Merge Develop into Release (#3642)

* fix query-set-extra tests (#3635)

Co-authored-by: Lewis <[email protected]>

* Update TLS version info in Go missing-ssl-minversion

Closes #3643

* Regex update - Missing integrity HTML rule

* new line

* Add detail to message for TF GCP bucket access

The message here was pretty vague and unhelpful - this adds some more specificity.

* Update semgrep-rules-test-develop.yml (#3658)

* Fix csharp-sqli sanitizers

* update CWEs for terraform rules (#3666)

---------

Co-authored-by: tean-lai <[email protected]>
Co-authored-by: Lewis <[email protected]>
Co-authored-by: Ville Skyttä <[email protected]>
Co-authored-by: gobind-singh <[email protected]>
Co-authored-by: Alexis Grant <[email protected]>
Co-authored-by: Claudio <[email protected]>
Co-authored-by: Alexis Grant <[email protected]>
Co-authored-by: Vladislav Timakov <[email protected]>
Co-authored-by: Kurt Boberg <[email protected]>
Co-authored-by: Vasilii Ermilov <[email protected]>

Author: 10 people

.github/workflows/semgrep-rules-test-develop.yml

@@ -28,6 +28,6 @@ jobs:
     #TODO: this actually currently fails because of errors in stats/ but GHA
     # still continue, weird
     - name: run osemgrep validate --pro
-      run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep validate --pro .
+      run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep-nightly:develop semgrep validate --pro .
     - name: run osemgrep test --pro
-      run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep:pro-develop semgrep test --pro .
+      run: docker run --rm -w /src -v ${GITHUB_WORKSPACE}/semgrep-rules:/src semgrep/semgrep-nightly:develop semgrep test --pro .

csharp/lang/security/sqli/csharp-sqli.yaml

@@ -28,9 +28,13 @@ rules:
     pattern-sanitizers:
       - pattern-either:
           - pattern: |
-              $CMD.Parameters.add(...)
+              $CMD.Parameters.Add(...)
           - pattern: |
-              $CMD.Parameters[$IDX] = ...
+              $CMD.Parameters.AddRange(...)
+          - pattern: |
+              $CMD.Parameters.AddWithValue(...)
+          - pattern: |
+              $CMD.Parameters[$IDX].Value = ...
         by-side-effect: true
     message: Detected a formatted string in a SQL statement. This could lead to SQL
       injection if variables in the SQL statement are not properly sanitized.

go/lang/security/audit/crypto/missing-ssl-minversion.yaml

@@ -2,7 +2,7 @@ rules:
 - id: missing-ssl-minversion
   message: >-
     `MinVersion` is missing from this TLS configuration. 
-    By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server.
+    By default, as of Go 1.22, TLS 1.2 is currently used as the minimum.
     General purpose web applications should default to TLS 1.3 with all other protocols disabled. 
     Only where it is known that a web server must support legacy clients
     with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support.
@@ -15,8 +15,8 @@ rules:
     - A02:2021 - Cryptographic Failures
     source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls_config.go
     references:
-    - https://golang.org/doc/go1.14#crypto/tls
-    - https://golang.org/pkg/crypto/tls/#:~:text=MinVersion
+    - https://go.dev/doc/go1.22#minor_library_changes
+    - https://pkg.go.dev/crypto/tls#:~:text=MinVersion
     - https://www.us-cert.gov/ncas/alerts/TA14-290A
     category: security
     technology:

html/security/audit/missing-integrity.html

@@ -35,6 +35,8 @@
     <!-- ok: missing-integrity -->
     <link rel="stylesheet" href="https://someurl/style.css" integrity="sha256-somehashdigest">
     <!-- ok: missing-integrity -->
+    <link rel="stylesheet" integrity="sha256-somehashdigest href="https://someurl/style.css">
+    <!-- ok: missing-integrity -->
     <link rel="stylesheet" href="./css/mystyle.css">
 	<!-- ok: missing-integrity -->
 	<link rel="preconnect" href="https://fonts.gstatic.com/" />

html/security/audit/missing-integrity.yaml

@@ -31,7 +31,7 @@ rules:
           - pattern: src="//..."
           - pattern: href='//...'
           - pattern: href="//..."
-        - pattern-not-regex: (?is).*integrity=
+        - pattern-not-regex: (?is).*integrity=.*
         - pattern-not-regex: (google-analytics\.com|fonts\.googleapis\.com|fonts\.gstatic\.com|googletagmanager\.com)
         - pattern-not-regex: .*rel\s*=\s*['"]?preconnect.*
   paths:

python/django/security/audit/query-set-extra.py

@@ -14,34 +14,74 @@
 Entry.objects.get({}).filter().update().extra()
 
