Allow year in OWASP string for scalar type

yaml/semgrep/metadata-owasp.test.yaml

@@ -7,31 +7,63 @@ rules:
     metadata:
       # ok: metadata-owasp
       owasp: "A1: Some Vulnerability"
-  - id: example-2
+  - id: example-1b
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ok: metadata-owasp
+      owasp: A05:2021 - Security Misconfiguration
+  - id: example-bad-zero
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ruleid: metadata-owasp
+      owasp: "A0: Zero"
+  - id: example-bad-double-zero-year
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ruleid: metadata-owasp
+      owasp: "A00:2021 Zero"
+  - id: example-bad-missing-leading-zero
+    message: Example
+    severity: ERROR
+    languages: [json, yaml]
+    pattern: "..."
+    metadata:
+      # ruleid: metadata-owasp
+      owasp: A5:2021 - Security Misconfiguration
+  - id: example-bad-greater-than-10
     message: Example
     severity: ERROR
     languages: [json, yaml]
     pattern: "..."
     metadata:
       # ruleid: metadata-owasp
       owasp: "A11: Some Vulnerability"
-  - id: example-3
+  - id: example-bad-missing-details
     message: Example
     severity: ERROR
     languages: [json, yaml]
     pattern: "..."
     metadata:
       # ruleid: metadata-owasp
       owasp: a4
-  - id: example-4
+  - id: example-bad-missing-colon
     message: Example
     severity: ERROR
     languages: [json, yaml]
     pattern: "..."
     metadata:
       # ruleid: metadata-owasp
       owasp: A5 Some Vulnerability
-  - id: example-5
+  - id: example-good-list
     message: Example
     severity: ERROR
     languages: [json, yaml]
@@ -43,15 +75,21 @@ rules:
         - A05:2021 - Security Misconfiguration
         # ok: metadata-owasp
         - A06:2017 - Security Misconfiguration
-  - id: example-6
+  - id: example-bad-list
     message: Example
     severity: ERROR
     languages: [json, yaml]
     pattern: "..."
     metadata:
       # ok: metadata-owasp
       owasp:
+        # ruleid: metadata-owasp
+        - A0:2021 - Zero
+        # ruleid: metadata-owasp
+        - A00:2021 - Double Zero
+        # Missing leading zero
         # ruleid: metadata-owasp
         - A5:2021 - Security Misconfiguration
+        # Crazy year
         # ruleid: metadata-owasp
         - A06:201789 - Security Misconfiguration

yaml/semgrep/metadata-owasp.yaml

@@ -9,13 +9,17 @@ rules:
       - pattern-inside: "rules: ..."
       - pattern-inside: "metadata: ..."
       - pattern-either:
+        # A single line year is optional, e.g. `owasp: "A1: blah"` or `owasp: A01:2021 blah`
+        # If there's a year, need leading zero, e.g. `A01:2021 blah` rather than `A1:2021 blah`.
           - patterns:
               - pattern: 'owasp: "..."'
-              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10): .+$/"'
+              - pattern-not: 'owasp: "=~/^A(0?[1-9]|10):\s+.+$/"'
+              - pattern-not: 'owasp: "=~/^A(0[1-9]|10):([0-9]{4})?\s+.+$/"'
+          # A list, must have the year, e.g. `- A01:2021 blah`
           - patterns:
               - pattern-inside: "owasp: [...]"
               - pattern: '"$ANYTHING"'
-              - pattern-not-regex: .*A[01][0-9]:[0-9]{4}\s+.*
+              - pattern-not-regex: .*A(0[1-9]|10):[0-9]{4}\s+.*
               - pattern-not-regex: "owasp:"
     metadata:
       category: best-practice