
Annotate param for Java path traversal rule

Julian Thome requested to merge julianthome/annotated-param into main

What does this MR do?

After the recent improvements for the JavaBenchmark work, more sources and sinks were added to the path traversal rules for Java. However, the source fragment below, in combination with the newly added sinks, causes the number of findings to spike, and many of the findings are not legitimate -- 402/427 new findings.

  - patterns:
    - pattern-inside:
        $FUNC(..., String $X, ...) { ... }
    - focus-metavariable: $X

This discussion thread includes more details.

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

  • The test cases cover both positive and negative cases and have appropriate Semgrep annotations:
    • For positive cases: // ruleid: ...
    • For negative cases: // ok: ...
  • Prefer ($X.servlet.http.HttpServletResponse $RESP).addCookie($C) over $RESPONSE.addCookie($C) to avoid False-Positives.
  • The following metadata fields exist for the rule(s) added/updated in this MR:
    • owasp: with both 2017 and 2021 mappings
    • shortDescription: e.g. "Use of a broken or risky cryptographic algorithm" NOT "Use of a Broken or Risky Cryptographic Algorithm"
    • security-severity: one of Info, Low, Medium, High or Critical
    • pattern: use multi-line patterns (with |) only when the actual search pattern spans more than a single line
  • The message contains a secure code example and no insecure ones.
  • The rule is placed in the correct rules/ subfolder based on its license, referring to the internal guidance.
  • Relevant labels including workflow labels are appropriately selected.
  • The MR is freshly rebased with main.
Edited by Julian Thome
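As an added illustration (not code from this MR or from the rule repository) of why the source fragment quoted above over-matches: `$FUNC(..., String $X, ...) { ... }` with `focus-metavariable: $X` treats every `String` parameter of every method as tainted, regardless of where the caller's value comes from. The servlet handler below really does read attacker input, while the private helper only ever receives a compile-time constant, yet with that source both `File` constructions are reported. The rule id `java-path-traversal` and the `// ruleid:` / `// ok:` lines are assumptions about the intended behaviour, written in the test-annotation style the checklist above describes; they are not the rule's actual id or test file.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical test case for a Java path traversal rule (example only).
public class ReportServlet extends HttpServlet {

    private static final File BASE = new File("/var/app/reports");

    // Genuine finding: "name" is taken straight from the query string and
    // reaches a File constructor without any normalisation or allow-list check.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String name = req.getParameter("name");
        // ruleid: java-path-traversal
        File report = new File(BASE, name);
        resp.getWriter().println(report.exists());
    }

    // Also matched by `$FUNC(..., String $X, ...) { ... }` because it has a
    // String parameter, although its only caller passes a constant. Treating
    // every String parameter as a source makes this a false positive; a source
    // definition tied to how the value enters the application would not.
    private static File internalLog(String suffix) {
        // ok: java-path-traversal
        return new File(BASE, suffix);
    }

    void rotate() {
        // The constant below is the only value `internalLog` ever receives.
        internalLog("daily.log");
    }
}
```

Running the real rule against a file like this (via `semgrep --test`) makes the over-match concrete: with the broad parameter source, the `// ok:` line in `internalLog` shows up as an unexpected finding, which is the same shape as the 402 of 427 new findings the description reports.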
