Add Swift YAML rules for HKDF, PKCS5, Scrypt; update test configs

[ESS-ENN]

Summary by CodeRabbit

• New Features

  • Introduced enhanced security scans for Swift applications to identify hard-coded sensitive credentials and promote secure practices.

• Tests

  • Added comprehensive test cases to verify the new security checks.
  • Removed outdated test examples related to alternative authentication methods.

[coderabbitai]

Walkthrough

This pull request introduces three new YAML rule files for Swift that detect hard-coded secrets in HKDF, PKCS5, and Scrypt functions. Additionally, new snapshot and test configuration files have been added to validate each of these rules, while an outdated Python Neo4j snapshot file has been removed.

Changes

File(s)	Change Summary
rules/swift/security/hdkf-hardcoded-secret-swift.yml rules/swift/security/pkcs5-hardcoded-secret-swift.yml rules/swift/security/scrypt-hardcoded-secret-swift.yml	Added new security rules for detecting hard-coded secrets in Swift using HKDF, PKCS5, and Scrypt functions, including AST pattern matching and CWE/OWASP references.
tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml	Created new snapshot files for each security rule; some contain detailed test cases while others use empty snapshot objects.
tests/swift/hdkf-hardcoded-secret-swift-test.yml tests/swift/pkcs5-hardcoded-secret-swift-test.yml tests/swift/scrypt-hardcoded-secret-swift-test.yml	Introduced test configuration files with valid and invalid test cases to verify the proper behavior of the new rules.
tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml	Deleted outdated snapshot file related to Neo4j authentication examples.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant SA as Static Analyzer
    participant RL as Rule Loader
    participant Out as Output

    Dev->>SA: Run analysis on Swift code
    SA->>RL: Load HKDF, PKCS5, Scrypt rules
    RL-->>SA: Provide detection patterns
    SA->>Out: Emit warnings if hard-coded secrets detected
    Out-->>Dev: Display analysis results

Loading

Possibly related PRs

• Add security rules for Java and Swift applications for cookie and secret management #43: Adds a rule for detecting hard-coded secrets in Swift targeting AES encryption, sharing similar security concerns.
• Two openai go rules #28: Introduces a rule for identifying hard-coded secrets in Go, aligning with the overall objective of secure credential handling.
• Add Swift rules and tests for hard-coded encryption secrets #167: Incorporates multiple rules for Swift that check for hard-coded secrets across various encryption functions, complementing the current changes.

Suggested reviewers

• ganeshpatro321

Poem

I hop through code with ears so keen,
Guarding secrets, keeping them unseen.
Swift rules now stand as watchful guards,
In secure lines, no error lards.
A rabbit’s cheer for code that gleams!
🐇✨

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ESS-ENN
❌ Sakshis

---

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

tests/swift/pkcs5-hardcoded-secret-swift-test.yml (1)

31-31: Trailing Spaces Detected:
Line 31 contains trailing spaces. Please remove these extra spaces to comply with YAML linting guidelines.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 31-31: trailing spaces

(trailing-spaces)

tests/swift/hdkf-hardcoded-secret-swift-test.yml (1)

1-2: Test Configuration for HKDF:
The file introduces the HKDF test cases with a valid section and several invalid cases. However, note that the file name is hdkf-hardcoded-secret-swift-test.yml while the id in the file is hkdf-hardcoded-secret-swift. Please verify if there is a typo in the filename.

tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml (2)

3-37: Review Duplicate or Overlapping Label Entries.

Several label entries (e.g. lines 22–29 and lines 30–37) define similar ranges and sources. Please verify that these duplications are intentional for increased test coverage rather than accidental redundancy.

---

105-175: Try Block Snapshot for HKDF is Well-Defined.

The snapshot capturing a try expression around the HKDF calculation is comprehensive. Please ensure that the error handling behavior it implies is validated in the corresponding runtime tests.

rules/swift/security/pkcs5-hardcoded-secret-swift.yml (1)

141-186: Instance-Based tryPKCS5 Matching is Thorough.

The _with_Instance variant is carefully designed to capture password arguments using the nthChild property. Please confirm that the use of the $PSWD placeholder is consistent with related rules.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc2e5aa and 8a39ca3.

📒 Files selected for processing (10)

• rules/swift/security/hdkf-hardcoded-secret-swift.yml (1 hunks)
• rules/swift/security/pkcs5-hardcoded-secret-swift.yml (1 hunks)
• rules/swift/security/scrypt-hardcoded-secret-swift.yml (1 hunks)
• tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml (1 hunks)
• tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml (1 hunks)
• tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml (0 hunks)
• tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml (1 hunks)
• tests/swift/hdkf-hardcoded-secret-swift-test.yml (1 hunks)
• tests/swift/pkcs5-hardcoded-secret-swift-test.yml (1 hunks)
• tests/swift/scrypt-hardcoded-secret-swift-test.yml (1 hunks)

💤 Files with no reviewable changes (1)

