Improvements to a few rules (#398)

* Improve certificate validation rules.

Made a few rules less strict.
Added test cases.
Added additional "disabled certificate validation" rules.

* Add correctness rule (invalid date format string).

* Add additional dynamic execution rules (plus swift).

* Add comment support for batch files

Disable VS Code pipeline until fixed builds can be produced.

Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com>

DevSkim-DotNet/Microsoft.DevSkim/Microsoft.DevSkim.csproj

@@ -173,6 +173,10 @@
       <EmbeddedResource Include="..\..\rules\default\security\xml\external_entities.json">
         <Link>rules\default\security\xml\external_entities.json</Link>
       </EmbeddedResource>
+      <EmbeddedResource Include="..\..\rules\default\correctness\datetime.json">
+        <Link>rules\default\correctness\datetime.json</Link>
+      </EmbeddedResource>
+
       <EmbeddedResource Include="resources\comments.json" />
       <EmbeddedResource Include="resources\languages.json" />
     </ItemGroup>

DevSkim-DotNet/Microsoft.DevSkim/resources/comments.json

@@ -66,5 +66,13 @@
     "inline": "'",
     "preffix": "'",
     "suffix": ""
+  },
+  {
+    "language": [
+      "batch"
+    ],
+    "inline": "::",
+    "preffix": "Rem",
+    "suffix": "\n"
   }
 ]

DevSkim-DotNet/Microsoft.DevSkim/resources/languages.json

@@ -1,4 +1,8 @@
 [
+  {
+    "name": "batch",
+    "extensions": [ ".bat" ]
+  },
   {
     "name": "c",
     "extensions": [ ".c", ".h" ]

Pipelines/devskim-vscode.yml

@@ -2,162 +2,162 @@
 # https://aka.ms/yaml
 
 name: DevSkim_VSCode_CI_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
-trigger:
-  batch: true
-  branches:
-    include:
-    - main
-  paths:
-    include:
-    - DevSkim-VSCode-Plugin/*
-    - rules/*
-pr:
-  branches:
-    include:
-    - main
-  paths:
-    include:
-    - Pipelines
-    - DevSkim-VSCode-Plugin/*
-    - rules/*
+trigger: none
+#   batch: true
+#   branches:
+#     include:
+#     - main
+#   paths:
+#     include:
+#     - DevSkim-VSCode-Plugin/*
+#     - rules/*
+# pr:
+#   branches:
+#     include:
+#     - main
+#   paths:
+#     include:
+#     - Pipelines
+#     - DevSkim-VSCode-Plugin/*
+#     - rules/*
 
-stages:
-- stage: SDL
-  jobs:
-  - template: templates/sdl-job.yml
-    parameters:
-      serviceTreeID: '9792b8d3-bc2c-432c-8fc9-bdb143552208'
+# stages:
+# - stage: SDL
+#   jobs:
+#   - template: templates/sdl-job.yml
+#     parameters:
+#       serviceTreeID: '9792b8d3-bc2c-432c-8fc9-bdb143552208'
 
-- stage: Build
-  jobs:
-  - job: build_vscode_plugin
-    displayName: Build VSCode Plugin
-    pool:
-      vmImage: 'windows-latest'
-    steps:
-    - task: Npm@1
-      displayName: npm install
-      inputs:
-        command: 'install'
-        workingDir: 'DevSkim-VSCode-Plugin/'
-    - task: Npm@1
-      inputs:
-        command: 'custom'
-        workingDir: 'DevSkim-VSCode-Plugin/'
-        customCommand: 'run pack-ext'
-    - task: AntiMalware@3
-      displayName: Anti-Malware Scan
-      inputs:
-        InputType: 'Basic'
-        ScanType: 'CustomScan'
-        FileDirPath: 'DevSkim-VSCode-Plugin/'
-        EnableServices: true
-        SupportLogOnError: false
-        TreatSignatureUpdateFailureAs: 'Warning'
-        SignatureFreshness: 'UpToDate'
-        TreatStaleSignatureAs: 'Warning'
-    - task: PowerShell@2
-      displayName: Move Plugin File
-      inputs:
-        targetType: 'inline'
-        script: 'mv DevSkim-VSCode-Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY'
-    - task: PublishBuildArtifacts@1
-      displayName: Publish Unsigned Artifact
-      inputs:
-        PathtoPublish: '$(Build.StagingDirectory)'
-        ArtifactName: 'Unsigned_Plugin'
-        publishLocation: 'Container'
+# - stage: Build
+#   jobs:
+#   - job: build_vscode_plugin
+#     displayName: Build VSCode Plugin
+#     pool:
+#       vmImage: 'windows-latest'
+#     steps:
+#     - task: Npm@1
+#       displayName: npm install
+#       inputs:
+#         command: 'install'
+#         workingDir: 'DevSkim-VSCode-Plugin/'
+#     - task: Npm@1
+#       inputs:
+#         command: 'custom'
+#         workingDir: 'DevSkim-VSCode-Plugin/'
+#         customCommand: 'run pack-ext'
+#     - task: AntiMalware@3
+#       displayName: Anti-Malware Scan
+#       inputs:
+#         InputType: 'Basic'
+#         ScanType: 'CustomScan'
+#         FileDirPath: 'DevSkim-VSCode-Plugin/'
+#         EnableServices: true
+#         SupportLogOnError: false
+#         TreatSignatureUpdateFailureAs: 'Warning'
+#         SignatureFreshness: 'UpToDate'
+#         TreatStaleSignatureAs: 'Warning'
+#     - task: PowerShell@2
+#       displayName: Move Plugin File
+#       inputs:
+#         targetType: 'inline'
+#         script: 'mv DevSkim-VSCode-Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY'
+#     - task: PublishBuildArtifacts@1
+#       displayName: Publish Unsigned Artifact
+#       inputs:
+#         PathtoPublish: '$(Build.StagingDirectory)'
+#         ArtifactName: 'Unsigned_Plugin'
+#         publishLocation: 'Container'
 
