bearer · Commits · af2976df
  • feat(rules): update trigger attributes (#797)

    * chore: update rule files to new syntax
    
    * feat: update rego rules and add default trigger values
    
    feat: add IsLocal flag to rule and update privacy and security reports
    
    * fix: update snapshot for Bugsnag
    
    * docs: update docs for rule trigger changes
    
    * Update docs/guides/custom-rule.md
    
    Co-authored-by: Mark Michon <[email protected]>
    
    * docs: remove trigger from example rule yaml
    
    * feat: fix duplicate detection
    
    * refactor: improve trigger calc in severity calculation
    
    ---------
    
    Co-authored-by: Mark Michon <[email protected]>
  • elsapet committed with GitHub 1 year ago
    af2976df
    1 parent 787a1116
  • docs/guides/custom-rule.md
    skipped 17 lines
    18 18   
    19 19  - `patterns`: See the section below for the Pattern Syntax.
    20 20  - `languages`: An array of the languages the rule applies to. Available values are: `ruby`, `javascript`
    21  -- `trigger`: Defines when the rule should raise a failure. There are four trigger types:
    22  - - `local`: Use this trigger when your rule directly relies on data type detections in the pattern. Some examples are sending data to a logger, or making an HTTP request that includes sensitive data.
    23  - - `global`: Some rules don’t match code with a data type directly, but you want them to trigger if Bearer finds any sensitive data types in the project. One example is password strength, where the rule only triggers if sensitive data types are found in the application.
    24  - - `presence`: Use this trigger when your rule isn’t related to a [data type](/reference/datatypes) detection but on the presence of a pattern. Examples include best practices such as configuration settings like forcing SSL communication.
    25  - - `absence`: Use this trigger when your rule isn’t related to a [data type](/reference/datatypes) detection but on the absence of a pattern (if we have been able to confirm the presence of an auxiliary pattern). Examples include best practices such as missing configuration like forcing SSL communication.
     21 +- `trigger`: Defines under which conditions the rule should raise a failure. Optional.
     22 + - `match_on`: Refers to the rule's pattern matches.
     23 + - `presence`: Triggers if the rule's pattern is detected. (Default)
     24 + - `absence`: Rule triggers on the absence of a pattern, but the presence of a `required_detection`. Examples include best practices such as missing configuration like forcing SSL communication. Note: rules that match on `absence` need a `required_detection` to be set.
     25 + - `required_detection`: Used with the `match_on: absence` trigger. Indicates which rule is required to activate the failure on the absence of the main rule.
     26 + - `data_types_required`: Sometimes we may want a rule to trigger only for applications that process sensitive data. One example is password strength, where the rule only triggers if sensitive data types are found in the application.
     27 + - `false`: Default. Rule triggers whether or not any data types have been detected in the application.
     28 + - `true`: Rule only triggers if at least one data type is detected in the application.
    26 29  - `severity`: This sets the lowest severity level of the rule, by default at `low`. The severity level can automatically increase based on the data type categories (PHI, PD, PDS, PII) detected depending on the rule `trigger` type. A severity level of `warning`, however, will never increase. Bearer groups rule failures by severity, and you can configure the summary report to only fail on specific severity thresholds. Severity is set for each data type group, each of which takes a severity level of `warning`, `low`, `medium`, `high`, or `critical`. A severity level of `warning` won’t cause CI to fail.
    27 30  - `metadata`: Rule metadata is used for output to the summary report, and documentation for the internal rules.
    28 31   - `id`: A unique identifier. Internal rules are named `lang_framework_rule_name`. For rules targeting the language core, `lang` is used instead of a framework name. For example `ruby_lang_logger` and `ruby_rails_logger`. For custom rules, you may consider appending your org name.
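    Review bot: the nesting of the new `trigger` bullets (new lines 21–28) is lost: `presence`/`absence` are the values of `match_on`, and `false`/`true` are the values of `data_types_required`, yet all of them sit at the same one-space indent as `match_on` and `data_types_required`, so they render as siblings rather than children. Indent the value bullets one level deeper, or phrase them as `match_on: presence`, `match_on: absence`, `data_types_required: true`. The unchanged `severity` bullet just below still says the level can increase "depending on the rule `trigger` type"; there is no single trigger type any more, so that sentence should name which trigger settings affect severity.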
    skipped 5 lines
    34 37  - `auxiliary`: Allows you to define helper rules and detectors to make pattern-building more robust. Auxiliary rules contain a unique `id` and their own `patterns` in the same way rules do. You’re unlikely to use this regularly. See the [weak_encryption]({{meta.sourcePath}}/blob/a55ff8cf6334a541300b0e7dc3903d022987afb6/pkg/commands/process/settings/rules/ruby/lang/weak_encryption.yml) rule for examples. (Optional)
    35 38  - `skip_data_types`: Allows you to prevent the specified data types from triggering this rule. Takes an array of strings matching the data type names. Example: “Passwords”. (Optional)
    36 39  - `only_data_types`: Allows you to limit the specified data types that trigger this rule. Takes an array of strings matching the data type names. Example: “Passwords”. (Optional)
    37  -- `trigger_rule_on_presence_of`: Used with the `absence` trigger. Indicates which rule is required to activate the failure on the absence of the main rule.
    38 40   
    39 41   
    40 42  ## Patterns
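    Review bot: the `auxiliary` bullet (line 37) still links the `weak_encryption` example at a pinned revision (`a55ff8cf…`), which predates this syntax change, so readers following it may see the old top-level `trigger` key instead of the `trigger:` block documented above; re-pin the link to a revision that includes this PR, or link the unpinned path.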
    skipped 187 lines
    228 230   # YOUR CODE HERE
    229 231  languages:
    230 232   - ruby
    231  -trigger: local
    232 233  severity: high
    233 234  metadata:
    234 235   id: custom_rule_name
    skipped 6 lines
  • e2e/rules/testdata/rules/auxilary.yml
    skipped 15 lines
    16 16   patterns:
    17 17   - |
    18 18   new StatsD($<...>)
    19  -trigger: local
    20 19  severity: low
    21 20  skip_data_types:
    22 21   - "Unique Identifier"
    skipped 18 lines
  • e2e/rules/testdata/rules/simple_ruby.yml
    skipped 4 lines
    5 5   end
    6 6  languages:
    7 7   - ruby
    8  -trigger: presence
    9 8  severity: low
    10 9  metadata:
    11 10   description: "Force all incoming communication through SSL."
    skipped 21 lines
  • new/detector/composition/javascript/javascript.go
    skipped 106 lines
    107 107   
    108 108   presenceRules := map[string]bool{}
    109 109   for _, rule := range jsRules {
    110  - if rule.TriggerRuleOnPresenceOf != "" {
    111  - presenceRules[rule.TriggerRuleOnPresenceOf] = true
     110 + if rule.Trigger.RequiredDetection != nil {
     111 + presenceRules[*rule.Trigger.RequiredDetection] = true
    112 112   }
    113 113   }
    114 114   
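    Review bot: the `!= nil` check at new line 110 only guards against the key being absent; a rule that sets `required_detection: ""` yields a non-nil pointer to an empty string, and line 111 then registers `""` as a presence rule. Since the docs in this PR state that `absence` rules need a `required_detection`, validate at rule-load time that the value is non-empty and that every `match_on: absence` rule carries one, and reject the rule otherwise instead of letting it silently never fire.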
    skipped 84 lines
  • new/detector/composition/javascript/testdata/deconstructing.yml
    skipped 3 lines
    4 4   const { $<!>$<_> } = req.params
    5 5  languages:
    6 6   - javascript
    7  -trigger: presence
    8 7  metadata:
    9 8   id: "javascript_deconstructing"
    10 9   
  • new/detector/composition/ruby/ruby.go
    skipped 104 lines
    105 105   
    106 106   presenceRules := map[string]bool{}
    107 107   for _, rule := range rubyRules {
    108  - if rule.TriggerRuleOnPresenceOf != "" {
    109  - presenceRules[rule.TriggerRuleOnPresenceOf] = true
     108 + if rule.Trigger.RequiredDetection != nil {
     109 + presenceRules[*rule.Trigger.RequiredDetection] = true
    110 110   }
    111 111   }
    112 112   
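    Review bot: new lines 108–109 are now byte-for-byte the same loop as in `javascript.go` above; a shared helper that builds the `presenceRules` map from a rule slice would keep the two language compositions from drifting the next time the trigger shape changes.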
    skipped 83 lines
  • pkg/commands/process/settings/built_in_rules/third_party/gitleaks/secret_detection.yml
    1 1  type: risk
    2  -trigger: presence
    3 2  severity: high
    4 3  omit_parent_content: true
    5 4  metadata:
    skipped 16 lines
  • pkg/commands/process/settings/policies/common.rego
    skipped 20 lines
    21 21  }
    22 22   
    23 23  build_local_item(location, data_type) := {
     24 + "is_local": true,
    24 25   "category_groups": groups_for_datatype(data_type),
    25 26   "filename": location.filename,
    26 27   "line_number": location.line_number,
    skipped 48 lines
  • pkg/commands/process/settings/policies/risk_policy.rego
    skipped 7 lines
    8 8   arr[_] = elem
    9 9  }
    10 10   
    11  -local_failures contains detector if {
    12  - input.rule.trigger == "local"
    13  - some detector in input.dataflow.risks
    14  - detector.detector_id == input.rule.id
    15  -}
     11 +# - presence of pattern & data types required
     12 +global_failures contains detector if {
     13 + input.rule.trigger.match_on == "presence"
     14 + input.rule.trigger.data_types_required
    16 15   
    17  -global_failures contains detector if {
    18  - input.rule.trigger == "global"
    19 16   some detector in input.dataflow.risks
    20 17   detector.detector_id == input.rule.id
    21 18   
    22 19   some data_type in data.bearer.common.global_data_types
    23 20  }
    24 21   
     22 +# - presence of pattern & data types not required
    25 23  presence_failures contains detector if {
    26  - input.rule.trigger == "presence"
     24 + input.rule.trigger.match_on == "presence"
     25 + not input.rule.trigger.data_types_required
     26 + 
    27 27   some detector in input.dataflow.risks
    28 28   detector.detector_id == input.rule.id
    29 29  }
    30 30   
     31 +# - data types detected within pattern ($<DATA_TYPE>)
     32 +local_data_types contains data_type if {
     33 + not input.rule.skip_data_types
     34 + not input.rule.only_data_types
     35 + 
     36 + some detector in presence_failures
     37 + data_type = detector.data_types[_]
     38 +}
     39 + 
     40 +local_data_types contains data_type if {
     41 + not input.rule.only_data_types
     42 + 
     43 + some detector in presence_failures
     44 + data_type = detector.data_types[_]
     45 + not contains(input.rule.skip_data_types, data_type.name)
     46 +}
     47 + 
     48 +local_data_types contains data_type if {
     49 + not input.rule.skip_data_types
     50 + 
     51 + some detector in presence_failures
     52 + data_type = detector.data_types[_]
     53 + contains(input.rule.only_data_types, data_type.name)
     54 +}
     55 + 
     56 +# Build policy failures
    31 57  policy_failure contains item if {
    32  - input.rule.trigger == "absence"
     58 + input.rule.trigger.match_on == "absence"
    33 59   some detector in input.dataflow.risks
    34 60   
    35  - detector.detector_id == input.rule.trigger_rule_on_presence_of
     61 + detector.detector_id == input.rule.trigger.required_detection
    36 62   some init_location in detector.locations
    37 63   
    38 64   x := {other | other := input.dataflow.risks[_]; other.detector_id == input.rule.id}
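    Review bot: the `absence` rule at new lines 57–62 compares `detector.detector_id` against `input.rule.trigger.required_detection` with no guard for the key being missing; in Rego an undefined operand makes the body undefined, so a `match_on: absence` rule without `required_detection` silently produces no failures rather than an error. Since the docs hunk states that `absence` requires `required_detection`, enforce it when rules are loaded so the misconfiguration surfaces. Minor: in `global_failures` (new lines 12–20) `data_type` is bound by `some data_type in data.bearer.common.global_data_types` but never used; `count(data.bearer.common.global_data_types) > 0` states the intent more directly.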
    skipped 3 lines
    42 68  }
    43 69   
    44 70  policy_failure contains item if {
    45  - input.rule.trigger == "absence"
     71 + input.rule.trigger.match_on == "absence"
    46 72   some detector in input.dataflow.risks
    47 73   
    48  - detector.detector_id == input.rule.trigger_rule_on_presence_of
     74 + detector.detector_id == input.rule.trigger.required_detection
    49 75   
    50 76   some init_location in detector.locations
    51 77   some other_detector in input.dataflow.risks
    skipped 6 lines
    58 84   item := data.bearer.common.build_item(init_location)
    59 85  }
    60 86   
    61  -local_data_types contains data_type if {
    62  - not input.rule.skip_data_types
    63  - not input.rule.only_data_types
    64  - 
    65  - some detector in local_failures
    66  - data_type = detector.data_types[_]
    67  -}
    68  - 
    69  -local_data_types contains data_type if {
    70  - not input.rule.only_data_types
    71  - 
    72  - some detector in local_failures
    73  - data_type = detector.data_types[_]
    74  - not contains(input.rule.skip_data_types, data_type.name)
    75  -}
    76  - 
    77  -local_data_types contains data_type if {
    78  - not input.rule.skip_data_types
    79  - 
    80  - some detector in local_failures
    81  - data_type = detector.data_types[_]
    82  - contains(input.rule.only_data_types, data_type.name)
    83  -}
    84  - 
    85  -# Build policy failures
    86  - 
    87 87  policy_failure contains item if {
    88 88   some data_type in local_data_types
    89 89   
    skipped 10 lines
    100 100   
    101 101  policy_failure contains item if {
    102 102   some detector in presence_failures
     103 + count(local_data_types) == 0 # detector item already included (through local_data_types)
    103 104   
    104  - # Add link to global datatypes here
    105 105   location = detector.locations[_]
    106 106   item := data.bearer.common.build_item(location)
    107 107  }
    108 108   
    109 109  policy_failure contains item if {
    110  - input.rule.trigger == "stored_data_types"
     110 + input.rule.trigger.match_on == "stored_data_types"
    111 111   
    112 112   contains(input.rule.languages, input.dataflow.data_types[_].detectors[_].name)
    113 113   data_type = input.dataflow.data_types[_]
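    Review bot: `count(local_data_types) == 0` at new line 103 is a rule-wide condition, not a per-detector one: as soon as any detection of this rule carries a data type, the plain presence items for all of this rule's other detections (the ones without a data type) are suppressed, because the rule at new lines 87–89 only emits items for detectors that appear in `local_data_types`. For a rule whose patterns mix data-type and non-data-type matches, those locations drop out of the report. If that is intended, say so in the comment; otherwise check per detector, e.g. `count(object.get(detector, "data_types", [])) == 0`, bearing in mind that `skip_data_types`/`only_data_types` filtering would then need to be mirrored.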
    skipped 19 lines
    133 133   
    134 134  # used by inventory report
    135 135  local_rule_failure contains item if {
    136  - some detector in local_failures
    137  - data_type = detector.data_types[_]
     136 + some detector in presence_failures
     137 + some data_type in detector.data_types
    138 138   
    139 139   location = data_type.locations[_]
    140 140   item := {
    skipped 9 lines
  • pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection.yml
    skipped 42 lines
    43 43   - event[$<_>]
    44 44  languages:
    45 45   - javascript
    46  -trigger: presence
    47 46  severity: high
    48 47  metadata:
    49 48   description: "Code injection detected."
    skipped 44 lines
  • pkg/commands/process/settings/rules/javascript/aws_lambda/os_command_injection.yml
    skipped 15 lines
    16 16   - event
    17 17  languages:
    18 18   - javascript
    19  -trigger: presence
    20 19  severity: high
    21 20  metadata:
    22 21   description: "OS command injection vulnerability detected."
    skipped 28 lines
  • pkg/commands/process/settings/rules/javascript/aws_lambda/query_injection.yml
    skipped 33 lines
    34 34   detection: javascript_aws_lambda_query_injection_hash
    35 35  languages:
    36 36   - javascript
    37  -trigger: presence
    38 37  severity: high
    39 38  metadata:
    40 39   description: "Raw user input in data store query detected."
    skipped 32 lines
  • pkg/commands/process/settings/rules/javascript/aws_lambda/sql_injection.yml
    skipped 71 lines
    72 72   detection: javascript_express_sql_injection_mysql_pool
    73 73  languages:
    74 74   - javascript
    75  -trigger: presence
    76 75  severity: high
    77 76  metadata:
    78 77   description: "SQL injection vulnerability detected."
    skipped 32 lines
  • pkg/commands/process/settings/rules/javascript/express/cross_site_scripting.yml
    skipped 31 lines
    32 32   filters:
    33 33   - variable: USER_INPUT
    34 34   detection: javascript_express_cross_site_scripting_request_obj
    35  -trigger: presence
    36 35  severity: high
    37 36  metadata:
    38 37   description: "Cross-site scripting (XSS) vulnerability detected."
    skipped 18 lines
  • pkg/commands/process/settings/rules/javascript/express/default_session_config.yml
    skipped 11 lines
    12 12   patterns:
    13 13   - |
    14 14   { name: $<_> }
    15  -trigger: presence
    16 15  severity: medium
    17 16  metadata:
    18 17   description: "Session cookie with default config detected."
    skipped 14 lines
  • pkg/commands/process/settings/rules/javascript/express/eval_user_input.yml
    skipped 55 lines
    56 56   - req.headers
    57 57  languages:
    58 58   - javascript
    59  -trigger: presence
    60 59  severity: high
    61 60  metadata:
    62 61   description: "Dangerous use of eval with user input detected"
    skipped 46 lines
  • pkg/commands/process/settings/rules/javascript/express/exposed_dir_listing.yml
    skipped 2 lines
    3 3   app.use($<...>serveIndex()$<...>)
    4 4  languages:
    5 5   - javascript
    6  -trigger: presence
    7 6  metadata:
    8 7   description: "Missing access restriction to directory listing detected."
    9 8   remediation_message: |
    skipped 12 lines
  • pkg/commands/process/settings/rules/javascript/express/external_file_upload.yml
    skipped 30 lines
    31 31   - not:
    32 32   variable: OPTIONS
    33 33   detection: javascript_express_external_file_upload_request_obj
    34  -trigger: presence
    35 34  metadata:
    36 35   description: "External control of filename or path detected."
    37 36   remediation_message: |
    skipped 21 lines
  • pkg/commands/process/settings/rules/javascript/express/external_resource.yml
    skipped 28 lines
    29 29   - req.body
    30 30   - req.cookies
    31 31   - req.headers
    32  -trigger: presence
    33 32  metadata:
    34 33   description: "Rendering of resources resolved from external name or reference detected."
    35 34   remediation_message: |
    skipped 20 lines
  • pkg/commands/process/settings/rules/javascript/express/hardcoded_secret.yml
    skipped 19 lines
    20 20   - variable: STRING_LITERAL
    21 21   detection: string_literal
    22 22   contains: false
    23  -trigger: presence
    24 23  severity: high
    25 24  metadata:
    26 25   description: "Hard-coded secret detected."
    skipped 22 lines
  • pkg/commands/process/settings/rules/javascript/express/helmet_missing.yml
    skipped 5 lines
    6 6   detection: javascript_express_helmet_express_init
    7 7   - variable: FUNCTION_CALL
    8 8   detection: javascript_express_helmet_configuration
    9  -trigger_rule_on_presence_of: javascript_express_helmet_express_init
    10 9  auxiliary:
    11 10   - id: javascript_express_helmet_express_init
    12 11   patterns:
    skipped 4 lines
    17 16   - helmet.$<_>()
    18 17  languages:
    19 18   - javascript
    20  -trigger: absence
     19 +trigger:
     20 + match_on: absence
     21 + required_detection: javascript_express_helmet_express_init
    21 22  metadata:
    22 23   description: "Security misconfiguration detected."
    23 24   remediation_message: |
    skipped 20 lines
  • pkg/commands/process/settings/rules/javascript/express/https_protocol_missing.yml
    1 1  patterns:
    2 2   - pattern: |
    3 3   https.createServer()
    4  - filters:
    5  -trigger_rule_on_presence_of: javascript_express_https_protocol_missing_http_server
    6 4  auxiliary:
    7 5   - id: javascript_express_https_protocol_missing_http_server
    8 6   patterns:
    9 7   - $<_>.createServer()
    10 8  languages:
    11 9   - javascript
    12  -trigger: absence
     10 +trigger:
     11 + match_on: absence
     12 + required_detection: javascript_express_https_protocol_missing_http_server
    13 13  metadata:
    14 14   description: "Missing https protocol detected."
    15 15   remediation_message: |
    skipped 21 lines
  • pkg/commands/process/settings/rules/javascript/express/insecure_allow_origin.yml
    skipped 43 lines
    44 44   regex: (?i)['"]access-control-allow-origin["']
    45 45   - variable: USER_INPUT
    46 46   detection: javascript_express_external_resource_req_object
    47  -trigger: presence
    48 47  metadata:
    49 48   description: "Insecure Access-Control-Allow-Origin detected."
    50 49   remediation_message: |
    skipped 14 lines
  • pkg/commands/process/settings/rules/javascript/express/insecure_cookie.yml
    skipped 20 lines
    21 21   })
    22 22  languages:
    23 23   - javascript
    24  -trigger: presence
    25 24  metadata:
    26 25   description: "Missing secure options for cookie detected."
    27 26   remediation_message: |
    skipped 15 lines
  • pkg/commands/process/settings/rules/javascript/express/insecure_template_rendering.yml
    skipped 80 lines
    81 81   - id: javascript_express_insecure_template_rendering_liquid_init
    82 82   patterns:
    83 83   - new Liquid()
    84  -trigger: presence
    85 84  metadata:
    86 85   description: "Insecure template rendering detected."
    87 86   remediation_message: |
    skipped 14 lines
  • pkg/commands/process/settings/rules/javascript/express/jwt_not_revoked.yml
    skipped 20 lines
    21 21   patterns:
    22 22   - pattern: |
    23 23   { $<...>isRevoked: $<_>$<...> }
    24  -trigger: presence
    25 24  severity: low
    26 25  metadata:
    27 26   description: "Unrevoked JWT detected."
    skipped 21 lines
  • pkg/commands/process/settings/rules/javascript/express/open_redirect.yml
    skipped 23 lines
    24 24   - req.headers
    25 25  languages:
    26 26   - javascript
    27  -trigger: presence
    28 27  severity: medium
    29 28  metadata:
    30 29   description: "Open redirect detected."
    skipped 24 lines
  • pkg/commands/process/settings/rules/javascript/express/path_traversal.yml
    skipped 34 lines
    35 35   - $<_>.replace($<_>, '')
    36 36  languages:
    37 37   - javascript
    38  -trigger: presence
    39 38  severity: high
    40 39  metadata:
    41 40   description: "Possible path traversal vulnerability detected."
    skipped 37 lines
  • pkg/commands/process/settings/rules/javascript/express/reduce_fingerprint.yml
    skipped 12 lines
    13 13   detection: javascript_express_reduce_fingerprint_express_init
    14 14   - variable: FUNCTION_CALL
    15 15   detection: javascript_express_reduce_fingerprint_helmet_configuration
    16  -trigger_rule_on_presence_of: javascript_express_reduce_fingerprint_express_init
    17 16  auxiliary:
    18 17   - id: javascript_express_reduce_fingerprint_express_init
    19 18   patterns:
    skipped 3 lines
    23 22   - helmet.hidePoweredBy()
    24 23  languages:
    25 24   - javascript
    26  -trigger: absence
     25 +trigger:
     26 + match_on: absence
     27 + required_detection: javascript_express_reduce_fingerprint_express_init
    27 28  metadata:
    28 29   description: "Security misconfiguration detected."
    29 30   remediation_message: |
    skipped 17 lines
  • pkg/commands/process/settings/rules/javascript/express/server_side_request_forgery.yml
    skipped 40 lines
    41 41   - puppeteer.launch()
    42 42  languages:
    43 43   - javascript
    44  -trigger: presence
    45 44  severity: high
    46 45  metadata:
    47 46   description: "Risk of server-side request forgery detected."
    skipped 30 lines
  • pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
    skipped 82 lines
    83 83   detection: javascript_express_sql_injection_mysql_pool
    84 84  languages:
    85 85   - javascript
    86  -trigger: presence
    87 86  severity: high
    88 87  metadata:
    89 88   description: "SQL injection vulnerability detected."
    skipped 43 lines
  • pkg/commands/process/settings/rules/javascript/express/static_asset_with_session.yml
    skipped 29 lines
    30 30   - express.static()
    31 31  languages:
    32 32   - javascript
    33  -trigger: presence
    34 33  metadata:
    35 34   description: Static asset with active session detected.
    36 35   remediation_message: |
    skipped 20 lines
  • pkg/commands/process/settings/rules/javascript/express/ui_redress.yml
    skipped 25 lines
    26 26   - req.headers
    27 27  languages:
    28 28   - javascript
    29  -trigger: presence
    30 29  metadata:
    31 30   description: "User Interface (UI) redress vulnerability (clickjacking) detected."
    32 31   remediation_message: |
    skipped 31 lines
  • pkg/commands/process/settings/rules/javascript/express/unsafe_deserialization.yml
    skipped 49 lines
    50 50   detection: javascript_express_insecure_deserialization_request_obj
    51 51  languages:
    52 52   - javascript
    53  -trigger: presence
    54 53  severity: high
    55 54  metadata:
    56 55   description: "Deserialization of untrusted data detected."
    skipped 22 lines
  • pkg/commands/process/settings/rules/javascript/express/xml_external_entity_vulnerability.yml
    skipped 74 lines
    75 75   - new xml2js.Parser()
    76 76  languages:
    77 77   - javascript
    78  -trigger: presence
    79 78  severity: high
    80 79  metadata:
    81 80   description: "XML External Entity vulnerability detected."
    skipped 19 lines
  • pkg/commands/process/settings/rules/javascript/lang/dangerous_insert_html.yml
    skipped 50 lines
    51 51   `$<...>${$<...>$<_>$<...>}$<...>`
    52 52  languages:
    53 53   - javascript
    54  -trigger: presence
    55 54  severity: high
    56 55  metadata:
    57 56   description: "Dangerous dynamic HTML insert detected."
    skipped 20 lines
  • pkg/commands/process/settings/rules/javascript/lang/exception.yml
    skipped 24 lines
    25 25   new Promise(function ($<_>, $<!>$<_>) {})
    26 26  languages:
    27 27   - javascript
    28  -trigger: local
    29 28  skip_data_types:
    30 29   - Unique Identifier
    31 30  metadata:
    skipped 27 lines
  • pkg/commands/process/settings/rules/javascript/lang/file_generation.yml
    skipped 10 lines
    11 11   detection: datatype
    12 12  languages:
    13 13   - javascript
    14  -trigger: local
    15 14  metadata:
    16 15   description: "Sensitive data detected as part of a dynamic file generation."
    17 16   remediation_message: |
    skipped 16 lines
  • pkg/commands/process/settings/rules/javascript/lang/hardcoded_secret.yml
    skipped 22 lines
    23 23   contains: false
    24 24  languages:
    25 25   - javascript
    26  -trigger: presence
    27 26  severity: high
    28 27  metadata:
    29 28   description: "Hardcoded secret detected"
    skipped 30 lines
  • pkg/commands/process/settings/rules/javascript/lang/http_insecure.yml
    skipped 43 lines
    44 44   detection: insecure_url
    45 45  languages:
    46 46   - javascript
    47  -trigger: presence
    48 47  severity: low
    49 48  metadata:
    50 49   description: "Connection with an unsecure HTTP communication detected."
    skipped 23 lines
  • pkg/commands/process/settings/rules/javascript/lang/jwt.yml
    skipped 6 lines
    7 7   detection: datatype
    8 8  languages:
    9 9   - javascript
    10  -trigger: local
    11 10  skip_data_types:
    12 11   - "Unique Identifier"
    13 12  metadata:
    skipped 28 lines
  • pkg/commands/process/settings/rules/javascript/lang/jwt_hardcoded_secret.yml
    skipped 17 lines
    18 18   contains: false
    19 19  languages:
    20 20   - javascript
    21  -trigger: presence
    22 21  severity: high
    23 22  metadata:
    24 23   description: "Hardcoded jwt secret deteted"
    skipped 23 lines
  • pkg/commands/process/settings/rules/javascript/lang/jwt_weak_encryption.yml
    skipped 5 lines
    6 6   })
    7 7  languages:
    8 8   - javascript
    9  -trigger: presence
    10 9  metadata:
    11 10   description: "Weak jwt encryption deceted"
    12 11   remediation_message: |
    skipped 22 lines
  • pkg/commands/process/settings/rules/javascript/lang/logger.yml
    skipped 61 lines
    62 62   - logger
    63 63  languages:
    64 64   - javascript
    65  -trigger: local
    66 65  skip_data_types:
    67 66   - "Unique Identifier"
    68 67  metadata:
    skipped 26 lines
  • pkg/commands/process/settings/rules/javascript/lang/open_redirect.yml
    skipped 25 lines
    26 26   patterns:
    27 27   - window.location
    28 28   - location
    29  -trigger: presence
    30 29  severity: medium
    31 30  metadata:
    32 31   description: "Open redirect detected."
    skipped 14 lines
  • pkg/commands/process/settings/rules/javascript/lang/session.yml
    skipped 5 lines
    6 6   detection: datatype
    7 7  languages:
    8 8   - javascript
    9  -trigger: local
    10 9  skip_data_types:
    11 10   - "Unique Identifier"
    12 11  metadata:
    skipped 28 lines
  • pkg/commands/process/settings/rules/javascript/lang/weak_encryption.yml
    skipped 44 lines
    45 45   values:
    46 46   - '"md5"'
    47 47   - '"sha1"'
    48  -trigger: local
    49 48  skip_data_types:
    50 49   - "Unique Identifier"
    51 50   - "Passwords" # see javascript_weak_password_encryption
    skipped 26 lines
  • pkg/commands/process/settings/rules/javascript/lang/weak_password_encryption.yml
    skipped 55 lines
    56 56   patterns:
    57 57   - |
    58 58   {$<...>type: argon2.argon2i, $<...>}
    59  -trigger: local
    60 59  only_data_types:
    61 60   - "Passwords"
    62 61  metadata:
    skipped 26 lines
  • pkg/commands/process/settings/rules/javascript/react/dangerously_set_inner_html.yml
    skipped 17 lines
    18 18   - sanitizeHTML($<_>)
    19 19  languages:
    20 20   - javascript
    21  -trigger: presence
    22 21  severity: high
    23 22  metadata:
    24 23   description: "React's dangerously set inner HTML detected."
    skipped 19 lines
  • pkg/commands/process/settings/rules/javascript/react/google_analytics.yml
    skipped 5 lines
    6 6   detection: datatype
    7 7  languages:
    8 8   - javascript
    9  -trigger: local
    10 9  metadata:
    11 10   description: "Sensitive data sent to Google Analytics detected."
    12 11   remediation_message: |
    skipped 16 lines
  • pkg/commands/process/settings/rules/javascript/third_parties/airbrake.yml
    skipped 12 lines
    13 13   patterns:
    14 14   - |
    15 15   new Notifier($<...>)
    16  -trigger: local
    17 16  skip_data_types:
    18 17   - "Unique Identifier"
    19 18  metadata:
    skipped 26 lines
  • pkg/commands/process/settings/rules/javascript/third_parties/algolia.yml
    skipped 36 lines
    37 37   filters:
    38 38   - variable: CLIENT
    39 39   detection: javascript_third_parties_algolia_client
    40  -trigger: local
    41 40  skip_data_types:
    42 41   - "Unique Identifier"
    43 42  metadata:
    skipped 22 lines
  • pkg/commands/process/settings/rules/javascript/third_parties/bugsnag.yml
    skipped 32 lines
    33 33   filters:
    34 34   - variable: CLIENT
    35 35   detection: javascript_third_parties_bugsnag_client
    36  -trigger: local
    37 36  skip_data_types:
    38 37   - "Unique Identifier"
    39 38  metadata:
    skipped 26 lines
  • pkg/commands/process/settings/rules/javascript/third_parties/datadog.yml
    skipped 18 lines
    19 19   patterns:
    20 20   - |
    21 21   new StatsD($<...>)
    22  -trigger: local
    23 22  skip_data_types:
    24 23   - "Unique Identifier"
    25 24  metadata:
    skipped 31 lines
  • pkg/commands/process/settings/rules/javascript/third_parties/datadog_browser.yml
    skipped 8 lines
    9 9   })
    10 10  languages:
    11 11   - javascript
    12  -trigger: presence
    13 12  metadata:
    14 13   description: "Sensitive data sent to Datadog detected."
    15 14   remediation_message: |
    skipped 15 lines
  • pkg/commands/process/settings/rules/javascript/third_parties/dom_purify.yml
    skipped 13 lines
    14 14   { RETURN_DOM_IMPORT: true }
    15 15  languages:
    16 16   - javascript
    17  -trigger: presence
    18 17  severity: high
    19 18  metadata:
    20 19   description: "Unsecure use of DOMPurify detected."
    skipped 23 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/elasticsearch.yml
    skipped 10 lines
    11 11   - es
    12 12  languages:
    13 13   - javascript
    14  -trigger: local
    15 14  metadata:
    16 15   description: "Sensitive data sent to ElasticSearch detected."
    17 16   remediation_message: |
    skipped 14 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/google_analytics.yml
    skipped 7 lines
    8 8   - javascript
    9 9  skip_data_types:
    10 10   - "Unique Identifier"
    11  -trigger: local
    12 11  metadata:
    13 12   description: "Sensitive data sent to Google Analytic detected."
    14 13   remediation_message: |
    skipped 25 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/google_tag_manager.yml
    skipped 12 lines
    13 13   - javascript
    14 14  skip_data_types:
    15 15   - "Unique Identifier"
    16  -trigger: local
    17 16  metadata:
    18 17   description: "Sensitive data sent to Google Tag Manager detected."
    19 18   remediation_message: |
    skipped 31 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/honeybadger.yml
    skipped 16 lines
    17 17   - javascript
    18 18  skip_data_types:
    19 19   - "Unique Identifier"
    20  -trigger: local
    21 20  metadata:
    22 21   description: "Sensitive data sent to Honeybadger detected."
    23 22   remediation_message: |
    skipped 24 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/new_relic.yml
    skipped 45 lines
    46 46   - newrelic
    47 47   - newRelic
    48 48   - client
    49  -trigger: local
    50 49  metadata:
    51 50   description: "Sensitive data sent to New Relic detected."
    52 51   remediation_message: |
    skipped 14 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/open_telemetry.yml
    skipped 18 lines
    19 19   patterns:
    20 20   - opentelemetry.trace.getSpan()
    21 21   - span
    22  -trigger: local
    23 22  skip_data_types:
    24 23   - "Unique Identifier"
    25 24  metadata:
    skipped 15 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/passport_hardcoded_secret.yml
    skipped 50 lines
    51 51   - passport.use
    52 52  languages:
    53 53   - javascript
    54  -trigger: presence
    55 54  severity: high
    56 55  metadata:
    57 56   description: "Hardcoded passport secret detected"
    skipped 22 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/rollbar.yml
    skipped 18 lines
    19 19   - javascript
    20 20  skip_data_types:
    21 21   - "Unique Identifier"
    22  -trigger: local
    23 22  metadata:
    24 23   description: "Sensitive data sent to Rollbar detected."
    25 24   remediation_message: |
    skipped 21 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/segment.yml
    skipped 21 lines
    22 22   AnalyticsBrowser.load()
    23 23  languages:
    24 24   - javascript
    25  -trigger: local
    26 25  skip_data_types:
    27 26   - "Unique Identifier"
    28 27  metadata:
    skipped 17 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/javascript/third_parties/sentry.yml
    skipped 28 lines
    29 29   Sentry.configureScope(($<!>$<_>) => {})
    30 30  languages:
    31 31   - javascript
    32  -trigger: local
    33 32  skip_data_types:
    34 33   - "Unique Identifier"
    35 34  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/cookies.yml
    skipped 24 lines
    25 25   detection: datatype
    26 26  languages:
    27 27   - ruby
    28  -trigger: local
    29 28  metadata:
    30 29   description: "Sensitive data stored in a cookie detected."
    31 30   remediation_message: |
    skipped 27 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/deserialization_of_user_input.yml
    skipped 49 lines
    50 50   - cookies
    51 51  languages:
    52 52   - ruby
    53  -trigger: presence
    54 53  severity: high
    55 54  metadata:
    56 55   description: "User input detected in an unsafe deserialization method."
    skipped 25 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/eval_using_user_input.yml
    skipped 36 lines
    37 37   end
    38 38  languages:
    39 39   - ruby
    40  -trigger: presence
    41 40  severity: high
    42 41  metadata:
    43 42   description: "Potential command injection with user input detected."
    skipped 26 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/exception.yml
    skipped 5 lines
    6 6   detection: datatype
    7 7  languages:
    8 8   - ruby
    9  -trigger: local
    10 9  skip_data_types:
    11 10   - Unique Identifier
    12 11  metadata:
    skipped 23 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/exec_using_user_input.yml
    skipped 109 lines
    110 110   - variable: SHELL
    111 111   detection: ruby_lang_exec_using_user_input_shell
    112 112   - Shell::CommandProcessor.new$<...>
    113  -trigger: presence
    114 113  severity: high
    115 114  metadata:
    116 115   description: "Execution of OS command formed with user input detected."
    skipped 35 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/file_generation.yml
    skipped 37 lines
    38 38   IO.open()
    39 39   - |
    40 40   IO.open() { |$<!>$<_:identifier>| }
    41  -trigger: local
    42 41  metadata:
    43 42   description: "Sensitive data detected as part of a dynamic file generation."
    44 43   remediation_message: |
    skipped 23 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/ftp_using_user_input.yml
    skipped 31 lines
    32 32   - Net::FTP.open() { |$<!>$<_:identifier>| }
    33 33  languages:
    34 34   - ruby
    35  -trigger: presence
    36 35  severity: high
    37 36  metadata:
    38 37   description: "Do not use user input with FTP."
    skipped 28 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/hardcoded_secret.yml
    skipped 40 lines
    41 41   contains: false
    42 42  languages:
    43 43   - ruby
    44  -trigger: presence
    45 44  severity: high
    46 45  metadata:
    47 46   description: "Hard-coded secret detected."
    skipped 17 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/http_get_params.yml
    skipped 25 lines
    26 26   - Typhoeus
    27 27   - variable: DATA_TYPE
    28 28   detection: datatype
    29  -trigger: local
    30 29  metadata:
    31 30   description: "Sensitive data communicated through GET parameters detected."
    32 31   remediation_message: |
    skipped 45 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/http_insecure.yml
    skipped 164 lines
    165 165   filters:
    166 166   - variable: INSECURE_URL
    167 167   detection: insecure_url
    168  -trigger: presence
    169 168  severity: low
    170 169  metadata:
    171 170   description: "Connection through an unsecure HTTP communication detected."
    skipped 25 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/http_post_insecure_with_data.yml
    skipped 24 lines
    25 25   detection: insecure_url
    26 26   - variable: DATA_TYPE
    27 27   detection: datatype
    28  -trigger: local
    29 28  metadata:
    30 29   description: "Sensitive data sent through an unsecure HTTP communication detected."
    31 30   remediation_message: |
    skipped 37 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/http_url_using_user_input.yml
    skipped 305 lines
    306 306   - | # AWS lambda
    307 307   def $<_>($<!>event:, context:)
    308 308   end
    309  -trigger: presence
    310 309  severity: high
    311 310  metadata:
    312 311   description: "HTTP communication with user-controlled destination detected."
    skipped 31 lines
  • ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/insecure_ftp/.snapshots/TestRubyLangInsecureFtp--ftp_open_with_datatype.yml
    skipped 4 lines
    5 5   id: ruby_lang_insecure_ftp
    6 6   description: Communication with an unsecure FTP server detected.
    7 7   documentation_url: https://docs.bearer.com/reference/rules/ruby_lang_insecure_ftp
    8  - line_number: 3
     8 + line_number: 6
    9 9   filename: ftp_open_with_datatype.rb
    10 10   category_groups:
    11 11   - PII
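Review bot: the finding moves from `line_number: 3` to `line_number: 6` in `ftp_open_with_datatype.rb`, but the commit message only mentions updating the Bugsnag snapshot, and insecure_ftp.yml (further down in this change) was a `trigger: presence` rule, so it is not obvious why the trigger rework relocates its reported line. State the reason in the commit message, or confirm this is the intended effect of the duplicate-detection fix rather than the detection on line 3 being lost.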
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/insecure_ftp.yml
    skipped 11 lines
    12 12   Net::FTP.open()$<...>
    13 13  languages:
    14 14   - ruby
    15  -trigger: presence
    16 15  severity: low
    17 16  metadata:
    18 17   description: "Communication with an unsecure FTP server detected."
    skipped 22 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/jwt.yml
    skipped 5 lines
    6 6   detection: datatype
    7 7  languages:
    8 8   - ruby
    9  -trigger: local
    10 9  metadata:
    11 10   description: "Sensitive data in a JWT detected."
    12 11   remediation_message: |
    skipped 23 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/logger.yml
    skipped 13 lines
    14 14   - log
    15 15  languages:
    16 16   - ruby
    17  -trigger: local
    18 17  skip_data_types:
    19 18   - "Unique Identifier"
    20 19  metadata:
    skipped 27 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/path_using_user_input.yml
    skipped 218 lines
    219 219   detection: ruby_lang_path_using_user_input_user_input
    220 220  languages:
    221 221   - ruby
    222  -trigger: presence
    223 222  severity: high
    224 223  metadata:
    225 224   description: "Do not use user input to form file paths."
    skipped 26 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/reflection_using_user_input.yml
    skipped 86 lines
    87 87   - | # AWS lambda
    88 88   def $<_>($<!>event:, context:)
    89 89   end
    90  -trigger: presence
    91 90  severity: high
    92 91  metadata:
    93 92   description: "Use of reflection influenced by user input detected."
    skipped 33 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/regex_using_user_input.yml
    skipped 28 lines
    29 29   end
    30 30  languages:
    31 31   - ruby
    32  -trigger: presence
    33 32  metadata:
    34 33   description: "Regular expression built from user input detected."
    35 34   remediation_message: |
    skipped 22 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/ssl_verification.yml
    skipped 6 lines
    7 7   $<_>.verify_mode = OpenSSL::SSL::VERIFY_NONE
    8 8  languages:
    9 9   - ruby
    10  -trigger: presence
    11 10  severity: medium
    12 11  metadata:
    13 12   description: "Missing SSL certificate verification detected."
    skipped 31 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/weak_encryption.yml
    skipped 87 lines
    88 88   patterns:
    89 89   - |
    90 90   Crypt::Blowfish.new()
    91  -trigger: presence
    92 91  metadata:
    93 92   description: "Weak encryption library usage detected."
    94 93   remediation_message: |
    skipped 31 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/lang/weak_encryption_with_data.yml
    skipped 114 lines
    115 115   patterns:
    116 116   - |
    117 117   Crypt::Blowfish.new()
    118  -trigger: local
    119 118  metadata:
    120 119   description: "Sensitive data encrypted with a weak encryption library detected."
    121 120   remediation_message: |
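Review bot: the pattern `Crypt::Blowfish.new()` is identical to the one in weak_encryption.yml above, which was a `trigger: presence` rule; the `trigger: local` line deleted here was the only visible thing distinguishing the two. After this change the distinction has to come from a `$<DATA_TYPE>` in one of the 114 skipped pattern lines. A unit or snapshot test asserting `IsLocal` is true for this rule and false for weak_encryption would protect against a regression.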
    skipped 31 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/default_encryption.yml
    skipped 14 lines
    15 15   - Unique Identifier
    16 16   - Passwords
    17 17  auto_encrypt_prefix: encrypted_
    18  -trigger: stored_data_types
     18 +trigger:
     19 + match_on: stored_data_types
    19 20  severity: warning
    20 21  metadata:
    21 22   description: "Missing application-level encryption of sensitive data detected."
    skipped 13 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/http_verb_confusion.yml
    skipped 9 lines
    10 10   end
    11 11   - pattern: |
    12 12   $<_> unless request.get?
    13  -trigger: presence
    14 13  severity: medium
    15 14  metadata:
    16 15   description: "Potential for HTTP verb confusion detected."
    skipped 21 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/insecure_communication.yml
    skipped 4 lines
    5 5   end
    6 6  languages:
    7 7   - ruby
    8  -trigger: presence
    9 8  severity: high
    10 9  metadata:
    11 10   description: "Missing force SSL configuration for incoming communication detected."
    skipped 21 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/insecure_disabling_of_callback.yml
    skipped 16 lines
    17 17   values:
    18 18   - except
    19 19   - unless
    20  -trigger: presence
    21 20  metadata:
    22 21   description: "Insecure disabling of callback detected."
    23 22   remediation_message: |
    skipped 15 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/insecure_http_password.yml
    skipped 4 lines
    5 5   end
    6 6  languages:
    7 7   - ruby
    8  -trigger: presence
    9 8  metadata:
    10 9   description: "Insecure HTTP Password."
    11 10   remediation_message: |
    skipped 3 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/insecure_smtp.yml
    skipped 12 lines
    13 13   end
    14 14  languages:
    15 15   - ruby
    16  -trigger: presence
    17 16  metadata:
    18 17   description: "Communication with an unsecure SMTP connection detected."
    19 18   remediation_message: |
    skipped 21 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/logger.yml
    skipped 13 lines
    14 14   - unknown
    15 15  languages:
    16 16   - ruby
    17  -trigger: local
    18 17  skip_data_types:
    19 18   - "Unique Identifier"
    20 19  metadata:
    skipped 25 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/open_redirect.yml
    skipped 11 lines
    12 12   - params
    13 13   - request
    14 14   - cookies
    15  -trigger: presence
    16 15  severity: medium
    17 16  metadata:
    18 17   description: "Open redirect detected"
    skipped 7 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/password_length.yml
    skipped 32 lines
    33 33   - variable: LENGTH
    34 34   less_than: 8
    35 35   match_violation: true
    36  -trigger: global
     36 +trigger:
     37 + match_on: presence
     38 + data_types_required: true
    37 39  severity: high
    38 40  metadata:
    39 41   description: "Password length (< 8) requirement is too short."
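Review bot: `trigger: global` becomes `match_on: presence` plus `data_types_required: true`, so the old global trigger is now expressed as a flag layered on presence matching. Because rules.go defaults `DataTypesRequired` to `false`, a custom rule ported from `trigger: global` by someone who only writes `match_on: presence` will quietly lose the data-type requirement; the custom-rule docs touched by this commit should spell out the mapping (global → `match_on: presence` with `data_types_required: true`).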
    skipped 20 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/permissive_regex_validation.yml
    skipped 16 lines
    17 17   - not:
    18 18   variable: REGEX
    19 19   regex: \A([/'"]|%r.)\\A.*\\[zZ].\z
    20  -trigger: presence
    21 20  metadata:
    22 21   description: "Validation using permissive regular expression detected."
    23 22   remediation_message: |
    skipped 33 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/render_using_user_input.yml
    skipped 32 lines
    33 33   - strip_tags
    34 34   - variable: USER_INPUT
    35 35   detection: ruby_rails_render_using_user_input_user_input
    36  -trigger: presence
    37 36  severity: high
    38 37  metadata:
    39 38   description: "Unsanitized user input detected in response."
    skipped 26 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/session.yml
    skipped 5 lines
    6 6   detection: datatype
    7 7  languages:
    8 8   - ruby
    9  -trigger: local
    10 9  skip_data_types:
    11 10   - "Unique Identifier"
    12 11  metadata:
    skipped 21 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/rails/session_key_using_user_input.yml
    skipped 11 lines
    12 12   - cookies
    13 13  languages:
    14 14   - ruby
    15  -trigger: presence
    16 15  severity: high
    17 16  metadata:
    18 17   description: "User input detected in a session key."
    skipped 13 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/airbrake.yml
    skipped 48 lines
    49 49   filters:
    50 50   - variable: DATA_TYPE
    51 51   detection: datatype
    52  -trigger: local
    53 52  skip_data_types:
    54 53   - "Unique Identifier"
    55 54  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/algolia.yml
    skipped 23 lines
    24 24   filters:
    25 25   - variable: CLIENT
    26 26   detection: ruby_third_parties_algolia_client
    27  -trigger: local
    28 27  skip_data_types:
    29 28   - "Unique Identifier"
    30 29  metadata:
    skipped 15 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/bigquery.yml
    skipped 56 lines
    57 57   filters:
    58 58   - variable: TABLE
    59 59   detection: ruby_third_parties_bigquery_table
    60  -trigger: local
    61 60  skip_data_types:
    62 61   - "Unique Identifier"
    63 62  metadata:
    skipped 15 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/bugsnag/.snapshots/TestRubyThirdPartiesBugsnag--bugsnag_notify.yml
    skipped 10 lines
    11 11   - PII
    12 12   parent_line_number: 2
    13 13   parent_content: raise CustomException.new(current_user.email)
     14 + - rule:
     15 + cwe_ids:
     16 + - "201"
     17 + id: ruby_third_parties_bugsnag
     18 + description: Sensitive data sent to Bugsnag detected.
     19 + documentation_url: https://docs.bearer.com/reference/rules/ruby_third_parties_bugsnag
     20 + line_number: 7
     21 + filename: bugsnag_notify.rb
     22 + category_groups:
     23 + - PII
     24 + parent_line_number: 7
     25 + parent_content: |-
     26 + Bugsnag.notify(exception) do |event|
     27 + # Adjust the severity of this error
     28 + event.severity = "warning"
     29 + 
     30 + # Add customer information to this event
     31 + event.add_metadata(:account, {
     32 + user_name: current_user.name,
     33 + paying_customer: true
     34 + })
     35 + end
    14 36   
    15 37   
    16 38   
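Review bot: the newly added finding reports `line_number: 7` and `parent_line_number: 7`, the start of the `Bugsnag.notify(exception) do |event|` block, while the sensitive value `current_user.name` is on the `user_name:` line six lines further into `parent_content`. The earlier finding in this same snapshot points `parent_line_number: 2` at a single-line statement, so the two are not reported consistently. If the duplicate-detection fix intends to report the outer call once, consider keeping `line_number` on the line that actually carries the data type so the location stays actionable.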
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/bugsnag.yml
    skipped 25 lines
    26 26   end
    27 27  languages:
    28 28   - ruby
    29  -trigger: local
    30 29  skip_data_types:
    31 30   - "Unique Identifier"
    32 31  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/clickhouse.yml
    skipped 12 lines
    13 13   patterns:
    14 14   - |
    15 15   Clickhouse.connection.insert_rows() { |$<!>$<_:identifier>| }
    16  -trigger: local
    17 16  skip_data_types:
    18 17   - "Unique Identifier"
    19 18  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/datadog.yml
    skipped 28 lines
    29 29   Datadog::Tracing.active_span
    30 30   - |
    31 31   Datadog::Tracing.trace() { |$<!>$<SPAN:identifier>$<...>| }
    32  -trigger: local
    33 32  skip_data_types:
    34 33   - "Unique Identifier"
    35 34  metadata:
    skipped 17 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/elasticsearch.yml
    skipped 31 lines
    32 32   Elasticsearch::Client.new()
    33 33   - |
    34 34   Elasticsearch::Client.new
    35  -trigger: local
    36 35  skip_data_types:
    37 36   - "Unique Identifier"
    38 37  metadata:
    skipped 15 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/google_analytics.yml
    skipped 19 lines
    20 20   - update!
    21 21  languages:
    22 22   - ruby
    23  -trigger: local
    24 23  skip_data_types:
    25 24   - Unique Identifier
    26 25  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/google_dataflow.yml
    skipped 115 lines
    116 116   patterns:
    117 117   - |
    118 118   Google::Cloud::Dataflow::$<_>::TemplateMetadata.new
    119  -trigger: local
    120 119  skip_data_types:
    121 120   - "Unique Identifier"
    122 121  metadata:
    skipped 15 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/honeybadger.yml
    skipped 22 lines
    23 23   detection: datatype
    24 24  languages:
    25 25   - ruby
    26  -trigger: local
    27 26  skip_data_types:
    28 27   - "Unique Identifier"
    29 28  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/new_relic.yml
    skipped 15 lines
    16 16   detection: datatype
    17 17  languages:
    18 18   - ruby
    19  -trigger: local
    20 19  skip_data_types:
    21 20   - "Unique Identifier"
    22 21  metadata:
    skipped 17 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/open_telemetry.yml
    skipped 32 lines
    33 33   OpenTelemetry::Trace.current_span
    34 34   - |
    35 35   $<_>.in_span() { |$<!>$<_:identifier>| }
    36  -trigger: local
    37 36  skip_data_types:
    38 37   - "Unique Identifier"
    39 38  metadata:
    skipped 15 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/rollbar.yml
    skipped 41 lines
    42 42   patterns:
    43 43   - |
    44 44   Rollbar.scope()
    45  -trigger: local
    46 45  skip_data_types:
    47 46   - "Unique Identifier"
    48 47  metadata:
    skipped 17 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/scout_apm.yml
    skipped 10 lines
    11 11   detection: datatype
    12 12  languages:
    13 13   - ruby
    14  -trigger: local
    15 14  skip_data_types:
    16 15   - "Unique Identifier"
    17 16  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/segment.yml
    skipped 19 lines
    20 20   Segment::Analytics.new()
    21 21  languages:
    22 22   - ruby
    23  -trigger: local
    24 23  skip_data_types:
    25 24   - "Unique Identifier"
    26 25  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules/ruby/third_parties/sentry.yml
    skipped 123 lines
    124 124   detection: datatype
    125 125  languages:
    126 126   - ruby
    127  -trigger: local
    128 127  skip_data_types:
    129 128   - "Unique Identifier"
    130 129  metadata:
    skipped 16 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/rules.go
    skipped 175 lines
    176 176   ruleType = defaultRuleType
    177 177   }
    178 178   
     179 + // build rule trigger
     180 + ruleTrigger := RuleTrigger{
     181 + MatchOn: PRESENCE,
     182 + DataTypesRequired: false,
     183 + }
     184 + if definition.Trigger != nil {
     185 + if definition.Trigger.MatchOn != nil {
     186 + ruleTrigger.MatchOn = *definition.Trigger.MatchOn
     187 + }
     188 + if definition.Trigger.DataTypesRequired != nil {
     189 + ruleTrigger.DataTypesRequired = *definition.Trigger.DataTypesRequired
     190 + }
     191 + if definition.Trigger.RequiredDetection != nil {
     192 + ruleTrigger.RequiredDetection = definition.Trigger.RequiredDetection
     193 + }
     194 + }
     195 + 
     196 + isLocal := false
     197 + for _, rulePattern := range definition.Patterns {
     198 + if strings.Contains(rulePattern.Pattern, "$<DATA_TYPE>") {
     199 + isLocal = true
     200 + break
     201 + }
     202 + }
     203 + 
    179 204   rules[id] = &Rule{
    180  - Id: id,
    181  - Type: ruleType,
    182  - AssociatedRecipe: definition.Metadata.AssociatedRecipe,
    183  - Trigger: definition.Trigger,
    184  - SkipDataTypes: definition.SkipDataTypes,
    185  - OnlyDataTypes: definition.OnlyDataTypes,
    186  - Severity: definition.Severity,
    187  - Description: definition.Metadata.Description,
    188  - RemediationMessage: definition.Metadata.RemediationMessage,
    189  - Stored: definition.Stored,
    190  - Detectors: definition.Detectors,
    191  - Processors: definition.Processors,
    192  - AutoEncrytPrefix: definition.AutoEncrytPrefix,
    193  - CWEIDs: definition.Metadata.CWEIDs,
    194  - Languages: definition.Languages,
    195  - ParamParenting: definition.ParamParenting,
    196  - Patterns: definition.Patterns,
    197  - DocumentationUrl: definition.Metadata.DocumentationUrl,
    198  - OmitParentContent: definition.OmitParentContent,
    199  - TriggerRuleOnPresenceOf: definition.TriggerRuleOnPresenceOf,
     205 + Id: id,
     206 + Type: ruleType,
     207 + AssociatedRecipe: definition.Metadata.AssociatedRecipe,
     208 + Trigger: ruleTrigger,
     209 + IsLocal: isLocal,
     210 + SkipDataTypes: definition.SkipDataTypes,
     211 + OnlyDataTypes: definition.OnlyDataTypes,
     212 + Severity: definition.Severity,
     213 + Description: definition.Metadata.Description,
     214 + RemediationMessage: definition.Metadata.RemediationMessage,
     215 + Stored: definition.Stored,
     216 + Detectors: definition.Detectors,
     217 + Processors: definition.Processors,
     218 + AutoEncrytPrefix: definition.AutoEncrytPrefix,
     219 + CWEIDs: definition.Metadata.CWEIDs,
     220 + Languages: definition.Languages,
     221 + ParamParenting: definition.ParamParenting,
     222 + Patterns: definition.Patterns,
     223 + DocumentationUrl: definition.Metadata.DocumentationUrl,
     224 + OmitParentContent: definition.OmitParentContent,
    200 225   }
    201 226   
    202 227   for _, auxiliaryDefinition := range definition.Auxiliary {
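Review bot: `isLocal` is computed by scanning only `definition.Patterns` for the literal substring `"$<DATA_TYPE>"`, so patterns under `definition.Auxiliary` (iterated in the loop right below) are never considered, and the magic string is hard-coded here rather than shared with whatever parses `$<...>` variables elsewhere; suggest hoisting it into a named constant and, if auxiliary patterns can match data types, including them in the scan. Separately, `*definition.Trigger.MatchOn` is copied into `ruleTrigger.MatchOn` without checking that it is one of `PRESENCE`, `ABSENCE` or `STORED_DATA_TYPES`, so a typo in a custom rule's `match_on` is accepted silently and the rule falls through to whatever the consumers do with an unknown value; return an error from this loader for unrecognised values.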
    skipped 14 lines
  • ■ ■ ■ ■ ■ ■
    pkg/commands/process/settings/settings.go
    skipped 61 lines
    62 62   Content string `mapstructure:"content" json:"content" yaml:"content"`
    63 63  }
    64 64   
     65 +type MatchOn string
     66 + 
     67 +const (
     68 + PRESENCE MatchOn = "presence"
     69 + ABSENCE MatchOn = "absence"
     70 + STORED_DATA_TYPES MatchOn = "stored_data_types"
     71 +)
     72 + 
     73 +type RuleTrigger struct {
     74 + MatchOn MatchOn `mapstructure:"match_on" json:"match_on" yaml:"match_on"`
     75 + DataTypesRequired bool `mapstructure:"data_types_required" json:"data_types_required" yaml:"data_types_required"`
     76 + RequiredDetection *string `mapstructure:"required_detection" json:"required_detection" yaml:"required_detection"`
     77 +}
     78 + 
     79 +type RuleDefinitionTrigger struct {
     80 + MatchOn *MatchOn `mapstructure:"match_on" json:"match_on" yaml:"match_on"`
     81 + RequiredDetection *string `mapstructure:"required_detection" json:"required_detection" yaml:"required_detection"`
     82 + DataTypesRequired *bool `mapstructure:"data_types_required" json:"data_types_required" yaml:"data_types_required"`
     83 +}
     84 + 
    65 85  type RuleMetadata struct {
    66 86   Description string `mapstructure:"description" json:"description" yaml:"description"`
    67 87   RemediationMessage string `mapstructure:"remediation_message" json:"remediation_messafe" yaml:"remediation_messafe"`
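Review bot: `RuleTrigger` and `RuleDefinitionTrigger` are structurally identical apart from pointer-ness, and none of the new fields carry a doc comment. `RequiredDetection` in particular is introduced with no explanation of when it is consulted or how it combines with `DataTypesRequired`, and `ABSENCE` is declared but nothing in this change uses it. Add comments stating that a nil `RuleDefinitionTrigger` (or nil field) means "use the defaults applied in rules.go", and what `required_detection` and `absence` mean for rule authors.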
    skipped 4 lines
    72 92  }
    73 93   
    74 94  type RuleDefinition struct {
    75  - Disabled bool `mapstructure:"disabled" json:"disabled" yaml:"disabled"`
    76  - Type string `mapstructure:"type" json:"type" yaml:"type"`
    77  - Languages []string `mapstructure:"languages" json:"languages" yaml:"languages"`
    78  - ParamParenting bool `mapstructure:"param_parenting" json:"param_parenting" yaml:"param_parenting"`
    79  - Patterns []RulePattern `mapstructure:"patterns" json:"patterns" yaml:"patterns"`
    80  - Stored bool `mapstructure:"stored" json:"stored" yaml:"stored"`
    81  - Detectors []string `mapstructure:"detectors" json:"detectors,omitempty" yaml:"detectors,omitempty"`
    82  - Processors []string `mapstructure:"processors" json:"processors,omitempty" yaml:"processors,omitempty"`
    83  - AutoEncrytPrefix string `mapstructure:"auto_encrypt_prefix" json:"auto_encrypt_prefix,omitempty" yaml:"auto_encrypt_prefix,omitempty"`
    84  - DetectPresence bool `mapstructure:"detect_presence" json:"detect_presence" yaml:"detect_presence"`
    85  - Trigger string `mapstructure:"trigger" json:"trigger" yaml:"trigger"` // TODO: use enum value
    86  - Severity string `mapstructure:"severity" json:"severity,omitempty" yaml:"severity,omitempty"`
    87  - SkipDataTypes []string `mapstructure:"skip_data_types" json:"skip_data_types,omitempty" yaml:"skip_data_types,omitempty"`
    88  - OnlyDataTypes []string `mapstructure:"only_data_types" json:"only_data_types,omitempty" yaml:"only_data_types,omitempty"`
    89  - OmitParentContent bool `mapstructure:"omit_parent_content" json:"omit_parent_content,omitempty" yaml:"omit_parent_content,omitempty"`
    90  - Metadata *RuleMetadata `mapstructure:"metadata" json:"metadata" yaml:"metadata"`
    91  - Auxiliary []Auxiliary `mapstructure:"auxiliary" json:"auxiliary" yaml:"auxiliary"`
    92  - TriggerRuleOnPresenceOf string `mapstructure:"trigger_rule_on_presence_of" json:"trigger_rule_on_presence_of" yaml:"trigger_rule_on_presence_of"`
     95 + Disabled bool `mapstructure:"disabled" json:"disabled" yaml:"disabled"`
     96 + Type string `mapstructure:"type" json:"type" yaml:"type"`
     97 + Languages []string `mapstructure:"languages" json:"languages" yaml:"languages"`
     98 + ParamParenting bool `mapstructure:"param_parenting" json:"param_parenting" yaml:"param_parenting"`
     99 + Patterns []RulePattern `mapstructure:"patterns" json:"patterns" yaml:"patterns"`
     100 + Stored bool `mapstructure:"stored" json:"stored" yaml:"stored"`
     101 + Detectors []string `mapstructure:"detectors" json:"detectors,omitempty" yaml:"detectors,omitempty"`
     102 + Processors []string `mapstructure:"processors" json:"processors,omitempty" yaml:"processors,omitempty"`
     103 + AutoEncrytPrefix string `mapstructure:"auto_encrypt_prefix" json:"auto_encrypt_prefix,omitempty" yaml:"auto_encrypt_prefix,omitempty"`
     104 + DetectPresence bool `mapstructure:"detect_presence" json:"detect_presence" yaml:"detect_presence"`
     105 + Trigger *RuleDefinitionTrigger `mapstructure:"trigger" json:"trigger" yaml:"trigger"` // TODO: use enum value
     106 + Severity string `mapstructure:"severity" json:"severity,omitempty" yaml:"severity,omitempty"`
     107 + SkipDataTypes []string `mapstructure:"skip_data_types" json:"skip_data_types,omitempty" yaml:"skip_data_types,omitempty"`
     108 + OnlyDataTypes []string `mapstructure:"only_data_types" json:"only_data_types,omitempty" yaml:"only_data_types,omitempty"`
     109 + OmitParentContent bool `mapstructure:"omit_parent_content" json:"omit_parent_content,omitempty" yaml:"omit_parent_content,omitempty"`
     110 + Metadata *RuleMetadata `mapstructure:"metadata" json:"metadata" yaml:"metadata"`
     111 + Auxiliary []Auxiliary `mapstructure:"auxiliary" json:"auxiliary" yaml:"auxiliary"`
    93 112  }
    94 113   
    95 114  type Auxiliary struct {
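Review bot: the `// TODO: use enum value` comment kept on `Trigger *RuleDefinitionTrigger` is now stale, since `MatchOn` is the typed enum this TODO asked for; drop it. More importantly, `TriggerRuleOnPresenceOf` is removed from `RuleDefinition`, and unless the mapstructure decoder is configured to reject unused keys, any rule YAML still containing `trigger_rule_on_presence_of` will be accepted and silently ignored. Check that no rule file still uses that key and that unknown keys fail loudly at load time.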
    skipped 17 lines
    113 132  }
    114 133   
    115 134  type Rule struct {
    116  - Id string `mapstructure:"id" json:"id,omitempty" yaml:"id,omitempty"`
    117  - AssociatedRecipe string `mapstructure:"associated_recipe" json:"associated_recipe" yaml:"associated_recipe"`
    118  - Type string `mapstructure:"type" json:"type,omitempty" yaml:"type,omitempty"` // TODO: use enum value
    119  - Trigger string `mapstructure:"trigger" json:"trigger,omitempty" yaml:"trigger,omitempty"` // TODO: use enum value
    120  - Detectors []string `mapstructure:"detectors" json:"detectors,omitempty" yaml:"detectors,omitempty"`
    121  - Processors []string `mapstructure:"processors" json:"processors,omitempty" yaml:"processors,omitempty"`
    122  - Stored bool `mapstructure:"stored" json:"stored,omitempty" yaml:"stored,omitempty"`
    123  - AutoEncrytPrefix string `mapstructure:"auto_encrypt_prefix" json:"auto_encrypt_prefix,omitempty" yaml:"auto_encrypt_prefix,omitempty"`
    124  - OmitParentContent bool `mapstructure:"omit_parent_content" json:"omit_parent_content,omitempty" yaml:"omit_parent_content,omitempty"`
    125  - SkipDataTypes []string `mapstructure:"skip_data_types" json:"skip_data_types,omitempty" yaml:"skip_data_types,omitempty"`
    126  - OnlyDataTypes []string `mapstructure:"only_data_types" json:"only_data_types,omitempty" yaml:"only_data_types,omitempty"`
    127  - Severity string `mapstructure:"severity" json:"severity,omitempty" yaml:"severity,omitempty"`
    128  - Description string `mapstructure:"description" json:"description" yaml:"description"`
    129  - RemediationMessage string `mapstructure:"remediation_message" json:"remediation_messafe" yaml:"remediation_messafe"`
    130  - CWEIDs []string `mapstructure:"cwe_ids" json:"cwe_ids" yaml:"cwe_ids"`
    131  - Languages []string `mapstructure:"languages" json:"languages" yaml:"languages"`
    132  - Patterns []RulePattern `mapstructure:"patterns" json:"patterns" yaml:"patterns"`
    133  - DocumentationUrl string `mapstructure:"documentation_url" json:"documentation_url" yaml:"documentation_url"`
    134  - TriggerRuleOnPresenceOf string `mapstructure:"trigger_rule_on_presence_of" json:"trigger_rule_on_presence_of" yaml:"trigger_rule_on_presence_of"`
    135  - IsAuxilary bool `mapstructure:"is_auxilary" json:"is_auxilary" yaml:"is_auxilary"`
     135 + Id string `mapstructure:"id" json:"id,omitempty" yaml:"id,omitempty"`
     136 + AssociatedRecipe string `mapstructure:"associated_recipe" json:"associated_recipe" yaml:"associated_recipe"`
     137 + Type string `mapstructure:"type" json:"type,omitempty" yaml:"type,omitempty"` // TODO: use enum value
     138 + Trigger RuleTrigger `mapstructure:"trigger" json:"trigger,omitempty" yaml:"trigger,omitempty"`
     139 + IsLocal bool `mapstructure:"is_local" json:"is_local,omitempty" yaml:"is_local,omitempty"`
     140 + Detectors []string `mapstructure:"detectors" json:"detectors,omitempty" yaml:"detectors,omitempty"`
     141 + Processors []string `mapstructure:"processors" json:"processors,omitempty" yaml:"processors,omitempty"`
     142 + Stored bool `mapstructure:"stored" json:"stored,omitempty" yaml:"stored,omitempty"`
     143 + AutoEncrytPrefix string `mapstructure:"auto_encrypt_prefix" json:"auto_encrypt_prefix,omitempty" yaml:"auto_encrypt_prefix,omitempty"`
     144 + OmitParentContent bool `mapstructure:"omit_parent_content" json:"omit_parent_content,omitempty" yaml:"omit_parent_content,omitempty"`
     145 + SkipDataTypes []string `mapstructure:"skip_data_types" json:"skip_data_types,omitempty" yaml:"skip_data_types,omitempty"`
     146 + OnlyDataTypes []string `mapstructure:"only_data_types" json:"only_data_types,omitempty" yaml:"only_data_types,omitempty"`
     147 + Severity string `mapstructure:"severity" json:"severity,omitempty" yaml:"severity,omitempty"`
     148 + Description string `mapstructure:"description" json:"description" yaml:"description"`
     149 + RemediationMessage string `mapstructure:"remediation_message" json:"remediation_messafe" yaml:"remediation_messafe"`
     150 + CWEIDs []string `mapstructure:"cwe_ids" json:"cwe_ids" yaml:"cwe_ids"`
     151 + Languages []string `mapstructure:"languages" json:"languages" yaml:"languages"`
     152 + Patterns []RulePattern `mapstructure:"patterns" json:"patterns" yaml:"patterns"`
     153 + DocumentationUrl string `mapstructure:"documentation_url" json:"documentation_url" yaml:"documentation_url"`
     154 + IsAuxilary bool `mapstructure:"is_auxilary" json:"is_auxilary" yaml:"is_auxilary"`
    136 155   
    137 156   // FIXME: remove after refactor of sql
    138 157   Metavars map[string]MetaVar `mapstructure:"metavars" json:"metavars" yaml:"metavars"`
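Review bot: the json/yaml tag typo `remediation_messafe` on the `RemediationMessage` line (line 149) is carried over unchanged while the whole field list is being rewritten; correcting it to `remediation_message` changes serialized output, so if it is kept deliberately for compatibility, leave a comment saying so (same for `is_auxilary` / `IsAuxilary` on line 154). Separately, `Trigger RuleTrigger` (line 138) and `IsLocal bool` (line 139) both describe when a rule fires, and `TriggerRuleOnPresenceOf` is removed without a stated replacement; a doc comment on how `IsLocal` relates to `Trigger` (derived from it, or set independently in the rule file) would help the next reader.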
    skipped 170 lines
  • ■ ■ ■ ■ ■ ■
    pkg/report/output/privacy/privacy.go
    skipped 140 lines
    141 141   thirdPartyRulesCounter := make(map[string]ThirdPartyRuleCounter)
    142 142   
    143 143   for _, rule := range config.Rules {
    144  - 
    145 144   // increment counters
    146  - 
    147  - if rule.Trigger == "local" {
     145 + if rule.IsLocal {
    148 146   localRuleCounter += 1
    149 147   }
    150 148   
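Review bot: with line 145 now reading `rule.IsLocal`, a rule file that still declares locality through the old `trigger: local` form is counted as non-local unless the loader maps the old value onto `IsLocal`; worth confirming that the rule-file migration in this commit covers every such rule, and adding a test that a local rule increments `localRuleCounter`. The old line compared against the literal `"local"` while security.go used `types.LocalTrigger`, so the boolean at least removes that inconsistency.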
    skipped 48 lines
    199 197   }
    200 198   
    201 199   for _, ruleOutputFailure := range ruleOutput["local_rule_failure"] {
    202  - 
    203  - // update subject rule failures
    204  - ruleSeverity := security.CalculateSeverity(ruleOutputFailure.CategoryGroups, rule.Severity, rule.Trigger)
     200 + ruleSeverity := security.CalculateSeverity(ruleOutputFailure.CategoryGroups, rule.Severity, true)
    205 201   
    206 202   key := buildKey(ruleOutputFailure.DataSubject, ruleOutputFailure.DataType)
    207 203   subjectRuleFailure, ok := subjectRuleFailures[key]
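Review bot: line 200 passes a hard-coded `true` to `CalculateSeverity`, which assumes every entry under `ruleOutput["local_rule_failure"]` involves local data types, whereas security.go derives the same argument from the per-detection `output.IsLocal`; if the privacy output carries that flag too, use it here so the two reports cannot disagree on severity for the same finding, otherwise add a comment stating why `true` is always correct for this bucket. The removed `// update subject rule failures` comment still described the code that follows (`subjectRuleFailures[key]`) and could be kept.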
    skipped 172 lines
  • ■ ■ ■ ■ ■ ■
    pkg/report/output/security/security.go
    skipped 14 lines
    15 15   "github.com/bearer/bearer/pkg/util/rego"
    16 16   "github.com/fatih/color"
    17 17   "github.com/hhatto/gocloc"
    18  - "github.com/rs/zerolog/log"
    19 18   "github.com/schollz/progressbar/v3"
    20 19   "github.com/ssoroka/slice"
    21 20   "golang.org/x/exp/maps"
    skipped 27 lines
    49 48  }
    50 49   
    51 50  type Output struct {
     51 + IsLocal *bool `json:"is_local,omitempty" yaml:"is_local,omitempty"`
    52 52   ParentLineNumber int `json:"parent_line_number,omitempty" yaml:"parent_line_number,omitempty"`
    53 53   ParentContent string `json:"parent_content,omitempty" yaml:"parent_content,omitempty"`
    54 54   LineNumber int `json:"line_number,omitempty" yaml:"line_number,omitempty"`
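Review bot: `IsLocal *bool` on line 51 introduces a three-way state (nil, false, true) without saying what nil means; if the pointer exists only so that rego output may omit the field, a doc comment on the field (for example "nil when the rule did not report locality") would stop callers from treating nil and false differently by accident.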
    skipped 107 lines
    162 162   DetailedContext: output.DetailedContext,
    163 163   }
    164 164   
    165  - severity := CalculateSeverity(result.CategoryGroups, rule.Severity, rule.Trigger)
     165 + severity := CalculateSeverity(result.CategoryGroups, rule.Severity, output.IsLocal != nil && *output.IsLocal)
    166 166   
    167 167   if config.Report.Severity[severity] {
    168 168   summaryResults[severity] = append(summaryResults[severity], result)
    skipped 67 lines
    236 236   return reportStr, reportPassed
    237 237  }
    238 238   
    239  -func CalculateSeverity(groups []string, severity string, trigger string) string {
     239 +func CalculateSeverity(groups []string, severity string, hasLocalDataTypes bool) string {
    240 240   if severity == types.LevelWarning {
    241  - log.Debug().Msgf("Calculated severity = %s (no calculation applied)", severity)
    242 241   return types.LevelWarning
    243 242   }
    244 243   
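Review bot: changing the exported `CalculateSeverity` signature from `trigger string` to `hasLocalDataTypes bool` (line 239) breaks any caller outside this package; a doc comment on the function stating what the boolean means and how it affects the weighting would help, and the `log.Debug()` removed at old line 241 was the only trace of the early-return path, with nothing added in its place.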
    skipped 22 lines
    267 266   }
    268 267   
    269 268   triggerWeighting := 1
    270  - if trigger == types.LocalTrigger {
     269 + if hasLocalDataTypes {
    271 270   triggerWeighting = 2
    272 271   }
    273  - 
    274  - log.Debug().Msgf("Calculated severity = %s : %d + (%s : %d * %s : %d)", severity, ruleSeverityWeighting, groups, sensitiveDataCategoryWeighting, trigger, triggerWeighting)
    275 272   
    276 273   switch finalWeighting := ruleSeverityWeighting + (sensitiveDataCategoryWeighting * triggerWeighting); {
    277 274   case finalWeighting >= 8:
    skipped 241 lines
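Review bot: the `log.Debug()` removed at old line 274 was the only place the severity arithmetic (`ruleSeverityWeighting + (sensitiveDataCategoryWeighting * triggerWeighting)`) was visible at runtime; rather than deleting it together with the zerolog import, reinstate it with `hasLocalDataTypes` in place of `trigger` so an unexpected severity can still be traced. Also, if `types.LocalTrigger` is no longer referenced anywhere after line 269 changes to `if hasLocalDataTypes {`, remove the dead constant in the same commit.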
  • ■ ■ ■ ■ ■ ■
    pkg/report/output/security/security_test.go
    skipped 32 lines
    33 33   Type: "risk",
    34 34   Languages: []string{"ruby"},
    35 35   Severity: "low",
     36 + IsLocal: false,
    36 37   }
    37 38   
    38 39   // limit rules so that test doesn't fail just because
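Review bot: `IsLocal: false` on line 36 sets the field to its zero value, which is harmless but exercises nothing new; a second rule with `IsLocal: true` would cover the branch this commit introduces.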
    skipped 82 lines
    121 122   
    122 123  func TestCalculateSeverity(t *testing.T) {
    123 124   res := []string{
    124  - security.CalculateSeverity([]string{"PHI", "Personal Data"}, "low", "local"),
    125  - security.CalculateSeverity([]string{"Personal Data (Sensitive)"}, "low", "global"),
    126  - security.CalculateSeverity([]string{"Personal Data"}, "low", "global"),
    127  - security.CalculateSeverity([]string{"Personal Data"}, "warning", "absence"),
    128  - security.CalculateSeverity([]string{}, "warning", "presence"),
     125 + security.CalculateSeverity([]string{"PHI", "Personal Data"}, "low", true),
     126 + security.CalculateSeverity([]string{"Personal Data (Sensitive)"}, "low", false),
     127 + security.CalculateSeverity([]string{"Personal Data"}, "low", false),
     128 + security.CalculateSeverity([]string{"Personal Data"}, "warning", false),
     129 + security.CalculateSeverity([]string{}, "warning", false),
    129 130   }
    130 131   
    131 132   cupaloy.SnapshotT(t, res)
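Review bot: the last two cases (lines 128 and 129) both pass `"warning"`, which, given the early return for warning severity in `CalculateSeverity`, exits before either the groups or the boolean are consulted; after the string-to-boolean change they therefore exercise the same path, and no case combines `true` with a sensitive category. Replacing one of them with, for example, `security.CalculateSeverity([]string{"Personal Data (Sensitive)"}, "low", true)` would cover the doubled trigger weighting. Since the test is snapshot-based via cupaloy, the stored snapshot must be regenerated in this commit as well.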
    skipped 96 lines