diff --git a/integration-tests/init-with-token/expected/tools-configs/semgrep.yaml b/integration-tests/init-with-token/expected/tools-configs/semgrep.yaml
index f7fdd3f9..9ae36146 100644
--- a/integration-tests/init-with-token/expected/tools-configs/semgrep.yaml
+++ b/integration-tests/init-with-token/expected/tools-configs/semgrep.yaml
@@ -1,30 +1,4 @@
 rules: - - id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match - languages: - - apex - message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone. - metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-540: Inclusion of Sensitive Information in Source Code' - impact: HIGH - likelihood: LOW - references: - - https://cwe.mitre.org/data/definitions/540.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - mode: taint - pattern-sinks: - - patterns: - - pattern: req.setHeader($X, ...); - - focus-metavariable: $X - pattern-sources: - - pattern: '...String $X = ''Authorization'';' - severity: ERROR - id: clojure.lang.security.use-of-md5.use-of-md5 languages: - clojure
diff --git a/integration-tests/init-without-token/expected/tools-configs/semgrep.yaml b/integration-tests/init-without-token/expected/tools-configs/semgrep.yaml
index 2c2eccc1..57321757 100644
--- a/integration-tests/init-without-token/expected/tools-configs/semgrep.yaml
+++ b/integration-tests/init-without-token/expected/tools-configs/semgrep.yaml
@@ -1,279 +1,4 @@
 rules: - - id: apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor - languages: - - apex - message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.' - metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-352: Cross-Site Request Forgery (CSRF)' - cwe2020-top25': true - cwe2021-top25': true - cwe2022-top25': true - impact: HIGH - likelihood: MEDIUM - owasp: - - A01:2021 - Broken Access Control - references: - - https://cwe.mitre.org/data/definitions/352.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - paths: - exclude: - - '*Test*' - - '*test*' - patterns: - - pattern-either: - - pattern-inside: public class $CLASSNAME {...} - - pattern-inside: private class $CLASSNAME {...} - - pattern-inside: public $SOME sharing class $CLASSNAME {...} - - pattern-inside: private $SOME sharing class $CLASSNAME {...} - - pattern-either: - - pattern-inside: public $CLASSNAME() {...} - - pattern-inside: private $CLASSNAME() {...} - - pattern-either: - - pattern: | - insert $DATA; - - pattern: | - update $DATA; - - pattern: | - upsert $DATA; - - pattern: | - delete $DATA; - severity: ERROR - - id: apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor - languages: - - generic - message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.'
- metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-352: Cross-Site Request Forgery (CSRF)' - cwe2020-top25': true - cwe2021-top25': true - cwe2022-top25': true - impact: HIGH - likelihood: MEDIUM - owasp: - - A01:2021 - Broken Access Control - references: - - https://cwe.mitre.org/data/definitions/352.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - paths: - exclude: - - '*Test*' - - '*test*' - patterns: - - pattern-inside: static {...} - - pattern-either: - - pattern: | - insert $DATA; - - pattern: | - update $DATA; - - pattern: | - upsert $DATA; - - pattern: | - delete $DATA; - severity: ERROR - - id: apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request - languages: - - apex - message: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. - metadata: - category: security - confidence: MEDIUM - cwe: - - 'CWE-319: Cleartext Transmission of Sensitive Information' - impact: MEDIUM - likelihood: LOW - references: - - https://cwe.mitre.org/data/definitions/319.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - paths: - exclude: - - '*Test*' - - '*test*' - patterns: - - pattern-regex: http[:][/][/] - - pattern-not-regex: //.* - - pattern-not-regex: '[*].*' - severity: ERROR - - id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match - languages: - - apex - message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. 
Using different credentials for different environments is troublesome and error-prone. - metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-540: Inclusion of Sensitive Information in Source Code' - impact: HIGH - likelihood: LOW - references: - - https://cwe.mitre.org/data/definitions/540.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - mode: taint - pattern-sinks: - - patterns: - - pattern: req.setHeader($X, ...); - - focus-metavariable: $X - pattern-sources: - - pattern: '...String $X = ''Authorization'';' - severity: ERROR - - id: apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match - languages: - - apex - message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone. - metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-540: Inclusion of Sensitive Information in Source Code' - impact: HIGH - likelihood: LOW - references: - - https://cwe.mitre.org/data/definitions/540.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - pattern: $REQUEST.setHeader('Authorization', $AUTHSTRING); - severity: ERROR - - id: apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param - languages: - - apex - message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. 
SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands. - metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' - impact: HIGH - likelihood: HIGH - owasp: - - A03:2021 - Injection - references: - - https://cwe.mitre.org/data/definitions/943.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - mode: taint - pattern-sanitizers: - - pattern: String.escapeSingleQuotes(...) - pattern-sinks: - - patterns: - - pattern: Database.query($SINK,...); - - focus-metavariable: $SINK - pattern-sources: - - by-side-effect: true - pattern: ApexPage.getCurrentPage().getParameters.get($URLPARAM); - severity: ERROR - - id: apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param - languages: - - apex - message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands. 
- metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' - impact: HIGH - likelihood: HIGH - owasp: - - A03:2021 - Injection - references: - - https://cwe.mitre.org/data/definitions/943.html - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - mode: taint - pattern-sanitizers: - - pattern-either: - - pattern: String.escapeSingleQuotes($P) - - pattern: Database.query(<... String.escapeSingleQuotes($P) ...>) - pattern-sinks: - - pattern: Database.query(<... $P ...>) - pattern-sources: - - by-side-effect: true - patterns: - - pattern: $M(...,String $P,...) { ... } - - focus-metavariable: $P - severity: ERROR - - id: apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level - languages: - - apex - message: Every Apex class should have an explicit sharing mode declared. Use the `with sharing` or `without sharing` keywords on a class to specify whether sharing rules must be enforced. Use the `inherited sharing` keyword on an Apex class to run the class in the sharing mode of the class that called it. 
- metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-284: Improper Access Control' - impact: MEDIUM - likelihood: MEDIUM - owasp: - - A04:2021 - Insecure Design - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm - - https://cwe.mitre.org/data/definitions/284.html - - https://owasp.org/Top10/A04_2021-Insecure_Design/ - subcategory: - - vuln - technology: - - salesforce - min-version: 1.44.0 - patterns: - - pattern-regex: (private|public|global).*\s(class)\s.*[{] - - pattern-not-regex: (private|public|global).*[with|without|inherited]\s[sharing].*\s(class)\s.*[{] - - pattern-not-regex: (private|public|global).*\s(class)\s.*(extends)\s(Exception).*[{] - severity: WARNING - - id: apex.lang.security.ncino.system.systemdebug.system-debug - languages: - - apex - message: In addition to debug statements potentially logging data excessively, debug statements also contribute to longer transactions and consume Apex CPU time even when debug logs are not being captured. - metadata: - category: security - confidence: HIGH - cwe: - - 'CWE-489: Active Debug Code' - - 'CWE-779: Logging of Excessive Data' - impact: MEDIUM - likelihood: LOW - references: - - https://cwe.mitre.org/data/definitions/489.html - - https://cwe.mitre.org/data/definitions/779.html - subcategory: - - vuln - technology: - - vuln - min-version: 1.44.0 - paths: - exclude: - - '*Test*' - - '*test*' - pattern: System.debug(...) - severity: WARNING - id: bash.curl.security.curl-eval.curl-eval languages: - bash
diff --git a/plugins/tools/semgrep/embedded/rules.yaml b/plugins/tools/semgrep/embedded/rules.yaml
index 2cda3d97..505a9964 100644
--- a/plugins/tools/semgrep/embedded/rules.yaml
+++ b/plugins/tools/semgrep/embedded/rules.yaml
@@ -363,615 +363,6 @@ rules:
 - genAI - LLMs confidence: LOW -- id: apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers - min-version: 1.44.0 - severity: WARNING - languages: - - apex - metadata: - cwe: - - 'CWE-284: Improper Access Control' - category: best-practice - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/284.html - message: >- - Global classes, methods, and variables should be avoided (especially in managed packages) as they can - never be deleted or changed in signature. Always check twice if something needs to be global. - patterns: - - pattern-regex: global [A-Za-z0-9_]{3,} - - pattern-not-regex: //(\s+([a-zA-Z]+\s+)+)[a-zA-Z]+ - - pattern-not-regex: '[*](\s+([a-zA-Z]+\s+)+)[a-zA-Z]+' - paths: - exclude: - - "*Test*" - - "*test*" -- id: apex.lang.best-practice.ncino.tests.useassertclass.use-assert-class - min-version: 1.44.0 - severity: WARNING - languages: - - generic - metadata: - category: best-practice - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_class_System_Assert.htm - technology: - - salesforce - message: >- - Assert methods in the System class have been replaced with the Assert class: - https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_class_System_Assert.htm - pattern-regex: System\.assert - paths: - include: - - "*.cls" - - "UseAssertClass.cls" -- id: apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls - min-version: 1.44.0 - severity: WARNING - languages: - - apex - metadata: - category: best-practice - references: - - '' - technology: - - salesforce - message: >- - Using absolute URLs to Salesforce Pages is bug prone. Different sandboxes and production - environments will have different instance names (like "na10", "na15" etc.). Code using - absolute URLs will only work when it runs in the corresponding salesforce instances.
