Writing a custom ruleset

OMAR edited this page Nov 25, 2022 · 5 revisions

Where are the rulesets written and how can I add support to a new rule?

The rulesets are read from the core/ruleset.yaml file and are processed by core/ruleset_engine.py.

JS_SAST is structured so that adding new rules is as easy as possible. The first step is to familiarize yourself with the structure of the rules processed by JS_SAST. A rule is made up of eight key components: the top-level rule name and seven sub-keys. Take the following as an example:

new_rule:
  issue_type: new_rule issue type title
  severity: <impact of the issue, either High, Medium, or Low>
  confidence: <confidence on the given rule to catch issues, either High, Medium, or Low>
  CWE: "The CWE of the issue (the link to the CWE issue)"
  description: "Learn More: (OWASP top 10 link to the issue)"
  remediation: |
    Here we can describe how to remediate the issue,
    and it supports multi-line descriptions.
  regex: >-
    Put the regex that finds this issue here

Once you understand the structure of a rule in the core/ruleset.yaml file, you can add as many rules as needed. JS_SAST goes through each top-level YAML key and processes its sub-keys to search for the given rule. No further code modification is needed to support additional rulesets. Isn't this nice? Let us look at a supported rule to see how a finished new rule can be formatted.

weak_hash:
  issue_type: Use of Weak Hash
  severity: Medium
  confidence: High
  CWE: "CWE-328: Use of Weak Hash (https://cwe.mitre.org/data/definitions/328.html)"
  description: "Learn More: (https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)"
  remediation: |
    Use a secure password hashing algorithm such as BCRYPT, SCRYPT, PBKDF2, or Argon2.
  regex: >-
    createHash\( {0,}(?:'|\") {0,}(md5|sha1)(?:'|\")

As we can see from the supported rule above, this rule looks for the creation of weak hash functions such as md5 or sha1. Now you will be able to write your own custom ruleset to be supported by JS_SAST.
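As an added example (not JS_SAST's own core/ruleset_engine.py), here is a minimal Python scanner that takes a ruleset of this shape, checks that every rule carries the seven sub-keys with a regex that compiles, and runs the weak_hash rule from this page plus a constructed insecure_random rule over a constructed JavaScript snippet. The RULESET dict stands in for what yaml.safe_load() would return for core/ruleset.yaml, so the snippet runs without PyYAML.

```python
import re
# Constructed ruleset in the shape yaml.safe_load() gives for core/ruleset.yaml:
# weak_hash is the page's own rule, insecure_random is a constructed custom rule.
RULESET = {
    "weak_hash": {
        "issue_type": "Use of Weak Hash",
        "severity": "Medium",
        "confidence": "High",
        "CWE": "CWE-328: Use of Weak Hash (https://cwe.mitre.org/data/definitions/328.html)",
        "description": "Learn More: (https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)",
        "remediation": "Use a secure password hashing algorithm such as BCRYPT, SCRYPT, PBKDF2, or Argon2.",
        "regex": r"""createHash\( {0,}(?:'|\") {0,}(md5|sha1)(?:'|\")""",
    },
    "insecure_random": {
        "issue_type": "Use of Cryptographically Weak PRNG",
        "severity": "Medium",
        "confidence": "Medium",
        "CWE": "CWE-338: Use of Cryptographically Weak PRNG (https://cwe.mitre.org/data/definitions/338.html)",
        "description": "Learn More: (https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)",
        "remediation": "Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive values.",
        "regex": r"Math\.random\(",
    },
}
REQUIRED_KEYS = {"issue_type", "severity", "confidence", "CWE", "description", "remediation", "regex"}

def compile_ruleset(ruleset):
    """Check each top-level rule has all seven sub-keys and a regex that compiles."""
    compiled = {}
    for name, rule in ruleset.items():
        missing = REQUIRED_KEYS - rule.keys()
        if missing:
            raise ValueError(f"rule {name!r} is missing keys: {sorted(missing)}")
        compiled[name] = re.compile(rule["regex"])  # raises re.error on a bad pattern
    return compiled

def scan_source(source, ruleset=RULESET):
    """Run every rule's regex over each line; one finding per (rule, line) hit."""
    patterns = compile_ruleset(ruleset)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in patterns.items():
            if pattern.search(line):
                findings.append({"rule": name, "line": lineno, "severity": ruleset[name]["severity"],
                                 "CWE": ruleset[name]["CWE"].split(":")[0], "code": line.strip()})
    return findings
# Constructed JS input: two weak hashes (one with extra spacing and double quotes),
# one strong hash that must not match, and one weak PRNG call.
SAMPLE_JS = """const a = crypto.createHash('md5').update(pw).digest('hex');
const b = crypto.createHash(  "sha1"  ).update(pw).digest('hex');
const c = crypto.createHash('sha256').update(pw).digest('hex');
const token = Math.random().toString(36).slice(2);"""
```

Calling scan_source(SAMPLE_JS) reports weak_hash on lines 1 and 2 and insecure_random on line 4; the sha256 line produces no finding because the regex's (md5|sha1) group must be followed directly by the closing quote.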
