My collection of Semgrep rules for vulnerability detection on source code (swift, java)

akabe1/akabe1-semgrep-rules

akabe1-semgrep-rules

Description

The akabe1-semgrep-rules are a collection of my custom Semgrep rules, built to speed up activities such as source code analysis (Swift, Java).

They provide additional patterns for detecting vulnerabilities and insecure coding practices, and can be used alongside the official Semgrep rules to reduce the rate of false negatives.

Usage

To use these rules, first install the Semgrep tool from the official Semgrep GitHub repository, or alternatively pull the Semgrep Docker image.

Then clone this GitHub repo, and finally run one of the following commands:

  1. Run all the rules in a folder:
     semgrep --config akabe1-semgrep-rules/<SUBFOLDER>/
  2. Run a single rule file:
     semgrep --config akabe1-semgrep-rules/<SUBFOLDER>/<FILE>.yaml

Features

Below is a non-exhaustive list of the rule categories included in this repo:

Swift

  • Certificate Pinning issues
  • Biometric Authentication issues
  • XXE issues
  • SQL Injection issues
  • Crypto issues
  • Log Injection issues
  • NoSQL Injection issues
  • WebView issues
  • Insecure Storage issues
  • Keychain Settings issues
  • and others.

Java

  • XXE
  • Improper Cookie issues
  • Crypto issues

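As an added illustration of the rule format that the Usage commands above consume, and of the kind of check the Java "Improper Cookie issues" category covers, here is a stand-alone Semgrep rule. It is example code written for this page, not one of the repository's own rules; the rule id, message and CWE reference are mine. It flags a servlet cookie that is created with `new Cookie(...)` and passed to `addCookie()` in the same function without `setSecure(true)` ever being called on it, i.e. a cookie that the browser may send over plaintext HTTP.

```yaml
rules:
  - id: java-cookie-missing-secure-flag   # example rule id, not from the repo
    languages: [java]
    severity: WARNING
    message: >-
      Cookie "$COOKIE" is added to the response without setSecure(true),
      so the browser may transmit it over unencrypted HTTP.
    metadata:
      category: security
      cwe: "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
    patterns:
      # Match the point where the cookie is handed to the response...
      - pattern: $RESP.addCookie($COOKIE)
      # ...only when that cookie was constructed earlier in the same function
      # (this also matches a declaration such as "Cookie c = new Cookie(...)")...
      - pattern-inside: |
          $COOKIE = new Cookie(...);
          ...
      # ...and setSecure(true) was not called on it anywhere in between.
      - pattern-not-inside: |
          $COOKIE = new Cookie(...);
          ...
          $COOKIE.setSecure(true);
          ...
```

Save it as a `.yaml` file and run it with the single-rule form from the Usage section, for example `semgrep --config <path-to-file>.yaml <source-dir>`. Note the scope of the check: the `...` operators span statements inside one function, so a `setSecure(true)` call made in a separate helper method would not be seen and the rule would report a false positive there; conversely a cookie configured through a different API (for instance a framework wrapper rather than `javax.servlet.http.Cookie`) is not matched at all, which is the kind of false negative the Description above mentions.
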
Note

Swift language support in Semgrep is currently experimental, which could cause false negatives.

Author

  • akabe1-semgrep-rules were written by Maurizio Siddu

GNU License

Copyright (c) 2023 akabe1-semgrep-rules

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/
