
Add Custom rules to SAST scan #474

Merged (3 commits, May 20, 2024)

Conversation

@attiasas (Contributor) commented Apr 30, 2024

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • I used npm run format for formatting the code before submitting the pull request.

Add Custom rules to the SAST scan in your workspace

1. Prepare a custom JSON rules file with your rules:

```json
[
  {
    "name": "custom-rule",
    "message": "User-controlled data used as argument to math.sqrt",
    "finder": {
      "type": "FlowFinder",
      "sources": {
        "type": "calls",
        "names": [
          "input"
        ]
      },
      "sinks": {
        "type": "calls",
        "names": [
          "math.sqrt"
        ]
      }
    },
    "cwe": null,
    "description": "User-controlled square root",
    "severity": "high",
    "tags": []
  }
]
```

2. Provide the absolute path to the user custom rules file in the extension's new configuration.
3. Rescan your workspace.
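The three steps above hand a user-controlled file path to the scanner, so the defensive part of the feature is checking what arrives at that path before the scan runs. The following TypeScript is an added example written for this page, not code from the jfrog VS Code extension: it loads the custom rules file from the configured absolute path and validates each rule against the shape of the example above. The `CustomRule` type, `loadCustomRules` and `validateRule` are hypothetical names, the accepted severity set beyond `"high"` is an assumption, and the sample file written to a temp directory is constructed from the rule in the PR description so the block runs offline.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Shape of one rule in the custom rules file, taken from the example in the
// PR description. The type name is hypothetical, not the extension's own.
interface CustomRule {
  name: string;
  message: string;
  finder: {
    type: string;
    sources: { type: string; names: string[] };
    sinks: { type: string; names: string[] };
  };
  cwe: string | null;
  description: string;
  severity: string;
  tags: string[];
}

interface LoadResult {
  rules: CustomRule[];
  errors: string[];
}

// Severities accepted by this validator. Only "high" appears on the page;
// the other values are an assumption made for this example.
const KNOWN_SEVERITIES = new Set(["low", "medium", "high", "critical"]);

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((s) => typeof s === "string");
}

// A "calls" list as used by sources/sinks: { "type": "...", "names": [...] }.
function isNameList(v: unknown): v is { type: string; names: string[] } {
  if (typeof v !== "object" || v === null) return false;
  const o = v as Record<string, unknown>;
  return typeof o.type === "string" && isStringArray(o.names);
}

// Validate one parsed rule; returns the problems found (empty when the rule is well-formed).
function validateRule(rule: unknown, index: number): string[] {
  const errors: string[] = [];
  const where = `rule[${index}]`;
  if (typeof rule !== "object" || rule === null) return [`${where}: expected an object`];
  const r = rule as Record<string, unknown>;
  for (const field of ["name", "message", "description", "severity"]) {
    if (typeof r[field] !== "string" || (r[field] as string).length === 0) {
      errors.push(`${where}: "${field}" must be a non-empty string`);
    }
  }
  if (typeof r.severity === "string" && !KNOWN_SEVERITIES.has(r.severity)) {
    errors.push(`${where}: unknown severity "${r.severity}"`);
  }
  const finder = r.finder as Record<string, unknown> | undefined;
  if (typeof finder !== "object" || finder === null) {
    errors.push(`${where}: "finder" is required`);
  } else {
    if (typeof finder.type !== "string") errors.push(`${where}: finder.type must be a string`);
    if (!isNameList(finder.sources)) errors.push(`${where}: finder.sources needs "type" and a "names" string array`);
    if (!isNameList(finder.sinks)) errors.push(`${where}: finder.sinks needs "type" and a "names" string array`);
  }
  if (r.cwe !== null && typeof r.cwe !== "string") errors.push(`${where}: "cwe" must be a string or null`);
  if (!isStringArray(r.tags)) errors.push(`${where}: "tags" must be a string array`);
  return errors;
}

// Load and validate the rules file named by the extension setting. An unset
// setting is not an error: the scan simply runs without custom rules.
function loadCustomRules(configuredPath: string | undefined): LoadResult {
  if (!configuredPath || configuredPath.trim() === "") return { rules: [], errors: [] };
  if (!path.isAbsolute(configuredPath)) {
    return { rules: [], errors: [`custom rules path must be absolute: ${configuredPath}`] };
  }
  let text: string;
  try {
    text = fs.readFileSync(configuredPath, "utf8");
  } catch (e) {
    return { rules: [], errors: [`cannot read custom rules file ${configuredPath}: ${(e as Error).message}`] };
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { rules: [], errors: [`custom rules file is not valid JSON: ${(e as Error).message}`] };
  }
  if (!Array.isArray(parsed)) return { rules: [], errors: ["custom rules file must contain a JSON array of rules"] };
  const errors: string[] = [];
  parsed.forEach((rule, i) => errors.push(...validateRule(rule, i)));
  return { rules: errors.length === 0 ? (parsed as CustomRule[]) : [], errors };
}

// Constructed sample: the rule from the PR description, written to a temp file.
function writeSampleRulesFile(): string {
  const sample: CustomRule[] = [{
    name: "custom-rule",
    message: "User-controlled data used as argument to math.sqrt",
    finder: {
      type: "FlowFinder",
      sources: { type: "calls", names: ["input"] },
      sinks: { type: "calls", names: ["math.sqrt"] },
    },
    cwe: null,
    description: "User-controlled square root",
    severity: "high",
    tags: [],
  }];
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "sast-rules-"));
  const file = path.join(dir, "rules.json");
  fs.writeFileSync(file, JSON.stringify(sample, null, 2));
  return file;
}

const demo = loadCustomRules(writeSampleRulesFile());
console.log(demo.errors.length === 0 ? `loaded ${demo.rules.length} custom rule(s)` : demo.errors.join("\n"));
```

Rejecting a malformed file up front, with the rule index in each message, gives the user a precise error in the extension's log instead of an opaque scanner failure, and treating an unset setting as "no custom rules" keeps the feature optional.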

@attiasas attiasas added new feature Automatically generated release notes safe to test Approve running integration tests on a pull request labels Apr 30, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Apr 30, 2024
@attiasas attiasas requested review from yahavi and Or-Geva May 15, 2024 13:40
@@ -92,6 +94,7 @@ export class SastRunner extends JasRunner {
type: this._scanType,
roots: this._config.GetSourceRoots(this._scanType),
language: this._config.GetScanLanguage(),
user_rules: Configuration.getSastCustomRulesPath(this._logManager),
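Review bot: `user_rules` is set straight from `Configuration.getSastCustomRulesPath(this._logManager)` with no visible check that the configured value is an absolute path to a readable file before it goes into the scanner config; since the setting is optional, an unset value and a bad path should be distinguished here (skip silently for the former, log via `this._logManager` and fail the scan for the latter) rather than leaving that to the scanner binary. It would also help to document the new setting and the expected rules-file format in the extension's settings description.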
Collaborator

I see user_rules is assigned here, but where is it used? Who calls this param inside the Configuration object?

@attiasas (Contributor Author) May 20, 2024

@hadarshjfrog, the configuration value comes from the settings in VS Code, as shared in the details.

The value is then fetched using Configuration.getSastCustomRulesPath and we pass it to the SAST scanner, which uses it while running (user_rules is a new attribute in the scanner config).

@attiasas attiasas added the safe to test Approve running integration tests on a pull request label May 20, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 20, 2024
@attiasas attiasas merged commit 79fcff5 into jfrog:master May 20, 2024
3 of 10 checks passed