adding cases that trigger FPs

DataDog · Sep 10, 2024 · ed4f2d9 · ed4f2d9
1 parent 72e9e54
commit ed4f2d9
Showing 1 changed file with 11 additions and 21 deletions.
diff --git a/guarddog/analyzer/sourcecode/npm-install-script.yml b/guarddog/analyzer/sourcecode/npm-install-script.yml
@@ -6,34 +6,24 @@ rules:
     patterns:
       - pattern-inside: |
           "scripts": {...}
-      # note that on some cases installing a package can lead to the execution of some "prepare" scripts
+      - pattern-either:
+        - pattern: |
+            "preinstall": $VAR
+        - pattern: |
+            "postinstall": $VAR
+        - pattern: |
+            "install": $VAR
       # (typically when a dependency is a git repository, see https://github.com/npm/cli/issues/6031#issuecomment-1449119423)
       # however this happens pretty rarely so reporting every package with a "prepare" script would be too noisy;
       # see https://github.com/DataDog/guarddog/issues/308
-      - pattern-not: |
-            "...": "npx patch-package"
-      - pattern-not: |
-            "...": "npx only-allow pnpm"
-      - pattern-not: |
-          "...": ""
-      - pattern-not: |
-          "...": "patch-package"
-      - pattern-not: |
-          "...": "husky"
-      - pattern-not: |
-          "preinstall": "echo \"preinstall script\""
-
-      - pattern-either:
-          - pattern: |
-              "preinstall": "..."
-          - pattern: |
-              "install": "..."
-          - pattern: |
-              "postinstall": "..."
+      - metavariable-pattern:
+          metavariable: $VAR
+          pattern-regex: ^(?!"(npx patch-package|nuxt prepare|npx only-allow pnpm|prisma generate|ibmtelemetry --config=telemetry.yml|husky install|tsc \|\| exit 0|patch-package|husky|echo \"preinstall script\")").*$
     languages:
       - json
     paths:
       include:
         - "*/package.json"
         - "*/npm-install-script.json" # unit test
     severity: WARNING
+