Changed category to be considered 1 if no category is specified and no override detected

cx-diogo-rocha · cx-diogo-rocha · commit c828e3a8008c · 2025-12-12T14:58:03.000Z
diff --git a/README.md b/README.md
@@ -298,8 +298,8 @@ Other fields are optional and can be seen in the example bellow of a file with a
   severity: High # severity, can only be one of [Critical, High, Medium, Low, Info]
   tags: # identifiers for the rule, tags can be used as values of --rule and --ignore-rule flags
     - api-key
-  category: General # category of the rule, should be a string of type ruledefine.RuleCategory. Impacts cvss score
-  scoreRuleType: 4 # can go from 4 to 0, 4 being most severe. For overrides, if Category is defined, ruleType also needs to be defined, or otherwise it will be considered 0. Impacts cvss score
+  category: General # category of the rule, should be a string of type ruledefine.RuleCategory. Can be omitted in custom rule, but if omitted and ruleId matches a default rule, the category will take the value of the category of that defaultRule. Impacts cvss score
+  scoreRuleType: 4 # can go from 1 to 4, 4 being most severe. If omitted in rule it will take the value of 1. Impacts cvss score
   disableValidation: false # if true, disables validity check for this rule, regardless of --validate flag
   deprecated: false # if true, the rule will not be used in the scan, regardless of --rule flag
   allowLists: # allowed values to ignore if matched
diff --git a/cmd/config_test.go b/cmd/config_test.go
@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -345,6 +346,12 @@ func TestCustomRulesFlag(t *testing.T) {
 			expectedRules:   nil,
 			expectErrors:    []error{errInvalidCustomRulesExtension},
 		},
+		{
+			name:            "Invalid rule type",
+			customRulesFile: "testData/customRulesInvalidRuleType.json",
+			expectedRules:   nil,
+			expectErrors:    []error{fmt.Errorf("cannot unmarshal number -2 into Go struct field Rule.scoreRuleType of type uint8")},
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/cmd/main_test.go b/cmd/main_test.go
@@ -106,7 +106,7 @@ func TestPreRun(t *testing.T) {
 					" mockSeverity not one of ([Critical High Medium Low Info])"),
 				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid category:" +
 					" mockCategory not an acceptable category of type RuleCategory"),
-				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, maximum is 4"),
+				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, should be between 1 and 4"),
 			},
 		},
 		{
diff --git a/cmd/testData/customRulesInvalidRuleType.json b/cmd/testData/customRulesInvalidRuleType.json
@@ -0,0 +1,16 @@
+[
+  {
+    "ruleId": "db18ccf1-4fbf-49f6-aec1-939a2e5464c0",
+    "ruleName": "mock-rule",
+    "description": "Match passwords",
+    "regex": "[A-Za-z0-9]{32}",
+    "keywords": ["password", "pwd"],
+    "entropy": 3.5,
+    "path": "secrets/passwords.txt",
+    "secretGroup": 1,
+    "severity": "High",
+    "tags": ["security", "credentials"],
+    "category": "General",
+    "scoreRuleType": -2
+  }
+]
diff --git a/customrule_empty.json b/customrule_empty.json
diff --git a/engine/engine.go b/engine/engine.go
@@ -860,20 +860,17 @@ func CheckRulesRequiredFields(rulesToCheck []*ruledefine.Rule) error {
 			}
 		}
 
-		if rule.Category != "" {
-			if _, ok := score.CategoryScoreMap[rule.Category]; !ok {
-				invalidCategoryError := fmt.Errorf("%w: %s not an acceptable category of type RuleCategory",
-					errInvalidCategory, rule.Category)
-				err = errors.Join(err, buildCustomRuleError(i, rule, invalidCategoryError))
-			}
+		_, validCategory := score.CategoryScoreMap[rule.Category]
+		if rule.Category != "" && !validCategory {
+			invalidCategoryError := fmt.Errorf("%w: %s not an acceptable category of type RuleCategory",
+				errInvalidCategory, rule.Category)
+			err = errors.Join(err, buildCustomRuleError(i, rule, invalidCategoryError))
 		}
 
