Merge pull request #3609 from semgrep/merge-develop-to-release

Merge Develop into Release

Author: p4p3r

.github/scripts/validate-metadata.py

@@ -118,7 +118,8 @@ def is_rule(path: Path) -> bool:
         config_path = Path(config_item)
         if (
             config_path.is_file()
-            and config_path.suffix == ".yaml"
+            and ".yaml" in config_path.suffixes 
+            and not ".test" in config_path.suffixes 
             and is_rule(config_path)
         ):
             validate_config_file_metadata(config_path, v, invalid_configs)

.github/workflows/semgrep-rule-lints.yaml

@@ -45,4 +45,37 @@ jobs:
             --exclude *.test.yaml \
             --exclude contrib/ \
             --exclude stats/ \
+            --exclude .github/ \
             --exclude yaml/semgrep/
+
+  semgrep-changed-files:
+    runs-on: ubuntu-22.04
+    name: semgrep-rules-on-changed-files
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      - name: install semgrep
+        run: pip3 install semgrep
+      - name: Get changed files
+        id: changed-files
+        run: |
+          echo "CHANGED_FILES=$(git diff --name-only --diff-filter=ACMRT origin/${{ github.base_ref }} ${{ github.sha }} | grep -E "\.ya?ml$" | grep -v "\.test\.ya?ml$" | grep -v "^contrib/" | grep -v "^stats/" | grep -v "^yaml/semgrep/" | tr '\n' ' ')" >> $GITHUB_ENV
+      - name: Run strict lints on changed files only
+        if: env.CHANGED_FILES != ''
+        run: |
+          echo "Running stricter lints on changed files: ${{ env.CHANGED_FILES }}"
+          # Add stricter lints here that are hard to enforce on existing rules
+          semgrep \
+            --error \
+            --config yaml/semgrep/metadata-cwe-prohibited-or-discouraged.yaml \
+            --exclude .github/ \
+            --exclude *.test.yaml \
+            --exclude contrib/ \
+            --exclude stats/ \
+            --exclude yaml/semgrep/ \
+            ${{ env.CHANGED_FILES }}

javascript/express/security/injection/tainted-sql-string.yaml

@@ -25,7 +25,7 @@ rules:
     - vuln
     likelihood: HIGH
     impact: MEDIUM
-    confidence: MEDIUM
+    confidence: LOW
   languages:
   - javascript
   - typescript

python/django/security/audit/django-rest-framework/missing-throttle-config.yaml

@@ -20,7 +20,7 @@ rules:
     - A05:2021 - Security Misconfiguration
     - A06:2017 - Security Misconfiguration
     cwe:
-    - 'CWE-400: Uncontrolled Resource Consumption'
+    - 'CWE-770: Allocation of Resources Without Limits or Throttling'
     references:
     - https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
     category: security

yaml/semgrep/metadata-cwe-prohibited-or-discouraged.test.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: example-allowed
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-cwe-prohibited-or-discouraged
+      cwe: "CWE-257: Storing Passwords in a Recoverable Format"
+      technoloy:
+        - semgrep
+  - id: example-prohibited
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ruleid: metadata-cwe-prohibited-or-discouraged
+      cwe: "CWE-320: Key Management Errors"
+      technoloy:
+        - semgrep

yaml/semgrep/metadata-cwe-prohibited-or-discouraged.yaml

@@ -0,0 +1,20 @@
+rules:
+- id: metadata-cwe-prohibited-or-discouraged
+  message: >-
+    Vulnerability mapping for this CWE is discouraged or prohibited.
+  severity: ERROR
+  metadata:
+    category: best-practice
+    technology:
+      - cwe
+      - semgrep
+  languages: [yaml]
+  patterns:
+  - pattern-inside: 'rules: ...'
+  - pattern-inside: 'metadata: ...'
+  - pattern: 'cwe: $CWE'
+  - metavariable-regex:
+      metavariable: $CWE
+      regex: 
+        .*CWE-(1|2|3|4|10|16|17|18|19|20|21|60|63|68|70|71|74|75|92|100|101|114|118|119|132|133|136|137|138|139|169|171|189|199|200|216|217|218|225|227|234|247|249|251|254|255|264|265|269|274|275|284|285|287|292|300|310|311|320|330|345|355|361|365|371|372|373|376|380|381|387|388|389|391|398|399|400|411|417|418|423|429|435|438|442|443|445|452|458|461|465|485|490|503|504|505|513|516|517|518|519|533|534|542|545|557|559|569|592|596|604|610|629|630|631|632|633|634|635|657|658|659|660|661|662|664|665|666|668|677|678|679|680|682|690|691|692|693|697|699|700|701|702|703|707|709|710|711|712|713|714|715|716|717|718|719|720|721|722|723|724|725|726|727|728|729|730|731|734|735|736|737|738|739|740|741|742|743|744|745|746|747|748|750|751|752|753|755|769|786|788|800|801|802|803|808|809|810|811|812|813|814|815|816|817|818|819|834|840|844|845|846|847|848|849|850|851|852|853|854|855|856|857|858|859|860|861|864|865|866|867|868|869|870|871|872|873|874|875|876|877|878|879|880|881|882|883|884|885|886|887|888|889|890|891|892|893|894|895|896|897|898|899|900|901|902|903|904|905|906|907|919|928|929|930|931|932|933|934|935|936|937|938|944|945|946|947|948|949|950|951|952|953|954|955|956|957|958|959|960|961|962|963|964|965|966|967|968|969|970|971|972|973|974|975|976|977|978|979|980|981|982|983|984|985|986|987|988|989|990|991|992|993|994|995|996|997|998|999|1000|1001|1002|1003|1005|1006|1008|1009|1010|1011|1012|1013|1014|1015|1016|1017|1018|1019|1020|1026|1027|1028|1029|1030|1031|1032|1033|1034|1035|1036|1040|1041|1042|1043|1044|1047|1048|1051|1053|1054|1055|1056|1057|1059|1060|1062|1063|1064|1065|1066|1068|1069|1070|1072|1073|1074|1076|1078|1080|1081|1082|1083|1084|1085|1086|1090|1092|1094|1095|1097|1099|1101|1103|1105|1106|1107|1109|1110|1111|1112|1113|1114|1115|1117|1118|1119|1121|1122|1124|1125|1128|1129|1130|1131|1132|1133|1134|1135|1136|1137|1138|1139|1140|1141|1142|1143|1144|1145|1146|1147|1148|1149|1150|1151|1152|1153|1154|1155|1156|1157|1158|1159|1160|1161|1162|1163|1165|1166|1167|1168|1169|1170|1171|1172|1175|1178|1179|1180|1181|1182|1183|1184|1185|1186|1187|1194|1195|1196|1197|1198|1199|1200|1201|1202|1203|1205|1206|1207|1208|1210|1211|1212|1213|1214|1215|1216|1217|1218|1219|1225|1226|1227|1228|1237|1238|1305|1306|1307|1308|1309|1324|1337|1340|1343|1344|1345|1346|1347|1348|1349|1350|1352|1353|1354|1355|1356|1358|1359|1360|1361|1362|1363|1364|1365|1366|1367|1368|1369|1370|1371|1372|1373|1374|1375|1376|1377|1378|1379|1380|1381|1382|1383|1387|1388|1396|1397|1398|1399|1400):.*
+