chore: removed ScoreParameters, Category and RuleType are now fields of Rule (#356)

<!--
Thanks for contributing to 2ms by offering a pull request.
-->

Closes #

**Proposed Changes**

<!--
Please describe the big picture of your changes here. If it fixes a bug
or resolves a feature request, be sure to link to that issue.
-->

**Checklist**

- [ ] I covered my changes with tests.
- [ ] I Updated the documentation that is affected by my changes:
  - [ ] Change in the CLI arguments
  - [ ] Change in the configuration file

I submit this contribution under the Apache-2.0 license.

Author: cx-diogo-rocha

README.md

@@ -362,9 +362,8 @@ Other fields are optional and can be seen in the example bellow of a file with a
   severity: High # severity, can only be one of [Critical, High, Medium, Low, Info]
   tags: # identifiers for the rule, tags can be used as values of --rule and --ignore-rule flags
     - api-key
-  scoreParameters: # scoreParameters can be omitted for overrides, in which case the respective default rule scoreParameters will be considered
-    category: General # category of the rule, should be a string of type ruledefine.RuleCategory. Impacts cvss score
-    ruleType: 4 # can go from 4 to 0, 4 being most severe. For overrides, if Category is defined, ruleType also needs to be defined, or otherwise it will be considered 0. Impacts cvss score
+  category: General # category of the rule, should be a string of type ruledefine.RuleCategory. Can be omitted in custom rule, but if omitted and ruleId matches a default rule, the category will take the value of the category of that defaultRule. Impacts cvss score
+  scoreRuleType: 4 # can go from 1 to 4, 4 being most severe. If omitted in rule it will take the value of 1. Impacts cvss score
   disableValidation: false # if true, disables validity check for this rule, regardless of --validate flag
   deprecated: false # if true, the rule will not be used in the scan, regardless of --rule flag
   allowLists: # allowed values to ignore if matched

cmd/config_test.go

@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -297,11 +298,9 @@ func TestCustomRulesFlag(t *testing.T) {
 					StopWords:      []string{"example", "sample"},
 				},
 			},
-			Tags: []string{"security", "credentials"},
-			ScoreParameters: ruledefine.ScoreParameters{
-				Category: "General",
-				RuleType: 2,
-			},
+			Tags:              []string{"security", "credentials"},
+			Category:          "General",
+			ScoreRuleType:     2,
 			DisableValidation: true,
 			Deprecated:        true,
 		},
@@ -347,6 +346,12 @@ func TestCustomRulesFlag(t *testing.T) {
 			expectedRules:   nil,
 			expectErrors:    []error{errInvalidCustomRulesExtension},
 		},
+		{
+			name:            "Invalid rule type",
+			customRulesFile: "testData/customRulesInvalidRuleType.json",
+			expectedRules:   nil,
+			expectErrors:    []error{fmt.Errorf("cannot unmarshal number -2 into Go struct field Rule.scoreRuleType of type uint8")},
+		},
 	}
 
 	for _, tt := range tests {

cmd/main_test.go

@@ -83,15 +83,13 @@ func TestPreRun(t *testing.T) {
 			engineConfigVar: engine.EngineConfig{
 				CustomRules: []*ruledefine.Rule{
 					{
-						RuleID:      "db18ccf1-4fbf-49f6-aec1-939a2e5464c0",
-						RuleName:    "mock-rule",
-						Description: "Match passwords",
-						Regex:       "[A-Za-z0-9]{32})",
-						Severity:    "mockSeverity",
-						ScoreParameters: ruledefine.ScoreParameters{
-							Category: "mockCategory",
-							RuleType: 10,
-						},
+						RuleID:        "db18ccf1-4fbf-49f6-aec1-939a2e5464c0",
+						RuleName:      "mock-rule",
+						Description:   "Match passwords",
+						Regex:         "[A-Za-z0-9]{32})",
+						Severity:      "mockSeverity",
+						Category:      "mockCategory",
+						ScoreRuleType: 10,
 					},
 					{
 						RuleID:      "b47a1995-6572-41bb-b01d-d215b43ab089",
@@ -108,7 +106,7 @@ func TestPreRun(t *testing.T) {
 					" mockSeverity not one of ([Critical High Medium Low Info])"),
 				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid category:" +
 					" mockCategory not an acceptable category of type RuleCategory"),
-				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, maximum is 4"),
+				fmt.Errorf("rule#0;RuleID-db18ccf1-4fbf-49f6-aec1-939a2e5464c0: invalid rule type: 10 not an acceptable uint8 value, should be between 1 and 4"),
 			},
 		},
 		{

