Add 3 rules for sql #41

Merged
merged 2 commits into from
Mar 4, 2025
67 changes: 67 additions & 0 deletions docs/codacy-rules.yaml
Expand Up @@ -134,3 +134,70 @@ rules:
category: security
impact: HIGH
confidence: MEDIUM
- id: codacy.generic.sql.grant-all
severity: ERROR
languages:
- generic
pattern: |
GRANT ALL $X
paths:
include:
- '*.sql'
message: >
GRANT ALL privileges should not be used as it gives excessive permissions that violate the principle of least privilege.
Instead, grant only the specific privileges that are required.
metadata:
owasp:
- A5:2017 Broken Access Control
description: Detects use of GRANT ALL which gives excessive database privileges
category: security
impact: HIGH
confidence: HIGH
- id: codacy.generic.sql.grant-select-no-role
severity: ERROR
languages:
- generic
pattern: |
GRANT SELECT $X TO $Y
patterns_not:
- pattern: |
GRANT SELECT $X TO $Y_role
paths:
include:
- '*.sql'
message: >
GRANT SELECT privileges should only be given to role-based accounts (ending in '_role').
Direct grants to users or non-role accounts violate security best practices.
metadata:
owasp:
- A5:2017 Broken Access Control
description: Detects GRANT SELECT statements that are not targeting role-based accounts
category: security
impact: MEDIUM
confidence: HIGH
- id: codacy.generic.sql.fnd-profile-in-query
severity: ERROR
languages:
- generic
patterns:
- pattern-either:
- pattern: |
SELECT ... FND_PROFILE.$F(...) ...
- pattern: |
SELECT ... FROM ... WHERE ... FND_PROFILE.$F(...) ...
- pattern: |
SELECT ... FROM ... WHERE ... = FND_PROFILE.$F(...)
- pattern: |
SELECT ... FROM ... WHERE ... IN (... FND_PROFILE.$F(...) ...)
paths:
include:
- '*.sql'
message: >
FND_PROFILE functions should not be used directly in SELECT or WHERE clauses.
Instead, assign the FND_PROFILE function value to a variable first and then use that variable in the query.
This improves performance and maintainability.
metadata:
description: Detects direct usage of FND_PROFILE functions in SQL queries instead of using variables
category: performance
impact: MEDIUM
confidence: HIGH
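Review bot: `patterns_not` in `codacy.generic.sql.grant-select-no-role` is not a Semgrep rule key, so the exclusion for `GRANT SELECT $X TO $Y_role` will either fail schema validation or be ignored, and the rule will flag every GRANT SELECT, including grants to roles. Semgrep negation is `pattern-not`, nested with `pattern` under a `patterns:` list. Separately, gluing a suffix onto a metavariable (`$Y_role`) does not express "grantee ends in `_role`"; bind the grantee as `$Y` and add `metavariable-regex` on `$Y` (for example a regex of `_role$` under `pattern-not`, or a negative lookahead if you keep it as one pattern). Two smaller points that apply to all three rules: generic mode matches case-sensitively, so lowercase `grant all` and `select ... fnd_profile.` (common in MySQL and PostgreSQL scripts) are missed unless lowercase variants are added under `pattern-either`; and `A5:2017 Broken Access Control` is the 2017 list, the current reference is `A01:2021 Broken Access Control`.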
4 changes: 4 additions & 0 deletions docs/multiple-tests/codacy-rules-sql/patterns.xml
@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<module name="root">
<module name="codacy.generic.sql.grant-all" />
</module>
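Review bot: only `codacy.generic.sql.grant-all` is enabled here, so `codacy.generic.sql.grant-select-no-role` and `codacy.generic.sql.fnd-profile-in-query` from this PR have no test coverage at all; add both ids to this module list and give each a fixture and expected result, since the role rule in particular relies on negation syntax that should be exercised before merge.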
7 changes: 7 additions & 0 deletions docs/multiple-tests/codacy-rules-sql/results.xml
@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8" ?>
<checkstyle version="1.5">
<file name="script.sql">
<error source="codacy.generic.sql.grant-all" line="1" message="GRANT ALL privileges should not be used as it gives excessive permissions that violate the principle of least privilege." severity="error" />
<error source="codacy.generic.sql.grant-all" line="7" message="GRANT ALL privileges should not be used as it gives excessive permissions that violate the principle of least privilege." severity="error" />
</file>
</checkstyle>
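Review bot: the expected `message` attribute on both `<error>` lines contains only the first sentence of the rule's message, but the rule declares `message: >`, a folded scalar that joins "...least privilege." and "Instead, grant only the specific privileges that are required." into one line. Confirm that the tool deliberately truncates messages at the first sentence (or first line) before relying on this, otherwise the comparison fails as soon as the test runs. The reported lines 1 and 7 do match the two statements in `script.sql`.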
9 changes: 9 additions & 0 deletions docs/multiple-tests/codacy-rules-sql/src/script.sql
@@ -0,0 +1,9 @@
GRANT ALL PRIVILEGES
ON mydb.*
TO 'myuser'@'%'
WITH GRANT OPTION;


GRANT ALL PRIVILEGES ON mydb.* TO myuser;


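Review bot: the fixture contains only positive cases, so the test cannot show that a least-privilege grant is left alone; add a negative case such as `GRANT SELECT ON mydb.orders TO reporting_role;` and, given that generic mode is case-sensitive, a lowercase `grant all privileges on mydb.* to myuser;` line with a deliberate decision in `results.xml` on whether it should be reported. The two trailing blank lines at end of file can also go.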
4 changes: 3 additions & 1 deletion internal/docgen/parsing.go
Expand Up @@ -153,7 +153,6 @@ func getRules(location string, commit string, validate FilenameValidator, genera

var errorWithinMap error
rules := lo.FlatMap(rulesFiles, func(file SemgrepRuleFile, _ int) []SemgrepRule {
fmt.Printf("Reading YAML file: %s\n", file.AbsolutePath)
rs, err := readRulesFromYaml(file.AbsolutePath)
if err != nil {
errorWithinMap = err
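Review bot: dropping the `fmt.Printf` is fine, but this hunk touches no import block; if that was the last use of `fmt` in `parsing.go` the file no longer compiles with an unused import, so either another `fmt` call remains in the file or the import needs to be removed in the same commit. Worth checking rather than assuming.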
Expand Down Expand Up @@ -498,6 +497,9 @@ func toCodacyLanguages(r SemgrepRule) []string {
if strings.HasPrefix(r.ID, "codacy.generic.plsql") {
return []string{"PLSQL"}
}
if strings.HasPrefix(r.ID, "codacy.generic.sql") {
return []string{"SQL"}
}
// Secret detection rules are compatible with all languages
if strings.HasPrefix(r.ID, "generic.secrets") {
return lo.Uniq(lo.Values(supportedLanguages))
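Review bot: the new branch returns the literal `"SQL"`, which must be a key in `supportedLanguages` for the generated docs to be valid; that map is not in this hunk, so please confirm it, as the `PLSQL` branch above presumably did. Also consider matching on `codacy.generic.sql.` with the trailing dot: `HasPrefix(r.ID, "codacy.generic.sql")` is safe against `codacy.generic.plsql` today, but would also swallow any future `codacy.generic.sqlite...` or `codacy.generic.sqlserver...` id.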
1 change: 1 addition & 0 deletions internal/tool/configuration.go
Expand Up @@ -164,6 +164,7 @@ var extensionToLanguageMap = map[string]string{
".tsx": "typescript",
".dockerfile": "dockerfile",
"Dockerfile": "dockerfile",
".sql": "generic",
".pls": "generic",
".trg": "generic",
".prc": "generic",
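Review bot: mapping `.sql` to `generic` mirrors the existing `.pls`/`.trg`/`.prc` entries, but the map key is case-sensitive, and Oracle and Windows-origin repositories frequently ship `.SQL`; unless the lookup lowercases the extension first, those files are never analysed and the three new rules silently miss them, which matters more for a security rule than a style one. Note too that the docgen change labels these rules as Codacy language `SQL` while the tool analyses the files as `generic`; if that split is intentional a one-line comment here would save the next reader the puzzle.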