It - will break as soon as it is deployed in another one. Thus only relative URLs, i.e. without - the domain and subdomain names, should be used when pointing to a salesforce page. - pattern-regex: (http|https)://.*(salesforce|force|visualforce)\.com\.* - paths: - exclude: - - "*Test*" - - "*test*" -- id: apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops - min-version: 1.44.0 - severity: ERROR - languages: - - generic - metadata: - category: performance - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm - technology: - - salesforce - message: >- - Avoid DML statements inside loops to avoid hitting the DML governor limit. - Instead, try to batch up the data into a list and invoke your DML once on - that list of data outside the loop. - patterns: - - pattern-either: - - pattern-inside: | - for (...) { - ... - } - - pattern-inside: | - while (...) { - ... - } - - pattern-inside: | - do { - ... - } while (...); - - pattern-either: - - pattern: | - insert $DATA; - - pattern: | - update $DATA; - - pattern: | - upsert $DATA; - - pattern: | - delete $DATA; - - pattern: | - Database.insert($DATA); - - pattern: | - Database.update($DATA); - - pattern: | - Database.upsert($DATA); - - pattern: | - Database.delete($DATA); -- id: apex.lang.performance.ncino.operationsinloops.avoidoperationswithlimitsinloops.avoid-operations-with-limits-in-loops - min-version: 1.44.0 - severity: ERROR - languages: - - generic - metadata: - category: performance - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm - technology: - - salesforce - message: >- - Database class methods, DML operations, SOQL queries, SOSL queries, - Approval class methods, Email sending, async scheduling or queueing - within loops can cause governor limit exceptions. 
Instead, try to - batch up the data into a list and invoke the operation once on that - list of data outside the loop. - patterns: - - pattern-either: - - pattern-inside: | - for (...) { - ... - } - - pattern-inside: | - while (...) { - ... - } - - pattern-inside: | - do { - ... - } while (...); - - pattern-either: - - pattern: | - Messaging.sendEmail(...); - - pattern: | - Approval.ProcessSubmitRequest $REQUEST = new Approval.ProcessSubmitRequest(); - - pattern: | - System.enqueueJob(...); - - pattern: | - System.schedule(...); - - pattern: | - System.scheduleBatch(...); -- id: apex.lang.performance.ncino.operationsinloops.avoidsoqlinloops.avoid-soql-in-loops - min-version: 1.44.0 - severity: ERROR - languages: - - generic - metadata: - category: performance - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm - technology: - - salesforce - message: >- - Database class methods, DML operations, SOQL queries, SOSL queries, - Approval class methods, Email sending, async scheduling or queueing - within loops can cause governor limit exceptions. Instead, try to - batch up the data into a list and invoke the operation once on that - list of data outside the loop. - patterns: - - pattern-either: - - pattern-inside: | - for (...) { - ... - } - - pattern-inside: | - while (...) { - ... - } - - pattern-inside: | - do { - ... 
