Skip to content

fix: Correct CI trigger and branch name; fix OWASP rules #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
seqradev merged 1 commit into from
Jan 21, 2026
Merged

fix: Correct CI trigger and branch name; fix OWASP rules #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ name: Run rule tests

on:
push:
branches: [ "v2" ]
branches: [ "main" ]
pull_request:
branches: [ "v2" ]
branches: [ "main" ]

jobs:
run-test:
Expand All @@ -22,10 +22,10 @@ jobs:
token: ${{ secrets.SEQRA_GITHUB_TOKEN }}
latest: true
fileName: seqra_linux_amd64.tar.gz
out-file-path: seqra-cli
out-file-path: cli

- run: |
cd seqra-cli
cd cli
tar -xzf seqra_linux_amd64.tar.gz

- uses: robinraju/release-downloader@v1.12
Expand Down Expand Up @@ -58,7 +58,7 @@ jobs:

- name: Seqra compile test project
run: |
seqra-cli/seqra compile test --github-token ${{ secrets.SEQRA_GITHUB_TOKEN }} --compile-type native --output ./seqra-project --verbosity debug
cli/seqra compile test --github-token ${{ secrets.SEQRA_GITHUB_TOKEN }} --output ./seqra-project --verbosity debug

- name: Run Seqra analyzer
run: |
Expand Down
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
## v2.1.1
### fix: Correct CI trigger and branch name; fix OWASP rules
- fix: Fix sqli and crypto rules
## v2.1.0
### feat: Add JSP source and sink
- feat: Add jsp source and sink
Expand Down
48 changes: 0 additions & 48 deletions rules/java/lib/generic/servlet-sqli-sinks.yaml
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions rules/java/lib/spring/jdbc-sqli-sinks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,8 @@ rules:
- pattern: (Statement $S).$SQLFUNC(..., $UNTRUSTED, ...)
- pattern: (CallableStatement $S).$SQLFUNC(..., $UNTRUSTED, ...)
- pattern: (PreparedStatement $P).$SQLFUNC(..., $UNTRUSTED, ...)
- pattern: (Connection $C).createStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)
- pattern: (Connection $C).prepareStatement(...).$SQLFUNC(..., $UNTRUSTED, ...)
- pattern: (Connection $C).prepareStatement($UNTRUSTED, ...).$SQLFUNC(...)
- pattern: (Connection $C).prepareCall($UNTRUSTED, ...).$SQLFUNC(...)
- pattern: (io.vertx.sqlclient.SqlClient $O).query($UNTRUSTED, ...)
- pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($UNTRUSTED, ...)
- pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($UNTRUSTED, ...)
Expand Down Expand Up @@ -58,7 +58,6 @@ rules:
- pattern: org.hibernate.criterion.Restrictions.sqlRestriction($UNTRUSTED, ...)
- pattern: (org.hibernate.Session $S).createQuery((String $UNTRUSTED), ...)
- pattern: (org.hibernate.Session $S).createSQLQuery($UNTRUSTED, ...)
- pattern: (org.hibernate.Session $S).connection().prepareStatement($UNTRUSTED)
- pattern: (io.vertx.sqlclient.SqlClient $O).query($UNTRUSTED, ...)
- pattern: (io.vertx.sqlclient.SqlClient $O).preparedQuery($UNTRUSTED, ...)
- pattern: (io.vertx.sqlclient.SqlConnection $O).prepare($UNTRUSTED, ...)
Expand Down
32 changes: 18 additions & 14 deletions rules/java/security/crypto.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -321,7 +321,7 @@ rules:
javax.crypto.Cipher.getInstance($PROP, ...);
- metavariable-regex:
metavariable: $ALG
regex: .*ECB.*
regex: (?i).*ECB.*

