From 2a70a6c8664e12acbcfab8f77c5858135c60ca18 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 23 Oct 2024 22:09:22 -0700 Subject: [PATCH] Move some configuration into the docs themselves (#655) For convenience and for more clarity to end users, having the configuration in the docs themselves can aid how each rule is configured. Later, when precli handles a configuration file mechanism, a user can customize rules based on this config noted in the docs in each rule. Signed-off-by: Eric Brown --- precli/core/config.py | 17 +++++++++++ precli/core/result.py | 2 +- precli/renderers/json.py | 6 ++-- precli/rules/__init__.py | 26 +++++++++++++++-- precli/rules/go/stdlib/crypto_weak_cipher.py | 10 +++++-- precli/rules/go/stdlib/crypto_weak_hash.py | 10 +++++-- precli/rules/go/stdlib/crypto_weak_key.py | 28 ++++++++++++++----- precli/rules/go/stdlib/syscall_setuid_root.py | 10 +++++-- .../java/stdlib/java_net_insecure_cookie.py | 7 +++++ .../java/stdlib/java_security_weak_hash.py | 26 ++++++++++++----- .../java/stdlib/java_security_weak_key.py | 23 +++++++++++---- .../java/stdlib/java_security_weak_random.py | 7 +++++ .../java/stdlib/javax_crypto_weak_cipher.py | 24 +++++++++++----- .../javax_servlet_http_insecure_cookie.py | 7 +++++ .../python/stdlib/argparse_sensitive_info.py | 22 ++++++++++----- precli/rules/python/stdlib/assert.py | 9 ++++-- precli/rules/python/stdlib/crypt_weak_hash.py | 7 +++++ .../rules/python/stdlib/ftplib_cleartext.py | 7 +++++ .../rules/python/stdlib/ftplib_no_timeout.py | 7 +++++ .../stdlib/ftplib_unverified_context.py | 7 +++++ .../python/stdlib/hashlib_improper_prng.py | 7 +++++ .../rules/python/stdlib/hashlib_weak_hash.py | 10 +++++-- .../rules/python/stdlib/hmac_timing_attack.py | 10 +++++-- precli/rules/python/stdlib/hmac_weak_hash.py | 10 +++++-- precli/rules/python/stdlib/hmac_weak_key.py | 7 +++++ .../stdlib/http_server_unrestricted_bind.py | 7 +++++ precli/rules/python/stdlib/http_url_secret.py | 23 ++++++++++----- .../rules/python/stdlib/imaplib_cleartext.py | 10 +++++-- .../rules/python/stdlib/imaplib_no_timeout.py | 7 +++++ .../stdlib/imaplib_unverified_context.py | 7 +++++ precli/rules/python/stdlib/json_load.py | 9 ++++-- .../stdlib/logging_insecure_listen_config.py | 7 +++++ precli/rules/python/stdlib/marshal_load.py | 7 +++++ .../rules/python/stdlib/nntplib_cleartext.py | 10 +++++-- .../rules/python/stdlib/nntplib_no_timeout.py | 7 +++++ .../stdlib/nntplib_unverified_context.py | 7 +++++ .../rules/python/stdlib/os_loose_file_perm.py | 11 +++++++- precli/rules/python/stdlib/os_setuid_root.py | 10 +++++-- .../python/stdlib/pathlib_loose_file_perm.py | 11 +++++++- precli/rules/python/stdlib/pickle_load.py | 7 +++++ .../rules/python/stdlib/poplib_cleartext.py | 10 +++++-- .../rules/python/stdlib/poplib_no_timeout.py | 7 +++++ .../stdlib/poplib_unverified_context.py | 7 +++++ .../python/stdlib/re_denial_of_service.py | 10 +++++-- .../rules/python/stdlib/secrets_weak_token.py | 20 ++++++++++--- precli/rules/python/stdlib/shelve_open.py | 7 +++++ .../rules/python/stdlib/smtplib_cleartext.py | 10 +++++-- .../rules/python/stdlib/smtplib_no_timeout.py | 7 +++++ .../stdlib/smtplib_unverified_context.py | 7 +++++ .../rules/python/stdlib/socket_no_timeout.py | 7 +++++ .../python/stdlib/socket_unrestricted_bind.py | 7 +++++ .../stdlib/socketserver_unrestricted_bind.py | 7 +++++ .../python/stdlib/ssl_context_weak_key.py | 23 +++++++++++---- .../stdlib/ssl_create_unverified_context.py | 7 +++++ .../python/stdlib/ssl_insecure_tls_version.py | 10 +++++-- precli/rules/python/stdlib/ssl_no_timeout.py | 7 +++++ .../python/stdlib/telnetlib_cleartext.py | 10 +++++-- .../python/stdlib/telnetlib_no_timeout.py | 7 +++++ .../stdlib/tempfile_mktemp_race_condition.py | 7 +++++ .../stdlib/xmlrpc_server_unrestricted_bind.py | 7 +++++ requirements.txt | 1 + .../stdlib/crypto/test_crypto_weak_cipher.py | 6 ++-- .../go/stdlib/crypto/test_crypto_weak_hash.py | 6 ++-- .../go/stdlib/crypto/test_crypto_weak_key.py | 6 ++-- .../syscall/test_syscall_setuid_root.py | 6 ++-- .../stdlib/java_net/test_insecure_cookie.py | 6 ++-- .../stdlib/java_security/test_weak_hash.py | 6 ++-- .../stdlib/java_security/test_weak_key.py | 6 ++-- .../stdlib/java_security/test_weak_random.py | 6 ++-- .../stdlib/javax_crypto/test_weak_cipher.py | 6 ++-- .../test_insecure_cookie.py | 6 ++-- .../argparse/test_argparse_sensitive_info.py | 6 ++-- .../rules/python/stdlib/assert/test_assert.py | 6 ++-- .../stdlib/crypt/test_crypt_weak_hash.py | 6 ++-- .../stdlib/ftplib/test_ftplib_cleartext.py | 6 ++-- .../stdlib/ftplib/test_ftplib_no_timeout.py | 6 ++-- .../ftplib/test_ftplib_unverified_context.py | 6 ++-- .../hashlib/test_hashlib_improper_prng.py | 6 ++-- .../stdlib/hashlib/test_hashlib_weak_hash.py | 6 ++-- .../stdlib/hmac/test_hmac_timing_attack.py | 6 ++-- .../python/stdlib/hmac/test_hmac_weak_hash.py | 6 ++-- .../python/stdlib/hmac/test_hmac_weak_key.py | 6 ++-- .../test_http_server_unrestricted_bind.py | 6 ++-- .../stdlib/http/test_http_url_secret.py | 6 ++-- .../stdlib/imaplib/test_imaplib_cleartext.py | 6 ++-- .../stdlib/imaplib/test_imaplib_no_timeout.py | 6 ++-- .../test_imaplib_unverified_context.py | 6 ++-- .../python/stdlib/json/test_json_load.py | 6 ++-- .../test_logging_insecure_listen_config.py | 6 ++-- .../stdlib/marshal/test_marshal_load.py | 6 ++-- .../stdlib/nntplib/test_nntplib_cleartext.py | 6 ++-- .../stdlib/nntplib/test_nntplib_no_timeout.py | 6 ++-- .../test_nntplib_unverified_context.py | 6 ++-- .../stdlib/os/test_os_loose_file_perm.py | 6 ++-- .../python/stdlib/os/test_os_setuid_root.py | 6 ++-- .../pathlib/test_pathlib_loose_file_perm.py | 6 ++-- .../python/stdlib/pickle/test_pickle_load.py | 6 ++-- .../stdlib/poplib/test_poplib_cleartext.py | 6 ++-- .../stdlib/poplib/test_poplib_no_timeout.py | 6 ++-- .../poplib/test_poplib_unverified_context.py | 6 ++-- .../stdlib/re/test_re_denial_of_service.py | 6 ++-- .../stdlib/secrets/test_secrets_weak_token.py | 6 ++-- .../python/stdlib/shelve/test_shelve_open.py | 6 ++-- .../stdlib/smtplib/test_smtplib_cleartext.py | 6 ++-- .../stdlib/smtplib/test_smtplib_no_timeout.py | 6 ++-- .../test_smtplib_unverified_context.py | 6 ++-- .../stdlib/socket/test_socket_no_timeout.py | 6 ++-- .../socket/test_socket_unrestricted_bind.py | 6 ++-- .../test_socketserver_unrestricted_bind.py | 6 ++-- .../ssl/test_ssl_context_tls_version.py | 6 ++-- .../stdlib/ssl/test_ssl_context_weak_key.py | 6 ++-- .../stdlib/ssl/test_ssl_create_context.py | 6 ++-- ..._ssl_get_server_certificate_tls_version.py | 6 ++-- .../python/stdlib/ssl/test_ssl_no_timeout.py | 6 ++-- .../ssl/test_ssl_wrap_socket_tls_version.py | 6 ++-- .../telnetlib/test_telnetlib_cleartext.py | 6 ++-- .../telnetlib/test_telnetlib_no_timeout.py | 6 ++-- .../test_tempfile_mktemp_race_condition.py | 6 ++-- .../test_xmlrpc_server_unrestricted_bind.py | 6 ++-- 119 files changed, 702 insertions(+), 277 deletions(-) diff --git a/precli/core/config.py b/precli/core/config.py index 1c4476d9..0ebb559a 100644 --- a/precli/core/config.py +++ b/precli/core/config.py @@ -9,10 +9,12 @@ def __init__( enabled: bool = True, level: Level = Level.WARNING, rank: float = -1.0, + parameters: dict = None, ): self._enabled = enabled self._level = level self._rank = rank + self._parameters = parameters @property def enabled(self) -> bool: @@ -29,7 +31,22 @@ def level(self) -> Level: """The default severity level.""" return self._level + @level.setter + def level(self, level: Level): + """Set the default severity level.""" + self._level = level + @property def rank(self) -> float: """The default rank for the rule.""" return self._rank + + @property + def parameters(self) -> dict: + """A dictionary of default parameters.""" + return self._parameters + + @parameters.setter + def