Fix: refine ios_biometric_acl logic to reduce false positives

Puneet Gillrequested to merge
pgill4/sast-rules-sandbox:fix/ios-biometric-acl-logic into main

What does this MR do?

This MR implements a logic refinement for the ios_biometric_acl rule to address significant false-positive regressions. The previous implementation used a broad keyword search for biometric flags (e.g., .biometryAny, .userPresence), which incorrectly flagged standalone informational checks—such as checking if biometrics are available on a device (if context.biometryType == .biometryAny).

Changes include:

  • Semantic API Targeting: The rule now specifically targets the usage of these flags within the SecAccessControlCreateWithFlags function call, where the security risk actually resides.
  • Variable & Array Propagation: Added patterns to detect insecure flags even when they are assigned to local variables or wrapped in array literals (OptionSets) before being passed to the API.
  • Logic Correction: Transitioned from a simple "OR" match on keywords to an "AND" match requiring the flags to be used as functional arguments.

What are the relevant issue numbers?

  • Addresses logic regression in existing rule where standalone LAContext checks were being incorrectly flagged.

Does this MR meet the acceptance criteria?

  • The test cases cover both positive and negative cases and have appropriate Semgrep annotations:
    • For positive cases: // ruleid: rules_lgpl_swift_other_rule-ios-biometric-acl
    • For negative cases: // ok: rules_lgpl_swift_other_rule-ios-biometric-acl
  • Prefer ($X.servlet.http.HttpServletResponse $RESP).addCookie($C) over $RESPONSE.addCookie($C) to avoid False-Positives.
  • Following metadata fields exist for the rule(s) added/updated in this MR:
    • owasp: with both 2017 and 2021 mappings
    • shortDescription: "Authentication bypass by primary weakness"
    • security-severity: Critical
    • pattern: use multi-line patterns (with |) only when the actual search patterns spans more than a single line
  • The message contains a secure code example and no insecure ones.
  • The rule is placed in the correct rules/ subfolder based on its license, refering to the internal guidance.
  • Relevant labels including workflow labels are appropriately selected.
  • The MR is freshly rebased with main.

Merge request reports