Limit rule to not apply to rust (#353)

* Limit rule to not apply to rust Fix #352 * Add rust rules for insecure random
microsoft · Jan 10, 2022 · ff2f8fb · ff2f8fb
1 parent 3314822
commit ff2f8fb
Showing 1 changed file with 72 additions and 12 deletions.
diff --git a/rules/default/security/cryptography/random.json b/rules/default/security/cryptography/random.json
@@ -7,16 +7,19 @@
         "tags": [
             "Cryptography.PRNG.Weak"
         ],
+        "language": [
+            "c",
+            "cpp",
+            "csharp",
+            "python",
+            "php",
+            "java",
+            "javascript",
+            "typescript"
+        ],
         "severity": "important",
         "rule_info": "DS148264.md",
         "patterns": [
-            {
-                "pattern": "DUAL_EC_DRBG",
-                "type": "string",
-                "scopes": [
-                    "code"
-                ]
-            },
             {
                 "pattern": "pseudoRandomBytes",
                 "type": "string",
@@ -67,32 +70,89 @@
                 ]
             },
             {
-                "pattern": "(32969|18273)",
+                "pattern": "System.Random",
+                "type": "string",
+                "scopes": [
+                    "code"
+                ]
+            },
+            {
+                "pattern": "\\bRandom\\(",
                 "type": "regex-word",
                 "scopes": [
                     "code"
                 ]
             },
             {
-                "pattern": "System.Random",
+                "pattern": "arc4random",
+                "type": "string",
+                "scopes": [
+                    "code"
+                ]
+            }
+        ]
+    },
+    {
+        "name": "Do not use weak/non-cryptographic random number generators",
+        "id": "DS148264",
+        "description": "Use cryptographic random numbers generators for anything even close to a security function.",
+        "recommendation": "Use the Rust Rand crate.",
+        "tags": [
+            "Cryptography.PRNG.Weak"
+        ],
+        "language": [
+            "rust"
+        ],
+        "severity": "important",
+        "rule_info": "DS148264.md",
+        "patterns": [
+            {
+                "pattern": "seed_from_u64",
                 "type": "string",
                 "scopes": [
                     "code"
                 ]
             },
             {
-                "pattern": "\\bRandom\\(",
-                "type": "regex-word",
+                "pattern": "fastrand",
+                "type": "string",
                 "scopes": [
                     "code"
                 ]
             },
             {
-                "pattern": "arc4random",
+                "pattern": "oorandom",
+                "type": "string",
+                "scopes": [
+                    "code"
+                ]
+            }
+        ]
+    },
+    {
+        "name": "Do not use weak/non-cryptographic random number generators",
+        "id": "DS148264",
+        "description": "Use cryptographic random numbers generators for anything even close to a security function.",
+        "recommendation": "Replacements depend on language.",
+        "tags": [
+            "Cryptography.PRNG.Weak"
+        ],
+        "severity": "important",
+        "rule_info": "DS148264.md",
+        "patterns": [
+            {
+                "pattern": "DUAL_EC_DRBG",
                 "type": "string",
                 "scopes": [
                     "code"
                 ]
+            },
+            {
+                "pattern": "(32969|18273)",
+                "type": "regex-word",
+                "scopes": [
+                    "code"
+                ]
             }
         ]
     },