Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow year in OWASP string for scalar type #2867

Merged
merged 3 commits into from
Apr 17, 2023
Merged

Allow year in OWASP string for scalar type #2867

merged 3 commits into from
Apr 17, 2023

Conversation

ben-elttam
Copy link
Contributor

  • The regex for scalar strings and lists are different.
  • Before this change scalar strings did not allow specifying a year, whilst lists must have a year.
  • After this change a single string may (optionally) have a year, list behaviour is unchanged, a year must be specified.
  • I also tweaked the string regex to allow multiple whitespace characters like the list regex.

I didn't changing the lists regex to make years optional (e.g. use the same regex for strings and lists of strings). I figured when specifying multiple OWASP references, it's probably the one category mapped to different years, rather than several categories from a single year. I think years been mandatory is probably a good thing.

@ben-elttam
Allow year in OWASP string for scalar type
6a55bfc 
- The regex for scalar strings and lists are different.
- Before this change scalar strings did not allow specifying a year,
  whilst lists must have a year.
- After this change a single string may (optionally) have a year, list
  behaviour is unchanged, a year must be specified.
0xDC0DE
0xDC0DE approved these changes Apr 12, 2023
View reviewed changes
Copy link
Contributor

@0xDC0DE 0xDC0DE left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

@ben-elttam
Update metadata-owasp regex
b57794a 
- I noticed original rule's regex cared about leading zeros.
- Restored old behaviour of leading zeros.
- Scalar string and list now have consistent behaviour of caring about
  leading zeros when year is specified.
- Scalar string leading year is optional when no year is specified.
- Updated test cases.
@ben-elttam
metadata-owasp more tests
03aff57 
- Old regex allowed double-zero with year
@ben-elttam
Copy link
Contributor Author

I couldn't reproduce the returntocorp/semgrep:1.0.0 failure, it works fine for me.

Looking into the rules I noticed that in the list regex cared about leading zeros. So, I've updated the tests cases and regexs to have matching consistent behaviour of caring about leading zeros. I also noticed the old regex allowed double zero as in A00, so I've tightened that up.

I've added more test cases for these.

@0xDC0DE
Copy link
Contributor

0xDC0DE commented Apr 17, 2023

Don't worry about the historical tests. They are not required, and I believe not cause by your PR at the moment.

@0xDC0DE 0xDC0DE merged commit 71a2070 into semgrep:develop Apr 17, 2023
5 of 6 checks passed
@ben-elttam ben-elttam deleted the b-fix-metadata-owasp branch April 18, 2023 06:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xDC0DE 0xDC0DE 0xDC0DE approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ben-elttam @0xDC0DE