parameters(self, parameters: dict): + """Set the dictionary of default parameters.""" + self._parameters = parameters diff --git a/precli/core/result.py b/precli/core/result.py index 7bbc122e..1bfe1ebf 100644 --- a/precli/core/result.py +++ b/precli/core/result.py @@ -29,7 +29,7 @@ def __init__( self._artifact = artifact self._kind = kind rule = Rule.get_by_id(self._rule_id) - default_config = rule.default_config if rule else None + default_config = rule.config if rule else None self._rank = default_config.rank if default_config else -1.0 if level: self._level = level diff --git a/precli/renderers/json.py b/precli/renderers/json.py index 179b0dc2..f4bd1dc2 100644 --- a/precli/renderers/json.py +++ b/precli/renderers/json.py @@ -73,8 +73,8 @@ def create_rule_if_needed( text=rule.short_description ), default_configuration=sarif_om.ReportingConfiguration( - enabled=rule.default_config.enabled, - level=rule.default_config.level.name.lower(), + enabled=rule.config.enabled, + level=rule.config.level.name.lower(), ), help=sarif_om.MultiformatMessageString( text=rule.full_description, markdown=rule.full_description @@ -87,7 +87,7 @@ def create_rule_if_needed( "security", f"external/cwe/cwe-{rule.cwe.id}", ], - "security-severity": (rule.default_config.level.to_severity()), + "security-severity": (rule.config.level.to_severity()), }, ) diff --git a/precli/rules/__init__.py b/precli/rules/__init__.py index 8437bc4d..f818cc6f 100644 --- a/precli/rules/__init__.py +++ b/precli/rules/__init__.py @@ -1,10 +1,18 @@ # Copyright 2024 Secure Sauce LLC +import re +import sys from abc import ABC from typing import Optional +if sys.version_info >= (3, 11): + import tomllib +else: + import tomli as tomllib + from precli.core.config import Config from precli.core.cwe import Cwe from precli.core.fix import Fix +from precli.core.level import Level from precli.core.location import Location @@ -41,7 +49,21 @@ def __init__( self._cwe = Cwe(cwe_id) self._message = message self._wildcards = wildcards if wildcards else {} - self._config = Config() if not config else config + + match = re.search(r"```toml(.*?)```", description, re.DOTALL) + if match: + toml_content = match.group(1).strip() + try: + metadata = tomllib.loads(toml_content) + self._config = Config() + self._config.enabled = metadata.get("enabled") + self._config.level = Level(metadata.get("level")) + self._config.parameters = metadata.get("parameters") + except tomllib.TOMLDecodeError as err: + print(err) + print("Invalid config in documentation") + else: + self._config = Config() if not config else config self._enabled = self._config.enabled self._help_url = f"https://docs.securesauce.dev/rules/{id}" Rule._rules[id] = self @@ -89,7 +111,7 @@ def help_url(self) -> str: return self._help_url @property - def default_config(self) -> Config: + def config(self) -> Config: """Default configuration for this rule.""" return self._config diff --git a/precli/rules/go/stdlib/crypto_weak_cipher.py b/precli/rules/go/stdlib/crypto_weak_cipher.py index e099299f..06e6f75b 100644 --- a/precli/rules/go/stdlib/crypto_weak_cipher.py +++ b/precli/rules/go/stdlib/crypto_weak_cipher.py @@ -112,6 +112,13 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -125,8 +132,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -141,7 +146,6 @@ def __init__(self, id: str): cwe_id=327, message="Weak ciphers like '{0}' should be avoided due to their " "known vulnerabilities and weaknesses.", - config=Config(level=Level.ERROR), ) def analyze_call_expression( diff --git a/precli/rules/go/stdlib/crypto_weak_hash.py b/precli/rules/go/stdlib/crypto_weak_hash.py index 2e7e71fb..c48997a6 100644 --- a/precli/rules/go/stdlib/crypto_weak_hash.py +++ b/precli/rules/go/stdlib/crypto_weak_hash.py @@ -62,6 +62,13 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -76,8 +83,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -92,7 +97,6 @@ def __init__(self, id: str): cwe_id=328, message="Use of weak hash function '{0}' does not meet security " "expectations.", - config=Config(level=Level.ERROR), ) def analyze_call_expression( diff --git a/precli/rules/go/stdlib/crypto_weak_key.py b/precli/rules/go/stdlib/crypto_weak_key.py index cfb3a6bd..594234ef 100644 --- a/precli/rules/go/stdlib/crypto_weak_key.py +++ b/precli/rules/go/stdlib/crypto_weak_key.py @@ -119,6 +119,15 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +parameters.warning_key_size = 2048 +parameters.error_key_size = 1024 +``` + # See also !!! info @@ -152,6 +161,9 @@ def __init__(self, id: str): def analyze_call_expression( self, context: dict, call: Call ) -> Optional[Result]: + WARN_SIZE = self.config.parameters.get("warning_key_size") + ERR_SIZE = self.config.parameters.get("error_key_size") + if call.name_qualified in ["crypto/dsa.GenerateParameters"]: argument = call.get_argument(position=2) sizes = argument.value @@ -160,7 +172,8 @@ def analyze_call_expression( fixes = Rule.get_fixes( context=context, deleted_location=Location(node=argument.identifier_node), - description="Use a minimum key size of 2048 for DSA keys.", + description=f"Use a minimum key size of {WARN_SIZE} for " + "DSA keys.", inserted_content="L2048N224", ) @@ -168,25 +181,26 @@ def analyze_call_expression( rule_id=self.id, location=Location(node=argument.identifier_node), level=Level.ERROR, - message=self.message.format("DSA", 2048), + message=self.message.format("DSA", WARN_SIZE), fixes=fixes, ) elif call.name_qualified in ["crypto/rsa.GenerateKey"]: argument = call.get_argument(position=1) bits = argument.value - if isinstance(bits, int) and bits < 2048: + if isinstance(bits, int) and bits < WARN_SIZE: fixes = Rule.get_fixes( context=context, deleted_location=Location(node=argument.node), - description="Use a minimum key size of 2048 for RSA keys.", - inserted_content="2048", + description=f"Use a minimum key size of {WARN_SIZE} for " + "RSA keys.", + inserted_content=f"{WARN_SIZE}", ) return Result( rule_id=self.id, location=Location(node=argument.node), - level=Level.ERROR if bits <= 1024 else Level.WARNING, - message=self.message.format("RSA", 2048), + level=Level.ERROR if bits <= ERR_SIZE else Level.WARNING, + message=self.message.format("RSA", WARN_SIZE), fixes=fixes, ) diff --git a/precli/rules/go/stdlib/syscall_setuid_root.py b/precli/rules/go/stdlib/syscall_setuid_root.py index bc3897d7..85b4b9c5 100644 --- a/precli/rules/go/stdlib/syscall_setuid_root.py +++ b/precli/rules/go/stdlib/syscall_setuid_root.py @@ -78,6 +78,13 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + ## See also !!! info @@ -91,8 +98,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -107,7 +112,6 @@ def __init__(self, id: str): cwe_id=250, message="The function '{0}(0)' escalates the process to run with " "root (superuser) privileges.", - config=Config(level=Level.ERROR), ) def analyze_call_expression( diff --git a/precli/rules/java/stdlib/java_net_insecure_cookie.py b/precli/rules/java/stdlib/java_net_insecure_cookie.py index c9ebe39e..da3e53af 100644 --- a/precli/rules/java/stdlib/java_net_insecure_cookie.py +++ b/precli/rules/java/stdlib/java_net_insecure_cookie.py @@ -60,6 +60,13 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/java/stdlib/java_security_weak_hash.py b/precli/rules/java/stdlib/java_security_weak_hash.py index f40b5a8f..6ae56cb9 100644 --- a/precli/rules/java/stdlib/java_security_weak_hash.py +++ b/precli/rules/java/stdlib/java_security_weak_hash.py @@ -58,6 +58,20 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "error" +parameters.weak_hashes = [ + "MD2", + "MD5", + "SHA", + "SHA1", + "SHA-1", +] +``` + # See also !!! info @@ -71,16 +85,11 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule -WEAK_HASHES = ("MD2", "MD5", "SHA", "SHA1", "SHA-1") - - class MessageDigestWeakHash(Rule): def __init__(self, id: str): super().