codacy
diff --git a/‎codacy-client/client.go‎
Lines changed: 13 additions & 1 deletion b/‎codacy-client/client.go‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎integration-tests/config-discover/expected/tools-configs/semgrep.yaml‎
Lines changed: 43 additions & 2 deletions b/‎integration-tests/config-discover/expected/tools-configs/semgrep.yaml‎
Lines changed: 43 additions & 2 deletions
diff --git a/‎integration-tests/init-with-token/expected/tools-configs/semgrep.yaml‎
Lines changed: 72 additions & 41 deletions b/‎integration-tests/init-with-token/expected/tools-configs/semgrep.yaml‎
Lines changed: 72 additions & 41 deletions
@@ -177,7 +177,19 @@ func GetDefaultToolPatternsConfig(initFlags domain.InitFlags, toolUUID string, o
 		baseURL += "?enabled=true"
 	}
 
-	return getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	allPaterns, err := getAllPages(baseURL, initFlags, parseDefaultPatternConfigurations)
+	if err != nil {
+		return nil, err
+	}
+
+	onlyRecommendedPatterns := make([]domain.PatternConfiguration, 0)
+	for _, pattern := range allPaterns {
+		if pattern.PatternDefinition.Enabled {
+			onlyRecommendedPatterns = append(onlyRecommendedPatterns, pattern)
+		}
+	}
+
+	return onlyRecommendedPatterns, nil
 }
 
 // GetRepositoryToolPatterns fetches the patterns for a tool in a repository
 
@@ -29501,6 +29501,43 @@ rules:
             }
         - focus-metavariable: $SECRET
       severity: WARNING
+    - id: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
+      languages:
+        - terraform
+      message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+      metadata:
+        category: security
+        confidence: HIGH
+        cwe:
+            - 'CWE-77: Improper Neutralization of Special Elements used in a Command (''Command Injection'')'
+            - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
+        impact: MEDIUM
+        likelihood: HIGH
+        owasp:
+            - A03:2021 - Injection
+            - A01:2017 - Injection
+        references:
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
+            - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
+        subcategory:
+            - guardrail
+        technology:
+            - terraform
+      patterns:
+        - pattern-either:
+            - pattern: |
+                provisioner "remote-exec" {
+                    ...
+                }
+            - pattern: |
+                provisioner "local-exec" {
+                    ...
+                }
+        - pattern-inside: |
+            resource "aws_instance" "..." {
+                ...
+            }
+      severity: WARNING
     - id: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention
       languages:
         - hcl
@@ -34374,8 +34411,12 @@ rules:
             - A3:2017 Sensitive Data Exposure
       options:
         generic_ellipsis_max_span: 0
-      pattern: |
-        $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+      patterns:
+        - pattern: |
+            $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
+        - metavariable-regex:
+            metavariable: $PASSWORD
+            regex: (?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*
       severity: ERROR
     - id: codacy.generic.plsql.resource-injection
       languages:
 
@@ -1,43 +1,74 @@
 rules:
-    - id: clojure.lang.security.use-of-md5.use-of-md5
-      languages:
+  - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command
+    languages:
+      - bash
+    message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.
+    metadata:
+      category: correctness
+      technology:
+        - bash
+    patterns:
+      - pattern-either:
+          - pattern: |
+              ... ${$VAR} ...
+          - pattern: |
+              ... ...${$VAR}... ...
+      - metavariable-regex:
+          metavariable: $VAR
+          regex: '[*@0-9]|[A-Za-z].*'
+    severity: INFO
+  - id: clojure.lang.security.use-of-md5.use-of-md5
+    languages:
+      - clojure
+    message: MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.
+    metadata:
+      author: Gabriel Marquet <[email protected]>
+      category: security
+      confidence: HIGH
+      cwe:
+        - 'CWE-328: Use of Weak Hash'
+      impact: HIGH
+      likelihood: MEDIUM
+      owasp:
+        - A03:2017 - Sensitive Data Exposure
+        - A02:2021 - Cryptographic Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+      source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
+      subcategory:
+        - vuln
+      technology:
         - clojure
-      message: MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.
-      metadata:
-        author: Gabriel Marquet <[email protected]>
-        category: security
-        confidence: HIGH
-        cwe:
-            - 'CWE-328: Use of Weak Hash'
-        impact: HIGH
-        likelihood: MEDIUM
-        owasp:
-            - A03:2017 - Sensitive Data Exposure
-            - A02:2021 - Cryptographic Failures
-        references:
-            - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
-            - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
-        source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/weak-hash-function-md5.yml
-        subcategory:
-            - vuln
-        technology:
-            - clojure
-      pattern-either:
-        - pattern: (MessageDigest/getInstance "MD5")
-        - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
-        - pattern: (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
-        - pattern: (java.security.MessageDigest/getInstance "MD5")
-        - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
-        - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
-      severity: WARNING
-    - id: codacy.generic.plsql.empty-strings
-      languages:
-        - generic
-      message: Empty strings can lead to unexpected behavior and should be handled carefully.
-      metadata:
-        category: security
-        confidence: MEDIUM
-        description: Detects empty strings in the code which might cause issues or bugs.
-        impact: MEDIUM
-      pattern: $VAR VARCHAR2($LENGTH) := '';
-      severity: WARNING
+    pattern-either:
+      - pattern: (MessageDigest/getInstance "MD5")
+      - pattern: (MessageDigest/getInstance MessageDigestAlgorithms/MD5)
+      - pattern: (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
+      - pattern: (java.security.MessageDigest/getInstance "MD5")
+      - pattern: (java.security.MessageDigest/getInstance MessageDigestAlgorithms/MD5)
+      - pattern: (java.security.MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/MD5)
+    severity: WARNING
+  - fix: Bitwise.bnot($VAL)
+    id: elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator
+    languages:
+      - elixir
+    message: The bitwise operator (`^^^`) is already deprecated. Please use `Bitwise.bnot($VAL)` instead.
+    metadata:
+      category: best-practice
+      references:
+        - https://github.com/elixir-lang/elixir/commit/f1b9d3e818e5bebd44540f87be85979f24b9abfc
+      technology:
+        - elixir
+    pattern: ~~~$VAL
+    severity: WARNING
+  - id: codacy.generic.plsql.empty-strings
+    languages:
+      - generic
+    message: Empty strings can lead to unexpected behavior and should be handled carefully.
+    metadata:
+      category: security
+      confidence: MEDIUM
+      description: Detects empty strings in the code which might cause issues or bugs.
+      impact: MEDIUM
+    pattern: $VAR VARCHAR2($LENGTH) := '';
+    severity: WARNING