fix it tests

andrzej-janczak · andrzej-janczak · commit c3587c513ced · 2025-05-28T16:50:34.000+02:00
diff --git a/integration-tests/init-with-token/expected/tools-configs/semgrep.yaml b/integration-tests/init-with-token/expected/tools-configs/semgrep.yaml
@@ -1,30 +1,4 @@
 rules:
-    - id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match
-      languages:
-        - apex
-      message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-540: Inclusion of Sensitive Information in Source Code'
-        impact: HIGH
-        likelihood: LOW
-        references:
-            - https://cwe.mitre.org/data/definitions/540.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      mode: taint
-      pattern-sinks:
-        - patterns:
-            - pattern: req.setHeader($X, ...);
-            - focus-metavariable: $X
-      pattern-sources:
-        - pattern: '...String $X = ''Authorization'';'
-      severity: ERROR
     - id: clojure.lang.security.use-of-md5.use-of-md5
       languages:
         - clojure
diff --git a/integration-tests/init-without-token/expected/tools-configs/semgrep.yaml b/integration-tests/init-without-token/expected/tools-configs/semgrep.yaml
@@ -1,279 +1,4 @@
 rules:
-    - id: apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor
-      languages:
-        - apex
-      message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.'
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-352: Cross-Site Request Forgery (CSRF)'
-        cwe2020-top25': true
-        cwe2021-top25': true
-        cwe2022-top25': true
-        impact: HIGH
-        likelihood: MEDIUM
-        owasp:
-            - A01:2021 - Broken Access Control
-        references:
-            - https://cwe.mitre.org/data/definitions/352.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      paths:
-        exclude:
-            - '*Test*'
-            - '*test*'
-      patterns:
-        - pattern-either:
-            - pattern-inside: public class $CLASSNAME {...}
-            - pattern-inside: private class $CLASSNAME {...}
-            - pattern-inside: public $SOME sharing class $CLASSNAME {...}
-            - pattern-inside: private $SOME sharing class $CLASSNAME {...}
-        - pattern-either:
-            - pattern-inside: public $CLASSNAME() {...}
-            - pattern-inside: private $CLASSNAME() {...}
-        - pattern-either:
-            - pattern: |
-                insert $DATA;
-            - pattern: |
-                update $DATA;
-            - pattern: |
-                upsert $DATA;
-            - pattern: |
-                delete $DATA;
-      severity: ERROR
-    - id: apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor
-      languages:
-        - generic
-      message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.'
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-352: Cross-Site Request Forgery (CSRF)'
-        cwe2020-top25': true
-        cwe2021-top25': true
-        cwe2022-top25': true
-        impact: HIGH
-        likelihood: MEDIUM
-        owasp:
-            - A01:2021 - Broken Access Control
-        references:
-            - https://cwe.mitre.org/data/definitions/352.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      paths:
-        exclude:
-            - '*Test*'
-            - '*test*'
-      patterns:
-        - pattern-inside: static {...}
-        - pattern-either:
-            - pattern: |
-                insert $DATA;
-            - pattern: |
-                update $DATA;
-            - pattern: |
-                upsert $DATA;
-            - pattern: |
-                delete $DATA;
-      severity: ERROR
-    - id: apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request
-      languages:
-        - apex
-      message: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
-      metadata:
-        category: security
-        confidence: MEDIUM
-        cwe:
-            - 'CWE-319: Cleartext Transmission of Sensitive Information'
-        impact: MEDIUM
-        likelihood: LOW
-        references:
-            - https://cwe.mitre.org/data/definitions/319.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      paths:
-        exclude:
-            - '*Test*'
-            - '*test*'
-      patterns:
-        - pattern-regex: http[:][/][/]
-        - pattern-not-regex: //.*
-        - pattern-not-regex: '[*].*'
-      severity: ERROR
-    - id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match
-      languages:
-        - apex
-      message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-540: Inclusion of Sensitive Information in Source Code'
-        impact: HIGH
-        likelihood: LOW
-        references:
-            - https://cwe.mitre.org/data/definitions/540.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      mode: taint
-      pattern-sinks:
-        - patterns:
-            - pattern: req.setHeader($X, ...);
-            - focus-metavariable: $X
-      pattern-sources:
-        - pattern: '...String $X = ''Authorization'';'
-      severity: ERROR
-    - id: apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match
-      languages:
-        - apex
-      message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-540: Inclusion of Sensitive Information in Source Code'
-        impact: HIGH
-        likelihood: LOW
-        references:
-            - https://cwe.mitre.org/data/definitions/540.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      pattern: $REQUEST.setHeader('Authorization', $AUTHSTRING);
-      severity: ERROR
-    - id: apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param
-      languages:
-        - apex
-      message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
-        impact: HIGH
-        likelihood: HIGH
-        owasp:
-            - A03:2021 - Injection
-        references:
-            - https://cwe.mitre.org/data/definitions/943.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      mode: taint
-      pattern-sanitizers:
-        - pattern: String.escapeSingleQuotes(...)
