.github/workflows/python_test.yml

@@ -14,7 +14,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
-        python-version: [3.7, 3.8, 3.9, '3.10']
+        python-version: [3.8, 3.9, '3.10']
 
     steps:
     - uses: actions/checkout@v2

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-slim-buster
+FROM python:3.12-slim
 
 RUN apt-get update \
 && apt-get install gcc -y \

README.md

@@ -6,10 +6,7 @@ Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82
 [![PyPI version](https://badge.fury.io/py/njsscan.svg)](https://badge.fury.io/py/njsscan)
 [![platform](https://img.shields.io/badge/platform-osx%2Flinux-green.svg)](https://github.com/ajinabraham/njsscan)
 [![License](https://img.shields.io/:license-lgpl3+-blue.svg)](https://www.gnu.org/licenses/lgpl-3.0.en.html)
-[![python](https://img.shields.io/badge/python-7+-blue.svg)](https://www.python.org/downloads/)
-
-[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/ajinabraham/njsscan.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/ajinabraham/njsscan/context:python)
-[![Requirements Status](https://requires.io/github/ajinabraham/njsscan/requirements.svg?branch=master)](https://requires.io/github/ajinabraham/njsscan/requirements/?branch=master)
+[![python](https://img.shields.io/badge/python-3.7+-blue.svg)](https://www.python.org/downloads/)
 [![Build](https://github.com/ajinabraham/njsscan/workflows/Build/badge.svg)](https://github.com/ajinabraham/njsscan/actions?query=workflow%3ABuild)
 