__init__( @@ -95,7 +104,6 @@ def __init__(self, id: str): "MessageDigest", ], }, - config=Config(level=Level.ERROR), ) def analyze_method_invocation( @@ -109,7 +117,11 @@ def analyze_method_invocation( argument = call.get_argument(position=0) algorithm = argument.value_str - if algorithm is None or algorithm.upper() not in WEAK_HASHES: + if ( + algorithm is None + or algorithm.upper() + not in self.config.parameters.get("weak_hashes") + ): return fixes = Rule.get_fixes( diff --git a/precli/rules/java/stdlib/java_security_weak_key.py b/precli/rules/java/stdlib/java_security_weak_key.py index 5d849981..dae209d1 100644 --- a/precli/rules/java/stdlib/java_security_weak_key.py +++ b/precli/rules/java/stdlib/java_security_weak_key.py @@ -77,6 +77,15 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +parameters.warning_key_size = 2048 +parameters.error_key_size = 1024 +``` + # See also !!! info @@ -119,6 +128,9 @@ def analyze_method_invocation( ]: return + WARN_SIZE = self.config.parameters.get("warning_key_size") + ERR_SIZE = self.config.parameters.get("error_key_size") + argument = call.get_argument(position=0) keysize = argument.value @@ -133,18 +145,19 @@ def analyze_method_invocation( if algorithm is None or algorithm.upper() not in ("DSA", "RSA"): return - if isinstance(keysize, int) and keysize < 2048: + if isinstance(keysize, int) and keysize < WARN_SIZE: fixes = Rule.get_fixes( context=context, deleted_location=Location(node=argument.node), - description="Use a minimum key size of 2048 for RSA keys.", - inserted_content="2048", + description=f"Use a minimum key size of {WARN_SIZE} for RSA " + "keys.", + inserted_content=f"{WARN_SIZE}", ) return Result( rule_id=self.id, location=Location(node=argument.node), - level=Level.ERROR if keysize <= 1024 else Level.WARNING, - message=self.message.format("RSA", 2048), + level=Level.ERROR if keysize <= ERR_SIZE else Level.WARNING, + message=self.message.format("RSA", WARN_SIZE), fixes=fixes, ) diff --git a/precli/rules/java/stdlib/java_security_weak_random.py b/precli/rules/java/stdlib/java_security_weak_random.py index def65591..d9c63c30 100644 --- a/precli/rules/java/stdlib/java_security_weak_random.py +++ b/precli/rules/java/stdlib/java_security_weak_random.py @@ -59,6 +59,13 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/java/stdlib/javax_crypto_weak_cipher.py b/precli/rules/java/stdlib/javax_crypto_weak_cipher.py index 1c5f3107..2fde1fed 100644 --- a/precli/rules/java/stdlib/javax_crypto_weak_cipher.py +++ b/precli/rules/java/stdlib/javax_crypto_weak_cipher.py @@ -112,6 +112,22 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "error" +parameters.weak_ciphers = [ + "ARCFOUR", + "Blowfish", + "DES", + "DESede", + "RC2", + "RC4", + "RC5", +] +``` + # See also !!! info @@ -125,16 +141,11 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule -WEAK_CIPHERS = ("ARCFOUR", "Blowfish", "DES", "DESede", "RC2", "RC4", "RC5") - - class WeakCipher(Rule): def __init__(self, id: str): super().__init__( @@ -149,7 +160,6 @@ def __init__(self, id: str): "Cipher", ], }, - config=Config(level=Level.ERROR), ) def analyze_method_invocation( @@ -168,7 +178,7 @@ def analyze_method_invocation( # DES/CBC/PKCS5Padding cipher, *mode_padding = transformation.split("/") - if cipher not in WEAK_CIPHERS: + if cipher not in self.config.parameters.get("weak_ciphers"): return content = "/".join(["AES"] + mode_padding) diff --git a/precli/rules/java/stdlib/javax_servlet_http_insecure_cookie.py b/precli/rules/java/stdlib/javax_servlet_http_insecure_cookie.py index ae857ad1..0edf8635 100644 --- a/precli/rules/java/stdlib/javax_servlet_http_insecure_cookie.py +++ b/precli/rules/java/stdlib/javax_servlet_http_insecure_cookie.py @@ -58,6 +58,13 @@ } ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/argparse_sensitive_info.py b/precli/rules/python/stdlib/argparse_sensitive_info.py index 1eb409cb..66418182 100644 --- a/precli/rules/python/stdlib/argparse_sensitive_info.py +++ b/precli/rules/python/stdlib/argparse_sensitive_info.py @@ -65,6 +65,18 @@ ) ``` +# Default Configuration + +```toml +enabled = true +level = "error" +parameters.sensitive_arguments = [ + "--api-key", + "--password", + "--token" +] +``` + # See also !!! info @@ -79,8 +91,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -95,7 +105,6 @@ def __init__(self, id: str): cwe_id=214, message="{0} in CLI arguments are leaked to command history, " "logs, ps output, etc.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: @@ -111,10 +120,9 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: arg1 = call.get_argument(position=1) action = call.get_argument(name="action") - if ( - "--password" in [arg0.value_str, arg1.value_str] - or "--api-key" in [arg0.value_str, arg1.value_str] - or "--token" in [arg0.value_str, arg1.value_str] + if any( + arg in [arg0.value_str, arg1.value_str] + for arg in self.config.parameters.get("sensitive_arguments") ) and (action.value is None or action.value_str == "store"): return Result( rule_id=self.id, diff --git a/precli/rules/python/stdlib/assert.py b/precli/rules/python/stdlib/assert.py index b243a376..53f2451a 100644 --- a/precli/rules/python/stdlib/assert.py +++ b/precli/rules/python/stdlib/assert.py @@ -51,6 +51,13 @@ def foobar(a: str = None): foobar("World") ``` +# Default Configuration + +```toml +enabled = false +level = "warning" +``` + # See also !!! info @@ -63,7 +70,6 @@ def foobar(a: str = None): """ # noqa: E501 from typing import Optional -from precli.core.config import Config from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -78,7 +84,6 @@ def __init__(self, id: str): cwe_id=703, message="Assert statements are disabled when optimizations are " "enabled.", - config=Config(enabled=False), ) def analyze_assert(self, context: dict) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/crypt_weak_hash.py b/precli/rules/python/stdlib/crypt_weak_hash.py index 79cefc38..e3440f00 100644 --- a/precli/rules/python/stdlib/crypt_weak_hash.py +++ b/precli/rules/python/stdlib/crypt_weak_hash.py @@ -96,6 +96,13 @@ algorithm. Scrypt is designed to be more secure than bcrypt, and it is also more resistant to GPU-based attacks. +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + ## See also !!! info diff --git a/precli/rules/python/stdlib/ftplib_cleartext.py b/precli/rules/python/stdlib/ftplib_cleartext.py index ed81ccbd..366df9f5 100644 --- a/precli/rules/python/stdlib/ftplib_cleartext.py +++ b/precli/rules/python/stdlib/ftplib_cleartext.py @@ -74,6 +74,13 @@ network protocols, including SSH. Twisted can be used to create secure SFTP clients and servers. +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + ## See also !!! info diff --git a/precli/rules/python/stdlib/ftplib_no_timeout.py b/precli/rules/python/stdlib/ftplib_no_timeout.py index 3fe68945..b1cfa27d 100644 --- a/precli/rules/python/stdlib/ftplib_no_timeout.py +++ b/precli/rules/python/stdlib/ftplib_no_timeout.py @@ -56,6 +56,13 @@ ftp_server = ftplib.FTP("ftp.example.com", timeout=5) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/ftplib_unverified_context.py b/precli/rules/python/stdlib/ftplib_unverified_context.py index 82d6a693..5c9b0be3 100644 --- a/precli/rules/python/stdlib/ftplib_unverified_context.py +++ b/precli/rules/python/stdlib/ftplib_unverified_context.py @@ -56,6 +56,13 @@ ftp.retrlines("LIST") ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/hashlib_improper_prng.py b/precli/rules/python/stdlib/hashlib_improper_prng.py index 84e4342f..0d31b03a 100644 --- a/precli/rules/python/stdlib/hashlib_improper_prng.py +++ b/precli/rules/python/stdlib/hashlib_improper_prng.py @@ -56,6 +56,13 @@ hashlib.scrypt(password, salt=salt, n=16384, r=8, p=1) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/hashlib_weak_hash.py b/precli/rules/python/stdlib/hashlib_weak_hash.py index 2511e018..eb047a3e 100644 --- a/precli/rules/python/stdlib/hashlib_weak_hash.py +++ b/precli/rules/python/stdlib/hashlib_weak_hash.py @@ -69,6 +69,13 @@ hash.hexdigest() ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -85,8 +92,6 @@ from precli.core.argument import Argument from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -111,7 +116,6 @@ def __init__(self, id: str): cwe_id=328, message="The hash function '{0}' is vulnerable to collision and " "pre-image attacks.