From d009eb22ca5506767acf856bb175cd6dd2237e92 Mon Sep 17 00:00:00 2001
From: "Ajin.Abraham"
Date: Wed, 9 Aug 2023 23:14:41 -0700
Subject: [PATCH] fix semgrep rules

---
 .github/workflows/tests.yml | 4 ++--
 mobsfscan/rules/semgrep/android/secrets.yaml | 8 ++++----
 mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 88b7381..ef10492 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -26,7 +26,7 @@ jobs:
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
- pip install tox semgrep==1.21.0
+ pip install tox semgrep
 
 - name: Lint
 run: |
@@ -42,7 +42,7 @@ jobs:
 
 - name: Semgrep tests
 run: |
- semgrep --quiet --test --config ./mobsfscan/rules/semgrep/ ./tests/assets/rules/semgrep/
+ SEMGREP_SETTINGS_FILE=/dev/null semgrep --metrics=off --test --config ./mobsfscan/rules/semgrep/ ./tests/assets/rules/semgrep/
 
 - name: Run tests
 run: |
diff --git a/mobsfscan/rules/semgrep/android/secrets.yaml b/mobsfscan/rules/semgrep/android/secrets.yaml
index a1c5663..00f0b87 100644
--- a/mobsfscan/rules/semgrep/android/secrets.yaml
+++ b/mobsfscan/rules/semgrep/android/secrets.yaml
@@ -10,7 +10,7 @@ rules:
 $M($X, "...", ...);
 - metavariable-regex:
 metavariable: "$X"
- regex: "(?i:pass.{0,100})"
+ regex: "(?i:^.{0,100}pass.{0,100})"
 message: >-
 A hardcoded password in plain text is identified.
 languages:
@@ -32,7 +32,7 @@ rules:
 $M($X, "...", ...);
 - metavariable-regex:
 metavariable: "$X"
- regex: "(?i:user.{0,100})"
+ regex: "(?i:^.{0,100}user.{0,100})"
 message: >-
 A hardcoded username in plain text is identified.
 languages:
@@ -54,7 +54,7 @@ rules:
 $M($X, "...", ...);
 - metavariable-regex:
 metavariable: "$X"
- regex: "(?i:key.{0,100})"
+ regex: "(?i:^.{0,100}key.{0,100})"
 message: >-
 A hardcoded Key is identified.
 languages:
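Review bot: Dropping the `semgrep==1.21.0` pin on the `pip install tox semgrep` line makes the CI install non-reproducible: every run pulls whatever semgrep release PyPI serves at that moment, so a breaking or compromised release lands in the pipeline silently and a rule failure can no longer be tied to a known tool version. The rule edits in this same patch appear to target a newer semgrep's metavariable-regex behaviour (inferred from the added `^` anchors), so a floor matters as well as a ceiling; a bounded range such as `pip install tox "semgrep>=MIN,<2"`, with MIN set to the version whose semantics the rules now assume, keeps the test meaningful without freezing on one release. If an exact pin is preferred instead, bump it via a dependency bot and consider a hash-locked requirements file for this job so the installed wheel is what was reviewed.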
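Review bot: The new `regex: "(?i:^.{0,100}pass.{0,100})"` carries no explanation of why the `^.{0,100}` prefix was added, and the pattern only behaves as intended if this semgrep version matches `metavariable-regex` against the whole metavariable text rather than searching within it (I am inferring that from the anchors; confirm against the semgrep version CI now installs). Under whole-match semantics the two bounded quantifiers also silently cap what can match to roughly 100 characters on either side of `pass`, which is fine but non-obvious. Add a comment above the line so the next editor does not "simplify" the anchors away, e.g. `# metavariable-regex is matched against the whole metavariable; allow any prefix/suffix around the keyword`. Note that `.` does not match a newline, so if `$X` can ever bind to an expression that spans lines the rule will miss it; if that is possible, `(?is:...)` would be the safer flag set.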
@@ -76,7 +76,7 @@ rules:
 $M($X, "...", ...);
 - metavariable-regex:
 metavariable: "$X"
- regex: "(?i:secret.{0,100})"
+ regex: "(?i:^.{0,100}secret.{0,100})"
 message: >-
 A hardcoded secret is identified.
 languages:
diff --git a/mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml b/mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml
index 392ce24..aa262b6 100644
--- a/mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml
+++ b/mobsfscan/rules/semgrep/crypto/rsa_no_oeap.yaml
@@ -8,7 +8,7 @@ rules:
 javax.crypto.Cipher.getInstance($X, ...)
 - metavariable-regex:
 metavariable: $X
- regex: '(?i:rsa/.{1,23}/nopadding.{0,100})'
+ regex: '(?i:^.{0,100}rsa/.{1,23}/nopadding.{0,100})'
 message: >-
 This App uses RSA Crypto without OAEP padding. The purpose of the padding scheme is to prevent a number of attacks on RSA that only work when the
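Review bot: The matching semantics of `regex: "(?i:^.{0,100}secret.{0,100})"` have changed with this rewrite, but nothing in the patch shows a fixture exercising the case the `^` anchor is meant to preserve; `semgrep --test` will pass trivially if `./tests/assets/rules/semgrep/` only has identifiers that begin with the keyword. Please confirm the fixture for this rule has a `# ruleid:` case where the keyword sits mid-identifier (for example `clientSecret`) and an `# ok:` case with an unrelated name, so a future regex edit that breaks mid-identifier matching is caught. The trailing `.{0,100}` also means that, if semgrep anchors both ends of the metavariable, a name with more than 100 characters after `secret` no longer matches; that is an acceptable trade-off but deserves a one-line comment next to the regex.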