• tests/snapshots/python-neo4j-hardcoded-secret-auth-python-snapshot.yml

🧰 Additional context used

🪛 YAMLlint (1.35.1)

tests/swift/pkcs5-hardcoded-secret-swift-test.yml

[error] 31-31: trailing spaces

(trailing-spaces)

🔇 Additional comments (45)

tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml (1)

1-2: Snapshot File for PKCS5 Hardcoded Secret:
The new snapshot file is structured correctly with a unique id and an empty snapshots object. This minimal template is exactly what is needed for snapshot testing.

tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml (1)

1-2: Snapshot File for Scrypt Hardcoded Secret:
The snapshot file is correctly set up with the appropriate id and an empty snapshots object. It conforms with the expected format.

tests/swift/scrypt-hardcoded-secret-swift-test.yml (3)

1-4: Valid Test Case Configuration:
The valid block is clearly defined with a correct invocation of the Scrypt calculation. Just ensure that the variable config is properly defined in the test environment.

---

5-8: Invalid Test Case – Array-based Password:
This invalid test case correctly demonstrates a scenario where a hard-coded password is provided via an Array<UInt8>. The setup is appropriate for triggering the intended failure.

---

9-10: Invalid Test Case – Direct String Password:
Using a direct string for the password in this invalid block efficiently simulates an erroneous input scenario. The structure is clear and as expected.

tests/swift/pkcs5-hardcoded-secret-swift-test.yml (6)

1-4: Test ID and Valid Test Case:
The file correctly identifies itself with id: pkcs5-hardcoded-secret-swift and includes a valid test case invoking PKCS5.PBKDF2(...). This setup is consistent with the intended behavior.

---

5-8: Invalid Test – Array Conversion Block:
The first invalid test case uses an Array<UInt8> for the password and is designed to trigger a failure when calling PBKDF2. This negative test case helps ensure robust rule validation.

---

9-11: Invalid Test – Direct String Block:
The test case where the password is passed as a string (i.e. "123") is an effective negative test case and is set up correctly.

---

12-23: Invalid Test with do-catch Block:
The block that imports modules, defines main(), and then calls an undefined method PKCS5.h(password:) is an inventive way to simulate an invalid usage scenario while showcasing proper error handling. No issues found.

---

25-36: Do-Catch Test with Correct PBKDF2 Invocation:
This block tests the standard PBKDF2 invocation within a do-catch block, ensuring the code properly handles errors. The test case is clear and adheres to best practices.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 31-31: trailing spaces

(trailing-spaces)

---

38-38: Invalid Method Invocation:
Testing an invalid method call with PKCS5.ggg effectively covers another possible error case. This negative scenario is acceptable for thorough testing.

tests/swift/hdkf-hardcoded-secret-swift-test.yml (4)

3-4: Valid HKDF Test Case:
The valid test demonstrates the correct usage of the HKDF function by using a try invocation and calling calculate(). This is consistent with expected behavior.

---

5-7: Invalid Test – Array-based Password for HKDF:
The first invalid test case passes a password as an array derived from "hello".utf8, which should help verify that the rule catches this hard-coded secret scenario.

---

8-9: Invalid Test – Try Invocation with Array-based Password:
This test case, while similar to the previous one, includes a try invocation to simulate an alternative failure mode. The inclusion of both types of invalid inputs is a robust approach.

---

10-11: Invalid Test – String Password:
The final invalid test case, where a plain string "123" is used as the password, effectively rounds out the negative testing scenarios.

tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml (2)

1-2: Snapshot File Metadata and Structure is Correct.

The snapshot file sets the identifier (hkdf-hardcoded-secret-swift) and organizes test cases with clearly defined source snippets and labels.

---

38-104: Array Password Test Case Looks Consistent.

The test case using Array("hello".utf8) is well structured with consistent label ranges that clearly capture all the relevant parts of the source expression.

rules/swift/security/pkcs5-hardcoded-secret-swift.yml (7)

1-3: Header Metadata is Valid.

The rule is correctly identified as pkcs5-hardcoded-secret-swift, written for Swift, and its severity message clearly warns about hard-coded secrets.

---

18-48: Utility Pattern for tryPKCS5 with Hard-Coded Password is Clear.

The AST pattern targeting tryPKCS5.$FUNC(password:"") is well defined. The use of a line string literal to capture the password is appropriate and helps ensure accurate matching.

---

49-79: Direct PKCS5 Call Pattern is Appropriately Scoped.

The utility for detecting a direct call of PKCS5.$FUNC(password:"") distinguishes itself from try expressions effectively.

---

80-109: Array-based Password Detection in tryPKCS5 is Consistent.

The pattern that matches tryPKCS5.$FUNC(password:Array("...".utf8)) maintains consistency with the string-based version by using the $PASS placeholder. Ensure that the placeholder naming is documented for maintainability.

---

110-139: Direct Call with Array Password is Well-Handled.

This utility pattern for PKCS5.$FUNC(password:Array("...".utf8)) accurately targets array-based password instances and excludes try expression contexts.

---

187-233: Instance-Based Direct Call Matching is Comprehensive.