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/hmac_timing_attack.py b/precli/rules/python/stdlib/hmac_timing_attack.py index 5e45c94a..98068316 100644 --- a/precli/rules/python/stdlib/hmac_timing_attack.py +++ b/precli/rules/python/stdlib/hmac_timing_attack.py @@ -69,6 +69,13 @@ print(hmac.compare_digest(digest, received_digest)) ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -81,8 +88,6 @@ from typing import Optional from precli.core.comparison import Comparison -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -106,7 +111,6 @@ def __init__(self, id: str): cwe_id=208, message="Comparing digests with the '{0}' operator is vulnerable " "to timing attacks.", - config=Config(level=Level.ERROR), ) def analyze_comparison_operator( diff --git a/precli/rules/python/stdlib/hmac_weak_hash.py b/precli/rules/python/stdlib/hmac_weak_hash.py index 24ded521..50b06e2c 100644 --- a/precli/rules/python/stdlib/hmac_weak_hash.py +++ b/precli/rules/python/stdlib/hmac_weak_hash.py @@ -60,6 +60,13 @@ hmac.new(key, msg=message, digestmod="sha256") ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -75,8 +82,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -101,7 +106,6 @@ def __init__(self, id: str): cwe_id=328, message="The hash function '{0}' is vulnerable to collision and " "pre-image attacks.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/hmac_weak_key.py b/precli/rules/python/stdlib/hmac_weak_key.py index f61d15d0..b1128981 100644 --- a/precli/rules/python/stdlib/hmac_weak_key.py +++ b/precli/rules/python/stdlib/hmac_weak_key.py @@ -57,6 +57,13 @@ hmac.new(key, msg=message, digestmod=hashlib.sha3_384) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/http_server_unrestricted_bind.py b/precli/rules/python/stdlib/http_server_unrestricted_bind.py index 16babf10..feda632f 100644 --- a/precli/rules/python/stdlib/http_server_unrestricted_bind.py +++ b/precli/rules/python/stdlib/http_server_unrestricted_bind.py @@ -63,6 +63,13 @@ def run(server_class: HTTPServer): run(HTTPServer) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/http_url_secret.py b/precli/rules/python/stdlib/http_url_secret.py index 2ec23a45..6f5c5a0c 100644 --- a/precli/rules/python/stdlib/http_url_secret.py +++ b/precli/rules/python/stdlib/http_url_secret.py @@ -50,6 +50,20 @@ response = conn.getresponse() ``` +# Default Configuration + +```toml +enabled = true +level = "error" +parameters.sensitive_params = [ + "apiKey", + "pass", + "password", + "user", + "username", +] +``` + # See also !!! info @@ -65,16 +79,11 @@ from urllib.parse import urlsplit from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule -SENSITIVE_PARAMS = ("apiKey", "pass", "password", "user", "username") - - class HttpUrlSecret(Rule): def __init__(self, id: str): super().__init__( @@ -83,7 +92,6 @@ def __init__(self, id: str): description=__doc__, cwe_id=598, message="Secrets in URLs are vulnerable to unauthorized access.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: @@ -103,7 +111,8 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: params = parse_qs(query) if split_url.username or any( - key in params for key in SENSITIVE_PARAMS + key in params + for key in self.config.parameters.get("sensitive_params") ): return Result( rule_id=self.id, diff --git a/precli/rules/python/stdlib/imaplib_cleartext.py b/precli/rules/python/stdlib/imaplib_cleartext.py index 6d51af21..cf16fab2 100644 --- a/precli/rules/python/stdlib/imaplib_cleartext.py +++ b/precli/rules/python/stdlib/imaplib_cleartext.py @@ -60,6 +60,13 @@ M.logout() ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -72,8 +79,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -88,7 +93,6 @@ def __init__(self, id: str): cwe_id=319, message="The IMAP protocol can transmit data in cleartext without " "encryption.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/imaplib_no_timeout.py b/precli/rules/python/stdlib/imaplib_no_timeout.py index 1b14dce6..f42b0611 100644 --- a/precli/rules/python/stdlib/imaplib_no_timeout.py +++ b/precli/rules/python/stdlib/imaplib_no_timeout.py @@ -59,6 +59,13 @@ imap.starttls(ssl.create_default_context()) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/imaplib_unverified_context.py b/precli/rules/python/stdlib/imaplib_unverified_context.py index f856ea8d..45a146f2 100644 --- a/precli/rules/python/stdlib/imaplib_unverified_context.py +++ b/precli/rules/python/stdlib/imaplib_unverified_context.py @@ -66,6 +66,13 @@ imap4.logout() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/json_load.py b/precli/rules/python/stdlib/json_load.py index 1c5b2f1c..7614a893 100644 --- a/precli/rules/python/stdlib/json_load.py +++ b/precli/rules/python/stdlib/json_load.py @@ -32,6 +32,13 @@ trusted sources. If you are parsing JSON data from an untrusted source, you should first sanitize the data to remove any potential malicious code. +# Default Configuration + +```toml +enabled = false +level = "warning" +``` + # See also !!! info @@ -44,7 +51,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -59,7 +65,6 @@ def __init__(self, id: str): cwe_id=502, message="Potential unsafe usage of '{0}' that can allow " "instantiation of arbitrary objects.", - config=Config(enabled=False), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/logging_insecure_listen_config.py b/precli/rules/python/stdlib/logging_insecure_listen_config.py index 10edb7bf..39fe21ae 100644 --- a/precli/rules/python/stdlib/logging_insecure_listen_config.py +++ b/precli/rules/python/stdlib/logging_insecure_listen_config.py @@ -44,6 +44,13 @@ def validate(recv: bytes): thread = logging.config.listen(verify=validate) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/marshal_load.py b/precli/rules/python/stdlib/marshal_load.py index 0e84a82f..d01b91a3 100644 --- a/precli/rules/python/stdlib/marshal_load.py +++ b/precli/rules/python/stdlib/marshal_load.py @@ -37,6 +37,13 @@ trusted sources. If you are deserializing data from an untrusted source, you should first sanitize the data to remove any potential malicious code. +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/nntplib_cleartext.py b/precli/rules/python/stdlib/nntplib_cleartext.py index 392d5fa1..f6755a3b 100644 --- a/precli/rules/python/stdlib/nntplib_cleartext.py +++ b/precli/rules/python/stdlib/nntplib_cleartext.py @@ -46,6 +46,13 @@ n.group('gmane.comp.python.committers') ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -58,8 +65,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -74,7 +79,6 @@ def __init__(self, id: str): cwe_id=319, message="The NNTP protocol can transmit data in cleartext without " "encryption.