- id: gcm-detection
severity: NOTE
Expand All @@ -346,10 +346,14 @@ rules:
- java
- kt
patterns:
- pattern-either:
- pattern: javax.crypto.Cipher.getInstance("AES/GCM/NoPadding")
- pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES/GCM/NoPadding")
- pattern: new GCMParameterSpec(...);
- patterns:
- metavariable-regex:
metavariable: $ALGO
regex: (?i)AES/GCM/NoPadding
- pattern-either:
- pattern: javax.crypto.Cipher.getInstance("$ALGO", ...)
- pattern: (javax.crypto.Cipher $CIPHER).getInstance("$ALGO", ...)
- pattern: new GCMParameterSpec(...);

- id: gcm-nonce-reuse
severity: WARNING
Expand Down Expand Up @@ -442,7 +446,7 @@ rules:
javax.crypto.Cipher.getInstance($PROP, ...);
- metavariable-regex:
metavariable: $ALG
regex: /?RSA/[Nn][Oo][Nn][Ee]/NoPadding/?
regex: (?i)RSA/NONE/NoPadding/?

- id: cbc-padding-oracle
severity: WARNING
Expand All @@ -464,10 +468,10 @@ rules:
- java
- kt
patterns:
- pattern: javax.crypto.Cipher.getInstance("$MODE")
- pattern: javax.crypto.Cipher.getInstance("$MODE", ...)
- metavariable-regex:
metavariable: $MODE
regex: .*/CBC/PKCS5Padding/?
regex: (?i).*/CBC/PKCS5Padding/?

- id: use-of-blowfish
severity: WARNING
Expand All @@ -487,8 +491,8 @@ rules:
- java
- kt
pattern-either:
- pattern: javax.crypto.Cipher.getInstance("Blowfish")
- pattern: (javax.crypto.Cipher $CIPHER).getInstance("Blowfish")
- pattern: javax.crypto.Cipher.getInstance("Blowfish", ...)
- pattern: (javax.crypto.Cipher $CIPHER).getInstance("Blowfish", ...)

- id: use-of-default-aes
severity: WARNING
Expand All @@ -508,8 +512,8 @@ rules:
- java
- kt
pattern-either:
- pattern: javax.crypto.Cipher.getInstance("AES")
- pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES")
- pattern: javax.crypto.Cipher.getInstance("AES", ...)
- pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES", ...)

- id: aes-hardcoded-key
severity: WARNING
Expand Down Expand Up @@ -573,7 +577,7 @@ rules:
languages:
- java
- kt
pattern: $CIPHER.getInstance("RC2")
pattern: $CIPHER.getInstance("RC2", ...)

- id: use-of-rc4
severity: WARNING
Expand All @@ -593,7 +597,7 @@ rules:
languages:
- java
- kt
pattern: $CIPHER.getInstance("RC4")
pattern: $CIPHER.getInstance("RC4", ...)

- id: use-of-sha1
severity: WARNING
Expand Down
5 changes: 3 additions & 2 deletions rules/java/security/sensitive-data-exposure.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ rules:
This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
metadata:
cwe:
- CWE-319:
- CWE-319
- CWE-614
short-description: Cleartext transmission of sensitive cookie value
references:
- https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
Expand All @@ -19,7 +20,7 @@ rules:
- pattern-not-inside: |
$COOKIE = new Cookie(...);
...
$COOKIE.setSecure(...);
$COOKIE.setSecure(true);
- pattern-not-inside: |
$COOKIE.setValue("");

Expand Down
2 changes: 1 addition & 1 deletion rules/java/security/sqli.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ rules:
refs:
- rule: java/lib/generic/servlet-untrusted-data-source.yaml#java-servlet-untrusted-data-source
as: untrusted-data
- rule: java/lib/generic/servlet-sqli-sinks.yaml#java-servlet-sqli-sink
- rule: java/lib/spring/jdbc-sqli-sinks.yaml#spring-sqli-sink
as: sink
on:
- 'untrusted-data.$UNTRUSTED -> sink.$UNTRUSTED'
Expand Down