From 9771291d496b04419a46d8737ee97519d8b5a99f Mon Sep 17 00:00:00 2001
From: htrgouvea
Date: Fri, 2 Feb 2024 09:24:22 -0300
Subject: [PATCH 1/4] some fix for linter warnings
---
 .perlcriticrc | 2 +-
 lib/Zarn/AST.pm | 2 +-
 lib/Zarn/Files.pm | 2 +-
 lib/Zarn/Rules.pm | 2 +-
 lib/Zarn/Sarif.pm | 2 +-
 zarn.pl | 25 ++++++++++++-------------
 6 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/.perlcriticrc b/.perlcriticrc
index 722782a..61ab588 100644
--- a/.perlcriticrc
+++ b/.perlcriticrc
@@ -1,4 +1,4 @@
-severity = 4
+severity = 3
 [-TestingAndDebugging::RequireUseStrict]
 [-TestingAndDebugging::RequireUseWarnings]
\ No newline at end of file
diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm
index 573b35e..3d6409f 100644
--- a/lib/Zarn/AST.pm
+++ b/lib/Zarn/AST.pm
@@ -5,7 +5,7 @@ package Zarn::AST {
 use PPI::Find;
 use PPI::Document;
- our $VERSION = '0.01';
+ our $VERSION = '0.0.1';
 sub new {
 my ($self, $parameters) = @_;
diff --git a/lib/Zarn/Files.pm b/lib/Zarn/Files.pm
index 14e90f6..1c018c2 100644
--- a/lib/Zarn/Files.pm
+++ b/lib/Zarn/Files.pm
@@ -3,7 +3,7 @@ package Zarn::Files {
 use warnings;
 use File::Find::Rule;
- our $VERSION = '0.01';
+ our $VERSION = '0.0.1';
 sub new {
 my ($self, $source, $ignore) = @_;
diff --git a/lib/Zarn/Rules.pm b/lib/Zarn/Rules.pm
index d4afe25..04511d8 100644
--- a/lib/Zarn/Rules.pm
+++ b/lib/Zarn/Rules.pm
@@ -3,7 +3,7 @@ package Zarn::Rules {
 use warnings;
 use YAML::Tiny;
- our $VERSION = '0.01';
+ our $VERSION = '0.0.1';
 sub new {
 my ($self, $rules) = @_;
diff --git a/lib/Zarn/Sarif.pm b/lib/Zarn/Sarif.pm
index f529931..4b02ab2 100644
--- a/lib/Zarn/Sarif.pm
+++ b/lib/Zarn/Sarif.pm
@@ -2,7 +2,7 @@ package Zarn::Sarif {
 use strict;
 use warnings;
- our $VERSION = '0.01';
+ our $VERSION = '0.0.1';
 sub new {
 my ($self, @vulnerabilities) = @_;
diff --git a/zarn.pl b/zarn.pl
index 82cab74..9a97155 100755
--- a/zarn.pl
+++ b/zarn.pl
@@ -3,6 +3,7 @@ use 5.030;
 use strict;
 use warnings;
+use Carp;
 use lib "./lib/";
 use Getopt::Long;
 use Zarn::AST;
@@ -25,18 +26,16 @@ sub main {
 );
 if (!$source) {
- print "
- \rZarn v0.0.9
- \rCore Commands
- \r==============
- \r\tCommand Description
- \r\t------- -----------
- \r\t-s, --source Configure a source directory to do static analysis
- \r\t-r, --rules Define YAML file with rules
- \r\t-i, --ignore Define a file or directory to ignore
- \r\t-srf, --sarif Define the SARIF output file
- \r\t-h, --help To see help menu of a module\n
- \r";
+ print "\nZarn v0.0.9"
+ . "\nCore Commands"
+ . "\n==============\n"
+ . "\tCommand Description\n"
+ . "\t------- -----------\n"
+ . "\t-s, --source Configure a source directory to do static analysis\n"
+ . "\t-r, --rules Define YAML file with rules\n"
+ . "\t-i, --ignore Define a file or directory to ignore\n"
+ . "\t-srf, --sarif Define the SARIF output file\n"
+ . "\t-h, --help To see help menu of a module\n\n";
 exit 1;
 }
@@ -68,7 +67,7 @@ sub main {
 if ($sarif) {
 my $sarif_data = Zarn::Sarif -> new (@results);
- open(my $output, '>', $sarif) or die "Cannot open file '$sarif': $!";
+ open(my $output, '>', $sarif) or croak "Cannot open file '$sarif': $!";
 print $output encode_json($sarif_data);
From 7f057f482cf3687997a0fbaac635b4d06af2cc19 Mon Sep 17 00:00:00 2001
From: htrgouvea
Date: Tue, 6 Feb 2024 08:55:40 -0300
Subject: [PATCH 2/4] update example of rules with description
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index b021325..5ead482 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
-
+
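Review bot: The usage banner in the added `print` chain still hard-codes `Zarn v0.0.9`, while this same series sets `our $VERSION = '0.0.1'` in every module, so the banner and the module versions now disagree; if zarn.pl has its own `$VERSION` (not visible here) interpolate it, otherwise take the version from one place rather than a literal. A ten-term `.` chain is also harder to keep aligned than an indented heredoc, which the file's `use 5.030` already permits, and since this path is the "missing `--source`" error that ends in `exit 1`, writing the usage to STDERR keeps STDOUT clean for callers that pipe the SARIF output. `main` starts and ends outside this hunk.
```perl
if (!$source) {
    # TODO: take the version from one place instead of a literal here
    print STDERR <<~"USAGE";

        Zarn v0.0.9
        Core Commands
        ==============
        \tCommand        Description
        \t-------        -----------
        \t-s, --source   Configure a source directory to do static analysis
        \t-r, --rules    Define YAML file with rules
        \t-i, --ignore   Define a file or directory to ignore
        \t-srf, --sarif  Define the SARIF output file
        \t-h, --help     To see help menu of a module

    USAGE
    exit 1;
}
```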
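Review bot: The `print $output encode_json($sarif_data);` directly after the new `croak` line is still unchecked, and a failed write to `$sarif` only surfaces at `close`, which is not visible in this hunk; check both, e.g. `print {$output} encode_json($sarif_data) or croak "Cannot write file '$sarif': $!";` followed by `close $output or croak "Cannot close file '$sarif': $!";` (or `use autodie;` for the whole script). Switching `die` to `croak` inside `main` attributes the error to whatever calls `main`, which for a script is presumably the top-level call, so it mainly satisfies the linter; the `$sarif` and `$!` already in the message carry the useful context either way. `main` continues outside the hunk.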
@@ -57,21 +57,22 @@ rules:
 - id: '0001'
 category: info
 name: Debug module enabled
- message:
+ message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
 sample:
 - Dumper
 - id: '0002'
 category: vuln
 name: Code Injection
- message:
+ message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
 sample:
 - system
 - eval
 - exec
+ - qx
 - id: '0003'
 category: vuln
 name: Path Traversal
- message:
+ message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
 sample:
 - open
 ```
@@ -114,7 +115,6 @@ jobs:
 Your contributions and suggestions are heartily ♥ welcome. [See here the contribution guidelines.](/.github/CONTRIBUTING.md) Please, report bugs via [issues page](https://github.com/htrgouvea/zarn/issues) and for security issues, see here the [security policy.](/SECURITY.md) (✿ ◕‿◕) This project follows this [style guide: (https://github.com/htrgouvea/perl-style-guide)](https://github.com/htrgouvea/perl-style-guide).
- ---
 ### License
From 473cce4e5a1383127f0b70e0e88283960fa35ec9 Mon Sep 17 00:00:00 2001
From: htrgouvea
Date: Sun, 18 Feb 2024 22:00:23 -0300
Subject: [PATCH 3/4] fix row and line numbers on print findings
---
 lib/Zarn/AST.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm
index 3d6409f..0de6c99 100644
--- a/lib/Zarn/AST.pm
+++ b/lib/Zarn/AST.pm
@@ -45,7 +45,7 @@ package Zarn::AST {
 $var_token -> parent -> isa("PPI::Token::Operator") ||
 $var_token -> parent -> isa("PPI::Statement::Expression")
 )) {
- my ($line, $rowchar) = @{$var_token -> location};
+ my ($line, $rowchar) = @{$token -> location};
 push @results, {
 category => $category,
From 9e3b03035a437ce159ed7fb7393c22e93b876c39 Mon Sep 17 00:00:00 2001
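Review bot: `@{$token -> location}` on the added line dies with "Can't use an undefined value as an ARRAY reference" if `location` returns undef, which PPI documents as its error return, so one token without a location would abort the whole scan instead of skipping one finding; a guarded form such as `my $location = $token -> location or next;` then `my ($line, $rowchar) = @{$location};` avoids that. The enclosing method starts and ends outside this hunk, so whether `next` is the right escape depends on the loop around it. Separately, PPI's location array carries the row character offset and the visual column as different elements, so if a column is reported downstream it is worth confirming that `$rowchar` (tabs counted as one character) is the value wanted.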
From: htrgouvea
Date: Sun, 18 Feb 2024 22:00:46 -0300
Subject: [PATCH 4/4] change quote to double quotes
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5ead482..aa91d53 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ on:
 pull_request:
 branches: [ "main" ]
 schedule:
- - cron: '28 23 * * 1'
+ - cron: "28 23 * * 1"
 jobs:
 zarn: