Develop

LICENSE.MD

@@ -2,7 +2,7 @@ License
 ==============
 The MIT License (MIT)
 
-Copyright (c) 2023 - 2024 | Heitor Gouvêa.
+Copyright (c) 2023 - 2025 | Heitor Gouvêa.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -56,12 +56,14 @@ $ perl zarn.pl --rules rules/quick-wins.yml --source ../nozaki --sarif report.sa
 ```yaml
 rules:
   - id: '0001'
+    type: presence
     category: info
     name: Debug module enabled
     message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
     sample:
       - Dumper
   - id: '0002'
+    type: presence
     category: vuln
     name: Code Injection
     message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
@@ -71,11 +73,34 @@ rules:
       - exec
       - qx
   - id: '0003'
+    type: presence
     category: vuln
     name: Path Traversal
     message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
     sample:
       - open
+  - id: '0004'
+    type: presence
+    category: vuln
+    name: Weak Criptography Algorithm
+    message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data.
+    sample:
+      - md5
+  - id: '0005'
+    type: presence
+    category: vuln
+    name: Weak Random Value Generator
+    message: Weak random value generators can lead to predictable values, which can be exploited by attackers to bypass security controls.
+    sample:
+      - rand
+  - id: '0006'
+    type: absence
+    category: warning
+    name: Error Suppression
+    message: Suppressing errors can make it difficult to identify and troubleshoot issues, potentially leading to security vulnerabilities.
+    sample:
+      - strict
+      - warnings
 ```
 
 ---

lib/Zarn/Engine/Source_to_Sink.pm

@@ -19,9 +19,35 @@ package Zarn::Engine::Source_to_Sink {
             'rules=s' => \$rules
         );
 
+
         if ($ast && $rules) {
+            my @absence = grep { $_ -> {type} && $_ -> {type} eq 'absence' } $rules -> @*;
+
+            for my $rule (@absence) {
+                my $category = $rule -> {category};
+                my $title    = $rule -> {name};
+                my $message  = $rule -> {message};
+
+                foreach my $token ($rule -> {sample} -> @*) {
+
+                    if ($ast -> content() !~ m/$token/xms ) {
+                        push @results, {
+                            category       => $category,
+                            title          => $title,
+                            message        => $message,
+                            line_sink      => 'n/a',
+                            rowchar_sink   => 'n/a',
+                            line_source    => 'n/a',
+                            rowchar_source => 'n/a'
+                        };
+                    }
+                }
+            }
+
+            my @presence = grep { !($_ -> {type}) || $_ -> {type} eq 'presence' } $rules -> @*;
+
             foreach my $token (@{$ast -> find('PPI::Token') || []}) {
-                foreach my $rule (@{$rules}) {
+                foreach my $rule (@presence) {
                     my @sample   = $rule -> {sample} -> @*;
                     my $category = $rule -> {category};
                     my $title    = $rule -> {name};
@@ -63,4 +89,4 @@ package Zarn::Engine::Source_to_Sink {
     }
 }
 
-1;
+1;

rules/default.yml

@@ -1,12 +1,14 @@
 ---
 rules:
   - id: '0001'
+    type: presence
     category: info
     name: Debug module enabled
     message: Debug modules can expose sensitive information and potentially create security vulnerabilities.
     sample:
       - Dumper
   - id: '0002'
+    type: presence
     category: vuln
     name: Code Injection
     message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.
@@ -16,20 +18,31 @@ rules:
       - exec
       - qx
   - id: '0003'
+    type: presence
     category: vuln
     name: Path Traversal
     message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.
     sample:
       - open
   - id: '0004'
+    type: presence
     category: vuln
     name: Weak Criptography Algorithm
     message: Weak algorithms like MD5 are susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data.
     sample:
       - md5
   - id: '0005'
+    type: presence
     category: vuln
     name: Weak Random Value Generator
     message: Weak random value generators can lead to predictable values, which can be exploited by attackers to bypass security controls.
     sample:
-      - rand
+      - rand
+  - id: '0006'
+    type: absence
+    category: warning
+    name: Error Suppression
+    message: Suppressing errors can make it difficult to identify and troubleshoot issues, potentially leading to security vulnerabilities.
+    sample:
+      - strict
+      - warnings

rules/prototype.yml

@@ -1,8 +1,80 @@
 ---
 rules:
-  - id: '0001'
+  - id: '0006'
     category: vuln
     name: Cross Site Scripting (XSS)
     message: Occur when untrusted data is rendered as HTML without proper escaping, allowing attackers to execute malicious scripts in the context of the victim's browser.
     sample:
-      - render
+      - render
+  rules:
+  - id: '0012'
+    category: vuln
+    name: Command Injection
+    message: Command injection attacks are possible when an application passes unsafe user supplied data like form values, cookies, HTTP headers etc. to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
+    sample:
+      - exec
+      - syscall
+      - open
+      - qx
+      - readpipe
+  - id: '0006'
+    category: vuln
+    name: Connection String Injection
+    message: A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string isn't validated and malicious text or characters not escaped, an attacker can potentially access sensitive data or other resources on the server.
+    sample:
+      - connect
+      - ora_login
+  - id: '0007'
+    category: vuln
+    name: LDAP Injection
+    message: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
+    sample:
+      - search
+      - modify
+      - moddn
+      - add
+      - bind
+      - delete
+      - compare
+  - id: '0008'
+    category: vuln
+    name: XSS
+    message: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
+    sample:
+      - print
+      - printf
+      - say
+      - echo
+      - header
+      - start_html
+      - end_html
+  - id: '0009'
+    category: vuln
+    name: Remote File Inclusion
+    message: This vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. this can lead to issues like - Code execution, Denial of Service, Sensitive Information Disclosure,etc.
+    sample:
+      - use
+      - require
+  - id: '0010'
+    category: vuln
+    name: Resource Injection
+    message: This attack consists of changing resource identifiers used by an application in order to perform a malicious task. When an application defines a resource type or location based on user input, such as a file name or port number, this data can be manipulated to execute or access different resources.
+    sample:
+      - socket
+  - id: '0011'
+    category: vuln
+    name: SQL Injection
+    message: A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
+    sample:
+      - prepare
+      - execute
+      - bind_param
+      - do
+      - find
+      - create
+      - update
+      - ora_open
+      - ora_do
+      - ora_fetch
+      - select
+      - query

zarn.pl

@@ -27,7 +27,7 @@
     );
 
     if ( !$source ) {
         print "\nZarn v0.1.0"
             . "\nCore Commands"
             . "\n==============\n"
             . "\tCommand          Description\n"
@@ -55,8 +55,8 @@
                 ]
             );
 
-            if (@analysis) {
-                $analysis[0]->{'file'} = $file;
+            for (@analysis) {
+                $_->{file} = $file;
             }
 
             push @results, @analysis;
@@ -72,16 +72,16 @@
         my $line_source    = $result->{line_source};
         my $rowchar_source = $result->{rowchar_source};
 
         print
             "[$category] - FILE:$file \t Potential: $title. \t Dangerous function on line: $line_sink:$rowchar_sink \t Data point possibility controlled: $line_source:$rowchar_source\n";
     }
 
     if ($sarif) {
         my $sarif_data = Zarn::Helper::Sarif->new(@results);
 
         open( my $output, '>', $sarif ) or croak "Cannot open the $sarif file\n";
         print $output encode_json($sarif_data);
         close($output) or die "Error to close the file\n";
     }
 
     return 0;