Add static analysis rules for C++ and Rust security checks (#128)

* removed missing-secure-java

* sizeof-this-cpp

* tokio-postgres-empty-password-rust

* tokio-postgres-hardcoded-password-rust

---------

Co-authored-by: Sakshis <[email protected]>

Author: ESS-ENN

rules/cpp/sizeof-this-cpp.yml

@@ -0,0 +1,44 @@
+id: sizeof-this-cpp
+language: cpp
+severity: warning
+message: >-
+  Do not use `sizeof(this)` to get the number of bytes of the object in
+  memory. It returns the size of the pointer, not the size of the object.
+note: >-
+  [CWE-467]: Use of sizeof() on a Pointer Type
+  [REFERENCES]
+      - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
+utils:
+  match_sizeof_this:
+    kind: sizeof_expression
+    has:
+      kind: parenthesized_expression
+      has:
+        kind: this
+        regex: "^this$"
+    inside:
+      stopBy: end
+      kind: return_statement
+      inside:
+        kind: compound_statement
+        follows:
+          kind: function_declarator
+          inside:
+            kind: function_definition
+
+rule:
+   kind: sizeof_expression 
+   all:
+     - has:
+        stopBy: end
+        kind: this
+     - not:
+         has:
+            stopBy: end
+            any:
+               - nthChild: 2
+               - kind: pointer_expression
+               - kind: ERROR
+               - kind: sizeof_expression
+
+

rules/rust/security/tokio-postgres-empty-password-rust.yml

@@ -0,0 +1,248 @@
+id: tokio-postgres-empty-password-rust
+language: rust
+severity: warning
+message: >-
+  The application uses an empty credential. This can lead to unauthorized
+  access by either an internal or external malicious actor. It is
+  recommended to rotate the secret and retrieve them from a secure secret
+  vault or Hardware Security Module (HSM), alternatively environment
+  variables can be used if allowed by your company policy.
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://docs.rs/tokio-postgres/latest/tokio_postgres/
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+
+
+utils:
+  MATCH_FOLLOW_1:
+    follows:
+        stopBy: end
+        any:
+            - kind: let_declaration
+              all:
+                - has:
+                    kind: identifier
+                    pattern: $CONFIG
+                - has:
+                    kind: call_expression
+                    regex: ^tokio_postgres::Config::new\(\)$
+            - kind: let_declaration
+              all:
+                - has:
+                    kind: identifier
+                    pattern: $CONFIG
+                - has:
+                    kind: call_expression
+                    regex: ^Config::new\(\)$
+              any:
+                - follows:
+                    stopBy: end
+                    kind: use_declaration
+                    has:
+                      stopBy: end
+                      kind: scoped_identifier
+                      regex: ^tokio_postgres::Config$
+                - inside:
+                    stopBy: end
+                    follows:
+                      stopBy: end
+                      kind: use_declaration
+                      has:
+                        stopBy: end
+                        kind: scoped_identifier
+                        regex: ^tokio_postgres::Config$
+                          
+
+rule:
+  kind: call_expression
+  not:
+    has:
+      stopBy: end
+      kind: ERROR
+  any:
+    # CONFIG IS DIRECT AND PWD IS DIRECT    
+    - all:
+        - has:
+            stopBy: end
+            kind: scoped_identifier
+            regex: ^tokio_postgres::Config::new()$
+        - has:
+            kind: field_expression
+            regex: \.password$
+            nthChild: 1
+        - has:
+            kind: arguments
+            nthChild: 2
+            has:
+              stopBy: end
+              kind: string_literal
+              not:
+                has:
+                  kind: string_content
+              nthChild: 1
+            all:
+              - not:
+                  has:
+                    stopBy: end
+                    nthChild: 2
+              - not:
+                  has:
+                    stopBy: end
+                    any:
+                    - kind: block
+                    - kind: array_expression
+    # CONFIG IS DIRECT AND PWD IS INSTANCE
+    - all:
+        - has:
+            stopBy: end
+            kind: scoped_identifier
+            regex: ^tokio_postgres::Config::new()$
+        - has:
+            kind: field_expression
+            regex: \.password$
+            nthChild: 1
+        - has:
+            kind: arguments
+            nthChild: 2
+            has:
+              stopBy: end
+              kind: identifier
+              pattern: $PASSWORD
+              inside:
+                stopBy: end
+                follows:
+                  stopBy: end
+                  any:
+                    - kind: let_declaration
+                      has:
+                        kind: identifier
+                        pattern: $PASSWORD
+                        precedes:
+                          stopBy: end
+                          kind: string_literal
+                          not:
+                            has:
+                              kind: string_content
+                    - kind: expression_statement
+                      has: 
+                        kind: assignment_expression
+                        has:
+                            kind: identifier
+                            pattern: $PASSWORD
+                            precedes:
+                              stopBy: end
+                              kind: string_literal
+                              not:
+                                has:
+                                  kind: string_content
+
+              nthChild: 1
+            all:
+              - not:
+                  has:
+                    stopBy: end
+                    nthChild: 2
+              - not:
+                  has:
+                    stopBy: end
+                    any:
+                    - kind: block
+                    - kind: array_expression
+    # CONFIG IS INSTANCE AND PWD IS DIRECT
+    - all:
+        - has:
+            stopBy: end
+            kind: identifier
+            pattern: $CONFIG
+            any:
+              - inside:
+                  stopBy: end
+                  matches: MATCH_FOLLOW_1
+        - has:
+            kind: field_expression
+            regex: \.password$
+            nthChild: 1
+        - has:
+            kind: arguments
+            nthChild: 2
+            has:
+              stopBy: end
+              kind: string_literal
+              not:
+                has:
+                  kind: string_content
+              nthChild: 1
+            all:
+              - not:
+                  has:
+                    stopBy: end
+                    nthChild: 2
+              - not:
+                  has:
+                    stopBy: end
+                    any:
+                    - kind: block
+                    - kind: array_expression
+    # CONFIG IS INSTANCE AND PWD IS INSTANCE
+    - all:
+        - has:
+            stopBy: end
+            kind: identifier
+            pattern: $CONFIG
+            any:
+              - inside:
+                  stopBy: end
+                  matches: MATCH_FOLLOW_1
+        - has:
+            kind: field_expression
+            regex: \.password$
+            nthChild: 1
+        - has:
+            kind: arguments
+            nthChild: 2
+            has:
+              stopBy: end
+              kind: identifier
+              pattern: $PASSWORD
+              nthChild: 1
+              inside:
+                stopBy: end
+                follows:
+                    stopBy: end
+                    any:
+                        - kind: let_declaration
+                          all:
+                            - has:
+                                kind: identifier
+                                pattern: $PASSWORD
+                            - has:
+                                kind: string_literal
+                                not:
+                                  has:
+                                    kind: string_content
+                        - kind: expression_statement
+                          has:
+                            kind: assignment_expression
+                            all:
+                            - has:
+                                kind: identifier
+                                pattern: $PASSWORD
+                            - has:
+                                kind: string_literal
+                                not:
+                                  has:
+                                    kind: string_content
+
+            all:
+              - not:
+                  has:
+                    stopBy: end
+                    nthChild: 2
+              - not:
+                  has:
+                    stopBy: end
+                    any:
+                    - kind: block
+                    - kind: array_expression
+