Merge Develop into Release (#3515)

* Allow OWASP Top 10 references from Kubernetes and LLM Top 10 (#3499) Co-authored-by: Berne Campbell <[email protected]> Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]> * Add literal pattern (#3507) Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]> --------- Co-authored-by: berney <[email protected]> Co-authored-by: Berne Campbell <[email protected]> Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]> Co-authored-by: QU35T-code <[email protected]>
semgrep · Nov 13, 2024 · d53e57e · d53e57e
1 parent 7a0f292
commit d53e57e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/javascript/sequelize/security/audit/sequelize-raw-query.yaml b/javascript/sequelize/security/audit/sequelize-raw-query.yaml
@@ -40,3 +40,15 @@ rules:
       $QUERY = $SQL + $VALUE
       ...
       $DATABASE.sequelize.query($QUERY, ...)
+  - pattern: |
+      Sequelize.literal(`...${...}...`)
+  - pattern: |
+      $QUERY = `...${...}...`
+      ...
+      Sequelize.literal($QUERY)
+  - pattern: |
+      Sequelize.literal($SQL + $VALUE)
+  - pattern: |
+      $QUERY = $SQL + $VALUE
+      ...
+      Sequelize.literal($QUERY)
diff --git a/yaml/semgrep/metadata-owasp.test.yaml b/yaml/semgrep/metadata-owasp.test.yaml
@@ -15,6 +15,22 @@ rules:
     metadata:
       # ok: metadata-owasp
       owasp: A05:2021 - Security Misconfiguration
+  - id: example-k8s-1
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: "K1: Insecure Workload Configurations"
+  - id: example-k8s-1b
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: K01:2022 - Insecure Workload Configurations
   - id: example-bad-zero
     message: Example
     severity: ERROR
@@ -75,6 +91,8 @@ rules:
         - A05:2021 - Security Misconfiguration
         # ok: metadata-owasp
         - A06:2017 - Security Misconfiguration
+        # ok: metadata-owasp
+        - K01:2022 - Insecure Workload Configurations
   - id: example-bad-list
     message: Example
     severity: ERROR

diff --git a/yaml/semgrep/metadata-owasp.yaml b/yaml/semgrep/metadata-owasp.yaml
@@ -2,7 +2,7 @@ rules:
   - id: metadata-owasp
     message: >-
       The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY",
-      where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.
+      where A00 is the OWASP Top 10 number and YYYY is the OWASP Top 10 year.
     severity: ERROR
     languages: [json, yaml]
     patterns:
@@ -13,13 +13,13 @@ rules:
         # If there's a year, need leading zero, e.g. `A01:2021 blah` rather than `A1:2021 blah`.
           - patterns:
               - pattern: 'owasp: "..."'
-              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"'
-              - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^(A|K|LLM)(0?[1-9]|10):\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^(A|K|LLM)(0[1-9]|10):([0-9]{4})?\s+.+$/"'
           # A list, must have the year, e.g. `- A01:2021 blah`
           - patterns:
               - pattern-inside: "owasp: [...]"
               - pattern: '"$ANYTHING"'
-              - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.*
+              - pattern-not-regex: .*(A|K|LLM)(0[1-9]|10):[0-9]{4}\s+.*
               - pattern-not-regex: "owasp:"
     metadata:
       category: best-practice