feat: Hard coded key

packages/scanner/doc/labels/crypto.decrypt.md

@@ -0,0 +1,7 @@
+---
+name: crypto.decrypt
+rules:
+  - hard-coded-key
+---
+
+A function that performs decryption.

packages/scanner/doc/labels/crypto.encrypt.md

@@ -0,0 +1,8 @@
+---
+name: crypto.encrypt
+rules:
+  - hard-coded-key
+  - unauthenticated-encryption
+---
+
+A function that performs encryption.

packages/scanner/doc/labels/crypto.set_auth_data.md

@@ -0,0 +1,7 @@
+---
+name: crypto.set_auth_data
+rules:
+  - unauthenticated-encryption
+---
+
+A function that sets authenticated data for an encryption operation.

packages/scanner/doc/labels/crypto.set_key.md

@@ -0,0 +1,7 @@
+---
+name: crypto.set_key
+rules:
+  - hard-coded-key
+---
+
+A function that sets the crytographic key for encryption, decryption, or signature.

packages/scanner/doc/labels/string.unpack.md

@@ -0,0 +1,12 @@
+---
+name: string.unpack
+rules:
+  - hard-coded-key
+---
+
+Unpacks a string into binary from a printable encoding such as hex or Base64.
+
+## Examples
+
+- Ruby [String#unpack](https://ruby-doc.org/core-3.1.2/String.html#method-i-unpack)
+- Ruby [String#unpack1](https://ruby-doc.org/core-3.1.2/String.html#method-i-unpack1)

packages/scanner/doc/rules/hard-coded-key.md

@@ -0,0 +1,17 @@
+---
+rule: hard-coded-key
+name: Hard coded key
+title: Hard-coded key
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.decrypt
+  - crypto.set_key
+  - string.unpack
+---
+
+Finds occurrances in which a cryptographic key is used that is not provided by a function.
+
+`string.unpack` functions are an exception, because they are only modifying, not creating, the key.

packages/scanner/doc/rules/unauthenticated-encryption.md

@@ -0,0 +1,14 @@
+---
+rule: unauthenticated-encryption
+name: Unauthenticated encryption
+title: Unauthenticated encryption
+references:
+  A02:2021: https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+impactDomain: Security
+labels:
+  - crypto.encrypt
+  - crypto.set_auth_data
+scope: root
+---
+
+Ensure that encryption operations use authenticated encryption.

packages/scanner/src/rules/hard-coded-key/metadata.ts

@@ -0,0 +1,12 @@
+import { Metadata } from '../lib/metadata';
+
+export default {
+  title: 'Hard-coded key',
+  scope: 'root',
+  enumerateScope: true,
+  impactDomain: 'Security',
+  references: {
+    'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+  },
+  labels: ['crypto.encrypt', 'crypto.decrypt', 'crypto.set_key', 'string.unpack'],
+} as Metadata;

packages/scanner/src/rules/hard-coded-key/rule.ts

@@ -0,0 +1,44 @@
+import { Event } from '@appland/models';
+import { AppMapIndex, MatcherResult, RuleLogic } from '../../types';
+
+function matcher(event: Event, appMapIndex: AppMapIndex): MatcherResult {
+  if (!event.receiver) return;
+
+  const receiverObjectId = event.receiver.object_id;
+  const setKey = appMapIndex.appMap.events.find(
+    (evt) =>
+      evt.isCall() &&
+      evt.receiver?.object_id === receiverObjectId &&
+      evt.labels.has('crypto.set_key')
+  );
+  if (!setKey) return;
+
+  const keyObject = setKey.parameters![0];
+  if (!keyObject) return;
+
+  const keyObjectId = keyObject.object_id;
+  const obtainKey = appMapIndex.appMap.events.find(
+    (evt) =>
+      evt.isReturn() &&
+      evt !== setKey.returnEvent &&
+      !evt.codeObject.labels.has('string.unpack') &&
+      evt.returnValue?.object_id === keyObjectId
+  );
+  if (!obtainKey) {
+    return [
+      {
+        level: 'warning',
+        event,
+        message: `Cryptographic key is not obtained from a function, and may be hard-coded`,
+        participatingEvents: { 'crypto.set_key': setKey },
+      },
+    ];
+  }
+}
+
+export default function rule(): RuleLogic {
+  return {
+    matcher,
+    where: (e: Event) => e.labels.has('crypto.encrypt'),
+  };
+}

