",
"applies_to": [
"powershell"
],
"tags": [
"Implementation.Scripting.PowerShell.DangeousFunction"
],
"severity": "important",
"_comment": "",
"rule_info": "DS104456.md",
"patterns": [
{
"pattern": "GetDelegateForFunctionPointer",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "System.Runtime.InteropServices.Marshal",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "WriteByte",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "Microsoft.Win32.UnsafeNativeMethods",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "PtrToStructure",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "StructureToPtr",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "(NtCreateThreadEx|CreateRemoteThread)",
"type": "regex-word",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "Invoke",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "VirtualProtect",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "iex",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "&\"",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "& $",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
]
}
]
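Review bot: DS104456 lists `"pattern": "Invoke"` as a plain `string` pattern at severity `important`, which (if `string` matches are word-bounded, as the separate `substring` type elsewhere in this commit suggests) fires on every `Invoke-WebRequest`, `Invoke-Command` and `Invoke-RestMethod` in ordinary scripts and will bury the findings that matter; the dangerous forms are `Invoke-Expression` (already covered by `iex`) and reflective `.Invoke(`, so `"pattern": "Invoke-Expression|\\.Invoke\\s*\\("` with `"type": "regex"` keeps the signal. Two tag typos in the same file: `"Implementation.Scripting.PowerShell.DangeousFunction"` should read `DangerousFunction`, and `"ControlFlow.Permission.Evalation"` should read `Elevation`. On DS113853, Set-ExecutionPolicy does not change the privileges of the PowerShell process (execution policy is a script-signing safety setting, not a security boundary), so `"recommendation": "Avoid elevating privileges if possible."` misdescribes the risk; `"recommendation": "Do not relax the execution policy (Bypass/Unrestricted) from within a script; sign scripts and set policy through configuration instead."` matches what the pattern actually detects.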


@ -1,327 +1,360 @@
[
{
"id": "DS114352",
"name": "Encryption Marked 'Optional'",
"id": "DS114352",
"description": "Optional encryption or integrity checking can be dangerous.",
"recommendation": "As a best practice, always enable strong encryption and integrity checking.",
"tags": [
"Cryptography.Optional"
],
"severity": "important",
"description": "Optional encryption or integrity checking can be dangerous.",
"replacement": "As a best practice, always enable strong encryption and integrity checking.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "Integrity.*optional",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "Encryption.*optional",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS181865",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"id": "DS181865",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS181865.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"objective-c"
],
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS181865.md",
"patterns": [
{
"pattern": "setValidatesSecureCertificate:\\s*NO",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "setAllowsAnyHTTPSCertificate:\\s*YES",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "allowsAnyHTTPSCertificate\\s*=\\s*YES",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "setValidatesSecureCertificate:\\s*NO",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "validatesSecureCertificate\\s*=\\s*NO",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "continueWithoutCredentialForAuthenticationChallenge",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "kCFStreamSSL(Level|AllowsExpiredCertificates|AllowsExpiredRoots|AllowsAnyRoot|ValidatesCertificateChain|PeerName)",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "kCFStreamPropertySSLSettings",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"id": "DS134411",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS134411.md",
"applies_to": [
"csharp"
],
"patterns": [
{
"pattern": ".IgnorableServerCertificateErrors.",
"type": "string"
},
{
"pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\s*{\\s*return true;\\s*};",
"type": "regex"
},
{
"pattern": "ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\([^\\)]*\\)\\s*{\\s+return[\\s\\(]?true[\\s\\)]?",
"type": "regex",
"modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"]
},
{
"pattern": "ServerCertificateValidationCallback\\s*\\+?=\\s*\\([^\\)]*\\)\\s*=>\\s*true",
"type": "regex",
"modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"]
},
{
"pattern": "RemoteCertificateValidationCallback\\(delegate\\s*{\\s*return true;\\s*}\\);",
"type": "regex"
},
{
"pattern": "RemoteCertificateValidationCallback\\(\\s*\\([^\\)]*\\)\\s*=>\\s*{\\s*return true;\\s*}\\s*\\)",
"type": "regex"
}
]
},
{
"id": "DS176603",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"ruby"
],
"patterns": [
{
"pattern": "OpenSSL::SSL::VERIFY_NONE",
"type": "string"
}
],
"fix_it": []
},
{
"id": "DS130821",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"applies_to": [
"python"
],
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "requests\\.(get|post|head|patch|delete|options)\\([^\\)]*\\s+verify\\s*=\\s*False\\)",
"type": "regex",
"modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"]
}
],
"fix_it": [
{
"type": "regex-substitute",
"modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"],
"name": "Set verify to True",
"search": "False",
"replace": "True"
"pattern": "OpenSSL::SSL::VERIFY_NONE",
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"id": "DS130822",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"id": "DS130822",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS130822.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"python"
],
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS130822.md",
"patterns": [
{
"pattern": "\\.check_hostname\\s*=\\s*False",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "disable_ssl_certificate_validation\\s*=\\s*True",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS159369",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"id": "DS159369",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"cpp"
],
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "SECURITY_FLAG_IGNORE_REVOCATION",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "SECURITY_FLAG_IGNORE_WRONG_USAGE",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS101940",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"id": "DS101940",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
".config"
],
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "certificateValidationMode=\"None\"",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "checkCertificateName=\"false\"",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "checkCertificateRevocationList=\"false\"",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "encryptionPolicy=\"(AllowNoEncryption|NoEncryption)",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS125134",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"id": "DS125134",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"javascript"
],
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "NODE_TLS_REJECT_UNAUTHORIZED|rejectUnauthorized",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS152094",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"id": "DS152094",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"java"
],
"patterns": [
{
"pattern": "(TrustManager|getInsecure|HostnameVerifier|AbstractVerifier|AllowAllHostnameVerifier|BrowserCompatHostnameVerifier|StrictHostnameVerifier|onReceivedSslError|insecuresocketfactory|customhostnameverifier)",
"type": "regex"
}
],
"fix_it": []
},
{
"id": "DS126185",
"name": "Disabled certificate validation",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "(TrustManager|getInsecure|HostnameVerifier|AbstractVerifier|AllowAllHostnameVerifier|BrowserCompatHostnameVerifier|StrictHostnameVerifier|onReceivedSslError|insecuresocketfactory|customhostnameverifier)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"name": "Disabled certificate validation",
"id": "DS126185",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md",
"recommendation": "Always use a valid certificate, even during testing.",
"applies_to": [
"powershell"
],
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"_comment": "",
"rule_info": "DS114352.md",
"patterns": [
{
"pattern": "::ServerCertificateValidationCallback\\s*=\\s*{\\s*\\$true\\s*}",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
}
]
]
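Review bot: DS125134 (javascript) reports `"pattern": "NODE_TLS_REJECT_UNAUTHORIZED|rejectUnauthorized"` at severity `critical`, but that also fires on the secure settings `rejectUnauthorized: true` and `NODE_TLS_REJECT_UNAUTHORIZED=1`, which trains users to dismiss the rule; splitting it into `"pattern": "rejectUnauthorized\\s*:\\s*false"` and `"pattern": "NODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*['\\\"]?0"` reports only the disabling forms. DS152094 (java) has the same shape: `StrictHostnameVerifier` is the strict verifier and bare `TrustManager`/`HostnameVerifier` match every correct `X509TrustManager` or verifier implementation, so safe code gets critical findings; drop `StrictHostnameVerifier`, keep the unambiguous bypasses (`AllowAllHostnameVerifier`, `getInsecure`, `insecuresocketfactory`, `onReceivedSslError`) at critical, and move the generic `TrustManager`/`HostnameVerifier` hits to a separate rule at the `manual-review` severity this commit already uses for DS137038. DS181865 lists `setValidatesSecureCertificate:\\s*NO` twice; the duplicate entry can be removed.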


@ -1,114 +1,153 @@
[
{
"id": "DS175862",
"name": "Do not use the mcrypt module, use OpenSSL instead.",
"tags": [
"Cryptography.Library.Abandoned"
],
"id": "DS175862",
"description": "The PHP mcrypt module is based on libmcrypt, which has been abanonded since 2007.",
"recommendation": "OpenSSL",
"applies_to": [
"php"
],
"tags": [
"Cryptography.Library.Abandoned"
],
"severity": "moderate",
"description": "The PHP mcrypt module is based on libmcrypt, which has been abanonded since 2007.",
"replacement": "OpenSSL",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS175862.md",
"_comment": "",
"rule_info": "DS175862.md",
"patterns": [
{
"pattern": "mcrypt",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
]
},
{
"name": "Do not use the 3DES symmetric block cipher.",
"id": "DS109501",
"description": "The 3DES cipher was found, which is only secure if three independent keys are used.",
"recommendation": "Use AES instead.",
"overrides": [
"DS106864"
],
"name": "Do not use the 3DES symmetric block cipher.",
"applies_to": [
"csharp"
],
"tags": [
"Cryptography.Symmetric.PotentiallyWeakAlgorithm"
],
"applies_to": [
"csharp"
],
"severity": "moderate",
"description": "The 3DES cipher was found, which is only secure if three independent keys are used.",
"replacement": "Use AES instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS109501.md",
"_comment": "",
"rule_info": "DS109501.md",
"patterns": [
{
"pattern": "TripleDESCryptoServiceProvider",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
"fix_its": [
{
"type": "regex-substitute",
"name": "Change to AESCryptoServiceProvider",
"search": "TripleDESCryptoServiceProvider",
"replace": "AESCryptoServiceProvider"
"type": "regex-replace",
"_comment": "",
"replacement": "AESCryptoServiceProvider",
"pattern": {
"pattern": "TripleDESCryptoServiceProvider",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"id": "DS106864",
"name": "Do not use the DES symmetric block cipher.",
"tags": [
"Cryptography.Symmetric.WeakOrBrokenAlgorithm"
],
"id": "DS106864",
"description": "The DES cipher was found, which is widely considered to be broken.",
"recommendation": "Use AES instead.",
"applies_to": [
"csharp"
],
"tags": [
"Cryptography.Symmetric.WeakOrBrokenAlgorithm"
],
"severity": "critical",
"description": "The DES cipher was found, which is widely considered to be broken.",
"replacement": "Use AES instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS106864.md",
"_comment": "",
"rule_info": "DS106864.md",
"patterns": [
{
"pattern": "DESCryptoServiceProvider",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
"fix_its": [
{
"type": "regex-substitute",
"name": "Change to AESCryptoServiceProvider",
"search": "DESCryptoServiceProvider",
"replace": "AESCryptoServiceProvider"
"type": "regex-replace",
"_comment": "",
"replacement": "AESCryptoServiceProvider",
"pattern": {
"pattern": "DESCryptoServiceProvider",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"id": "DS156431",
"name": "Do not use the RC2 symmetric block cipher.",
"tags": [
"Cryptography.Symmetric.WeakOrBrokenAlgorithm"
],
"id": "DS156431",
"description": "The RC2 cipher was found, which is considered to be broken.",
"recommendation": "Use AES instead.",
"applies_to": [
"csharp"
],
"tags": [
"Cryptography.Symmetric.WeakOrBrokenAlgorithm"
],
"severity": "critical",
"description": "The RC2 cipher was found, which is considered to be broken.",
"replacement": "Use AES instead.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS156431.md",
"_comment": "",
"rule_info": "DS156431.md",
"patterns": [
{
"pattern": "RC2CryptoServiceProvider",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
"fix_its": [
{
"type": "regex-substitute",
"name": "Change to AESCryptoServiceProvider",
"search": "RC2CryptoServiceProvider",
"replace": "AESCryptoServiceProvider"
"type": "regex-replace",
"_comment": "",
"replacement": "AESCryptoServiceProvider",
"pattern": {
"pattern": "RC2CryptoServiceProvider",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
}
]
]
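Review bot: The three fix-its in this section rewrite the weak provider to `AESCryptoServiceProvider` (`"replacement": "AESCryptoServiceProvider"` under DS109501, DS106864 and DS156431), but the .NET class is spelled `AesCryptoServiceProvider`, so applying any of them yields code that does not compile; the replacement strings and the `Change to AESCryptoServiceProvider` names should be corrected together. The DS106864 fix-it pattern `DESCryptoServiceProvider` is an unanchored regex and also matches inside `TripleDESCryptoServiceProvider`; that is presumably masked by the `overrides` entry on DS109501, but `"pattern": "\\bDESCryptoServiceProvider"` would make the fix-it safe on its own. Every rule and pattern now carries `"_comment": ""`; an empty string used as "nothing to say" is a null sentinel and the key is better omitted until it has content — this applies to every file section on this page.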


@ -1,59 +1,72 @@
[
{
"id": "DS101155",
"name": "Disabled certificate validation",
"id": "DS101155",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"recommendation": "Always use a valid certificate, even during testing.",
"tags": [
"Cryptography.Certificate.Validation"
],
"severity": "critical",
"description": "Extend default certificate validation, but do not disable or override default rules.",
"replacement": "Always use a valid certificate, even during testing.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS101155.md",
"_comment": "",
"rule_info": "DS101155.md",
"patterns": [
{
"pattern": "encrypt=false",
"type": "string",
"subtype": [
"string"
]
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "encryption=false",
"type": "string",
"subtype": [
"string"
]
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "unencrypted.*password",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "TODO.*crypt",
"type": "regex",
"subtype": [
"comment"
]
"scopes": [
"code"
],
"_comment": ""
}
]
},
{
"id": "DS101159",
"name": "Initializing Security Context",
"id": "DS101159",
"description": "SecurityContext initialization, look here for cryptography functions.",
"recommendation": "",
"applies_to": [
"cpp"
],
"tags": [
"Cryptography.SecurityContext.Initialization"
],
"severity": "manual-review",
"description": "SecurityContext initialization, look here for cryptography functions.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS101159.md",
"applies_to": [
"cpp"
],
"_comment": "",
"rule_info": "DS101159.md",
"patterns": [
{
"pattern": "InitializeSecurityContext",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
]
}
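Review bot: The `TODO.*crypt` pattern in DS101155 was restricted to comments in the old schema (`"subtype": ["comment"]`), but the migrated entry carries `"scopes": ["code"]`, so unless the `code` scope also covers comment text the TODO check now looks in the wrong place; `"scopes": ["comment"]` looks like the intended mapping. The `encrypt=false` and `encryption=false` entries likewise lost their `"subtype": ["string"]` without an equivalent scope, which is worth confirming against the scanner's scope semantics. DS101159 keeps `"recommendation": ""`; the key should carry text or be omitted.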


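--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,363 @@
+[
+{
+"name": "Weak/Broken Hash Algorithm",
+"id": "DS126858",
+"description": "A weak or broken hash algorithm was detected.",
+"recommendation": "Consider switching to use SHA-256 or SHA-512 instead.",
+"tags": [
+"Cryptography.BannedHashAlgorithm"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS126858.md",
+"patterns": [
+{
+"pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to \"SHA256\"",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "SHA256",
+"pattern": {
+"pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to \"SHA512\"",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "SHA512",
+"pattern": {
+"pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Weak/Broken Hash Algorithm",
+"id": "DS197800",
+"description": "A weak or broken hash algorithm was detected.",
+"recommendation": "Use CC_SHA256 or CC_SHA512 instead.",
+"overrides": [
+"DS126858"
+],
+"applies_to": [
+"objective-c"
+],
+"tags": [
+"Cryptography.HashAlgorithm.BrokenOrWeak"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS197800.md",
+"patterns": [
+{
+"pattern": "CC_(MD2|MD4|MD5|SHA1)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to SHA-256",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "CC_SHA256",
+"pattern": {
+"pattern": "CC_(MD2|MD4|MD5|SHA1)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to SHA-512",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "CC_SHA512",
+"pattern": {
+"pattern": "CC_(MD2|MD4|MD5|SHA1)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Weak/Broken Hash Algorithm",
+"id": "DS128420",
+"description": "A weak or broken hash algorithm was detected.",
+"recommendation": "When using hash(), use sha256 or sha512 as the algorithms instead",
+"overrides": [
+"DS126858"
+],
+"applies_to": [
+"php"
+],
+"tags": [
+"Cryptography.HashAlgorithm.BrokenOrWeak"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS128420.md",
+"patterns": [
+{
+"pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to SHA-256",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "hash('sha256'$2);",
+"pattern": {
+"pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to SHA-512",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "hash('sha512'$2);",
+"pattern": {
+"pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Do not use broken/weak cryptographic hash algorithms",
+"id": "DS108647",
+"description": "Avoid using broken or weak hash algorithms.",
+"recommendation": "Use Digest::SHA256 or Digest::SHA512",
+"applies_to": [
+"ruby"
+],
+"tags": [
+"Cryptography.HashAlgorithm.BrokenOrWeak"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS108647.md",
+"patterns": [
+{
+"pattern": "Digest::(MD5|RMD160|SHA1)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to SHA-256",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "Digest::SHA256",
+"pattern": {
+"pattern": "Digest::(MD5|RMD160|SHA1)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to SHA-512",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "Digest::SHA512",
+"pattern": {
+"pattern": "Digest::(MD5|RMD160|SHA1)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Do not use broken/weak cryptographic hash algorithms",
+"id": "DS196098",
+"description": "Avoid using broken or weak hash algorithms.",
+"recommendation": "Use hashlib.sha256 instead.",
+"overrides": [
+"DS126858"
+],
+"applies_to": [
+"python"
+],
+"tags": [
+"Cryptography.HashAlgorithm.BrokenOrWeak"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS196098.md",
+"patterns": [
+{
+"pattern": "(md5|sha)\\.new\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to hashlib.sha256",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "hashlib.sha256(",
+"pattern": {
+"pattern": "(md5|sha)\\.new\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to hashlib.sha512",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "hashlib.sha512(",
+"pattern": {
+"pattern": "(md5|sha)\\.new\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Do not use broken/weak cryptographic hash algorithms",
+"id": "DS168931",
+"description": "A potentially weak hashing algorithm was used.",
+"recommendation": "Use SHA-256 instead.",
+"overrides": [
+"DS126858"
+],
+"applies_to": [
+"csharp"
+],
+"tags": [
+"Cryptography.HashAlgorithm.BrokenOrWeak"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS168931.md",
+"patterns": [
+{
+"pattern": "MD5CryptoServiceProvider",
+"type": "substring",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to SHA-256",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "SHA256CryptoServiceProvider",
+"pattern": {
+"pattern": "MD5CryptoServiceProvider",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to SHA-512",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "SHA512CryptoServiceProvider",
+"pattern": {
+"pattern": "MD5CryptoServiceProvider",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Do not take the hash of low-entropy content.",
+"id": "DS197836",
+"description": "Taking a hash of a time value is suspicious, as there is insufficient entropy to protect against brute-force attacks.",
+"recommendation": "",
+"tags": [
+"Cryptography.HashAlgorithm.InsufficientEntropy"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS197836.md",
+"patterns": [
+{
+"pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+}
+]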
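Review bot: In DS126858 the alternation `RIPEMD|RIPEMD(128|256|160|320)` lists the short form first, so a leftmost-first regex engine matches only `RIPEMD` in `RIPEMD160` and the two fix-its turn it into `SHA256160` / `SHA512160`; collapse it to `RIPEMD(128|256|160|320)?` in the rule pattern and in both fix-it patterns. DS108647 (ruby) is the only language-specific hash rule in this file without `"overrides": ["DS126858"]`, so a `Digest::SHA1` line will presumably be reported twice; adding the override keeps it consistent with the objective-c, php, python and csharp rules. The generic rule is `regex` rather than `regex-word`, so the fix-it also rewrites `SHA1` inside identifiers such as `HMACSHA1`; if that is intended, a `_comment` on the pattern saying so would save the next maintainer a guess.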


@ -1,52 +1,68 @@
[
{
"id": "DS188250",
"name": "Missing initialization vector",
"tags": [
"Cryptography.Symmetric.InitializationVector.Missing"
],
"id": "DS188250",
"description": "The mcrypt_encrypt function was used without an initialization vector.",
"recommendation": "Add an initialization vector or consider a different cipher mode",
"applies_to": [
"php"
],
"tags": [
"Cryptography.Symmetric.InitializationVector.Missing"
],
"severity": "important",
"description": "The mcrypt_encrypt function was used without an initialization vector.",
"replacement": "Add an initialization vector or consider a different cipher mode",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS188250.md",
"_comment": "",
"rule_info": "DS188250.md",
"patterns": [
{
"pattern": "mcrypt_encrypt\\s*\\([^,]+,[^,]+,[^,]+,[^,]+\\);",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
"fix_its": [
{
"type": "regex-substitute",
"name": "Add initialization vector",
"search": "(mcrypt_encrypt\\s*\\([^,]+,[^,]+,[^,]+,[^,]+)(\\);)",
"replace": "$1, <$iv>$2"
"type": "regex-replace",
"_comment": "",
"replacement": "$1, <$iv>$2",
"pattern": {
"pattern": "(mcrypt_encrypt\\s*\\([^,]+,[^,]+,[^,]+,[^,]+)(\\);)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
},
{
"id": "DS128921",
"name": "Hardcoded initialization vector size",
"tags": [
"Cryptography.Symmetric.InitializationVector.HardcodedSize"
],
"id": "DS128921",
"description": "An initialization vector was created to a static size, rather than determining it based on the encryption algorithm used.",
"recommendation": "Use mcrypt_get_iv_size to get the correct IV size based on the cipher and mode.",
"applies_to": [
"php"
],
"tags": [
"Cryptography.Symmetric.InitializationVector.HardcodedSize"
],
"severity": "moderate",
"description": "An initialization vector was created to a static size, rather than determining it based on the encryption algorithm used.",
"replacement": "Use mcrypt_get_iv_size to get the correct IV size based on the cipher and mode.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS128921.md",
"_comment": "",
"rule_info": "DS128921.md",
"patterns": [
{
"pattern": "mcrypt_create_iv\\s*\\(\\s*\\d.*",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
]
}
]
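Review bot: The DS188250 fix-it replacement `$1, <$iv>$2` writes a `<$iv>` placeholder into the PHP call, which leaves the file unparsable until the developer edits it; the fix-it's empty `_comment` is the place to say so, e.g. `"_comment": "<$iv> is a placeholder; replace with an IV from mcrypt_create_iv()"`. Elsewhere in this commit a literal dollar in a replacement is escaped as `$$` (`"replacement": "$$_GET"`), so `$iv` may be read as a group reference by the substitution engine and should probably be written `<$$iv>` for consistency. The second rule's `"fix_it": [ ]` block was not migrated the way the first rule's was; if it survives on the new side it is a stale key under the old name and can be dropped.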


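--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,475 @@
+[
+{
+"name": "Do not use outdated SSL/TLS protocols",
+"id": "DS144436",
+"description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific SecurityProtocolType.",
+"recommendation": "Either leave off or set to SecurityProtocolType.Tls12;",
+"applies_to": [
+"csharp"
+],
+"tags": [
+"Cryptography.Protocol.TLS"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS144436.md",
+"patterns": [
+{
+"pattern": "SecurityProtocolType\\.(Ssl3|Tls|Tls11)",
+"type": "regex-word",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to SecurityProtocolType.Tls12",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "SecurityProtocolType.Tls12",
+"pattern": {
+"pattern": "\\bSecurityProtocolType\\.(Ssl3|Tls|Tls11)\\b",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "Hardcoding TLS protocol version",
+"id": "DS127101",
+"description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific list of protocols.",
+"recommendation": "",
+"applies_to": [
+"cpp"
+],
+"tags": [
+"Cryptography.Protocol.TLS"
+],
+"severity": "moderate",
+"_comment": "",
+"rule_info": "DS127101.md",
+"patterns": [
+{
+"pattern": "SecPkgCred_SupportedProtocols",
+"type": "regex-word",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+},
+{
+"name": "Do not use outdated SSL/TLS protocols",
+"id": "DS169125",
+"description": "An outdated SSL/TLS protocol version is specified.",
+"recommendation": "Use TLS 1.2",
+"tags": [
+"Cryptography.Protocol.TLS"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS169125.md",
+"patterns": [
+{
+"pattern": "(SSLv?2|SSLv?3|TLSv?1|TLSv?10)",
+"type": "regex-word",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+},
+{
+"name": "An Outdated or Banned SSL/TLS Protocol is Used",
+"id": "DS169126",
+"description": "An Outdated or Banned SSL/TLS Protocol is Used",
+"recommendation": "Use TLS 1.2",
+"tags": [
+"Cryptography.Protocol.Banned"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS169126.md",
+"patterns": [
+{
+"pattern": "(SSL|TLS)v(2|23|3|1)_(client|server)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SSLv2",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SSLv3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "TLSv1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "TLSv10",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+},
+{
+"name": "An Outdated or Banned SSL/TLS Protocol is Used",
+"id": "DS169127",
+"description": "An Outdated or Banned SSL/TLS Protocol is Used",
+"recommendation": "Use TLS 1.2",
+"applies_to": [
+"cpp",
+"objective-c"
+],
+"tags": [
+"Cryptography.Protocol.Banned"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS169126.md",
+"patterns": [
+{
+"pattern": "SECURITY_FLAG_40BIT",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_56BIT",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_NORMALBITNESS",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_PCT",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_PCT4",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_SSL",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_SSL3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_STRENGTH_MEDIUM",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_STRENGTH_WEAK",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_UNKNOWNBIT",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL2",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_TLS1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_ALL",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_STRENGTH_MEDIUM",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SECURITY_FLAG_STRENGTH_WEAK",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "SP_PROT_(PCT1|SSL2|SSL3|TLS1|TLS1_0)_(CLIENT|SERVER)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "NSStreamSocketSecurityLevelNone",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "NSStreamSocketSecurityLevelSSLv2",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "NSStreamSocketSecurityLevelSSLv3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "NSStreamSocketSecurityLevelTLSv1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kCFStreamSocketSecurityLevelNone",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kCFStreamSocketSecurityLevelSSLv2",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kCFStreamSocketSecurityLevelSSLv3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kCFStreamSocketSecurityLevelTLSv1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kSSLProtocolUnknown ",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kSSLProtocol3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kTLSProtocol1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kDTLSProtocol1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kSSLProtocol2",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kSSLProtocol3Only",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kTLSProtocol1Only",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "kSSLProtocolAll",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+},
+{
+"name": "An Outdated or Banned SSL/TLS Protocol is Used",
+"id": "DS169128",
+"description": "An Outdated or Banned SSL/TLS Protocol is Used",
+"recommendation": "Use TLS 1.2",
+"applies_to": [
+"python"
+],
+"tags": [
+"Cryptography.Protocol.Banned"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS169126.md",
+"patterns": [
+{
+"pattern": "PROTOCOL_SSLv2",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "PROTOCOL_SSLv23",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "PROTOCOL_SSLv3",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "PROTOCOL_TLSv1",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+}
+]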
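Review bot: DS169127 lists `SECURITY_FLAG_STRENGTH_MEDIUM` and `SECURITY_FLAG_STRENGTH_WEAK` twice, and the `kSSLProtocolUnknown ` entry carries a trailing space that a literal `string` match will require in the scanned source; drop the duplicate objects and write `"pattern": "kSSLProtocolUnknown"`. In DS169125, if `regex-word` adds word boundaries, the `TLSv?1` alternative matches `TLS1` in `TLS1.2` because `.` is a non-word character, so the recommended protocol would itself be flagged; `TLSv?1(?!\\.\\d)` avoids that, and the same input is worth a test case for the `TLSv1` literal in DS169126. DS169127 and DS169128 point `rule_info` at `DS169126.md` rather than their own ids; if sharing the guidance page is deliberate, a `_comment` saying so would stop the next maintainer "correcting" it.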


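--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,142 @@
+[
+{
+"name": "Do not use weak/non-cryptographic random number generators",
+"id": "DS148264",
+"description": "Use cryptographic random numbers generators for anything even close to a security function.",
+"recommendation": "Replacements depend on language.",
+"tags": [
+"Cryptography.PRNG.Weak"
+],
+"severity": "important",
+"_comment": "",
+"rule_info": "DS148264.md",
+"patterns": [
+{
+"pattern": "DUAL_EC_DRBG",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "pseudoRandomBytes",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "\\brand\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "random_shuffle\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "\\bshuffle\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "RAND_MAX",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "\\brand\\(\\s*\\)\\s*%",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "mwc1616",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "(32969|18273)",
+"type": "regex-word",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "System.Random",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "\\bRandom\\(",
+"type": "regex-word",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "arc4random",
+"type": "string",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+},
+{
+"name": "Do not seed randomness based on system time or a static value.",
+"id": "DS149435",
+"description": "Passing a predicable value to srand() is very insecure and should be avoided.",
+"recommendation": "",
+"tags": [
+"Cryptography.WeakRandomness"
+],
+"severity": "critical",
+"_comment": "",
+"rule_info": "DS149435.md",
+"patterns": [
+{
+"pattern": "\\bsrand\\(\\s*time\\(",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "\\bsrand\\(\\s*\\d+\\s*\\)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+]
+}
+]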
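Review bot: The numeric pattern `(32969|18273)` in DS148264 presumably targets the two MWC1616 multipliers, but Marsaglia's generator (and the V8 `Math.random` that used it) pairs 18273 with 36969, so `32969` looks like a typo; please verify against the source it was taken from and record the intent, e.g. `"_comment": "MWC1616 multipliers; see the mwc1616 entry"`, since two bare integers are otherwise unexplainable to the next maintainer. `\\brand\\(\\s*\\)\\s*%` is fully contained in `\\brand\\(` above it, so it can only duplicate a finding on the same line; either remove it or move it to its own rule about modulo bias with its own recommendation. `arc4random` is listed as a weak generator, yet on current BSD and Apple platforms it is the platform CSPRNG API; if the entry is kept for older RC4-based implementations, the `_comment` should say so.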


@ -1,24 +1,31 @@
[
{
"id": "DS109733",
"name": "Source implementation of a weak/broken cryptography hash function",
"id": "DS109733",
"description": "An implementation of a weak/broken hash function was found in source code.",
"recommendation": "Do not use MD5, and always prefer OS- or library-provided cryptography implementations.",
"tags": [
"Cryptography.HashAlgorithm.WeakOrBrokenImplementation"
],
"severity": "critical",
"description": "An implementation of a weak/broken hash function was found in source code.",
"replacement": "Do not use MD5, and always prefer OS- or library-provided cryptography implementations.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS109733.md",
"_comment": "",
"rule_info": "DS109733.md",
"patterns": [
{
"_comment": "MD5",
"pattern": "242070db|02441453|db702024|53144402|3572445317",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": "MD5"
},
{
"_comment": "SHA-1",
"pattern": "98BADCFE|FEDCBC98|C3D2E1F0|F0E1D2C3",
"type": "regex"
"type": "regex",
"scopes": [
"code"
],
"_comment": "SHA-1"
}
]
}
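Review bot: The MD5 constants in DS109733 are written in lower-case hex (`242070db|...`) and the SHA-1 constants in upper-case (`98BADCFE|...`), with plain `regex` type and no case-insensitivity flag, so `242070DB` or `98badcfe` in source would be missed unless the engine ignores case by default; prefix each pattern with `(?i)` if the engine honours inline options, or list both spellings. The `_comment` values `MD5` and `SHA-1` are the only non-empty ones in this commit and are exactly what the field is for; extending them to say that these are MD5 round constants and SHA-1 initial state words (`3572445317` being the decimal form of one MD5 constant) would tell a reader why opaque hex is a finding. The closing `]` of the top-level array is not shown in this section; if the hunk really ends at `}` the file is invalid JSON, otherwise it is context beyond the hunk.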


@ -1,47 +1,64 @@
[
{
"id": "DS187371",
"name": "A weak cipher mode of operation was used",
"id": "DS187371",
"description": "A potentially weak cipher mode of operation was used.",
"recommendation": "Consider using CBC, CTR, or GCM.",
"tags": [
"Cryptography.Symmetric.CipherMode.Weak"
],
"severity": "important",
"description": "A potentially weak cipher mode of operation was used.",
"replacement": "Consider using CBC, CTR, or GCM.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS187371.md",
"_comment": "",
"rule_info": "DS187371.md",
"patterns": [
{
"pattern": "(ECB|OFB|CFB|CTS|PCBC|GMAC|XCBC|IACBC|IAPM|EAX|OCB|CWC|AEAD|LRW|XEX|XTS|CMC|EME|CBCMAC|OMAC|PMAC)",
"type": "regex-word"
"type": "regex-word",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
},
{
"id": "DS182720",
"name": "A weak cipher mode of operation was used",
"tags": [
"Cryptography.Symmetric.CipherMode.Weak"
],
"id": "DS182720",
"description": "A potentially weak cipher mode of operation was used.",
"recommendation": "Consider using CBC, CTR, or GCM.",
"applies_to": [
"php"
],
"tags": [
"Cryptography.Symmetric.CipherMode.Weak"
],
"severity": "important",
"description": "A potentially weak cipher mode of operation was used.",
"replacement": "Consider using CBC, CTR, or GCM.",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS182720.md",
"_comment": "",
"rule_info": "DS182720.md",
"patterns": [
{
"pattern": "MCRYPT_MODE_(ECB|CFB|OFB|NOFB|STREAM)",
"type": "regex-word"
"type": "regex-word",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": [
"fix_its": [
{
"type": "regex-substitute",
"name": "Change cipher mode to CBC",
"search": "MCRYPT_MODE_(ECB|CFB|OFB|NOFB|STREAM)",
"replace": "MCRYPT_MODE_CBC"
"type": "regex-replace",
"_comment": "",
"replacement": "MCRYPT_MODE_CBC",
"pattern": {
"pattern": "MCRYPT_MODE_(ECB|CFB|OFB|NOFB|STREAM)",
"type": "regex",
"scopes": [
"code"
],
"_comment": ""
}
}
]
}
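Review bot: The DS187371 alternation flags `EAX`, `OCB`, `CWC` and `AEAD`, as well as the disk-encryption modes `XTS`/`XEX`/`LRW`, as a "weak cipher mode" at `important` severity and then recommends `CBC`; the authenticated modes in that list are stronger than unauthenticated CBC, so the advice is inverted for them, and those names should be split into a `manual-review` rule or removed, leaving `ECB`/`CTS`/`PCBC`-style entries under this one. The pattern is `regex-word`, so short tokens such as `EME`, `CMC` and `OCB` will also hit unrelated identifiers; a `_comment` naming the libraries whose constants these are meant to catch would help tune it. The leftover `"fix_it": []` line in the first rule appears to be old-side text; if it survives on the new side it is a stale key under the old name.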


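--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,51 @@
+[
+{
+"name": "All Controllers Should Derive From Controller.",
+"id": "DS184626",
+"description": "All Controllers Should Derive From Controller.",
+"recommendation": "Ensure this class derives from Controller.",
+"applies_to": [
+"csharp"
+],
+"tags": [
+"Implementation.Web.ASPNET.ControllerWithoutExtendingController"
+],
+"severity": "moderate",
+"_comment": "",
+"rule_info": "DS184626.md",
+"patterns": [
+{
+"pattern": "class [^\\s]+Controller\\s*:\\s*(?!.*?(Controller)).*",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+{
+"pattern": "class [^\\s]+Controller[\\s{]*$",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to inherit from Controller",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "$1 : Controller",
+"pattern": {
+"pattern": "(class [^\\s]+Controller)(([\\s{]*$)|(\\s*:\\s*(?!.*?(Controller)).*))",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+}
+]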
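Review bot: The DS184626 fix-it replacement `$1 : Controller` discards everything after group 1, so on the `[\\s{]*$` branch a trailing `{` captured in group 3 is deleted and the class body loses its opening brace, and on the other branch the existing base list (`class FooController : BaseThing, IDisposable`) is overwritten rather than extended; `"replacement": "$1 : Controller$3"` fixes the brace loss, while the base-class branch cannot be rewritten safely by a regex and should be left without an automatic fix. The detection pattern's negative lookahead `(?!.*?(Controller))` accepts any base whose name merely contains `Controller`, which is presumably intended for `ApiController` but also silences `IController`. Both patterns rely on `$` matching end-of-line; if the engine runs without multiline mode only the last line of a file can match, so that assumption belongs in the pattern's `_comment`.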


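--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,142 @@
+[
+{
+"name": "$_REQUEST should be avoided",
+"id": "DS144886",
+"description": "$_REQUEST combines POST, GET, and cookie values in one array, making it easy for an attacker to modify a POST or cookie value by instead putting it in a GET and sending the URL to the victim",
+"recommendation": "Use $_POST, $_GET, $_COOKIE to scope to the expected delivery method for a value ",
+"applies_to": [
+"php"
+],
+"tags": [
+"Implementation.PHP"
+],
+"severity": "moderate",
+"_comment": "",
+"rule_info": "DS144886.md",
+"patterns": [
+{
+"pattern": "\\$_REQUEST",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "Change to $_GET",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "$$_GET",
+"pattern": {
+"pattern": "\\$_REQUEST",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to $_POST",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "$$_POST",
+"pattern": {
+"pattern": "\\$_REQUEST",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "Change to $_COOKIE",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "$$_COOKIE",
+"pattern": {
+"pattern": "\\$_REQUEST",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+},
+{
+"name": "XSS: Do not echo unencoded GET/POST/COOKIE values",
+"id": "DS163877",
+"description": "When using $_GET/POST/COOKIE values via echo, failure to encode the values will lead to Cross Site Scription (XSS), where a malicious party can inject script into the webpage.",
+"recommendation": "HTML Entity Encode (for content going into HTML) or URL Encode (for content going into JavaScript variables) the data",
+"applies_to": [
+"php"
+],
+"tags": [
+"Implementation.PHP"
+],
+"severity": "moderate",
+"_comment": "",
+"rule_info": "DS163877.md",
+"patterns": [
+{
+"pattern": "\\becho.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*;",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+],
+"conditions" : [
+{
+"pattern" :
+{
+"pattern": "\\b(htmlentities|htmlspecialchars|rawurlencode|urlencode)\\s*\\(.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*\\)",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+},
+"search_in":"finding-only",
+"negate_finding": true,
+"_comment": ""
+}
+],
+"fix_its": [
+{
+"name": "HTML Entity encode the data",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "htmlentities($1)",
+"pattern": {
+"pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+},
+{
+"name": "URL encode the data",
+"type": "regex-replace",
+"_comment": "",
+"replacement": "rawurlencode($1)",
+"pattern": {
+"pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])",
+"type": "regex",
+"scopes": [
+"code"
+],
+"_comment": ""
+}
+}
+]
+}
+]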
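Review bot: The DS163877 fix-it patterns capture `(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])` with a greedy `.*`, so on `echo $_GET['a'] . $arr['b'];` group 1 runs to the last `]` and `htmlentities($1)` wraps both expressions; `\\[[^\\]]*\\]` keeps the capture to a single subscript. The negating condition has the same greedy shape, so a line that encodes one value and echoes a second one raw (`echo htmlentities($_GET['a']) . $_GET['b'];`) is presumably suppressed as a whole; the condition should require the encoding call to wrap the specific capture rather than appear anywhere in the finding. Style: the `conditions` block (`"conditions" : [`, `"pattern" :` on its own line, `"search_in":"finding-only"`) is formatted differently from the rest of the file, and the DS144886 recommendation ends with a trailing space (`"...for a value "`). The description's `Cross Site Scription` should read `Cross Site Scripting`.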


@ -1,22 +1,32 @@
[{
"id": "DS162092",
[
{
"name": "Do not leave debug code in production",
"id": "DS162092",
"description": "Accessing localhost could indicate debug code, or could hinder scaling.",
"recommendation": "",
"tags": [
"Hygiene.Network.AccessingLocalhost"
],
"severity": "manual-review",
"description": "Accessing localhost could indicate debug code, or could hinder scaling.",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS162092.md",
"_comment": "",
"rule_info": "DS162092.md",
"patterns": [
{
"pattern": "localhost",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
},
{
"pattern": "127.0.0.1",
"type": "string"
"type": "string",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
}]
]
}
]
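Review bot: DS162092 matches only the IPv4 loopback literal and the `localhost` name; the IPv6 loopback `::1` and the `0.0.0.0` wildcard bind are equally common debug-only addresses and fit the rule's intent, so an entry such as `{"pattern": "0.0.0.0", "type": "string", "scopes": ["code"]}` is worth adding, with `::1` only if it proves quiet in languages that use `::` as a scope operator. `"recommendation": ""` is kept as an empty string although the rule is `manual-review`; a sentence such as `"recommendation": "Read the host from configuration and remove hard-coded loopback addresses before release."` gives the reviewer something to act on, or the key should be omitted. Whether the `string` type matches `127.0.0.1` literally or treats `.` as a wildcard is not stated anywhere in these files and deserves a `_comment` on the first such pattern.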


@ -1,19 +1,24 @@
[ {
"id": "DS176209",
[
{
"name": "Suspicious comment",
"id": "DS176209",
"description": "A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality",
"recommendation": "",
"tags": [
"Hygiene.Comment.Suspicious"
],
"severity": "manual-review",
"description": "A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality",
"replacement": "",
"rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS176209.md",
"_comment": "",
"rule_info": "DS176209.md",
"patterns": [
{
"pattern": "(TODO|FIXME|REMOVEME|HACK|BLACK MAGIC)",
"type": "regex-word"
"type": "regex-word",
"scopes": [
"code"
],
"_comment": ""
}
],
"fix_it": []
]
}
]
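Review bot: DS176209 is named `Suspicious comment` and its pattern targets `TODO`/`FIXME`-style markers, yet the migrated entry is `"scopes": ["code"]`; unless the `code` scope also covers comment text, the rule will miss the very markers it describes, so `"scopes": ["comment"]` looks like the intended value. The same mapping question applies to the `TODO.*crypt` pattern in the certificate-validation section earlier on this page. `"recommendation": ""` should either say what to do with a leftover marker or be dropped.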