-		if rule.ScoreRuleType != 0 {
-			if rule.ScoreRuleType > score.RuleTypeMaxValue {
-				invalidRuleTypeError := fmt.Errorf("%w: %d not an acceptable uint8 value, maximum is %d",
-					errInvalidRuleType, rule.ScoreRuleType, score.RuleTypeMaxValue)
-				err = errors.Join(err, buildCustomRuleError(i, rule, invalidRuleTypeError))
-			}
+		if rule.ScoreRuleType != 0 && rule.ScoreRuleType > score.RuleTypeMaxValue {
+			invalidRuleTypeError := fmt.Errorf("%w: %d not an acceptable uint8 value, should be between 1 and 4",
+				errInvalidRuleType, rule.ScoreRuleType)
+			err = errors.Join(err, buildCustomRuleError(i, rule, invalidRuleTypeError))
 		}
 	}
 
diff --git a/engine/rules/ruledefine/rule.go b/engine/rules/ruledefine/rule.go
@@ -89,8 +89,8 @@ type Rule struct {
 	OldSeverity       string       `json:"oldSeverity" yaml:"oldSeverity"` //nolint:lll // fallback for when critical is not enabled, has no effect on open source
 	AllowLists        []*AllowList `json:"allowLists" yaml:"allowLists"`
 	Tags              []string     `json:"tags" yaml:"tags"`
-	Category          RuleCategory `json:"category" yaml:"category"`                   // used for ASPM
-	ScoreRuleType     uint8        `json:"scoreRuleType" yaml:"scoreRuleType"`         // used for ASPM
+	Category          RuleCategory `json:"category" yaml:"category"`                   // used for cvssScore
+	ScoreRuleType     uint8        `json:"scoreRuleType" yaml:"scoreRuleType"`         // used for cvssScore
 	DisableValidation bool         `json:"disableValidation" yaml:"disableValidation"` ////nolint:lll // if true, validation checks will be skipped for this rule if any validation is possible
 	Deprecated        bool         `json:"deprecated" yaml:"deprecated"`
 }
diff --git a/engine/score/score.go b/engine/score/score.go
@@ -105,7 +105,12 @@ func getValidityScore(baseRiskScore float64, validationStatus secrets.Validation
 }
 
 func GetBaseRiskScore(category ruledefine.RuleCategory, ruleType uint8) float64 {
-	categoryScore := CategoryScoreMap[category]
+	var categoryScore uint8
+	var ok bool
+	// default to the lowest score if category not found, should only happen on custom rules with undefined category
+	if categoryScore, ok = CategoryScoreMap[category]; !ok {
+		categoryScore = 1
+	}
 	return float64(categoryScore)*0.6 + float64(ruleType)*0.4
 }
 
