Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding slack workflow #585

Merged
merged 6 commits into from
Dec 8, 2021
Merged

Adding slack workflow #585

merged 6 commits into from
Dec 8, 2021

Conversation

eddynaka
Copy link
Collaborator

@eddynaka eddynaka commented Nov 29, 2021
edited

Changes

image

For significant contributions please make sure you have completed the following items:

  • ReleaseHistory.md updated for non-trivial changes
  • Added unit tests

@eddynaka eddynaka marked this pull request as ready for review November 30, 2021 22:31
michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Src/Plugins/Security/SEC101.SecurePlaintextSecrets.json Outdated
@@ -463,6 +463,12 @@
"ContentsRegex": "$SEC101/047.CratesApiKey",
"MessageArguments": { "secretKind": "Crates API key" }
},
{
"Id": "SEC101/048",
"Name": "DoNotExposePlaintextSecrets/SlackWorkflow",
Copy link
Member

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SlackWorkflow

usually a rule name has Credentials, Token or something like that as a suffix, why don't we have one here?

btw - aren't we supposed to rename all 'ApiKey' rules to 'Token'? didn't we do that rename exercise elsewhere? #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Credentials = id + password, for example.
Token/ApiKey = you use that to authenticate.
For others, such as workflows/webhooks, we don't have a specific pattern.

Now, should we change all to 'Token', when we discussed about this, we were relying on the term used by the secret.

For example, we found a Nuget api key and not a nuget token.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we actually converged on 'Key' elsewhere unless there was a better term.

In any case, what name do we want here? SlackWorkflowKey?

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Src/Plugins/Security/SEC101_048.SlackWorkflowValidator.cs Outdated

case HttpStatusCode.NotFound:
{
message = "The specified Slack webhook could not be found.";
Copy link
Member

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

webhook

webhook? isn't that another rule? #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, forgot to update.
will do once u finish this review!

thanks!

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Src/Plugins/Tests.Security/Validators/SEC101_005.SlackTokenValidatorTests.cs Outdated
@@ -15,6 +15,9 @@

namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security.Validators
{
/// <summary>
/// Testing SEC101/005.SlackTokenValidator
Copy link
Member

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SlackTokenValidator

The name of this rule is wrong, it should be SlackApiToken. When you fix this, be sure to indicate the deprecated rule name. #Closed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I think SlackApiKey is actually the right rule name.

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Src/Plugins/Security/SEC101_048.SlackWorkflowValidator.cs Outdated

namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security
{
public class SlackWorkflowValidator : DynamicValidatorBase
Copy link
Member

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SlackWorkflowValidator

I think SlackWorkflowToken is the right name of this rule. #Closed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, SlackWorkflowKey looks right.

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Src/Plugins/Tests.Security/Validators/SEC101_020.DropboxAccessTokenTokenValidatorTests.cs
@@ -16,6 +16,9 @@

namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security.Validators
{
/// <summary>
/// Testing SEC101/020.DropboxAccessTokenValidator
Copy link
Member

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DropboxAccessTokenValidator

The name of this file is wrong, SEC101_020.DropboxAccessTokenTokenValidatorTests.cs, the word 'Token' is repeated.
#Closed

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Src/Plugins/Tests.Security/Validators/SEC101_015.AkamaiCredentialsValidatorTests.cs
@@ -18,7 +18,7 @@
namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security.Validators
{
/// <summary>
/// Testing SEC101/026.AkamaiCredentialsValidatorTests
/// Testing SEC101/015.AkamaiCredentialsValidator
Copy link
Member

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AkamaiCredentialsValidator

Well done fixing all these comments up, Ed!! #Closed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!
i'm following ur guidance to make everything in the same format, it will facilitate in the future :)

michaelcfanning
michaelcfanning requested changes Dec 8, 2021
View reviewed changes
Copy link
Member

@michaelcfanning michaelcfanning left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🕐

michaelcfanning
michaelcfanning approved these changes Dec 8, 2021
View reviewed changes
Copy link
Member

@michaelcfanning michaelcfanning left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@michaelcfanning michaelcfanning enabled auto-merge (squash) December 8, 2021 22:33
@michaelcfanning michaelcfanning merged commit bbeae03 into main Dec 8, 2021
@eddynaka eddynaka deleted the users/ednakamu/addinig-slack-workflow branch March 8, 2022 00:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelcfanning michaelcfanning michaelcfanning approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@eddynaka @michaelcfanning