From b08bf6e531dc28f239a0d9d89cd476480089cf27 Mon Sep 17 00:00:00 2001 
From: Gabe Stocco <98900+gfs@users.noreply.github.com>
Date: Thu, 29 Feb 2024 22:49:02 +0000
Subject: [PATCH] Updates to Populate Sarif Fields for GitHub Severity + Precision (#606)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Update dependencies
* Improve Confidence Reporting
Adds Confidence Field to Issue Record
Sets Confidence to either Confidence of Pattern if specified, or confidence of overall rule if specified
Report Confidence and Severity in special Github sarif fields.
Add Confidence values to rules
* Update Guidance (#600)
Fixed typo
Tokens/keys in source code
DES->AES Guidance
* Update Changelog.md
---------
Co-authored-by: Cristián Rojas
---
 Changelog.md | 13 +++++++++++
 .../Microsoft.DevSkim.CLI.csproj | 4 ++--
 .../Writers/SarifWriter.cs | 23 +++++++++++++++++++
 .../Microsoft.DevSkim.Tests.csproj | 4 ++--
 .../Microsoft.DevSkim.VisualStudio.csproj | 6 ++---
 .../Microsoft.DevSkim/DevSkimRuleProcessor.cs | 3 +++
 DevSkim-DotNet/Microsoft.DevSkim/Issue.cs | 4 ++++
 .../Microsoft.DevSkim.csproj | 2 +-
 guidance/DS106864.md | 6 +++++
 guidance/DS113286.md | 2 +-
 guidance/DS117838.md | 17 ++++++++++++--
 rules/default/correctness/datetime.json | 1 +
 rules/default/security/TLS/tls_appconfig.json | 1 +
 .../default/security/TLS/tls_appcontext.json | 1 +
 rules/default/security/TLS/tls_cobol.json | 1 +
 .../security/TLS/tls_functioncall.json | 1 +
 rules/default/security/TLS/tls_generic.json | 9 ++++++++
 rules/default/security/TLS/tls_go.json | 1 +
 rules/default/security/TLS/tls_java.json | 2 ++
 .../default/security/TLS/tls_javascript.json | 1 +
 rules/default/security/TLS/tls_macos.json | 1 +
 rules/default/security/TLS/tls_python.json | 1 +
 rules/default/security/TLS/tls_rust.json | 1 +
 .../security/TLS/tls_securityprotocol.json | 1 +
 .../default/security/TLS/tls_sslprotocol.json | 1 +
 rules/default/security/TLS/tls_win32.json | 4 ++++
 rules/default/security/api/dangerous_api.json | 6 +++++
 .../default/security/api/deserialization.json | 5 ++++
 rules/default/security/api/misused_api.json | 2 ++
 rules/default/security/api/suggested_api.json | 3 +++
 rules/default/security/api/t_sql.json | 1 +
 .../attack_surface/outbound_network.json | 2 ++
 .../control_flow/dynamic_execution.json | 1 +
 .../security/control_flow/format_string.json | 1 +
 .../control_flow/permission_evelation.json | 2 ++
 .../security/cryptography/certificate.json | 12 ++++++++++
 .../security/cryptography/ciphers.json | 7 ++++++
 .../security/cryptography/general.json | 2 ++
 .../security/cryptography/hardcoded_tls.json | 7 ++++++
 .../security/cryptography/hash_algorithm.json | 7 ++++++
 .../cryptography/initialization_vector.json | 2 ++
 .../security/cryptography/protocol.json | 6 +++++
 .../default/security/cryptography/random.json | 4 ++++
 .../security/cryptography/underhanded.json | 1 +
 .../cryptography/weak_cipher_modes.json | 2 ++
 .../default/security/frameworks/android.json | 3 +++
 .../default/security/frameworks/aspnet5.json | 1 +
 .../security/frameworks/dotnet_framework.json | 4 ++++
 rules/default/security/frameworks/php.json | 2 ++
 rules/default/security/hygiene/localhost.json | 1 +
 rules/default/security/hygiene/todo.json | 1 +
 .../security/manualreview/dynamiccode.json | 3 +++
 .../security/manualreview/zip_slip.json | 1 +
 .../security/privacy/device_restrictions.json | 1 +
 rules/default/security/privacy/secrets.json | 2 ++
 .../security/storage/secure_storage.json | 2 ++
 .../vulnerable_libraries/microsoft_nuget.json | 2 ++
 .../security/xml/external_entities.json | 3 +++
 .../default/security/xml/xslt_scripting.json | 1 +
 59 files changed, 200 insertions(+), 11 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index f836722a..db0da4a5 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.0.31] - 2024-1-28
+### Sarif Format
+Populate additional fields for GitHub Code scanning
+
+### Rules
+Populate Confidence values for rules
+
+### Dependencies
+Update Dependencies
+
+### Engine
+Prioritize confidence value from Pattern level in Issue records but fall back to rule level if not specified.
+
 ## [1.0.30] - 2024-1-31
 ### Pipeline
 Additional pipeline fixes
diff --git a/DevSkim-DotNet/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj b/DevSkim-DotNet/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj
index 737d144b..b6df9215 100644
--- a/DevSkim-DotNet/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj
+++ b/DevSkim-DotNet/Microsoft.DevSkim.CLI/Microsoft.DevSkim.CLI.csproj
@@ -37,9 +37,9 @@ - + - +
diff --git a/DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs b/DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs
index f7059bb0..32522fb2 100644
--- a/DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs
+++ b/DevSkim-DotNet/Microsoft.DevSkim.CLI/Writers/SarifWriter.cs
@@ -213,6 +213,9 @@ private void AddRuleToSarifRule(DevSkimRule devskimRule)
                 Enabled = true,
                 Level = DevSkimLevelToSarifLevel(devskimRule.Severity)
             };
+            // Set github code scanning properties
+            sarifRule.SetProperty("precision", ConfidenceToPrecision(devskimRule.Confidence));
+            sarifRule.SetProperty("problem.severity", DevSkimLevelToGitHubLevel(devskimRule.Severity));
             sarifRule.SetProperty("DevSkimSeverity", devskimRule.Severity.ToString());
             sarifRule.SetProperty("DevSkimConfidence", devskimRule.Confidence.ToString());
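Review bot: For `Severity.Unspecified` (and the `_` arm) `DevSkimLevelToGitHubLevel` returns `string.Empty`, as does `ConfidenceToPrecision` for `Confidence.Unspecified`, so the two new `SetProperty` calls write `problem.severity` and `precision` with an empty string, which is not among the values GitHub documents for those properties (`error`/`warning`/`recommendation` and `very-high`/`high`/`medium`/`low`). I would keep the mapped value in a local and skip the property when it is empty: `var precision = ConfidenceToPrecision(devskimRule.Confidence);` followed by `if (precision.Length > 0) { sarifRule.SetProperty("precision", precision); }`, with the same guard for `problem.severity`. If the goal is the Critical/High/Medium/Low column GitHub shows for security alerts, that appears to come from the separate `security-severity` property rather than `problem.severity`, which is worth confirming against GitHub's SARIF property documentation before relying on this output for triage. `AddRuleToSarifRule` begins before this hunk, and both mapping helpers are defined in the next hunk of this file.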
@@ -220,6 +223,26 @@ private void AddRuleToSarifRule(DevSkimRule devskimRule)
             }
         }
+        private object DevSkimLevelToGitHubLevel(Severity severity) => severity switch
+        {
+            Severity.Unspecified => string.Empty,
+            Severity.Critical => "error",
+            Severity.Important => "warning",
+            Severity.Moderate => "warning",
+            Severity.BestPractice => "recommendation",
+            Severity.ManualReview => "recommendation",
+            _ => string.Empty,
+        };
+
+        private static string ConfidenceToPrecision(Confidence confidence) => confidence switch
+        {
+            Confidence.High => "high",
+            Confidence.Medium => "medium",
+            Confidence.Low => "low",
+            Confidence.Unspecified => string.Empty,
+            _ => string.Empty
+        };
+
         private string ToSarifFriendlyName(string devskimRuleName) => string.Concat(devskimRuleName.Split(' ', StringSplitOptions.RemoveEmptyEntries)
             .Select(x => string.Concat(x.Where(char.IsLetterOrDigit)))
diff --git a/DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj b/DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj
index 00632dcc..5c7410e0 100644
--- a/DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj
+++ b/DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj
@@ -10,8 +10,8 @@ - - + +
diff --git a/DevSkim-DotNet/Microsoft.DevSkim.VisualStudio/Microsoft.DevSkim.VisualStudio.csproj b/DevSkim-DotNet/Microsoft.DevSkim.VisualStudio/Microsoft.DevSkim.VisualStudio.csproj
index b7a9ce2e..09ab8330 100644
--- a/DevSkim-DotNet/Microsoft.DevSkim.VisualStudio/Microsoft.DevSkim.VisualStudio.csproj
+++ b/DevSkim-DotNet/Microsoft.DevSkim.VisualStudio/Microsoft.DevSkim.VisualStudio.csproj
@@ -87,15 +87,15 @@ - 17.8.36 + 17.9.46 17.2.8 - + compile; build; native; contentfiles; analyzers; buildtransitive - + all runtime; build; native; contentfiles; analyzers; buildtransitive
diff --git a/DevSkim-DotNet/Microsoft.DevSkim/DevSkimRuleProcessor.cs b/DevSkim-DotNet/Microsoft.DevSkim/DevSkimRuleProcessor.cs
index 5080f188..b0f781cb 100644
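Review bot: `DevSkimLevelToGitHubLevel` is declared `private object` and non-static, while the companion `ConfidenceToPrecision` right below it is `private static string`; every arm of the first switch is a string literal or `string.Empty` and no instance state is touched, so `private static string DevSkimLevelToGitHubLevel(Severity severity) => severity switch` makes the pair consistent and gives callers a typed result. The explicit `Severity.Unspecified => string.Empty` and `Confidence.Unspecified => string.Empty` arms repeat what the `_` arms already return and could be removed, or kept deliberately with a comment saying so. A one-line `///` summary on each helper, such as `/// Maps a DevSkim severity to the GitHub code scanning problem.severity value; empty when no mapping exists.`, would also document the contract the SARIF consumer relies on.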
--- a/DevSkim-DotNet/Microsoft.DevSkim/DevSkimRuleProcessor.cs
+++ b/DevSkim-DotNet/Microsoft.DevSkim/DevSkimRuleProcessor.cs
@@ -41,6 +41,9 @@ public IEnumerable Analyze(string text, string fileName)
                         StartLocation: textContainer.GetLocation(matchRecord.Boundary.Index),
                         EndLocation: textContainer.GetLocation(matchRecord.Boundary.Index + matchRecord.Boundary.Length),
                         Rule: devSkimRule);
+                    // Match record confidence is based on pattern confidence (from AI engine)
+                    // As a backup, DevSkim Rules may also have an overall confidence specified for the rule, use that when match confidence undefined
+                    issue.Confidence = matchRecord.Confidence == Confidence.Unspecified ? devSkimRule.Confidence : matchRecord.Confidence;
                     if (_processorOptions.EnableSuppressions)
                     {
                         Suppression supp = new(textContainer, issue.StartLocation.Line);
diff --git a/DevSkim-DotNet/Microsoft.DevSkim/Issue.cs b/DevSkim-DotNet/Microsoft.DevSkim/Issue.cs
index 9756ef7b..6db36f87 100644
--- a/DevSkim-DotNet/Microsoft.DevSkim/Issue.cs
+++ b/DevSkim-DotNet/Microsoft.DevSkim/Issue.cs
@@ -41,5 +41,9 @@ public Issue(Boundary Boundary, Location StartLocation, Location EndLocation, De
         /// Location (line, column) where issue starts
         ///
         public Location StartLocation { get; set; }
+        ///
+        /// Confidence level of match
+        ///
+        public Confidence Confidence { get; internal set; }
     }
 }
\ No newline at end of file
diff --git a/DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj b/DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj
index 83e4efc8..b19d4d07 100644
--- a/DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj
+++ b/DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj
@@ -24,7 +24,7 @@ - +
diff --git a/guidance/DS106864.md b/guidance/DS106864.md
index 86e8c1db..074ea9e9 100644
--- a/guidance/DS106864.md
+++ b/guidance/DS106864.md
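Review bot: The new comment attributes the match confidence to the `(from AI engine)`; if this refers to the Application Inspector rules engine that produces `matchRecord`, spell it out so the next reader does not take it for a machine-learning component, e.g. `// Match confidence comes from the pattern that fired (Application Inspector rules engine); fall back to the rule-level confidence when the pattern leaves it Unspecified.`. The fallback itself reads cleanly; the assignment could be folded into the `Issue` construction just above instead of mutating the object afterwards, since the object is otherwise built in one expression, but that depends on the `Issue` constructor, which is outside this hunk. The enclosing `Analyze` method starts and ends outside the hunk.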
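Review bot: The doc comment `Confidence level of match` on the new `Confidence` property does not say where the value comes from or what an `Unspecified` value means; given the assignment in `DevSkimRuleProcessor` in this same patch, I would write `/// Confidence of the match: the matching pattern's confidence when it specifies one, otherwise the rule's overall confidence.`. `Confidence` is not part of the constructor shown in the hunk header, so an `Issue` created elsewhere keeps the enum's default value; if that default is `Confidence.Unspecified` the summary should say so, which is worth confirming against the enum definition. The enclosing class begins before this hunk.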
@@ -11,6 +11,12 @@ anywhere.
 In general, the [Advanced Encryption Standard](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), or AES, algorithm, is preferred for all cases where symmetric encryption is needed.
+#### Solution
+
+##### .NET
+
+Use the following method: `System.Security.Cryptography.Aes.Create()`
+
 ### Implementation
 #### C# / .NET
diff --git a/guidance/DS113286.md b/guidance/DS113286.md
index 6405e4dd..6c500e8e 100644
--- a/guidance/DS113286.md
+++ b/guidance/DS113286.md
@@ -1,4 +1,4 @@
-## Do not include user-input directoy in format strings
+## Do not include user-input directly in format strings
 ### Summary
 Do not create NSString objects using a user-provided format string, as this could lead to a security vulnerability. https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings
diff --git a/guidance/DS117838.md b/guidance/DS117838.md
index 40b7f66e..d6f20c86 100644
--- a/guidance/DS117838.md
+++ b/guidance/DS117838.md
@@ -4,8 +4,21 @@ A token or key was found in source code. If this represents a secret, it should
 be moved somewhere else.
 ### Details
-TO DO - put more details of problem and solution here
+
+Secrets in source code pose a threat to the application's components, like
+databases and other users, especially if this source code is leaked or shared.
+This applies to:
+
+* Users/passwords
+* Tokens (JWT's, etc.)
+* Hashes
+* Encryption keys
 ### Severity Considerations
-TO DO - put more details on the severity of the issue here. Generally how big of a problem is this, and what makes it more or less of a problem?
+
+Follow these steps:
+
+* Change passwords/keys/secrets on the target components.
+* Store them in a secrets vault
+* Remove them from your code.
diff --git a/rules/default/correctness/datetime.json b/rules/default/correctness/datetime.json
index c8b66c74..340d783f 100644
--- a/rules/default/correctness/datetime.json
+++ b/rules/default/correctness/datetime.json
@@ -14,6 +14,7 @@ "rule_info": "", "patterns": [ { + "confidence": "high", "pattern": "(%Y-%M-%d)|(%M-%d-%Y)|(%M/%d/%Y)", "type": "regex", "scopes": [ diff --git a/rules/default/security/TLS/tls_appconfig.json b/rules/default/security/TLS/tls_appconfig.json index d682e695..2dc6264e 100644 --- a/rules/default/security/TLS/tls_appconfig.json +++ b/rules/default/security/TLS/tls_appconfig.json @@ -10,6 +10,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS112838.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_appcontext.json b/rules/default/security/TLS/tls_appcontext.json index d81bc63a..c399d0cb 100644 --- a/rules/default/security/TLS/tls_appcontext.json +++ b/rules/default/security/TLS/tls_appcontext.json @@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_cobol.json b/rules/default/security/TLS/tls_cobol.json index 0ee18e0d..9c162cf4 100644 --- a/rules/default/security/TLS/tls_cobol.json +++ b/rules/default/security/TLS/tls_cobol.json @@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_functioncall.json b/rules/default/security/TLS/tls_functioncall.json index d1742378..5251d891 100644 --- a/rules/default/security/TLS/tls_functioncall.json +++ b/rules/default/security/TLS/tls_functioncall.json @@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_generic.json b/rules/default/security/TLS/tls_generic.json index 179281c9..2e10a29e 100644 --- a/rules/default/security/TLS/tls_generic.json 
+++ b/rules/default/security/TLS/tls_generic.json @@ -15,6 +15,7 @@ "overrides": [ "DS440000" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440001.md", "patterns": [ @@ -58,6 +59,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "_comment": "Applies to all languages since many just wrap OpenSSL constructs.", "rule_info": "DS440001.md", @@ -127,6 +129,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "_comment": "Applies to all languages since many just wrap OpenSSL constructs.", "rule_info": "DS440001.md", @@ -156,6 +159,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "_comment": "Applies to all languages since many just wrap GnuTLS constructs.", "rule_info": "DS440001.md", @@ -185,6 +189,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "_comment": "Applies to all languages since many just wrap LibreSSL constructs.", "rule_info": "DS440001.md", @@ -214,6 +219,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "_comment": "Applies to all languages since many just wrap mbedTLS constructs.", "rule_info": "DS440001.md", @@ -251,6 +257,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440001.md", "patterns": [ @@ -293,6 +300,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440001.md", "patterns": [ @@ -364,6 +372,7 @@ "tags": [ "Cryptography.Protocol.TLS.Elliptic-Curve.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440001.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_go.json b/rules/default/security/TLS/tls_go.json index 4c52af9c..2ce5b5ea 100644 
--- a/rules/default/security/TLS/tls_go.json +++ b/rules/default/security/TLS/tls_go.json @@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_java.json b/rules/default/security/TLS/tls_java.json index 0f11325f..e491b01f 100644 --- a/rules/default/security/TLS/tls_java.json +++ b/rules/default/security/TLS/tls_java.json @@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ @@ -55,6 +56,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_javascript.json b/rules/default/security/TLS/tls_javascript.json index ffe21637..0125aa55 100644 --- a/rules/default/security/TLS/tls_javascript.json +++ b/rules/default/security/TLS/tls_javascript.json @@ -14,6 +14,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_macos.json b/rules/default/security/TLS/tls_macos.json index ad030485..084f4627 100644 --- a/rules/default/security/TLS/tls_macos.json +++ b/rules/default/security/TLS/tls_macos.json @@ -12,6 +12,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "_comment": "Generic, since there are multiple languages that bind to these constants.", "rule_info": "DS440000.md", diff --git a/rules/default/security/TLS/tls_python.json b/rules/default/security/TLS/tls_python.json index c660fc31..76f87ad9 100644 --- a/rules/default/security/TLS/tls_python.json +++ b/rules/default/security/TLS/tls_python.json 
@@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_rust.json b/rules/default/security/TLS/tls_rust.json index a1ad7e9c..67538511 100644 --- a/rules/default/security/TLS/tls_rust.json +++ b/rules/default/security/TLS/tls_rust.json @@ -13,6 +13,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_securityprotocol.json b/rules/default/security/TLS/tls_securityprotocol.json index 7a82bad2..7aea63b9 100644 --- a/rules/default/security/TLS/tls_securityprotocol.json +++ b/rules/default/security/TLS/tls_securityprotocol.json @@ -16,6 +16,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS112835.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_sslprotocol.json b/rules/default/security/TLS/tls_sslprotocol.json index 9d325d7d..ddc0547c 100644 --- a/rules/default/security/TLS/tls_sslprotocol.json +++ b/rules/default/security/TLS/tls_sslprotocol.json @@ -16,6 +16,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/TLS/tls_win32.json b/rules/default/security/TLS/tls_win32.json index 87dccdbe..099844fc 100644 --- a/rules/default/security/TLS/tls_win32.json +++ b/rules/default/security/TLS/tls_win32.json @@ -15,6 +15,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ @@ -43,6 +44,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ 
@@ -71,6 +73,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ @@ -155,6 +158,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hard-Coded" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS440000.md", "patterns": [ diff --git a/rules/default/security/api/dangerous_api.json b/rules/default/security/api/dangerous_api.json index 31f2c51e..5c902bed 100644 --- a/rules/default/security/api/dangerous_api.json +++ b/rules/default/security/api/dangerous_api.json @@ -12,6 +12,7 @@ "tags": [ "API.DangerousAPI.BannedFunction" ], + "confidence": "high", "severity": "moderate", "rule_info": "DS154189.md", "patterns": [ @@ -43,6 +44,7 @@ "tags": [ "API.DangerousAPI.BannedFunction" ], + "confidence": "high", "severity": "important", "rule_info": "DS185832.md", "patterns": [ @@ -105,6 +107,7 @@ "tags": [ "API.DangerousAPI.BannedFunction" ], + "confidence": "high", "severity": "important", "rule_info": "DS111237.md", "patterns": [ @@ -162,6 +165,7 @@ "tags": [ "API.DangerousAPI.BannedFunction" ], + "confidence": "high", "severity": "important", "rule_info": "DS141863.md", "patterns": [ @@ -219,6 +223,7 @@ "tags": [ "API.DangerousAPI.BannedFunction" ], + "confidence": "high", "severity": "important", "rule_info": "DS108330.md", "patterns": [ @@ -276,6 +281,7 @@ "tags": [ "API.DangerousAPI.BannedFunction" ], + "confidence": "high", "severity": "important", "rule_info": "DS181021.md", "patterns": [ diff --git a/rules/default/security/api/deserialization.json b/rules/default/security/api/deserialization.json index 560d865e..020ad209 100644 --- a/rules/default/security/api/deserialization.json +++ b/rules/default/security/api/deserialization.json @@ -10,6 +10,7 @@ "tags": [ "Deserialization" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS425000.md", "patterns": [ 
@@ -36,6 +37,7 @@ "tags": [ "Deserialization" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS425000.md", "patterns": [ @@ -62,6 +64,7 @@ "tags": [ "Deserialization" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS425000.md", "patterns": [ @@ -88,6 +91,7 @@ "tags": [ "Deserialization" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS425000.md", "patterns": [ @@ -124,6 +128,7 @@ "tags": [ "Deserialization" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS425000.md", "patterns": [ diff --git a/rules/default/security/api/misused_api.json b/rules/default/security/api/misused_api.json index fc646287..cdecde3c 100644 --- a/rules/default/security/api/misused_api.json +++ b/rules/default/security/api/misused_api.json @@ -12,6 +12,7 @@ "CERT.FIO38-C", "C.DangerousFunctionCall" ], + "confidence": "high", "severity": "important", "rule_info": "DS179924.md", "patterns": [ @@ -41,6 +42,7 @@ "tags": [ "PHP.Injection" ], + "confidence": "high", "severity": "critical", "rule_info": "DS181731.md", "patterns": [ diff --git a/rules/default/security/api/suggested_api.json b/rules/default/security/api/suggested_api.json index 7cd6e153..db008e33 100644 --- a/rules/default/security/api/suggested_api.json +++ b/rules/default/security/api/suggested_api.json @@ -12,6 +12,7 @@ "tags": [ "API.DangerousAPI.ProblematicFunction" ], + "confidence": "high", "severity": "BestPractice", "rule_info": "DS161085.md", "patterns": [ @@ -54,6 +55,7 @@ "tags": [ "API.DangerousAPI.ProblematicFunction" ], + "confidence": "high", "severity": "BestPractice", "rule_info": "DS121708.md", "patterns": [ @@ -99,6 +101,7 @@ "tags": [ "API.DangerousAPI.ProblematicFunction" ], + "confidence": "high", "severity": "BestPractice", "rule_info": "DS140021.md", "patterns": [ diff --git a/rules/default/security/api/t_sql.json b/rules/default/security/api/t_sql.json index 750f0e2e..ad676860 100644 
--- a/rules/default/security/api/t_sql.json +++ b/rules/default/security/api/t_sql.json @@ -10,6 +10,7 @@ "tags": [ "API.T-SQL.Dangerous" ], + "confidence": "high", "severity": "important", "rule_info": "DS224000.md", "patterns": [ diff --git a/rules/default/security/attack_surface/outbound_network.json b/rules/default/security/attack_surface/outbound_network.json index 9193074e..4db8d82d 100644 --- a/rules/default/security/attack_surface/outbound_network.json +++ b/rules/default/security/attack_surface/outbound_network.json @@ -10,6 +10,7 @@ "tags": [ "ThreatModel.Integration.HTTP" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS137038.md", "patterns": [ @@ -33,6 +34,7 @@ "tags": [ "ThreatModel.Integration.HTTP" ], + "confidence": "high", "severity": "moderate", "rule_info": "DS137138.md", "patterns": [ diff --git a/rules/default/security/control_flow/dynamic_execution.json b/rules/default/security/control_flow/dynamic_execution.json index 0172cb98..bc923ca6 100644 --- a/rules/default/security/control_flow/dynamic_execution.json +++ b/rules/default/security/control_flow/dynamic_execution.json @@ -12,6 +12,7 @@ "ControlFlow.DynamicExecution.JavaScript", "Design.Mobile.iOS.WebView.DynamicJavaScript" ], + "confidence": "high", "severity": "important", "rule_info": "DS165746.md", "patterns": [ diff --git a/rules/default/security/control_flow/format_string.json b/rules/default/security/control_flow/format_string.json index 2c2f325d..6cf03153 100644 --- a/rules/default/security/control_flow/format_string.json +++ b/rules/default/security/control_flow/format_string.json @@ -11,6 +11,7 @@ "ControlFlow.Injection.FormatString", "cert:FIO30-C" ], + "confidence": "high", "severity": "important", "rule_info": "DS113286.md", "patterns": [ diff --git a/rules/default/security/control_flow/permission_evelation.json b/rules/default/security/control_flow/permission_evelation.json index 18be163e..13be0068 100644 
--- a/rules/default/security/control_flow/permission_evelation.json +++ b/rules/default/security/control_flow/permission_evelation.json @@ -10,6 +10,7 @@ "tags": [ "ControlFlow.Permission.Evalation" ], + "confidence": "high", "severity": "moderate", "rule_info": "DS113853.md", "patterns": [ @@ -36,6 +37,7 @@ "tags": [ "Implementation.Scripting.PowerShell.DangeousFunction" ], + "confidence": "high", "severity": "important", "rule_info": "DS104456.md", "patterns": [ diff --git a/rules/default/security/cryptography/certificate.json b/rules/default/security/cryptography/certificate.json index c420f696..d5a56be4 100644 --- a/rules/default/security/cryptography/certificate.json +++ b/rules/default/security/cryptography/certificate.json @@ -7,6 +7,7 @@ "tags": [ "Cryptography.Optional" ], + "confidence": "high", "severity": "important", "rule_info": "DS114352.md", "patterns": [ @@ -41,6 +42,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS181865.md", "patterns": [ @@ -119,6 +121,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -147,6 +150,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS130822.md", "patterns": [ @@ -187,6 +191,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -248,6 +253,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -297,6 +303,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ 
@@ -323,6 +330,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -349,6 +357,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -375,6 +384,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "medium", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -417,6 +427,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ @@ -493,6 +504,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS114352.md", "patterns": [ diff --git a/rules/default/security/cryptography/ciphers.json b/rules/default/security/cryptography/ciphers.json index cf26a1fc..98bc9947 100644 --- a/rules/default/security/cryptography/ciphers.json +++ b/rules/default/security/cryptography/ciphers.json @@ -10,6 +10,7 @@ "tags": [ "Cryptography.Library.Abandoned" ], + "confidence": "medium", "severity": "moderate", "rule_info": "DS175862.md", "patterns": [ @@ -42,6 +43,7 @@ "tags": [ "Cryptography.Symmetric.PotentiallyWeakAlgorithm" ], + "confidence": "high", "severity": "moderate", "rule_info": "DS109501.md", "patterns": [ @@ -86,6 +88,7 @@ "tags": [ "Cryptography.Symmetric.WeakOrBrokenAlgorithm" ], + "confidence": "medium", "severity": "critical", "rule_info": "DS106863.md", "patterns": [ @@ -131,6 +134,7 @@ "tags": [ "Cryptography.Symmetric.WeakOrBrokenAlgorithm" ], + "confidence": "high", "severity": "critical", "rule_info": "DS106864.md", "patterns": [ @@ -175,6 +179,7 @@ "tags": [ "Cryptography.Symmetric.WeakOrBrokenAlgorithm.DES" ], + "confidence": "high", "severity": "critical", "rule_info": "DS106865.md", "patterns": [ 
@@ -213,6 +218,7 @@ "tags": [ "Cryptography.Symmetric.WeakOrBrokenAlgorithm.DES" ], + "confidence": "high", "severity": "critical", "rule_info": "DS106866.md", "patterns": [ @@ -258,6 +264,7 @@ "tags": [ "Cryptography.Symmetric.WeakOrBrokenAlgorithm.RC2" ], + "confidence": "high", "severity": "critical", "rule_info": "DS156431.md", "patterns": [ diff --git a/rules/default/security/cryptography/general.json b/rules/default/security/cryptography/general.json index 3507ac11..551fe9c2 100644 --- a/rules/default/security/cryptography/general.json +++ b/rules/default/security/cryptography/general.json @@ -7,6 +7,7 @@ "tags": [ "Cryptography.Certificate.Validation" ], + "confidence": "high", "severity": "critical", "rule_info": "DS101155.md", "patterns": [ @@ -56,6 +57,7 @@ "tags": [ "Cryptography.SecurityContext.Initialization" ], + "confidence": "high", "severity": "ManualReview", "rule_info": "DS101159.md", "patterns": [ diff --git a/rules/default/security/cryptography/hardcoded_tls.json b/rules/default/security/cryptography/hardcoded_tls.json index dd0d0774..938a870f 100644 --- a/rules/default/security/cryptography/hardcoded_tls.json +++ b/rules/default/security/cryptography/hardcoded_tls.json @@ -11,6 +11,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hardcoded" ], + "confidence": "high", "severity": "important", "rule_info": "DS440000.md", "must-match": [ @@ -73,6 +74,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hardcoded" ], + "confidence": "high", "severity": "important", "_comment": "Applies to all languages since many just wrap OpenSSL constructs.", "rule_info": "DS440000.md", @@ -146,6 +148,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hardcoded" ], + "confidence": "high", "severity": "important", "_comment": "Applies to all languages since many just wrap OpenSSL constructs.", "rule_info": "DS440000.md", @@ -190,6 +193,7 @@ "tags": [ "Cryptography.Protocol.TLS.Hardcoded" ], + "confidence": "high", "severity": "important", "rule_info": "DS440000.md", "patterns": [ 
@@ -213,6 +217,7 @@
 "tags": [
 "Cryptography.Protocol.TLS.Hardcoded"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS440000.md",
 "patterns": [
@@ -280,6 +285,7 @@
 "tags": [
 "Cryptography.Protocol.TLS.Hardcoded"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS440000.md",
 "patterns": [
@@ -316,6 +322,7 @@
 "tags": [
 "Cryptography.Protocol.TLS.Hardcoded"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS440000.md",
 "patterns": [
diff --git a/rules/default/security/cryptography/hash_algorithm.json b/rules/default/security/cryptography/hash_algorithm.json
index 707ce072..cdbd4bc0 100644
--- a/rules/default/security/cryptography/hash_algorithm.json
+++ b/rules/default/security/cryptography/hash_algorithm.json
@@ -8,6 +8,7 @@
 "Cryptography.BannedHashAlgorithm"
 ],
 "does_not_apply_to": ["json"],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS126858.md",
 "patterns": [
@@ -96,6 +97,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.BrokenOrWeak"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS197800.md",
 "patterns": [
@@ -155,6 +157,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.BrokenOrWeak"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS128420.md",
 "patterns": [
@@ -212,6 +215,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.BrokenOrWeak"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS108647.md",
 "patterns": [
@@ -275,6 +279,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.BrokenOrWeak"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS196098.md",
 "patterns": [
@@ -335,6 +340,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.BrokenOrWeak"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS168931.md",
 "patterns": [
@@ -389,6 +395,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.InsufficientEntropy"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS197836.md",
 "patterns": [
diff --git a/rules/default/security/cryptography/initialization_vector.json b/rules/default/security/cryptography/initialization_vector.json
index 3c189ae8..1d1ef274 100644
--- a/rules/default/security/cryptography/initialization_vector.json
+++ b/rules/default/security/cryptography/initialization_vector.json
@@ -11,6 +11,7 @@
 "tags": [
 "Cryptography.Symmetric.InitializationVector.Missing"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS188250.md",
 "patterns": [
@@ -55,6 +56,7 @@
 "tags": [
 "Cryptography.Symmetric.InitializationVector.HardcodedSize"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS128921.md",
 "patterns": [
diff --git a/rules/default/security/cryptography/protocol.json b/rules/default/security/cryptography/protocol.json
index e027d49f..e3956427 100644
--- a/rules/default/security/cryptography/protocol.json
+++ b/rules/default/security/cryptography/protocol.json
@@ -11,6 +11,7 @@
 "tags": [
 "Cryptography.Protocol.TLS"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS144436.md",
 "patterns": [
@@ -52,6 +53,7 @@
 "tags": [
 "Cryptography.Protocol.TLS"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS127101.md",
 "patterns": [
@@ -75,6 +77,7 @@
 "tags": [
 "Cryptography.Protocol.TLS"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS169125.md",
 "patterns": [
@@ -100,6 +103,7 @@
 "tags": [
 "Cryptography.Protocol.Banned"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS169126.md",
 "patterns": [
@@ -169,6 +173,7 @@
 "tags": [
 "Cryptography.Protocol.Banned"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS169126.md",
 "patterns": [
@@ -430,6 +435,7 @@
 "tags": [
 "Cryptography.Protocol.Banned"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS169126.md",
 "patterns": [
diff --git a/rules/default/security/cryptography/random.json b/rules/default/security/cryptography/random.json
index df19b681..9ff37d93 100644
--- a/rules/default/security/cryptography/random.json
+++ b/rules/default/security/cryptography/random.json
@@ -17,6 +17,7 @@
 "javascript",
 "typescript"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS148264.md",
 "patterns": [
@@ -106,6 +107,7 @@
 "applies_to": [
 "rust"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS148264.md",
 "patterns": [
@@ -140,6 +142,7 @@
 "tags": [
 "Cryptography.PRNG.Weak"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS148264.md",
 "patterns": [
@@ -167,6 +170,7 @@
 "tags": [
 "Cryptography.WeakRandomness"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS149435.md",
 "patterns": [
diff --git a/rules/default/security/cryptography/underhanded.json b/rules/default/security/cryptography/underhanded.json
index 5a522ede..efaaf0ef 100644
--- a/rules/default/security/cryptography/underhanded.json
+++ b/rules/default/security/cryptography/underhanded.json
@@ -7,6 +7,7 @@
 "tags": [
 "Cryptography.HashAlgorithm.WeakOrBrokenImplementation"
 ],
+ "confidence": "medium",
 "severity": "critical",
 "rule_info": "DS109733.md",
 "patterns": [
diff --git a/rules/default/security/cryptography/weak_cipher_modes.json b/rules/default/security/cryptography/weak_cipher_modes.json
index 461bdeb1..4e3953c2 100644
--- a/rules/default/security/cryptography/weak_cipher_modes.json
+++ b/rules/default/security/cryptography/weak_cipher_modes.json
@@ -7,6 +7,7 @@
 "tags": [
 "Cryptography.Symmetric.CipherMode.Weak"
 ],
+ "confidence": "medium",
 "severity": "important",
 "rule_info": "DS187371.md",
 "patterns": [
@@ -35,6 +36,7 @@
 "tags": [
 "Cryptography.Symmetric.CipherMode.Weak"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS182720.md",
 "patterns": [
diff --git a/rules/default/security/frameworks/android.json b/rules/default/security/frameworks/android.json
index 18714dae..2fdc1edf 100644
--- a/rules/default/security/frameworks/android.json
+++ b/rules/default/security/frameworks/android.json
@@ -10,6 +10,7 @@
 "tags": [
 "Framework.Android"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS180000.md",
 "patterns": [
@@ -60,6 +61,7 @@
 "tags": [
 "Framework.Android"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS180000.md",
 "patterns": [
@@ -105,6 +107,7 @@
 "tags": [
 "Framework.Android"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS180001.md",
 "patterns": [
diff --git a/rules/default/security/frameworks/aspnet5.json b/rules/default/security/frameworks/aspnet5.json
index cc2a2273..75258136 100644
--- a/rules/default/security/frameworks/aspnet5.json
+++ b/rules/default/security/frameworks/aspnet5.json
@@ -10,6 +10,7 @@
 "tags": [
 "Implementation.Web.ASPNET.ControllerWithoutExtendingController"
 ],
+ "confidence": "medium",
 "severity": "moderate",
 "rule_info": "DS184626.md",
 "patterns": [
diff --git a/rules/default/security/frameworks/dotnet_framework.json b/rules/default/security/frameworks/dotnet_framework.json
index f907c655..5ee148cc 100644
--- a/rules/default/security/frameworks/dotnet_framework.json
+++ b/rules/default/security/frameworks/dotnet_framework.json
@@ -10,6 +10,7 @@
 "tags": [
 "Framework.NET.Outdated"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS450000.md",
 "patterns": [
@@ -35,6 +36,7 @@
 "id": "DS450001",
 "description": "Disabling the Secure flag could result in the disclosure of sensitive cookie information over HTTP.",
 "recommendation": "Enable the Secure cookie on cookies.",
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS450001.md",
 "applies_to_file_regex": [
@@ -91,6 +93,7 @@
 "tags": [
 "Framework.NET"
 ],
+ "confidence": "high",
 "severity": "important",
 "rule_info": "DS450002.md",
 "patterns": [
@@ -135,6 +138,7 @@
 "tags": [
 "Framework.NET"
 ],
+ "confidence": "high",
 "severity": "manualreview",
 "rule_info": "DS450003.md",
 "patterns": [
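Review bot: The new `"confidence": "high"` on DS450003 sits beside `"severity": "manualreview"`, the only lower-case severity in this change while every other rule here spells it `ManualReview`. Since this commit starts emitting severity into GitHub-specific SARIF properties, a case-sensitive lookup on that string (the writer is not visible in these hunks) would leave this rule without a mapped severity even though its confidence is now populated; I would normalise it to `"severity": "ManualReview",` in the same commit rather than leave the inconsistency. A rule-loading check that rejects unknown spellings of `severity` and `confidence` would stop this from recurring as more rules gain the new field.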
diff --git a/rules/default/security/frameworks/php.json b/rules/default/security/frameworks/php.json
index d5700e66..fb08c226 100644
--- a/rules/default/security/frameworks/php.json
+++ b/rules/default/security/frameworks/php.json
@@ -10,6 +10,7 @@
 "tags": [
 "Implementation.PHP"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS144886.md",
 "patterns": [
@@ -79,6 +80,7 @@
 "tags": [
 "Implementation.PHP"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS163877.md",
 "patterns": [
diff --git a/rules/default/security/hygiene/localhost.json b/rules/default/security/hygiene/localhost.json
index 557ad61e..381a2383 100644
--- a/rules/default/security/hygiene/localhost.json
+++ b/rules/default/security/hygiene/localhost.json
@@ -7,6 +7,7 @@
 "tags": [
 "Hygiene.Network.AccessingLocalhost"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS162092.md",
 "patterns": [
diff --git a/rules/default/security/hygiene/todo.json b/rules/default/security/hygiene/todo.json
index 3c98befd..37590122 100644
--- a/rules/default/security/hygiene/todo.json
+++ b/rules/default/security/hygiene/todo.json
@@ -7,6 +7,7 @@
 "tags": [
 "Hygiene.Comment.Suspicious"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS176209.md",
 "patterns": [
diff --git a/rules/default/security/manualreview/dynamiccode.json b/rules/default/security/manualreview/dynamiccode.json
index a762a852..207e094b 100644
--- a/rules/default/security/manualreview/dynamiccode.json
+++ b/rules/default/security/manualreview/dynamiccode.json
@@ -16,6 +16,7 @@
 "TypeScript.DangerousFunctionCall",
 "PHP.DangerousFunctionCall"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS189424.md",
 "patterns": [
@@ -46,6 +47,7 @@
 "JavaScript.DangerousFunctionCall",
 "TypeScript.DangerousFunctionCall"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS172411.md",
 "patterns": [
@@ -75,6 +77,7 @@
 "tags": [
 "Dotnet.Unsafecode"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS172412.md",
 "patterns": [
diff --git a/rules/default/security/manualreview/zip_slip.json b/rules/default/security/manualreview/zip_slip.json
index e332065e..b067e964 100644
--- a/rules/default/security/manualreview/zip_slip.json
+++ b/rules/default/security/manualreview/zip_slip.json
@@ -11,6 +11,7 @@
 "tags": [
 "DotNet.DangerousFunctionCall"
 ],
+ "confidence": "medium",
 "severity": "ManualReview",
 "rule_info": "DS113854.md",
 "patterns": [
diff --git a/rules/default/security/privacy/device_restrictions.json b/rules/default/security/privacy/device_restrictions.json
index 9fd72f1e..f529e053 100644
--- a/rules/default/security/privacy/device_restrictions.json
+++ b/rules/default/security/privacy/device_restrictions.json
@@ -10,6 +10,7 @@
 "tags": [
 "Implementation.Mobile.iOS.DataProtection.Privacy.UDID"
 ],
+ "confidence": "medium",
 "severity": "important",
 "rule_info": "DS165348.md",
 "patterns": [
diff --git a/rules/default/security/privacy/secrets.json b/rules/default/security/privacy/secrets.json
index 1b2883e1..6ae1a671 100644
--- a/rules/default/security/privacy/secrets.json
+++ b/rules/default/security/privacy/secrets.json
@@ -7,6 +7,7 @@
 "tags": [
 "Implementation.Privacy.Token"
 ],
+ "confidence": "medium",
 "severity": "important",
 "rule_info": "DS173237.md",
 "patterns": [
@@ -50,6 +51,7 @@
 "tags": [
 "Implementation.Privacy.Token"
 ],
+ "confidence": "high",
 "severity": "critical",
 "rule_info": "DS117838.md",
 "patterns": [
diff --git a/rules/default/security/storage/secure_storage.json b/rules/default/security/storage/secure_storage.json
index e64c9f6d..4ce047b9 100644
--- a/rules/default/security/storage/secure_storage.json
+++ b/rules/default/security/storage/secure_storage.json
@@ -11,6 +11,7 @@
 "tags": [
 "Storage.Windows.DPAPI"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS112266.md",
 "patterns": [
@@ -54,6 +55,7 @@
 "tags": [
 "Storage.Apple.iOS.UserDefaults.SensitiveData"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS191340.md",
 "patterns": [
diff --git a/rules/default/security/vulnerable_libraries/microsoft_nuget.json b/rules/default/security/vulnerable_libraries/microsoft_nuget.json
index 06a68500..355d4e05 100644
--- a/rules/default/security/vulnerable_libraries/microsoft_nuget.json
+++ b/rules/default/security/vulnerable_libraries/microsoft_nuget.json
@@ -10,6 +10,7 @@
 "tags": [
 "Vulerable-Dependency.Library.NuGet"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "4021279",
 "patterns": [
@@ -168,6 +169,7 @@
 "tags": [
 "Vulerable-Dependency.Library.NuGet"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "3214296",
 "patterns": [
diff --git a/rules/default/security/xml/external_entities.json b/rules/default/security/xml/external_entities.json
index bcc40633..3f9a05b6 100644
--- a/rules/default/security/xml/external_entities.json
+++ b/rules/default/security/xml/external_entities.json
@@ -10,6 +10,7 @@
 "tags": [
 "Implementation.iOS.XML.DTDEntityResolution"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS132779.md",
 "patterns": [
@@ -57,6 +58,7 @@
 "tags": [
 "Implementation.iOS.XML.DTDEntityResolution"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS132780.md",
 "patterns": [
@@ -100,6 +102,7 @@
 "tags": [
 "Implementation.iOS.XML.DTDEntityResolution"
 ],
+ "confidence": "high",
 "severity": "moderate",
 "rule_info": "DS132790.md",
 "patterns": [
diff --git a/rules/default/security/xml/xslt_scripting.json b/rules/default/security/xml/xslt_scripting.json
index a930e3bd..ba27f6a2 100644
--- a/rules/default/security/xml/xslt_scripting.json
+++ b/rules/default/security/xml/xslt_scripting.json
@@ -10,6 +10,7 @@
 "tags": [
 "XSLT"
 ],
+ "confidence": "high",
 "severity": "ManualReview",
 "rule_info": "DS132781.md",
 "patterns": [
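Review bot: The two NuGet rules that gain `"confidence": "high"` still carry `"rule_info": "4021279"` and `"rule_info": "3214296"`, bare numbers where every other rule in this change points at a `DSxxxxxx.md` guidance file, and their tag is misspelled `Vulerable-Dependency.Library.NuGet`. If the SARIF writer derives a help link or rule description from `rule_info` (it is not visible in these hunks), these rules would now surface in GitHub with severity and precision populated but a dangling reference; I would either point them at a guidance page or record in a `_comment` that these are KB article numbers so the writer can treat them differently. Correcting the tag to `Vulnerable-Dependency.Library.NuGet` is worthwhile, but it needs the same change wherever that tag is filtered on, so it deserves a separate check.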