coderabbitai · harjotgill · Sep 13, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-c
+language: c
+severity: warning
+message: >-
+  The libxml2 library is used to parse XML. When auditing such code, make
+  sure that either the document being parsed is trusted or that the parsing
+  options are safe to consume untrusted documents. In such case make sure
+  DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+  [CWE-611] Improper Restriction of XML External Entity Reference.
+  [REFERENCES]
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+  any:
+    - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+    - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+    - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml
@@ -0,0 +1,13 @@
+id: sizeof-this-c
+language: c
+severity: warning
+message: >-
+  Do not use `sizeof(this)` to get the number of bytes of the object in
+  memory. It returns the size of the pointer, not the size of the object.
+note: >-
+  [CWE-467]: Use of sizeof() on a Pointer Type
+  [REFERENCES]
+      - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
+rule:
+  any:
+    - pattern: "sizeof(this)"
diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-cpp
+language: Cpp
+severity: warning
+message: >-
+  The libxml2 library is used to parse XML. When auditing such code, make
+  sure that either the document being parsed is trusted or that the parsing
+  options are safe to consume untrusted documents. In such case make sure
+  DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+  [CWE-611] Improper Restriction of XML External Entity Reference.
+  [REFERENCES]
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+  any:
+    - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+    - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+    - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+    - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml
@@ -0,0 +1,25 @@
+id: httponly-false-csharp
+language: csharp
+severity: warning
+message: >-
+  "Detected a cookie where the `HttpOnly` flag is either missing or
+      disabled. The `HttpOnly` cookie flag instructs the browser to forbid
+      client-side JavaScript to read the cookie. If JavaScript interaction is
+      required, you can ignore this finding. However, set the `HttpOnly` flag to
+      `true` in all other cases. If this wasn't intentional, it's recommended to
+      set the HttpOnly flag to true so the cookie will not be accessible through
+      client-side scripts or to use the Cookie Policy Middleware to globally set
+      the HttpOnly flag. You can then use the CookieOptions class when
+      instantiating the cookie, which inherits these settings and will require
+      future developers to have to explicitly override them on a case-by-case
+      basis if needed. This approach ensures cookies are secure by default."
+note: >-
+  [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"
+  [REFERENCES]
+      - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware
+      - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions
+      - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+  any:
+    - pattern: $BUILDER.Cookie.HttpOnly = false;
+    - pattern: $COOKIE.HttpOnly = false;
diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml
@@ -0,0 +1,14 @@
+id: plaintext-http-link-html
+language: html
+severity: warning
+message: >-
+  "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+note: >-
+  [CWE-319] Authentication Bypass by Primary Weakness
+  [REFERENCES]
+      -  https://cwe.mitre.org/data/definitions/319.html
+rule:
+  pattern: <a $$$ href=$URL>$C</a>
+constraints:
+  URL:
+    regex: ^['"`]?([Hh][Tt][Tt][Pp]://)
diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml
@@ -0,0 +1,17 @@
+id: cbc-padding-oracle-java
+severity: warning
+language: java
+message: >-
+  Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
+      malicious actor could discern the difference between plaintext with valid
+      or invalid padding. Further, CBC mode does not include any integrity
+      checks. Use 'AES/GCM/NoPadding' instead.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://capec.mitre.org/data/definitions/463.html
+rule:
+  pattern: Cipher.getInstance($MODE)
+constraints:
+  MODE:
+    regex: ".*/CBC/PKCS5Padding"
diff --git a/rules/java/security/cbc-padding-oracle.yml b/rules/java/security/cbc-padding-oracle.yml
diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: des-is-deprecated-java
+severity: warning
+language: java
+message: >-
+  DES is considered deprecated. AES is the recommended cipher. Upgrade to
+  use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+  for more information.
+note: >-
+  [CWE-326] Inadequate Encryption Strength.
+  [REFERENCES]
+      - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+  pattern: $CIPHER.getInstance($SAS)
+constraints:
+  SAS:
+    regex: "DES"
diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: desede-is-deprecated-java
+language: java
+severity: warning
+message: >-
+  Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+  [CWE-326]: Inadequate Encryption Strength
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+      - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+      - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+  any:
+    - pattern: $CIPHER.getInstance("=~/DESede.*/")
+    - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
-  any:
-    - pattern: $CIPHER.getInstance("=~/DESede.*/")
-    - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
+  any:
+    - pattern: $CIPHER.getInstance("=~/DESede.*/")
+    - pattern: $CRYPTO.KeyGenerator.getInstance("=~/DESede.*/")
-  any:
-    - pattern: $CIPHER.getInstance("=~/DESede.*/")
-    - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
+  any:
+    - pattern: $CIPHER.getInstance("=~/DESede.*/")
+    - pattern: $CRYPTO.KeyGenerator.getInstance("=~/DESede.*/")
diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml
@@ -0,0 +1,17 @@
+id: ecb-cipher-java
+severity: warning
+language: java
+message: >-
+  Cipher in ECB mode is detected. ECB mode produces the same output for
+  the same input each time which allows an attacker to intercept and replay
+  the data. Further, ECB mode does not provide any integrity checking. See
+  https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
+constraints:
+  MODE:
+    regex: .*ECB.*
diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml
@@ -0,0 +1,17 @@
+id: no-null-cipher-java
+severity: warning
+language: java
+message: >-
+  NullCipher was detected. This will not encrypt anything; the cipher
+  text will be the same as the plain text. Use a valid, secure cipher:
+  Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+  https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+  for more information.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  any:
+    - pattern: new NullCipher($$$)
+    - pattern: new javax.crypto.NullCipher($$$)
diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml
@@ -0,0 +1,14 @@
+id: rsa-no-padding-java
+severity: warning
+language: java
+message: >-
+  Using RSA without OAEP mode weakens the encryption.
