yaml.semgrep.metadata-owasp.metadata-owasp

The `owasp` tag in Semgrep rule metadata should start with the format "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP top ten year.
Definition
rules:
  - id: metadata-owasp
    message: The `owasp` tag in Semgrep rule metadata should start with the format
      "A00:YYYY", where A00 is the OWASP top ten number and YYYY is the OWASP
      top ten year.
    severity: ERROR
    languages:
      - json
      - yaml
    patterns:
      - pattern-inside: "rules: ..."
      - pattern-inside: "metadata: ..."
      - pattern-either:
          - patterns:
              - pattern: 'owasp: "..."'
              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10): .+$/"'
          - patterns:
              - pattern-inside: "owasp: [...]"
              - pattern: '"$ANYTHING"'
              - pattern-not-regex: .*A[01][0-9]:[0-9]{4}\s+.*
              - pattern-not-regex: "owasp:"
    metadata:
      category: best-practice
      technology:
        - semgrep
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
metadata-owasp.test.yaml
rules:
  - id: example-1
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp: "A1: Some Vulnerability"
  - id: example-2
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: "A11: Some Vulnerability"
  - id: example-3
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: a4
  - id: example-4
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ruleid: metadata-owasp
      owasp: A5 Some Vulnerability
  - id: example-5
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp:
        # ok: metadata-owasp
        - A05:2021 - Security Misconfiguration
        # ok: metadata-owasp
        - A06:2017 - Security Misconfiguration
  - id: example-6
    message: Example
    severity: ERROR
    languages: [json, yaml]
    pattern: "..."
    metadata:
      # ok: metadata-owasp
      owasp:
        # ruleid: metadata-owasp
        - A5:2021 - Security Misconfiguration
        # ruleid: metadata-owasp
        - A06:201789 - Security Misconfiguration
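The two branches of the rule above apply two different regexes: a single string value is checked against `^A(0?[1-9]|10): .+$`, while each item of a list value is checked against `.*A[01][0-9]:[0-9]{4}\s+.*`. The following Python re-implements that exact logic outside Semgrep and runs it over the test fixtures from this page; it is an added example, not part of the rule or of the Semgrep project, and it assumes the rule file has already been parsed into Python dicts (e.g. by `yaml.safe_load`).

```python
import re

# Regexes copied from the two branches of the metadata-owasp rule.
# Scalar branch: `owasp: "..."` is accepted only if the value matches this.
SCALAR_OK = re.compile(r"^A(0?[1-9]|10): .+$")
# List branch: each item under `owasp: [...]` is accepted only if it matches this.
LIST_ITEM_OK = re.compile(r".*A[01][0-9]:[0-9]{4}\s+.*")


def owasp_tag_violations(rules):
    """Return (rule_id, offending_value) for every owasp tag the rule would flag.

    `rules` is the parsed `rules:` list of a Semgrep rule file
    (what yaml.safe_load(...)["rules"] would give you).
    """
    findings = []
    for rule in rules:
        tag = (rule.get("metadata") or {}).get("owasp")
        if tag is None:
            continue  # no owasp tag at all: the rule does not fire
        if isinstance(tag, list):
            # List form: every item must carry a two-digit number and a four-digit year.
            findings.extend((rule["id"], item) for item in tag
                            if not LIST_ITEM_OK.match(str(item)))
        elif not SCALAR_OK.match(str(tag)):
            # Scalar form: "A1: ..." through "A10: ..." is enough, no year required.
            findings.append((rule["id"], tag))
    return findings


# Constructed fixtures mirroring metadata-owasp.test.yaml on this page.
SAMPLE_RULES = [
    {"id": "example-1", "metadata": {"owasp": "A1: Some Vulnerability"}},
    {"id": "example-2", "metadata": {"owasp": "A11: Some Vulnerability"}},
    {"id": "example-3", "metadata": {"owasp": "a4"}},
    {"id": "example-4", "metadata": {"owasp": "A5 Some Vulnerability"}},
    {"id": "example-5", "metadata": {"owasp": [
        "A05:2021 - Security Misconfiguration",
        "A06:2017 - Security Misconfiguration"]}},
    {"id": "example-6", "metadata": {"owasp": [
        "A5:2021 - Security Misconfiguration",
        "A06:201789 - Security Misconfiguration"]}},
]

if __name__ == "__main__":
    for rule_id, value in owasp_tag_violations(SAMPLE_RULES):
        print(f"{rule_id}: bad owasp tag {value!r}")
```

Running it reproduces the `ok`/`ruleid` annotations of the test file, and also makes visible that the scalar branch accepts the year-less `A1: ...` form (example-1) even though the rule message asks for `A00:YYYY`, whereas the list branch does require the year.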
Short Link: https://sg.run/v0En