-- stage: Release
-  dependsOn:
-  - SDL
-  - Build
-  condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI'))
-  jobs:
-  - job: sign_hash_release
-    displayName: Code Sign, Generate Hashes, Publish Public Release
-    pool:
-      vmImage: 'windows-latest'
-    steps:
-    - task: DownloadBuildArtifacts@0
-      displayName: Retrieve Unsigned Artifact 
-      inputs:
-        buildType: 'current'
-        downloadType: 'specific'
-        itemPattern: 'Unsigned_Plugin\*.vsix'
-        downloadPath: '$(Build.BinariesDirectory)'
-    - task: AntiMalware@3
-      displayName: Anti-Malware Scan
-      inputs:
-        InputType: 'Basic'
-        ScanType: 'CustomScan'
-        FileDirPath: '$(Build.BinariesDirectory)\Unsigned_Plugin'
-        EnableServices: true
-        SupportLogOnError: false
-        TreatSignatureUpdateFailureAs: 'Warning'
-        SignatureFreshness: 'UpToDate'
-        TreatStaleSignatureAs: 'Warning'
-    - task: EsrpCodeSigning@1
-      displayName: Code Sign VSCode Plugin
-      inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
-        FolderPath: '$(Build.BinariesDirectory)\Unsigned_Plugin'
-        Pattern: '*.vsix'
-        signConfigType: 'inlineSignParams'
-        inlineOperation: |
-          [
-                  {
-                      "KeyCode" : "CP-233016",
-                      "OperationCode" : "OpcSign",
-                      "Parameters" : {
-                          "FileDigest" : "/fd SHA256"
-                      },
-                      "ToolName" : "sign",
-                      "ToolVersion" : "1.0"
-                  },
-                  {
-                      "KeyCode" : "CP-233016",
-                      "OperationCode" : "OpcVerify",
-                      "Parameters" : {},
-                      "ToolName" : "sign",
-                      "ToolVersion" : "1.0"
-                  }
-              ]
-        SessionTimeout: '60'
-        MaxConcurrency: '50'
-        MaxRetryAttempts: '5'
-    - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }'
-      displayName: 'Delete Code Sign Summaries'
-    - task: PowerShell@2
-      displayName: Move Plugin File
-      inputs:
-        targetType: 'inline'
-        script: 'mv $env:BUILD_BINARIESDIRECTORY/Unsigned_Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY/'
-    - task: PowerShell@2
-      displayName: Generate Hashes
-      inputs:
-        targetType: 'inline'
-        script: |
-          Get-ChildItem $(Build.StagingDirectory) | Foreach-Object {
-            $name = $_.Name
-            $tmp = (Get-FileHash "$(Build.StagingDirectory)\$name").Hash
-            Add-Content $(Build.StagingDirectory)\HASHES.txt "$tmp`t$name"
-          }
-    - task: PublishPipelineArtifact@1
-      displayName: Publish Signed Artifact to Pipeline
-      inputs:
-        targetPath: '$(Build.StagingDirectory)'
-        artifact: 'Signed_Plugin'
-    - task: Npm@1
-      displayName: Install vsce
-      inputs:
-        command: 'custom'
-        customCommand: 'install -g vsce'
-    - task: PowerShell@2
-      displayName: Deploy to VS Marketplace
-      inputs:
-        targetType: 'inline'
-        script: |
-          $packPath = Resolve-Path $env:BUILD_STAGINGDIRECTORY\*.vsix -Relative
-          vsce publish --packagePath $packPath --pat $(VS_Token)
-        workingDirectory: '$(Build.StagingDirectory)'
+# - stage: Release
+#   dependsOn:
+#   - SDL
+#   - Build
+#   condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI'))
+#   jobs:
+#   - job: sign_hash_release
+#     displayName: Code Sign, Generate Hashes, Publish Public Release
+#     pool:
+#       vmImage: 'windows-latest'
+#     steps:
+#     - task: DownloadBuildArtifacts@0
+#       displayName: Retrieve Unsigned Artifact 
+#       inputs:
+#         buildType: 'current'
+#         downloadType: 'specific'
+#         itemPattern: 'Unsigned_Plugin\*.vsix'
+#         downloadPath: '$(Build.BinariesDirectory)'
