Closed salecharohit closed 3 years ago
I like the idea (and Semgrep), we can also add Semgrep index to track and help find all Semgrep rules. I have another questions:
I see that there are some pre-written rules: https://semgrep.live/packs so I feel that it will be better to just link to this rules
I like the idea (and Semgrep), we can also add Semgrep index to track and help find all Semgrep rules. I have another questions:
- Does Semgrep have default\good rules? I want to avoid to have rules in 2 places, if Semgrep has place with rules I would rather prefer to link to them.
> Yes Semgrep has an entire public registry of rules but there maybe instances where we may require to add a few more. So I'll be adding the new rules in the Semgrep registry itself and then link it up here by referencing the code snippets provided in the cheatsheet series.
- Do you have contact to someone from Semgrep project to help us with review?
> Not sure if we can add them to this conversation.
I see that there are some pre-written rules: https://semgrep.live/packs so I feel that it will be better to just link to this rules
Yep Thats true but there maybe instances where we may require to build new rules. For Ex: https://semgrep.live/salecharohit:xxe here I've written a ruleset to identify for DocumentBuilder class whereas in the default semgrep registry they've provided only string search for XMLInputFactory. So my idea is to create Semgrep rules as per the OWASP cheatsheet series
Hmm what about creating new pack (inside semgrep.live/packs) with rules for OWASP cheatsheet series and link to them - that way it will be easier to use and find them. I just try to avoid having 2 sets of similar content in 2 different places but I like the idea!
Hmm what about creating new pack (inside semgrep.live/packs) with rules for OWASP cheatsheet series and link to them - that way it will be easier to use and find them. I just try to avoid having 2 sets of similar content in 2 different places but I like the idea!
Yep that's exactly how i wanted to make.
Only if i can get approval for the same I can start creating packs and make PRs
Naming convention would be
owasp.
I like it and I will be happy to help with this work. @jmanico do you have more questions or any concerns around it?
While SemGrep is the future of static analysis, keep in mind there are many security areas like business logic and workflows where static analysis is not effective. As long as we are not selling it as a way to discover all security issues I think it’s a great idea!
-- Jim Manico @Manicode
On Jul 29, 2020, at 7:28 AM, mackowski notifications@github.com wrote:
I like it and I will be happy to help with this work. @jmanico do you have more questions or any concerns around it?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
While SemGrep is the future of static analysis, keep in mind there are many security areas like business logic and workflows where static analysis is not effective. As long as we are not selling it as a way to discover all security issues I think it’s a great idea! … -- Jim Manico @manicode On Jul 29, 2020, at 7:28 AM, mackowski @.***> wrote: I like it and I will be happy to help with this work. @jmanico do you have more questions or any concerns around it? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
Surely. Semgrep and i guess most static analysers cannot detect Business logic issues and workflows. My idea is just to highlight some of the best ways we can write creative rules and what better context than the OWASP cheatseries.
I think this is a great idea, Rohit!
On 7/29/20 11:40 AM, Rohit Salecha wrote:
While SemGrep is the future of static analysis, keep in mind there are many security areas like business logic and workflows where static analysis is not effective. As long as we are not selling it as a way to discover all security issues I think it’s a great idea! … <#> -- Jim Manico @manicode <https://github.com/manicode> On Jul 29, 2020, at 7:28 AM, mackowski /*@*/.***> wrote: I like it and I will be happy to help with this work. @jmanico <https://github.com/jmanico> do you have more questions or any concerns around it? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
Surely. Semgrep and i guess most static analysers cannot detect Business logic issues and workflows. My idea is just to highlight some of the best ways we can write creative rules and what better context than the OWASP cheatseries.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/OWASP/CheatSheetSeries/issues/457#issuecomment-665740112, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEBYCLOKVYNPMDGUFH5T4LR6A7F7ANCNFSM4PLJ4KXQ.
Shall I start working on creating the rules and send individual PRs then ?
BRING THE HEAT ROHIT BRING THE HEAT!
That is a yes.
On 7/29/20 11:42 AM, Rohit Salecha wrote:
Shall I start working on creating the rules and send individual PRs then ?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/OWASP/CheatSheetSeries/issues/457#issuecomment-665741195, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEBYCNKREBGER4YUUV32GTR6A7M5ANCNFSM4PLJ4KXQ.
@salecharohit I assigned this issue to you and changed status. Let us know if you need any help. Cheers!
Just an update for everyone that Semgrep folks have created a separate folder for all OWASP related rules. My first rule on java/ssrf has been published. So going forward please PR into this directory depending on the language you want. https://github.com/returntocorp/semgrep-rules/tree/develop/contrib/owasp
There is also a dedicated channel in Semgrep slack to discuss rules for OWASP Cheatsheet series and ASVS https://app.slack.com/client/TKABHD886/owasp
Also while speaking with Semgrep folks they introduced me to an interesting project on the same lines as what i've suggested here. Details availible here https://github.com/semgrep/rules-owasp-asvs
Good work. Is there a rule pack for these new OWASP rules?
Good work. Is there a rule pack for these new OWASP rules?
All OWASP Cheatseries related rules wil bel aggregated here https://github.com/returntocorp/semgrep-rules/tree/develop/contrib/owasp/java
I am closing this issue. Please feel free to create more PRs with Semgrep Rules! Thank you for your contribution @salecharohit
What is missing or needs to be updated?
Cheatsheet series contain plenty of code snippets which either highlight good practice or a sample vulnerable code. For Ex: This XXE code snippet very well highlights the idea of using the setFeature function whenever instantiating a DocumentBuilderFactory class. At times developers can miss out on these best practices due to many reasons Is there any way in which we can enforce these best practices or help them identify vulnerable code snippets by making using of a lightweight utility that allows them to write their own rules?
How should this be resolved?
Semgrep is an opensource tool for scanning source code supporting various languages like Java,Python,Javascript,Go,C etc ... The beauty of Semgrep is that allows the developers to write their own rules where they can enforce the security best practices or identify vulnerable code snippets. Its fast,sleek and easy to use. As an example , for the above XXE DocumentBuilderFactory code the below Semgrep rule can easily identify whether a DocumentBuilderFactory has been instantiated WITHOUT calling the setFeature function.
You can also try this rule live here https://semgrep.live/salecharohit:xxe
What i wish to propose is to inject Semgrep rules in the Cheatsheet series where developers can simply copy/clone/fork the rules provided at the particular topic and reuse them. For Ex: at the same XXE cheatsheet while discussing on best practices for DocumentBuilderFactory I can add a Semgrep rule or a URL of the semgrep.live editor or maybe both which the reader can then reuse in his/her code base or Semgrep rules. Please Note : Every Cheatsheet may require multiple updates.