fix: not recommended patterns are now included in semgrep config CF-1809 (#175)

* fix: not recommended patterns are now included in semgrep config CF-1809

* fix: semgrep rules updated CF-1809

Author: pedrobpereira

.codacy/codacy.yaml

@@ -13,4 +13,4 @@ tools:
     - [email protected]
     - [email protected]
     - [email protected]
-    - trivy@0.65.0
+    - trivy@0.66.0

cmd/init_test.go

@@ -25,7 +25,7 @@ func TestConfigFileTemplate(t *testing.T) {
 				"[email protected]",
 				"[email protected]",
 				"[email protected]",
-				"trivy@0.65.0",
+				"trivy@0.66.0",
 				"[email protected]",
 				"[email protected]",
 			},

codacy-client/client.go

@@ -172,12 +172,29 @@ func parsePatternConfigurations(response []byte) ([]domain.PatternConfiguration,
 
 // GetDefaultToolPatternsConfig fetches the default patterns for a tool
 func GetDefaultToolPatternsConfig(initFlags domain.InitFlags, toolUUID string, onlyEnabledPatterns bool) ([]domain.PatternConfiguration, error) {
-	baseURL := fmt.Sprintf("%s/api/v3/tools/%s/patterns", CodacyApiBase, toolUUID)
+	return GetDefaultToolPatternsConfigWithCodacyAPIBase(CodacyApiBase, initFlags, toolUUID, onlyEnabledPatterns)
+}
+
+// GetDefaultToolPatternsConfigWithCodacyAPIBase fetches the default patterns for a tool, and a base api url
+func GetDefaultToolPatternsConfigWithCodacyAPIBase(codacyAPIBaseURL string, initFlags domain.InitFlags, toolUUID string, onlyEnabledPatterns bool) ([]domain.PatternConfiguration, error) {
+	baseURL := fmt.Sprintf("%s/api/v3/tools/%s/patterns", codacyAPIBaseURL, toolUUID)
 	if onlyEnabledPatterns {
 		baseURL += "?enabled=true"
 	}
 
-	return getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	allPaterns, err := getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	if err != nil {
+		return nil, err
+	}
+
+	onlyRecommendedPatterns := make([]domain.PatternConfiguration, 0)
+	for _, pattern := range allPaterns {
+		if pattern.PatternDefinition.Enabled {
+			onlyRecommendedPatterns = append(onlyRecommendedPatterns, pattern)
+		}
+	}
+
+	return onlyRecommendedPatterns, nil
 }
 
 // GetRepositoryToolPatterns fetches the patterns for a tool in a repository

codacy-client/client_test.go

@@ -2,6 +2,7 @@ package codacyclient
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -100,15 +101,55 @@ func TestGetDefaultToolPatternsConfig_Empty(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	// TODO: Refactor GetDefaultToolPatternsConfig to accept a baseURL for easier testing
-	// oldBase := CodacyApiBase
-	// CodacyApiBase = ts.URL
-	// defer func() { CodacyApiBase = oldBase }()
-
-	// Placeholder: test cannot be run until function is refactored for testability
-	_ = ts // avoid unused warning
-	// initFlags := domain.InitFlags{ApiToken: "dummy"}
-	// patterns, err := GetDefaultToolPatternsConfig(initFlags, "tool-uuid")
-	// assert.NoError(t, err)
-	// assert.Empty(t, patterns)
+	CodacyApiBase = ts.URL
+
+	initFlags := domain.InitFlags{ApiToken: "dummy"}
+	patterns, err := GetDefaultToolPatternsConfigWithCodacyAPIBase(CodacyApiBase, initFlags, "tool-uuid", true)
+	assert.NoError(t, err)
+	assert.Empty(t, patterns)
+}
+
+func TestGetDefaultToolPatternsConfig_WithNonRecommended(t *testing.T) {
+
+	config := []domain.PatternDefinition{
+		{
+			Id:      "internal_id_1",
+			Enabled: true,
+		},
+		{
+			Id:      "internal_id_2",
+			Enabled: false,
+		},
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		resp := map[string]interface{}{
+			"data":       config,
+			"pagination": map[string]interface{}{"cursor": ""},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(resp)
+	}))
+	defer ts.Close()
+
+	expected := []domain.PatternConfiguration{
+		{
+			Enabled: true,
+			PatternDefinition: domain.PatternDefinition{
+				Id:      "internal_id_1",
+				Enabled: true,
+			},
+		},
+	}
+
+	CodacyApiBase = ts.URL
+
+	initFlags := domain.InitFlags{ApiToken: "dummy"}
+	patterns, err := GetDefaultToolPatternsConfigWithCodacyAPIBase(CodacyApiBase, initFlags, "tool-uuid", true)
+
+	fmt.Println(len(patterns))
+
+	assert.NoError(t, err)
+	assert.Equal(t, expected, patterns)
 }

