Enhance sast-rule python/exec/rule-subprocess-popen-shell-true.yml
Problem
Review this customer-suggested enhancement to prune many false positives, as the current version also flags constant string literals:
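# Semgrep rule body for the subprocess/shell=True check. The indentation
# below is reconstructed from the flattened paste in this issue; nesting
# follows the sibling branches whose structure is still visible.
# Intent: report subprocess.$FUNC calls whose command argument is built at
# runtime, and stop reporting calls whose command is a constant string.
patterns:
  # Exclude calls that explicitly disable the shell. Only `shell=False`
  # is written in both the "followed by more arguments" and "last
  # argument" forms; the 0/[]/{}/None values cover the last-argument
  # position only.
  # NOTE(review): if the Semgrep version in use needs the `, ...` form to
  # match a keyword that is not the final argument, the other four values
  # would need that form as well — confirm against the rule's test file.
  - pattern-not: subprocess.$FUNC(..., shell=False, ...)
  - pattern-not: subprocess.$FUNC(..., shell=False)
  - pattern-not: subprocess.$FUNC(..., shell=0)
  - pattern-not: subprocess.$FUNC(..., shell=[])
  - pattern-not: subprocess.$FUNC(..., shell={})
  - pattern-not: subprocess.$FUNC(..., shell=None)
  # Context required for the `subprocess.$FUNC($VAR, ...)` branch below:
  # $VAR must be assigned from a non-constant concatenation, .format(),
  # %-formatting or an f-string, or be a parameter of the enclosing
  # function. Each pattern-not-inside drops the all-literal form of the
  # same expression (e.g. "..." + "...") so it is not reported.
  # NOTE(review): a $VAR assigned from any other source (for example the
  # result of a function call) matches none of these branches, so such a
  # call is no longer reported — a detection gap to weigh against the
  # false positives this prunes; a dedicated branch or taint mode would
  # close it.
  - pattern-either:
      - patterns:
          - pattern-not-inside: |
              ...
              $VAR = "..." + "..."
              ...
          - pattern-inside: |
              ...
              $VAR = "..." + ...
              ...
      - pattern-inside: |
          def $FUNCX(...,$VAR,...):
            ...
      - patterns:
          - pattern-not-inside: |
              ...
              $VAR = "...".format("...")
              ...
          - pattern-inside: |
              ...
              $VAR = "...".format(...)
              ...
      - patterns:
          - pattern-not-inside: |
              ...
              $VAR = "..." % "..."
              ...
          - pattern-inside: |
              ...
              $VAR = "..." % ...
              ...
      - pattern-inside: |
          ...
          $VAR = f"...{$X}..."
          ...
  # Call-site shapes that are reported. Each formatting branch excludes
  # its all-literal counterpart so constant commands stay quiet.
  # Fix: the %-formatting branch now carries the trailing `, ...` like
  # its siblings; without it the pattern only matched a single-argument
  # call, so `subprocess.$FUNC("..." % x, shell=True)` (constructed
  # example) fell through that branch.
  - pattern-either:
      - pattern: subprocess.$FUNC($VAR,...)
      - patterns:
          - pattern: subprocess.$FUNC("...".format(...), ...)
          - pattern-not: subprocess.$FUNC("...".format("..."),...)
      - patterns:
          - pattern: subprocess.$FUNC("..." + ..., ...)
          - pattern-not: subprocess.$FUNC("..." + "...", ...)
      - patterns:
          - pattern: subprocess.$FUNC("..." % ..., ...)
          - pattern-not: subprocess.$FUNC("..." % "...", ...)
      - pattern: subprocess.$FUNC(f"...{$X}...", ...)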
Solution
Follow the enhance rule checklist.