-
Notifications
You must be signed in to change notification settings - Fork 307
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6845 from Checkmarx/cwe
feat(cwe): add cwe into sarif report and KICS CLI results
- Loading branch information
Showing
39 changed files
with
2,264 additions
and
122 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
{ | ||
"taxonomies": | ||
{ | ||
"downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip", | ||
"guid": "1489b0c4-d7ce-4d31-af66-6382a01202e3", | ||
"informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf", | ||
"isComprehensive": true, | ||
"language": "en", | ||
"minimumRequiredLocalizedDataSemanticVersion": "4.13", | ||
"name": "CWE", | ||
"organization": "MITRE", | ||
"releaseDateUtc": "2023-10-26", | ||
"shortDescription": { | ||
"text": "The MITRE Common Weakness Enumeration" | ||
}, | ||
"fullDescription": { | ||
"text": "The MITRE Common Weakness Enumeration" | ||
}, | ||
"taxa": [] | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,306 @@ | ||
{ | ||
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", | ||
"version": "2.1.0", | ||
"runs": [ | ||
{ | ||
"tool": { | ||
"driver": { | ||
"name": "KICS", | ||
"version": "development", | ||
"fullName": "Keeping Infrastructure as Code Secure", | ||
"informationUri": "https://www.kics.io/", | ||
"rules": [ | ||
{ | ||
"id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b", | ||
"name": "Run Block Injection", | ||
"shortDescription": { | ||
"text": "Run Block Injection" | ||
}, | ||
"fullDescription": { | ||
"text": "GitHub Actions workflows can be triggered by a variety of events. Every workflow trigger is provided with a GitHub context that contains information about the triggering event, such as which user triggered it, the branch name, and other event context details. Some of this event data, like the base repository name, hash value of a changeset, or pull request number, is unlikely to be controlled or used for injection by the user that triggered the event." | ||
}, | ||
"defaultConfiguration": { | ||
"level": "error" | ||
}, | ||
"helpUri": "https://securitylab.github.com/research/github-actions-untrusted-input/", | ||
"relationships": [ | ||
{ | ||
"target": { | ||
"id": "CAT007", | ||
"index": 14, | ||
"toolComponent": { | ||
"name": "Categories", | ||
"guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f" | ||
} | ||
} | ||
}, | ||
{ | ||
"target": { | ||
"id": "22", | ||
"guid": "81713b3d-740e-4d67-8003-27068b8214b4", | ||
"toolComponent": { | ||
"name": "CWE", | ||
"guid": "1489b0c4-d7ce-4d31-af66-6382a01202e3" | ||
} | ||
} | ||
} | ||
] | ||
} | ||
] | ||
} | ||
}, | ||
"results": [ | ||
{ | ||
"ruleId": "20f14e1a-a899-4e79-9f09-b6a84cd4649b", | ||
"ruleIndex": 0, | ||
"kind": "fail", | ||
"message": { | ||
"text": "Run block contains dangerous input controlled by user.", | ||
"properties": { | ||
"platform": "CICD" | ||
} | ||
}, | ||
"locations": [ | ||
{ | ||
"physicalLocation": { | ||
"artifactLocation": { | ||
"uri": "path\\test\\fixtures\\test_sarif_cwe_report\\run_block_injection\\test\\positive1.yaml" | ||
}, | ||
"region": { | ||
"startLine": 10 | ||
} | ||
} | ||
} | ||
] | ||
}, | ||
{ | ||
"ruleId": "20f14e1a-a899-4e79-9f09-b6a84cd4649b", | ||
"ruleIndex": 0, | ||
"kind": "fail", | ||
"message": { | ||
"text": "Run block contains dangerous input controlled by user.", | ||
"properties": { | ||
"platform": "CICD" | ||
} | ||
}, | ||
"locations": [ | ||
{ | ||
"physicalLocation": { | ||
"artifactLocation": { | ||
"uri": "path\\test\\fixtures\\test_sarif_cwe_report\\run_block_injection\\test\\positive1.yaml" | ||
}, | ||
"region": { | ||
"startLine": 10 | ||
} | ||
} | ||
} | ||
] | ||
} | ||
], | ||
"taxonomies": [ | ||
{ | ||
"guid": "58cdcc6f-fe41-4724-bfb3-131a93df4c3f", | ||
"name": "Categories", | ||
"fullDescription": { | ||
"text": "This taxonomy contains the types an issue can assume" | ||
}, | ||
"shortDescription": { | ||
"text": "Vulnerabilities categories" | ||
}, | ||
"taxa": [ | ||
{ | ||
"name": "Undefined Category", | ||
"id": "CAT000", | ||
"shortDescription": { | ||
"text": "Category is not defined" | ||
}, | ||
"fullDescription": { | ||
"text": "Category is not defined" | ||
} | ||
}, | ||
{ | ||
"name": "Insecure Defaults", | ||
"id": "CAT008", | ||
"shortDescription": { | ||
"text": "Configurations that are insecure by default" | ||
}, | ||
"fullDescription": { | ||
"text": "Configurations that are insecure by default" | ||
} | ||
}, | ||
{ | ||
"name": "Structure and Semantics", | ||
"id": "CAT014", | ||