+note: >-
+  [CWE-326] Inadequate Encryption Strength
+  [REFERENCES]
+      - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+  pattern: $YST.getInstance($MODE)
+constraints:
+  MODE:
+    regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
@@ -0,0 +1,22 @@
+id: system-setproperty-hardcoded-secret-java
+language: java
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+  all:
+    - any:
+        - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD);
+        - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD);
+constraints:
+  PWD:
+    regex: '^"'
diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml
@@ -0,0 +1,16 @@
+id: unencrypted-socket-java
+language: java
+severity: info
+message: >-
+  "Detected use of a Java socket that is not encrypted. As a result, the
+      traffic could be read by an attacker intercepting the network traffic. Use
+      an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+      instead."
+note: >-
+  [CWE-319] Cleartext Transmission of Sensitive Information
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  any:
+    - pattern: new ServerSocket($$$)
+    - pattern: new Socket($$$)
diff --git a/rules/java/security/use-of-aes-ecb-java.yml b/rules/java/security/use-of-aes-ecb-java.yml
@@ -0,0 +1,22 @@
+id: use-of-aes-ecb-java
+language: java
+severity: warning
+message: >-
+  Use of AES with ECB mode detected. ECB doesn't provide message
+  confidentiality and  is not semantically secure so should not be used.
+  Instead, use a strong, secure cipher:
+  Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
+  https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+  for more information.
+note: >-
+  [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [OWASP A02:2021]: Cryptographic Failures
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+  pattern: $CIPHER.getInstance($MATCHES)
+constraints:
+  MATCHES:
+    regex: ".*AES/ECB/.*"
diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml
@@ -0,0 +1,17 @@
+id: use-of-blowfish-java
+language: java
+severity: info
+message: >-
+  Use of Blowfish was detected. Blowfish uses a 64-bit block size
+      that  makes it vulnerable to birthday attacks, and is therefore considered
+      non-compliant.  Instead, use a strong, secure cipher:
+      Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+      for more information.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+  pattern: $CIPHER.getInstance("Blowfish")
diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml
@@ -0,0 +1,13 @@
+id: use-of-md5-digest-utils-java
+language: java
+severity: warning
+message: >-
+  'Detected MD5 hash algorithm which is considered insecure. MD5 is not
+      collision resistant and is therefore not suitable as a cryptographic
+      signature. Use HMAC instead.'
+note: >-
+  [CWE-328] Use of Weak Hash
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  pattern: DigestUtils.getMd5Digest($$$).digest($$$)
diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml
@@ -0,0 +1,20 @@
+id: use-of-md5-java
+severity: warning
+language: java
+message: >-
+  Detected MD5 hash algorithm which is considered insecure. MD5 is not
+  collision resistant and is therefore not suitable as a cryptographic
+  signature. Use HMAC instead.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  any:
+    - pattern: java.security.MessageDigest.getInstance($ALGO)
+    - pattern: java.security.MessageDigest.getInstance($ALGO, $$$)
+    - pattern: MessageDigest.getInstance($ALGO)
+    - pattern: MessageDigest.getInstance($ALGO, $$$)
+constraints:
+  ALGO:
+    regex: "MD5"
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+  'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+      including stream cipher attacks and bit flipping attacks. Instead, use a
+      strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+      for more information.'
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+  pattern: $CIPHER.getInstance("RC4")
diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml
@@ -0,0 +1,20 @@
+id: use-of-sha1-java
+language: java
+severity: warning
+message: >-
+  Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
+  collision resistant and is therefore not suitable as a cryptographic
+  signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
+  for other hash function applications.
+note: >-
+  [CWE-328] Use of Weak Hash.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+  any:
+    - pattern: $DU.getSha1Digest().digest($$$)
+    - pattern: MessageDigest.getInstance($ALGO)
+    - pattern: java.security.MessageDigest.getInstance($ALGO,$$$)
+constraints:
+  ALGO:
+    regex: "SHA1|SHA-1"
diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml
@@ -0,0 +1,16 @@
+id: use-of-weak-rsa-key-java
+language: java
+severity: warning
+message: >-
+  RSA keys should be at least 2048 bits based on NIST recommendation.
+note: >-
+  [CWE-326] Inadequate Encryption Strength.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+rule:
+  pattern: |
+    $KEY.initialize($AST)
+follows: KeyPairGenerator $KEY = $G.getInstance("RSA");
+constraints:
+  AST:
+    regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'