fix: semgrep rules updated CF-1809

Author: pedrobpereira

codacy-client/client.go

@@ -177,7 +177,19 @@ func GetDefaultToolPatternsConfig(initFlags domain.InitFlags, toolUUID string, o
 		baseURL += "?enabled=true"
 	}
 
-	return getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	allPaterns, err := getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	if err != nil {
+		return nil, err
+	}
+
+	onlyRecommendedPatterns := make([]domain.PatternConfiguration, 0)
+	for _, pattern := range allPaterns {
+		if pattern.PatternDefinition.Enabled {
+			onlyRecommendedPatterns = append(onlyRecommendedPatterns, pattern)
+		}
+	}
+
+	return onlyRecommendedPatterns, nil
 }
 
 // GetRepositoryToolPatterns fetches the patterns for a tool in a repository

integration-tests/config-discover/expected/tools-configs/semgrep.yaml

@@ -29501,6 +29501,43 @@ rules:
             }
         - focus-metavariable: $SECRET
       severity: WARNING
+    - id: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
+      languages:
+        - terraform
+      message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+      metadata:
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
+            - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
+        impact: MEDIUM
+        likelihood: HIGH
+        owasp:
+            - A03:2021 - Injection
+            - A01:2017 - Injection
+        references:
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
+        subcategory:
+            - guardrail
+        technology:
+            - terraform
+      patterns:
+        - pattern-either:
+            - pattern: |
+                provisioner "remote-exec" {
+                    ...
+                }
+            - pattern: |
+                provisioner "local-exec" {
+                    ...
+                }
+        - pattern-inside: |
+            resource "aws_instance" "..." {
+                ...
+            }
+      severity: WARNING
     - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention
       languages:
         - hcl
@@ -34374,8 +34411,12 @@ rules:
             - A3:2017 Sensitive Data Exposure
       options:
         generic_ellipsis_max_span: 0
-      pattern: |
-        $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+      patterns:
+        - pattern: |
+            $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+        - metavariable-regex:
+            metavariable: $PASSWORD
+            regex: (?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*
       severity: ERROR
     - id: codacy.generic.plsql.resource-injection
       languages:

integration-tests/init-with-token/expected/tools-configs/semgrep.yaml

@@ -1,4 +1,22 @@
 rules:
+    - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command
+      languages:
+        - bash
+      message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.
+      metadata:
+        category: correctness
+        technology:
+        - bash
+      patterns:
+        - pattern-either:
+            - pattern: |
+                ... ${$VAR} ...
+            - pattern: |
+                ... ...${$VAR}... ...
+        - metavariable-regex:
+            metavariable: $VAR
+            regex: '[*@0-9]|[A-Za-z].*'
+      severity: INFO
     - id: clojure.lang.security.use-of-md5.use-of-md5
       languages:
         - clojure
@@ -8,20 +26,20 @@ rules:
         category: security
         confidence: HIGH
         cwe:
-            - 'CWE-328: Use of Weak Hash'
+        - 'CWE-328: Use of Weak Hash'
         impact: HIGH
         likelihood: MEDIUM
         owasp:
-            - A03:2017 - Sensitive Data Exposure
-            - A02:2021 - Cryptographic Failures
+        - A03:2017 - Sensitive Data Exposure
+        - A02:2021 - Cryptographic Failures
         references:
-            - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
-            - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
         source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
         subcategory:
-            - vuln
+        - vuln
         technology:
-            - clojure
+        - clojure
       pattern-either:
         - pattern: (MessageDigest/getInstance "MD5")
         - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
@@ -30,6 +48,19 @@ rules:
         - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
         - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
       severity: WARNING
+    - fix: Bitwise.bnot($VAL)
+      id: elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator
+      languages:
+        - elixir
+      message: The bitwise operator (`^^^`) is already deprecated. Please use `Bitwise.bnot($VAL)` instead.
+      metadata:
+        category: best-practice
+        references:
+        - https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc
+        technology:
+        - elixir
+      pattern: ~~~$VAL
+      severity: WARNING
     - id: codacy.generic.plsql.empty-strings
       languages:
         - generic