Add static analysis rules for C++ and Rust security checks #128

Merged
merged 9 commits into from
Jan 13, 2025
44 changes: 44 additions & 0 deletions rules/cpp/sizeof-this-cpp.yml
@@ -0,0 +1,44 @@
id: sizeof-this-cpp
language: cpp
severity: warning
message: >-
Do not use `sizeof(this)` to get the number of bytes of the object in
memory. It returns the size of the pointer, not the size of the object.
note: >-
[CWE-467]: Use of sizeof() on a Pointer Type
[REFERENCES]
- https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
utils:
match_sizeof_this:
kind: sizeof_expression
has:
kind: parenthesized_expression
has:
kind: this
regex: "^this$"
inside:
stopBy: end
kind: return_statement
inside:
kind: compound_statement
follows:
kind: function_declarator
inside:
kind: function_definition

rule:
kind: sizeof_expression
all:
- has:
stopBy: end
kind: this
- not:
has:
stopBy: end
any:
- nthChild: 2
- kind: pointer_expression
- kind: ERROR
- kind: sizeof_expression


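Review bot: the `match_sizeof_this` util declared under `utils:` is never referenced (`rule:` builds its own `kind: sizeof_expression` / `all:` block and contains no `matches:`), so the util's restriction to a `return_statement` inside a function body has no effect and the rule flags `sizeof(this)` wherever it appears. Either wire it in with `matches: match_sizeof_this` or delete it so the file's scope is what it declares. Inside the util, `regex: "^this$"` on a node already constrained to `kind: this` is redundant and can go. A pair of test snippets, `sizeof(this)` as a finding and `sizeof(*this)` as a non-finding (which is what the `pointer_expression` exclusion is there for), would pin the intended behaviour.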
ESS-ENN marked this conversation as resolved.
248 changes: 248 additions & 0 deletions rules/rust/security/tokio-postgres-empty-password-rust.yml
@@ -0,0 +1,248 @@
id: tokio-postgres-empty-password-rust
language: rust
severity: warning
message: >-
The application uses an empty credential. This can lead to unauthorized
access by either an internal or external malicious actor. It is
recommended to rotate the secret and retrieve them from a secure secret
vault or Hardware Security Module (HSM), alternatively environment
variables can be used if allowed by your company policy.
note: >-
[CWE-287] Improper Authentication.
[REFERENCES]
- https://docs.rs/tokio-postgres/latest/tokio_postgres/
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
utils:
MATCH_FOLLOW_1:
follows:
stopBy: end
any:
- kind: let_declaration
all:
- has:
kind: identifier
pattern: $CONFIG
- has:
kind: call_expression
regex: ^tokio_postgres::Config::new\(\)$
- kind: let_declaration
all:
- has:
kind: identifier
pattern: $CONFIG
- has:
kind: call_expression
regex: ^Config::new\(\)$
any:
- follows:
stopBy: end
kind: use_declaration
has:
stopBy: end
kind: scoped_identifier
regex: ^tokio_postgres::Config$
- inside:
stopBy: end
follows:
stopBy: end
kind: use_declaration
has:
stopBy: end
kind: scoped_identifier
regex: ^tokio_postgres::Config$


rule:
kind: call_expression
not:
has:
stopBy: end
kind: ERROR
any:
# CONFIG IS DIRECT AND PWD IS DIRECT
- all:
- has:
stopBy: end
kind: scoped_identifier
regex: ^tokio_postgres::Config::new()$
- has:
kind: field_expression
regex: \.password$
nthChild: 1
- has:
kind: arguments
nthChild: 2
has:
stopBy: end
kind: string_literal
not:
has:
kind: string_content
nthChild: 1
all:
- not:
has:
stopBy: end
nthChild: 2
- not:
has:
stopBy: end
any:
- kind: block
- kind: array_expression
# CONFIG IS DIRECT AND PWD IS INSTANCE
- all:
- has:
stopBy: end
kind: scoped_identifier
regex: ^tokio_postgres::Config::new()$
- has:
kind: field_expression
regex: \.password$
nthChild: 1
- has:
kind: arguments
nthChild: 2
has:
stopBy: end
kind: identifier
pattern: $PASSWORD
inside:
stopBy: end
follows:
stopBy: end
any:
- kind: let_declaration
has:
kind: identifier
pattern: $PASSWORD
precedes:
stopBy: end
kind: string_literal
not:
has:
kind: string_content
- kind: expression_statement
has:
kind: assignment_expression
has:
kind: identifier
pattern: $PASSWORD
precedes:
stopBy: end
kind: string_literal
not:
has:
kind: string_content

nthChild: 1
all:
- not:
has:
stopBy: end
nthChild: 2
- not:
has:
stopBy: end
any:
- kind: block
- kind: array_expression
# CONFIG IS INSTANCE AND PWD IS DIRECT
- all:
- has:
stopBy: end
kind: identifier
pattern: $CONFIG
any:
- inside:
stopBy: end
matches: MATCH_FOLLOW_1
- has:
kind: field_expression
regex: \.password$
nthChild: 1
- has:
kind: arguments
nthChild: 2
has:
stopBy: end
kind: string_literal
not:
has:
kind: string_content
nthChild: 1
all:
- not:
has:
stopBy: end
nthChild: 2
- not:
has:
stopBy: end
any:
- kind: block
- kind: array_expression
# CONFIG IS INSTANCE AND PWD IS INSTANCE
- all:
- has:
stopBy: end
kind: identifier
pattern: $CONFIG
any:
- inside:
stopBy: end
matches: MATCH_FOLLOW_1
- has:
kind: field_expression
regex: \.password$
nthChild: 1
- has:
kind: arguments
nthChild: 2
has:
stopBy: end
kind: identifier
pattern: $PASSWORD
nthChild: 1
inside:
stopBy: end
follows:
stopBy: end
any:
- kind: let_declaration
all:
- has:
kind: identifier
pattern: $PASSWORD
- has:
kind: string_literal
not:
has:
kind: string_content
- kind: expression_statement
has:
kind: assignment_expression
all:
- has:
kind: identifier
pattern: $PASSWORD
- has:
kind: string_literal
not:
has:
kind: string_content

all:
- not:
has:
stopBy: end
nthChild: 2
- not:
has:
stopBy: end
any:
- kind: block
- kind: array_expression

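Review bot: the two "CONFIG IS DIRECT" branches apply `regex: ^tokio_postgres::Config::new()$` to a `scoped_identifier`; the unescaped `()` is an empty capture group, not literal parentheses, so the pattern only matches because a `scoped_identifier` node's text (`tokio_postgres::Config::new`) carries no parentheses at all. Write `^tokio_postgres::Config::new$` there to state the intent, and keep the escaped `\(\)` form (as `MATCH_FOLLOW_1` already does) only where the regex is applied to a `call_expression`. Those same two branches recognise only the fully qualified path, so `Config::new().password("")` after `use tokio_postgres::Config;` is missed even though `MATCH_FOLLOW_1` already handles that import form for the instance branches; an `any:` over both spellings, reusing the `use_declaration` check from the util, would close the gap. Minor: in `message`, "rotate the secret and retrieve them" should read "retrieve it", and the `note` header (`[CWE-287] Improper Authentication.`) differs from the `[CWE-467]: ...` style used in the cpp rule.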