 # ok:avoid-query-set-extra
-findings = Finding.objects.filter(verified=True,
-                                      severity__in=('Critical', 'High', 'Medium', 'Low', 'Info')).prefetch_related(
-        'test__engagement__product',
-        'test__engagement__product__prod_type',
-        'test__engagement__risk_acceptance',
-        'risk_acceptance_set',
-        'reporter').extra(
+findings = (
+    Finding.objects.filter(
+        verified=True, severity__in=("Critical", "High", "Medium", "Low", "Info")
+    )
+    .prefetch_related(
+        "test__engagement__product",
+        "test__engagement__product__prod_type",
+        "test__engagement__risk_acceptance",
+        "risk_acceptance_set",
+        "reporter",
+    )
+    .extra(
         select={
-            'ra_count': 'SELECT COUNT(*) FROM dojo_risk_acceptance INNER JOIN '
-                        'dojo_risk_acceptance_accepted_findings ON '
-                        '( dojo_risk_acceptance.id = dojo_risk_acceptance_accepted_findings.risk_acceptance_id ) '
-                        'WHERE dojo_risk_acceptance_accepted_findings.finding_id = dojo_finding.id',
+            "ra_count": "SELECT COUNT(*) FROM dojo_risk_acceptance INNER JOIN "
+            "dojo_risk_acceptance_accepted_findings ON "
+            "( dojo_risk_acceptance.id = dojo_risk_acceptance_accepted_findings.risk_acceptance_id ) "
+            "WHERE dojo_risk_acceptance_accepted_findings.finding_id = dojo_finding.id",
         },
     )
+)
 
-example = 1
+
+example = input()
 # ruleid:avoid-query-set-extra
-active_findings = Finding.objects.filter(verified=True, active=True,
-                                      severity__in=('Critical', 'High', 'Medium', 'Low', 'Info')).prefetch_related(
-        'test__engagement__product',
-        'test__engagement__product__prod_type',
-        'test__engagement__risk_acceptance',
-        'risk_acceptance_set',
-        'reporter').extra(
+active_findings = (
+    Finding.objects.filter(
+        verified=True,
+        active=True,
+        severity__in=("Critical", "High", "Medium", "Low", "Info"),
+    )
+    .prefetch_related(
+        "test__engagement__product",
+        "test__engagement__product__prod_type",
+        "test__engagement__risk_acceptance",
+        "risk_acceptance_set",
+        "reporter",
+    )
+    .extra(
+        select={
+            "ra_count": f"SELECT COUNT(*) FROM dojo_risk_acceptance INNER JOIN "
+            f"dojo_risk_acceptance_accepted_findings ON "
+            f"( dojo_risk_acceptance.id = dojo_risk_acceptance_accepted_findings.risk_acceptance_id ) "
+            f"WHERE dojo_risk_acceptance_accepted_findings.finding_id = {example}",
+        },
+    )
+)
+
+example = 1
+# ok:avoid-query-set-extra
+active_findings = (
+    Finding.objects.filter(
+        verified=True,
+        active=True,
+        severity__in=("Critical", "High", "Medium", "Low", "Info"),
+    )
+    .prefetch_related(
+        "test__engagement__product",
+        "test__engagement__product__prod_type",
+        "test__engagement__risk_acceptance",
+        "risk_acceptance_set",
+        "reporter",
+    )
+    .extra(
         select={
-            'ra_count': f'SELECT COUNT(*) FROM dojo_risk_acceptance INNER JOIN '
-                        f'dojo_risk_acceptance_accepted_findings ON '
-                        f'( dojo_risk_acceptance.id = dojo_risk_acceptance_accepted_findings.risk_acceptance_id ) '
-                        f'WHERE dojo_risk_acceptance_accepted_findings.finding_id = {example}',
+            "ra_count": f"SELECT COUNT(*) FROM dojo_risk_acceptance INNER JOIN "
+            f"dojo_risk_acceptance_accepted_findings ON "
+            f"( dojo_risk_acceptance.id = dojo_risk_acceptance_accepted_findings.risk_acceptance_id ) "
+            f"WHERE dojo_risk_acceptance_accepted_findings.finding_id = {example}",
         },
     )
+)

terraform/aws/security/aws-ec2-has-public-ip.yaml

@@ -31,7 +31,7 @@ rules:
     - A05:2017 - Broken Access Control
     - A01:2021 - Broken Access Control
     cwe:
-    - 'CWE-284: Improper Access Control'
+    - 'CWE-1220: Insufficient Granularity of Access Control'
     references:
     - https://owasp.org/Top10/A01_2021-Broken_Access_Control
     subcategory:

terraform/aws/security/aws-ec2-security-group-allows-public-ingress.yaml

@@ -73,7 +73,7 @@ rules:
     owasp:
     - A01:2021 - Broken Access Control
     cwe:
-    - 'CWE-284: Improper Access Control'
+    - 'CWE-1220: Insufficient Granularity of Access Control'
     references:
     - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
     - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

terraform/aws/security/aws-network-acl-allows-all-ports.yaml

@@ -49,7 +49,7 @@ rules:
     owasp:
     - A01:2021 - Broken Access Control
     cwe:
-    - 'CWE-284: Improper Access Control'
+    - 'CWE-1220: Insufficient Granularity of Access Control'
     references:
     - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
     - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl

terraform/aws/security/aws-network-acl-allows-public-ingress.yaml

@@ -72,7 +72,7 @@ rules:
     owasp:
     - A01:2021 - Broken Access Control
     cwe:
-    - 'CWE-284: Improper Access Control'
+    - 'CWE-1220: Insufficient Granularity of Access Control'
     references:
     - https://owasp.org/Top10/A01_2021-Broken_Access_Control/
     - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl