mrheinen / lophiid

A distributed honeypot for monitoring large scale web attacks
GNU General Public License v2.0

Add F5 Big-IP rule #63

Closed mrheinen closed 1 week ago

mrheinen commented 1 week ago

User description

Add Big-IP pages for version 17, which has CVEs


PR Type

Enhancement, Documentation


Description


Changes walkthrough

Relevant files

Enhancement: rules/Big-IP-17.0.0-0.0.22.yaml (+358/-0)
Add F5 Big-IP 17 rules with CVEs
  • Added new file for F5 Big-IP version 17.0.0-0.0.22
  • Included rules for CVE-2024-41723, CVE-2024-27202, and CVE-2024-45844


codiumai-pr-agent-pro[bot] commented 1 week ago

PR Reviewer Guide

Here are some key observations to aid the review process:

Estimated effort to review: 2 (of 5)
No relevant tests
No security concerns identified
Recommended focus areas for review:

Content Verification
Verify that the new YAML file contains accurate and complete rules for the three mentioned CVEs (CVE-2024-41723, CVE-2024-27202, CVE-2024-45844) for F5 Big-IP version 17.

File Naming Convention
Ensure that the file naming convention follows the established pattern for other Big-IP version files in the repository.

YAML Structure
Check that the YAML structure in the new file is consistent with other similar files in the repository, including proper indentation and key-value pairs.

github-actions[bot] commented 1 week ago

Failed to generate code suggestions for PR

codiumai-pr-agent-pro[bot] commented 1 week ago

PR Code Suggestions

Explore these optional code suggestions:

Security

Strengthen the Content-Security-Policy header to enhance protection against XSS attacks

Consider using a more specific Content-Security-Policy header. The current policy allows 'unsafe-inline' and 'unsafe-eval', which can potentially expose the application to XSS attacks. If possible, remove these directives and use nonces or hashes for inline scripts and styles.

[rules/Big-IP-17.0.0-0.0.22.yaml [197]](https://github.com/mrheinen/lophiid/pull/63/files#diff-b498a9070f6ad5f0745fcf5536748b402c00c716f2e007aee416480442e46411R197-R197)

```diff
-- 'Content-Security-Policy: default-src ''self'' ''unsafe-inline'' ''unsafe-eval'' data: blob:; img-src ''self'' data: http://127.4.1.1 http://127.4.2.1'
+- 'Content-Security-Policy: default-src ''self''; script-src ''self''; style-src ''self''; img-src ''self'' data: http://127.4.1.1 http://127.4.2.1; object-src ''none'''
```
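Review bot: the headers in rules/Big-IP-17.0.0-0.0.22.yaml are what the honeypot returns while posing as an F5 Big-IP 17 appliance (see the repository description and the PR title), so tightening this Content-Security-Policy hardens nothing real and makes the emulated response diverge from the product it imitates. Unless a real Big-IP 17 sends the proposed value, keep line 197 as submitted; the check worth doing is whether the value matches what the appliance actually sends.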
Suggestion importance [1-10]: 9. Why: This suggestion addresses a critical security issue by proposing a more restrictive Content-Security-Policy. Removing 'unsafe-inline' and 'unsafe-eval' significantly reduces the risk of XSS attacks, which is a high-priority security concern.

Enhance protection against clickjacking by using CSP frame-ancestors directive

The 'X-Frame-Options' header is set to 'SAMEORIGIN', which is good. However, for even better protection against clickjacking attacks, consider using the 'frame-ancestors' directive in the Content-Security-Policy header instead, as it provides more granular control.

[rules/Big-IP-17.0.0-0.0.22.yaml [217]](https://github.com/mrheinen/lophiid/pull/63/files#diff-b498a9070f6ad5f0745fcf5536748b402c00c716f2e007aee416480442e46411R217-R217)

```diff
-- 'X-Frame-Options: SAMEORIGIN'
+- 'Content-Security-Policy: frame-ancestors ''self'';'
```
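Review bot: this replaces X-Frame-Options with a second Content-Security-Policy header, while the same rule already carries a Content-Security-Policy at line 197; if frame-ancestors were wanted it belongs in that existing policy, not in a separate header. It is also not wanted here: the honeypot should send whatever the real appliance sends, and 'X-Frame-Options: SAMEORIGIN' at line 217 is part of the fingerprint being reproduced.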
Suggestion importance [1-10]: 8. Why: This suggestion offers improved protection against clickjacking attacks by using a more modern and flexible approach. The CSP frame-ancestors directive provides better control and is considered a best practice for preventing clickjacking.

Enhance HTTPS enforcement by adding the 'preload' directive to the HSTS header

The 'Strict-Transport-Security' header is good, but you could enhance it by adding the 'preload' directive. This would instruct browsers to always use HTTPS for your domain, providing additional security.

[rules/Big-IP-17.0.0-0.0.22.yaml [195]](https://github.com/mrheinen/lophiid/pull/63/files#diff-b498a9070f6ad5f0745fcf5536748b402c00c716f2e007aee416480442e46411R195-R195)

```diff
-- 'Strict-Transport-Security: max-age=16070400; includeSubDomains'
+- 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'
```
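Review bot: the preload directive does nothing on its own; it only matters once the domain is submitted to the browser preload list, and the raised max-age of 31536000 is the one-year minimum that list requires, so this is more than an additive tweak. For a honeypot rule the Strict-Transport-Security value at line 195 should stay whatever the emulated Big-IP sends (max-age=16070400 as submitted) rather than the strongest available setting.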
Suggestion importance [1-10]: 7. Why: Adding the 'preload' directive to the HSTS header provides an additional layer of security by ensuring HTTPS is always used. While the existing header is good, this enhancement further strengthens the security posture.

Performance

Optimize caching strategy for static assets to improve performance

The 'Cache-Control' header is set to 'no-store' for HTML content, which is good for sensitive data. However, for static assets like images, consider allowing caching to improve performance. You could use 'Cache-Control: public, max-age=3600' for the logo image.

[rules/Big-IP-17.0.0-0.0.22.yaml [221]](https://github.com/mrheinen/lophiid/pull/63/files#diff-b498a9070f6ad5f0745fcf5536748b402c00c716f2e007aee416480442e46411R221-R221)

```diff
-- 'Cache-Control: max-age=18000, no-store'
+- 'Cache-Control: public, max-age=3600'
```
Suggestion importance [1-10]: 6. Why: This suggestion offers a good balance between security and performance. While it's not as critical as security fixes, optimizing cache settings for static assets can noticeably improve load times and user experience.
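As an added example (not code from lophiid or from the PR-Agent suggestions), this Python script parses the Content-Security-Policy values quoted in the suggestion diff above, resolving the default-src fallback that explains why the proposed policy spells out script-src and style-src, and checking for frame-ancestors, the CSP counterpart of the X-Frame-Options suggestion. The names header_from_rule, parse_csp and audit_csp are chosen here; CURRENT_RULE is line 197 of the rule file as the '-' side of the diff shows it.

```python
# Added example, not lophiid's own code: audit CSP header values taken from
# the suggestion diff above (YAML single-quoted form, where '' escapes a quote).

# Fetch directives that inherit default-src when absent (subset of the CSP3 list).
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "object-src")
# Source keywords a reviewer flags, per directive.
RISKY_KEYWORDS = {"script-src": ("'unsafe-inline'", "'unsafe-eval'"),
                  "style-src": ("'unsafe-inline'",)}


def header_from_rule(yaml_scalar):
    """Split a single-quoted YAML scalar of the form 'Name: value' (as used in
    the rule file) into (name, value), unescaping YAML's '' to '."""
    text = yaml_scalar.strip()
    if text.startswith("'") and text.endswith("'"):
        text = text[1:-1].replace("''", "'")
    name, _, value = text.partition(": ")
    return name, value


def parse_csp(value):
    """Map each CSP directive to its list of source expressions."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Resolve a directive, applying the default-src fallback for fetch directives."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_DIRECTIVES else []


def audit_csp(value):
    """Return the findings a reviewer would raise against one CSP header value."""
    policy = parse_csp(value)
    findings = []
    for directive, keywords in RISKY_KEYWORDS.items():
        sources = effective_sources(policy, directive)
        where = directive if directive in policy else directive + " (via default-src)"
        findings += [where + " allows " + k for k in keywords if k in sources]
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors; framing relies on X-Frame-Options")
    return findings


# Line 197 of the rule file as the '-' side of the diff shows it (copied verbatim).
CURRENT_RULE = ("'Content-Security-Policy: default-src ''self'' ''unsafe-inline'' "
                "''unsafe-eval'' data: blob:; img-src ''self'' data: http://127.4.1.1 http://127.4.2.1'")
```

Run against the honeypot's rule file, the findings describe what the emulated appliance advertises to a browser, not a weakness in lophiid itself.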