semgrep · semgrep-dev-pr-bot · Nov 23, 2024 · Nov 23, 2024
diff --git a/aaronmiller_personal_org/node-uuid-v1-usage.jsx b/aaronmiller_personal_org/node-uuid-v1-usage.jsx
@@ -0,0 +1,14 @@
+print("Welcome to Semgrep!" + "Use our Run button to start experimenting -->")
+
+
+print("...")
+
+# To detect ALL calls to the print() function, change the Semgrep Rule from print("...") to print(...)
+
+print(not_a_string)
+
+print(first_var, second_var)
+
+print()
+
+# print("This is commented out so it will never be found")
diff --git a/aaronmiller_personal_org/node-uuid-v1-usage.yaml b/aaronmiller_personal_org/node-uuid-v1-usage.yaml
@@ -0,0 +1,30 @@
+rules:
+- id: node-uuid-v1-usage
+  pattern-either:
+  - pattern: |
+      $UUID.v1()
+  - pattern: |
+      require('uuid').v1()
+  - pattern: |
+      import { v1 } from 'uuid'
+  message: UUID v1 usage detected. Prefer UUID v4 for better security properties.
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  fix-regex:
+    regex: v1
+    replacement: v4
+  metadata:
+    category: security
+    subcategory:
+    - guardrail
+    cwe:
+    - 'CWE 330: Use of Insufficiently Random Values'
+    confidence: HIGH
+    likelihood: MEDIUM
+    impact: HIGH
+    technology:
+    - nginx
+    references:
+    - https://medium.com/appsec-untangled/lessons-learned-3-is-your-random-uuid-really-random-1a8a62207c8b