From 9ce32ecf2527dd9089e7a8c927ab5498d04fcbe5 Mon Sep 17 00:00:00 2001 
From: Michael Scovetta Date: Fri, 25 Aug 2017 10:00:11 -0700 Subject: [PATCH] Re-sync'ed rules --- .gitignore | 1 + .../default/security/api/dangerous_api.json | 239 --------- .../default/security/api/suggested_api.json | 108 ---- .../attack_surface/outbound_network.json | 57 --- .../control_flow/permission_evelation.json | 88 ---- .../security/cryptography/hash_algorithm.json | 232 --------- .../security/cryptography/protocol.json | 290 ----------- .../default/security/cryptography/random.json | 92 ---- .../default/security/frameworks/aspnet5.json | 34 -- .../default/security/frameworks/php.json | 43 -- .../vulnerable_libraries/microsoft-nuget.json | 206 -------- .../security/xml/external_entities.json | 86 ---- .../CONTRIBUTING.md | 0 .../LICENSE.txt | 0 .../README.md | 4 +- .../guidance/DS101155.md | 0 .../guidance/DS101159.md | 0 .../guidance/DS104456.md | 0 .../guidance/DS106864.md | 0 .../guidance/DS108330.md | 0 .../guidance/DS108647.md | 0 .../guidance/DS109501.md | 0 .../guidance/DS109733.md | 0 .../guidance/DS111237.md | 0 .../guidance/DS112266.md | 0 .../guidance/DS113286.md | 0 .../guidance/DS113853.md | 0 .../guidance/DS114352.md | 0 .../guidance/DS117838.md | 0 .../guidance/DS121708.md | 0 .../guidance/DS126858.md | 0 .../guidance/DS127101.md | 0 .../guidance/DS128921.md | 0 .../guidance/DS132779.md | 0 .../guidance/DS132780.md | 0 .../guidance/DS132790.md | 0 .../guidance/DS134411.md | 0 .../guidance/DS137038.md | 0 .../guidance/DS141863.md | 0 .../guidance/DS144436.md | 0 .../guidance/DS148264.md | 0 .../guidance/DS149435.md | 0 .../guidance/DS154189.md | 0 .../guidance/DS156431.md | 0 .../guidance/DS161085.md | 0 .../guidance/DS162092.md | 0 .../guidance/DS165348.md | 0 .../guidance/DS165746.md | 0 .../guidance/DS168931.md | 0 .../guidance/DS169125.md | 0 .../guidance/DS169126.md | 0 .../guidance/DS173237.md | 0 .../guidance/DS175862.md | 0 .../guidance/DS176209.md | 0 .../guidance/DS179924.md | 0 .../guidance/DS181021.md | 0 
.../guidance/DS181731.md | 0 .../guidance/DS181865.md | 0 .../guidance/DS182720.md | 0 .../guidance/DS184626.md | 0 .../guidance/DS185832.md | 0 .../guidance/DS187371.md | 0 .../guidance/DS188250.md | 0 .../guidance/DS189424.md | 0 .../guidance/DS191340.md | 0 .../guidance/DS196098.md | 0 .../guidance/DS197800.md | 0 .../guidance/DS197836.md | 0 .../default/security/api/dangerous_api.json | 329 ++++++++++++ .../default/security/api/misused_api.json | 55 +- .../default/security/api/suggested_api.json | 148 ++++++ .../default/security/api/tests/DS179924.test | 0 .../default/security/api/tests/DS181731.test | 0 .../attack_surface/outbound_network.json | 82 +++ .../control_flow/dynamic_execution.json | 24 +- .../security/control_flow/format_string.json | 37 +- .../control_flow/permission_evelation.json | 140 ++++++ .../security/cryptography/certificate.json | 379 +++++++------- .../security/cryptography/ciphers.json | 139 +++-- .../security/cryptography/general.json | 57 ++- .../security/cryptography/hash_algorithm.json | 363 +++++++++++++ .../cryptography/initialization_vector.json | 60 ++- .../security/cryptography/protocol.json | 475 ++++++++++++++++++ .../default/security/cryptography/random.json | 142 ++++++ .../security/cryptography/tests/DS106864.test | 0 .../security/cryptography/tests/DS109501.test | 0 .../security/cryptography/tests/DS130821.test | 0 .../security/cryptography/tests/DS134411.test | 0 .../security/cryptography/tests/DS148264.test | 0 .../security/cryptography/tests/DS156431.test | 0 .../security/cryptography/tests/DS159369.test | 0 .../security/cryptography/tests/DS169126.test | 0 .../security/cryptography/tests/DS182720.test | 0 .../security/cryptography/underhanded.json | 23 +- .../cryptography/weak_cipher_modes.json | 55 +- .../default/security/frameworks/aspnet5.json | 51 ++ .../default/security/frameworks/php.json | 142 ++++++ .../default/security/hygiene/localhost.json | 30 +- .../security/hygiene/tests/DS162092.test | 0 
.../rules/default/security/hygiene/todo.json | 21 +- .../security/manualreview/dynamiccode.json | 84 ++-- .../security/privacy/device_restrictions.json | 24 +- .../default/security/privacy/secrets.json | 36 +- .../security/storage/secure_storage.json | 61 ++- .../vulnerable_libraries/tests/DS378900.test | 0 .../vulnerable_libraries/tests/DS378901.test | 0 .../vulnerable_libraries/tests/DS378902.test | 0 .../security/xml/external_entities.json | 125 +++++ .../default/security/xml/tests/DS132779.test | 0 109 files changed, 2647 insertions(+), 1915 deletions(-) delete mode 100644 DevSkim-Common-Ignore/rules/default/security/api/dangerous_api.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/api/suggested_api.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/attack_surface/outbound_network.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/control_flow/permission_evelation.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/cryptography/hash_algorithm.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/cryptography/protocol.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/cryptography/random.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/frameworks/aspnet5.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/frameworks/php.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/microsoft-nuget.json delete mode 100644 DevSkim-Common-Ignore/rules/default/security/xml/external_entities.json rename {DevSkim-Common-Ignore => DevSkim-Common}/CONTRIBUTING.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/LICENSE.txt (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/README.md (86%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS101155.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS101159.md (100%) rename {DevSkim-Common-Ignore => 
DevSkim-Common}/guidance/DS104456.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS106864.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS108330.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS108647.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS109501.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS109733.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS111237.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS112266.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS113286.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS113853.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS114352.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS117838.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS121708.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS126858.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS127101.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS128921.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS132779.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS132780.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS132790.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS134411.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS137038.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS141863.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS144436.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS148264.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS149435.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS154189.md (100%) rename {DevSkim-Common-Ignore 
=> DevSkim-Common}/guidance/DS156431.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS161085.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS162092.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS165348.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS165746.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS168931.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS169125.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS169126.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS173237.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS175862.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS176209.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS179924.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS181021.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS181731.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS181865.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS182720.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS184626.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS185832.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS187371.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS188250.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS189424.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS191340.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS196098.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS197800.md (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/guidance/DS197836.md (100%) create mode 100644 DevSkim-Common/rules/default/security/api/dangerous_api.json rename 
{DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/api/misused_api.json (62%) create mode 100644 DevSkim-Common/rules/default/security/api/suggested_api.json rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/api/tests/DS179924.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/api/tests/DS181731.test (100%) create mode 100644 DevSkim-Common/rules/default/security/attack_surface/outbound_network.json rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/control_flow/dynamic_execution.json (73%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/control_flow/format_string.json (53%) create mode 100644 DevSkim-Common/rules/default/security/control_flow/permission_evelation.json rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/certificate.json (53%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/ciphers.json (50%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/general.json (59%) create mode 100644 DevSkim-Common/rules/default/security/cryptography/hash_algorithm.json rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/initialization_vector.json (52%) create mode 100644 DevSkim-Common/rules/default/security/cryptography/protocol.json create mode 100644 DevSkim-Common/rules/default/security/cryptography/random.json rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS106864.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS109501.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS130821.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS134411.test (100%) rename {DevSkim-Common-Ignore => 
DevSkim-Common}/rules/default/security/cryptography/tests/DS148264.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS156431.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS159369.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS169126.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/tests/DS182720.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/underhanded.json (55%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/cryptography/weak_cipher_modes.json (51%) create mode 100644 DevSkim-Common/rules/default/security/frameworks/aspnet5.json create mode 100644 DevSkim-Common/rules/default/security/frameworks/php.json rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/hygiene/localhost.json (53%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/hygiene/tests/DS162092.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/hygiene/todo.json (62%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/manualreview/dynamiccode.json (59%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/privacy/device_restrictions.json (65%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/privacy/secrets.json (66%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/storage/secure_storage.json (54%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/vulnerable_libraries/tests/DS378900.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/vulnerable_libraries/tests/DS378901.test (100%) rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/vulnerable_libraries/tests/DS378902.test (100%) 
create mode 100644 DevSkim-Common/rules/default/security/xml/external_entities.json
rename {DevSkim-Common-Ignore => DevSkim-Common}/rules/default/security/xml/tests/DS132779.test (100%)
diff --git a/.gitignore b/.gitignore
index 934d7bd..7f17b21 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 DevSkim-Common/*
+__common/*
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/api/dangerous_api.json b/DevSkim-Common-Ignore/rules/default/security/api/dangerous_api.json
deleted file mode 100644
index 1a289e5..0000000
--- a/DevSkim-Common-Ignore/rules/default/security/api/dangerous_api.json
+++ /dev/null
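Review bot: The `.gitignore` still ignores `DevSkim-Common/*` while this same commit moves the whole rule set and its tests into `DevSkim-Common/` (see the rename and create lines in the diffstat), so the ignore pattern now covers the canonical rule directory. Files already in this commit stay tracked, but any rule, guidance file or `.test` fixture added under that path later will be excluded from `git add` by default and could silently drop out of the next re-sync; given that these rules are what the scanner enforces, that is an easy way to lose coverage unnoticed. If `DevSkim-Common` is intended to be tracked from now on, drop the `DevSkim-Common/*` line so the hunk keeps only `+__common/*`; if it is still a scratch copy, a short comment above it such as `# local sync scratch area, not tracked` would make the intent clear. The new file also ends without a trailing newline, which the hunk marks explicitly.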
@@ -1,239 +0,0 @@ -[ { - "id": "DS154189", - "name": "Banned C function detected", - "tags": [ - "API.DangerousAPI.BannedFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "severity": "moderate", - "description": "These functions are historically error-prone and have been associated with a significant number of vulnerabilities. Most of these functions have safer alternatives, such as replacing 'strcpy' with 'strlcpy' or 'strcpy_s'.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS154189.md", - "patterns": [ - { - "pattern": "(sprintf|_getts|_getws|_snprintf|_sntprintf|_snwprintf|_stprintf|_tcsat|_tcscpy|_tcslen|_tcsncpy|_vsnprintf|_vsntprintf|_vsnwprintf|_vstprintf|alloca|asctime|atof|atoi|atoll|bsearch|ctime|fopen|fprintf|freopen|fscanf|fwprintf|fwscanf|getenv|getwd|gmtime|localtime|lstrcat|lstrcpy|mbsrtowcs|mbstowcs|memmove|mktemp|printf|qsort|rewind|scanf|setbuf|sscanf|strcatbuff|strerror|strtok|swprintf|swscanf|tmpnam|vfprintf|vfscanf|vfwscanf|vprintf|vscanf|vsnprintf|vsprintf|vsscanf|vswprintf|vswscanf|vwprintf|vwscanf|wcrtomb|wcrtombs|wcscat|wcscpy|wcslen|wcsncat|wcsncpy|wcsrtombs|wcstok|wctomb|wmemcpy|wmemmove|wnsprintf|wprintf|wscanf|wsprintf|wvnsprintf|wvsprintf)", - "type": "regex-word", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [] - }, - { - "id": "DS185832", - "name": "Banned C function detected (strcpy)", - "tags": [ - "API.DangerousAPI.BannedFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "overrides": [ - "DS154189" - ], - "severity": "important", - "description": "strcpy is frequently dangerous, as it will cause a buffer overflow if the source is larger than the destination.", - "replacement": "Use strcpy_s or strlcpy if possible. 
If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS185832.md", - "patterns": [ - { - "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to strcpy_s (Recommended for VC++)", - "search": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)", - "replace": "strcpy_s($1, , $2)" - }, - { - "type": "regex-substitute", - "name": "Change to strlcpy", - "search": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)", - "replace": "strlcpy($1, $2, )" - } - ] - }, - { - "id": "DS111237", - "name": "Banned C function detected (strncpy)", - "tags": [ - "API.DangerousAPI.BannedFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "overrides": [ - "DS154189" - ], - "severity": "important", - "description": "strncpy is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination.", - "replacement": "Use strcpy_s or strlcpy if possible. 
If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS111237.md", - "patterns": [ - { - "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to strcpy_s (Recommended for VC++)", - "search": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", - "replace": "strcpy_s($1, $3, $2)" - }, - { - "type": "regex-substitute", - "name": "Change to strlcpy", - "search": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", - "replace": "strlcpy($1, $2, $3)" - } - ] - }, - { - "id": "DS141863", - "name": "Banned C function detected (strcat)", - - "tags": [ - "API.DangerousAPI.BannedFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "overrides": [ - "DS154189" - ], - "severity": "important", - "description": "If the combination of strings is larger than the destination buffer, strcat will cbuffer overflow the destination buffer", - "replacement": "Use strcat_s or strlcat if possible. 
strncat's size parameter excludes the null terminator, which leads to frequent mistakes", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS141863.md", - "patterns": [ - { - "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to strcat_s (Recommended for VC++)", - "search": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)", - "replace": "strcat_s($1, , $2)" - }, - { - "type": "regex-substitute", - "name": "Change to strlcat", - "search": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)", - "replace": "strlcat($1, $2, )" - } - ] - }, - { - "id": "DS108330", - "name": "Banned C function detected (strncat)", - - "tags": [ - "API.DangerousAPI.BannedFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "overrides": [ - "DS154189" - ], - "severity": "important", - "description": "strncat adds the null terminator at character 'n + 1', rather than at the nth character. this frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer.", - "replacement": "Use strcat_s or strlcat if possible. 
", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS108330.md", - "patterns": [ - { - "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to strcat_s (Recommended for VC++)", - "search": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", - "replace": "strcat_s($1, $3, $2)" - }, - { - "type": "regex-substitute", - "name": "Change to strlcat", - "search": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", - "replace": "strlcat($1, $2, $3)" - } - ] - }, - { - "id": "DS181021", - "name": "Banned C function detected (gets)", - "tags": [ - "API.DangerousAPI.BannedFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "overrides": [ - "DS154189" - ], - "severity": "important", - "description": "gets will read in as many bytes as are provided, regardless of the size of buffer recieving the bytes. This allows for conditions that cause a buffer overlow in the destination buffer.", - "replacement": "Use gets_s or fgets if possible. fgets has different behavior from gets (may include newline for example), so care should be taken if it is used.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS181021.md", - "patterns": [ - { - "pattern": "\\bgets\\s*\\(([^,\\)]+)\\)", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to gets_s (Recommended for VC++)", - "search": "\\bgets\\s*\\(([^,\\)]+)\\)", - "replace": "gets_s($1, )" - }, - { - "type": "regex-substitute", - "name": "Change to fgets", - "search": "\\bgets\\s*\\(([^,\\)]+)\\)", - "replace": "fgets($1, , stdin)" - } - ] - } -] \ No newline at end of file 
diff --git a/DevSkim-Common-Ignore/rules/default/security/api/suggested_api.json b/DevSkim-Common-Ignore/rules/default/security/api/suggested_api.json
deleted file mode 100644
index b3a8473..0000000
--- a/DevSkim-Common-Ignore/rules/default/security/api/suggested_api.json
+++ /dev/null
@@ -1,108 +0,0 @@ -[ - { - "id": "DS161085", - "name": "Problematic C function detected (malloc)", - "tags": [ - "API.DangerousAPI.ProblematicFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "severity": "best-practice", - "description": "If the value provided to malloc is the result of unsafe integer math, it can result in an exploitable condition. ", - "replacement": "calloc handles the most common integer math in memory allocation (# of elements * their size) with error handling to prevent overflows in most implementations, and zeros out memory", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS161085.md", - "patterns": [ - { - "pattern": "\\bmalloc\\s*\\(([^,\\)]+)\\)", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to calloc ", - "search": "\\bmalloc\\s*\\(([^,\\)]+)\\)", - "replace": "calloc(, )" - } - ] - }, -{ - "id": "DS121708", - "name": "Problematic C function detected (memcpy)", - "tags": [ - "API.DangerousAPI.ProblematicFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "severity": "best-practice", - "description": "There are a number of conditions in which memcpy can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). 
More secure alternitives perform additional validation of the source and destination buffer", - "replacement": "Use memcpy_s if possible.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS121708.md", - "patterns": [ - { - "pattern": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to memcpy_s (Recommended for VC++)", - "search": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)", - "replace": "memcpy_s($1, , $2, $3)" - } - ] - }, - { - "id": "DS140021", - "name": "Problematic C function detected (strlen)", - "tags": [ - "API.DangerousAPI.ProblematicFunction" - ], - "applies_to": [ - "c", - "cpp", - "objective-c" - ], - "overrides": [ - "DS154189" - ], - "severity": "best-practice", - "description": "If a string is missing a null terminator, strlen will read past the end of the buffer", - "replacement": "In instances where you know the maximum size of a string's buffer, use strlen_s or strnlen to prevent over-reading", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS140021.md", - "patterns": [ - { - "pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)", - "type": "regex", - "subtype": [ - "function-call" - ] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to strlen_s (Recommended for VC++)", - "search": "\\bstrlen\\s*\\(([^,\\)]+)\\)", - "replace": "strlen_s($1, )" - }, - { - "type": "regex-substitute", - "name": "Change to strnlen", - "search": "\\bstrlen\\s*\\(([^,\\)]+)\\)", - "replace": "strnlen($1, )" - } - ] - } - -] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/attack_surface/outbound_network.json b/DevSkim-Common-Ignore/rules/default/security/attack_surface/outbound_network.json deleted file mode 100644 index 445d58b..0000000 
--- a/DevSkim-Common-Ignore/rules/default/security/attack_surface/outbound_network.json
+++ /dev/null
@@ -1,57 +0,0 @@
-[
- {
- "id": "DS137038",
- "name": "Notice: Outbound HTTP Connection",
- "tags": [
- "ThreatModel.Integration.HTTP"
- ],
- "severity": "manual-review",
- "description": "Inbound HTTP",
- "replacement": "",
- "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137038.md",
- "applies_to": [
- "ruby"
- ],
- "patterns": [
- {
- "pattern": "Net::HTTP",
- "type": "string"
- }
- ],
- "fix_it": []
- },
- {
- "id": "DS137138",
- "name": "Insecure URL",
- "tags": [
- "ThreatModel.Integration.HTTP"
- ],
- "severity": "moderate",
- "description": "An HTTP-based URL without TLS was detected.",
- "replacement": "Update to an HTTPS-based URL if possible.",
- "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS137138.md",
- "applies_to": [
- ],
- "patterns": [
- {
- "pattern": "http:",
- "type": "substring",
- "conditions": [
- {
- "name": "match-prefix-any",
- "value": ["xmlns=\""],
- "invert": true
- }
- ]
- }
- ],
- "fix_it": [
- {
- "type": "regex-substitute",
- "name": "Change to HTTPS ",
- "search": "http:",
- "replace": "https:"
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/control_flow/permission_evelation.json b/DevSkim-Common-Ignore/rules/default/security/control_flow/permission_evelation.json
deleted file mode 100644
index 0d20e2a..0000000
--- a/DevSkim-Common-Ignore/rules/default/security/control_flow/permission_evelation.json
+++ /dev/null
@@ -1,88 +0,0 @@ -[ - { - "id": "DS113853", - "name": "Do not set a custom execution policy.", - "tags": [ - "ControlFlow.Permission.Evalation" - ], - "applies_to": [ - "powershell" - ], - "severity": "moderate", - "description": "The Set-ExecutionPolicy cmdlet has been used to dynamically change the permissions available to PowerShell.", - "replacement": "Avoid elevating privileges if possible.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS113853.md", - "patterns": [ - { - "pattern": "Set-ExecutionPolicy", - "type": "string" - } - ], - "fix_it": [] - }, - { - "id": "DS104456", - "name": "Use of restricted functions.", - "tags": [ - "Implementation.Scripting.PowerShell.DangeousFunction" - ], - "applies_to": [ - "powershell" - ], - "severity": "important", - "description": "Use of restricted functions.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS104456.md", - "patterns": [ - { - "pattern": "GetDelegateForFunctionPointer", - "type": "string" - }, - { - "pattern": "System.Runtime.InteropServices.Marshal", - "type": "string" - }, - { - "pattern": "WriteByte", - "type": "string" - }, - { - "pattern": "Microsoft.Win32.UnsafeNativeMethods", - "type": "string" - }, - { - "pattern": "PtrToStructure", - "type": "string" - }, - { - "pattern": "StructureToPtr", - "type": "string" - }, - { - "pattern": "(NtCreateThreadEx|CreateRemoteThread)", - "type": "regex-word" - }, - { - "pattern": "Invoke", - "type": "string" - }, - { - "pattern": "VirtualProtect", - "type": "string" - }, - { - "pattern": "iex", - "type": "string" - }, - { - "pattern": "&\"", - "type": "string" - }, - { - "pattern": "& $", - "type": "string" - } - ], - "fix_it": [] - } -] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/hash_algorithm.json b/DevSkim-Common-Ignore/rules/default/security/cryptography/hash_algorithm.json deleted file mode 100644 index 8f9b79b..0000000 
--- a/DevSkim-Common-Ignore/rules/default/security/cryptography/hash_algorithm.json
+++ /dev/null
@@ -1,232 +0,0 @@ -[ - { - "id": "DS126858", - "name": "Weak/Broken Hash Algorithm", - "tags": [ - "Cryptography.BannedHashAlgorithm" - ], - "severity": "critical", - "description": "A weak or broken hash algorithm was detected.", - "replacement": "Consider switching to use SHA-256 or SHA-512 instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS126858.md", - "patterns": [ - { - "pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to \"SHA256\"", - "search": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))", - "replace": "SHA256" - }, - { - "type": "regex-substitute", - "name": "Change to \"SHA512\"", - "search": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))", - "replace": "SHA512" - } - ] - }, - { - "id": "DS197800", - "overrides": [ - "DS126858" - ], - "name": "Weak/Broken Hash Algorithm", - "tags": [ - "Cryptography.HashAlgorithm.BrokenOrWeak" - ], - "severity": "critical", - "description": "A weak or broken hash algorithm was detected.", - "replacement": "Use CC_SHA256 or CC_SHA512 instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS197800.md", - "applies_to": [ - "objective-c" - ], - "patterns": [ - { - "pattern": "CC_(MD2|MD4|MD5|SHA1)", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to SHA-256", - "search": "CC_(MD2|MD4|MD5|SHA1)", - "replace": "CC_SHA256" - }, - { - "type": "regex-substitute", - "name": "Change to SHA-512", - "search": "CC_(MD2|MD4|MD5|SHA1)", - "replace": "CC_SHA512" - } - ] - }, - { - "id": "DS128420", - "overrides": [ - "DS126858" - ], - "name": "Weak/Broken Hash Algorithm", - "tags": [ - "Cryptography.HashAlgorithm.BrokenOrWeak" - ], - "severity": "critical", - "description": "A weak or broken hash algorithm was detected.", - "replacement": "When using hash(), 
use sha256 or sha512 as the algorithms instead", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS128420.md", - "applies_to": [ - "php" - ], - "patterns": [ - { - "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to SHA-256", - "search": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", - "replace": "hash('sha256'$2);" - }, - { - "type": "regex-substitute", - "name": "Change to SHA-512", - "search": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", - "replace": "hash('sha512'$2);" - } - ] - }, - { - "id": "DS108647", - "name": "Do not use broken/weak cryptographic hash algorithms", - "tags": [ - "Cryptography.HashAlgorithm.BrokenOrWeak" - ], - "severity": "critical", - "description": "Avoid using broken or weak hash algorithms.", - "replacement": "Use Digest::SHA256 or Digest::SHA512", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS108647.md", - "applies_to": [ - "ruby" - ], - "patterns": [ - { - "pattern": "Digest::(MD5|RMD160|SHA1)", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to SHA-256", - "search": "Digest::(MD5|RMD160|SHA1)", - "replace": "Digest::SHA256" - }, - { - "type": "regex-substitute", - "name": "Change to SHA-512", - "search": "Digest::(MD5|RMD160|SHA1)", - "replace": "Digest::SHA512" - } - ] - }, - { - "id": "DS196098", - "overrides": [ - "DS126858" - ], - "name": "Do not use broken/weak cryptographic hash algorithms", - "tags": [ - "Cryptography.HashAlgorithm.BrokenOrWeak" - ], - "severity": "critical", - "description": "Avoid using broken or weak hash algorithms.", - "replacement": "Use hashlib.sha256 instead.", - "rule_info": 
"https://github.com/Microsoft/DevSkim/blob/master/guidance/DS196098.md", - "applies_to": [ - "python" - ], - "patterns": [ - { - "pattern": "(md5|sha)\\.new\\(", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to hashlib.sha256", - "search": "(md5|sha)\\.new\\(", - "replace": "hashlib.sha256(" - }, - { - "type": "regex-substitute", - "name": "Change to hashlib.sha512", - "search": "(md5|sha)\\.new\\(", - "replace": "hashlib.sha512(" - } - ] - }, - { - "id": "DS168931", - "overrides": [ - "DS126858" - ], - "name": "Do not use broken/weak cryptographic hash algorithms", - "tags": [ - "Cryptography.HashAlgorithm.BrokenOrWeak" - ], - "applies_to": [ - "csharp" - ], - "severity": "critical", - "description": "A potentially weak hashing algorithm was used.", - "replacement": "Use SHA-256 instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS168931.md", - "patterns": [ - { - "pattern": "MD5CryptoServiceProvider", - "type": "substring" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to SHA-256", - "search": "MD5CryptoServiceProvider", - "replace": "SHA256CryptoServiceProvider" - }, - { - "type": "regex-substitute", - "name": "Change to SHA-512", - "search": "MD5CryptoServiceProvider", - "replace": "SHA512CryptoServiceProvider" - } - ] - }, - { - "id": "DS197836", - "name": "Do not take the hash of low-entropy content.", - "tags": [ - "Cryptography.HashAlgorithm.InsufficientEntropy" - ], - "severity": "important", - "description": "Taking a hash of a time value is suspicious, as there is insufficient entropy to protect against brute-force attacks.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS197836.md", - "patterns": [ - { - "pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time", - "type": "regex" - } - ] - } -] 
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/protocol.json b/DevSkim-Common-Ignore/rules/default/security/cryptography/protocol.json deleted file mode 100644 index 43d6a38..0000000 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/protocol.json +++ /dev/null 
@@ -1,290 +0,0 @@ -[ - { - "id": "DS144436", - "name": "Do not use outdated SSL/TLS protocols", - "tags": [ - "Cryptography.Protocol.TLS" - ], - "severity": "important", - "description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific SecurityProtocolType.", - "replacement": "Either leave off or set to SecurityProtocolType.Tls12;", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS144436.md", - "applies_to": [ - "csharp" - ], - "patterns": [ - { - "pattern": "SecurityProtocolType\\.(Ssl3|Tls|Tls11)", - "type": "regex-word" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to SecurityProtocolType.Tls12", - "search": "\\bSecurityProtocolType\\.(Ssl3|Tls|Tls11)\\b", - "replace": "SecurityProtocolType.Tls12" - } - ] - }, - { - "id": "DS127101", - "name": "Hardcoding TLS protocol version", - "tags": [ - "Cryptography.Protocol.TLS" - ], - "severity": "moderate", - "description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific list of protocols.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS127101.md", - "applies_to": [ - "cpp" - ], - "patterns": [ - { - "pattern": "SecPkgCred_SupportedProtocols", - "type": "regex-word" - } - ] - }, - { - "id": "DS169125", - "name": "Do not use outdated SSL/TLS protocols", - "tags": [ - "Cryptography.Protocol.TLS" - ], - "severity": "important", - "description": "An outdated SSL/TLS protocol version is specified.", - "replacement": "Use TLS 1.2", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169125.md", - "applies_to": [ - ], - "patterns": [ - { - - "pattern": "(SSLv?2|SSLv?3|TLSv?1|TLSv?10)", - "type": "regex-word" - } - ] - }, - { - "id": "DS169126", - "name": "An Outdated or Banned SSL/TLS Protocol is Used", - "tags": [ - "Cryptography.Protocol.Banned" - ], - "severity": "important", - 
"description": "An Outdated or Banned SSL/TLS Protocol is Used", - "replacement": "Use TLS 1.2", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169126.md", - "applies_to": [ - ], - "patterns": [ - { - "pattern": "(SSL|TLS)v(2|23|3|1)_(client|server)", - "type": "regex" - }, - { - - "pattern": "SSLv2", - "type": "string" - }, - { - - "pattern": "SSLv3", - "type": "string" - }, - { - - "pattern": "TLSv1", - "type": "string" - }, - { - - "pattern": "TLSv10", - "type": "string" - } - ] - }, - { - "id": "DS169127", - "name": "An Outdated or Banned SSL/TLS Protocol is Used", - "tags": [ - "Cryptography.Protocol.Banned" - ], - "severity": "important", - "description": "An Outdated or Banned SSL/TLS Protocol is Used", - "replacement": "Use TLS 1.2", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169126.md", - "applies_to": [ - "cpp", - "objective-c" - ], - "patterns": [ - { - "pattern": "SECURITY_FLAG_40BIT", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_56BIT", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_NORMALBITNESS", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_PCT", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_PCT4", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_SSL", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_SSL3", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_STRENGTH_MEDIUM", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_STRENGTH_WEAK", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_UNKNOWNBIT", - "type": "string" - }, - { - "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL2", - "type": "string" - }, - { - "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL3", - "type": "string" - }, - { - "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_TLS1", - "type": "string" - }, - { - "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_ALL", - "type": "string" - }, - { - "pattern": "SECURITY_FLAG_STRENGTH_MEDIUM", - "type": "string" - }, - { - "pattern": 
"SECURITY_FLAG_STRENGTH_WEAK", - "type": "string" - }, - { - "pattern": "SP_PROT_(PCT1|SSL2|SSL3|TLS1|TLS1_0)_(CLIENT|SERVER)", - "type": "regex" - }, - { - "pattern": "NSStreamSocketSecurityLevelNone", - "type": "string" - }, - { - "pattern": "NSStreamSocketSecurityLevelSSLv2", - "type": "string" - }, - { - "pattern": "NSStreamSocketSecurityLevelSSLv3", - "type": "string" - }, - { - "pattern": "NSStreamSocketSecurityLevelTLSv1", - "type": "string" - }, - { - "pattern": "kCFStreamSocketSecurityLevelNone", - "type": "string" - }, - { - "pattern": "kCFStreamSocketSecurityLevelSSLv2", - "type": "string" - }, - { - "pattern": "kCFStreamSocketSecurityLevelSSLv3", - "type": "string" - }, - { - "pattern": "kCFStreamSocketSecurityLevelTLSv1", - "type": "string" - }, - { - "pattern": "kSSLProtocolUnknown ", - "type": "string" - }, - { - "pattern": "kSSLProtocol3", - "type": "string" - }, - { - "pattern": "kTLSProtocol1", - "type": "string" - }, - { - "pattern": "kDTLSProtocol1", - "type": "string" - }, - { - "pattern": "kSSLProtocol2", - "type": "string" - }, - { - "pattern": "kSSLProtocol3Only", - "type": "string" - }, - { - "pattern": "kTLSProtocol1Only", - "type": "string" - }, - { - "pattern": "kSSLProtocolAll", - "type": "string" - } - ] - }, - { - "id": "DS169128", - "name": "An Outdated or Banned SSL/TLS Protocol is Used", - "tags": [ - "Cryptography.Protocol.Banned" - ], - "severity": "important", - "description": "An Outdated or Banned SSL/TLS Protocol is Used", - "replacement": "Use TLS 1.2", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS169126.md", - "applies_to": [ - "python" - ], - "patterns": [ - { - "pattern": "PROTOCOL_SSLv2", - "type": "string" - }, - { - "pattern": "PROTOCOL_SSLv23", - "type": "string" - }, - { - "pattern": "PROTOCOL_SSLv3", - "type": "string" - }, - { - "pattern": "PROTOCOL_TLSv1", - "type": "string" - } - ] - } -] \ No newline at end of file 
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/random.json b/DevSkim-Common-Ignore/rules/default/security/cryptography/random.json deleted file mode 100644 index 23d1e7f..0000000 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/random.json +++ /dev/null 
@@ -1,92 +0,0 @@ -[ - { - "id": "DS148264", - "name": "Do not use weak/non-cryptographic random number generators", - "tags": [ - "Cryptography.PRNG.Weak" - ], - "severity": "important", - "description": "Use cryptographic random numbers generators for anything even close to a security function.", - "replacement": "Replacements depend on language.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS148264.md", - "patterns": [ - { - "pattern": "DUAL_EC_DRBG", - "type": "string" - }, - { - "applies_to": [ - "javascript" - ], - "pattern": "pseudoRandomBytes", - "type": "string" - }, - { - "pattern": "rand\\(", - "type": "regex" - }, - { - "pattern": "random_shuffle\\(", - "type": "regex" - }, - { - "pattern": "shuffle\\(", - "type": "regex" - }, - { - "pattern": "RAND_MAX", - "type": "string" - }, - { - "pattern": "rand\\(\\s*\\)\\s*%", - "type": "regex" - }, - { - "pattern": "mwc1616", - "type": "string" - }, - { - "pattern": "(32969|18273)", - "type": "regex-word" - }, - { - "pattern": "System.Random", - "type": "string" - }, - { - "pattern": "Random\\(", - "type": "regex-word", - "applies_to": [ - "java" - ] - }, - { - "pattern": "arc4random", - "type": "string" - } - ], - "fix_it": [] - }, - { - "id": "DS149435", - "name": "Do not seed randomness based on system time or a static value.", - "tags": [ - "Cryptography.WeakRandomness" - ], - "severity": "critical", - "description": "Passing a predicable value to srand() is very insecure and should be avoided.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS149435.md", - "patterns": [ - { - "pattern": "srand\\(\\s*time\\(", - "type": "regex" - }, - { - "pattern": "srand\\(\\s*\\d+\\s*\\)", - "type": "regex" - } - ], - "fix_it": [] - } -] \ No newline at end of file 
diff --git a/DevSkim-Common-Ignore/rules/default/security/frameworks/aspnet5.json b/DevSkim-Common-Ignore/rules/default/security/frameworks/aspnet5.json deleted file mode 100644 index 3af30d6..0000000 --- a/DevSkim-Common-Ignore/rules/default/security/frameworks/aspnet5.json +++ /dev/null @@ -1,34 +0,0 @@ -[ - { - "id": "DS184626", - "name": "All Controllers Should Derive From Controller.", - "tags": [ - "Implementation.Web.ASPNET.ControllerWithoutExtendingController" - ], - "applies_to": [ - "csharp" - ], - "severity": "moderate", - "description": "All Controllers Should Derive From Controller.", - "replacement": "Ensure this class derives from Controller.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS184626.md", - "patterns": [ - { - "pattern": "class [^\\s]+Controller\\s*:\\s*(?!.*?(Controller)).*", - "type": "regex" - }, - { - "pattern": "class [^\\s]+Controller[\\s{]*$", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to inherit from Controller", - "search": "(class [^\\s]+Controller)(([\\s{]*$)|(\\s*:\\s*(?!.*?(Controller)).*))", - "replace": "$1 : Controller" - } - ] - } -] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/frameworks/php.json b/DevSkim-Common-Ignore/rules/default/security/frameworks/php.json deleted file mode 100644 index f7b4187..0000000 --- a/DevSkim-Common-Ignore/rules/default/security/frameworks/php.json +++ /dev/null 
@@ -1,43 +0,0 @@ -[ -{ - "id": "DS144886", - "name": "$_REQUEST should be avoided", - "tags": [ - "Implementation.PHP" - ], - "applies_to": [ - "php" - ], - "severity": "moderate", - "description": "$_REQUEST combines POST, GET, and cookie values in one array, making it easy for an attacker to modify a POST or cookie value by instead putting it in a GET and sending the URL to the victim", - "replacement": "Use $_POST, $_GET, $_COOKIE to scope to the expected delivery method for a value ", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS144886.md", - "patterns": [ - { - "pattern": "\\$_REQUEST", - "type": "regex" - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "name": "Change to $_GET", - "search": "\\$_REQUEST", - "replace": "$$_GET" - }, - { - "type": "regex-substitute", - "name": "Change to $_POST", - "search": "\\$_REQUEST", - "replace": "$$_POST" - }, - { - "type": "regex-substitute", - "name": "Change to $_COOKIE", - "search": "\\$_REQUEST", - "replace": "$$_COOKIE" - } - ] - } - -] diff --git a/DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/microsoft-nuget.json b/DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/microsoft-nuget.json deleted file mode 100644 index 2c0eef3..0000000 --- a/DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/microsoft-nuget.json +++ /dev/null 
@@ -1,206 +0,0 @@ -[ - { - "description": "Vulnerabilities in .NET Core, ASP.NET Core Could Allow Elevation of Privilege", - "tags": [ - "Vulerable-Dependency.Library.NuGet" - ], - "applies_to": [ - "packages.config" - ], - "name": "Vulnerable NuGet Library", - "severity": "moderate", - "replacement": "Upgrade this package to a later, unaffected version.", - "patterns": [ - { - "pattern": ", $2)", + "pattern": { + "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to strlcpy", + "type": "regex-replace", + "_comment": "", + "replacement": "strlcpy($1, $2, )", + "pattern": { + "pattern": "\\bstrcpy\\s*\\(([^,]+),([^,]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Banned C function detected (strncpy)", + "id": "DS111237", + "description": "strncpy is dangerous, as if the source contains 'n' or more characters, it will not null terminate the destination.", + "recommendation": "Use strcpy_s or strlcpy if possible. 
If no safe function is viable, strcpy/strncpy should be proceeded by conditional checks to verify tha that the source string will fit in the destination with a null termnator.", + "overrides": [ + "DS154189" + ], + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.BannedFunction" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS111237.md", + "patterns": [ + { + "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to strcpy_s (Recommended for VC++)", + "type": "regex-replace", + "_comment": "", + "replacement": "strcpy_s($1, $3, $2)", + "pattern": { + "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to strlcpy", + "type": "regex-replace", + "_comment": "", + "replacement": "strlcpy($1, $2, $3)", + "pattern": { + "pattern": "\\bstrncpy\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Banned C function detected (strcat)", + "id": "DS141863", + "description": "If the combination of strings is larger than the destination buffer, strcat will cbuffer overflow the destination buffer", + "recommendation": "Use strcat_s or strlcat if possible. 
strncat's size parameter excludes the null terminator, which leads to frequent mistakes", + "overrides": [ + "DS154189" + ], + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.BannedFunction" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS141863.md", + "patterns": [ + { + "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to strcat_s (Recommended for VC++)", + "type": "regex-replace", + "_comment": "", + "replacement": "strcat_s($1, , $2)", + "pattern": { + "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to strlcat", + "type": "regex-replace", + "_comment": "", + "replacement": "strlcat($1, $2, )", + "pattern": { + "pattern": "\\bstrcat\\s*\\(([^,]+),([^,]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Banned C function detected (strncat)", + "id": "DS108330", + "description": "strncat adds the null terminator at character 'n + 1', rather than at the nth character. this frequently leads to the null terminator being added in the memory adjacent to the destination buffer, rather than in the destination buffer.", + "recommendation": "Use strcat_s or strlcat if possible. 
", + "overrides": [ + "DS154189" + ], + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.BannedFunction" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS108330.md", + "patterns": [ + { + "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to strcat_s (Recommended for VC++)", + "type": "regex-replace", + "_comment": "", + "replacement": "strcat_s($1, $3, $2)", + "pattern": { + "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to strlcat", + "type": "regex-replace", + "_comment": "", + "replacement": "strlcat($1, $2, $3)", + "pattern": { + "pattern": "\\bstrncat\\s*\\(([^,]+),([^,]+),([^,]+)\\)+", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Banned C function detected (gets)", + "id": "DS181021", + "description": "gets will read in as many bytes as are provided, regardless of the size of buffer recieving the bytes. This allows for conditions that cause a buffer overlow in the destination buffer.", + "recommendation": "Use gets_s or fgets if possible. 
fgets has different behavior from gets (may include newline for example), so care should be taken if it is used.", + "overrides": [ + "DS154189" + ], + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.BannedFunction" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS181021.md", + "patterns": [ + { + "pattern": "\\bgets\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to gets_s (Recommended for VC++)", + "type": "regex-replace", + "_comment": "", + "replacement": "gets_s($1, )", + "pattern": { + "pattern": "\\bgets\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to fgets", + "type": "regex-replace", + "_comment": "", + "replacement": "fgets($1, , stdin)", + "pattern": { + "pattern": "\\bgets\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/api/misused_api.json b/DevSkim-Common/rules/default/security/api/misused_api.json similarity index 62% rename from DevSkim-Common-Ignore/rules/default/security/api/misused_api.json rename to DevSkim-Common/rules/default/security/api/misused_api.json index 4ac0c88..b1b8335 100644 --- a/DevSkim-Common-Ignore/rules/default/security/api/misused_api.json +++ b/DevSkim-Common/rules/default/security/api/misused_api.json 
@@ -1,45 +1,54 @@ -[ { - "id": "DS179924", +[ + { "name": "Do not copy a FILE object (CERT FIO38-C)", - "tags": [ - "CERT.FIO38-C", - "C.DangerousFunctionCall" - ], + "id": "DS179924", + "description": "The CERT Secure Coding Standard recommends that FILE objects not be copied.", + "recommendation": "Copy a pointer to the FILE object instead.", "applies_to": [ "cpp", "c" ], + "tags": [ + "CERT.FIO38-C", + "C.DangerousFunctionCall" + ], "severity": "important", - "description": "The CERT Secure Coding Standard recommends that FILE objects not be copied.", - "replacement": "Copy a pointer to the FILE object instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS179924.md", + "_comment": "", + "rule_info": "DS179924.md", "patterns": [ { "pattern": "FILE [a-z0-9_][^=]*=\\s*\\*", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, - { - "id": "DS181731", + { "name": "Don't pass user input to this function", - "tags": [ - "PHP.Injection" - ], + "id": "DS181731", + "description": "Don't pass user input to this function.", + "recommendation": "Validate this data before passing it to the function.", "applies_to": [ "php" ], + "tags": [ + "PHP.Injection" + ], "severity": "critical", - "description": "Don't pass user input to this function.", - "replacement": "Validate this data before passing it to the function.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS181731.md", + "_comment": "", + "rule_info": "DS181731.md", "patterns": [ { "pattern": "(include|require|include_once|require_once|passthru)\\s*\\(.*\\$\\_(GET|POST|REQUEST|COOKIES|FILES)", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] } ] \ No newline at end of file 
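Review bot: In DS181731's pattern on the new side the superglobal alternation lists `COOKIES`, but PHP's superglobal is `$_COOKIE`, so `require($_COOKIE['page'])` is never matched while the non-existent `$_COOKIES` is. Change the group to `(GET|POST|REQUEST|COOKIE|FILES|SERVER|ENV)`; `$_SERVER` (e.g. `PHP_SELF`, `HTTP_HOST`) and `$_ENV` are attacker-influenced in the same way and are a common source of the include-path injection this critical-severity rule is meant to catch. The `.*` between the function name and the superglobal is line-local and greedy, so `include('a.php'); echo $_GET['x'];` also fires; that is presumably acceptable for a rule of this severity, but a `_comment` noting the pattern is intentionally broad would save the next maintainer from "fixing" it.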
diff --git a/DevSkim-Common/rules/default/security/api/suggested_api.json b/DevSkim-Common/rules/default/security/api/suggested_api.json new file mode 100644 index 0000000..7e78bbd --- /dev/null +++ b/DevSkim-Common/rules/default/security/api/suggested_api.json 
@@ -0,0 +1,148 @@ +[ + { + "name": "Problematic C function detected (malloc)", + "id": "DS161085", + "description": "If the value provided to malloc is the result of unsafe integer math, it can result in an exploitable condition. ", + "recommendation": "calloc handles the most common integer math in memory allocation (# of elements * their size) with error handling to prevent overflows in most implementations, and zeros out memory", + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.ProblematicFunction" + ], + "severity": "best-practice", + "_comment": "", + "rule_info": "DS161085.md", + "patterns": [ + { + "pattern": "\\bmalloc\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to calloc ", + "type": "regex-replace", + "_comment": "", + "replacement": "calloc(, )", + "pattern": { + "pattern": "\\bmalloc\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Problematic C function detected (memcpy)", + "id": "DS121708", + "description": "There are a number of conditions in which memcpy can introduce a vulnerability (mismatched buffer sizes, null pointers, etc.). 
More secure alternitives perform additional validation of the source and destination buffer", + "recommendation": "Use memcpy_s if possible.", + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.ProblematicFunction" + ], + "severity": "best-practice", + "_comment": "", + "rule_info": "DS121708.md", + "patterns": [ + { + "pattern": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to memcpy_s (Recommended for VC++)", + "type": "regex-replace", + "_comment": "", + "replacement": "memcpy_s($1, , $2, $3)", + "pattern": { + "pattern": "\\bmemcpy\\s*\\(([^,]+),([^,]+),([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Problematic C function detected (strlen)", + "id": "DS140021", + "description": "If a string is missing a null terminator, strlen will read past the end of the buffer", + "recommendation": "In instances where you know the maximum size of a string's buffer, use strlen_s or strnlen to prevent over-reading", + "overrides": [ + "DS154189" + ], + "applies_to": [ + "c", + "cpp", + "objective-c" + ], + "tags": [ + "API.DangerousAPI.ProblematicFunction" + ], + "severity": "best-practice", + "_comment": "", + "rule_info": "DS140021.md", + "patterns": [ + { + "pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to strlen_s (Recommended for VC++)", + "type": "regex-replace", + "_comment": "", + "replacement": "strlen_s($1, )", + "pattern": { + "pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to strnlen", + "type": "regex-replace", + "_comment": "", + "replacement": "strnlen($1, )", + "pattern": { + "pattern": "\\bstrlen\\s*\\(([^,\\)]+)\\)", + "type": "regex", + "scopes": [ + 
"code" + ], + "_comment": "" + } + } + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/api/tests/DS179924.test b/DevSkim-Common/rules/default/security/api/tests/DS179924.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/api/tests/DS179924.test rename to DevSkim-Common/rules/default/security/api/tests/DS179924.test diff --git a/DevSkim-Common-Ignore/rules/default/security/api/tests/DS181731.test b/DevSkim-Common/rules/default/security/api/tests/DS181731.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/api/tests/DS181731.test rename to DevSkim-Common/rules/default/security/api/tests/DS181731.test diff --git a/DevSkim-Common/rules/default/security/attack_surface/outbound_network.json b/DevSkim-Common/rules/default/security/attack_surface/outbound_network.json new file mode 100644 index 0000000..7855725 --- /dev/null +++ b/DevSkim-Common/rules/default/security/attack_surface/outbound_network.json 
@@ -0,0 +1,82 @@ +[ + { + "name": "Notice: Outbound HTTP Connection", + "id": "DS137038", + "description": "Inbound HTTP", + "recommendation": "", + "applies_to": [ + "ruby" + ], + "tags": [ + "ThreatModel.Integration.HTTP" + ], + "severity": "manual-review", + "_comment": "", + "rule_info": "DS137038.md", + "patterns": [ + { + "pattern": "Net::HTTP", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "Insecure URL", + "id": "DS137138", + "description": "An HTTP-based URL without TLS was detected.", + "recommendation": "Update to an HTTPS-based URL if possible.", + "tags": [ + "ThreatModel.Integration.HTTP" + ], + "severity": "moderate", + "_comment": "", + "rule_info": "DS137138.md", + "patterns": [ + { + "pattern": "http:", + "type": "substring", + "scopes": [ + "code" + ], + "modifiers": ["i"], + "_comment": "" + } + ], + "conditions" : [ + { + "pattern" : + { + "pattern": "xmlns", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + }, + "negate_finding": true, + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to HTTPS ", + "type": "regex-replace", + "_comment": "", + "replacement": "https:", + "pattern": { + "pattern": "http:", + "type": "regex", + "scopes": [ + "code" + ], + "modifiers": ["i"], + "_comment": "" + } + } + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/control_flow/dynamic_execution.json b/DevSkim-Common/rules/default/security/control_flow/dynamic_execution.json similarity index 73% rename from DevSkim-Common-Ignore/rules/default/security/control_flow/dynamic_execution.json rename to DevSkim-Common/rules/default/security/control_flow/dynamic_execution.json index 8fcdb8f..d52cc95 100644 --- a/DevSkim-Common-Ignore/rules/default/security/control_flow/dynamic_execution.json +++ b/DevSkim-Common/rules/default/security/control_flow/dynamic_execution.json 
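Review bot: DS137038's description on the new side reads `"Inbound HTTP"` while the rule name says "Outbound HTTP Connection" and the pattern `Net::HTTP` is Ruby's HTTP client, so the finding text contradicts itself; change it to `"description": "Outbound HTTP connection via Net::HTTP; confirm the destination is trusted and the request uses TLS."` and give the empty `recommendation` the same guidance. The DS137138 fix-it rewrites `http:` as a case-insensitive regex with no anchor, so anything containing that substring that the `xmlns` negate-condition does not cover (DOCTYPE and schema-location URIs, for instance) is silently turned into `https:`; anchoring it as `\\bhttp:` limits the rewrite to actual scheme prefixes. The negate-condition is itself a `regex` on `xmlns`, which suppresses every `http:` on a line that mentions xmlns anywhere; that looks intentional but is worth a `_comment`.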
@@ -1,23 +1,27 @@ [ { - "id": "DS165746", "name": "Do not execute user-provided JavaScript", - "tags": [ - "Design.Mobile.iOS.WebView.DynamicJavaScript" - ], + "id": "DS165746", + "description": "This line of code shows the dynamic evaluation of JavaScript, sourced from a string. It's important that this string not contain unsanitized user-supplied data, as it could be a vector for a cross-site scripting (XSS) attack.", + "recommendation": "", "applies_to": [ "objective-c" ], + "tags": [ + "Design.Mobile.iOS.WebView.DynamicJavaScript" + ], "severity": "important", - "description": "This line of code shows the dynamic evaluation of JavaScript, sourced from a string. It's important that this string not contain unsanitized user-supplied data, as it could be a vector for a cross-site scripting (XSS) attack.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS165746.md", + "_comment": "", + "rule_info": "DS165746.md", "patterns": [ { "pattern": "stringByEvaluatingJavaScriptFromString", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] } ] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/control_flow/format_string.json b/DevSkim-Common/rules/default/security/control_flow/format_string.json similarity index 53% rename from DevSkim-Common-Ignore/rules/default/security/control_flow/format_string.json rename to DevSkim-Common/rules/default/security/control_flow/format_string.json index 8c55a4d..ab10c95 100644 --- a/DevSkim-Common-Ignore/rules/default/security/control_flow/format_string.json +++ b/DevSkim-Common/rules/default/security/control_flow/format_string.json 
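Review bot: DS165746 ships with `"recommendation": ""` on the new side, so the only rule in this file tells the developer what is wrong but not what to do; suggest `"recommendation": "Build the script from constant strings and pass user data in as a JSON-encoded argument rather than concatenating it into the JavaScript source."`. The single pattern covers only UIWebView's `stringByEvaluatingJavaScriptFromString`; if the rule is meant to apply to WKWebView as well, `evaluateJavaScript` would need a second pattern entry, though that may be deliberately out of scope for this sync.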
@@ -1,30 +1,43 @@ [ { - "id": "DS113286", "name": "Do not include user-input directoy in format strings", + "id": "DS113286", + "description": "Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings", + "recommendation": "", + "applies_to": [ + "objective-c" + ], "tags": [ "ControlFlow.Injection.FormatString", "cert:FIO30-C" ], - "applies_to": [ - "objective-c" - ], "severity": "important", - "description": "Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS113286.md", + "_comment": "", + "rule_info": "DS113286.md", "patterns": [ { "pattern": "\\[NSString stringWithFormat:\\s*([^@\\\"\\]]+\\])", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } ], - "fix_it": [ + "fix_its": [ { - "type": "regex-substitute", "name": "Use a predefined format string", - "search": "\\[NSString stringWithFormat:\\s*([^@\\\"\\]]+\\])", - "replace": "[NSString stringWithFormat:@\"%@\", $1" + "type": "regex-replace", + "_comment": "", + "replacement": "[NSString stringWithFormat:@\"%@\", $1", + "pattern": { + "pattern": "\\[NSString stringWithFormat:\\s*([^@\\\"\\]]+\\])", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } } ] } diff --git a/DevSkim-Common/rules/default/security/control_flow/permission_evelation.json b/DevSkim-Common/rules/default/security/control_flow/permission_evelation.json new file mode 100644 index 0000000..9ec7ffb --- /dev/null +++ b/DevSkim-Common/rules/default/security/control_flow/permission_evelation.json 
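Review bot: The rule name carried onto the new side still reads `Do not include user-input directoy in format strings`; `directoy` is a typo for `directly`, and since the name is what the editor surfaces it should read `"name": "Do not include user input directly in format strings"`. The `recommendation` is empty here as well; `"recommendation": "Use a constant format string and pass the user-controlled value as a %@ argument."` describes exactly what the fix-it already does. The fix-it itself is correct: `$1` captures through the closing `]`, so the substitution yields `[NSString stringWithFormat:@"%@", <expr>]`.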
@@ -0,0 +1,140 @@ +[ + { + "name": "Do not set a custom execution policy.", + "id": "DS113853", + "description": "The Set-ExecutionPolicy cmdlet has been used to dynamically change the permissions available to PowerShell.", + "recommendation": "Avoid elevating privileges if possible.", + "applies_to": [ + "powershell" + ], + "tags": [ + "ControlFlow.Permission.Evalation" + ], + "severity": "moderate", + "_comment": "", + "rule_info": "DS113853.md", + "patterns": [ + { + "pattern": "Set-ExecutionPolicy", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "Use of restricted functions.", + "id": "DS104456", + "description": "Use of restricted functions.", + "recommendation": "", + "applies_to": [ + "powershell" + ], + "tags": [ + "Implementation.Scripting.PowerShell.DangeousFunction" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS104456.md", + "patterns": [ + { + "pattern": "GetDelegateForFunctionPointer", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "System.Runtime.InteropServices.Marshal", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "WriteByte", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "Microsoft.Win32.UnsafeNativeMethods", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "PtrToStructure", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "StructureToPtr", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "(NtCreateThreadEx|CreateRemoteThread)", + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "Invoke", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "VirtualProtect", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "iex", + "type": "string", + 
"scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "&\"", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "& $", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/certificate.json b/DevSkim-Common/rules/default/security/cryptography/certificate.json similarity index 53% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/certificate.json rename to DevSkim-Common/rules/default/security/cryptography/certificate.json index ba019d8..68e0a0e 100644 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/certificate.json +++ b/DevSkim-Common/rules/default/security/cryptography/certificate.json 
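Review bot: The `"Invoke"` pattern in DS104456 (type `string`, severity `important`) matches every `Invoke-Command`, `Invoke-WebRequest`, `Invoke-RestMethod` and `.Invoke(` in a PowerShell script, so the rule will fire on nearly all real code and the genuinely interesting hits (`iex`, `GetDelegateForFunctionPointer`, `VirtualProtect`) will be buried; `WriteByte` and `PtrToStructure` are similarly generic. Consider narrowing it to the expression-evaluation forms, e.g. `"pattern": "Invoke-Expression|\\.Invoke\\s*\\(", "type": "regex"`, and giving the rule a non-empty `recommendation`, since its description currently just repeats the name. The DS113853 text is also inaccurate: `Set-ExecutionPolicy` changes the script-execution policy, which is not a privilege boundary, so `"Avoid elevating privileges if possible."` should read something like `"Do not relax the execution policy from within scripts; configure it administratively (e.g. via Group Policy) instead."`. The tag values `ControlFlow.Permission.Evalation` and `Implementation.Scripting.PowerShell.DangeousFunction` (and the file name `permission_evelation.json`) carry typos that will make tag-based filtering inconsistent.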
@@ -1,327 +1,360 @@ [ { - "id": "DS114352", "name": "Encryption Marked 'Optional'", + "id": "DS114352", + "description": "Optional encryption or integrity checking can be dangerous.", + "recommendation": "As a best practice, always enable strong encryption and integrity checking.", "tags": [ "Cryptography.Optional" ], "severity": "important", - "description": "Optional encryption or integrity checking can be dangerous.", - "replacement": "As a best practice, always enable strong encryption and integrity checking.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", + "_comment": "", + "rule_info": "DS114352.md", "patterns": [ { "pattern": "Integrity.*optional", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "Encryption.*optional", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS181865", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", + "id": "DS181865", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS181865.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "objective-c" ], + "tags": [ + "Cryptography.Certificate.Validation" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS181865.md", "patterns": [ { "pattern": "setValidatesSecureCertificate:\\s*NO", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "setAllowsAnyHTTPSCertificate:\\s*YES", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "allowsAnyHTTPSCertificate\\s*=\\s*YES", - "type": "regex" + "type": "regex", + 
"scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "setValidatesSecureCertificate:\\s*NO", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "validatesSecureCertificate\\s*=\\s*NO", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "continueWithoutCredentialForAuthenticationChallenge", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "kCFStreamSSL(Level|AllowsExpiredCertificates|AllowsExpiredRoots|AllowsAnyRoot|ValidatesCertificateChain|PeerName)", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "kCFStreamPropertySSLSettings", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } ] }, { - "id": "DS134411", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", - "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS134411.md", - "applies_to": [ - "csharp" - ], - "patterns": [ - { - "pattern": ".IgnorableServerCertificateErrors.", - "type": "string" - }, - { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\s*{\\s*return true;\\s*};", - "type": "regex" - }, - { - "pattern": "ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\([^\\)]*\\)\\s*{\\s+return[\\s\\(]?true[\\s\\)]?", - "type": "regex", - "modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"] - }, - { - "pattern": "ServerCertificateValidationCallback\\s*\\+?=\\s*\\([^\\)]*\\)\\s*=>\\s*true", - "type": "regex", - "modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"] - }, - { - "pattern": "RemoteCertificateValidationCallback\\(delegate\\s*{\\s*return true;\\s*}\\);", - "type": "regex" - }, 
- { - "pattern": "RemoteCertificateValidationCallback\\(\\s*\\([^\\)]*\\)\\s*=>\\s*{\\s*return true;\\s*}\\s*\\)", - "type": "regex" - } - ] - }, - { "id": "DS176603", - "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "ruby" ], - "patterns": [ - { - "pattern": "OpenSSL::SSL::VERIFY_NONE", - "type": "string" - } - ], - "fix_it": [] - }, - { - "id": "DS130821", - "name": "Disabled certificate validation", "tags": [ "Cryptography.Certificate.Validation" ], "severity": "critical", - "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", - "applies_to": [ - "python" - ], + "_comment": "", + "rule_info": "DS114352.md", "patterns": [ { - "pattern": "requests\\.(get|post|head|patch|delete|options)\\([^\\)]*\\s+verify\\s*=\\s*False\\)", - "type": "regex", - "modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"] - } - ], - "fix_it": [ - { - "type": "regex-substitute", - "modifiers": ["DOTALL", "MULTILINE", "IGNORECASE"], - "name": "Set verify to True", - "search": "False", - "replace": "True" + "pattern": "OpenSSL::SSL::VERIFY_NONE", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } ] }, { - "id": "DS130822", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", + "id": "DS130822", "description": "Extend default certificate validation, but do not disable or 
override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS130822.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "python" ], + "tags": [ + "Cryptography.Certificate.Validation" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS130822.md", "patterns": [ { "pattern": "\\.check_hostname\\s*=\\s*False", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "disable_ssl_certificate_validation\\s*=\\s*True", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS159369", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", + "id": "DS159369", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "cpp" ], + "tags": [ + "Cryptography.Certificate.Validation" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS114352.md", "patterns": [ { "pattern": "SECURITY_FLAG_IGNORE_CERT_CN_INVALID", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "SECURITY_FLAG_IGNORE_REVOCATION", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "SECURITY_FLAG_IGNORE_UNKNOWN_CA", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": 
"SECURITY_FLAG_IGNORE_WRONG_USAGE", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS101940", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", + "id": "DS101940", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ ".config" ], + "tags": [ + "Cryptography.Certificate.Validation" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS114352.md", "patterns": [ { "pattern": "certificateValidationMode=\"None\"", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "checkCertificateName=\"false\"", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "checkCertificateRevocationList=\"false\"", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "encryptionPolicy=\"(AllowNoEncryption|NoEncryption)", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS125134", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", + "id": "DS125134", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", 
+ "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "javascript" ], + "tags": [ + "Cryptography.Certificate.Validation" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS114352.md", "patterns": [ { "pattern": "NODE_TLS_REJECT_UNAUTHORIZED|rejectUnauthorized", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS152094", "name": "Disabled certificate validation", - "tags": [ - "Cryptography.Certificate.Validation" - ], - "severity": "critical", + "id": "DS152094", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "java" ], - "patterns": [ - { - "pattern": "(TrustManager|getInsecure|HostnameVerifier|AbstractVerifier|AllowAllHostnameVerifier|BrowserCompatHostnameVerifier|StrictHostnameVerifier|onReceivedSslError|insecuresocketfactory|customhostnameverifier)", - "type": "regex" - } - ], - "fix_it": [] - }, - { - "id": "DS126185", - "name": "Disabled certificate validation", "tags": [ "Cryptography.Certificate.Validation" ], "severity": "critical", + "_comment": "", + "rule_info": "DS114352.md", + "patterns": [ + { + "pattern": "(TrustManager|getInsecure|HostnameVerifier|AbstractVerifier|AllowAllHostnameVerifier|BrowserCompatHostnameVerifier|StrictHostnameVerifier|onReceivedSslError|insecuresocketfactory|customhostnameverifier)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "Disabled certificate validation", + "id": "DS126185", "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during 
testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS114352.md", + "recommendation": "Always use a valid certificate, even during testing.", "applies_to": [ "powershell" ], + "tags": [ + "Cryptography.Certificate.Validation" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS114352.md", "patterns": [ { "pattern": "::ServerCertificateValidationCallback\\s*=\\s*{\\s*\\$true\\s*}", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] } -] +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/ciphers.json b/DevSkim-Common/rules/default/security/cryptography/ciphers.json similarity index 50% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/ciphers.json rename to DevSkim-Common/rules/default/security/cryptography/ciphers.json index e8d0df4..56574e3 100644 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/ciphers.json +++ b/DevSkim-Common/rules/default/security/cryptography/ciphers.json 
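Review bot: The rewritten file drops DS134411 (C# `ServerCertificateValidationCallback`/`RemoteCertificateValidationCallback` returning `true`) and DS130821 (Python `requests.*(..., verify=False)`) entirely — they appear only as removed lines with no replacement in the hunk — so unless they were moved to a file outside this diff, the C# and Python-requests certificate-bypass detections are lost, which looks unintended for a re-sync. Six rules (DS176603, DS159369, DS101940, DS125134, DS152094, DS126185) keep `"rule_info": "DS114352.md"`, which is the "Encryption Marked 'Optional'" guidance rather than their own page; each should point at its own ID, e.g. `"rule_info": "DS176603.md"`. The JavaScript pattern `NODE_TLS_REJECT_UNAUTHORIZED|rejectUnauthorized` also fires on the safe `rejectUnauthorized: true`; `"pattern": "rejectUnauthorized\\s*:\\s*false|NODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*['\\\"]?0"` would limit this critical finding to the actual bypass. DS181865 lists `setValidatesSecureCertificate:\\s*NO` twice; one copy can go.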
@@ -1,114 +1,153 @@ [ { - "id": "DS175862", "name": "Do not use the mcrypt module, use OpenSSL instead.", - "tags": [ - "Cryptography.Library.Abandoned" - ], + "id": "DS175862", + "description": "The PHP mcrypt module is based on libmcrypt, which has been abanonded since 2007.", + "recommendation": "OpenSSL", "applies_to": [ "php" ], + "tags": [ + "Cryptography.Library.Abandoned" + ], "severity": "moderate", - "description": "The PHP mcrypt module is based on libmcrypt, which has been abanonded since 2007.", - "replacement": "OpenSSL", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS175862.md", + "_comment": "", + "rule_info": "DS175862.md", "patterns": [ { "pattern": "mcrypt", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [ ] }, { + "name": "Do not use the 3DES symmetric block cipher.", "id": "DS109501", + "description": "The 3DES cipher was found, which is only secure if three independent keys are used.", + "recommendation": "Use AES instead.", "overrides": [ "DS106864" ], - "name": "Do not use the 3DES symmetric block cipher.", + "applies_to": [ + "csharp" + ], "tags": [ "Cryptography.Symmetric.PotentiallyWeakAlgorithm" ], - "applies_to": [ - "csharp" - ], "severity": "moderate", - "description": "The 3DES cipher was found, which is only secure if three independent keys are used.", - "replacement": "Use AES instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS109501.md", + "_comment": "", + "rule_info": "DS109501.md", "patterns": [ { "pattern": "TripleDESCryptoServiceProvider", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } ], - "fix_it": [ + "fix_its": [ { - "type": "regex-substitute", "name": "Change to AESCryptoServiceProvider", - "search": "TripleDESCryptoServiceProvider", - "replace": "AESCryptoServiceProvider" + "type": "regex-replace", + "_comment": "", + "replacement": "AESCryptoServiceProvider", + 
"pattern": { + "pattern": "TripleDESCryptoServiceProvider", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } } ] }, { - "id": "DS106864", "name": "Do not use the DES symmetric block cipher.", - "tags": [ - "Cryptography.Symmetric.WeakOrBrokenAlgorithm" - ], + "id": "DS106864", + "description": "The DES cipher was found, which is widely considered to be broken.", + "recommendation": "Use AES instead.", "applies_to": [ "csharp" ], + "tags": [ + "Cryptography.Symmetric.WeakOrBrokenAlgorithm" + ], "severity": "critical", - "description": "The DES cipher was found, which is widely considered to be broken.", - "replacement": "Use AES instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS106864.md", + "_comment": "", + "rule_info": "DS106864.md", "patterns": [ { "pattern": "DESCryptoServiceProvider", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } ], - "fix_it": [ + "fix_its": [ { - "type": "regex-substitute", "name": "Change to AESCryptoServiceProvider", - "search": "DESCryptoServiceProvider", - "replace": "AESCryptoServiceProvider" + "type": "regex-replace", + "_comment": "", + "replacement": "AESCryptoServiceProvider", + "pattern": { + "pattern": "DESCryptoServiceProvider", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } } ] }, { - "id": "DS156431", "name": "Do not use the RC2 symmetric block cipher.", - "tags": [ - "Cryptography.Symmetric.WeakOrBrokenAlgorithm" - ], + "id": "DS156431", + "description": "The RC2 cipher was found, which is considered to be broken.", + "recommendation": "Use AES instead.", "applies_to": [ "csharp" ], + "tags": [ + "Cryptography.Symmetric.WeakOrBrokenAlgorithm" + ], "severity": "critical", - "description": "The RC2 cipher was found, which is considered to be broken.", - "replacement": "Use AES instead.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS156431.md", + "_comment": "", + "rule_info": 
"DS156431.md", "patterns": [ { "pattern": "RC2CryptoServiceProvider", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } ], - "fix_it": [ + "fix_its": [ { - "type": "regex-substitute", "name": "Change to AESCryptoServiceProvider", - "search": "RC2CryptoServiceProvider", - "replace": "AESCryptoServiceProvider" + "type": "regex-replace", + "_comment": "", + "replacement": "AESCryptoServiceProvider", + "pattern": { + "pattern": "RC2CryptoServiceProvider", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } } ] } - - -] - +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/general.json b/DevSkim-Common/rules/default/security/cryptography/general.json similarity index 59% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/general.json rename to DevSkim-Common/rules/default/security/cryptography/general.json index bceaf33..8c0c426 100644 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/general.json +++ b/DevSkim-Common/rules/default/security/cryptography/general.json 
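Review bot: All three `fix_its` replacement strings use `AESCryptoServiceProvider`, but the .NET class is `AesCryptoServiceProvider` (mixed case), so applying the suggested fix produces code that does not compile; change each to `"replacement": "AesCryptoServiceProvider",`. The DS106864 fix-it pattern is now `"type": "regex"` with the bare text `DESCryptoServiceProvider`, which also matches inside `TripleDESCryptoServiceProvider` and would rewrite it to `TripleAesCryptoServiceProvider`; the `overrides` entry on DS109501 presumably suppresses the finding, but the fix-it pattern should still be anchored, e.g. `"pattern": "\\bDESCryptoServiceProvider"`. In DS175862, `abanonded` should be `abandoned`, and `"recommendation": "OpenSSL"` would read better as guidance, e.g. `"recommendation": "Use the openssl_* functions instead."`.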
@@ -1,59 +1,72 @@ [ { - "id": "DS101155", "name": "Disabled certificate validation", + "id": "DS101155", + "description": "Extend default certificate validation, but do not disable or override default rules.", + "recommendation": "Always use a valid certificate, even during testing.", "tags": [ "Cryptography.Certificate.Validation" ], "severity": "critical", - "description": "Extend default certificate validation, but do not disable or override default rules.", - "replacement": "Always use a valid certificate, even during testing.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS101155.md", + "_comment": "", + "rule_info": "DS101155.md", "patterns": [ { "pattern": "encrypt=false", "type": "string", - "subtype": [ - "string" - ] + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "encryption=false", "type": "string", - "subtype": [ - "string" - ] + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "unencrypted.*password", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "TODO.*crypt", "type": "regex", - "subtype": [ - "comment" - ] + "scopes": [ + "code" + ], + "_comment": "" } ] }, { - "id": "DS101159", "name": "Initializing Security Context", + "id": "DS101159", + "description": "SecurityContext initialization, look here for cryptography functions.", + "recommendation": "", + "applies_to": [ + "cpp" + ], "tags": [ "Cryptography.SecurityContext.Initialization" ], "severity": "manual-review", - "description": "SecurityContext initialization, look here for cryptography functions.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS101159.md", - "applies_to": [ - "cpp" - ], + "_comment": "", + "rule_info": "DS101159.md", "patterns": [ { "pattern": "InitializeSecurityContext", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } ] } 
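Review bot: The `TODO.*crypt` pattern in DS101155 is now scoped to `"scopes": [ "code" ]`, but the old side restricted it to comments (`"subtype": [ "comment" ]`) and a TODO marker practically only occurs in comments, so with this scope the pattern will almost never match; it should presumably be `"scopes": [ "comment" ]`, assuming the new `scopes` field accepts the comment scope the old `subtype` did. The `encrypt=false`/`encryption=false` patterns were previously sub-typed `string` and are now also `code`; if that subtype meant string-literal scope, the same question applies to them. DS101155 has no `applies_to`, so the bare `unencrypted.*password` regex fires in every language at severity `critical`; worth confirming that is intended.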
diff --git a/DevSkim-Common/rules/default/security/cryptography/hash_algorithm.json b/DevSkim-Common/rules/default/security/cryptography/hash_algorithm.json new file mode 100644 index 0000000..f5a42bb --- /dev/null +++ b/DevSkim-Common/rules/default/security/cryptography/hash_algorithm.json 
@@ -0,0 +1,363 @@ +[ + { + "name": "Weak/Broken Hash Algorithm", + "id": "DS126858", + "description": "A weak or broken hash algorithm was detected.", + "recommendation": "Consider switching to use SHA-256 or SHA-512 instead.", + "tags": [ + "Cryptography.BannedHashAlgorithm" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS126858.md", + "patterns": [ + { + "pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to \"SHA256\"", + "type": "regex-replace", + "_comment": "", + "replacement": "SHA256", + "pattern": { + "pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to \"SHA512\"", + "type": "regex-replace", + "_comment": "", + "replacement": "SHA512", + "pattern": { + "pattern": "(MD2|MD4|MD5|RIPEMD|RIPEMD(128|256|160|320)|(SHA0|SHA-0|SHA1|SHA-1))", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Weak/Broken Hash Algorithm", + "id": "DS197800", + "description": "A weak or broken hash algorithm was detected.", + "recommendation": "Use CC_SHA256 or CC_SHA512 instead.", + "overrides": [ + "DS126858" + ], + "applies_to": [ + "objective-c" + ], + "tags": [ + "Cryptography.HashAlgorithm.BrokenOrWeak" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS197800.md", + "patterns": [ + { + "pattern": "CC_(MD2|MD4|MD5|SHA1)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to SHA-256", + "type": "regex-replace", + "_comment": "", + "replacement": "CC_SHA256", + "pattern": { + "pattern": "CC_(MD2|MD4|MD5|SHA1)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to SHA-512", + "type": "regex-replace", + "_comment": "", + "replacement": 
"CC_SHA512", + "pattern": { + "pattern": "CC_(MD2|MD4|MD5|SHA1)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Weak/Broken Hash Algorithm", + "id": "DS128420", + "description": "A weak or broken hash algorithm was detected.", + "recommendation": "When using hash(), use sha256 or sha512 as the algorithms instead", + "overrides": [ + "DS126858" + ], + "applies_to": [ + "php" + ], + "tags": [ + "Cryptography.HashAlgorithm.BrokenOrWeak" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS128420.md", + "patterns": [ + { + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to SHA-256", + "type": "regex-replace", + "_comment": "", + "replacement": "hash('sha256'$2);", + "pattern": { + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to SHA-512", + "type": "regex-replace", + "_comment": "", + "replacement": "hash('sha512'$2);", + "pattern": { + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Do not use broken/weak cryptographic hash algorithms", + "id": "DS108647", + "description": "Avoid using broken or weak hash algorithms.", + "recommendation": "Use Digest::SHA256 or Digest::SHA512", + "applies_to": [ + "ruby" + ], + "tags": [ + "Cryptography.HashAlgorithm.BrokenOrWeak" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS108647.md", + "patterns": [ + { + "pattern": "Digest::(MD5|RMD160|SHA1)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + 
"fix_its": [ + { + "name": "Change to SHA-256", + "type": "regex-replace", + "_comment": "", + "replacement": "Digest::SHA256", + "pattern": { + "pattern": "Digest::(MD5|RMD160|SHA1)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to SHA-512", + "type": "regex-replace", + "_comment": "", + "replacement": "Digest::SHA512", + "pattern": { + "pattern": "Digest::(MD5|RMD160|SHA1)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Do not use broken/weak cryptographic hash algorithms", + "id": "DS196098", + "description": "Avoid using broken or weak hash algorithms.", + "recommendation": "Use hashlib.sha256 instead.", + "overrides": [ + "DS126858" + ], + "applies_to": [ + "python" + ], + "tags": [ + "Cryptography.HashAlgorithm.BrokenOrWeak" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS196098.md", + "patterns": [ + { + "pattern": "(md5|sha)\\.new\\(", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to hashlib.sha256", + "type": "regex-replace", + "_comment": "", + "replacement": "hashlib.sha256(", + "pattern": { + "pattern": "(md5|sha)\\.new\\(", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to hashlib.sha512", + "type": "regex-replace", + "_comment": "", + "replacement": "hashlib.sha512(", + "pattern": { + "pattern": "(md5|sha)\\.new\\(", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Do not use broken/weak cryptographic hash algorithms", + "id": "DS168931", + "description": "A potentially weak hashing algorithm was used.", + "recommendation": "Use SHA-256 instead.", + "overrides": [ + "DS126858" + ], + "applies_to": [ + "csharp" + ], + "tags": [ + "Cryptography.HashAlgorithm.BrokenOrWeak" + ], + "severity": "critical", + "_comment": "", + "rule_info": "DS168931.md", + "patterns": [ + { + 
"pattern": "MD5CryptoServiceProvider", + "type": "substring", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to SHA-256", + "type": "regex-replace", + "_comment": "", + "replacement": "SHA256CryptoServiceProvider", + "pattern": { + "pattern": "MD5CryptoServiceProvider", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + }, + { + "name": "Change to SHA-512", + "type": "regex-replace", + "_comment": "", + "replacement": "SHA512CryptoServiceProvider", + "pattern": { + "pattern": "MD5CryptoServiceProvider", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Do not take the hash of low-entropy content.", + "id": "DS197836", + "description": "Taking a hash of a time value is suspicious, as there is insufficient entropy to protect against brute-force attacks.", + "recommendation": "", + "tags": [ + "Cryptography.HashAlgorithm.InsufficientEntropy" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS197836.md", + "patterns": [ + { + "pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/initialization_vector.json b/DevSkim-Common/rules/default/security/cryptography/initialization_vector.json similarity index 52% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/initialization_vector.json rename to DevSkim-Common/rules/default/security/cryptography/initialization_vector.json index 37b12af..d21bc5b 100644 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/initialization_vector.json +++ b/DevSkim-Common/rules/default/security/cryptography/initialization_vector.json 
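Review bot: The Python rule DS196098 only matches the legacy `md5.new(`/`sha.new(` modules and misses the `hashlib.md5(` and `hashlib.sha1(` calls that current code actually uses, and because it overrides DS126858 those calls may end up with no finding at all; add a pattern such as `{ "pattern": "hashlib\\.(md5|sha1)\\(", "type": "regex", "scopes": [ "code" ], "_comment": "" }` with a matching fix-it. The C# rule DS168931 likewise catches only `MD5CryptoServiceProvider` and uses `"type": "substring"` where every other rule in the file uses `string`; a regex like `(MD5|SHA1)(CryptoServiceProvider|Managed|Cng)` would also cover the SHA-1 variants. The DS126858 alternation has no word boundaries and lists `RIPEMD` before `RIPEMD(128|256|160|320)`, so the fix-it rewrites `RIPEMD160Managed` to `SHA256160Managed`, silently producing an identifier that does not exist; `\\b` anchors on both ends of the alternation would avoid that. `"name": "Change to \"SHA256\""` embeds quotes that the other fix-it names do not use.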
@@ -1,52 +1,68 @@ [ { - "id": "DS188250", "name": "Missing initialization vector", - "tags": [ - "Cryptography.Symmetric.InitializationVector.Missing" - ], + "id": "DS188250", + "description": "The mcrypt_encrypt function was used without an initialization vector.", + "recommendation": "Add an initialization vector or consider a different cipher mode", "applies_to": [ "php" ], + "tags": [ + "Cryptography.Symmetric.InitializationVector.Missing" + ], "severity": "important", - "description": "The mcrypt_encrypt function was used without an initialization vector.", - "replacement": "Add an initialization vector or consider a different cipher mode", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS188250.md", + "_comment": "", + "rule_info": "DS188250.md", "patterns": [ { "pattern": "mcrypt_encrypt\\s*\\([^,]+,[^,]+,[^,]+,[^,]+\\);", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } ], - "fix_it": [ + "fix_its": [ { - "type": "regex-substitute", "name": "Add initialization vector", - "search": "(mcrypt_encrypt\\s*\\([^,]+,[^,]+,[^,]+,[^,]+)(\\);)", - "replace": "$1, <$iv>$2" + "type": "regex-replace", + "_comment": "", + "replacement": "$1, <$iv>$2", + "pattern": { + "pattern": "(mcrypt_encrypt\\s*\\([^,]+,[^,]+,[^,]+,[^,]+)(\\);)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } } ] }, { - "id": "DS128921", "name": "Hardcoded initialization vector size", - "tags": [ - "Cryptography.Symmetric.InitializationVector.HardcodedSize" - ], + "id": "DS128921", + "description": "An initialization vector was created to a static size, rather than determining it based on the encryption algorithm used.", + "recommendation": "Use mcrypt_get_iv_size to get the correct IV size based on the cipher and mode.", "applies_to": [ "php" ], + "tags": [ + "Cryptography.Symmetric.InitializationVector.HardcodedSize" + ], "severity": "moderate", - "description": "An initialization vector was created to a static size, 
rather than determining it based on the encryption algorithm used.", - "replacement": "Use mcrypt_get_iv_size to get the correct IV size based on the cipher and mode.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS128921.md", + "_comment": "", + "rule_info": "DS128921.md", "patterns": [ { "pattern": "mcrypt_create_iv\\s*\\(\\s*\\d.*", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [ ] } ] \ No newline at end of file diff --git a/DevSkim-Common/rules/default/security/cryptography/protocol.json b/DevSkim-Common/rules/default/security/cryptography/protocol.json new file mode 100644 index 0000000..57229b0 --- /dev/null +++ b/DevSkim-Common/rules/default/security/cryptography/protocol.json 
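Review bot: The DS188250 fix-it inserts `<$iv>` into every four-argument `mcrypt_encrypt` call, including `MCRYPT_MODE_ECB` calls where an IV is meaningless, and the placeholder is not valid PHP, so applying the fix leaves the file unparseable until it is hand-edited; restricting the fix-it to calls whose mode argument is not ECB, or stating in `_comment` that `<$iv>` must be replaced by a value from `mcrypt_create_iv(mcrypt_get_iv_size(...))`, would make that explicit. Both rules still steer users to mcrypt (`mcrypt_get_iv_size`), which is deprecated since PHP 7.1 and scheduled for removal in 7.2, so the `recommendation` fields could point to `openssl_encrypt` with an IV from `random_bytes` as the forward-looking fix. The detection regex also requires the closing `);` on the same line, so a call split across lines is not flagged at all.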
@@ -0,0 +1,475 @@ +[ + { + "name": "Do not use outdated SSL/TLS protocols", + "id": "DS144436", + "description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific SecurityProtocolType.", + "recommendation": "Either leave off or set to SecurityProtocolType.Tls12;", + "applies_to": [ + "csharp" + ], + "tags": [ + "Cryptography.Protocol.TLS" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS144436.md", + "patterns": [ + { + "pattern": "SecurityProtocolType\\.(Ssl3|Tls|Tls11)", + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to SecurityProtocolType.Tls12", + "type": "regex-replace", + "_comment": "", + "replacement": "SecurityProtocolType.Tls12", + "pattern": { + "pattern": "\\bSecurityProtocolType\\.(Ssl3|Tls|Tls11)\\b", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + }, + { + "name": "Hardcoding TLS protocol version", + "id": "DS127101", + "description": "It's usually better to rely on the operating system configuration, rather than hardcoding a specific list of protocols.", + "recommendation": "", + "applies_to": [ + "cpp" + ], + "tags": [ + "Cryptography.Protocol.TLS" + ], + "severity": "moderate", + "_comment": "", + "rule_info": "DS127101.md", + "patterns": [ + { + "pattern": "SecPkgCred_SupportedProtocols", + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "Do not use outdated SSL/TLS protocols", + "id": "DS169125", + "description": "An outdated SSL/TLS protocol version is specified.", + "recommendation": "Use TLS 1.2", + "tags": [ + "Cryptography.Protocol.TLS" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS169125.md", + "patterns": [ + { + "pattern": "(SSLv?2|SSLv?3|TLSv?1|TLSv?10)", + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "An Outdated or Banned SSL/TLS Protocol is Used", + 
"id": "DS169126", + "description": "An Outdated or Banned SSL/TLS Protocol is Used", + "recommendation": "Use TLS 1.2", + "tags": [ + "Cryptography.Protocol.Banned" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS169126.md", + "patterns": [ + { + "pattern": "(SSL|TLS)v(2|23|3|1)_(client|server)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SSLv2", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SSLv3", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "TLSv1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "TLSv10", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "An Outdated or Banned SSL/TLS Protocol is Used", + "id": "DS169127", + "description": "An Outdated or Banned SSL/TLS Protocol is Used", + "recommendation": "Use TLS 1.2", + "applies_to": [ + "cpp", + "objective-c" + ], + "tags": [ + "Cryptography.Protocol.Banned" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS169126.md", + "patterns": [ + { + "pattern": "SECURITY_FLAG_40BIT", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_56BIT", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_NORMALBITNESS", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_PCT", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_PCT4", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_SSL", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_SSL3", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_STRENGTH_MEDIUM", + "type": "string", + 
"scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_STRENGTH_WEAK", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_UNKNOWNBIT", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL2", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_SSL3", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_TLS1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "WINHTTP_FLAG_SECURE_PROTOCOL_ALL", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_STRENGTH_MEDIUM", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SECURITY_FLAG_STRENGTH_WEAK", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "SP_PROT_(PCT1|SSL2|SSL3|TLS1|TLS1_0)_(CLIENT|SERVER)", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "NSStreamSocketSecurityLevelNone", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "NSStreamSocketSecurityLevelSSLv2", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "NSStreamSocketSecurityLevelSSLv3", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "NSStreamSocketSecurityLevelTLSv1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kCFStreamSocketSecurityLevelNone", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kCFStreamSocketSecurityLevelSSLv2", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kCFStreamSocketSecurityLevelSSLv3", + "type": "string", + "scopes": [ + "code" + ], + 
"_comment": "" + }, + { + "pattern": "kCFStreamSocketSecurityLevelTLSv1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kSSLProtocolUnknown ", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kSSLProtocol3", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kTLSProtocol1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kDTLSProtocol1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kSSLProtocol2", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kSSLProtocol3Only", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kTLSProtocol1Only", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "kSSLProtocolAll", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + }, + { + "name": "An Outdated or Banned SSL/TLS Protocol is Used", + "id": "DS169128", + "description": "An Outdated or Banned SSL/TLS Protocol is Used", + "recommendation": "Use TLS 1.2", + "applies_to": [ + "python" + ], + "tags": [ + "Cryptography.Protocol.Banned" + ], + "severity": "important", + "_comment": "", + "rule_info": "DS169126.md", + "patterns": [ + { + "pattern": "PROTOCOL_SSLv2", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "PROTOCOL_SSLv23", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "PROTOCOL_SSLv3", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "PROTOCOL_TLSv1", + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" + } + ] + } +] \ No newline at end of file 
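Review bot: DS169126's substring entry `"pattern": "TLSv1"` (L66) also matches `TLSv1_2_client_method`, `TLSv1.2` and `TLSv12`, so the rule reports the very version its recommendation asks for, and DS169125's regex-word `TLSv?1` has the same problem for `TLSv1.2` if `regex-word` is implemented with `\b` boundaries, because `.` ends a word. A negative lookahead keeps the intended hits: `"pattern": "\\bTLSv1(?![._]?[23])", "type": "regex"` for DS169126, and the equivalent change to DS169125's alternation. In DS169127 the strings `SECURITY_FLAG_STRENGTH_MEDIUM` and `SECURITY_FLAG_STRENGTH_WEAK` appear twice (L66 and L67), which yields duplicate findings unless the engine de-duplicates, and `"kSSLProtocolUnknown "` carries a trailing space, so `kSSLProtocolUnknown;` or `kSSLProtocolUnknown)` never matches. DS169127 and DS169128 both set `"rule_info": "DS169126.md"` while every other rule in this commit ships its own guidance file; if that is intentional, a `_comment` saying so would stop the next reader from treating it as a copy-paste slip.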
diff --git a/DevSkim-Common/rules/default/security/cryptography/random.json b/DevSkim-Common/rules/default/security/cryptography/random.json
new file mode 100644
index 0000000..2cdf57a
--- /dev/null
+++ b/DevSkim-Common/rules/default/security/cryptography/random.json
@@ -0,0 +1,142 @@
+[
+ {
+ "name": "Do not use weak/non-cryptographic random number generators",
+ "id": "DS148264",
+ "description": "Use cryptographic random numbers generators for anything even close to a security function.",
+ "recommendation": "Replacements depend on language.",
+ "tags": [
+ "Cryptography.PRNG.Weak"
+ ],
+ "severity": "important",
+ "_comment": "",
+ "rule_info": "DS148264.md",
+ "patterns": [
+ {
+ "pattern": "DUAL_EC_DRBG",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "pseudoRandomBytes",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "\\brand\\(",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "random_shuffle\\(",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "\\bshuffle\\(",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "RAND_MAX",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "\\brand\\(\\s*\\)\\s*%",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "mwc1616",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "(32969|18273)",
+ "type": "regex-word",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "System.Random",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "\\bRandom\\(",
+ "type": "regex-word",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "arc4random",
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ]
+ },
+ {
+ "name": "Do not seed randomness based on system time or a static value.",
+ "id": "DS149435",
+ "description": "Passing a predicable value to srand() is very insecure and should be avoided.",
+ "recommendation": "",
+ "tags": [
+ "Cryptography.WeakRandomness"
+ ],
+ "severity": "critical",
+ "_comment": "",
+ "rule_info": "DS149435.md",
+ "patterns": [
+ {
+ "pattern": "\\bsrand\\(\\s*time\\(",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ {
+ "pattern": "\\bsrand\\(\\s*\\d+\\s*\\)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS106864.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS106864.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS106864.test
rename to DevSkim-Common/rules/default/security/cryptography/tests/DS106864.test
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS109501.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS109501.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS109501.test
rename to DevSkim-Common/rules/default/security/cryptography/tests/DS109501.test
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS130821.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS130821.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS130821.test
rename to DevSkim-Common/rules/default/security/cryptography/tests/DS130821.test
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS134411.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS134411.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS134411.test
rename to DevSkim-Common/rules/default/security/cryptography/tests/DS134411.test
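Review bot: `arc4random` is listed under `Cryptography.PRNG.Weak` in DS148264, but on OpenBSD (since 5.5) and current macOS/iOS the `arc4random` family is documented as the platform's cryptographically secure generator, so the finding steers developers away from the right API; drop it or move it to a manual-review rule with a `_comment` on the platform caveat. Several entries pair `"type": "regex-word"` with a pattern ending in `\\(` (`\\bRandom\\(`) or a bare number (`(32969|18273)`); if `regex-word` wraps the expression in word boundaries, the boundary after `(` is only satisfied when an identifier follows, so `Random()` would not match — worth checking against the DS148264 test fixture this commit moves. `\\brand\\(\\s*\\)\\s*%` is fully covered by the earlier `\\brand\\(` entry and produces a second finding on the same call unless the engine de-duplicates overlapping matches, so one of them can go. The recommendation `Replacements depend on language.` gives no action; naming the replacement per platform (`RNGCryptoServiceProvider`, Python `secrets`/`os.urandom`, Node `crypto.randomBytes`, `arc4random_buf`/`getrandom`) would make the fix self-contained.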
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS148264.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS148264.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS148264.test rename to DevSkim-Common/rules/default/security/cryptography/tests/DS148264.test diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS156431.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS156431.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS156431.test rename to DevSkim-Common/rules/default/security/cryptography/tests/DS156431.test diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS159369.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS159369.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS159369.test rename to DevSkim-Common/rules/default/security/cryptography/tests/DS159369.test diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS169126.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS169126.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS169126.test rename to DevSkim-Common/rules/default/security/cryptography/tests/DS169126.test diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS182720.test b/DevSkim-Common/rules/default/security/cryptography/tests/DS182720.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/tests/DS182720.test rename to DevSkim-Common/rules/default/security/cryptography/tests/DS182720.test 
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/underhanded.json b/DevSkim-Common/rules/default/security/cryptography/underhanded.json similarity index 55% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/underhanded.json rename to DevSkim-Common/rules/default/security/cryptography/underhanded.json index 0477b26..f2598d1 100644 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/underhanded.json +++ b/DevSkim-Common/rules/default/security/cryptography/underhanded.json @@ -1,24 +1,31 @@ [ { - "id": "DS109733", "name": "Source implementation of a weak/broken cryptography hash function", + "id": "DS109733", + "description": "An implementation of a weak/broken hash function was found in source code.", + "recommendation": "Do not use MD5, and always prefer OS- or library-provided cryptography implementations.", "tags": [ "Cryptography.HashAlgorithm.WeakOrBrokenImplementation" ], "severity": "critical", - "description": "An implementation of a weak/broken hash function was found in source code.", - "replacement": "Do not use MD5, and always prefer OS- or library-provided cryptography implementations.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS109733.md", + "_comment": "", + "rule_info": "DS109733.md", "patterns": [ { - "_comment": "MD5", "pattern": "242070db|02441453|db702024|53144402|3572445317", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "MD5" }, { - "_comment": "SHA-1", "pattern": "98BADCFE|FEDCBC98|C3D2E1F0|F0E1D2C3", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "SHA-1" } ] } 
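Review bot: The MD5 constants in DS109733 are lowercase hex (`242070db`, `db702024`) while the SHA-1 ones are uppercase (`98BADCFE`, `C3D2E1F0`), so unless the engine compiles rule regexes case-insensitively each alternation misses the other spelling, and uppercase MD5 tables (`0x242070DB`) are at least as common as lowercase ones. Spelling both cases works in every regex dialect the rules may be run under, e.g. `"pattern": "242070db|242070DB|02441453|db702024|DB702024|53144402|3572445317"`, with the matching lowercase pairs added to the SHA-1 entry. Note also that `98BADCFE`/`FEDCBC98` are initial-state words shared by MD4, MD5 and SHA-1, so the `"_comment": "SHA-1"` label is narrower than what the pattern actually detects.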
diff --git a/DevSkim-Common-Ignore/rules/default/security/cryptography/weak_cipher_modes.json b/DevSkim-Common/rules/default/security/cryptography/weak_cipher_modes.json similarity index 51% rename from DevSkim-Common-Ignore/rules/default/security/cryptography/weak_cipher_modes.json rename to DevSkim-Common/rules/default/security/cryptography/weak_cipher_modes.json index f959110..8b854c9 100644 --- a/DevSkim-Common-Ignore/rules/default/security/cryptography/weak_cipher_modes.json +++ b/DevSkim-Common/rules/default/security/cryptography/weak_cipher_modes.json 
@@ -1,47 +1,64 @@ [ { - "id": "DS187371", "name": "A weak cipher mode of operation was used", + "id": "DS187371", + "description": "A potentially weak cipher mode of operation was used.", + "recommendation": "Consider using CBC, CTR, or GCM.", "tags": [ "Cryptography.Symmetric.CipherMode.Weak" ], "severity": "important", - "description": "A potentially weak cipher mode of operation was used.", - "replacement": "Consider using CBC, CTR, or GCM.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS187371.md", + "_comment": "", + "rule_info": "DS187371.md", "patterns": [ { "pattern": "(ECB|OFB|CFB|CTS|PCBC|GMAC|XCBC|IACBC|IAPM|EAX|OCB|CWC|AEAD|LRW|XEX|XTS|CMC|EME|CBCMAC|OMAC|PMAC)", - "type": "regex-word" + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS182720", "name": "A weak cipher mode of operation was used", - "tags": [ - "Cryptography.Symmetric.CipherMode.Weak" - ], + "id": "DS182720", + "description": "A potentially weak cipher mode of operation was used.", + "recommendation": "Consider using CBC, CTR, or GCM.", "applies_to": [ "php" ], + "tags": [ + "Cryptography.Symmetric.CipherMode.Weak" + ], "severity": "important", - "description": "A potentially weak cipher mode of operation was used.", - "replacement": "Consider using CBC, CTR, or GCM.", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS182720.md", + "_comment": "", + "rule_info": "DS182720.md", "patterns": [ { "pattern": "MCRYPT_MODE_(ECB|CFB|OFB|NOFB|STREAM)", - "type": "regex-word" + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" } ], - "fix_it": [ + "fix_its": [ { - "type": "regex-substitute", "name": "Change cipher mode to CBC", - "search": "MCRYPT_MODE_(ECB|CFB|OFB|NOFB|STREAM)", - "replace": "MCRYPT_MODE_CBC" + "type": "regex-replace", + "_comment": "", + "replacement": "MCRYPT_MODE_CBC", + "pattern": { + "pattern": "MCRYPT_MODE_(ECB|CFB|OFB|NOFB|STREAM)", + "type": 
"regex", + "scopes": [ + "code" + ], + "_comment": "" + } } ] } diff --git a/DevSkim-Common/rules/default/security/frameworks/aspnet5.json b/DevSkim-Common/rules/default/security/frameworks/aspnet5.json new file mode 100644 index 0000000..1964b95 --- /dev/null +++ b/DevSkim-Common/rules/default/security/frameworks/aspnet5.json @@ -0,0 +1,51 @@ +[ + { + "name": "All Controllers Should Derive From Controller.", + "id": "DS184626", + "description": "All Controllers Should Derive From Controller.", + "recommendation": "Ensure this class derives from Controller.", + "applies_to": [ + "csharp" + ], + "tags": [ + "Implementation.Web.ASPNET.ControllerWithoutExtendingController" + ], + "severity": "moderate", + "_comment": "", + "rule_info": "DS184626.md", + "patterns": [ + { + "pattern": "class [^\\s]+Controller\\s*:\\s*(?!.*?(Controller)).*", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + }, + { + "pattern": "class [^\\s]+Controller[\\s{]*$", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + ], + "fix_its": [ + { + "name": "Change to inherit from Controller", + "type": "regex-replace", + "_comment": "", + "replacement": "$1 : Controller", + "pattern": { + "pattern": "(class [^\\s]+Controller)(([\\s{]*$)|(\\s*:\\s*(?!.*?(Controller)).*))", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } + } + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common/rules/default/security/frameworks/php.json b/DevSkim-Common/rules/default/security/frameworks/php.json new file mode 100644 index 0000000..300823e --- /dev/null +++ b/DevSkim-Common/rules/default/security/frameworks/php.json 
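Review bot: DS187371's alternation treats `AEAD`, `EAX`, `OCB`, `GMAC`, `CBCMAC`, `OMAC` and `PMAC` as weak cipher modes, yet these are authenticated-encryption schemes and MACs, and `AEAD` is the very class the recommended `GCM` belongs to, so the rule flags code that is doing the right thing and contradicts its own `recommendation`; `XTS`/`XEX` (disk encryption) and `CTS` (CBC ciphertext stealing) are not weak either. Keep the genuinely problematic and review-worthy modes here, e.g. `"pattern": "(ECB|PCBC|CFB|OFB)"`, and move the rest to a manual-review rule or drop them. `Consider using CBC, CTR, or GCM.` lists unauthenticated modes first; naming GCM (or encrypt-then-MAC) ahead of bare CBC/CTR would reflect padding-oracle and malleability risks better, and in the PHP rule DS182720 the same text recommends GCM although the mcrypt extension does not implement it.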
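Review bot: The DS184626 fix-it's `"replacement": "$1 : Controller"` discards whatever group 2 matched, so `class HomeController : ViewBase, IDisposable` becomes `class HomeController : Controller` with the original base list silently removed, and `class HomeController {` loses its `{`. Because C# permits a single base class the base-list case cannot be repaired mechanically; limit the fix-it to the no-base-list form and keep the captured tail, `"pattern": "(class [^\\s]+Controller)([\\s{]*$)"` with `"replacement": "$1 : Controller$2"`. The detection regex only checks that the base list contains the text `Controller`, so `ControllerBase` passes but an intermediate base type without that substring is reported as a `moderate` finding; ASP.NET Core also supports POCO controllers, so `DS184626.md` should present this as a convention check rather than a vulnerability. Both `$`-anchored patterns assume the engine matches per line; worth confirming against a declaration split across several lines.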
@@ -0,0 +1,142 @@
+[
+ {
+ "name": "$_REQUEST should be avoided",
+ "id": "DS144886",
+ "description": "$_REQUEST combines POST, GET, and cookie values in one array, making it easy for an attacker to modify a POST or cookie value by instead putting it in a GET and sending the URL to the victim",
+ "recommendation": "Use $_POST, $_GET, $_COOKIE to scope to the expected delivery method for a value ",
+ "applies_to": [
+ "php"
+ ],
+ "tags": [
+ "Implementation.PHP"
+ ],
+ "severity": "moderate",
+ "_comment": "",
+ "rule_info": "DS144886.md",
+ "patterns": [
+ {
+ "pattern": "\\$_REQUEST",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ {
+ "name": "Change to $_GET",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$$_GET",
+ "pattern": {
+ "pattern": "\\$_REQUEST",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ },
+ {
+ "name": "Change to $_POST",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$$_POST",
+ "pattern": {
+ "pattern": "\\$_REQUEST",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ },
+ {
+ "name": "Change to $_COOKIE",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$$_COOKIE",
+ "pattern": {
+ "pattern": "\\$_REQUEST",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ }
+ ]
+ },
+ {
+ "name": "XSS: Do not echo unencoded GET/POST/COOKIE values",
+ "id": "DS163877",
+ "description": "When using $_GET/POST/COOKIE values via echo, failure to encode the values will lead to Cross Site Scription (XSS), where a malicious party can inject script into the webpage.",
+ "recommendation": "HTML Entity Encode (for content going into HTML) or URL Encode (for content going into JavaScript variables) the data",
+ "applies_to": [
+ "php"
+ ],
+ "tags": [
+ "Implementation.PHP"
+ ],
+ "severity": "moderate",
+ "_comment": "",
+ "rule_info": "DS163877.md",
+ "patterns": [
+ {
+ "pattern": "\\becho.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*;",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "conditions" : [
+ {
+ "pattern" :
+ {
+ "pattern": "\\b(htmlentities|htmlspecialchars|rawurlencode|urlencode)\\s*\\(.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*\\)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ },
+ "search_in":"finding-only",
+ "negate_finding": true,
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ {
+ "name": "HTML Entity encode the data",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "htmlentities($1)",
+ "pattern": {
+ "pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ },
+ {
+ "name": "URL encode the data",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "rawurlencode($1)",
+ "pattern": {
+ "pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/hygiene/localhost.json b/DevSkim-Common/rules/default/security/hygiene/localhost.json
similarity index 53%
rename from DevSkim-Common-Ignore/rules/default/security/hygiene/localhost.json
rename to DevSkim-Common/rules/default/security/hygiene/localhost.json
index dc22927..2ebf27f 100644
--- a/DevSkim-Common-Ignore/rules/default/security/hygiene/localhost.json
+++ b/DevSkim-Common/rules/default/security/hygiene/localhost.json
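Review bot: The DS163877 fix-it pattern (and the detection and condition regexes) use a greedy `\\[.*\\]` for the subscript, so on `echo $items[$_GET['id']];` group 1 captures `$_GET['id']]` and the fix yields `htmlentities($_GET['id']])`, which does not parse; with two superglobals on one line the capture spans from the first `[` to the last `]`. A bracket-free subscript fixes all three places: `"pattern": "(\\$_(POST|GET|REQUEST|COOKIE)\\[[^\\]]*\\])"`. `htmlentities($1)` also encodes without `ENT_QUOTES`, so a value echoed inside a single-quoted attribute stays injectable; `htmlspecialchars($1, ENT_QUOTES, 'UTF-8')` is the safer default replacement. The recommendation advises URL-encoding for data placed in JavaScript variables, which is the wrong encoding for a JS string context (`json_encode` with the `JSON_HEX_*` flags is the usual guidance), and the description's `Cross Site Scription` should read `Cross Site Scripting`.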
@@ -1,22 +1,32 @@ - [{ - "id": "DS162092", +[ + { "name": "Do not leave debug code in production", + "id": "DS162092", + "description": "Accessing localhost could indicate debug code, or could hinder scaling.", + "recommendation": "", "tags": [ "Hygiene.Network.AccessingLocalhost" ], "severity": "manual-review", - "description": "Accessing localhost could indicate debug code, or could hinder scaling.", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS162092.md", + "_comment": "", + "rule_info": "DS162092.md", "patterns": [ { "pattern": "localhost", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" }, { "pattern": "127.0.0.1", - "type": "string" + "type": "string", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] - }] \ No newline at end of file + ] + } +] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/hygiene/tests/DS162092.test b/DevSkim-Common/rules/default/security/hygiene/tests/DS162092.test similarity index 100% rename from DevSkim-Common-Ignore/rules/default/security/hygiene/tests/DS162092.test rename to DevSkim-Common/rules/default/security/hygiene/tests/DS162092.test diff --git a/DevSkim-Common-Ignore/rules/default/security/hygiene/todo.json b/DevSkim-Common/rules/default/security/hygiene/todo.json similarity index 62% rename from DevSkim-Common-Ignore/rules/default/security/hygiene/todo.json rename to DevSkim-Common/rules/default/security/hygiene/todo.json index a46ba74..5e65e33 100644 --- a/DevSkim-Common-Ignore/rules/default/security/hygiene/todo.json +++ b/DevSkim-Common/rules/default/security/hygiene/todo.json 
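Review bot: DS162092 recognises only `localhost` and `127.0.0.1`, so the IPv6 loopback `::1` (and the `[::1]` URL form) goes unflagged even though it is used for exactly the same debug-only access; a regex entry such as `"pattern": "\\[?::1\\]?(?![0-9a-fA-F])"` would cover it, with the caveat that other addresses ending in `::1` (e.g. `fe80::1`) are reported too, which is tolerable at `manual-review` severity. The `recommendation` field is left empty; a one-liner such as `Make the host configurable and do not default to loopback outside development builds.` would give the finding an action.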
@@ -1,19 +1,24 @@ - [ { - "id": "DS176209", +[ + { "name": "Suspicious comment", + "id": "DS176209", + "description": "A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality", + "recommendation": "", "tags": [ "Hygiene.Comment.Suspicious" ], "severity": "manual-review", - "description": "A \"TODO\" or similar was left in source code, possibly indicating incomplete functionality", - "replacement": "", - "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS176209.md", + "_comment": "", + "rule_info": "DS176209.md", "patterns": [ { "pattern": "(TODO|FIXME|REMOVEME|HACK|BLACK MAGIC)", - "type": "regex-word" + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] } ] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/manualreview/dynamiccode.json b/DevSkim-Common/rules/default/security/manualreview/dynamiccode.json similarity index 59% rename from DevSkim-Common-Ignore/rules/default/security/manualreview/dynamiccode.json rename to DevSkim-Common/rules/default/security/manualreview/dynamiccode.json index bede177..662919d 100644 --- a/DevSkim-Common-Ignore/rules/default/security/manualreview/dynamiccode.json +++ b/DevSkim-Common/rules/default/security/manualreview/dynamiccode.json 
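Review bot: DS176209's single pattern is scoped to `"code"`, yet `TODO`/`FIXME`/`HACK` markers live almost exclusively in comments, so if the `code` scope excludes comment text — which the existence of a scope list suggests — the rule will miss nearly every real occurrence. It should use whatever scope name the engine assigns to comment text (e.g. `"scopes": ["comment"]` if that value exists), and a `.test` fixture with the marker inside a comment would pin the intended behaviour.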
@@ -1,72 +1,86 @@ -[ { - "id": "DS189424", +[ + { "name": "Review eval for untrusted data", - "tags": [ - "Python.DangerousFunctionCall", - "JavaScript.DangerousFunctionCall", - "TypeScript.DangerousFunctionCall", - "PHP.DangerousFunctionCall" - ], + "id": "DS189424", + "description": "If untrusted data (data from HTTP requests, user submitted files, etc.) is included in an eval statement it can allow enable an attacker to inject their own code.", + "recommendation": "Edit the eval so that no untrusted date is included. If untrusted data is absolutely necessary a great deal of care should be taken to ensure it is properly escaped so that it cannot be executed. This is not as simple as just escaping quotes.", "applies_to": [ "python", "javascript", "typescript", "php" ], + "tags": [ + "Python.DangerousFunctionCall", + "JavaScript.DangerousFunctionCall", + "TypeScript.DangerousFunctionCall", + "PHP.DangerousFunctionCall" + ], "severity": "manual-review", - "description": "If untrusted data (data from HTTP requests, user submitted files, etc.) is included in an eval statement it can allow enable an attacker to inject their own code.", - "replacement": "Edit the eval so that no untrusted date is included. If untrusted data is absolutely necessary a great deal of care should be taken to ensure it is properly escaped so that it cannot be executed. This is not as simple as just escaping quotes.", - "rule_info": "https://github.com/microsoft/devskim/blob/master/guidance/DS189424.md", + "_comment": "", + "rule_info": "DS189424.md", "patterns": [ { "pattern": "\\beval\\(([^,]+)\\)", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS172411", "name": "Review setTimeout for untrusted data", - "tags": [ - "JavaScript.DangerousFunctionCall", - "TypeScript.DangerousFunctionCall" - ], + "id": "DS172411", + "description": "If untrusted data (data from HTTP requests, user submitted files, etc.) 
is included in an setTimeout statement it can allow enable an attacker to inject their own code.", + "recommendation": "Edit the setTimeout so that no untrusted date is included. If untrusted data is absolutely necessary a great deal of care should be taken to ensure it is properly escaped so that it cannot be executed. This is not as simple as just escaping quotes.", "applies_to": [ "javascript", "typescript" ], + "tags": [ + "JavaScript.DangerousFunctionCall", + "TypeScript.DangerousFunctionCall" + ], "severity": "manual-review", - "description": "If untrusted data (data from HTTP requests, user submitted files, etc.) is included in an setTimeout statement it can allow enable an attacker to inject their own code.", - "replacement": "Edit the setTimeout so that no untrusted date is included. If untrusted data is absolutely necessary a great deal of care should be taken to ensure it is properly escaped so that it cannot be executed. This is not as simple as just escaping quotes.", - "rule_info": "https://github.com/microsoft/devskim/blob/master/guidance/DS172411.md", + "_comment": "", + "rule_info": "DS172411.md", "patterns": [ { "pattern": "\\bsetTimeout\\(([^,]+)\\)", - "type": "regex" + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] + ] }, { - "id": "DS172412", "name": "Review unsafe code", - "tags": [ - "Dotnet.Unsafecode" - ], + "id": "DS172412", + "description": "The unsafe keyword denotes an unsafe context, which is required for any operation involving pointers. Unsafe code in is not necessarily dangerous; it is just code whose safety cannot be verified by the CLR.", + "recommendation": "", "applies_to": [ "csharp", "vb" ], + "tags": [ + "Dotnet.Unsafecode" + ], "severity": "manual-review", - "description": "The unsafe keyword denotes an unsafe context, which is required for any operation involving pointers. 
Unsafe code in is not necessarily dangerous; it is just code whose safety cannot be verified by the CLR.", - "rule_info": "https://github.com/microsoft/devskim/blob/master/guidance/DS172412.md", + "_comment": "", + "rule_info": "DS172412.md", "patterns": [ { "pattern": "unsafe", - "type": "regex-word" + "type": "regex-word", + "scopes": [ + "code" + ], + "_comment": "" } - ], - "fix_it": [] - } + ] + } ] \ No newline at end of file diff --git a/DevSkim-Common-Ignore/rules/default/security/privacy/device_restrictions.json b/DevSkim-Common/rules/default/security/privacy/device_restrictions.json similarity index 65% rename from DevSkim-Common-Ignore/rules/default/security/privacy/device_restrictions.json rename to DevSkim-Common/rules/default/security/privacy/device_restrictions.json index 87c1b27..80d5457 100644 --- a/DevSkim-Common-Ignore/rules/default/security/privacy/device_restrictions.json +++ b/DevSkim-Common/rules/default/security/privacy/device_restrictions.json 
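Review bot: DS172411's pattern `\\bsetTimeout\\(([^,]+)\\)` requires an argument list with no comma, so the two-argument form `setTimeout("code", 100)` — the only form in which a string is evaluated as code — is never reported, while harmless single-argument calls like `setTimeout(fn)` are; the same `[^,]+` restriction makes DS189424 miss Python's `eval(expr, globals)`. Matching on how the first argument begins is more useful, e.g. `"pattern": "\\bsetTimeout\\s*\\(\\s*[\"'`]"` for string literals, with concatenated expressions left to manual review. The rewritten `description`/`recommendation` strings in DS189424 and DS172411 carry two typos that could be fixed in the same pass: `can allow enable an attacker` and `no untrusted date`. DS172412 lists `vb` in `applies_to`, but `unsafe` is a C# keyword with no VB.NET counterpart, so that entry only produces hits on identifiers that happen to be named `unsafe`.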
@@ -1,23 +1,27 @@
 [
 {
- "id": "DS165348",
 "name": "Do not attempt to access device UDID",
- "tags": [
- "Implementation.Mobile.iOS.DataProtection.Privacy.UDID"
- ],
+ "id": "DS165348",
+ "description": "Access to the device UDID (via [[UIDevice currentDevice] uniqueIdentifier]) is deprecated as of iOS 5 and should not be used or relied upon.",
+ "recommendation": "[[UIDevice currentDevice] identifierForVendor]",
 "applies_to": [
 "objective-c"
 ],
+ "tags": [
+ "Implementation.Mobile.iOS.DataProtection.Privacy.UDID"
+ ],
 "severity": "important",
- "description": "Access to the device UDID (via [[UIDevice currentDevice] uniqueIdentifier]) is deprecated as of iOS 5 and should not be used or relied upon.",
- "replacement": "[[UIDevice currentDevice] identifierForVendor]",
- "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS165348.md",
+ "_comment": "",
+ "rule_info": "DS165348.md",
 "patterns": [
 {
 "pattern": "uniqueIdentifier",
- "type": "string"
+ "type": "string",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
 }
- ],
- "fix_it": []
+ ]
 }
 ]
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/privacy/secrets.json b/DevSkim-Common/rules/default/security/privacy/secrets.json
similarity index 66%
rename from DevSkim-Common-Ignore/rules/default/security/privacy/secrets.json
rename to DevSkim-Common/rules/default/security/privacy/secrets.json
index bdd68a8..9d4f6bf 100644
--- a/DevSkim-Common-Ignore/rules/default/security/privacy/secrets.json
+++ b/DevSkim-Common/rules/default/security/privacy/secrets.json
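Review bot: The DS165348 pattern `"uniqueIdentifier"` with `"type": "string"` is a plain substring match, so any identifier that merely contains that text (a local named `uniqueIdentifierCache`, to take a constructed example) is flagged at `important` severity. The other bare-keyword rules in this commit, DS172412's `"unsafe"` and the DS1327xx entity rules, use `regex-word`; `"type": "regex-word"` here would keep the hit on `[[UIDevice currentDevice] uniqueIdentifier]` while dropping those partial matches, assuming the engine's word boundary treats the closing `]` as a boundary, which I'd expect but cannot confirm from the hunk.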
@@ -1,41 +1,49 @@
 [
 {
- "id": "DS173237",
 "name": "Do not store tokens or keys in source code.",
+ "id": "DS173237",
+ "description": "A token or key was found in source code. If this represents a secret, it should be moved somewhere else.",
+ "recommendation": "",
 "tags": [
 "Implementation.Privacy.Token"
 ],
 "severity": "important",
- "description": "A token or key was found in source code. If this represents a secret, it should be moved somewhere else.",
- "replacement": "",
- "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS173237.md",
+ "_comment": "",
+ "rule_info": "DS173237.md",
 "patterns": [
 {
 "pattern": "[a-f0-9]{30,}",
- "type": "regex"
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
 }
- ],
- "fix_it": []
+ ]
 },
 {
+ "name": "Do not store tokens or keys in source code.",
 "id": "DS117838",
+ "description": "A token or key was found in source code. If this represents a secret, it should be moved somewhere else.",
+ "recommendation": "",
 "overrides": [
 "DS173237"
 ],
- "name": "Do not store tokens or keys in source code.",
 "tags": [
 "Implementation.Privacy.Token"
 ],
 "severity": "critical",
- "description": "A token or key was found in source code. If this represents a secret, it should be moved somewhere else.",
- "replacement": "",
- "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS117838.md",
+ "_comment": "",
+ "rule_info": "DS117838.md",
 "patterns": [
 {
 "pattern": "(secret|license|key|pass).*[a-f0-9]{30,}",
- "type": "regex"
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
 }
- ],
- "fix_it": []
+ ]
 }
 ]
\ No newline at end of file
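Review bot: Both secret patterns accept only lowercase hex, `[a-f0-9]{30,}` in DS173237 and `(secret|license|key|pass).*[a-f0-9]{30,}` in DS117838, so an uppercase hex token is missed entirely, and the keyword alternation is likewise case-sensitive, so a `SECRET_KEY = ...` assignment never escalates to the critical override unless the engine runs patterns case-insensitively, which nothing in the hunk indicates. `[a-fA-F0-9]{30,}` for the hex run and `(?i)(secret|license|key|pass)` for the keywords (if the engine honours inline options) would close both gaps. Separately, neither rule carries an `applies_to` list, unlike every other rule in this commit, so the 30-hex-char pattern presumably runs against every file type, where commit hashes and lockfile checksums will match; whether an absent list means "all languages" depends on the engine and is worth confirming in the rule docs.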
diff --git a/DevSkim-Common-Ignore/rules/default/security/storage/secure_storage.json b/DevSkim-Common/rules/default/security/storage/secure_storage.json
similarity index 54%
rename from DevSkim-Common-Ignore/rules/default/security/storage/secure_storage.json
rename to DevSkim-Common/rules/default/security/storage/secure_storage.json
index 4a22bbd..c0a4377 100644
--- a/DevSkim-Common-Ignore/rules/default/security/storage/secure_storage.json
+++ b/DevSkim-Common/rules/default/security/storage/secure_storage.json
@@ -1,51 +1,68 @@
 [
 {
- "id": "DS112266",
 "name": "ProtectedData used without additional entropy",
+ "id": "DS112266",
+ "description": "The ProtectedData class should be used with additional entropy to reduce the risk of other application calling DPAPI to access the data.",
+ "recommendation": "Add additional entropy (per-application secret).",
+ "applies_to": [
+ "csharp"
+ ],
 "tags": [
 "Storage.Windows.DPAPI"
 ],
 "severity": "moderate",
- "description": "The ProtectedData class should be used with additional entropy to reduce the risk of other application calling DPAPI to access the data.",
- "replacement": "Add additional entropy (per-application secret).",
- "rule_info": "https://github.com/Microsoft/DevSkim/blob/master/guidance/DS112266.md",
- "applies_to": [
- "csharp"
- ],
+ "_comment": "",
+ "rule_info": "DS112266.md",
 "patterns": [
 {
 "pattern": "ProtectedData\\.Protect.*,\\s*null.*",
- "type": "regex"
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
 }
 ],
- "fix_it": [
+ "fix_its": [
 {
- "type": "regex-substitute",
 "name": "Add entropy placeholder",
- "search": "(ProtectedData\\.Protect[^,]+,\\s*)null(.*)",
- "replace": "$1$2"
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$1$2",
+ "pattern": {
+ "pattern": "(ProtectedData\\.Protect[^,]+,\\s*)null(.*)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
 }
 ]
 },
 {
- "id": "DS191340",
 "name": "Do not store sensitive data in NSUserDefaults.",
- "tags": [
- "Storage.Apple.iOS.UserDefaults.SensitiveData"
- ],
+ "id": "DS191340",
+ "description": "Do not store sensitive data in NSUserDefaults.",
+ "recommendation": "Consider another mechanism instead.",
 "applies_to": [
 "objective-c"
 ],
+ "tags": [
+ "Storage.Apple.iOS.UserDefaults.SensitiveData"
+ ],
 "severity": "moderate",
- "description": "Do not store sensitive data in NSUserDefaults.",
- "replacement": "Consider another mechanism instead.",
- "rule_info": 
"https://github.com/Microsoft/DevSkim/blob/master/guidance/DS191340.md",
+ "_comment": "",
+ "rule_info": "DS191340.md",
 "patterns": [
 {
 "pattern": "NSUserDefaults \\*(.*) = \\[NSUserDefaults standardUserDefaults\\];(\\n.*){1,5}$1 .*setString:(password|key)",
- "type": "regex"
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
 }
- ],
- "fix_it": []
+ ]
 }
 ]
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/tests/DS378900.test b/DevSkim-Common/rules/default/security/vulnerable_libraries/tests/DS378900.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/tests/DS378900.test
rename to DevSkim-Common/rules/default/security/vulnerable_libraries/tests/DS378900.test
diff --git a/DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/tests/DS378901.test b/DevSkim-Common/rules/default/security/vulnerable_libraries/tests/DS378901.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/tests/DS378901.test
rename to DevSkim-Common/rules/default/security/vulnerable_libraries/tests/DS378901.test
diff --git a/DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/tests/DS378902.test b/DevSkim-Common/rules/default/security/vulnerable_libraries/tests/DS378902.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/vulnerable_libraries/tests/DS378902.test
rename to DevSkim-Common/rules/default/security/vulnerable_libraries/tests/DS378902.test
diff --git a/DevSkim-Common/rules/default/security/xml/external_entities.json b/DevSkim-Common/rules/default/security/xml/external_entities.json
new file mode 100644
index 0000000..e8948ef
--- /dev/null
+++ b/DevSkim-Common/rules/default/security/xml/external_entities.json
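Review bot: The DS191340 pattern ends in `(\\n.*){1,5}$1 .*setString:(password|key)`, where `$1` is substitution syntax rather than a backreference; inside a pattern it reads as an end-of-line anchor followed by a literal `1` (assuming a .NET/PCRE-style engine), so the second half can never match the variable captured by `(.*)` and the rule is effectively dead. The backreference should be written `\\1` in the JSON, and because `.` does not cross newlines by default the `(\\n.*){1,5}` window only works if the engine hands the pattern the whole file rather than one line at a time, which is worth confirming. Separately, the DS112266 fix-it replaces `null` with `$1$2`, which turns a call like `ProtectedData.Protect(data, null, scope)` into `ProtectedData.Protect(data, , scope)`, an empty argument that does not compile (constructed example); since the fix-it is named "Add entropy placeholder", a visible stand-in such as `$1/* TODO: per-application entropy */$2` would at least yield code the developer must knowingly replace.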
@@ -0,0 +1,125 @@
+[
+ {
+ "name": "Do not enable external entity resolution.",
+ "id": "DS132779",
+ "description": "Do not enable external entity resolution.",
+ "recommendation": "Set shouldResolveExternalEntities to NO.",
+ "applies_to": [
+ "objective-c"
+ ],
+ "tags": [
+ "Implementation.iOS.XML.DTDEntityResolution"
+ ],
+ "severity": "moderate",
+ "_comment": "",
+ "rule_info": "DS132779.md",
+ "patterns": [
+ {
+ "pattern": "shouldResolveExternalEntities\\s*=\\s*YES",
+ "type": "regex-word",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ {
+ "name": "Disable external entity resolution",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$1NO",
+ "pattern": {
+ "pattern": "(shouldResolveExternalEntities\\s*=\\s*)(YES)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ }
+ ]
+ },
+ {
+ "name": "Do not enable external entity resolution.",
+ "id": "DS132780",
+ "description": "Do not enable external entity resolution.",
+ "recommendation": "x.setShouldResolveExternalEntities = FALSE;",
+ "applies_to": [
+ "swift"
+ ],
+ "tags": [
+ "Implementation.iOS.XML.DTDEntityResolution"
+ ],
+ "severity": "moderate",
+ "_comment": "",
+ "rule_info": "DS132780.md",
+ "patterns": [
+ {
+ "pattern": "shouldResolveExternalEntities\\s*=\\s*TRUE",
+ "type": "regex-word",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ {
+ "name": "Disable external entity resolution",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$1FALSE",
+ "pattern": {
+ "pattern": "(shouldResolveExternalEntities\\s*=\\s*)(TRUE)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ }
+ ]
+ },
+ {
+ "name": "Do not enable external entity resolution.",
+ "id": "DS132790",
+ "description": "Do not enable external entity resolution.",
+ "recommendation": "[x setShouldResolveExternalEntities: NO];",
+ "applies_to": [
+ "objective-c"
+ ],
+ "tags": [
+ "Implementation.iOS.XML.DTDEntityResolution"
+ ],
+ 
"severity": "moderate",
+ "_comment": "",
+ "rule_info": "DS132790.md",
+ "patterns": [
+ {
+ "pattern": "setShouldResolveExternalEntities:\\s*YES",
+ "type": "regex-word",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ ],
+ "fix_its": [
+ {
+ "name": "Disable external entity resolution",
+ "type": "regex-replace",
+ "_comment": "",
+ "replacement": "$1NO",
+ "pattern": {
+ "pattern": "(setShouldResolveExternalEntities:\\s*)(YES)",
+ "type": "regex",
+ "scopes": [
+ "code"
+ ],
+ "_comment": ""
+ }
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/DevSkim-Common-Ignore/rules/default/security/xml/tests/DS132779.test b/DevSkim-Common/rules/default/security/xml/tests/DS132779.test
similarity index 100%
rename from DevSkim-Common-Ignore/rules/default/security/xml/tests/DS132779.test
rename to DevSkim-Common/rules/default/security/xml/tests/DS132779.test
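Review bot: The Swift rule DS132780 looks for `shouldResolveExternalEntities\\s*=\\s*TRUE`, but Swift's boolean literal is lowercase `true`, so neither this pattern nor the fix-it pattern `(shouldResolveExternalEntities\\s*=\\s*)(TRUE)` will fire on real Swift code unless the engine matches case-insensitively, which nothing in the file indicates. Its recommendation string `x.setShouldResolveExternalEntities = FALSE;` is not Swift either; the property assignment form would be `x.shouldResolveExternalEntities = false`. Changing both patterns to `true` and the replacement to `$1false` brings the rule in line with the Objective-C siblings DS132779 and DS132790, which correctly use `YES`/`NO`.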