Add security rules for RSA key sizes and hard-coded secrets in Ruby and Rust

rules/ruby/security/insufficient-rsa-key-size-ruby.yml

@@ -0,0 +1,91 @@
+id: insufficient-rsa-key-size-ruby
+language: ruby
+severity: warning
+message: >-
+  The RSA key size $SIZE is insufficent by NIST standards. It is
+  recommended to use a key length of 2048 or higher.
+note: >-
+  [CWE-326] Inadequate Encryption Strength.
+  [REFERENCES]
+      - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
+utils:
+  OpenSSL::PKey::RSA.generate($SIZE,...):
+    # OpenSSL::PKey::RSA.generate($SIZE,...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: scope_resolution
+          regex: ^OpenSSL::PKey::RSA$
+      - has:
+          stopBy: neighbor
+          regex: ^.$
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: ^new|generate$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          any:
+              - has:
+                 stopBy: neighbor
+                 kind: integer
+                 pattern: $KEY
+              - has:
+                 stopBy: neighbor
+                 kind: float
+                 pattern: $KEY
+              - has:
+                 stopBy: neighbor
+                 kind: unary
+                 all:
+                  - has:
+                      stopBy: neighbor
+                      regex: ^-$
+                  - any:
+                    - has:
+                       stopBy: neighbor
+                       kind: float
+                       pattern: $KEY
+                    - has:
+                       stopBy: neighbor
+                       kind: integer
+                       pattern: $KEY
+  OpenSSL::PKey::RSA.new($ASSIGN, ...):
+    # $ASSIGN = $SIZE
+    # OpenSSL::PKey::RSA.new($ASSIGN, ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: scope_resolution
+          regex: ^OpenSSL::PKey::RSA$
+      - has:
+          stopBy: neighbor
+          regex: ^.$
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: ^new|generate$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            pattern: $BIT
+      - inside:
+          stopBy: end
+          kind: class
+          has:
+            stopBy: end
+            kind: assignment
+            pattern: $BIT = $KEY
+rule:
+  kind: call
+  any:
+    - matches: OpenSSL::PKey::RSA.generate($SIZE,...)
+    - matches: OpenSSL::PKey::RSA.new($ASSIGN, ...)
+constraints:
+  KEY:
+    regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'

rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml

@@ -0,0 +1,127 @@
+id: ruby-cassandra-hardcoded-secret-ruby
+language: ruby
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  Cassandra.cluster():
+    # Cassandra.cluster(..., password: "", ...)
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: constant
+         regex: ^Cassandra$
+     - has:
+         stopBy: neighbor
+         regex: ^.$
+     - has:
+         stopBy: neighbor
+         kind: identifier
+         regex: ^cluster$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: end
+           kind: pair
+           all:
+            - has:
+                stopBy: neighbor
+                kind: hash_key_symbol
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                has:
+                  stopBy: neighbor
+                  kind: string_content
+     - inside:
+           stopBy: end
+           kind: program
+           has:
+               stopBy: end
+               kind: call
+               pattern: require 'cassandra'
+  Cassandra.cluster()_with_instance:
+    # Cassandra.cluster(..., password: "", ...)
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: constant
+         regex: ^Cassandra$
+     - has:
+         stopBy: neighbor
+         regex: ^.$
+     - has:
+         stopBy: neighbor
+         kind: identifier
+         regex: ^cluster$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: end
+           kind: pair
+           all:
+            - has:
+                stopBy: neighbor
+                kind: hash_key_symbol
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $SECRET
+     - inside:
+           stopBy: end
+           kind: program
+           has:
+               stopBy: end
+               kind: call
+               pattern: require 'cassandra'
+     - any:
+        - follows:
+               stopBy: end
+               kind: assignment
+               all:
+                - has:
+                      stopBy: neighbor
+                      kind:  identifier
+                      pattern: $SECRET
+                - has:
+                      stopBy: neighbor
+                      kind: string
+                      has:
+                              stopBy: neighbor
+                              kind: string_content
+        - inside:
+              stopBy: end
+              kind: assignment
+              follows:
+               stopBy: end
+               kind: assignment
+               all:
+                - has:
+                      stopBy: neighbor
+                      kind:  identifier
+                      pattern: $SECRET
+                - has:
+                      stopBy: neighbor
+                      kind: string
+                      has:
+                              stopBy: neighbor
+                              kind: string_content                 
+rule:
+  kind: call
+  any:
+    - matches: Cassandra.cluster()
+    - matches: Cassandra.cluster()_with_instance