packages/scanner/src/rules/unauthenticated-encryption/metadata.ts

@@ -0,0 +1,12 @@
+import { Metadata } from '../lib/metadata';
+
+export default {
+  title: 'Unauthenticated encryption',
+  scope: 'root',
+  enumerateScope: true,
+  impactDomain: 'Security',
+  references: {
+    'A02:2021': 'https://owasp.org/Top10/A02_2021-Cryptographic_Failures/',
+  },
+  labels: ['crypto.encrypt', 'crypto.set_auth_data'],
+} as Metadata;

packages/scanner/src/rules/unauthenticated-encryption/rule.ts

@@ -0,0 +1,26 @@
+import { Event } from '@appland/models';
+import { AppMapIndex, MatcherResult, RuleLogic } from '../../types';
+
+function matcher(event: Event, appMapIndex: AppMapIndex): MatcherResult {
+  if (!event.receiver) return;
+
+  const objectId = event.receiver.object_id;
+  const setAuthData = appMapIndex.appMap.events
+    .filter((evt) => evt.receiver?.object_id === objectId)
+    .find((evt) => evt.labels.has('crypto.set_auth_data'));
+  if (!setAuthData) {
+    return [
+      {
+        event,
+        message: 'Encryption is not authenticated',
+      },
+    ];
+  }
+}
+
+export default function rule(): RuleLogic {
+  return {
+    matcher,
+    where: (e: Event) => e.labels.has('crypto.encrypt'),
+  };
+}

packages/scanner/src/sampleConfig/default.yml

@@ -1,26 +1,28 @@
 checks:
-  - rule: authzBeforeAuthn
-  # - rule: circularDependency
-  - rule: deserializationOfUntrustedData
-  - rule: execOfUntrustedCommand
-  - rule: http500
-  # - rule: illegalPackageDependency
-  # - rule: incompatibleHttpClientRequest
-  # - rule: insecureCompare
-  # - rule: jobNotCancelled
-  - rule: logoutWithoutSessionReset
-  # - rule: missingAuthentication
-  - rule: missingContentType
-  - rule: nPlusOneQuery
-  # - rule: queryFromInvalidPackage
-  # - rule: queryFromView
-  # - rule: rpcWithoutCircuitBreaker
-  # - rule: saveWithoutValidation
-  - rule: secretInLog
-  #  - rule: slowFunctionCall
-  #  - rule: slowHttpServerRequest
-  #  - rule: slowQuery
-  - rule: tooManyJoins
-  - rule: tooManyUpdates
-  # - rule: unbatchedMaterializedQuery
-  - rule: updateInGetRequest
+  - rule: authz-before-authn
+  # - rule: circular-dependency
+  - rule: deserialization-of-untrusted-data
+  - rule: exec-of-untrusted-command
+  - rule: hard-coded-key
+  - rule: http-500
+  # - rule: illegal-package-dependency
+  # - rule: incompatible-http-client-request
+  # - rule: insecure-compare
+  # - rule: job-not-cancelled
+  - rule: logout-without-session-reset
+  # - rule: missing-authentication
+  - rule: missing-content-type
+  - rule: n-plus-one-query
+  # - rule: query-from-invalid-package
+  # - rule: query-from-view
+  # - rule: rpc-without-circuit-breaker
+  # - rule: save-without-validation
+  - rule: secret-in-log
+  #  - rule: slow-function-call
+  #  - rule: slow-httpServer-request
+  #  - rule: slow-query
+  - rule: too-many-joins
+  - rule: too-many-updates
+  # - rule: unbatched-materialized-query
+  - rule: unauthenticated-encryption
+  - rule: update-in-get-request

packages/scanner/test/cli/scan.spec.ts

@@ -60,7 +60,7 @@ describe('scan', () => {
     const appMapMetadata = scanResults.summary.appMapMetadata;
     expect(appMapMetadata.apps).toEqual(['spring-petclinic']);
     const checks = scanResults.configuration.checks;
-    ['http500', 'nPlusOneQuery'].forEach((rule) =>
+    ['http-500', 'n-plus-one-query'].forEach((rule) =>
       expect(checks.map((check) => check.rule)).toContain(rule)
     );
     expect(Object.keys(scanResults).sort()).toEqual([