Merged
@@ -1,30 +1,4 @@
rules:
- id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match
languages:
- apex
message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-540: Inclusion of Sensitive Information in Source Code'
impact: HIGH
likelihood: LOW
references:
- https://cwe.mitre.org/data/definitions/540.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
mode: taint
pattern-sinks:
- patterns:
- pattern: req.setHeader($X, ...);
- focus-metavariable: $X
pattern-sources:
- pattern: '...String $X = ''Authorization'';'
severity: ERROR
- id: clojure.lang.security.use-of-md5.use-of-md5
languages:
- clojure
@@ -1,279 +1,4 @@
rules:
- id: apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor
languages:
- apex
message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.'
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-352: Cross-Site Request Forgery (CSRF)'
cwe2020-top25': true
cwe2021-top25': true
cwe2022-top25': true
impact: HIGH
likelihood: MEDIUM
owasp:
- A01:2021 - Broken Access Control
references:
- https://cwe.mitre.org/data/definitions/352.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
paths:
exclude:
- '*Test*'
- '*test*'
patterns:
- pattern-either:
- pattern-inside: public class $CLASSNAME {...}
- pattern-inside: private class $CLASSNAME {...}
- pattern-inside: public $SOME sharing class $CLASSNAME {...}
- pattern-inside: private $SOME sharing class $CLASSNAME {...}
- pattern-either:
- pattern-inside: public $CLASSNAME() {...}
- pattern-inside: private $CLASSNAME() {...}
- pattern-either:
- pattern: |
insert $DATA;
- pattern: |
update $DATA;
- pattern: |
upsert $DATA;
- pattern: |
delete $DATA;
severity: ERROR
- id: apex.lang.security.ncino.dml.apexcsrfstaticconstructor.apex-csrf-static-constructor
languages:
- generic
message: 'Having DML operations in Apex class constructor or initializers can have unexpected side effects: By just accessing a page, the DML statements would be executed and the database would be modified. Just querying the database is permitted.'
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-352: Cross-Site Request Forgery (CSRF)'
cwe2020-top25': true
cwe2021-top25': true
cwe2022-top25': true
impact: HIGH
likelihood: MEDIUM
owasp:
- A01:2021 - Broken Access Control
references:
- https://cwe.mitre.org/data/definitions/352.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
paths:
exclude:
- '*Test*'
- '*test*'
patterns:
- pattern-inside: static {...}
- pattern-either:
- pattern: |
insert $DATA;
- pattern: |
update $DATA;
- pattern: |
upsert $DATA;
- pattern: |
delete $DATA;
severity: ERROR
- id: apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request
languages:
- apex
message: The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
metadata:
category: security
confidence: MEDIUM
cwe:
- 'CWE-319: Cleartext Transmission of Sensitive Information'
impact: MEDIUM
likelihood: LOW
references:
- https://cwe.mitre.org/data/definitions/319.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
paths:
exclude:
- '*Test*'
- '*test*'
patterns:
- pattern-regex: http[:][/][/]
- pattern-not-regex: //.*
- pattern-not-regex: '[*].*'
severity: ERROR
- id: apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match
languages:
- apex
message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-540: Inclusion of Sensitive Information in Source Code'
impact: HIGH
likelihood: LOW
references:
- https://cwe.mitre.org/data/definitions/540.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
mode: taint
pattern-sinks:
- patterns:
- pattern: req.setHeader($X, ...);
- focus-metavariable: $X
pattern-sources:
- pattern: '...String $X = ''Authorization'';'
severity: ERROR
- id: apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match
languages:
- apex
message: Named Credentials (and callout endpoints) should be used instead of hard-coding credentials. 1. Hard-coded credentials are hard to maintain when mixed in with application code. 2. It is particularly hard to update hard-coded credentials when they are used amongst different classes. 3. Granting a developer access to the codebase means granting knowledge of credentials, and thus keeping a two-level access is not possible. 4. Using different credentials for different environments is troublesome and error-prone.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-540: Inclusion of Sensitive Information in Source Code'
impact: HIGH
likelihood: LOW
references:
- https://cwe.mitre.org/data/definitions/540.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
pattern: $REQUEST.setHeader('Authorization', $AUTHSTRING);
severity: ERROR
- id: apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param
languages:
- apex
message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
impact: HIGH
likelihood: HIGH
owasp:
- A03:2021 - Injection
references:
- https://cwe.mitre.org/data/definitions/943.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
mode: taint
pattern-sanitizers:
- pattern: String.escapeSingleQuotes(...)
pattern-sinks:
- patterns:
- pattern: Database.query($SINK,...);
- focus-metavariable: $SINK
pattern-sources:
- by-side-effect: true
pattern: ApexPage.getCurrentPage().getParameters.get($URLPARAM);
severity: ERROR
- id: apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param
languages:
- apex
message: If a dynamic query must be used,leverage nFORCE Query Builder. In other programming languages, the related flaw is known as SQL injection. Apex doesn't use SQL, but uses its own database query language, SOQL. SOQL is much simpler and more limited in functionality than SQL. The risks are much lower for SOQL injection than for SQL injection, but the attacks are nearly identical to traditional SQL injection. SQL/SOQL injection takes user-supplied input and uses those values in a dynamic SOQL query. If the input isn't validated, it can include SOQL commands that effectively modify the SOQL statement and trick the application into performing unintended commands.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
impact: HIGH
likelihood: HIGH
owasp:
- A03:2021 - Injection
references:
- https://cwe.mitre.org/data/definitions/943.html
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
mode: taint
pattern-sanitizers:
- pattern-either:
- pattern: String.escapeSingleQuotes($P)
- pattern: Database.query(<... String.escapeSingleQuotes($P) ...>)
pattern-sinks:
- pattern: Database.query(<... $P ...>)
pattern-sources:
- by-side-effect: true
patterns:
- pattern: $M(...,String $P,...) { ... }
- focus-metavariable: $P
severity: ERROR
- id: apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level
languages:
- apex
message: Every Apex class should have an explicit sharing mode declared. Use the `with sharing` or `without sharing` keywords on a class to specify whether sharing rules must be enforced. Use the `inherited sharing` keyword on an Apex class to run the class in the sharing mode of the class that called it.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-284: Improper Access Control'
impact: MEDIUM
likelihood: MEDIUM
owasp:
- A04:2021 - Insecure Design
references:
- https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm
- https://cwe.mitre.org/data/definitions/284.html
- https://owasp.org/Top10/A04_2021-Insecure_Design/
subcategory:
- vuln
technology:
- salesforce
min-version: 1.44.0
patterns:
- pattern-regex: (private|public|global).*\s(class)\s.*[{]
- pattern-not-regex: (private|public|global).*[with|without|inherited]\s[sharing].*\s(class)\s.*[{]
- pattern-not-regex: (private|public|global).*\s(class)\s.*(extends)\s(Exception).*[{]
severity: WARNING
- id: apex.lang.security.ncino.system.systemdebug.system-debug
languages:
- apex
message: In addition to debug statements potentially logging data excessively, debug statements also contribute to longer transactions and consume Apex CPU time even when debug logs are not being captured.
metadata:
category: security
confidence: HIGH
cwe:
- 'CWE-489: Active Debug Code'
- 'CWE-779: Logging of Excessive Data'
impact: MEDIUM
likelihood: LOW
references:
- https://cwe.mitre.org/data/definitions/489.html
- https://cwe.mitre.org/data/definitions/779.html
subcategory:
- vuln
technology:
- vuln
min-version: 1.44.0
paths:
exclude:
- '*Test*'
- '*test*'
pattern: System.debug(...)
severity: WARNING
- id: bash.curl.security.curl-eval.curl-eval
languages:
- bash
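Review bot: with `@@ -1,279 +1,4 @@` this hunk removes the whole nCino Apex rule block (`apex-csrf-constructor` through `system-debug`) from this file, leaving only `rules:` and the start of `bash.curl.security.curl-eval.curl-eval`; the PR should say whether these rules are retired or relocated. If they are relocated, fix the following defects visible in the removed lines rather than copying them verbatim: the metadata keys `cwe2020-top25': true`, `cwe2021-top25': true` and `cwe2022-top25': true` in both CSRF rules carry a stray trailing quote that becomes part of the key name; `system-debug` lists `technology: - vuln` where every sibling rule says `salesforce`; the taint source in `soql-injection-unescaped-url-param`, `ApexPage.getCurrentPage().getParameters.get($URLPARAM);`, does not match the Apex API (`ApexPages.currentPage().getParameters().get(...)`: wrong class name, wrong method name, and `getParameters` without `()`), so the rule cannot fire on real code; the `pattern-not-regex` in `specify-sharing-level` writes `[with|without|inherited]\s[sharing]` with single-character classes rather than alternations, which only matches by coincidence of the trailing `h`/`t`/`d` and leading `s` and should read `(with|without|inherited)\s(sharing)`; and both SOQL rule messages read `must be used,leverage` without a space. Also, `apex-csrf-static-constructor` is the only rule in the block declared `languages: - generic` while its DML patterns are otherwise identical to `apex-csrf-constructor`; a comment on why `static {...}` needs generic mode would help whoever maintains it next.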