RUST-1920 Annotate sarif report with mongodb ratings (#1134)

abr-egn · web-flow · commit b9915a43a5e1 · 2024-06-12T14:38:28.000-04:00
diff --git a/.evergreen/check-semgrep.sh b/.evergreen/check-semgrep.sh
@@ -2,23 +2,29 @@
 
 set -o errexit
 
-source ./.evergreen/env.sh
-
-. ${DRIVERS_TOOLS}/.evergreen/find-python3.sh
-PYTHON=$(find_python3)
+if [ -t 0 ] ; then
+    # Interactive shell
+    PYTHON3=${PYTHON3:-"python3"}
+else
+    # Evergreen run (probably)
+    source ./.evergreen/env.sh
+    source ${DRIVERS_TOOLS}/.evergreen/find-python3.sh
+    PYTHON3=$(find_python3)
+fi
 
 if [[ -f "semgrep/bin/activate" ]]; then
-    echo 'using existing virtualenv'
+    echo 'Using existing virtualenv...'
     . semgrep/bin/activate
 else
-    echo 'Creating new virtualenv'  
-    ${PYTHON} -m venv semgrep
-    echo 'Activating new virtualenv'
+    echo 'Creating new virtualenv...'
+    ${PYTHON3} -m venv semgrep
+    echo 'Activating new virtualenv...'
     . semgrep/bin/activate
+    echo 'Installing semgrep...'
     python3 -m pip install semgrep
 fi
 
+# Show human-readable output
+semgrep --config p/rust --error
 # Generate a SARIF report
-semgrep --config p/rust --sarif > mongo-rust-driver.json.sarif
-# And human-readable output
-semgrep --config p/rust --error
+semgrep --config p/rust --quiet --sarif -o sarif.json
diff --git a/.gitignore b/.gitignore
@@ -12,4 +12,6 @@ Cargo.lock
 # we install cargo and rustup in the project directory on Evergreen.
 .cargo
 .rustup
-mongocryptd.pid
+mongocryptd.pid
+semgrep/
+sarif.json
diff --git a/.semgrepignore b/.semgrepignore
@@ -1,2 +1,3 @@
 benchmarks/
-src/test/
+src/test/
+etc/
diff --git a/src/client/auth/scram.rs b/src/client/auth/scram.rs
@@ -317,7 +317,7 @@ impl ScramVersion {
         let normalized_password = match self {
             ScramVersion::Sha1 => {
                 // nosemgrep: insecure-hashes
-                let mut md5 = Md5::new();
+                let mut md5 = Md5::new(); // mongodb rating: No Fix Needed
                 md5.update(format!("{}:mongo:{}", username, password));
                 Cow::Owned(hex::encode(md5.finalize()))
             }
diff --git a/src/runtime/tls_rustls.rs b/src/runtime/tls_rustls.rs
@@ -143,7 +143,7 @@ fn make_rustls_config(cfg: TlsOptions) -> Result<rustls::ClientConfig> {
 
     if let Some(true) = cfg.allow_invalid_certificates {
         // nosemgrep: rustls-dangerous
-        config
+        config // mongodb rating: No Fix Needed
             .dangerous()
             .set_certificate_verifier(Arc::new(NoCertVerifier {}));
     }

Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,7 @@ impl ScramVersion {`
`317`	`317`	`let normalized_password = match self {`
`318`	`318`	`ScramVersion::Sha1 => {`
`319`	`319`	`// nosemgrep: insecure-hashes`
`320`		`- let mut md5 = Md5::new();`
	`320`	`+ let mut md5 = Md5::new(); // mongodb rating: No Fix Needed`
`321`	`321`	`md5.update(format!("{}:mongo:{}", username, password));`
`322`	`322`	`Cow::Owned(hex::encode(md5.finalize()))`
`323`	`323`	`}`
Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ fn make_rustls_config(cfg: TlsOptions) -> Result<rustls::ClientConfig> {`
`143`	`143`
`144`	`144`	`if let Some(true) = cfg.allow_invalid_certificates {`
`145`	`145`	`// nosemgrep: rustls-dangerous`
`146`		`- config`
	`146`	`+ config // mongodb rating: No Fix Needed`
`147`	`147`	`.dangerous()`
`148`	`148`	`.set_certificate_verifier(Arc::new(NoCertVerifier {}));`
`149`	`149`	`}`