
semgrep rules: December 2024 Update #723

Merged: 1 commit merged into main from features/semgrep-update-december on Dec 15, 2024

Conversation

@thypon (Member) commented Dec 12, 2024

```
@ nonfree.audit (+4, -1)
+ dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount
+ go.lang.security.reverseproxy-director.reverseproxy-director
+ yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false
+ python.lang.security.insecure-uuid-version.insecure-uuid-version
- python.django.security.django-no-csrf-token.django-no-csrf-token
@ nonfree.others (+0, -0)
@ nonfree.security_noaudit_novuln (+0, -5)
- go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
- javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
- python.django.security.django-no-csrf-token.django-no-csrf-token
- python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid
- terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
@ nonfree.vulns (+4, -0)
+ javascript.node-crypto.security.aead-no-final.aead-no-final
+ javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv
+ javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length
+ php.lang.security.injection.tainted-exec.tainted-exec
@ oss.audit (+35, -1)
+ trailofbits.generic.mongodb-insecure-transport.mongodb-insecure-transport
+ trailofbits.ruby.json-create-deserialization.json-create-deserialization
+ trailofbits.yaml.github-actions.pypi-publish-password.pypi-publish-password
+ trailofbits.ruby.faraday-disable-verification.faraday-disable-verification
+ trailofbits.hcl.nomad.tls-hostname-verification-disabled.tls-hostname-verification-disabled
+ trailofbits.generic.node-disable-certificate-validation.node-disable-certificate-validation
+ trailofbits.ruby.rails-cookie-attributes.rails-cookie-attributes
+ trailofbits.yaml.github-actions.rubygems-publish-key.rubygems-publish-key
+ trailofbits.ruby.yaml-unsafe-load.yaml-unsafe-load
+ trailofbits.ruby.insecure-rails-cookie-session-store.insecure-rails-cookie-session-store
+ trailofbits.hcl.nomad.docker-privileged-mode.docker-privileged-mode
+ trailofbits.generic.postgres-insecure-sslmode.postgres-insecure-sslmode
+ trailofbits.ruby.ruby-saml-skip-validation.ruby-saml-skip-validation
+ trailofbits.yaml.github-actions.aws-secret-key.aws-secret-key
+ trailofbits.ruby.action-dispatch-insecure-ssl.action-dispatch-insecure-ssl
+ trailofbits.hcl.nomad.root-user.root-user
+ trailofbits.generic.mysql-insecure-sslmode.mysql-insecure-sslmode
+ trailofbits.yaml.github-actions.azure-principal-secret.azure-principal-secret
+ trailofbits.ruby.active-record-hardcoded-encryption-key.active-record-hardcoded-encryption-key
+ trailofbits.hcl.terraform.aws-oidc-role-policy-duplicate-condition.aws-oidc-role-policy-duplicate-condition
+ trailofbits.yaml.github-actions.gcp-credentials-json.gcp-credentials-json
+ trailofbits.hcl.nomad.docker-hardcoded-password.docker-hardcoded-password
+ trailofbits.hcl.terraform.aws-oidc-role-policy-missing-sub.aws-oidc-role-policy-missing-sub
+ trailofbits.ruby.rails-cache-store-marshal.rails-cache-store-marshal
+ trailofbits.generic.redis-unencrypted-transport.redis-unencrypted-transport
+ trailofbits.hcl.terraform.vault-skip-tls-verify.vault-skip-tls-verify
+ trailofbits.yaml.github-actions.vault-token.vault-token
+ trailofbits.yaml.github-actions.jfrog-hardcoded-credential.jfrog-hardcoded-credential
+ trailofbits.hcl.terraform.vault-hardcoded-token.vault-hardcoded-token
+ trailofbits.generic.amqp-unencrypted-transport.amqp-unencrypted-transport
+ trailofbits.ruby.global-timeout.global-timeout
+ trailofbits.ruby.active-record-encrypts-misorder.active-record-encrypts-misorder
+ trailofbits.ruby.action-mailer-insecure-tls.action-mailer-insecure-tls
+ trailofbits.hcl.nomad.podman-tls-verify-disabled.podman-tls-verify-disabled
+ trailofbits.ruby.rest-client-disable-verification.rest-client-disable-verification
- gitlab.bandit.B101
@ oss.others (+0, -0)
@ oss.security_noaudit_novuln (+0, -0)
@ oss.vulns (+0, -0)
```

@thypon thypon requested a review from diracdeltas December 12, 2024 22:25

[puLL-Merge] - brave/security-action@723

Description

This PR updates the semgrep rules in the security-action repository. It adds new rules, modifies existing ones, and removes some outdated rules across various programming languages and frameworks.

Changes

1. assets/semgrep_rules/generated/nonfree/audit.yaml:
   • Added new rules for Dockerfile security, Go language security, and OpenAPI security.
   • Modified existing rules for Python, JavaScript, and TypeScript.
2. assets/semgrep_rules/generated/nonfree/vulns.yaml:
   • Updated existing rules for JavaScript, Express, and Node.js security.
   • Added new rules for JavaScript Node-crypto security.
3. assets/semgrep_rules/generated/oss/audit.yaml:
   • Removed some GitLab Bandit rules.
   • Added new rules for HCL (HashiCorp Configuration Language), Ruby, and YAML.
   • Updated existing rules for various languages including Python, Rust, and Ruby.
4. assets/semgrep_rules/generated/oss/vulns.yaml:
   • Minor updates to existing Go language security rules.

```mermaid
sequenceDiagram
    participant User
    participant SecurityAction
    participant Semgrep
    participant CodeRepository

    User->>SecurityAction: Triggers security scan
    SecurityAction->>Semgrep: Loads updated rules
    Semgrep->>CodeRepository: Scans code with new rules
    CodeRepository-->>Semgrep: Returns scan results
    Semgrep-->>SecurityAction: Provides analysis
    SecurityAction-->>User: Reports security findings
```

Possible Issues

  • The removal of certain rules (e.g., some GitLab Bandit rules) might leave gaps in security coverage if they're not replaced by equivalent or improved rules.
  • New rules might increase false positives if not properly tuned.

Security Hotspots

  1. Dockerfile security: New rules for detecting insecure practices like mounting docker.sock (high risk).
  2. Node.js crypto: Added rules to detect improper use of cryptographic functions (medium risk).
  3. Ruby on Rails: New rules for detecting insecure SSL configurations and cookie attributes (medium risk).
  4. GitHub Actions: Added rules to detect hardcoded credentials for various cloud providers and services (high risk).


The security team is monitoring all repositories for certain keywords. This PR includes the word(s) "password, policy, secure, insecure" and so security team members have been added as reviewers to take a look.

No need to request a full security review at this stage, the security team will take a look shortly and either clear the label or request more information/changes.

Notifications have already been sent, but if this is blocking your merge feel free to reach out directly to the security team on Slack so that we can expedite this check.

@diracdeltas diracdeltas requested review from stoletheminerals and removed request for diracdeltas December 12, 2024 22:50
@diracdeltas (Member) commented:

defer to @stoletheminerals

@thypon thypon merged commit c3a4e70 into main Dec 15, 2024
7 checks passed
@thypon thypon deleted the features/semgrep-update-december branch December 15, 2024 18:31
4 participants