cmd/testData/customRulesInvalidRuleType.json

@@ -0,0 +1,16 @@
+[
+  {
+    "ruleId": "db18ccf1-4fbf-49f6-aec1-939a2e5464c0",
+    "ruleName": "mock-rule",
+    "description": "Match passwords",
+    "regex": "[A-Za-z0-9]{32}",
+    "keywords": ["password", "pwd"],
+    "entropy": 3.5,
+    "path": "secrets/passwords.txt",
+    "secretGroup": 1,
+    "severity": "High",
+    "tags": ["security", "credentials"],
+    "category": "General",
+    "scoreRuleType": -2
+  }
+]

cmd/testData/customRulesValid.json

@@ -21,10 +21,8 @@
       }
     ],
     "tags": ["security", "credentials"],
-    "scoreParameters": {
-      "category": "General",
-      "ruleType": 2
-    },
+    "category": "General",
+    "scoreRuleType": 2,
     "disableValidation": true,
     "deprecated": true
   },

cmd/testData/customRulesValid.yaml

@@ -25,9 +25,8 @@
   tags:
     - security
     - credentials
-  scoreParameters:
-    category: General
-    ruleType: 2
+  category: General
+  scoreRuleType: 2
   disableValidation: true
   deprecated: true
 

engine/engine.go

@@ -740,7 +740,7 @@ func (e *Engine) addExtrasToSecret(secret *secrets.Secret) {
 	// add general extra data
 	extra.Mtxs.Lock(secret.ID)
 	secret.RuleName = e.rules[secret.RuleID].RuleName
-	secret.RuleCategory = string(e.rules[secret.RuleID].ScoreParameters.Category)
+	secret.RuleCategory = string(e.rules[secret.RuleID].Category)
 	extra.Mtxs.Unlock(secret.ID)
 
 	// add rule specific extra data
@@ -869,20 +869,17 @@ func CheckRulesRequiredFields(rulesToCheck []*ruledefine.Rule) error {
 			}
 		}
 
-		if rule.ScoreParameters.Category != "" {
-			if _, ok := score.CategoryScoreMap[rule.ScoreParameters.Category]; !ok {
-				invalidCategoryError := fmt.Errorf("%w: %s not an acceptable category of type RuleCategory",
-					errInvalidCategory, rule.ScoreParameters.Category)
-				err = errors.Join(err, buildCustomRuleError(i, rule, invalidCategoryError))
-			}
+		_, validCategory := score.CategoryScoreMap[rule.Category]
+		if rule.Category != "" && !validCategory {
+			invalidCategoryError := fmt.Errorf("%w: %s not an acceptable category of type RuleCategory",
+				errInvalidCategory, rule.Category)
+			err = errors.Join(err, buildCustomRuleError(i, rule, invalidCategoryError))
 		}
 
-		if rule.ScoreParameters.RuleType != 0 {
-			if rule.ScoreParameters.RuleType > score.RuleTypeMaxValue {
-				invalidRuleTypeError := fmt.Errorf("%w: %d not an acceptable uint8 value, maximum is %d",
-					errInvalidRuleType, rule.ScoreParameters.RuleType, score.RuleTypeMaxValue)
-				err = errors.Join(err, buildCustomRuleError(i, rule, invalidRuleTypeError))
-			}
+		if rule.ScoreRuleType != 0 && rule.ScoreRuleType > score.RuleTypeMaxValue {
+			invalidRuleTypeError := fmt.Errorf("%w: %d not an acceptable uint8 value, should be between 1 and 4",
+				errInvalidRuleType, rule.ScoreRuleType)
+			err = errors.Join(err, buildCustomRuleError(i, rule, invalidRuleTypeError))
 		}
 	}
 