diff --git a/pkg/scan_test.go b/pkg/scan_test.go
@@ -67,15 +67,14 @@ var customRules = []*ruledefine.Rule{
 		Tags:        []string{"custom"},
 		Deprecated:  true,
 	},
+	// missing category and scoreRuleType, which should be defaulted to 1
 	{
-		RuleID:        "16be2682-51ee-44f5-82dc-695f4d1eda45",
-		RuleName:      "Mock-Custom-Rule",
-		Description:   "Rule that checks for a very specific string",
-		Regex:         `very_secret_value`,
-		Severity:      "Low",
-		Tags:          []string{"custom"},
-		Category:      "General",
-		ScoreRuleType: 4,
+		RuleID:      "16be2682-51ee-44f5-82dc-695f4d1eda45",
+		RuleName:    "Mock-Custom-Rule",
+		Description: "Rule that checks for a very specific string",
+		Regex:       `very_secret_value`,
+		Severity:    "Low",
+		Tags:        []string{"custom"},
 	},
 	{
 		RuleID:            "9f24ac30-9e04-4dc2-bc32-26da201f87e5",
@@ -596,7 +595,7 @@ func TestScanAndScanDynamicWithCustomRules(t *testing.T) {
 					" mockSeverity not one of ([Critical High Medium Low Info])"),
 				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid category:" +
 					" mockCategory not an acceptable category of type RuleCategory"),
-				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, maximum is 4"),
+				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, should be between 1 and 4"),
 			},
 		},
 		{
diff --git a/pkg/testData/expectedReports/customRules/defaultPlusAllCustomRules.json b/pkg/testData/expectedReports/customRules/defaultPlusAllCustomRules.json
@@ -8,7 +8,7 @@
         "source": "testData/secrets/generic-api-keys.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 1,
         "endLine": 1,
         "lineContent": "mock_secret:=very_secret_value",
@@ -18,7 +18,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "5c27b555f2e14a8f4f9fdeda124f7332dd9835d9": [
diff --git a/pkg/testData/expectedReports/customRules/defaultPlusNonOverrideRules.json b/pkg/testData/expectedReports/customRules/defaultPlusNonOverrideRules.json
@@ -8,7 +8,7 @@
         "source": "testData/secrets/generic-api-keys.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 1,
         "endLine": 1,
         "lineContent": "mock_secret:=very_secret_value",
@@ -18,7 +18,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "5c27b555f2e14a8f4f9fdeda124f7332dd9835d9": [
diff --git a/pkg/testData/expectedReports/customRules/onlyCustomNoOverrideRules.json b/pkg/testData/expectedReports/customRules/onlyCustomNoOverrideRules.json
@@ -8,7 +8,7 @@
         "source": "testData/secrets/generic-api-keys.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 1,
         "endLine": 1,
         "lineContent": "mock_secret:=very_secret_value",
@@ -18,7 +18,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "5c27b555f2e14a8f4f9fdeda124f7332dd9835d9": [
diff --git a/pkg/testData/expectedReports/customRules/onlyCustomRules.json b/pkg/testData/expectedReports/customRules/onlyCustomRules.json
@@ -8,7 +8,7 @@
         "source": "testData/secrets/generic-api-keys.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 1,
         "endLine": 1,
         "lineContent": "mock_secret:=very_secret_value",
@@ -18,7 +18,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "5c27b555f2e14a8f4f9fdeda124f7332dd9835d9": [
diff --git a/tests/testData/customRuleConfig/customRules.json b/tests/testData/customRuleConfig/customRules.json
@@ -35,8 +35,6 @@
     "regex": "very_secret_value",
     "severity": "Low",
     "tags": ["custom"],
-    "category": "General",
-    "scoreRuleType": 4
   },
   {
     "ruleId": "9f24ac30-9e04-4dc2-bc32-26da201f87e5",
diff --git a/tests/testData/customRuleConfig/customRules.yaml b/tests/testData/customRuleConfig/customRules.yaml
@@ -39,8 +39,6 @@
   severity: Low
   tags:
     - custom
-  category: General
-  scoreRuleType: 4
 
 - ruleId: 9f24ac30-9e04-4dc2-bc32-26da201f87e5
   ruleName: Github-Pat-Custom
diff --git a/tests/testData/expectedReport/customRules/default_plus_all_custom_rules.json b/tests/testData/expectedReport/customRules/default_plus_all_custom_rules.json
@@ -27,7 +27,7 @@
         "source": "testData/input/custom_rules_secrets.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 4,
         "endLine": 4,
         "lineContent": "mock_secret:=very_secret_value",
@@ -37,7 +37,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "4431f6f38c1a36156f0486df95b0436810272bfb": [
diff --git a/tests/testData/expectedReport/customRules/default_plus_non_override_rules.json b/tests/testData/expectedReport/customRules/default_plus_non_override_rules.json
@@ -27,7 +27,7 @@
         "source": "testData/input/custom_rules_secrets.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 4,
         "endLine": 4,
         "lineContent": "mock_secret:=very_secret_value",
@@ -37,7 +37,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "4431f6f38c1a36156f0486df95b0436810272bfb": [
diff --git a/tests/testData/expectedReport/customRules/only_custom_no_override_rules.json b/tests/testData/expectedReport/customRules/only_custom_no_override_rules.json
@@ -27,7 +27,7 @@
         "source": "testData/input/custom_rules_secrets.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 4,
         "endLine": 4,
         "lineContent": "mock_secret:=very_secret_value",
@@ -37,7 +37,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "b72e2b9140a555724a63bbb8e8e6689b81ebaf28": [
diff --git a/tests/testData/expectedReport/customRules/only_custom_rules.json b/tests/testData/expectedReport/customRules/only_custom_rules.json
@@ -27,7 +27,7 @@
         "source": "testData/input/custom_rules_secrets.txt",
         "ruleId": "16be2682-51ee-44f5-82dc-695f4d1eda45",
         "ruleName": "Mock-Custom-Rule",
-        "ruleCategory": "General",
+        "ruleCategory": "",
         "startLine": 4,
         "endLine": 4,
         "lineContent": "mock_secret:=very_secret_value",
@@ -37,7 +37,7 @@
         "validationStatus": "Unknown",
         "ruleDescription": "Rule that checks for a very specific string",
         "severity": "Low",
-        "cvssScore": 8.2
+        "cvssScore": 1
       }
     ],
     "4431f6f38c1a36156f0486df95b0436810272bfb": [

