From bbd9b660b3e3bc0eba38662bdc2cfbe49e9e8f4a Mon Sep 17 00:00:00 2001 
From: Eleftheria Stein-Kousathana
Date: Fri, 31 Jan 2025 17:18:50 +0100
Subject: [PATCH] Add ruletype for OSPS-QA-03 Fix #289
---
.../rule-types/github/osps-qa-03.test.yaml | 43 +++++++++++
.../gemfile_no_lock/Gemfile | 4 +
.../gemfile_with_lock/Gemfile | 4 +
.../gemfile_with_lock/Gemfile.lock | 25 +++++++
.../go_mod_no_go_sum/go.mod | 7 ++
.../go_mod_with_go_sum/go.mod | 7 ++
.../go_mod_with_go_sum/go.sum | 11 +++
.../package_json_no_lock/package.json | 15 ++++
.../package-lock.json | 12 +++
.../package.json | 15 ++++
.../package_json_with_yarn_lock/package.json | 15 ++++
.../package_json_with_yarn_lock/yarn.lock | 4 +
.../rule-types/github/osps-qa-03.yaml | 73 +++++++++++++++++++
13 files changed, 235 insertions(+)
create mode 100644 security-baseline/rule-types/github/osps-qa-03.test.yaml
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_no_lock/Gemfile
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile.lock
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_no_go_sum/go.mod
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.mod
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.sum
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/package_json_no_lock/package.json
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package-lock.json
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package.json
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/package.json
create mode 100644 security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/yarn.lock
create mode 100644 security-baseline/rule-types/github/osps-qa-03.yaml
diff --git a/security-baseline/rule-types/github/osps-qa-03.test.yaml b/security-baseline/rule-types/github/osps-qa-03.test.yaml
new file mode 100644
index 0000000..e15d7ef
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.test.yaml
@@ -0,0 +1,43 @@
+tests:
+ - name: go.mod with no go.sum
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: go_mod_no_go_sum
+ - name: go.mod with go.sum
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: go_mod_with_go_sum
+ - name: Gemfile with no Gemfile.lock
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: gemfile_no_lock
+ - name: Gemfile with Gemfile.lock
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: gemfile_with_lock
+ - name: package.json with package-lock.json
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: package_json_with_package_lock
+ - name: package.json with yarn.lock
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: package_json_with_yarn_lock
+ - name: package.json with no lockfile
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: package_json_no_lock
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_no_lock/Gemfile b/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_no_lock/Gemfile
new file mode 100644
index 0000000..862ede7
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_no_lock/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 7.0'
+gem 'sqlite3', '~> 1.4'
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile b/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile
new file mode 100644
index 0000000..862ede7
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile
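Review bot: The test file exercises no Cargo case even though osps-qa-03.yaml lists `Cargo.toml` with `Cargo.lock` in `package_manager_files`, so that entry is never covered; a pair of repo_base directories following the existing naming (constructed names such as `cargo_toml_no_lock` and `cargo_toml_with_lock`) would match the pattern of the other six cases. There is also no case for a repository with no package manager file at all, which is the only input that reaches the rule's `skip` path, and none with two package files where only one has a lockfile, which is the input on which the rule's `some package_manager` quantifier matters. Both of those should have an explicit `expect` value so the intended outcome is pinned rather than inferred.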
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 7.0'
+gem 'sqlite3', '~> 1.4'
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile.lock b/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile.lock
new file mode 100644
index 0000000..e62e9aa
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/gemfile_with_lock/Gemfile.lock
@@ -0,0 +1,25 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ rails (7.0.4)
+ actioncable (= 7.0.4)
+ actionmailer (= 7.0.4)
+ actionpack (= 7.0.4)
+ actionview (= 7.0.4)
+ activejob (= 7.0.4)
+ activemodel (= 7.0.4)
+ activerecord (= 7.0.4)
+ activestorage (= 7.0.4)
+ activesupport (= 7.0.4)
+ railties (= 7.0.4)
+ sqlite3 (1.4.2)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ rails (~> 7.0)
+ sqlite3 (~> 1.4)
+
+BUNDLED WITH
+ 2.2.19
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_no_go_sum/go.mod b/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_no_go_sum/go.mod
new file mode 100644
index 0000000..31322aa
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_no_go_sum/go.mod
@@ -0,0 +1,7 @@
+module github.com/mindersec/minder-rules-and-profiles
+
+go 1.23.4
+
+require (
+ github.com/rs/zerolog v1.33.0
+)
\ No newline at end of file
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.mod b/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.mod
new file mode 100644
index 0000000..31322aa
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.mod
@@ -0,0 +1,7 @@
+module github.com/mindersec/minder-rules-and-profiles
+
+go 1.23.4
+
+require (
+ github.com/rs/zerolog v1.33.0
+)
\ No newline at end of file
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.sum b/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.sum
new file mode 100644
index 0000000..24d737c
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/go_mod_with_go_sum/go.sum
@@ -0,0 +1,11 @@
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_no_lock/package.json b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_no_lock/package.json
new file mode 100644
index 0000000..331c359
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_no_lock/package.json
@@ -0,0 +1,15 @@
+{
+ "name": "my-app",
+ "version": "1.0.0",
+ "description": "A simple project with one dependency",
+ "main": "index.js",
+ "dependencies": {
+ "lodash": "^4.17.21"
+ },
+ "devDependencies": {},
+ "scripts": {
+ "start": "node index.js"
+ },
+ "author": "Your Name",
+ "license": "MIT"
+}
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package-lock.json b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package-lock.json
new file mode 100644
index 0000000..4e424f4
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package-lock.json
@@ -0,0 +1,12 @@
+{
+ "name": "my-app",
+ "version": "1.0.0",
+ "lockfileVersion": 2,
+ "dependencies": {
+ "lodash": {
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+ "integrity": "sha512-KnxlP5n7gOxlXj1SxxWnWy0xQQjjfgtA5r+DRfdGp1P0FBrw6zEhmL+u90hQH2JszQXOxj6MSLytFz2oZv0O8A=="
+ }
+ }
+}
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package.json b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package.json
new file mode 100644
index 0000000..331c359
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_package_lock/package.json
@@ -0,0 +1,15 @@
+{
+ "name": "my-app",
+ "version": "1.0.0",
+ "description": "A simple project with one dependency",
+ "main": "index.js",
+ "dependencies": {
+ "lodash": "^4.17.21"
+ },
+ "devDependencies": {},
+ "scripts": {
+ "start": "node index.js"
+ },
+ "author": "Your Name",
+ "license": "MIT"
+}
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/package.json b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/package.json
new file mode 100644
index 0000000..331c359
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/package.json
@@ -0,0 +1,15 @@
+{
+ "name": "my-app",
+ "version": "1.0.0",
+ "description": "A simple project with one dependency",
+ "main": "index.js",
+ "dependencies": {
+ "lodash": "^4.17.21"
+ },
+ "devDependencies": {},
+ "scripts": {
+ "start": "node index.js"
+ },
+ "author": "Your Name",
+ "license": "MIT"
+}
diff --git a/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/yarn.lock b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/yarn.lock
new file mode 100644
index 0000000..7d95412
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.testdata/package_json_with_yarn_lock/yarn.lock
@@ -0,0 +1,4 @@
+lodash@^4.17.21:
+ version "4.17.21"
+ resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+ integrity sha512-KnxlP5n7gOxlXj1SxxWnWy0xQQjjfgtA5r+DRfdGp1P0FBrw6zEhmL+u90hQH2JszQXOxj6MSL
diff --git a/security-baseline/rule-types/github/osps-qa-03.yaml b/security-baseline/rule-types/github/osps-qa-03.yaml
new file mode 100644
index 0000000..ab4d108
--- /dev/null
+++ b/security-baseline/rule-types/github/osps-qa-03.yaml
@@ -0,0 +1,73 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: osps-qa-03
+display_name: Package management file listing dependencies is present
+short_failure_message: No package management file listing dependencies was found
+severity:
+ value: info
+context:
+ provider: github
+description: |
+ This rule ensures that the repository provides a dependency list that accounts
+ for the direct language dependencies when the package management system supports it.
+ It checks for the presence of a Gemfile.lock, go.sum, package-lock.json or
+ Cargo.toml according to the package management system used.
+guidance: |
+ Ensure that the repository provides a dependency list that accounts for the direct
+ language dependencies in the form of a lockfile, for example Gemfile.lock, go.sum,
+ package-lock.json etc.
+ Ensure the lockfile is in the same directory as the package file.
+def:
+ in_entity: repository
+ rule_schema: {}
+ ingest:
+ type: git
+ eval:
+ type: rego
+ rego:
+ type: deny-by-default
+ def: |
+ package minder
+
+ import rego.v1
+
+ default allow := false
+ default skip := false
+ default message := "Cannot find lockfile in the same directory as the package file"
+
+ package_manager_files := [
+ {"name": "Gemfile", "lockfiles": ["Gemfile.lock"]},
+ {"name": "go.mod", "lockfiles": ["go.sum"]},
+ {"name": "package.json", "lockfiles": ["package-lock.json", "yarn.lock"]},
+ {"name": "Cargo.toml", "lockfiles": ["Cargo.lock"]},
+ ]
+
+ skip if {
+ # Skip if no package manager file exists
+ every package_manager in package_manager_files {
+ required_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
+ count(required_files) == 0
+ }
+ }
+
+ allow if {
+ # Ensure that we find the required file
+ some package_manager in package_manager_files
+ package_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
+ count(package_files) > 0
+
+ # Get the directory for the package file
+ some package_path in package_files
+ dir := trim_suffix(package_path, sprintf("/%s", [package_manager.name]))
+
+ # Ensure a lockfile exists for the required file in the same directory
+ lockfile_exists(dir, package_manager.lockfiles)
+ }
+
+ lockfile_exists(dir, lockfiles) if {
+ some lockfile in lockfiles
+ count(file.ls_glob(sprintf("%s/%s", [dir, lockfile]))) > 0
+ }
+
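Review bot: `allow` succeeds as soon as a single package file has a lockfile, because `some package_manager in package_manager_files` only needs one witness; a repository holding a `go.mod` with `go.sum` next to a `package.json` with no lockfile therefore passes, although the guidance asks for a lockfile beside every package file and the failure message describes exactly that missing lockfile. Quantifying with nested `every` over the package managers and over each matched package file, guarded by `not skip` so that a repository with no package file is not allowed through the vacuous `every`, closes that gap (rewrite below). Two smaller points: the `description` says the rule checks for `Cargo.toml`, but the table treats `Cargo.toml` as the manifest and `Cargo.lock` as the lockfile, so that sentence should read `Cargo.lock`; and `pnpm-lock.yaml` (and `npm-shrinkwrap.json`) are not accepted for `package.json`, so a fully pinned pnpm project fails this rule. Whether `file.ls_glob("./go.mod")` also matches files below the repository root is not visible here; if it matches only the root, the `trim_suffix` directory computation always yields `.` and the "same directory" wording in the guidance promises more than is checked.
```rego
# … unchanged: package, import, defaults, package_manager_files, skip …

allow if {
    not skip
    every package_manager in package_manager_files {
        package_files := file.ls_glob(sprintf("./%s", [package_manager.name]))
        # every matched package file, not just one, must have a lockfile beside it
        every package_path in package_files {
            dir := trim_suffix(package_path, sprintf("/%s", [package_manager.name]))
            lockfile_exists(dir, package_manager.lockfiles)
        }
    }
}

# … unchanged: lockfile_exists …
```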