engine/engine_test.go

@@ -1077,7 +1077,7 @@ func TestProcessSecretsExtras(t *testing.T) {
 					ID:           "mockId",
 					RuleID:       ruledefine.JWT().RuleID,
 					RuleName:     ruledefine.JWT().RuleName,
-					RuleCategory: string(ruledefine.JWT().ScoreParameters.Category),
+					RuleCategory: string(ruledefine.JWT().Category),
 					Value:        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtb2NrU3ViMSIsIm5hbWUiOiJtb2NrTmFtZTEifQ.dummysignature1",
 					ExtraDetails: map[string]interface{}{
 						"secretDetails": map[string]interface{}{
@@ -1090,7 +1090,7 @@ func TestProcessSecretsExtras(t *testing.T) {
 					ID:           "mockId2",
 					RuleID:       ruledefine.JWT().RuleID,
 					RuleName:     ruledefine.JWT().RuleName,
-					RuleCategory: string(ruledefine.JWT().ScoreParameters.Category),
+					RuleCategory: string(ruledefine.JWT().Category),
 					Value:        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtb2NrU3ViMiIsIm5hbWUiOiJtb2NrTmFtZTIifQ.dummysignature2",
 					ExtraDetails: map[string]interface{}{
 						"secretDetails": map[string]interface{}{
@@ -1103,7 +1103,7 @@ func TestProcessSecretsExtras(t *testing.T) {
 					ID:           "mockId3",
 					RuleID:       ruledefine.HubSpot().RuleID,
 					RuleName:     ruledefine.HubSpot().RuleName,
-					RuleCategory: string(ruledefine.HubSpot().ScoreParameters.Category),
+					RuleCategory: string(ruledefine.HubSpot().Category),
 					Value:        "mockValue",
 				},
 			},
@@ -1184,7 +1184,8 @@ func TestProcessEvaluationWithValidation(t *testing.T) {
 					RuleName:          ruledefine.GitHubPat().RuleName,
 					Regex:             ruledefine.GitHubPat().Regex,
 					Severity:          ruledefine.GitHubPat().Severity,
-					ScoreParameters:   ruledefine.GitlabPat().ScoreParameters,
+					Category:          ruledefine.GitHubPat().Category,
+					ScoreRuleType:     ruledefine.GitHubPat().ScoreRuleType,
 					DisableValidation: true,
 				},
 			},

engine/rules/ruledefine/1password_secret_key.go

@@ -12,14 +12,15 @@ var onePasswordSecretKeyRegex = regexp.MustCompile(
 func OnePasswordSecretKey() *Rule {
 	// define rule
 	return &Rule{
-		RuleID:          "4068d686-6833-4976-8f4a-5397e75c7fc5",
-		Description:     "Uncovered a possible 1Password secret key, potentially compromising access to secrets in vaults.",
-		RuleName:        "1Password-Secret-Key",
-		Regex:           onePasswordSecretKeyRegex,
-		Entropy:         3.8,
-		Keywords:        []string{"A3-"},
-		Severity:        "High",
-		Tags:            []string{TagPrivateKey},
-		ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4},
+		RuleID:        "4068d686-6833-4976-8f4a-5397e75c7fc5",
+		Description:   "Uncovered a possible 1Password secret key, potentially compromising access to secrets in vaults.",
+		RuleName:      "1Password-Secret-Key",
+		Regex:         onePasswordSecretKeyRegex,
+		Entropy:       3.8,
+		Keywords:      []string{"A3-"},
+		Severity:      "High",
+		Tags:          []string{TagPrivateKey},
+		Category:      CategoryAuthenticationAndAuthorization,
+		ScoreRuleType: 4,
 	}
 }

engine/rules/ruledefine/1password_service_account.go

@@ -10,14 +10,15 @@ var onePasswordServiceAccountTokenRegex = regexp.MustCompile(`ops_eyJ[a-zA-Z0-9+
 func OnePasswordServiceAccountToken() *Rule {
 	// define rule
 	return &Rule{
-		RuleID:          "0ea85582-ea27-4f6f-b5f0-db3c4a75a07e",
-		RuleName:        "1Password-Service-Account-Token",
-		Description:     "Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults.",
-		Regex:           onePasswordServiceAccountTokenRegex,
-		Entropy:         4,
-		Keywords:        []string{"ops_"},
-		Severity:        "High",
-		Tags:            []string{TagAccessToken},
-		ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4},
+		RuleID:        "0ea85582-ea27-4f6f-b5f0-db3c4a75a07e",
+		RuleName:      "1Password-Service-Account-Token",
+		Description:   "Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults.",
+		Regex:         onePasswordServiceAccountTokenRegex,
+		Entropy:       4,
+		Keywords:      []string{"ops_"},
+		Severity:      "High",
+		Tags:          []string{TagAccessToken},
+		Category:      CategoryAuthenticationAndAuthorization,
+		ScoreRuleType: 4,
 	}
 }