daveshanley / vacuum

vacuum is the world's fastest OpenAPI 3, OpenAPI 2 / Swagger linter and quality analysis tool. Built in Go, it tears through API specs faster than you can think. vacuum is compatible with Spectral rulesets and generates compatible reports.
https://quobix.com/vacuum
MIT License
580 stars 48 forks

owasp linting flags false positives when properties are out of expected sequence #398

Closed bbrink1 closed 9 months ago

bbrink1 commented 9 months ago

The owasp linter expects properties to be in a certain sequence, including leaf limits, otherwise they are flagged as not found. For example, if minLength is not before maxLength, or minLength doesn't exist but maxLength does, the linter doesn't see the properties. There are many other cases too. This can lead to a significant number of false positives.

I'd like to contribute a fix, but need to understand where to make changes in the system.

I'm guessing the issue is the modality of if/then/else in this file: rulesets/owasp_ruleset_functions.go

Yet, I'm not sure how/where to apply a fix.

Where may I see an example of how the owasp ruleset should be applied?

Thank you.

daveshanley commented 9 months ago

@rica-graca Would you be able to chime in?

rica-graca commented 9 months ago

Hello :smiley_cat: Will take a look asap. @daveshanley I will try to explain here afterwards so @bbrink1 can contribute.

daveshanley commented 9 months ago

This has been resolved in v0.7.0, all of the OWASP functions were re-written to use custom logic that does not depend on any kind of ordering.
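To illustrate the ordering dependence the issue describes and the order-independent approach the fix took, here is an added Go example (not vacuum's code): the naive check is an assumed reconstruction of the failure mode, and the type-to-limit table is an assumed subset of the OWASP rules.

```go
package main

import "fmt"

// Property is one key/value pair of a schema object, in document order.
type Property struct {
	Key   string
	Value any
}

// orderDependentMissingMaxLength reproduces the kind of bug the issue describes
// (assumed reconstruction, not vacuum's code): maxLength counts only after minLength.
func orderDependentMissingMaxLength(props []Property) bool {
	seenMin := false
	for _, p := range props {
		if p.Key == "minLength" {
			seenMin = true
		} else if p.Key == "maxLength" && seenMin {
			return false // limit found
		}
	}
	return true // false positive whenever minLength does not precede maxLength
}

// requiredLimit: the upper bound the OWASP rules expect per schema type (assumed subset).
var requiredLimit = map[string]string{
	"string": "maxLength", "array": "maxItems", "integer": "maximum", "number": "maximum",
}

// missingLimit indexes properties by key before checking, so key order and the
// presence of minLength are irrelevant. Returns the expected limit and whether it is missing.
func missingLimit(props []Property) (string, bool) {
	byKey := make(map[string]any, len(props))
	for _, p := range props {
		byKey[p.Key] = p.Value
	}
	typ, _ := byKey["type"].(string)
	want, known := requiredLimit[typ]
	if !known {
		return "", false // no limit rule for this type
	}
	_, present := byKey[want]
	return want, !present
}

func main() {
	// Constructed sample: maxLength present but listed before minLength.
	s := []Property{{"type", "string"}, {"maxLength", 64}, {"minLength", 1}}
	k, missing := missingLimit(s)
	fmt.Println(orderDependentMissingMaxLength(s), k, missing)
}
```

The naive check reports the sample as missing a limit while the map-based check finds maxLength, which is the difference between the pre-0.7.0 behaviour reported above and a check that does not care about key order.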