-      pattern-sinks:
-        - patterns:
-            - pattern: Database.query($SINK,...);
-            - focus-metavariable: $SINK
-      pattern-sources:
-        - by-side-effect: true
-          pattern: ApexPage.getCurrentPage().getParameters.get($URLPARAM);
-      severity: ERROR
-    - id: apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param
-      languages:
-        - apex
-      message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
-        impact: HIGH
-        likelihood: HIGH
-        owasp:
-            - A03:2021 - Injection
-        references:
-            - https://cwe.mitre.org/data/definitions/943.html
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      mode: taint
-      pattern-sanitizers:
-        - pattern-either:
-            - pattern: String.escapeSingleQuotes($P)
-            - pattern: Database.query(<... String.escapeSingleQuotes($P) ...>)
-      pattern-sinks:
-        - pattern: Database.query(<... $P ...>)
-      pattern-sources:
-        - by-side-effect: true
-          patterns:
-            - pattern: $M(...,String $P,...) { ... }
-            - focus-metavariable: $P
-      severity: ERROR
-    - id: apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level
-      languages:
-        - apex
-      message: Every Apex class should have an explicit sharing mode declared. Use the `with sharing` or `without sharing` keywords on a class to specify whether sharing rules must be enforced. Use the `inherited sharing` keyword on an Apex class to run the class in the sharing mode of the class that called it.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-284: Improper Access Control'
-        impact: MEDIUM
-        likelihood: MEDIUM
-        owasp:
-            - A04:2021 - Insecure Design
-        references:
-            - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm
-            - https://cwe.mitre.org/data/definitions/284.html
-            - https://owasp.org/Top10/A04_2021-Insecure_Design/
-        subcategory:
-            - vuln
-        technology:
-            - salesforce
-      min-version: 1.44.0
-      patterns:
-        - pattern-regex: (private|public|global).*\s(class)\s.*[{]
-        - pattern-not-regex: (private|public|global).*[with|without|inherited]\s[sharing].*\s(class)\s.*[{]
-        - pattern-not-regex: (private|public|global).*\s(class)\s.*(extends)\s(Exception).*[{]
-      severity: WARNING
-    - id: apex.lang.security.ncino.system.systemdebug.system-debug
-      languages:
-        - apex
-      message: In addition to debug statements potentially logging data excessively, debug statements also contribute to longer transactions and consume Apex CPU time even when debug logs are not being captured.
-      metadata:
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-489: Active Debug Code'
-            - 'CWE-779: Logging of Excessive Data'
-        impact: MEDIUM
-        likelihood: LOW
-        references:
-            - https://cwe.mitre.org/data/definitions/489.html
-            - https://cwe.mitre.org/data/definitions/779.html
-        subcategory:
-            - vuln
-        technology:
-            - vuln
-      min-version: 1.44.0
-      paths:
-        exclude:
-            - '*Test*'
-            - '*test*'
-      pattern: System.debug(...)
-      severity: WARNING
     - id: bash.curl.security.curl-eval.curl-eval
       languages:
         - bash