integration-tests/config-discover/expected/codacy.yaml

@@ -10,4 +10,4 @@ tools:
     - [email protected]
     - [email protected]
     - [email protected]
-    - trivy@0.65.0
+    - trivy@0.66.0

integration-tests/config-discover/expected/tools-configs/semgrep.yaml

@@ -29501,6 +29501,43 @@ rules:
             }
         - focus-metavariable: $SECRET
       severity: WARNING
+    - id: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
+      languages:
+        - terraform
+      message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+      metadata:
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
+            - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
+        impact: MEDIUM
+        likelihood: HIGH
+        owasp:
+            - A03:2021 - Injection
+            - A01:2017 - Injection
+        references:
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
+        subcategory:
+            - guardrail
+        technology:
+            - terraform
+      patterns:
+        - pattern-either:
+            - pattern: |
+                provisioner "remote-exec" {
+                    ...
+                }
+            - pattern: |
+                provisioner "local-exec" {
+                    ...
+                }
+        - pattern-inside: |
+            resource "aws_instance" "..." {
+                ...
+            }
+      severity: WARNING
     - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention
       languages:
         - hcl
@@ -34374,8 +34411,12 @@ rules:
             - A3:2017 Sensitive Data Exposure
       options:
         generic_ellipsis_max_span: 0
-      pattern: |
-        $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+      patterns:
+        - pattern: |
+            $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+        - metavariable-regex:
+            metavariable: $PASSWORD
+            regex: (?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*
       severity: ERROR
     - id: codacy.generic.plsql.resource-injection
       languages:

integration-tests/init-with-token/expected/codacy.yaml

@@ -8,4 +8,4 @@ tools:
     - [email protected]
     - [email protected]
     - [email protected]
-    - trivy@0.65.0
+    - trivy@0.66.0

integration-tests/init-with-token/expected/tools-configs/semgrep.yaml

@@ -1,4 +1,22 @@
 rules:
+    - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command
+      languages:
+        - bash
+      message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.
+      metadata:
+        category: correctness
+        technology:
+            - bash
+      patterns:
+        - pattern-either:
+            - pattern: |
+                ... ${$VAR} ...
+            - pattern: |
+                ... ...${$VAR}... ...
+        - metavariable-regex:
+            metavariable: $VAR
+            regex: '[*@0-9]|[A-Za-z].*'
+      severity: INFO
     - id: clojure.lang.security.use-of-md5.use-of-md5
       languages:
         - clojure
@@ -30,6 +48,19 @@ rules:
         - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
         - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
       severity: WARNING
+    - fix: Bitwise.bnot($VAL)
+      id: elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator
+      languages:
+        - elixir
+      message: The bitwise operator (`^^^`) is already deprecated. Please use `Bitwise.bnot($VAL)` instead.
+      metadata:
+        category: best-practice
+        references:
+            - https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc
+        technology:
+            - elixir
+      pattern: ~~~$VAL
+      severity: WARNING
     - id: codacy.generic.plsql.empty-strings
       languages:
         - generic

integration-tests/init-without-token/expected/codacy.yaml

@@ -12,4 +12,4 @@ tools:
     - [email protected]
     - [email protected]
     - [email protected]
-    - trivy@0.65.0
+    - trivy@0.66.0

integration-tests/init-without-token/expected/tools-configs/semgrep.yaml

@@ -29501,6 +29501,43 @@ rules:
             }
         - focus-metavariable: $SECRET
       severity: WARNING
+    - id: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
+      languages:
+        - terraform
+      message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+      metadata:
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
+            - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
+        impact: MEDIUM
+        likelihood: HIGH
+        owasp:
+            - A03:2021 - Injection
+            - A01:2017 - Injection
+        references:
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
+        subcategory:
+            - guardrail
+        technology:
+            - terraform
+      patterns:
+        - pattern-either:
+            - pattern: |
+                provisioner "remote-exec" {
+                    ...
+                }
+            - pattern: |
+                provisioner "local-exec" {
+                    ...
+                }
+        - pattern-inside: |
+            resource "aws_instance" "..." {
+                ...
+            }
+      severity: WARNING
     - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention
       languages:
         - hcl
@@ -34374,8 +34411,12 @@ rules:
             - A3:2017 Sensitive Data Exposure
       options:
         generic_ellipsis_max_span: 0
-      pattern: |
-        $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+      patterns:
+        - pattern: |
+            $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+        - metavariable-regex:
+            metavariable: $PASSWORD
+            regex: (?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*
       severity: ERROR
     - id: codacy.generic.plsql.resource-injection
       languages: