yaml.semgrep.metadata-owasp.metadata-owasp

Author: semgrep
Downloads: 672

The owasp tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.


Definition

rules:
  - id: metadata-owasp
    message: The `owasp` tag in Semgrep rule metadata should start with the format
      "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP
      top ten year.
    severity: ERROR
    languages:
      - json
      - yaml
    patterns:
      - pattern-inside: "rules: ..."
      - pattern-inside: "metadata: ..."
      - pattern-either:
          - patterns:
              - pattern: 'owasp: "..."'
              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"'
              - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"'
          - patterns:
              - pattern-inside: "owasp: [...]"
              - pattern: '"$ANYTHING"'
              - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.*
              - pattern-not-regex: "owasp:"
    metadata:
      category: best-practice
      technology:
        - semgrep
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

metadata-owasp.test.yaml

rules:
  - id: example-1
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp: "A1: Some Vulnerability"
  - id: example-1b
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp: A05:2021 - Security Misconfiguration
  - id: example-bad-zero
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: "A0: Zero"
  - id: example-bad-double-zero-year
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: "A00:2021 Zero"
  - id: example-bad-missing-leading-zero
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: A5:2021 - Security Misconfiguration
  - id: example-bad-greater-than-10
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: "A11: Some Vulnerability"
  - id: example-bad-missing-details
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: a4
  - id: example-bad-missing-colon
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: A5 Some Vulnerability
  - id: example-good-list
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp:
        # ok: metadata-owasp
        - A05:2021 - Security Misconfiguration
        # ok: metadata-owasp
        - A06:2017 - Security Misconfiguration
  - id: example-bad-list
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp:
        # ruleid: metadata-owasp
        - A0:2021 - Zero
        # ruleid: metadata-owasp
        - A00:2021 - Double Zero
        # Missing leading zero
        # ruleid: metadata-owasp
        - A5:2021 - Security Misconfiguration
        # Crazy year
        # ruleid: metadata-owasp
        - A06:201789 - Security Misconfiguration
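The same convention the rule enforces, expressed as a plain-Python check that mirrors the rule's two accepted shapes (scalar `owasp: "..."` and `owasp: [...]` list items) and is run over the values from the test file above. This is an added example, not part of the Semgrep rule or the registry page; `owasp_tag_ok`, `check_metadata` and `failing_rule_ids` are names chosen here, and the rules are assumed to be already parsed into dicts (a real hook would load the YAML first).

```python
import re

# Added example: enforce the metadata-owasp convention outside Semgrep
# (for instance in a pre-commit hook over a parsed rules file).

# Scalar `owasp: "..."` values: the rule accepts either of these two forms.
SCALAR_FORMS = (
    re.compile(r"^A(0?[1-9]|10):\s+.+$"),            # "A1: Some Vulnerability"
    re.compile(r"^A(0[1-9]|10):([0-9]{4})?\s+.+$"),  # "A05:2021 - Security Misconfiguration"
)
# Items of an `owasp: [...]` list: the rule requires a zero-padded number and a year.
LIST_ITEM_FORM = re.compile(r".*A(0[1-9]|10):[0-9]{4}\s+.*")


def owasp_tag_ok(value: str, in_list: bool = False) -> bool:
    """True when `value` follows the A00:YYYY convention checked by metadata-owasp."""
    if in_list:
        return LIST_ITEM_FORM.match(value) is not None
    return any(form.match(value) for form in SCALAR_FORMS)


def check_metadata(metadata: dict) -> list:
    """Return the offending `owasp` values from one rule's parsed metadata block."""
    tag = metadata.get("owasp")
    if tag is None:
        return []
    if isinstance(tag, list):
        return [item for item in tag if not owasp_tag_ok(str(item), in_list=True)]
    return [] if owasp_tag_ok(str(tag)) else [str(tag)]


# Constructed sample: the metadata values from metadata-owasp.test.yaml, as parsed.
SAMPLE_RULES = {
    "example-1": {"owasp": "A1: Some Vulnerability"},
    "example-1b": {"owasp": "A05:2021 - Security Misconfiguration"},
    "example-bad-zero": {"owasp": "A0: Zero"},
    "example-bad-double-zero-year": {"owasp": "A00:2021 Zero"},
    "example-bad-missing-leading-zero": {"owasp": "A5:2021 - Security Misconfiguration"},
    "example-bad-greater-than-10": {"owasp": "A11: Some Vulnerability"},
    "example-bad-missing-details": {"owasp": "a4"},
    "example-bad-missing-colon": {"owasp": "A5 Some Vulnerability"},
    "example-good-list": {"owasp": ["A05:2021 - Security Misconfiguration",
                                    "A06:2017 - Security Misconfiguration"]},
    "example-bad-list": {"owasp": ["A0:2021 - Zero", "A00:2021 - Double Zero",
                                   "A5:2021 - Security Misconfiguration",
                                   "A06:201789 - Security Misconfiguration"]},
}


def failing_rule_ids(rules: dict = SAMPLE_RULES) -> list:
    """Rule ids whose `owasp` metadata would be flagged, in input order."""
    return [rule_id for rule_id, meta in rules.items() if check_metadata(meta)]
```

Note the asymmetry the rule itself carries: a scalar tag may omit the year and the leading zero ("A1: ..."), while a list item must carry both ("A05:2021 ...").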