- } while (...); - - pattern: | - $OBJECTS = [...SELECT...FROM...]; -- id: apex.lang.performance.ncino.operationsinloops.avoidsoslinloops.avoid-sosl-in-loops - min-version: 1.44.0 - severity: ERROR - languages: - - generic - metadata: - category: performance - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm - technology: - - salesforce - message: >- - Database class methods, DML operations, SOQL queries, SOSL queries, - Approval class methods, Email sending, async scheduling or queueing - within loops can cause governor limit exceptions. Instead, try to - batch up the data into a list and invoke the operation once on that - list of data outside the loop. - patterns: - - pattern-either: - - pattern-inside: | - for (...) { - ... - } - - pattern-inside: | - while (...) { - ... - } - - pattern-inside: | - do { - ... - } while (...); - - pattern-either: - - pattern: | - $OBJECTS = ... Search.query(...) - - pattern: | - $OBJECTS = ... [FIND...IN ALL FIELDS RETURNING...] -- id: apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor - min-version: 1.44.0 - severity: ERROR - languages: - - apex - metadata: - cwe: - - 'CWE-352: Cross-Site Request Forgery (CSRF)' - owasp: - - A01:2021 - Broken Access Control - cwe2020-top25': true - cwe2021-top25': true - cwe2022-top25': true - impact: HIGH - likelihood: MEDIUM - confidence: HIGH - category: security - subcategory: - - vuln - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/352.html - message: >- - Having DML operations in Apex class constructor or initializers can - have unexpected side effects: By just accessing a page, the DML statements - would be executed and the database would be modified. Just querying the - database is permitted. 
- patterns: - - pattern-either: - - pattern-inside: public class $CLASSNAME {...} - - pattern-inside: private class $CLASSNAME {...} - - pattern-inside: public $SOME sharing class $CLASSNAME {...} - - pattern-inside: private $SOME sharing class $CLASSNAME {...} - - pattern-either: - - pattern-inside: public $CLASSNAME() {...} - - pattern-inside: private $CLASSNAME() {...} - - pattern-either: - - pattern: | - insert $DATA; - - pattern: | - update $DATA; - - pattern: | - upsert $DATA; - - pattern: | - delete $DATA; - paths: - exclude: - - "*Test*" - - "*test*" -- id: apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor - min-version: 1.44.0 - severity: ERROR - languages: - - generic - metadata: - cwe: - - 'CWE-352: Cross-Site Request Forgery (CSRF)' - owasp: - - A01:2021 - Broken Access Control - cwe2020-top25': true - cwe2021-top25': true - cwe2022-top25': true - impact: HIGH - likelihood: MEDIUM - confidence: HIGH - category: security - subcategory: - - vuln - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/352.html - message: >- - Having DML operations in Apex class constructor or initializers can - have unexpected side effects: By just accessing a page, the DML statements - would be executed and the database would be modified. Just querying the - database is permitted. 
- patterns: - - pattern-inside: static {...} - - pattern-either: - - pattern: | - insert $DATA; - - pattern: | - update $DATA; - - pattern: | - upsert $DATA; - - pattern: | - delete $DATA; - paths: - exclude: - - "*Test*" - - "*test*" -- id: apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements - min-version: 1.44.0 - severity: WARNING - languages: - - apex - metadata: - cwe: - - 'CWE-863: Incorrect Authorization' - owasp: - - A01:2021 - Broken Access Control - - A04:2021 - Insecure Design - impact: HIGH - likelihood: LOW - confidence: LOW - category: security - subcategory: - - audit - technology: - - salesforce - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_dml_section.htm - - https://cwe.mitre.org/data/definitions/863.html - - https://owasp.org/Top10/A04_2021-Insecure_Design/ - message: >- - Native Salesforce DML operations execute in system context, ignoring the current user's permissions, - field-level security, organization-wide defaults, position in the role hierarchy, and sharing rules. - Be mindful when using native Salesforce DML operations. 
