-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving rule accuracy #523
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good additions! I think there might be a typo in one of the android rules "debuggin" vs "debugging"
"rule_info": "DS180000.md", | ||
"patterns": [ | ||
{ | ||
"pattern": "setWebContentsDebugginEnabled(true)", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo? Missing the g for on debuggin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh whoops, good catch
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks like good improvements. I think we have the ability to have a couple of these have automatic fixes - particularly the ones doing the xml parsing for android.
Other comments are about how many variations of c# instantiation the XSLT query can detect.
"name": "Android debug is enabled.", | ||
"id": "DS180000", | ||
"description": "The android:debuggable element is set to true, which should be disabled for release builds.", | ||
"recommendation": "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"recommendation": "", | |
"recommendation": "Set android:debuggable to false for release builds.", |
"name": "Android debug is enabled.", | ||
"id": "DS180001", | ||
"description": "The setWebContentsDebuggingEnabled element is set to true, which should be disabled for release builds.", | ||
"recommendation": "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"recommendation": "", | |
"recommendation": "Set setWebContentsDebuggingEnabled to false for release builds.", | |
"name": "Android StrictMode is enabled.", | ||
"id": "DS180002", | ||
"description": "StrictMode is detected, which is useful for developers but should be disabled for release builds.", | ||
"recommendation": "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"recommendation": "", | |
"recommendation": "Disable StrictMode for release builds.", | |
"name": "XSLT Scripting Enabled", | ||
"id": "DS132781", | ||
"description": "XSLT Scripting is a feature that should only be enabled if script support is necessary and you are certain this is used in a trusted environment.", | ||
"recommendation": "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"recommendation": "", | |
"recommendation": "Disable XSLT scripting.", |
} | ||
], | ||
"must-match": [ | ||
"XsltSettings n = new XsltSettings();\n n.EnableScript=true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this detect
XsltSettings n = new XsltSettings(){ EnableScript = true };
or
var settings = new XsltSettings(){ EnableScript = true };
or
XsltSettings n = new(){ EnableScript = true };
@atrompler added references to the devskim issues I think this PR aims to resolve. Can you double check that list is accurate? |
"modifiers" : ["i"] | ||
} | ||
], | ||
"fix_its": [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe these fix it's need to specify a search-in of finding-only
.
In particular updates App inspector rules engine to support xpath namespaces.
Test failures seem odd. Issues with files not found. I suspect just a transient pipeline issue and worth just rerunning them first. |
The test failures revealed an issue in Recursive Extractor pulled into AI. Now fixed. |
Fix #472
Fix #452
Fix #544
Fix #546
Related:
#339
#231