 ### Support njsscan
@@ -188,7 +185,10 @@ jobs:
     name: njsscan check
     steps:
     - name: Checkout the code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4.2.2
+    - uses: actions/setup-python@v5.3.0
+      with:
+        python-version: '3.12'
     - name: nodejsscan scan
       id: njsscan
       uses: ajinabraham/njsscan-action@master
@@ -214,14 +214,17 @@ jobs:
     name: njsscan code scanning
     steps:
     - name: Checkout the code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4.2.2
+    - uses: actions/setup-python@v5.3.0
+      with:
+        python-version: '3.12'
     - name: nodejsscan scan
       id: njsscan
       uses: ajinabraham/njsscan-action@master
       with:
         args: '. --sarif --output results.sarif || true'
     - name: Upload njsscan report
-      uses: github/codeql-action/upload-sarif@v1
+      uses: github/codeql-action/upload-sarif@v3
       with:
         sarif_file: results.sarif
 ```

njsscan/__init__.py

@@ -6,7 +6,7 @@
 __title__ = 'njsscan'
 __authors__ = 'Ajin Abraham'
 __copyright__ = f'Copyright {datetime.now().year} Ajin Abraham, OpenSecurity'
-__version__ = '0.3.3'
+__version__ = '0.4.3'
 __version_info__ = tuple(int(i) for i in __version__.split('.'))
 __all__ = [
     '__title__',

njsscan/__main__.py

@@ -8,7 +8,7 @@
 from njsscan.njsscan import NJSScan
 from njsscan.formatters import (
     cli,
-    json,
+    json_out,
     sarif,
     sonarqube,
 )
@@ -81,7 +81,7 @@ def main():
                 scan_results,
                 __version__)
         elif args.json:
-            json.json_output(
+            json_out.json_output(
                 args.output,
                 scan_results,
                 __version__)

njsscan/formatters/sarif.py

@@ -1,122 +1,104 @@
 # -*- coding: utf_8 -*-
-"""Sarif output format.
+"""SARIF output formatter for NodeJS scan results.
 
-Based on https://github.com/microsoft/bandit-sarif-formatter/
-blob/master/bandit_sarif_formatter/formatter.py
+Based on https://github.com/microsoft/
+bandit-sarif-formatter/blob/master/
+bandit_sarif_formatter/formatter.py
+MIT License, Copyright (c) Microsoft Corporation.
 
-Copyright (c) Microsoft.  All Rights Reserved.
-MIT License
-
-Copyright (c) Microsoft Corporation.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
 """
-from datetime import datetime
+from datetime import datetime, timezone
 from pathlib import PurePath
 import urllib.parse as urlparse
 
 import sarif_om as om
 
 from jschema_to_python.to_json import to_json
 
-
 TS_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
 
 
 def level_from_severity(severity):
-    if severity == 'ERROR':
-        return 'error'
-    elif severity == 'WARNING':
-        return 'warning'
-    elif severity == 'INFO':
-        return 'note'
-    else:
-        return 'none'
+    return {
+        'ERROR': 'error',
+        'WARNING': 'warning',
+        'INFO': 'note',
+    }.get(severity, 'none')
 
 
 def to_uri(file_path):
     pure_path = PurePath(file_path)
     if pure_path.is_absolute():
         return pure_path.as_uri()
     else:
-        posix_path = pure_path.as_posix()  # Replace backslashes with slashes.
-        return urlparse.quote(posix_path)  # %-encode special characters.
+        return urlparse.quote(pure_path.as_posix())
 
 
-def get_rule_name(rule_id):
-    normalized = []
-    noms = rule_id.split('_')
-    for nom in noms:
-        normalized.append(nom.capitalize())
-    return ''.join(normalized)
+def format_rule_name(rule_id):
+    return ''.join(word.capitalize() for word in rule_id.split('_'))
 
 
 def add_results(scan_results, run):
     if run.results is None:
         run.results = []
-    res = {}
-    res.update(scan_results.get('nodejs', []))
-    res.update(scan_results.get('templates', []))
+    combined_results = {
+        **scan_results.get('nodejs', {}),
+        **scan_results.get('templates', {})}
     rules = {}
     rule_indices = {}
 
-    for rule_id, issue_dict in res.items():
+    for rule_id, issue_dict in combined_results.items():
         if 'files' not in issue_dict:
-            # no missing controls in sarif
             continue
-        result = create_result(rule_id, issue_dict, rules, rule_indices)
-        run.results.append(result)
-
-    if len(rules) > 0:
+        result = create_rule_results(
+            rule_id,
+            issue_dict,
+            rules,
+            rule_indices)
+        run.results.extend(result)
+
+    if rules:
         run.tool.driver.rules = list(rules.values())
 
 
-def create_result(rule_id, issue_dict, rules, rule_indices):
-    if rule_id in rules:
-        rule = rules[rule_id]
-        rule_index = rule_indices[rule_id]
-    else:
-        doc = 'https://ajinabraham.github.io/nodejsscan/#{}'.format(rule_id)
+def create_rule_results(rule_id, issue_dict, rules, rule_indices):
+    rule_results = []
+
+    rule, rule_index = rules.get(rule_id), rule_indices.get(rule_id)
+
+    if not rule:
+        doc = ('https://ajinabraham.'
+               f'github.io/nodejsscan/#{rule_id}')
+        cwe_id = issue_dict['metadata']['cwe'].split(':')[0].lower()
         rule = om.ReportingDescriptor(
             id=rule_id,
-            name=get_rule_name(rule_id),
+            name=format_rule_name(rule_id),
             help_uri=doc,
-        )
+            properties={'tags': ['security', f'external/cwe/{cwe_id}']})
         rule_index = len(rules)
         rules[rule_id] = rule
         rule_indices[rule_id] = rule_index
 
-    locations = []
-    for item in issue_dict['files']:
-        physical_location = om.PhysicalLocation(
-            artifact_location=om.ArtifactLocation(
-                uri=to_uri(item['file_path'])),
-        )
-        physical_location.region = om.Region(
-            start_line=item['match_lines'][0],
-            end_line=item['match_lines'][1],
-            start_column=item['match_position'][0],
-            end_column=item['match_position'][1],
-            snippet=om.ArtifactContent(text=item['match_string']),
-        )
-        locations.append(om.Location(physical_location=physical_location))
+    for item in issue_dict.get('files', []):
+        location = create_location(item)
+        rule_results.append(create_result(rule, rule_index, issue_dict, [location]))
+
+    return rule_results
+
 
+def create_location(item):
+    return om.Location(
+        physical_location=om.PhysicalLocation(