+#     - task: AntiMalware@3
+#       displayName: Anti-Malware Scan
+#       inputs:
+#         InputType: 'Basic'
+#         ScanType: 'CustomScan'
+#         FileDirPath: '$(Build.BinariesDirectory)\Unsigned_Plugin'
+#         EnableServices: true
+#         SupportLogOnError: false
+#         TreatSignatureUpdateFailureAs: 'Warning'
+#         SignatureFreshness: 'UpToDate'
+#         TreatStaleSignatureAs: 'Warning'
+#     - task: EsrpCodeSigning@1
+#       displayName: Code Sign VSCode Plugin
+#       inputs:
+#         ConnectedServiceName: 'Devskim_CodeSign'
+#         FolderPath: '$(Build.BinariesDirectory)\Unsigned_Plugin'
+#         Pattern: '*.vsix'
+#         signConfigType: 'inlineSignParams'
+#         inlineOperation: |
+#           [
+#                   {
+#                       "KeyCode" : "CP-233016",
+#                       "OperationCode" : "OpcSign",
+#                       "Parameters" : {
+#                           "FileDigest" : "/fd SHA256"
+#                       },
+#                       "ToolName" : "sign",
+#                       "ToolVersion" : "1.0"
+#                   },
+#                   {
+#                       "KeyCode" : "CP-233016",
+#                       "OperationCode" : "OpcVerify",
+#                       "Parameters" : {},
+#                       "ToolName" : "sign",
+#                       "ToolVersion" : "1.0"
+#                   }
+#               ]
+#         SessionTimeout: '60'
+#         MaxConcurrency: '50'
+#         MaxRetryAttempts: '5'
+#     - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }'
+#       displayName: 'Delete Code Sign Summaries'
+#     - task: PowerShell@2
+#       displayName: Move Plugin File
+#       inputs:
+#         targetType: 'inline'
+#         script: 'mv $env:BUILD_BINARIESDIRECTORY/Unsigned_Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY/'
+#     - task: PowerShell@2
+#       displayName: Generate Hashes
+#       inputs:
+#         targetType: 'inline'
+#         script: |
+#           Get-ChildItem $(Build.StagingDirectory) | Foreach-Object {
+#             $name = $_.Name
+#             $tmp = (Get-FileHash "$(Build.StagingDirectory)\$name").Hash
+#             Add-Content $(Build.StagingDirectory)\HASHES.txt "$tmp`t$name"
+#           }
+#     - task: PublishPipelineArtifact@1
+#       displayName: Publish Signed Artifact to Pipeline
+#       inputs:
+#         targetPath: '$(Build.StagingDirectory)'
+#         artifact: 'Signed_Plugin'
+#     - task: Npm@1
+#       displayName: Install vsce
+#       inputs:
+#         command: 'custom'
+#         customCommand: 'install -g vsce'
+#     - task: PowerShell@2
+#       displayName: Deploy to VS Marketplace
+#       inputs:
+#         targetType: 'inline'
+#         script: |
+#           $packPath = Resolve-Path $env:BUILD_STAGINGDIRECTORY\*.vsix -Relative
+#           vsce publish --packagePath $packPath --pat $(VS_Token)
+#         workingDirectory: '$(Build.StagingDirectory)'

rules/default/correctness/datetime.json

@@ -0,0 +1,33 @@
+[
+    {
+        "name": "Possible incorrect datetime format",
+        "id": "DS600100",
+        "description": "The %M format is 'minute' but used like 'month'",
+        "recommendation": "Change the format to %m.",
+        "applies_to": [
+            "python"
+        ],
+        "tags": [
+            "Correctness.DateTime.Format"
+        ],
+        "severity": "moderate",
+        "rule_info": "",
+        "patterns": [
+            {
+                "pattern": "(%Y-%M-%d)|(%M-%d-%Y)|(%M/%d/%Y)",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ]
+            }
+        ],
+        "must-match": [
+            "when = [tm.strftime('%M/%d/%Y %I:%M %p') for tm in when]",
+            "return '%s [%s:%s] ' % (time.strftime('%Y-%M-%d %X'),"
+        ],
+        "must-not-match": [
+            "when = tm.strftime('%m/%d/%Y %I:%M %p')",
+            "%Y-%m-%d %H:%M:%S"
+        ]
+    }
+]