"shortDescription": { | ||
"text": "Malformed document structure or inadequate semantics" | ||
}, | ||
"fullDescription": { | ||
"text": "Malformed document structure or inadequate semantics" | ||
} | ||
}, | ||
{ | ||
"name": "Availability", | ||
"id": "CAT002", | ||
"shortDescription": { | ||
"text": "Reliability and Scalability" | ||
}, | ||
"fullDescription": { | ||
"text": "Reliability and Scalability" | ||
} | ||
}, | ||
{ | ||
"name": "Build Process", | ||
"id": "CAT005", | ||
"shortDescription": { | ||
"text": "Insecure configurations when building/deploying" | ||
}, | ||
"fullDescription": { | ||
"text": "Insecure configurations when building/deploying" | ||
} | ||
}, | ||
{ | ||
"name": "Secret Management", | ||
"id": "CAT012", | ||
"shortDescription": { | ||
"text": "Secret and Key management" | ||
}, | ||
"fullDescription": { | ||
"text": "Secret and Key management" | ||
} | ||
}, | ||
{ | ||
"name": "Supply-Chain", | ||
"id": "CAT013", | ||
"shortDescription": { | ||
"text": "Dependency version management" | ||
}, | ||
"fullDescription": { | ||
"text": "Dependency version management" | ||
} | ||
}, | ||
{ | ||
"name": "Backup", | ||
"id": "CAT003", | ||
"shortDescription": { | ||
"text": "Survivability and Recovery" | ||
}, | ||
"fullDescription": { | ||
"text": "Survivability and Recovery" | ||
} | ||
}, | ||
{ | ||
"name": "Encryption", | ||
"id": "CAT006", | ||
"shortDescription": { | ||
"text": "Data Security and Encryption configuration" | ||
}, | ||
"fullDescription": { | ||
"text": "Data Security and Encryption configuration" | ||
} | ||
}, | ||
{ | ||
"name": "Observability", | ||
"id": "CAT010", | ||
"shortDescription": { | ||
"text": "Logging and Monitoring" | ||
}, | ||
"fullDescription": { | ||
"text": "Logging and Monitoring" | ||
} | ||
}, | ||
{ | ||
"name": "Bill Of Materials", | ||
"id": "CAT015", | ||
"shortDescription": { | ||
"text": "List of resources provisioned" | ||
}, | ||
"fullDescription": { | ||
"text": "List of resources provisioned" | ||
} | ||
}, | ||
{ | ||
"name": "Access Control", | ||
"id": "CAT001", | ||
"shortDescription": { | ||
"text": "Service permission and identity management" | ||
}, | ||
"fullDescription": { | ||
"text": "Service permission and identity management" | ||
} | ||
}, | ||
{ | ||
"name": "Best Practices", | ||
"id": "CAT004", | ||
"shortDescription": { | ||
"text": "Metadata management" | ||
}, | ||
"fullDescription": { | ||
"text": "Metadata management" | ||
} | ||
}, | ||
{ | ||
"name": "Resource Management", | ||
"id": "CAT011", | ||
"shortDescription": { | ||
"text": "Resource and privilege limit configuration" | ||
}, | ||
"fullDescription": { | ||
"text": "Resource and privilege limit configuration" | ||
} | ||
}, | ||
{ | ||
"name": "Insecure Configurations", | ||
"id": "CAT007", | ||
"shortDescription": { | ||
"text": "Configurations which expose the application unnecessarily" | ||
}, | ||
"fullDescription": { | ||
"text": "Configurations which expose the application unnecessarily" | ||
} | ||
}, | ||
{ | ||
"name": "Networking and Firewall", | ||
"id": "CAT009", | ||
"shortDescription": { | ||
"text": "Network port exposure and firewall configuration" | ||
}, | ||
"fullDescription": { | ||
"text": "Network port exposure and firewall configuration" | ||
} | ||
} | ||
] | ||
}, | ||
{ | ||
"guid": "1489b0c4-d7ce-4d31-af66-6382a01202e3", | ||
"name": "CWE", | ||
"fullDescription": { | ||
"text": "The MITRE Common Weakness Enumeration" | ||
}, | ||
"shortDescription": { | ||
"text": "The MITRE Common Weakness Enumeration" | ||
}, | ||
"downloadUri": "https://cwe.mitre.org/data/xml/cwec_v4.13.xml.zip", | ||
"informationUri": "https://cwe.mitre.org/data/published/cwe_v4.13.pdf", | ||
"isComprehensive": true, | ||
"language": "en", | ||
"minimumRequiredLocalizedDataSemanticVersion": "4.13", | ||
"organization": "MITRE", | ||
"releaseDateUtc": "2023-10-26", | ||
"taxa": [ | ||
{ | ||
"guid": "81713b3d-740e-4d67-8003-27068b8214b4", | ||
"id": "22", | ||
"shortDescription": { | ||
"text": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." | ||
}, | ||
"fullDescription": { | ||
"text": "Many file operations are intended to take place within a restricted directory. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as /usr/local/bin, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add .txt to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction." | ||
}, | ||
"helpUri": "https://cwe.mitre.org/data/definitions/22.html" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
] | ||
} |
Oops, something went wrong.