/
rules-4.xml
222 lines (221 loc) · 10.5 KB
/
rules-4.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
<rulestore type="mule4">
<ruleset category="application">
<rule id="1"
name="Application should have used APIKit to auto-generate the implementation interface"
description="Application should have used APIKit to auto-generate the implementation interface"
severity="MAJOR" applies="application" type="code_smell">
count(//mule:mule/apikit:config)>0
</rule>
<rule id="2"
name="Application should have an APIKit Global exception strategy"
description="Application should have an APIKit Global exception strategy"
severity="MAJOR" applies="application" type="code_smell">
starts-with(//mule:on-error-propagate/@type,'APIKIT')
</rule>
</ruleset>
<ruleset category="flows">
<rule id="1"
name="Configuration files should not have so many flows"
description="Configuration files should not have so many flows"
severity="MAJOR" type="code_smell">
not(count(//mule:mule/mule:flow)>=10)
</rule>
<rule id="2"
name="Configuration files should not have so many subflows"
description="Configuration files should not have so many subflows"
severity="MAJOR" type="code_smell">
not(count(//mule:mule/mule:sub-flow)>=5)
</rule>
<rule id="3" name="Flows names should match a naming convention"
description="Flows names should match a naming convention"
severity="MINOR" type="code_smell">
count(//mule:mule/mule:flow)=0 or
matches(//mule:mule/mule:flow/@name, '^[a-z:\\{}]+(-[a-z]+)*$')
</rule>
<rule id="4"
name="SubFlows names should match a naming convention"
description="SubFlows names should match a naming convention"
severity="MINOR" type="code_smell">
count(//mule:mule/mule:sub-flow)=0 or
matches(//mule:mule/mule:sub-flow/@name, '^[a-z:\\{}]+(-[a-z]+)*$')
</rule>
<rule id="6" name="Encryption key should not be logged"
description="Encryption key should not be logged" severity="MAJOR"
type="vulnerability">
count(//mule:mule/mule:flow/mule:logger[contains(@message,'${mule.key}')])=0
and
count(//mule:mule/mule:sub-flow/mule:logger[contains(@message,'${mule.key}')])=0
</rule>
</ruleset>
<ruleset category="configuration">
<rule id="1"
name="Credentials and resources should be managed with application properties"
description="Credentials and resources should be managed with application properties"
severity="MAJOR" applies="application" type="bug">
count(//mule:mule/secure-properties:config)>=1 or
count(//mule:mule/mule:configuration-properties)>=1
</rule>
<rule id="2"
name="Mule Credentials Vault should not use a hardcoded encryption key"
description="Mule Credentials Vault should not use a hardcoded encryption key"
severity="MAJOR" type="bug">
count(//mule:mule/secure-properties:config)=0
or
matches(//mule:mule/secure-properties:config/@key, '^\$\{.*\}$')
</rule>
<rule id="3"
name="AutoDiscovery should be used to register the app in API manager"
description="AutoDiscovery should be used to register the app in API manager"
severity="MAJOR" applies="application" type="vulnerability">
count(//mule:mule/api-gateway:autodiscovery)=1
</rule>
<rule id="4"
name="HTTP Status codes should have been properly set inside the exception handler"
description="HTTP Status codes should have been properly set inside the exception handler"
severity="MAJOR" applies="application" type="bug">
count(//mule:on-error-propagate[@type='APIKIT:BAD_REQUEST'])>0
and
count(//mule:on-error-propagate[@type='APIKIT:METHOD_NOT_ALLOWED'])>0
and
count(//mule:on-error-propagate[@type='APIKIT:NOT_FOUND'])>0
</rule>
<rule id="5"
name="Data Transformations should be stored in external DWL Files - Payload"
description="Data Transformations should be stored in external DWL Files - Payload"
severity="MINOR" type="code_smell">
count(//mule:mule/mule:flow/ee:transform/ee:message/ee:set-payload)=0
or
matches(//mule:mule/mule:flow/ee:transform/ee:message/ee:set-payload/@resource,'^.*dwl$')
</rule>
<rule id="6"
name="Data Transformations should be stored in external DWL Files - Variable"
description="Data Transformations should be stored in external DWL Files - Variable"
severity="MINOR" type="code_smell">
count(//mule:mule/mule:flow/ee:transform/ee:message/ee:set-variable)=0
or
matches(//mule:mule/mule:flow/ee:transform/ee:message/ee:set-variable/@resource,'^.*dwl$')
</rule>
<rule id="7" name="HTTP Listener should use HTTPS protocol"
description="HTTP Listener should use HTTPS protocol"
severity="MAJOR" type="vulnerability"
locationHint="//*[local-name()='listener-config']">
count(//mule:mule/http:listener-config)=0
or
//mule:mule/http:listener-config/http:listener-connection/@protocol='HTTPS'
</rule>
<rule id="8"
name="HTTP Listener should use a specific port property"
description="HTTP Listener should use a specific port property"
severity="MAJOR" type="code_smell"
locationHint="//*[local-name()='listener-config']">
count(//mule:mule/http:listener-config)=0
or
//mule:mule/http:listener-config/http:listener-connection/@port='${https.port}'
or
//mule:mule/http:listener-config/http:listener-connection/@port='${https.private.port}'
</rule>
<rule id="9"