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/nntplib_no_timeout.py b/precli/rules/python/stdlib/nntplib_no_timeout.py index 78ca2412..aebbfb9b 100644 --- a/precli/rules/python/stdlib/nntplib_no_timeout.py +++ b/precli/rules/python/stdlib/nntplib_no_timeout.py @@ -59,6 +59,13 @@ nntp.starttls(ssl.create_default_context()) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/nntplib_unverified_context.py b/precli/rules/python/stdlib/nntplib_unverified_context.py index c23a2235..08772ad8 100644 --- a/precli/rules/python/stdlib/nntplib_unverified_context.py +++ b/precli/rules/python/stdlib/nntplib_unverified_context.py @@ -56,6 +56,13 @@ s.quit() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/os_loose_file_perm.py b/precli/rules/python/stdlib/os_loose_file_perm.py index 7907061f..0eac2327 100644 --- a/precli/rules/python/stdlib/os_loose_file_perm.py +++ b/precli/rules/python/stdlib/os_loose_file_perm.py @@ -72,6 +72,14 @@ ) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +parameters.umask = 0o022 +``` + ## See also !!! info @@ -99,7 +107,6 @@ "os.mkfifo": 0o666, "os.mknod": 0o600, } -UMASK = 0o022 class OsLooseFilePermissions(Rule): @@ -165,6 +172,8 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: location = Location(node=argument.node) message = self.message elif call.name_qualified in ("os.mkdir", "os.open", "os.mkfifo"): + UMASK = self.config.parameters.get("umask") + if argument.node is not None and isinstance(mode, int): # mode argument passed location = Location(node=argument.node) diff --git a/precli/rules/python/stdlib/os_setuid_root.py b/precli/rules/python/stdlib/os_setuid_root.py index 718e39ba..0ef4c5e8 100644 --- a/precli/rules/python/stdlib/os_setuid_root.py +++ b/precli/rules/python/stdlib/os_setuid_root.py @@ -54,6 +54,13 @@ os.setuid(1000) ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + ## See also !!! info @@ -67,8 +74,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -83,7 +88,6 @@ def __init__(self, id: str): cwe_id=250, message="The function '{0}(0)' escalates the process to run with " "root (superuser) privileges.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/pathlib_loose_file_perm.py b/precli/rules/python/stdlib/pathlib_loose_file_perm.py index 4ad94931..32f29b57 100644 --- a/precli/rules/python/stdlib/pathlib_loose_file_perm.py +++ b/precli/rules/python/stdlib/pathlib_loose_file_perm.py @@ -72,6 +72,14 @@ ) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +parameters.umask = 0o022 +``` + ## See also !!! info @@ -97,7 +105,6 @@ "pathlib.Path.mkdir": 0o777, "pathlib.Path.touch": 0o666, } -UMASK = 0o022 class PathlibLooseFilePermissions(Rule): @@ -164,6 +171,8 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: "pathlib.Path.mkdir", "pathlib.Path.touch", ): + UMASK = self.config.parameters.get("umask") + if argument.node is not None and isinstance(mode, int): # mode argument passed location = Location(node=argument.node) diff --git a/precli/rules/python/stdlib/pickle_load.py b/precli/rules/python/stdlib/pickle_load.py index 94ca0789..5c2e2499 100644 --- a/precli/rules/python/stdlib/pickle_load.py +++ b/precli/rules/python/stdlib/pickle_load.py @@ -48,6 +48,13 @@ def load_pickle_file(file_path): secure serialization format, such as JSON or XML. These formats are designed to be secure and cannot be used to execute malicious code. +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/poplib_cleartext.py b/precli/rules/python/stdlib/poplib_cleartext.py index 6136f8ea..e8a8e15c 100644 --- a/precli/rules/python/stdlib/poplib_cleartext.py +++ b/precli/rules/python/stdlib/poplib_cleartext.py @@ -55,6 +55,13 @@ print(j) ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -67,8 +74,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -83,7 +88,6 @@ def __init__(self, id: str): cwe_id=319, message="The POP protocol can transmit data in cleartext without " "encryption.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/poplib_no_timeout.py b/precli/rules/python/stdlib/poplib_no_timeout.py index 42ccf7c0..0f14ecfe 100644 --- a/precli/rules/python/stdlib/poplib_no_timeout.py +++ b/precli/rules/python/stdlib/poplib_no_timeout.py @@ -59,6 +59,13 @@ pop.stls(ssl.create_default_context()) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/poplib_unverified_context.py b/precli/rules/python/stdlib/poplib_unverified_context.py index 4883d8a5..c2e52a8e 100644 --- a/precli/rules/python/stdlib/poplib_unverified_context.py +++ b/precli/rules/python/stdlib/poplib_unverified_context.py @@ -62,6 +62,13 @@ print(j) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/re_denial_of_service.py b/precli/rules/python/stdlib/re_denial_of_service.py index 739ec1d4..682893e0 100644 --- a/precli/rules/python/stdlib/re_denial_of_service.py +++ b/precli/rules/python/stdlib/re_denial_of_service.py @@ -50,6 +50,13 @@ reg.search("http://[:::::::::::::::::::::::::::::::::::::::]/path") ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -64,8 +71,6 @@ from precli.core import redos from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -81,7 +86,6 @@ def __init__(self, id: str): message="The call to '{0}'' with regex pattern '{1}'' is " "susceptible to catastrophic backtracking and may cause " "performance degradation.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/secrets_weak_token.py b/precli/rules/python/stdlib/secrets_weak_token.py index bdc1bea6..02a07e58 100644 --- a/precli/rules/python/stdlib/secrets_weak_token.py +++ b/precli/rules/python/stdlib/secrets_weak_token.py @@ -45,6 +45,15 @@ token = secrets.token_bytes() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +parameters.warning_token_size = 32 +parameters.error_token_size = 16 +``` + # See also !!! info @@ -82,10 +91,13 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: ]: return + WARN_SIZE = self.config.parameters.get("warning_token_size") + ERR_SIZE = self.config.parameters.get("error_token_size") + arg = call.get_argument(position=0, name="nbytes") - nbytes = int(arg.value) if isinstance(arg.value, int) else 32 + nbytes = int(arg.value) if isinstance(arg.value, int) else WARN_SIZE - if nbytes < 32: + if nbytes < WARN_SIZE: fixes = Rule.get_fixes( context=context, deleted_location=Location(node=arg.node), @@ -97,7 +109,7 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: return Result( rule_id=self.id, location=Location(node=arg.node), - level=Level.ERROR if nbytes < 16 else Level.WARNING, - message=self.message.format(nbytes, 32), + level=Level.ERROR if nbytes < ERR_SIZE else Level.WARNING, + message=self.message.format(nbytes, WARN_SIZE), fixes=fixes, ) diff --git a/precli/rules/python/stdlib/shelve_open.py b/precli/rules/python/stdlib/shelve_open.py index 9d79aff3..f89c3ec2 100644 --- a/precli/rules/python/stdlib/shelve_open.py +++ b/precli/rules/python/stdlib/shelve_open.py @@ -36,6 +36,13 @@ data from an untrusted source, you should first sanitize the data to remove any potential malicious code. +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/smtplib_cleartext.py b/precli/rules/python/stdlib/smtplib_cleartext.py index 62cfc1d4..d5c4ee22 100644 --- a/precli/rules/python/stdlib/smtplib_cleartext.py +++ b/precli/rules/python/stdlib/smtplib_cleartext.py @@ -91,6 +91,13 @@ def prompt(prompt): server.quit() ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -103,8 +110,6 @@ def prompt(prompt): from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -119,7 +124,6 @@ def __init__(self, id: str): cwe_id=319, message="The POP protocol can transmit data in cleartext without " "encryption.