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ func TestPreRun(t *testing.T) {`
`106`	`106`	`" mockSeverity not one of ([Critical High Medium Low Info])"),`
`107`	`107`	`fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid category:" +`
`108`	`108`	`" mockCategory not an acceptable category of type RuleCategory"),`
`109`		`- fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, maximum is 4"),`
	`109`	`+ fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, should be between 1 and 4"),`
`110`	`110`	`},`
`111`	`111`	`},`
`112`	`112`	`{`
Original file line number	Diff line number	Diff line change
`@@ -860,20 +860,17 @@ func CheckRulesRequiredFields(rulesToCheck []*ruledefine.Rule) error {`
`860`	`860`	`}`
`861`	`861`	`}`
`862`	`862`
`863`		`- if rule.Category != "" {`
`864`		`- if _, ok := score.CategoryScoreMap[rule.Category]; !ok {`
`865`		`- invalidCategoryError := fmt.Errorf("%w: %s not an acceptable category of type RuleCategory",`
`866`		`- errInvalidCategory, rule.Category)`
`867`		`- err = errors.Join(err, buildCustomRuleError(i, rule, invalidCategoryError))`
`868`		`- }`
	`863`	`+ _, validCategory := score.CategoryScoreMap[rule.Category]`
	`864`	`+ if rule.Category != "" && !validCategory {`
	`865`	`+ invalidCategoryError := fmt.Errorf("%w: %s not an acceptable category of type RuleCategory",`
	`866`	`+ errInvalidCategory, rule.Category)`
	`867`	`+ err = errors.Join(err, buildCustomRuleError(i, rule, invalidCategoryError))`
`869`	`868`	`}`
`870`	`869`
`871`		`- if rule.ScoreRuleType != 0 {`
`872`		`- if rule.ScoreRuleType > score.RuleTypeMaxValue {`
`873`		`- invalidRuleTypeError := fmt.Errorf("%w: %d not an acceptable uint8 value, maximum is %d",`
`874`		`- errInvalidRuleType, rule.ScoreRuleType, score.RuleTypeMaxValue)`
`875`		`- err = errors.Join(err, buildCustomRuleError(i, rule, invalidRuleTypeError))`
`876`		`- }`
	`870`	`+ if rule.ScoreRuleType != 0 && rule.ScoreRuleType > score.RuleTypeMaxValue {`
	`871`	`+ invalidRuleTypeError := fmt.Errorf("%w: %d not an acceptable uint8 value, should be between 1 and 4",`
	`872`	`+ errInvalidRuleType, rule.ScoreRuleType)`
	`873`	`+ err = errors.Join(err, buildCustomRuleError(i, rule, invalidRuleTypeError))`
`877`	`874`	`}`
`878`	`875`	`}`
`879`	`876`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,12 @@ func getValidityScore(baseRiskScore float64, validationStatus secrets.Validation`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`func GetBaseRiskScore(category ruledefine.RuleCategory, ruleType uint8) float64 {`
`108`		`- categoryScore := CategoryScoreMap[category]`
	`108`	`+ var categoryScore uint8`
	`109`	`+ var ok bool`
	`110`	`+ // default to the lowest score if category not found, should only happen on custom rules with undefined category`
	`111`	`+ if categoryScore, ok = CategoryScoreMap[category]; !ok {`
	`112`	`+ categoryScore = 1`
	`113`	`+ }`
`109`	`114`	`return float64(categoryScore)0.6 + float64(ruleType)0.4`
`110`	`115`	`}`
`111`	`116`