fix semgrep rules

MobSF · Aug 10, 2023 · d009eb2 · d009eb2
1 parent bea65f8
commit d009eb2
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -26,7 +26,7 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install tox semgrep==1.21.0
+        pip install tox semgrep
 
     - name: Lint
       run: |
@@ -42,7 +42,7 @@ jobs:
 
     - name: Semgrep tests
       run: |
-        semgrep --quiet --test --config ./mobsfscan/rules/semgrep/ ./tests/assets/rules/semgrep/
+        SEMGREP_SETTINGS_FILE=/dev/null semgrep --metrics=off --test --config ./mobsfscan/rules/semgrep/ ./tests/assets/rules/semgrep/
 
     - name: Run tests
       run: |

diff --git a/mobsfscan/rules/semgrep/android/secrets.yaml b/mobsfscan/rules/semgrep/android/secrets.yaml
@@ -10,7 +10,7 @@ rules:
               $M($X, "...", ...);
       - metavariable-regex:
           metavariable: "$X"
-          regex: "(?i:pass.{0,100})"
+          regex: "(?i:^.{0,100}pass.{0,100})"
     message: >-
       A hardcoded password in plain text is identified.
     languages:
@@ -32,7 +32,7 @@ rules:
               $M($X, "...", ...);
       - metavariable-regex:
           metavariable: "$X"
-          regex: "(?i:user.{0,100})"
+          regex: "(?i:^.{0,100}user.{0,100})"
     message: >-
       A hardcoded username in plain text is identified.
     languages:
@@ -54,7 +54,7 @@ rules:
               $M($X, "...", ...);
       - metavariable-regex:
           metavariable: "$X"
-          regex: "(?i:key.{0,100})"
+          regex: "(?i:^.{0,100}key.{0,100})"
     message: >-
       A hardcoded Key is identified.
     languages:
@@ -76,7 +76,7 @@ rules:
               $M($X, "...", ...);
       - metavariable-regex:
           metavariable: "$X"
-          regex: "(?i:secret.{0,100})"
+          regex: "(?i:^.{0,100}secret.{0,100})"
     message: >-
       A hardcoded secret is identified.
     languages:

diff --git a/mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml b/mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml
@@ -8,7 +8,7 @@ rules:
               javax.crypto.Cipher.getInstance($X, ...)
       - metavariable-regex:
           metavariable: $X
-          regex: '(?i:rsa/.{1,23}/nopadding.{0,100})'
+          regex: '(?i:^.{0,100}rsa/.{1,23}/nopadding.{0,100})'
     message: >-
       This App uses RSA Crypto without OAEP padding. The purpose of the padding
       scheme is to prevent a number of attacks on RSA that only work when the