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/smtplib_no_timeout.py b/precli/rules/python/stdlib/smtplib_no_timeout.py index 5c65a56e..b8d1bfa5 100644 --- a/precli/rules/python/stdlib/smtplib_no_timeout.py +++ b/precli/rules/python/stdlib/smtplib_no_timeout.py @@ -60,6 +60,13 @@ server.starttls(context=ssl.create_default_context()) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/smtplib_unverified_context.py b/precli/rules/python/stdlib/smtplib_unverified_context.py index 40caf84f..f727d867 100644 --- a/precli/rules/python/stdlib/smtplib_unverified_context.py +++ b/precli/rules/python/stdlib/smtplib_unverified_context.py @@ -98,6 +98,13 @@ def prompt(prompt): server.quit() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/socket_no_timeout.py b/precli/rules/python/stdlib/socket_no_timeout.py index 9ad7e961..0b0e84d8 100644 --- a/precli/rules/python/stdlib/socket_no_timeout.py +++ b/precli/rules/python/stdlib/socket_no_timeout.py @@ -57,6 +57,13 @@ s.close() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/socket_unrestricted_bind.py b/precli/rules/python/stdlib/socket_unrestricted_bind.py index 2183560f..4fab67c3 100644 --- a/precli/rules/python/stdlib/socket_unrestricted_bind.py +++ b/precli/rules/python/stdlib/socket_unrestricted_bind.py @@ -53,6 +53,13 @@ s.listen() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/socketserver_unrestricted_bind.py b/precli/rules/python/stdlib/socketserver_unrestricted_bind.py index bd063080..a2b986d3 100644 --- a/precli/rules/python/stdlib/socketserver_unrestricted_bind.py +++ b/precli/rules/python/stdlib/socketserver_unrestricted_bind.py @@ -67,6 +67,13 @@ def handle(self): server.serve_forever() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/ssl_context_weak_key.py b/precli/rules/python/stdlib/ssl_context_weak_key.py index 74f52488..4dc54461 100644 --- a/precli/rules/python/stdlib/ssl_context_weak_key.py +++ b/precli/rules/python/stdlib/ssl_context_weak_key.py @@ -49,6 +49,15 @@ context.set_ecdh_curve("prime256v1") ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +parameters.warning_key_size = 224 +parameters.error_key_size = 160 +``` + # See also !!! info @@ -88,6 +97,9 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: ]: return + WARN_SIZE = self.config.parameters.get("warning_key_size") + ERR_SIZE = self.config.parameters.get("error_key_size") + arg = call.get_argument(position=0, name="curve_name") curve_name = arg.value @@ -98,20 +110,21 @@ def analyze_call(self, context: dict, call: Call) -> Optional[Result]: result = re.search(r"brainpoolP(\d{3})r[1|2|3]", curve_name) if not result: result = re.search(r"brainpoolP(\d{3})r1tls13", curve_name) - key_size = int(result.group(1)) if result else 224 + key_size = int(result.group(1)) if result else WARN_SIZE - if key_size < 224: + if key_size < WARN_SIZE: fixes = Rule.get_fixes( context=context, deleted_location=Location(node=arg.node), - description="Use a curve with a minimum size of 224 bits.", + description=f"Use a curve with a minimum size of {WARN_SIZE} " + "bits.", inserted_content='"secp256k1"', ) return Result( rule_id=self.id, location=Location(node=arg.node), - level=Level.ERROR if key_size < 160 else Level.WARNING, - message=self.message.format("EC", 224), + level=Level.ERROR if key_size < ERR_SIZE else Level.WARNING, + message=self.message.format("EC", WARN_SIZE), fixes=fixes, ) diff --git a/precli/rules/python/stdlib/ssl_create_unverified_context.py b/precli/rules/python/stdlib/ssl_create_unverified_context.py index 2e8846f9..0cf682a2 100644 --- a/precli/rules/python/stdlib/ssl_create_unverified_context.py +++ b/precli/rules/python/stdlib/ssl_create_unverified_context.py @@ -46,6 +46,13 @@ context = ssl.create_default_context() ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/ssl_insecure_tls_version.py b/precli/rules/python/stdlib/ssl_insecure_tls_version.py index 38d0def3..6bc37a38 100644 --- a/precli/rules/python/stdlib/ssl_insecure_tls_version.py +++ b/precli/rules/python/stdlib/ssl_insecure_tls_version.py @@ -59,6 +59,13 @@ ssl.get_server_certificate(("localhost", 443), ssl_version=ssl.PROTOCOL_TLSv1_2) ``` +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -72,8 +79,6 @@ from precli.core.argument import Argument from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -95,7 +100,6 @@ def __init__(self, id: str): description=__doc__, cwe_id=326, message="The '{0}' protocol has insufficient encryption strength.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/ssl_no_timeout.py b/precli/rules/python/stdlib/ssl_no_timeout.py index c0c6adbb..624d4156 100644 --- a/precli/rules/python/stdlib/ssl_no_timeout.py +++ b/precli/rules/python/stdlib/ssl_no_timeout.py @@ -52,6 +52,13 @@ cert = ssl.get_server_certificate(("example.com", 443), timeout=5) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/telnetlib_cleartext.py b/precli/rules/python/stdlib/telnetlib_cleartext.py index c0377ad5..70847915 100644 --- a/precli/rules/python/stdlib/telnetlib_cleartext.py +++ b/precli/rules/python/stdlib/telnetlib_cleartext.py @@ -96,6 +96,13 @@ network protocols, including SSH. Twisted can be used to create secure SSH clients and servers. +# Default Configuration + +```toml +enabled = true +level = "error" +``` + # See also !!! info @@ -110,8 +117,6 @@ from typing import Optional from precli.core.call import Call -from precli.core.config import Config -from precli.core.level import Level from precli.core.location import Location from precli.core.result import Result from precli.rules import Rule @@ -126,7 +131,6 @@ def __init__(self, id: str): cwe_id=319, message="The '{0}' module transmits data in cleartext without " "encryption.", - config=Config(level=Level.ERROR), ) def analyze_call(self, context: dict, call: Call) -> Optional[Result]: diff --git a/precli/rules/python/stdlib/telnetlib_no_timeout.py b/precli/rules/python/stdlib/telnetlib_no_timeout.py index 4a619109..b51c7438 100644 --- a/precli/rules/python/stdlib/telnetlib_no_timeout.py +++ b/precli/rules/python/stdlib/telnetlib_no_timeout.py @@ -54,6 +54,13 @@ telnet = telnetlib.Telnet("example.com", 23, timeout=5) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/tempfile_mktemp_race_condition.py b/precli/rules/python/stdlib/tempfile_mktemp_race_condition.py index f59bc273..eb1a6074 100644 --- a/precli/rules/python/stdlib/tempfile_mktemp_race_condition.py +++ b/precli/rules/python/stdlib/tempfile_mktemp_race_condition.py @@ -49,6 +49,13 @@ f.write(b"Hello World!\n") ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/precli/rules/python/stdlib/xmlrpc_server_unrestricted_bind.py b/precli/rules/python/stdlib/xmlrpc_server_unrestricted_bind.py index aed2cb34..cbf473ac 100644 --- a/precli/rules/python/stdlib/xmlrpc_server_unrestricted_bind.py +++ b/precli/rules/python/stdlib/xmlrpc_server_unrestricted_bind.py @@ -63,6 +63,13 @@ def run(server_class: DocXMLRPCServer): run(DocXMLRPCServer) ``` +# Default Configuration + +```toml +enabled = true +level = "warning" +``` + # See also !!! info diff --git a/requirements.txt b/requirements.txt index c8c647a7..51dee1ca 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,7 @@ # Copyright 2024 Secure Sauce LLC # SPDX-License-Identifier: BUSL-1.1 typing-extensions==4.12.2;python_version<"3.11" +tomli>=1.1.0; python_version<"3.11" rich==13.9.3 tree-sitter==0.23.1 ignorelib==0.3.0 diff --git a/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_cipher.py b/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_cipher.py index 5f112ba7..aeccdceb 100644 --- a/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_cipher.py +++ b/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_cipher.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 327 @pytest.mark.parametrize( diff --git a/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_hash.py b/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_hash.py index 68aa3de1..b72c611a 100644 --- a/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_hash.py +++ b/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_hash.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 328 @pytest.mark.parametrize( diff --git a/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_key.py b/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_key.py index 9978fe0d..af35d6a7 100644 --- a/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_key.py +++ b/tests/unit/rules/go/stdlib/crypto/test_crypto_weak_key.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/go/stdlib/syscall/test_syscall_setuid_root.py b/tests/unit/rules/go/stdlib/syscall/test_syscall_setuid_root.py index 25a9e781..c8dd224c 100644 --- a/tests/unit/rules/go/stdlib/syscall/test_syscall_setuid_root.py +++ b/tests/unit/rules/go/stdlib/syscall/test_syscall_setuid_root.