Skip to content

clj-holmes/clj-holmes-rules

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.github/workflows
.github/workflows
 
 
correctness
correctness
 
 
scripts
scripts
 
 
security
security
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

clj-holmes rules

Open source rules used by clj-holmes.

Rule syntax

The rule syntax is defined by the spec defined here.

Fields

id

A short, unique and descriptive identifier for the rule.

name

A short description for the rule.

severity

The severity of the finding. This is useful for filtering security issues when viewing SARIF outputs uploaded to GitHub, for example.

message

A more descriptive message for the rule that specifies in detail what the rule is looking for.

properties

A dictionary that provides metadata about the rule.

precision

The precision of the finding. This is useful for filtering security issues when viewing SARIF outputs uploaded to GitHub, for example.

tags

A list of markers to make possible using only a subset of rules when scanning a project.

Pattern Description (patterns/patterns-either)

A dictionary with configurable parameters that are necessary to finding relevant code. These fields can be nested as to provide enough expressive power to match almost any code. The engine will resolve the innermost pattern and work its way out until all Pattern Descriptions are solved. A Pattern Description can also be collection of Pattern Expressions.

patterns

A collection of Patterns Descriptions. Matches when all Pattern Descriptions inside also match. Functionally equivalent to doing a AND of all Pattern Descriptions inside.

patterns-either

A collection of Patterns Descriptions. Matches when at least one Pattern Description inside also match. Functionally equivalent to doing a OR of all Pattern Descriptions inside.

Pattern Expression (pattern/pattern-not)

A Pattern Expression as documented in shape-shifter.

pattern

Pattern Expression to search for. Matches when pattern is found on code.

pattern-not

Pattern Expression to search for. Matches when pattern is not found on code.

custom-function?

Boolean flag to indicate if finding a custom-funciton is required. The presence of this flag forces clj-holmes to use the function and namespace fields to find usages of function called via a full namespace, a namespace alias or simply when using :refer or :refer :all.

function

The function to be matched.

namespace

The namespace where the function being searched for comes from.

interpret-regex?

Boolean flag to indicate if there's a regex in the pattern that needs to be interpreted and searched.

About

Open source rules used by clj-holmes.

Topics

yaml security clojure

Resources

Readme
Activity
Custom properties

Stars

9 stars

Watchers

1 watching

Forks

1 fork
Report repository

Contributors 5

Languages