Add rules for Vert.X

[carlspring]

Task Description

We would like to see specialized rules for the Vert.x Java framework. This is a popular Eclipse framework hosted on Github with over 13000 followers (as of now).

Based on our research, it appears Checkmarx is the only SAST tool that has rules for Vert.X, targetting Kotlin.

Our codebase is written in Java and heavily dependent on Vert.X. We are already using GHAS for scanning our private repositories (in GHES). We would like to not need to use several different tools such as Fortify, Checkmarx, Mend, etc for the job.

It would be great, it we could see the same support in CodeQL.

Task List

The following tasks will have to be carried out:

• Collect a list of common security issues in Vert.X
• Implement rules for them
• Add tests
• Update the documentation

Useful Links

• Vert.X: Github Org
• Vert.X: Website
• Vert.X: Writing Secure Vert.X webapps
• Vert.X: Things to keep in mind concerning CSRF attacks"
• Vert.X: #security chat channel on Discord
• Checkmarx: Supported Code Languages And Frameworks

[sj]

Hi @carlspring! Thanks for the suggestion. We'll look into Vert.X and get back to you soon.

[coadaflorin]

Hi @carlspring, after some analysis on Vert.X we decided not to include it on our short-term roadmap. We will keep an eye on it and track its adoption and popularity. We'll revisit this decision later to see how things evolved.

[carlspring]

@coadaflorin , @sj ,

Thanks for getting back to me!

What would make you reconsider and help move this forward? Would a list of typical security issues with sample code help? Would an established contributor with the Vert.X help?

The company I'm representing is a large client of Github's with an on-prem GHES and is also a big and regular contributor to Vert.X.

[coadaflorin]

@carlspring

What would make you reconsider and help move this forward? Would a list of typical security issues with sample code help? Would an established contributor with the Vert.X help?

When we get to the point of writing support for the framework all these are extremely helpful. Knowing that people use certain frameworks is what helps us prioritise things. As you've done that already we are very thankful and will try to keep you up to date on how things progress. We will follow up with updates/plans as soon as we have anything.

[carlspring]

Hi,

We've been working on adding some queries for the Vert.X framework for Java. At the moment this is a separate project. We intend to contribute the code back to CodeQL once it has a sufficient amount of meaningful queries that we have tested against our code base.

We are working under the following repositories:

• carlspring/vertx-vulns : We're collecting samples of anti-patterns (with good and bad code) in this repository.
• carlspring/vertx-codeql-queries : We are implementing the CodeQL queries here.
• This is the Github project Kanban board tracking the progress.

If anyone is interested in joining this effort, this would be much appreciated!