- patterns: - - pattern-either: - - pattern-regex: '(insert|upsert|update|delete)[\s]' - - pattern-regex: '(insert|upsert|update|delete)[(]' - - pattern-not-regex: '[\/\/].*(insert|upsert|update|delete).*' - - pattern-not-regex: '[\/\/].*(insert|upsert|update|delete)[\n]' - - pattern-not-regex: '.*[=].*(insert|upsert|update|delete).*[,;]' -- id: apex.lang.security.ncino.encryption.badcrypto.bad-crypto - min-version: 1.44.0 - severity: ERROR - languages: - - apex - metadata: - cwe: - - 'CWE-321: Use of Hard-coded Cryptographic Key' - owasp: - - A02:2021 - Cryptographic Failures - impact: HIGH - likelihood: LOW - confidence: LOW - category: security - subcategory: - - audit - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/321.html - message: >- - The rule makes sure you are using randomly generated IVs and keys - for Crypto calls. Hard-coding these values greatly compromises the - security of encrypted data. - pattern-either: - - pattern: Blob $IV = Blob.valueOf('$STRING');...Crypto.encrypt($ONE, $TWO, $IV, $FOUR); - - pattern: Blob $IV = Blob.valueOf('$STRING');...Crypto.decrypt($ONE, $TWO, $IV, $FOUR); - - pattern: Blob $KEY = Blob.valueOf('$STRING');...Crypto.encrypt($ONE, $KEY, $THREE, $FOUR); - - pattern: Blob $KEY = Blob.valueOf('$STRING');...Crypto.decrypt($ONE, $KEY, $THREE, $FOUR); - paths: - exclude: - - "*Test*" - - "*test*" -- id: apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request - min-version: 1.44.0 - severity: ERROR - languages: - - apex - metadata: - cwe: - - 'CWE-319: Cleartext Transmission of Sensitive Information' - impact: MEDIUM - likelihood: LOW - confidence: MEDIUM - category: security - subcategory: - - vuln - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/319.html - message: >- - The software transmits sensitive or security-critical data in cleartext in - a communication channel that can be sniffed by unauthorized actors. 
- patterns: - - pattern-regex: http[:][/][/] - - pattern-not-regex: //.* - - pattern-not-regex: '[*].*' - paths: - exclude: - - "*Test*" - - "*test*" -- id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match - min-version: 1.44.0 - mode: taint - severity: ERROR - languages: - - apex - metadata: - cwe: - - 'CWE-540: Inclusion of Sensitive Information in Source Code' - impact: HIGH - likelihood: LOW - confidence: HIGH - category: security - subcategory: - - vuln - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/540.html - message: >- - Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. - 1. Hard-coded credentials are hard to maintain when mixed in with application code. - 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. - 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. - 4. Using different credentials for different environments is troublesome and error-prone. - pattern-sources: - - pattern: ...String $X = 'Authorization'; - pattern-sinks: - - patterns: - - pattern: req.setHeader($X, ...); - - focus-metavariable: $X -- id: apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match - min-version: 1.44.0 - severity: ERROR - languages: - - apex - metadata: - cwe: - - 'CWE-540: Inclusion of Sensitive Information in Source Code' - impact: HIGH - likelihood: LOW - confidence: HIGH - category: security - subcategory: - - vuln - technology: - - salesforce - references: - - https://cwe.mitre.org/data/definitions/540.html - message: >- - Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. - 1. Hard-coded credentials are hard to maintain when mixed in with application code. - 2. 
It is particularly hard to update hard-coded credentials when they are used amongst different classes. - 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. - 4. Using different credentials for different environments is troublesome and error-prone. - pattern: $REQUEST.setHeader('Authorization', $AUTHSTRING); -- id: apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param - min-version: 1.44.0 - mode: taint - severity: ERROR - languages: - - apex - metadata: - category: security - subcategory: - - vuln - technology: - - salesforce - cwe: - - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' - owasp: - - A03:2021 - Injection - references: - - https://cwe.mitre.org/data/definitions/943.html - impact: HIGH - likelihood: HIGH - confidence: HIGH - message: >- - If a dynamic query must be used,leverage nFORCE Query Builder. - In other programming languages, the related flaw is known as SQL injection. - Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is - much simpler and more limited in functionality than SQL. The risks are much - lower for SOQL injection than for SQL injection, but the attacks are nearly - identical to traditional SQL injection. SQL/SOQL injection takes user-supplied - input and uses those values in a dynamic SOQL query. If the input isn't validated, - it can include SOQL commands that effectively modify the SOQL statement and trick - the application into performing unintended commands. - pattern-sources: - - by-side-effect: true - pattern: ApexPage.getCurrentPage().getParameters.get($URLPARAM); - pattern-sanitizers: - - pattern: String.escapeSingleQuotes(...) 
