From 076e44e39a8681160f03b2c9cfc54453abcc4230 Mon Sep 17 00:00:00 2001
From: Lenin Alevski
Date: Sun, 15 May 2022 18:54:22 -0700
Subject: [PATCH] implement semgrep in github worflow for project (#1979)
---
 .github/workflows/jobs.yaml | 36 +++++++++++++++++
 .semgrepignore | 33 ++++++++++++++++
 semgrep.yaml | 78 +++++++++++++++++++++++++++++++++++++
 3 files changed, 147 insertions(+)
 create mode 100644 .semgrepignore
 create mode 100644 semgrep.yaml
diff --git a/.github/workflows/jobs.yaml b/.github/workflows/jobs.yaml
index 9ea671a95..f4534656c 100644
--- a/.github/workflows/jobs.yaml
+++ b/.github/workflows/jobs.yaml
@@ -24,6 +24,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ubuntu-latest
 strategy:
@@ -92,6 +93,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ubuntu-latest
 strategy:
@@ -160,6 +162,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ubuntu-latest
 strategy:
@@ -256,6 +259,22 @@ jobs:
 curl -L -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/${nancy_version}/nancy-${nancy_version}-linux-amd64 && chmod +x nancy
 go list -deps -json ./... | jq -s 'unique_by(.Module.Path)|.[]|select(has("Module"))|.Module' | ./nancy sleuth
+ semgrep-static-code-analysis:
+ name: "semgrep checks"
+ runs-on: ${{ matrix.os }}
+ container:
+ image: "returntocorp/semgrep"
+ strategy:
+ matrix:
+ os: [ ubuntu-latest ]
+ steps:
+ - name: Check out source code
+ uses: actions/checkout@v2
+ - name: Scanning code on ${{ matrix.os }}
+ continue-on-error: false
+ run: |
+ semgrep --config semgrep.yaml $(pwd)/portal-ui --error
+
 no-warnings-and-make-assets:
 name: "React Code Has No Warnings and then Make Assets"
 runs-on: ${{ matrix.os }}
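Review bot: The `image: "returntocorp/semgrep"` line in the new semgrep-static-code-analysis job pulls an untagged image, so each run resolves whatever the registry's floating default tag points at that day; the scanner version, its rule semantics and therefore the pass/fail of every job that now `needs` this one can change with no commit in this repository, and a mutable tag is a weaker supply-chain anchor than a digest. Pin it to a release and ideally a digest, `image: "returntocorp/semgrep:<VERSION>@sha256:<DIGEST>"` (placeholders; take both values from the registry entry you verified). `continue-on-error: false` on the scan step is already the default and can be dropped. The nancy `run:` block above and the `no-warnings-and-make-assets` job below continue outside the hunk.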
@@ -350,6 +369,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -428,6 +448,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -506,6 +527,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -585,6 +607,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 timeout-minutes: 5
 strategy:
@@ -654,6 +677,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -722,6 +746,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -790,6 +815,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -863,6 +889,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -900,6 +927,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -937,6 +965,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -974,6 +1003,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -1011,6 +1041,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -1048,6 +1079,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -1085,6 +1117,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -1122,6 +1155,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -1167,6 +1201,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ubuntu-latest
 strategy:
@@ -1235,6 +1270,7 @@ jobs:
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
 - vulnerable-dependencies-checks
+ - semgrep-static-code-analysis
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 000000000..18621cb29
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,33 @@
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large paths
+node_modules/
+portal-ui/node_modules/
+build/
+dist/
+.idea/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# Ignore VsCode files
+.vscode/
+*.code-workspace
+*~
+.eslintcache
\ No newline at end of file
diff --git a/semgrep.yaml b/semgrep.yaml
new file mode 100644
index 000000000..b470c90ea
--- /dev/null
+++ b/semgrep.yaml
@@ -0,0 +1,78 @@
+rules:
+ - id: js-func-encode-uri-Component
+ patterns:
+ - pattern: encodeURIComponent($X)
+ - pattern-not-inside: |
+ export const encodeURLString = (...) => {
+ ...
+ };
+ message: Use encodeURLString() instead of encodeURIComponent()
+ languages:
+ - typescript
+ - javascript
+ severity: WARNING
+ fix: encodeURLString($X)
+ - id: js-func-encode-uri
+ patterns:
+ - pattern: encodeURI($X)
+ message: Use encodeURLString() instead of encodeURI()
+ languages:
+ - typescript
+ - javascript
+ severity: WARNING
+ fix: encodeURLString($X)
+ - id: js-dangerous-func-document-write
+ patterns:
+ - pattern: document.write(...)
+ message: Don't render html directly into the page, use React components instead
+ languages:
+ - typescript
+ - javascript
+ severity: WARNING
+ - id: js-dangerous-func-assign-document-write
+ patterns:
+ - pattern: |
+ $X1 = document
+ ...
+ $X1.write(...)
+ message: Don't render html directly into the page, use React components instead
+ languages:
+ - typescript
+ - javascript
+ severity: WARNING
+ - id: js-dangerous-func-document-writeln
+ patterns:
+ - pattern: document.writeln(...)
+ message: Don't render html directly into the page, use React components instead
+ languages:
+ - typescript
+ - javascript
+ severity: WARNING
+ - id: js-dangerous-func-assign-document-writeln
+ patterns:
+ - pattern: |
+ $X1 = document
+ ...
+ $X1.writeln(...)
+ message: Don't render html directly into the page, use React components instead
+ languages:
+ - typescript
+ - javascript
+ severity: WARNING
+ - id: react-dangerouslysetinnerhtml
+ languages:
+ - typescript
+ - javascript
+ message: "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack."
+ pattern-either:
+ - pattern: |
+ <$X dangerouslySetInnerHTML=... />
+ - pattern: |
+ {dangerouslySetInnerHTML: ...}
+ - pattern: |
+ $X1.innerHTML=...
+ - pattern: |
+ $X1.outerHTML=...
+ - pattern: |
+ $X1.insertAdjacentHTML=...
+ severity: WARNING
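Review bot: The last alternative of `react-dangerouslysetinnerhtml`, `$X1.insertAdjacentHTML=...`, is written as an assignment, but `insertAdjacentHTML` is a DOM method that is called with a position and an HTML string, so this alternative never matches the actual sink and the rule silently misses it; the `innerHTML`/`outerHTML` assignment forms above it are correct, and this one should read `$X1.insertAdjacentHTML(...)`. The `fix: encodeURLString($X)` in the two `js-func-encode-uri*` rules replaces the call text only and cannot add an import of `encodeURLString`, so applying the autofix in a file that does not already import it leaves an unresolved identifier; either note that on the rule (`# fix assumes encodeURLString is already imported in the file`) or drop the `fix`. As a matter of style, the last rule puts `pattern-either` at the top level while every other rule wraps its single `pattern` in `patterns:`; both are valid, but one convention would read more consistently.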