diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 4880bc66..00000000 --- a/.gitignore +++ /dev/null @@ -1,5 +0,0 @@ -################################################################################ -# This .gitignore file was automatically created by Microsoft(R) Visual Studio. -################################################################################ - -/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/bin/Debug diff --git a/rules/default/security/api/deserialization.json b/rules/default/security/api/deserialization.json index a13c6162..858f11bc 100644 --- a/rules/default/security/api/deserialization.json +++ b/rules/default/security/api/deserialization.json @@ -40,8 +40,8 @@ "rule_info": "DS425000.md", "patterns": [ { - "pattern": ".readObject\\(", - "type": "substring", + "pattern": "\\.readObject\\(", + "type": "regex", "scopes": [ "code" ], @@ -66,7 +66,7 @@ "patterns": [ { "pattern": "unserialize\\(", - "type": "string", + "type": "regex", "scopes": [ "code" ], @@ -96,7 +96,15 @@ "code" ], "_comment": "" - } + }, + { + "pattern": "(YAML|Syck|Marshal)::load", + "type": "regex", + "scopes": [ + "code" + ], + "_comment": "" + } ] }, { diff --git a/rules/default/security/api/tests/DS108330.test b/rules/default/security/api/tests/DS108330.test new file mode 100644 index 00000000..65bd3805 --- /dev/null +++ b/rules/default/security/api/tests/DS108330.test @@ -0,0 +1,10 @@ +line: 5 +===== +int main () +{ + char str1[20]; + char str2[20]; + strncat (str1, str2, 6); + + return 0; +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS111237.test b/rules/default/security/api/tests/DS111237.test new file mode 100644 index 00000000..2cd10567 --- /dev/null +++ b/rules/default/security/api/tests/DS111237.test @@ -0,0 +1,12 @@ +line: 7 +==== +int main () +{ + char str1[]= "To be or not to be"; + char str2[40]; + char str3[40]; + + strncpy ( str2, str1, sizeof(str2) ); + + return 0; +} \ No newline at end of file 
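Review bot: The `(YAML|Syck|Marshal)::load` pattern added in the third deserialization.json hunk only matches the `::` call form, yet the new DS425030.test (further down, in the `rules/default/security/api/tests` section) expects `YAML.load_file('some.yml')` and `Marshal.load(data)` to be flagged as well; unless a pattern above the hunk, not visible here, already covers the dot form, those two expectations will fail. A single regex such as `"(YAML|Syck|Marshal)(::|\\.)load"` covers both spellings. Separately, switching `unserialize\\(` from `string` to `regex` without a leading `\\b` makes it match any identifier ending in `unserialize(`, such as a project's own `safe_unserialize(`; if the old `string` type implied whole-token matching, `"\\bunserialize\\("` preserves that. The enclosing rule objects start and end outside these hunks.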
diff --git a/rules/default/security/api/tests/DS121708.test b/rules/default/security/api/tests/DS121708.test new file mode 100644 index 00000000..5d86938d --- /dev/null +++ b/rules/default/security/api/tests/DS121708.test @@ -0,0 +1,8 @@ +line: 5 +===== +int main () { + const char src[50] = "www.tutorialspoint.com"; + char dest[50]; + + memcpy(dest, src, 20); +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS140021.test b/rules/default/security/api/tests/DS140021.test new file mode 100644 index 00000000..f335aa5f --- /dev/null +++ b/rules/default/security/api/tests/DS140021.test @@ -0,0 +1,6 @@ +line: 3 +====== +int main () { + const char src[50] = "www.tutorialspoint.com"; + int a = strlen(src)+1; +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS141863.test b/rules/default/security/api/tests/DS141863.test new file mode 100644 index 00000000..d4366928 --- /dev/null +++ b/rules/default/security/api/tests/DS141863.test @@ -0,0 +1,8 @@ +line: 4 +==== +int main () +{ + char str[80]; + strcat (str,"strings "); + return 0; +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS154189.test b/rules/default/security/api/tests/DS154189.test new file mode 100644 index 00000000..2bb1058d --- /dev/null +++ b/rules/default/security/api/tests/DS154189.test @@ -0,0 +1,11 @@ +line: 5 +line: 6 +===== +int main () +{ + char buffer [50]; + int n, a=5, b=3; + n=sprintf (buffer, "%d plus %d is %d", a, b, a+b); + printf ("[%s] is a string %d chars long\n",buffer,n); + return 0; +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS161085.test b/rules/default/security/api/tests/DS161085.test new file mode 100644 index 00000000..9c325469 --- /dev/null +++ b/rules/default/security/api/tests/DS161085.test @@ -0,0 +1,8 @@ +line: 5 +======= +int main () { + char *str; + + /* Following line should be hit */ + str = (char *) malloc(15); +} \ No newline at end of file 
diff --git a/rules/default/security/api/tests/DS181021.test b/rules/default/security/api/tests/DS181021.test new file mode 100644 index 00000000..acbde9d2 --- /dev/null +++ b/rules/default/security/api/tests/DS181021.test @@ -0,0 +1,10 @@ +line: 5 +===== +int main() +{ + char string [256]; + + gets (string); // warning: unsafe (see fgets instead) + + return 0; +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS185832.test b/rules/default/security/api/tests/DS185832.test new file mode 100644 index 00000000..cf1af129 --- /dev/null +++ b/rules/default/security/api/tests/DS185832.test @@ -0,0 +1,13 @@ +line: 6 +line: 7 +===== +int main () +{ + char str1[]="Sample string"; + char str2[40]; + char str3[40]; + strcpy (str2,str1); + strcpy (str3,"copy successful"); + + return 0; +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS425000.test b/rules/default/security/api/tests/DS425000.test new file mode 100644 index 00000000..9499aaf3 --- /dev/null +++ b/rules/default/security/api/tests/DS425000.test @@ -0,0 +1,3 @@ +line: 1 +===== +favorite_color = pickle.load( open( "save.p", "rb" ) ) diff --git a/rules/default/security/api/tests/DS425010.test b/rules/default/security/api/tests/DS425010.test new file mode 100644 index 00000000..1e820d30 --- /dev/null +++ b/rules/default/security/api/tests/DS425010.test @@ -0,0 +1,6 @@ +line: 3 +===== +private void readObject(ObjectInputStream in) throws IOException,ClassNotFoundException { + in.defaultReadObject(); + this.author = (String)in.readObject(); +} \ No newline at end of file diff --git a/rules/default/security/api/tests/DS425020.test b/rules/default/security/api/tests/DS425020.test new file mode 100644 index 00000000..c7c221f8 --- /dev/null +++ b/rules/default/security/api/tests/DS425020.test @@ -0,0 +1,3 @@ +line: 1 +===== +$session_data = unserialize($tmp[0]); 
diff --git a/rules/default/security/api/tests/DS425030.test b/rules/default/security/api/tests/DS425030.test new file mode 100644 index 00000000..69161cae --- /dev/null +++ b/rules/default/security/api/tests/DS425030.test @@ -0,0 +1,7 @@ +line: 1 +line: 2 +line: 3 +===== +thing = YAML.load_file('some.yml') +obj = Marshal.load(data) +ruby_obj = YAML::load( yaml_obj ) \ No newline at end of file diff --git a/rules/default/security/api/tests/DS425040.test b/rules/default/security/api/tests/DS425040.test new file mode 100644 index 00000000..f43d1ccc --- /dev/null +++ b/rules/default/security/api/tests/DS425040.test @@ -0,0 +1,24 @@ +line: 3 +line: 8 +line: 13 +line: 18 +==== +Stockholder newStockholder = JsonConvert.DeserializeObject(jsonTypeNameAuto, new JsonSerializerSettings +{ + TypeNameHandling = TypeNameHandling.Auto +}); + +newStockholder = JsonConvert.DeserializeObject(jsonTypeNameAuto, new JsonSerializerSettings +{ + TypeNameHandling = TypeNameHandling.Objects +}); + +newStockholder = JsonConvert.DeserializeObject(jsonTypeNameAuto, new JsonSerializerSettings +{ + TypeNameHandling = TypeNameHandling.Arrays +}); + +newStockholder = JsonConvert.DeserializeObject(jsonTypeNameAuto, new JsonSerializerSettings +{ + TypeNameHandling = TypeNameHandling.All +}); \ No newline at end of file diff --git a/rules/default/security/attack_surface/tests/DS137038.test b/rules/default/security/attack_surface/tests/DS137038.test new file mode 100644 index 00000000..84d73102 --- /dev/null +++ b/rules/default/security/attack_surface/tests/DS137038.test @@ -0,0 +1,3 @@ +line: 1 +===== +res = Net::HTTP.get_response(uri) diff --git a/rules/default/security/control_flow/format_string.json b/rules/default/security/control_flow/format_string.json index ab10c952..9ca70cc2 100644 --- a/rules/default/security/control_flow/format_string.json +++ b/rules/default/security/control_flow/format_string.json @@ -22,7 +22,7 @@ "code" ], "_comment": "" - } + } ], "fix_its": [ { 
diff --git a/rules/default/security/control_flow/tests/DS104456.test b/rules/default/security/control_flow/tests/DS104456.test new file mode 100644 index 00000000..7596da6c --- /dev/null +++ b/rules/default/security/control_flow/tests/DS104456.test @@ -0,0 +1,3 @@ +line: 1 +==== +$IsWow64Process = GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate) diff --git a/rules/default/security/control_flow/tests/DS113286.TODO b/rules/default/security/control_flow/tests/DS113286.TODO new file mode 100644 index 00000000..2b026730 --- /dev/null +++ b/rules/default/security/control_flow/tests/DS113286.TODO @@ -0,0 +1,3 @@ +line: 1 +==== +NSString *string1 = [NSString stringWithFormat:@"A string: %@, a float: %1.2f", @"string", 31415.9265]; \ No newline at end of file diff --git a/rules/default/security/control_flow/tests/DS113853.test b/rules/default/security/control_flow/tests/DS113853.test new file mode 100644 index 00000000..a6d5ace8 --- /dev/null +++ b/rules/default/security/control_flow/tests/DS113853.test @@ -0,0 +1,3 @@ +line: 1 +==== +Set-ExecutionPolicy RemoteSigned \ No newline at end of file diff --git a/rules/default/security/control_flow/tests/DS165746.test b/rules/default/security/control_flow/tests/DS165746.test new file mode 100644 index 00000000..24cdb574 --- /dev/null +++ b/rules/default/security/control_flow/tests/DS165746.test @@ -0,0 +1,3 @@ +line: 1 +==== +NSString *title = [webView stringByEvaluatingJavaScriptFromString:@"document.title"]; \ No newline at end of file diff --git a/rules/default/security/cryptography/certificate.json b/rules/default/security/cryptography/certificate.json index 630faf45..72fb73a0 100644 --- a/rules/default/security/cryptography/certificate.json +++ b/rules/default/security/cryptography/certificate.json 
@@ -68,14 +68,6 @@ ], "_comment": "" }, - { - "pattern": "setValidatesSecureCertificate:\\s*NO", - "type": "regex", - "scopes": [ - "code" - ], - "_comment": "" - }, { "pattern": "validatesSecureCertificate\\s*=\\s*NO", "type": "regex", @@ -160,7 +152,7 @@ }, { "pattern": "disable_ssl_certificate_validation\\s*=\\s*True", - "type": "string", + "type": "regex", "scopes": [ "code" ], @@ -249,31 +241,31 @@ "rule_info": "DS114352.md", "patterns": [ { - "pattern": "certificateValidationMode=\"None\"", - "type": "string", + "pattern": "certificateValidationMode\\s*=\\s*\"None\"", + "type": "regex", "scopes": [ "code" ], "_comment": "" }, { - "pattern": "checkCertificateName=\"false\"", - "type": "string", + "pattern": "checkCertificateName\\s*=\\s*\"false\"", + "type": "regex", "scopes": [ "code" ], "_comment": "" }, { - "pattern": "checkCertificateRevocationList=\"false\"", - "type": "string", + "pattern": "checkCertificateRevocationList\\s*=\\s*\"false\"", + "type": "regex", "scopes": [ "code" ], "_comment": "" }, { - "pattern": "encryptionPolicy=\"(AllowNoEncryption|NoEncryption)", + "pattern": "encryptionPolicy\\s*=\\s*\"(AllowNoEncryption|NoEncryption)", "type": "regex", "scopes": [ "code" @@ -414,7 +406,7 @@ "rule_info": "DS114352.md", "patterns": [ { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\s*{\\s*return true;\\s*};", + "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*delegate\\s*{\\s*return true;\\s*};", "type": "regex", "scopes": [ "code" @@ -422,7 +414,7 @@ "_comment": "" }, { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*\\(?[^\\)]+\\)\\s*=>\\s*{\\s*return true;\\s*};", + "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*\\(?[^\\)]+\\)\\s*=>\\s*{\\s*return true;\\s*};", "type": "regex", "scopes": [ "code" 
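Review bot: Dropping `\\+?` from the three `ServerCertificateValidationCallback` patterns (the `@@ -414` and `@@ -422` hunks here and the `@@ -430` hunk on the next line) is a detection regression: the callback is a delegate property that is routinely attached with `+=`, e.g. `ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };`, and that form no longer matches although it disables validation just the same. If the optional plus was removed because the escaped `\\+` was being mangled in the generated `Resources/devskim-rules.json` copy, `\\s*\\+?=\\s*` is still a valid .NET regex and the generator is what needs fixing; the new DS126187.test only pins the `=` form, so a second line using `+=` would guard against this. The removal of `setValidatesSecureCertificate:\\s*NO` in the first hunk is only safe if it duplicated a pattern above the hunk, since the new DS181865.test still expects `setValidatesSecureCertificate: NO` to be reported on lines 1 and 4.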
@@ -430,7 +422,7 @@ "_comment": "" }, { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*\\(+[^\\)]+\\)\\s*=>\\s*true", + "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*\\(+[^\\)]+\\)\\s*=>\\s*true", "type": "regex", "scopes": [ "code" diff --git a/rules/default/security/cryptography/ciphers.json b/rules/default/security/cryptography/ciphers.json index 5f237ea8..c910af19 100644 --- a/rules/default/security/cryptography/ciphers.json +++ b/rules/default/security/cryptography/ciphers.json @@ -16,7 +16,7 @@ "patterns": [ { "pattern": "mcrypt", - "type": "string", + "type": "substring", "scopes": [ "code" ], diff --git a/rules/default/security/cryptography/general.json b/rules/default/security/cryptography/general.json index 8c0c4268..64391b3f 100644 --- a/rules/default/security/cryptography/general.json +++ b/rules/default/security/cryptography/general.json @@ -12,16 +12,16 @@ "rule_info": "DS101155.md", "patterns": [ { - "pattern": "encrypt=false", - "type": "string", + "pattern": "encrypt\\s*=\\s*false", + "type": "regex", "scopes": [ "code" ], "_comment": "" }, { - "pattern": "encryption=false", - "type": "string", + "pattern": "encryption\\s*=\\s*false", + "type": "regex", "scopes": [ "code" ], diff --git a/rules/default/security/cryptography/hash_algorithm.json b/rules/default/security/cryptography/hash_algorithm.json index f5a42bb5..8fc9d976 100644 --- a/rules/default/security/cryptography/hash_algorithm.json +++ b/rules/default/security/cryptography/hash_algorithm.json @@ -128,7 +128,7 @@ "rule_info": "DS128420.md", "patterns": [ { - "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)", "type": "regex", "scopes": [ "code" 
@@ -143,7 +143,7 @@ "_comment": "", "replacement": "hash('sha256'$2);", "pattern": { - "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)", "type": "regex", "scopes": [ "code" @@ -171,10 +171,13 @@ "name": "Do not use broken/weak cryptographic hash algorithms", "id": "DS108647", "description": "Avoid using broken or weak hash algorithms.", - "recommendation": "Use Digest::SHA256 or Digest::SHA512", + "recommendation": "Use Digest::SHA256 or Digest::SHA512", "applies_to": [ "ruby" ], + "overrides": [ + "DS126858" + ], "tags": [ "Cryptography.HashAlgorithm.BrokenOrWeak" ], @@ -352,6 +355,7 @@ "patterns": [ { "pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time", + "modifiers" : ["i"], "type": "regex", "scopes": [ "code" diff --git a/rules/default/security/cryptography/initialization_vector.json b/rules/default/security/cryptography/initialization_vector.json index d21bc5bf..b773baa9 100644 --- a/rules/default/security/cryptography/initialization_vector.json +++ b/rules/default/security/cryptography/initialization_vector.json @@ -4,6 +4,7 @@ "id": "DS188250", "description": "The mcrypt_encrypt function was used without an initialization vector.", "recommendation": "Add an initialization vector or consider a different cipher mode", + "overrides" : [ "DS175862" ], "applies_to": [ "php" ], @@ -45,6 +46,7 @@ "id": "DS128921", "description": "An initialization vector was created to a static size, rather than determining it based on the encryption algorithm used.", "recommendation": "Use mcrypt_get_iv_size to get the correct IV size based on the cipher and mode.", + "overrides" : [ "DS175862" ], "applies_to": [ "php" ], 
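Review bot: The fix-it pattern in the first hunk no longer consumes the trailing `\\s*;` (the detection pattern on the previous line was changed the same way), but the `replacement` on the context line above is still `hash('sha256'$2);` with a literal semicolon, so applying the fix to `$h = hash('md5', $s);` produces `$h = hash('sha256', $s);;`. The replacement should mirror exactly what the pattern matches: `"replacement": "hash('sha256'$2)"`. The enclosing fix_its entry starts before the hunk. Minor style in the other hunks on this line: `"modifiers" : ["i"]` and `"overrides" : [ "DS175862" ]` put a space before the colon, unlike every surrounding key.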
diff --git a/rules/default/security/cryptography/tests/DS101155.test b/rules/default/security/cryptography/tests/DS101155.test new file mode 100644 index 00000000..ed76c83a --- /dev/null +++ b/rules/default/security/cryptography/tests/DS101155.test @@ -0,0 +1,3 @@ +line: 1 +==== +encrypt=false diff --git a/rules/default/security/cryptography/tests/DS101159.test b/rules/default/security/cryptography/tests/DS101159.test new file mode 100644 index 00000000..7ce747ad --- /dev/null +++ b/rules/default/security/cryptography/tests/DS101159.test @@ -0,0 +1,3 @@ +line: 1 +==== +InitializeSecurityContext \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS101940.test b/rules/default/security/cryptography/tests/DS101940.test new file mode 100644 index 00000000..b47128ec --- /dev/null +++ b/rules/default/security/cryptography/tests/DS101940.test @@ -0,0 +1,5 @@ +line: 2 +===== + + + \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS106863.test b/rules/default/security/cryptography/tests/DS106863.test new file mode 100644 index 00000000..28b7e45e --- /dev/null +++ b/rules/default/security/cryptography/tests/DS106863.test @@ -0,0 +1,3 @@ +line: 1 +==== +DES(); diff --git a/rules/default/security/cryptography/tests/DS106865.TODO b/rules/default/security/cryptography/tests/DS106865.TODO new file mode 100644 index 00000000..e69de29b diff --git a/rules/default/security/cryptography/tests/DS106866.test b/rules/default/security/cryptography/tests/DS106866.test new file mode 100644 index 00000000..0844d6eb --- /dev/null +++ b/rules/default/security/cryptography/tests/DS106866.test @@ -0,0 +1,3 @@ +line: 1 +==== +cipher = new DESEngine(); \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS108647.test b/rules/default/security/cryptography/tests/DS108647.test new file mode 100644 index 00000000..c566972e --- /dev/null +++ b/rules/default/security/cryptography/tests/DS108647.test 
@@ -0,0 +1,3 @@ +line: 1 +===== +irb(main):002:0> Digest::MD5.hexdigest('foobar') \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS109501.test b/rules/default/security/cryptography/tests/DS109501.test index caf8f71d..179ccdc8 100644 --- a/rules/default/security/cryptography/tests/DS109501.test +++ b/rules/default/security/cryptography/tests/DS109501.test @@ -1,7 +1,13 @@ -line: 1 -=============================================== -using (var myTripleDES = new TripleDESCryptoServiceProvider()) +line: 5 +===== +static void Main() { - ... - -} + try + { + var tDESalg = new TripleDESCryptoServiceProvider(); + } + catch (Exception e) + { + Console.WriteLine(e.Message); + } +} \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS109733.test b/rules/default/security/cryptography/tests/DS109733.test new file mode 100644 index 00000000..8a5729c7 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS109733.test @@ -0,0 +1,3 @@ +line: 1 +===== +242070db diff --git a/rules/default/security/cryptography/tests/DS114352.test b/rules/default/security/cryptography/tests/DS114352.test new file mode 100644 index 00000000..8284b034 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS114352.test @@ -0,0 +1,5 @@ +line: 1 +line: 2 +======== +IntegrityCheck = optional +EncryptionEnabled = optional \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS125134.test b/rules/default/security/cryptography/tests/DS125134.test new file mode 100644 index 00000000..753358d6 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS125134.test @@ -0,0 +1,3 @@ +line: 1 +===== +export NODE_TLS_REJECT_UNAUTHORIZED = 0 \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS126185.test b/rules/default/security/cryptography/tests/DS126185.test new file mode 100644 index 00000000..8c0f2368 --- /dev/null 
+++ b/rules/default/security/cryptography/tests/DS126185.test @@ -0,0 +1,3 @@ +line: 1 +===== +::ServerCertificateValidationCallback={$true} \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS126186.test b/rules/default/security/cryptography/tests/DS126186.test index 250a1703..304865c5 100644 --- a/rules/default/security/cryptography/tests/DS126186.test +++ b/rules/default/security/cryptography/tests/DS126186.test @@ -1,4 +1,4 @@ line: 2 -=============================================== -requests.get('https://kennethreitz.com', - verify=False) \ No newline at end of file +====== +r = requests.get('https://github.com/timeline.json', + verify=False) diff --git a/rules/default/security/cryptography/tests/DS126187.test b/rules/default/security/cryptography/tests/DS126187.test new file mode 100644 index 00000000..a471296f --- /dev/null +++ b/rules/default/security/cryptography/tests/DS126187.test @@ -0,0 +1,3 @@ +line: 1 +=== +HttpWebRequest.ServerCertificateValidationCallback = delegate { return true; }; \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS126858.test b/rules/default/security/cryptography/tests/DS126858.test new file mode 100644 index 00000000..553703aa --- /dev/null +++ b/rules/default/security/cryptography/tests/DS126858.test @@ -0,0 +1,3 @@ +line: 1 +=== +MD5 hash = new Hash(); diff --git a/rules/default/security/cryptography/tests/DS127101.test b/rules/default/security/cryptography/tests/DS127101.test new file mode 100644 index 00000000..2347d9ad --- /dev/null +++ b/rules/default/security/cryptography/tests/DS127101.test @@ -0,0 +1,4 @@ +line: 2 +===== +#define SECPKG_ATTR_SUPPORTED_PROTOCOLS 0x58 +returns SecPkgCred_SupportedProtocols \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS128420.test b/rules/default/security/cryptography/tests/DS128420.test new file mode 100644 index 00000000..3f8a066b --- /dev/null 
+++ b/rules/default/security/cryptography/tests/DS128420.test @@ -0,0 +1,5 @@ +line: 2 +==== + diff --git a/rules/default/security/cryptography/tests/DS128921.test b/rules/default/security/cryptography/tests/DS128921.test new file mode 100644 index 00000000..fb52d04b --- /dev/null +++ b/rules/default/security/cryptography/tests/DS128921.test @@ -0,0 +1,3 @@ +line: 1 +===== +$iv = mcrypt_create_iv(5000, MCRYPT_RAND); \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS130821.test b/rules/default/security/cryptography/tests/DS130821.test deleted file mode 100644 index 3491cbf7..00000000 --- a/rules/default/security/cryptography/tests/DS130821.test +++ /dev/null @@ -1,2 +0,0 @@ -requests.get('https://kennethreitz.com', - verify=False) \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS130822.test b/rules/default/security/cryptography/tests/DS130822.test new file mode 100644 index 00000000..65d85f87 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS130822.test @@ -0,0 +1,7 @@ +line: 2 +line: 4 +=== +context.verify_mode = ssl.CERT_REQUIRED +context.check_hostname = False + +disable_ssl_certificate_validation = True \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS134411.test b/rules/default/security/cryptography/tests/DS134411.test deleted file mode 100644 index 52b45b7b..00000000 --- a/rules/default/security/cryptography/tests/DS134411.test +++ /dev/null 
@@ -1,16 +0,0 @@ -line: 2 -line: 3 -line: 4 -line: 5 -line: 6 -line: 7 -line: 8 -=============================================== -HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter(); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Expired); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.IncompleteChain); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.WrongUsage); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.InvalidName); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationInformationMissing); -filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationFailure); \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS144436.test b/rules/default/security/cryptography/tests/DS144436.test new file mode 100644 index 00000000..a3ddaa5c --- /dev/null +++ b/rules/default/security/cryptography/tests/DS144436.test @@ -0,0 +1,4 @@ +line: 2 +====== +ServicePointManager.Expect100Continue = true; +ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls; \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS148264.test b/rules/default/security/cryptography/tests/DS148264.test index 105c7d75..d51c3d09 100644 --- a/rules/default/security/cryptography/tests/DS148264.test +++ b/rules/default/security/cryptography/tests/DS148264.test @@ -3,4 +3,4 @@ line: 3 =============================================== # $sha1->add($$ , time() , rand(time) ); -$md5->add($$ , time() , rand(time) ); \ No newline at end of file +$md5->add($$ , 500 , rand(500) ); \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS149435.test b/rules/default/security/cryptography/tests/DS149435.test new file mode 100644 index 00000000..d936ee97 --- /dev/null 
+++ b/rules/default/security/cryptography/tests/DS149435.test @@ -0,0 +1,3 @@ +line: 1 +===== +srand(time(NULL)) \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS152094.test b/rules/default/security/cryptography/tests/DS152094.test new file mode 100644 index 00000000..0913a1e3 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS152094.test @@ -0,0 +1,4 @@ +line: 2 +===== +if (sInsecureFactory == null) { + sInsecureFactory = SSLCertificateSocketFactory.getInsecure(0, null); \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS159369.test b/rules/default/security/cryptography/tests/DS159369.test index c0f832cc..4b634877 100644 --- a/rules/default/security/cryptography/tests/DS159369.test +++ b/rules/default/security/cryptography/tests/DS159369.test @@ -1,3 +1,12 @@ -line: 1 -=============================================== -SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE \ No newline at end of file +line: 6 +==== +CHttpFile * mp_file; +DWORD old; +DWORD ss=sizeof(old); +if(InternetQueryOption(*mp_file,INTERNET_OPTION_SECURITY_FLAGS ,&old,&ss)) +{ + old|=SECURITY_FLAG_IGNORE_CERT_DATE_INVALID; + ss=sizeof(old); + if(InternetSetOption(*mp_file,INTERNET_OPTION_SECURITY_FLAGS ,&old,ss)) + ss=0; +} \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS168931.test b/rules/default/security/cryptography/tests/DS168931.test new file mode 100644 index 00000000..31882586 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS168931.test @@ -0,0 +1,3 @@ +line: 1 +====== +var hash = new MD5CryptoServiceProvider(); \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS169125.test b/rules/default/security/cryptography/tests/DS169125.test new file mode 100644 index 00000000..057acc20 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS169125.test 
@@ -0,0 +1,9 @@ +line: 1 expect DS169125,DS169126 +line: 2 expect DS169125,DS169126 +line: 3 expect DS169125,DS169126 +line: 4 expect DS169126 +==== +SSLv3 +TLSv1 +TLSv10 +SSLv2_client diff --git a/rules/default/security/cryptography/tests/DS169127.test b/rules/default/security/cryptography/tests/DS169127.test index 0fc83aee..f8dec458 100644 --- a/rules/default/security/cryptography/tests/DS169127.test +++ b/rules/default/security/cryptography/tests/DS169127.test @@ -8,14 +8,10 @@ line: 7 line: 8 line: 9 line: 10 -line: 12 -line: 13 -line: 14 -line: 15 -line: 17 expect DS169125 -line: 18 expect DS169125 -line: 19 expect DS169125 -line: 21 expect DS101159 +line: 12 expect DS169125 +line: 13 expect DS169125 +line: 14 expect DS169125 +line: 16 expect DS101159 =============================================== SP_PROT_PCT1_CLIENT SP_PROT_PCT1_SERVER @@ -28,11 +24,6 @@ SP_PROT_TLS1_SERVER SP_PROT_TLS1_0_CLIENT SP_PROT_TLS1_0_SERVER -SP_PROT_TLS_1_1_CLIENT -SP_PROT_TLS_1_1_SERVER -SP_PROT_TLS_1_2_CLIENT -SP_PROT_TLS_1_2_SERVER - TLS1 SSL2 SSL3 diff --git a/rules/default/security/cryptography/tests/DS169128.test b/rules/default/security/cryptography/tests/DS169128.test new file mode 100644 index 00000000..ae18fa7e --- /dev/null +++ b/rules/default/security/cryptography/tests/DS169128.test @@ -0,0 +1,4 @@ +line: 2 +====== +if protocol is None: + protocol = ssl.PROTOCOL_SSLv2 \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS175862.test b/rules/default/security/cryptography/tests/DS175862.test new file mode 100644 index 00000000..8d617a99 --- /dev/null +++ b/rules/default/security/cryptography/tests/DS175862.test @@ -0,0 +1,4 @@ +line: 1 +==== +$size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); + diff --git a/rules/default/security/cryptography/tests/DS176603.test b/rules/default/security/cryptography/tests/DS176603.test new file mode 100644 index 00000000..8e44dd14 --- /dev/null 
+++ b/rules/default/security/cryptography/tests/DS176603.test @@ -0,0 +1,4 @@ +line: 2 +==== +http.use_ssl = true +http.verify_mode = OpenSSL::SSL::VERIFY_NONE \ No newline at end of file diff --git a/rules/default/security/cryptography/tests/DS181865.test b/rules/default/security/cryptography/tests/DS181865.test new file mode 100644 index 00000000..52e7006e --- /dev/null +++ b/rules/default/security/cryptography/tests/DS181865.test @@ -0,0 +1,17 @@ +line: 1 +line: 2 +line: 3 +line: 4 +line: 5 +line: 6 +line: 7 +line: 8 +==== +setValidatesSecureCertificate: NO +setAllowsAnyHTTPSCertificate: YES +allowsAnyHTTPSCertificate = YES +setValidatesSecureCertificate: NO +validatesSecureCertificate = NO +continueWithoutCredentialForAuthenticationChallenge = true +kCFStreamSSLAllowsExpiredCertificates +kCFStreamPropertySSLSettings diff --git a/rules/default/security/cryptography/tests/DS182720.test b/rules/default/security/cryptography/tests/DS182720.test index 699d03c7..ccbd1a2c 100644 --- a/rules/default/security/cryptography/tests/DS182720.test +++ b/rules/default/security/cryptography/tests/DS182720.test @@ -1,4 +1,5 @@ line: 3 +line: 3 expect DS175862 =============================================== - + - diff --git a/rules/default/security/vulnerable_libraries/tests/DS378901.test b/rules/default/security/vulnerable_libraries/tests/DS300005.test similarity index 100% rename from rules/default/security/vulnerable_libraries/tests/DS378901.test rename to rules/default/security/vulnerable_libraries/tests/DS300005.test diff --git a/rules/default/security/vulnerable_libraries/tests/DS378900.test b/rules/default/security/vulnerable_libraries/tests/DS378900.test deleted file mode 100644 index 08d680ed..00000000 --- a/rules/default/security/vulnerable_libraries/tests/DS378900.test +++ /dev/null @@ -1,11 +0,0 @@ -line: 2 -=============================================== - - - - - - - - - \ No newline at end of file 
diff --git a/rules/default/security/xml/tests/DS132780.test b/rules/default/security/xml/tests/DS132780.test
new file mode 100644
index 00000000..a8ede4ad
--- /dev/null
+++ b/rules/default/security/xml/tests/DS132780.test
@@ -0,0 +1,3 @@
+line: 1
+======
+shouldResolveExternalEntities=TRUE
\ No newline at end of file
diff --git a/rules/default/security/xml/tests/DS132790.test b/rules/default/security/xml/tests/DS132790.test
new file mode 100644
index 00000000..47a72464
--- /dev/null
+++ b/rules/default/security/xml/tests/DS132790.test
@@ -0,0 +1,3 @@
+line: 1
+=========
+setShouldResolveExternalEntities: YES
\ No newline at end of file
diff --git a/src/Microsoft.DevSkim/.gitignore b/src/Microsoft.DevSkim/.gitignore
index 5d5a951e..c4eb3986 100644
--- a/src/Microsoft.DevSkim/.gitignore
+++ b/src/Microsoft.DevSkim/.gitignore
@@ -8,6 +8,8 @@ Microsoft.DevSkim.Tests/bin
 Microsoft.DevSkim.Tests/obj
 Microsoft.DevSkim.CLI/bin
 Microsoft.DevSkim.CLI/obj
+Microsoft.DevSkim.CLI.Tests/bin
+Microsoft.DevSkim.CLI.Tests/obj
 TestResults
 packages
 .vs/
diff --git a/src/Microsoft.DevSkim/.vscode/tasks.json b/src/Microsoft.DevSkim/.vscode/tasks.json
index b8739f57..a914fef1 100644
--- a/src/Microsoft.DevSkim/.vscode/tasks.json
+++ b/src/Microsoft.DevSkim/.vscode/tasks.json
@@ -4,7 +4,7 @@
 "version": "2.0.0",
 "tasks": [
 {
- "taskName": "build",
+ "label": "build",
 "command": "dotnet build",
 "type": "shell",
 "group": "build",
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI.Tests/AnalyzeTest.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI.Tests/AnalyzeTest.cs
new file mode 100644
index 00000000..4c97e7fe
--- /dev/null
+++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI.Tests/AnalyzeTest.cs
@@ -0,0 +1,13 @@
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.DevSkim.CLI.Tests
+{
+ [TestClass]
+ public class UnitTest1
+ {
+ [TestMethod]
+ public void TestMethod1()
+ {
+ }
+ }
+}
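Review bot: `AnalyzeTest.cs` adds an empty `TestMethod1` inside a class still named `UnitTest1` — the project-template names — so the new test project exercises nothing and reports a passing test. Either rename the class to `AnalyzeTest` to match the file and give the method an assertion against `AnalyzeCommand`, or hold the file back until there is a real test, since an always-green placeholder hides the absence of coverage.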
diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI.Tests/Microsoft.DevSkim.CLI.Tests.csproj b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI.Tests/Microsoft.DevSkim.CLI.Tests.csproj new file mode 100644 index 00000000..49d0f15f --- /dev/null +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI.Tests/Microsoft.DevSkim.CLI.Tests.csproj @@ -0,0 +1,15 @@ + + + + netcoreapp2.0 + + false + + + + + + + + + diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/AnalyzeCommand.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/AnalyzeCommand.cs index 2067745e..5b54c5cc 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/AnalyzeCommand.cs +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/AnalyzeCommand.cs @@ -136,10 +136,12 @@ public int Run() } } } - - Writer outputWriter = WriterFactory.GetWriter(_fileFormat, _outputFormat); + + Writer outputWriter = WriterFactory.GetWriter(_fileFormat, + (string.IsNullOrEmpty(_outputFile)) ? null : "text", + _outputFormat); if (string.IsNullOrEmpty(_outputFile)) - outputWriter.TextWriter= Console.Out; + outputWriter.TextWriter = Console.Out; else outputWriter.TextWriter = File.CreateText(_outputFile); diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/TestCommand.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/TestCommand.cs index 1f6046c4..5d68be08 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/TestCommand.cs +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Commands/TestCommand.cs 
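Review bot: The new middle argument to `WriterFactory.GetWriter`, `(string.IsNullOrEmpty(_outputFile)) ? null : "text"`, is not self-explanatory: passing `"text"` only when an output file is set reads as if the file format were being forced while the console path gets `null`, and `WriterFactory` is not in this diff so the intent cannot be confirmed from here. A comment on the call naming what that parameter is, e.g. `// fallback writer name used when _fileFormat is unset` if that is its role, would keep the next reader from "fixing" it. The rest of `Run()` lies outside the hunk, including whatever disposes the writer returned by `File.CreateText(_outputFile)`.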
@@ -17,14 +17,20 @@ public static void Configure(CommandLineApplication command) var locationArgument = command.Argument("[path]", "Path to rules"); + var coverageOption = command.Option("-c|--coverage", + "Test coverage information", + CommandOptionType.NoValue); + command.OnExecute(() => { - return (new TestCommand(locationArgument.Value)).Run(); + return (new TestCommand(locationArgument.Value, + coverageOption.HasValue())).Run(); }); } - public TestCommand(string path) + public TestCommand(string path, bool coverage) { _path = path; + _coverage = coverage; } public int Run() @@ -40,11 +46,11 @@ public int Run() return (int)ExitCode.IssuesExists; Tester tester = new Tester(verifier.CompiledRuleset); - tester.Run(_path); - - return (int)ExitCode.NoIssues; + tester.DoCoverage = _coverage; + return tester.Run(_path); } private string _path; + private bool _coverage; } } \ No newline at end of file diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj index 71938b4b..45990af8 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj @@ -9,7 +9,7 @@ Microsoft.DevSkim.CLI Microsoft DevSkim Command Line Interface - 0.1.7 + 0.1.8 Microsoft Microsoft (c) Microsoft Corporation. All rights reserved diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json index bda0a0ce..ebac2f2f 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Properties/launchSettings.json 
@@ -2,7 +2,7 @@ "profiles": { "Microsoft.DevSkim.CLI": { "commandName": "Project", - "commandLineArgs": "test d:\\projects\\DevSkim\\rules" + "commandLineArgs": "test d:\\A\\rules -c" } } } \ No newline at end of file diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json index c1aae104..1900782c 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Resources/devskim-rules.json @@ -386,7 +386,7 @@ "rule_info": "DS425000.md", "patterns": [ { - "pattern": "\\.readObject\\\\\\(", + "pattern": "\\.readObject\\(", "type": "regex", "modifiers": null, "scopes": [ @@ -415,7 +415,7 @@ "rule_info": "DS425000.md", "patterns": [ { - "pattern": "\\bunserialize\\\\\\(\\b", + "pattern": "unserialize\\(", "type": "regex", "modifiers": null, "scopes": [ @@ -451,6 +451,15 @@ "code", "code" ] + }, + { + "pattern": "(YAML|Syck|Marshal)::load", + "type": "regex", + "modifiers": null, + "scopes": [ + "code", + "code" + ] } ], "conditions": [], @@ -1142,15 +1151,6 @@ "code" ] }, - { - "pattern": "setValidatesSecureCertificate:\\s*NO", - "type": "regex", - "modifiers": null, - "scopes": [ - "code", - "code" - ] - }, { "pattern": "validatesSecureCertificate\\s*=\\s*NO", "type": "regex", @@ -1246,7 +1246,7 @@ ] }, { - "pattern": "\\bdisable_ssl_certificate_validation\\\\s\\*=\\\\s\\*True\\b", + "pattern": "disable_ssl_certificate_validation\\s*=\\s*True", "type": "regex", "modifiers": null, "scopes": [ @@ -1349,7 +1349,7 @@ "rule_info": "DS114352.md", "patterns": [ { - "pattern": "\\bcertificateValidationMode=\"None\"\\b", + "pattern": "certificateValidationMode\\s*=\\s*\"None\"", "type": "regex", "modifiers": null, "scopes": [ 
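Review bot: The new Ruby pattern `(YAML|Syck|Marshal)::load` in the hunk at old line 451 only matches the scope-resolution spelling, so the more common method-call form `YAML.load(data)` / `Marshal.load(data)` goes undetected by DS425000. Accepting either separator, `(YAML|Syck|Marshal)(::|\\.)load`, keeps every current match (including `load_file`, which is equally unsafe on untrusted input) and closes the gap. If this resource file is generated from the rules directory, the change belongs at the source so the two copies do not drift.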
@@ -1358,7 +1358,7 @@ ] }, { - "pattern": "\\bcheckCertificateName=\"false\"\\b", + "pattern": "checkCertificateName\\s*=\\s*\"false\"", "type": "regex", "modifiers": null, "scopes": [ @@ -1367,7 +1367,7 @@ ] }, { - "pattern": "\\bcheckCertificateRevocationList=\"false\"\\b", + "pattern": "checkCertificateRevocationList\\s*=\\s*\"false\"", "type": "regex", "modifiers": null, "scopes": [ @@ -1376,7 +1376,7 @@ ] }, { - "pattern": "encryptionPolicy=\"(AllowNoEncryption|NoEncryption)", + "pattern": "encryptionPolicy\\s*=\\s*\"(AllowNoEncryption|NoEncryption)", "type": "regex", "modifiers": null, "scopes": [ @@ -1535,7 +1535,7 @@ "rule_info": "DS114352.md", "patterns": [ { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\s*{\\s*return true;\\s*};", + "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*delegate\\s*{\\s*return true;\\s*};", "type": "regex", "modifiers": null, "scopes": [ @@ -1544,7 +1544,7 @@ ] }, { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*\\(?[^\\)]+\\)\\s*=>\\s*{\\s*return true;\\s*};", + "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*\\(?[^\\)]+\\)\\s*=>\\s*{\\s*return true;\\s*};", "type": "regex", "modifiers": null, "scopes": [ @@ -1553,7 +1553,7 @@ ] }, { - "pattern": "\\.ServerCertificateValidationCallback\\s*\\+?=\\s*\\(+[^\\)]+\\)\\s*=>\\s*true", + "pattern": "\\.ServerCertificateValidationCallback\\s*=\\s*\\(+[^\\)]+\\)\\s*=>\\s*true", "type": "regex", "modifiers": null, "scopes": [ @@ -1609,7 +1609,7 @@ "rule_info": "DS175862.md", "patterns": [ { - "pattern": "\\bmcrypt\\b", + "pattern": "mcrypt", "type": "regex", "modifiers": null, "scopes": [ @@ -1900,7 +1900,7 @@ "rule_info": "DS101155.md", "patterns": [ { - "pattern": "\\bencrypt=false\\b", + "pattern": "encrypt\\s*=\\s*false", "type": "regex", "modifiers": null, "scopes": [ 
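Review bot: Dropping `\\+?` from the three ServerCertificateValidationCallback patterns (hunks at old lines 1535, 1544 and 1553) means the event-style assignment `ServicePointManager.ServerCertificateValidationCallback += (s, c, ch, e) => true;` no longer matches, and that is the idiom most commonly used to switch certificate validation off in .NET. Nothing in the hunk suggests the optional plus was breaking the regex, so restore it: `\\.ServerCertificateValidationCallback\\s*\\+?=\\s*delegate\\s*{\\s*return true;\\s*};` and likewise for the two lambda forms. If dropping the `+=` form is intentional, add a .test case for DS114352 that pins the `=` form only, so the narrowed coverage is visible rather than silent.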
@@ -1909,7 +1909,7 @@ ] }, { - "pattern": "\\bencryption=false\\b", + "pattern": "encryption\\s*=\\s*false", "type": "regex", "modifiers": null, "scopes": [ @@ -2103,7 +2103,7 @@ "rule_info": "DS128420.md", "patterns": [ { - "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)", "type": "regex", "modifiers": null, "scopes": [ @@ -2118,7 +2118,7 @@ "name": "Change to SHA-256", "type": "regex-replace", "pattern": { - "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)\\s*;", + "pattern": "hash\\s*\\(\\s*[\\'\\\"](md2|md4|md5|sha1|sha224|ripemd128|ripemd160|ripemd256|ripemd320)[\\'\\\"](.*)\\)", "type": "regex", "modifiers": null, "scopes": [ @@ -2147,7 +2147,9 @@ { "id": "DS108647", "name": "Do not use broken/weak cryptographic hash algorithms", - "overrides": null, + "overrides": [ + "DS126858" + ], "schema_version": 0, "tags": [ "Cryptography.HashAlgorithm.BrokenOrWeak" @@ -2339,7 +2341,9 @@ { "pattern": "(MD4|MD5|(SHA(1|224|256|384|512))).*Time", "type": "regex", - "modifiers": null, + "modifiers": [ + "i" + ], "scopes": [ "code", "code" @@ -2352,7 +2356,9 @@ { "id": "DS188250", "name": "Missing initialization vector", - "overrides": null, + "overrides": [ + "DS175862" + ], "schema_version": 0, "tags": [ "Cryptography.Symmetric.InitializationVector.Missing" @@ -2396,7 +2402,9 @@ { "id": "DS128921", "name": "Hardcoded initialization vector size", - "overrides": null, + "overrides": [ + "DS175862" + ], "schema_version": 0, "tags": [ "Cryptography.Symmetric.InitializationVector.HardcodedSize" 
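Review bot: Adding the `i` modifier to `(MD4|MD5|(SHA(1|224|256|384|512))).*Time` also makes the trailing `Time` case-insensitive, so any line that mentions `sha256` and later `timeout`, `timestamp` or `runtime` now fires — the rule id and intent are outside this hunk, but that is a much wider net than case-folding the algorithm names. If only the names need to be case-insensitive, scope the flag, `(?i:MD4|MD5|SHA(1|224|256|384|512)).*Time`, or anchor the suffix with `\\bTime`; if the broadening is intended, a .test case with a lowercase algorithm name would pin it.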
@@ -3370,7 +3378,7 @@ "rule_info": "DS163877.md", "patterns": [ { - "pattern": "\\becho.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\]).*;", + "pattern": "\\becho.*(\\$_(POST|GET|REQUEST|COOKIE)\\[.*\\])", "type": "regex", "modifiers": null, "scopes": [ @@ -3630,7 +3638,7 @@ "rule_info": "DS173237.md", "patterns": [ { - "pattern": "[a-f0-9]{30,}", + "pattern": "[\"'][a-f0-9]{30,}[\"']", "type": "regex", "modifiers": null, "scopes": [ @@ -3935,35 +3943,6 @@ "conditions": [], "fix_its": null }, - { - "id": "DS300004", - "name": "Vulnerable NuGet Library", - "overrides": null, - "schema_version": 0, - "tags": [ - "Vulerable-Dependency.Library.NuGet" - ], - "applies_to": [ - "packages.config" - ], - "severity": "moderate", - "description": "Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service", - "recommendation": "Upgrade this package to a later, unaffected version.", - "rule_info": "4010983", - "patterns": [ - { - "pattern": " missingTest = new List(); + + foreach (Rule r in _rules) + { + if (!_coverageList.Contains(r.Id)) + missingTest.Add(r.Id); + } + + if (missingTest.Count > 0) + { + foreach (string id in missingTest) + { + Console.Error.WriteLine("{0} test is missing", id); + } + + result = (int)ExitCode.IssuesExists; + } + + float percentage = 100 - ((_rules.Count() / (float)100) * missingTest.Count); + Console.Error.WriteLine("\nCoverage: {0:00.00}%", percentage); + } + Console.Error.WriteLine("Tests: {0}", totalFiles); Console.Error.WriteLine("Failed: {0}", failedFiles); + + if (failedFiles > 0) + result = (int)ExitCode.NoIssues; + + return result; } private bool TestFile(string fileName) 
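Review bot: The tightened DS173237 pattern `[\"'][a-f0-9]{30,}[\"']` now requires a quote on both sides and, with `modifiers` still null, stays case-sensitive, so an uppercase hex token such as `"A3F9..."` and an unquoted value in a properties or .env line (`API_KEY=5f3a...`) both escape it, leaving only the quoted lowercase case covered. If the quotes are meant to cut down on hashes in comments and URLs, at least widen the class to `[a-fA-F0-9]` (or add the `i` modifier) and add a .test case with an uppercase token; the unquoted config form would need a separate, file-type-scoped pattern rather than a looser regex.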
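Review bot: `if (failedFiles > 0) result = (int)ExitCode.NoIssues;` at the end of the new coverage block in Tester.Run inverts the exit status: a run with failing rule tests reports success, and it also overwrites the IssuesExists set just above for missing tests, so a CI gate on `devskim test` would pass on a broken ruleset. It should read `if (failedFiles > 0) result = (int)ExitCode.IssuesExists;`. The coverage figure is off as well: `100 - ((_rules.Count() / (float)100) * missingTest.Count)` multiplies by the rule count instead of dividing by it (200 rules with 50 untested prints 0% rather than 75%); `float percentage = _rules.Count() == 0 ? 100f : 100f - 100f * missingTest.Count / _rules.Count();` gives the ratio and avoids NaN on an empty ruleset. The hunk header and the start of Run are not visible on this page, and nothing shown assigns `_rules`, so confirm the constructor sets it before the coverage pass runs.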
@@ -65,8 +95,10 @@ private bool TestFile(string fileName) foreach (Issue issue in issues) { + AddToCoverageList(issue.Rule.Id); + // if issue on this line was expected remove it from expecations - int line = issue.StartLocation.Line; + int line = issue.StartLocation.Line; if (expecations.ContainsKey(line) && expecations[line].Contains(issue.Rule.Id)) { expecations[line].Remove(issue.Rule.Id); @@ -161,7 +193,16 @@ private Dictionary> GetExpectations(string header, string defa return result; } - + + private void AddToCoverageList(string id) + { + if (!_coverageList.Contains(id)) + _coverageList.Add(id); + } + + public bool DoCoverage { get; set; } + private RuleSet _rules; + private List _coverageList = new List(); } } diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/SimpleTextWriter.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/SimpleTextWriter.cs index eebb2fd1..5859b549 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/SimpleTextWriter.cs +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/SimpleTextWriter.cs @@ -22,7 +22,7 @@ public class SimpleTextWriter : Writer public SimpleTextWriter(string formatString) { if (string.IsNullOrEmpty(formatString)) - _formatString = "%F:%L:%C [%S] %R %N"; + _formatString = "%F:%L:%C:%l:%c [%S] %R %N"; else _formatString = formatString; } diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/WriterFactory.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/WriterFactory.cs index 44e64cea..4e7b1de6 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/WriterFactory.cs +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.CLI/Writers/WriterFactory.cs 
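Review bot: `_coverageList` is declared as a List and `AddToCoverageList` does a linear `Contains` before every `Add`, once per issue per test file; a `HashSet<string>` states the intent (the set of rule ids seen) directly, reduces `AddToCoverageList` to `_coverageList.Add(id);` with no scan, and keeps the later `!_coverageList.Contains(r.Id)` check valid. The generic argument is missing from the declaration as rendered on this page, so check the actual file. A short comment on `DoCoverage`, e.g. `// When true, Run() also reports rules with no .test file and returns IssuesExists for them`, would document its effect on the exit code.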
@@ -7,8 +7,11 @@ namespace Microsoft.DevSkim.CLI.Writers { public class WriterFactory { - public static Writer GetWriter(string writerName, string format = null) + public static Writer GetWriter(string writerName, string defaultWritter, string format = null) { + if (string.IsNullOrEmpty(writerName)) + writerName = defaultWritter; + if (string.IsNullOrEmpty(writerName)) writerName = "_dummy"; diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim.sln b/src/Microsoft.DevSkim/Microsoft.DevSkim.sln index abf922b6..45399b1a 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim.sln +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim.sln @@ -8,6 +8,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DevSkim.CLI", "Mi EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DevSkim.Tests", "Microsoft.DevSkim.Tests\Microsoft.DevSkim.Tests.csproj", "{1381D892-227E-41F1-9410-5B1C29C367D6}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.DevSkim.CLI.Tests", "Microsoft.DevSkim.CLI.Tests\Microsoft.DevSkim.CLI.Tests.csproj", "{4B18F528-528F-4884-9059-B27A77CBE30D}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
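Review bot: The new parameter is misspelled `defaultWritter` and undocumented; since this is a public static method that AnalyzeCommand now calls positionally, rename it to `defaultWriter` before callers start naming it and add `/// <param name="defaultWriter">Writer name used when <paramref name="writerName"/> is empty; if both are empty the "_dummy" writer is returned.</param>`. The two null-or-empty checks fall through in order, so an empty default silently selects the dummy writer — worth stating in the summary, because AnalyzeCommand passes null as the default for console output.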
@@ -54,6 +56,18 @@ Global {1381D892-227E-41F1-9410-5B1C29C367D6}.Release|x64.Build.0 = Release|Any CPU {1381D892-227E-41F1-9410-5B1C29C367D6}.Release|x86.ActiveCfg = Release|Any CPU {1381D892-227E-41F1-9410-5B1C29C367D6}.Release|x86.Build.0 = Release|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Debug|x64.ActiveCfg = Debug|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Debug|x64.Build.0 = Debug|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Debug|x86.ActiveCfg = Debug|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Debug|x86.Build.0 = Debug|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Release|Any CPU.Build.0 = Release|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Release|x64.ActiveCfg = Release|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Release|x64.Build.0 = Release|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Release|x86.ActiveCfg = Release|Any CPU + {4B18F528-528F-4884-9059-B27A77CBE30D}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim/Microsoft.DevSkim.csproj b/src/Microsoft.DevSkim/Microsoft.DevSkim/Microsoft.DevSkim.csproj index 88b003df..242d5c55 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim/Microsoft.DevSkim.csproj +++ b/src/Microsoft.DevSkim/Microsoft.DevSkim/Microsoft.DevSkim.csproj @@ -3,7 +3,7 @@ netstandard2.0;net45 Microsoft.DevSkim - 0.3.6 + 0.3.7 Microsoft Security Linter false diff --git a/src/Microsoft.DevSkim/Microsoft.DevSkim/RuleProcessor.cs b/src/Microsoft.DevSkim/Microsoft.DevSkim/RuleProcessor.cs index 667b903a..b478c2bf 100644 --- a/src/Microsoft.DevSkim/Microsoft.DevSkim/RuleProcessor.cs 
+++ b/src/Microsoft.DevSkim/Microsoft.DevSkim/RuleProcessor.cs
@@ -193,7 +193,8 @@ public Issue[] Analyze(string text, string[] languages)
 // Find all overriden rules and mark them for removal from issues list
 foreach(Issue om in resultsList.FindAll(x => x.Rule.Id == ovrd))
 {
- if (m.Boundary.Index == om.Boundary.Index)
+ if (om.Boundary.Index >= m.Boundary.Index &&
+ om.Boundary.Index <= m.Boundary.Index + m.Boundary.Length )
 removes.Add(om);
 }
 }
diff --git a/src/scripts/debpackage/DEBIAN/control b/src/scripts/debpackage/DEBIAN/control
new file mode 100644
index 00000000..277e4939
--- /dev/null
+++ b/src/scripts/debpackage/DEBIAN/control
@@ -0,0 +1,9 @@
+Package: devskim
+Version: 0.1.7
+Section: devel
+Depends: libunwind8
+Priority: optional
+Architecture: amd64
+Maintainer: Microsoft Corporation
+Description: DevSkim security linter
+
diff --git a/src/scripts/debpackage/DEBIAN/postinst b/src/scripts/debpackage/DEBIAN/postinst
new file mode 100755
index 00000000..2cc90cc2
--- /dev/null
+++ b/src/scripts/debpackage/DEBIAN/postinst
@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+
+# Symlink bin command to /usr/bin
+rm -f /usr/bin/devskim
+ln -s /usr/share/devskim/bin/devskim /usr/bin/devskim
+
diff --git a/src/scripts/debpackage/DEBIAN/postrm b/src/scripts/debpackage/DEBIAN/postrm
new file mode 100755
index 00000000..05ce8a77
--- /dev/null
+++ b/src/scripts/debpackage/DEBIAN/postrm
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+
+rm -f /usr/bin/devskim
diff --git a/src/scripts/debpackage/usr/share/devskim/License.txt b/src/scripts/debpackage/usr/share/devskim/License.txt
new file mode 100644
index 00000000..61bf7e01
--- /dev/null
+++ b/src/scripts/debpackage/usr/share/devskim/License.txt
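Review bot: The new upper bound `om.Boundary.Index <= m.Boundary.Index + m.Boundary.Length` is inclusive, and if `Boundary.Length` is the match length then `Index + Length` is the first character after the overriding match, so an overridden issue that starts immediately after it (adjacent, not overlapping) is discarded as well. `<` is the overlap test; keep `<=` only if Length is known to be an inclusive end offset, and in that case add a comment saying so, otherwise the next reader will "fix" it. The enclosing loop over the rule's overrides begins before this hunk.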
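Review bot: `Version: 0.1.7` in the new DEBIAN/control disagrees with the CLI project, which this same change bumps to 0.1.8, so the first .deb built from it carries a stale version that dpkg will rank below or equal to an earlier artifact. Set `Version: 0.1.8` now and, better, have the packaging script stamp the field from the csproj so the two cannot drift again. `Depends: libunwind8` on its own looks thin for a .NET Core binary (libssl and libicu are commonly required as well), but that depends on how the build publishes, so verify the package on a clean image before relying on it.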
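Review bot: Neither maintainer script (postinst, and the postrm hunk that follows it) enables `set -e`, which Debian policy requires so that a failing `ln -s` aborts the configure step with an error instead of leaving the package "installed" without /usr/bin/devskim; add `set -e` directly after the shebang in both. postrm is also run for `upgrade`, where its unconditional `rm -f` deletes the symlink the new package's postinst is about to recreate; that is harmless but unnecessary, and `if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then rm -f /usr/bin/devskim; fi` limits it to real removals.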
@@ -0,0 +1,17 @@
+Copyright (c) 2016 Microsoft Corporation
+
+All rights reserved.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
+is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT
+OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/src/scripts/debpackage/usr/share/devskim/bin/devskim b/src/scripts/debpackage/usr/share/devskim/bin/devskim
new file mode 100755
index 00000000..0477a920
--- /dev/null
+++ b/src/scripts/debpackage/usr/share/devskim/bin/devskim
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+
+
+if [ ! -L $0 ]; then
+ # if path is not a symlink, find relatively
+ DEVSKIM_PATH="$(dirname $0)/.."
+else
+ if which readlink >/dev/null; then
+ # if readlink exists, follow the symlink and find relatively
+ DEVSKIM_PATH="$(dirname $(readlink -f $0))/.."
+ else
+ # else use the standard install location
+ DEVSKIM_PATH=/usr/share/devskim
+ fi
+fi
+
+exec $DEVSKIM_PATH/lib/devskim "$@"
+exit $?
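Review bot: `$0` and `$DEVSKIM_PATH` are expanded unquoted in the `-L` test, in both `dirname` calls and in the final `exec`, so an install prefix containing a space or a glob character breaks the launcher, and the unquoted `exec $DEVSKIM_PATH/lib/devskim` word-splits into a different command entirely. Quote every expansion as below; the `exit $?` after `exec` is unreachable and can be dropped, though it does no harm.
```shell
if [ ! -L "$0" ]; then
  # … unchanged: comment …
  DEVSKIM_PATH="$(dirname "$0")/.."
else
  if which readlink >/dev/null; then
    # … unchanged: comment …
    DEVSKIM_PATH="$(dirname "$(readlink -f "$0")")/.."
  # … unchanged: fallback to /usr/share/devskim, fi, fi …

exec "$DEVSKIM_PATH/lib/devskim" "$@"
```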