- pattern-sinks: - - patterns: - - pattern: Database.query($SINK,...); - - focus-metavariable: $SINK -- id: apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param - min-version: 1.44.0 - mode: taint - severity: ERROR - languages: - - apex - metadata: - category: security - subcategory: - - vuln - technology: - - salesforce - cwe: - - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic' - owasp: - - A03:2021 - Injection - references: - - https://cwe.mitre.org/data/definitions/943.html - impact: HIGH - likelihood: HIGH - confidence: HIGH - message: >- - If a dynamic query must be used,leverage nFORCE Query Builder. - In other programming languages, the related flaw is known as SQL injection. - Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is - much simpler and more limited in functionality than SQL. The risks are much - lower for SOQL injection than for SQL injection, but the attacks are nearly - identical to traditional SQL injection. SQL/SOQL injection takes user-supplied - input and uses those values in a dynamic SOQL query. If the input isn't validated, - it can include SOQL commands that effectively modify the SOQL statement and trick - the application into performing unintended commands. - pattern-sources: - - by-side-effect: true - patterns: - - pattern: $M(...,String $P,...) { ... } - - focus-metavariable: $P - pattern-sanitizers: - - pattern-either: - - pattern: String.escapeSingleQuotes($P) - - pattern: Database.query(<... String.escapeSingleQuotes($P) ...>) - pattern-sinks: - - pattern: Database.query(<... 
$P ...>) -- id: apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level - min-version: 1.44.0 - severity: WARNING - languages: - - apex - metadata: - cwe: - - 'CWE-284: Improper Access Control' - owasp: - - A04:2021 - Insecure Design - references: - - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm - - https://cwe.mitre.org/data/definitions/284.html - - https://owasp.org/Top10/A04_2021-Insecure_Design/ - category: security - subcategory: - - vuln - technology: - - salesforce - impact: MEDIUM - likelihood: MEDIUM - confidence: HIGH - message: >- - Every Apex class should have an explicit sharing mode declared. Use the `with sharing` - or `without sharing` keywords on a class to specify whether sharing rules must be enforced. - Use the `inherited sharing` keyword on an Apex class to run the class in the sharing mode - of the class that called it. - patterns: - - pattern-regex: (private|public|global).*\s(class)\s.*[{] - - pattern-not-regex: (private|public|global).*[with|without|inherited]\s[sharing].*\s(class)\s.*[{] - - pattern-not-regex: (private|public|global).*\s(class)\s.*(extends)\s(Exception).*[{] -- id: apex.lang.security.ncino.system.systemdebug.system-debug - min-version: 1.44.0 - severity: WARNING - languages: - - apex - metadata: - cwe: - - 'CWE-489: Active Debug Code' - - 'CWE-779: Logging of Excessive Data' - category: security - subcategory: - - vuln - technology: - - vuln - references: - - https://cwe.mitre.org/data/definitions/489.html - - https://cwe.mitre.org/data/definitions/779.html - impact: MEDIUM - likelihood: LOW - confidence: HIGH - message: >- - In addition to debug statements potentially logging data excessively, debug statements - also contribute to longer transactions and consume Apex CPU time even when debug logs - are not being captured. - pattern: System.debug(...) 
- paths: - exclude: - - "*Test*" - - "*test*" - id: bash.curl.security.curl-eval.curl-eval severity: WARNING languages:
@@ -1116,7 +507,6 @@ rules:
 # unsafe: $* $@ $0 $15 $_ $foo $FOO # unsafe but tolerated: $_foo $_FOO $_42 regex: "[*@0-9]|[A-Za-z].*" - - id: bash.lang.correctness.unquoted-expansion.unquoted-command-substitution-in-command languages: [bash] severity: INFO