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 250 @pytest.mark.parametrize( diff --git a/tests/unit/rules/java/stdlib/java_net/test_insecure_cookie.py b/tests/unit/rules/java/stdlib/java_net/test_insecure_cookie.py index 5b30aa11..4e3e5868 100644 --- a/tests/unit/rules/java/stdlib/java_net/test_insecure_cookie.py +++ b/tests/unit/rules/java/stdlib/java_net/test_insecure_cookie.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 614 @pytest.mark.parametrize( diff --git a/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py b/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py index 899c5931..f5e32dc9 100644 --- a/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py +++ b/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 328 @pytest.mark.parametrize( diff --git a/tests/unit/rules/java/stdlib/java_security/test_weak_key.py b/tests/unit/rules/java/stdlib/java_security/test_weak_key.py index 0cb91079..ff1feea1 100644 --- a/tests/unit/rules/java/stdlib/java_security/test_weak_key.py +++ b/tests/unit/rules/java/stdlib/java_security/test_weak_key.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/java/stdlib/java_security/test_weak_random.py b/tests/unit/rules/java/stdlib/java_security/test_weak_random.py index 8b962793..9516d967 100644 --- a/tests/unit/rules/java/stdlib/java_security/test_weak_random.py +++ b/tests/unit/rules/java/stdlib/java_security/test_weak_random.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 338 @pytest.mark.parametrize( diff --git a/tests/unit/rules/java/stdlib/javax_crypto/test_weak_cipher.py b/tests/unit/rules/java/stdlib/javax_crypto/test_weak_cipher.py index 0a2bbe2e..d1d67e3c 100644 --- a/tests/unit/rules/java/stdlib/javax_crypto/test_weak_cipher.py +++ b/tests/unit/rules/java/stdlib/javax_crypto/test_weak_cipher.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 327 @pytest.mark.parametrize( diff --git a/tests/unit/rules/java/stdlib/javax_servlet_http/test_insecure_cookie.py b/tests/unit/rules/java/stdlib/javax_servlet_http/test_insecure_cookie.py index 04086c7c..836c3cf6 100644 --- a/tests/unit/rules/java/stdlib/javax_servlet_http/test_insecure_cookie.py +++ b/tests/unit/rules/java/stdlib/javax_servlet_http/test_insecure_cookie.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 614 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/argparse/test_argparse_sensitive_info.py b/tests/unit/rules/python/stdlib/argparse/test_argparse_sensitive_info.py index 0e05f763..d6a2587e 100644 --- a/tests/unit/rules/python/stdlib/argparse/test_argparse_sensitive_info.py +++ b/tests/unit/rules/python/stdlib/argparse/test_argparse_sensitive_info.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 214 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/assert/test_assert.py b/tests/unit/rules/python/stdlib/assert/test_assert.py index 74aed5b8..ea639246 100644 --- a/tests/unit/rules/python/stdlib/assert/test_assert.py +++ b/tests/unit/rules/python/stdlib/assert/test_assert.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is False - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is False + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 703 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/crypt/test_crypt_weak_hash.py b/tests/unit/rules/python/stdlib/crypt/test_crypt_weak_hash.py index ff322021..ef0c4997 100644 --- a/tests/unit/rules/python/stdlib/crypt/test_crypt_weak_hash.py +++ b/tests/unit/rules/python/stdlib/crypt/test_crypt_weak_hash.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 328 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ftplib/test_ftplib_cleartext.py b/tests/unit/rules/python/stdlib/ftplib/test_ftplib_cleartext.py index 0002ddd5..cf6481b7 100644 --- a/tests/unit/rules/python/stdlib/ftplib/test_ftplib_cleartext.py +++ b/tests/unit/rules/python/stdlib/ftplib/test_ftplib_cleartext.py @@ -34,9 +34,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 319 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ftplib/test_ftplib_no_timeout.py b/tests/unit/rules/python/stdlib/ftplib/test_ftplib_no_timeout.py index e9131748..941668e1 100644 --- a/tests/unit/rules/python/stdlib/ftplib/test_ftplib_no_timeout.py +++ b/tests/unit/rules/python/stdlib/ftplib/test_ftplib_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ftplib/test_ftplib_unverified_context.py b/tests/unit/rules/python/stdlib/ftplib/test_ftplib_unverified_context.py index 360786ae..eda2342b 100644 --- a/tests/unit/rules/python/stdlib/ftplib/test_ftplib_unverified_context.py +++ b/tests/unit/rules/python/stdlib/ftplib/test_ftplib_unverified_context.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 295 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/hashlib/test_hashlib_improper_prng.py b/tests/unit/rules/python/stdlib/hashlib/test_hashlib_improper_prng.py index 6faccb01..ecf17e74 100644 --- a/tests/unit/rules/python/stdlib/hashlib/test_hashlib_improper_prng.py +++ b/tests/unit/rules/python/stdlib/hashlib/test_hashlib_improper_prng.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 330 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/hashlib/test_hashlib_weak_hash.py b/tests/unit/rules/python/stdlib/hashlib/test_hashlib_weak_hash.py index c06082e0..67e91b9b 100644 --- a/tests/unit/rules/python/stdlib/hashlib/test_hashlib_weak_hash.py +++ b/tests/unit/rules/python/stdlib/hashlib/test_hashlib_weak_hash.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 328 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/hmac/test_hmac_timing_attack.py b/tests/unit/rules/python/stdlib/hmac/test_hmac_timing_attack.py index 8ac81ef7..5a323e8b 100644 --- a/tests/unit/rules/python/stdlib/hmac/test_hmac_timing_attack.py +++ b/tests/unit/rules/python/stdlib/hmac/test_hmac_timing_attack.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 208 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_hash.py b/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_hash.py index 025c0db9..c4385d09 100644 --- a/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_hash.py +++ b/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_hash.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 328 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_key.py b/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_key.py index 45a3ed2f..7e5f33d2 100644 --- a/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_key.py +++ b/tests/unit/rules/python/stdlib/hmac/test_hmac_weak_key.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/http/test_http_server_unrestricted_bind.py b/tests/unit/rules/python/stdlib/http/test_http_server_unrestricted_bind.py index 5de5a42f..5d840d93 100644 --- a/tests/unit/rules/python/stdlib/http/test_http_server_unrestricted_bind.py +++ b/tests/unit/rules/python/stdlib/http/test_http_server_unrestricted_bind.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1327 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/http/test_http_url_secret.py b/tests/unit/rules/python/stdlib/http/test_http_url_secret.py index 6cfc484e..aa232c64 100644 --- a/tests/unit/rules/python/stdlib/http/test_http_url_secret.py +++ b/tests/unit/rules/python/stdlib/http/test_http_url_secret.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 598 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/imaplib/test_imaplib_cleartext.py b/tests/unit/rules/python/stdlib/imaplib/test_imaplib_cleartext.py index 9dfbc1e2..63cc9479 100644 --- a/tests/unit/rules/python/stdlib/imaplib/test_imaplib_cleartext.py +++ b/tests/unit/rules/python/stdlib/imaplib/test_imaplib_cleartext.