+            artifact_location=om.ArtifactLocation(uri=to_uri(item['file_path'])),
+            region=om.Region(
+                start_line=item['match_lines'][0],
+                end_line=item['match_lines'][1],
+                start_column=item['match_position'][0],
+                end_column=item['match_position'][1],
+                snippet=om.ArtifactContent(text=item['match_string']))))
+
+
+def create_result(rule, rule_index, issue_dict, locations):
     return om.Result(
         rule_id=rule.id,
         rule_index=rule_index,
@@ -125,39 +107,34 @@ def create_result(rule_id, issue_dict, rules, rule_indices):
         locations=locations,
         properties={
             'owasp-web': issue_dict['metadata']['owasp-web'],
-            'cwe': issue_dict['metadata']['cwe'],
-        },
-    )
+            'cwe': issue_dict['metadata']['cwe']})
 
 
 def sarif_output(outfile, scan_results, njsscan_version):
     log = om.SarifLog(
-        schema_uri=('https://raw.githubusercontent.com/oasis-tcs/'
-                    'sarif-spec/master/Schemata/sarif-schema-2.1.0.json'),
+        schema_uri=('https://raw.githubusercontent.com/'
+                    'oasis-tcs/sarif-spec/master/Schemata/'
+                    'sarif-schema-2.1.0.json'),
         version='2.1.0',
-        runs=[
-            om.Run(
-                tool=om.Tool(driver=om.ToolComponent(
-                    name='nodejsscan',
-                    information_uri='https://github.com/ajinabraham/njsscan',
-                    semantic_version=njsscan_version,
-                    version=njsscan_version),
-                ),
-                invocations=[
-                    om.Invocation(
-                        end_time_utc=datetime.utcnow().strftime(TS_FORMAT),
-                        execution_successful=True,
-                    ),
-                ],
-            ),
-        ],
-    )
+        runs=[om.Run(
+            tool=om.Tool(driver=om.ToolComponent(
+                name='nodejsscan',
+                information_uri='https://github.com/ajinabraham/njsscan',
+                semantic_version=njsscan_version,
+                version=njsscan_version,
+            )),
+            invocations=[om.Invocation(
+                end_time_utc=datetime.now(timezone.utc).strftime(TS_FORMAT),
+                execution_successful=True,
+            )])])
     run = log.runs[0]
     add_results(scan_results, run)
     json_out = to_json(log)
+
     if outfile:
         with open(outfile, 'w') as of:
             of.write(json_out)
     else:
         print(json_out)
+
     return json_out

njsscan/formatters/sonarqube.py

@@ -1,7 +1,7 @@
 # -*- coding: utf_8 -*-
 """Sonarqube output format."""
 
-from njsscan.formatters.json import json_output
+from njsscan.formatters.json_out import json_output
 
 
 def get_sonarqube_issue(njsscan_issue):

njsscan/rules/semantic_grep/crypto/timing_attack_node.yaml

@@ -485,7 +485,8 @@ rules:
               return api != $X;
     message: >-
       String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks.
-      More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
+      A timing attack allows the attacker to learn potentially sensitive information by, for example, measuring how long it takes for the application to respond to a request. 
+      More info: https://nodejs.org/en/learn/getting-started/security-best-practices#information-exposure-through-timing-attacks-cwe-208
     languages:
       - javascript
     severity: WARNING

njsscan/rules/semantic_grep/database/nosql_find_injection.yaml

@@ -1,6 +1,16 @@
 rules:
 - id: node_nosqli_injection
   patterns:
+  - pattern-not-inside: |
+      $SEQUELIZE = require('sequelize')
+      ...
+      $SEQUELIZE(...)
+      ...
+  - pattern-not-inside: |
+      import $SEQUELIZE from 'sequelize'
+      ...
+      $SEQUELIZE(...)
+      ...
   - pattern-not-inside: |
       $SANITIZE = require('mongo-sanitize')
       ...

njsscan/rules/semantic_grep/dos/regex_injection.yaml

@@ -57,11 +57,13 @@ rules:
           - pattern: |
               $STR.split(<... $REQ.$PARAM.$BAR ...>)
     message: >-
-      User controlled data in RegExp() can make the application vulnerable to
-      layer 7 DoS.
+      User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
+      If user input is used to create a regular expression without validation, it can be exploited to create a complex regular expression that takes an excessive amount of time to evaluate. This can lead to a Denial of Service (DoS) attack where the application becomes unresponsive.
+      Even if a ReDoS attack is not intended, poorly crafted or complex regular expressions from user input can cause performance issues that impact the responsiveness of an application.
+      Always sanitize and validate user input to ensure that only safe, expected characters are used in the pattern. This can be done by whitelisting known safe characters and escaping potentially harmful ones.
     languages:
       - javascript
     severity: ERROR
     metadata:
       owasp-web: a1
-      cwe: cwe-400
+      cwe: cwe-400

njsscan/rules/semantic_grep/headers/header_injection.yaml

@@ -45,11 +45,16 @@ rules:
         - pattern: |
             $RES.writeHead(..., { $X: <... $REQ.$QUERY.$FOO ...> }, ...)
     message: >-
-      Untrusted user input in response header will result in HTTP Header
-      Injection or Response Splitting Attacks.
+      If user input is not properly sanitized, an attacker can insert malicious data into response headers. 
+      This can lead to HTTP response splitting, where an attacker injects additional headers or even full HTTP responses, 
+      potentially altering how clients or intermediaries (e.g., proxies) handle the request. 
+      This can lead to vulnerabilities like Cross-Site Scripting (XSS) and cache poisoning.
+      Always sanitize and validate user inputs to ensure they do not contain characters or data that could alter the header structure (e.g., newline characters, control characters). 
+      Another good option is to leverage well-established libraries or frameworks that handle headers securely. 
+      Many frameworks offer built-in methods for setting headers that ensure they are correctly formatted and safe.
     languages:
       - javascript
     severity: ERROR
     metadata:
       owasp-web: a1
-      cwe: cwe-644
+      cwe: cwe-644