The pattern for PKCS5.$FUNC(password:"")_with_Instance mirrors the try expression variant, ensuring that even instance-bound expressions are detected.

---

234-242: Rule Composition Aggregates All Cases Effectively.

The final rule section uses an “any” clause to combine the various utility patterns. Verify that repeated entries (for instance-based patterns) are intentional.

rules/swift/security/scrypt-hardcoded-secret-swift.yml (11)

1-4: File Metadata for Scrypt Rule is Accurate.

The rule’s identifier (scrypt-hardcoded-secret-swift), language, severity, and descriptive message clearly communicate its purpose.

---

10-14: Note and References Provide Essential Guidance.

The note cites CWE-798 and includes an OWASP Secrets Management Cheat Sheet link, which is very useful. Double-check that the reference URL remains current.

---

16-16: AST Grep Essentials Flag is Enabled.

Enabling ast-grep-essentials on line 16 is appropriate for achieving accurate tree-sitter–based matching.

---

19-62: Utility for Scrypt Expression with Instance is Detailed and Correct.

This utility pattern excludes irrelevant contexts (e.g. nested call expressions, functions, and throw keywords) and precisely matches a Scrypt call with a hard-coded password.

---

63-99: try Expression with Instance is Effectively Captured.

The pattern for match_pattern_try_expression_with_instance ensures that try expressions involving Scrypt calls are detected, including verification of the password argument.

---

128-173: Direct Scrypt Expression Matching is Comprehensive.

The utility match_pattern_Scrypt_expression_directly is well constructed—it excludes function declarations and try expressions while ensuring the presence of a hard-coded password via a line string literal.

---

174-177: Exclusion of Try Expressions Strengthens the Direct Match.

Adding a clause to exclude try expressions in the direct matching block further refines the detection criteria so that the pattern focuses solely on direct call expressions.

---

178-214: Direct Try Expression Matching for Scrypt is Precise.

The match_pattern_try_expression_directly block accurately captures try expressions that involve a Scrypt call with a hard-coded password argument.

---

215-289: UTF-8 Based Scrypt Expression Detection is Robust.

The match_pattern_Scrypt_expression_with_utf8 utility method extends matching to cover cases where the password is wrapped with a UTF-8 conversion. Its detailed sub-patterns ensure reliable detection.

---

293-358: Try Expression with UTF-8 for Scrypt is Well-Formulated.

This pattern mirrors the non-UTF8 try expression variant, thereby ensuring that Scrypt calls involving UTF-8–converted hard-coded passwords are reliably detected.

---

359-378: Rule Aggregation and Secret Constraint are Sound.

The final rule section aggregates all the utility patterns using “any” clauses for both try and call expressions and properly constrains the secret to be a line string literal.

rules/swift/security/hdkf-hardcoded-secret-swift.yml (10)

1-4: Header Metadata for HKDF Rule is Correct.

The rule identifier (hkdf-hardcoded-secret-swift), severity level, language, and descriptive message are all clearly defined.

---

10-14: Note and References are Informative.

The note provides a reference to CWE-798 and an OWASP cheat sheet URL, which is helpful. Consider using a list format if additional references are added later.

---

15-16: AST Grep Essentials Flag is Properly Set.

Setting ast-grep-essentials to true enables the precise AST-matching capabilities required for this rule.

---

17-66: HKDF Expression with Instance Pattern is Detailed.

The utility pattern match_pattern_HKDF_expression_with_instance effectively detects HKDF calls by excluding irrelevant contexts (such as being inside a function declaration or a try expression) and then confirming the presence of a password argument.

---

97-159: HKDF Try Expression with Instance Pattern Covers Key Cases.

This block captures try expression instances of HKDF calls and includes logic to match property declarations that might hold hard-coded secrets. Ensure that the placeholders (e.g. $R and $SECRET) are consistent with documentation across similar rules.

---

160-210: Direct HKDF Expression Pattern is Comprehensive.

The match_pattern_HKDF_expression_directly utility excludes non-relevant contexts such as function declarations and try blocks, ensuring robust detection of direct HKDF calls with hard-coded passwords.

---

211-248: Direct Try Expression for HKDF is Well-Defined.

This section targets try expressions that involve HKDF calls, ensuring that the hard-coded password is reliably detected even in error-handling contexts.

---

249-323: HKDF Expression with UTF-8 Conversion is Accurately Captured.

The utility match_pattern_HKDF_expression_with_utf8 extends detection to cover HKDF calls where the password is expressed via UTF-8 conversion. This improves the rule’s overall sensitivity.

---

328-393: Try Expression with UTF-8 for HKDF is Consistent and Thorough.

This variant mirrors the direct HKDF try expression pattern but accommodates the UTF-8 conversion, ensuring no hard-coded secrets slip through because of encoding variations.

---

394-413: Overall Rule Aggregation and Constraints are Excellent.

The final rule section correctly aggregates the various utility patterns under “any” clauses and applies a constraint ensuring that the secret is extracted as a line string literal.