name="API ID in AutoDiscovery should not use a hardcoded value"
description="API ID in AutoDiscovery should not use a hardcoded value"
severity="MAJOR" type="code_smell">
count(//mule:mule/api-gateway:autodiscovery)=0
or
matches(//mule:mule/api-gateway:autodiscovery/@apiId, '^\$\{.*\}$')
</rule>
<rule id="10"
name="MSSQL - DB Host name should not use a hardcoded value"
description="DB Host name should not use a <b>hardcoded value</b>"
severity="MAJOR" type="code_smell">
count(//mule:mule/db:config/db:mssql-connection)=0
or
matches(//mule:mule/db:config/db:mssql-connection/@host,
'^\$\{.*\}$')
</rule>
<rule id="11"
name="Domain - HTTP Requestor reconnection strategy should use a configurable count value"
description="<b>Domain</b> - HTTP Requestor reconnection strategy should use a configurable count value"
severity="MAJOR" applies="file" type="bug">
count(//domain:mule-domain/http:request-config/http:request-connection)
= count(
//domain:mule-domain/http:request-config/http:request-connection/mule:reconnection/mule:reconnect[matches(@count,'^\$\{.*\}$')]
)
</rule>
<rule id="12"
name="Domain - HTTP Requestor reconnection strategy should use configurable frequency"
description="<b>Domain</b> - HTTP Requestor reconnection strategy should use configurable frequency"
severity="MAJOR" applies="file" type="bug">
count(//domain:mule-domain/http:request-config/http:request-connection)
= count(
//domain:mule-domain/http:request-config/http:request-connection/mule:reconnection/mule:reconnect[matches(@frequency,'^\$\{.*\}$')]
)
</rule>
<rule id="13"
name="Domain - Mule Secure Properties should use AES-CBC algorithm"
description="<b>Domain</b> - Mule Secure Properties should use AES-CBC algorithm"
severity="MAJOR" applies="file" type="vulnerability">
count(//domain:mule-domain/secure-properties:config/secure-properties:encrypt[@algorithm!='AES'
or @mode!='CBC']) = 0
</rule>
<rule id="14"
name="Domain - HTTP Listener should not use a hardcoded port value"
description="<b>Domain</b> - HTTP Listener should not use a hardcoded port value"
severity="MAJOR" applies="file" type="code_smell">
count(//domain:mule-domain/http:listener-config)=0
or
matches(//domain:mule-domain/http:listener-config/http:listener-connection/@port,
'^\$\{.*\}$')
</rule>
<rule id="15"
name="Domain - HTTP Requestor Configuration should reference a TLS Configuration"
description="<b>Domain</b> - HTTP Requestor should reference a TLS Configuration"
severity="MINOR" applies="file" type="bug">
count(//domain:mule-domain/http:request-config) =
count(//domain:mule-domain/http:request-config/http:request-connection[matches(@tlsContext,'^\$\{.*\}$')])
</rule>
<rule id="16"
name="Domain - Trust Store Configuration should use a configurable path"
description="<b>Domain</b> - Trust Store Configuration should use a configurable path"
severity="MINOR" applies="file" type="vulnerability">
count(//domain:mule-domain/tls:context/tls:trust-store) =
count(//domain:mule-domain/tls:context/tls:trust-store[matches(@path,'^\$\{.*\}$')])
</rule>
<rule id="17"
name="Domain - Key Store Configuration should use a configurable path"
description="<b>Domain</b> - Key Store Configuration should use a configurable path"
severity="MINOR" applies="file" type="vulnerability">
count(//domain:mule-domain/tls:context/tls:key-store) =
count(//domain:mule-domain/tls:context/tls:key-store[matches(@path,'^\$\{.*\}$')])
</rule>
<rule id="18"
name="Domain - Trust Store Configuration should not have the insecure attribute"
description="<b>Domain</b> - Trust Store Configuration should not have the insecure attribute"
severity="CRITICAL" applies="file" type="vulnerability">
count(//domain:mule-domain/tls:context/tls:trust-store) =
count(//domain:mule-domain/tls:context/tls:trust-store[not(@insecure)])
</rule>
<rule id="19"
name="Domain - HTTPS Listener should have a TLS Configuration"
description="<b>Domain</b> - HTTPS Listener should have a TLS Configuration"
severity="MAJOR" applies="file" type="vulnerability">
count(//domain:mule-domain/http:listener-config/http:listener-connection[@protocol='HTTPS'
and not(@tlsContext)])=0
</rule>
<rule id="20"
name="Domain - HTTP Requestor Configuration should not use dynamic default headers or query params"
description="<b>Domain</b> - HTTP Requestor Configuration should not use dynamic default headers or query params"
severity="CRITICAL" applies="file" type="code_smell">
count(//domain:mule-domain/http:request-config/http:default-headers/http:default-header[matches(@value,'^#\[.*\]$')])
= 0
and
count(//domain:mule-domain/http:request-config/http:default-query-params/http:query-param[matches(@value,'^#\[.*\]$')])
= 0
</rule>
<rule id="21"
name="Domain - HTTP Requestor Configuration should have a configurable Response Timeout"
description="<b>Domain</b> - HTTP Requestor Configuration should have a configurable Response Timeout"
severity="CRITICAL" applies="file" type="bug">
count(//domain:mule-domain/http:request-config[not(@responseTimeout)
or not(matches(@responseTimeout,'^\$\{.*\}$'))]) = 0
</rule>
</ruleset>
</rulestore>