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 319 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/imaplib/test_imaplib_no_timeout.py b/tests/unit/rules/python/stdlib/imaplib/test_imaplib_no_timeout.py index 5eae0abf..0e35602e 100644 --- a/tests/unit/rules/python/stdlib/imaplib/test_imaplib_no_timeout.py +++ b/tests/unit/rules/python/stdlib/imaplib/test_imaplib_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/imaplib/test_imaplib_unverified_context.py b/tests/unit/rules/python/stdlib/imaplib/test_imaplib_unverified_context.py index 5d678723..d6af190c 100644 --- a/tests/unit/rules/python/stdlib/imaplib/test_imaplib_unverified_context.py +++ b/tests/unit/rules/python/stdlib/imaplib/test_imaplib_unverified_context.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 295 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/json/test_json_load.py b/tests/unit/rules/python/stdlib/json/test_json_load.py index 6d6d1fa4..38c8d9f7 100644 --- a/tests/unit/rules/python/stdlib/json/test_json_load.py +++ b/tests/unit/rules/python/stdlib/json/test_json_load.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is False - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is False + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 502 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/logging/test_logging_insecure_listen_config.py b/tests/unit/rules/python/stdlib/logging/test_logging_insecure_listen_config.py index 498e2fe9..1f48c054 100644 --- a/tests/unit/rules/python/stdlib/logging/test_logging_insecure_listen_config.py +++ b/tests/unit/rules/python/stdlib/logging/test_logging_insecure_listen_config.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 94 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/marshal/test_marshal_load.py b/tests/unit/rules/python/stdlib/marshal/test_marshal_load.py index bdfac1d5..592c5aad 100644 --- a/tests/unit/rules/python/stdlib/marshal/test_marshal_load.py +++ b/tests/unit/rules/python/stdlib/marshal/test_marshal_load.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 502 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/nntplib/test_nntplib_cleartext.py b/tests/unit/rules/python/stdlib/nntplib/test_nntplib_cleartext.py index 40673d68..56e54460 100644 --- a/tests/unit/rules/python/stdlib/nntplib/test_nntplib_cleartext.py +++ b/tests/unit/rules/python/stdlib/nntplib/test_nntplib_cleartext.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 319 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/nntplib/test_nntplib_no_timeout.py b/tests/unit/rules/python/stdlib/nntplib/test_nntplib_no_timeout.py index fd3c806a..010aa1e4 100644 --- a/tests/unit/rules/python/stdlib/nntplib/test_nntplib_no_timeout.py +++ b/tests/unit/rules/python/stdlib/nntplib/test_nntplib_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/nntplib/test_nntplib_unverified_context.py b/tests/unit/rules/python/stdlib/nntplib/test_nntplib_unverified_context.py index a576b940..8f84c10b 100644 --- a/tests/unit/rules/python/stdlib/nntplib/test_nntplib_unverified_context.py +++ b/tests/unit/rules/python/stdlib/nntplib/test_nntplib_unverified_context.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 295 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/os/test_os_loose_file_perm.py b/tests/unit/rules/python/stdlib/os/test_os_loose_file_perm.py index 2fd1408b..abea0347 100644 --- a/tests/unit/rules/python/stdlib/os/test_os_loose_file_perm.py +++ b/tests/unit/rules/python/stdlib/os/test_os_loose_file_perm.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 732 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/os/test_os_setuid_root.py b/tests/unit/rules/python/stdlib/os/test_os_setuid_root.py index a65c03dc..6a4fd8c8 100644 --- a/tests/unit/rules/python/stdlib/os/test_os_setuid_root.py +++ b/tests/unit/rules/python/stdlib/os/test_os_setuid_root.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 250 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/pathlib/test_pathlib_loose_file_perm.py b/tests/unit/rules/python/stdlib/pathlib/test_pathlib_loose_file_perm.py index 7c0922dd..920c3173 100644 --- a/tests/unit/rules/python/stdlib/pathlib/test_pathlib_loose_file_perm.py +++ b/tests/unit/rules/python/stdlib/pathlib/test_pathlib_loose_file_perm.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 732 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/pickle/test_pickle_load.py b/tests/unit/rules/python/stdlib/pickle/test_pickle_load.py index 980043f8..bf0700d2 100644 --- a/tests/unit/rules/python/stdlib/pickle/test_pickle_load.py +++ b/tests/unit/rules/python/stdlib/pickle/test_pickle_load.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 502 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/poplib/test_poplib_cleartext.py b/tests/unit/rules/python/stdlib/poplib/test_poplib_cleartext.py index 478b64e4..d23ddd7a 100644 --- a/tests/unit/rules/python/stdlib/poplib/test_poplib_cleartext.py +++ b/tests/unit/rules/python/stdlib/poplib/test_poplib_cleartext.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 319 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/poplib/test_poplib_no_timeout.py b/tests/unit/rules/python/stdlib/poplib/test_poplib_no_timeout.py index c9ab3ad2..9bce778d 100644 --- a/tests/unit/rules/python/stdlib/poplib/test_poplib_no_timeout.py +++ b/tests/unit/rules/python/stdlib/poplib/test_poplib_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/poplib/test_poplib_unverified_context.py b/tests/unit/rules/python/stdlib/poplib/test_poplib_unverified_context.py index 51079ebe..a762742f 100644 --- a/tests/unit/rules/python/stdlib/poplib/test_poplib_unverified_context.py +++ b/tests/unit/rules/python/stdlib/poplib/test_poplib_unverified_context.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 295 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/re/test_re_denial_of_service.py b/tests/unit/rules/python/stdlib/re/test_re_denial_of_service.py index 07d22ab9..c5279aef 100644 --- a/tests/unit/rules/python/stdlib/re/test_re_denial_of_service.py +++ b/tests/unit/rules/python/stdlib/re/test_re_denial_of_service.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 1333 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/secrets/test_secrets_weak_token.py b/tests/unit/rules/python/stdlib/secrets/test_secrets_weak_token.py index 76cbccb2..833fac13 100644 --- a/tests/unit/rules/python/stdlib/secrets/test_secrets_weak_token.py +++ b/tests/unit/rules/python/stdlib/secrets/test_secrets_weak_token.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/shelve/test_shelve_open.py b/tests/unit/rules/python/stdlib/shelve/test_shelve_open.py index 340ebacc..be64b319 100644 --- a/tests/unit/rules/python/stdlib/shelve/test_shelve_open.py +++ b/tests/unit/rules/python/stdlib/shelve/test_shelve_open.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 502 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/smtplib/test_smtplib_cleartext.py b/tests/unit/rules/python/stdlib/smtplib/test_smtplib_cleartext.py index 64abe43e..3035cea5 100644 --- a/tests/unit/rules/python/stdlib/smtplib/test_smtplib_cleartext.py +++ b/tests/unit/rules/python/stdlib/smtplib/test_smtplib_cleartext.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 319 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/smtplib/test_smtplib_no_timeout.py b/tests/unit/rules/python/stdlib/smtplib/test_smtplib_no_timeout.py index 7d91de79..e337f004 100644 --- a/tests/unit/rules/python/stdlib/smtplib/test_smtplib_no_timeout.py +++ b/tests/unit/rules/python/stdlib/smtplib/test_smtplib_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/smtplib/test_smtplib_unverified_context.py b/tests/unit/rules/python/stdlib/smtplib/test_smtplib_unverified_context.py index 3deaef49..9b3e0050 100644 --- a/tests/unit/rules/python/stdlib/smtplib/test_smtplib_unverified_context.py +++ b/tests/unit/rules/python/stdlib/smtplib/test_smtplib_unverified_context.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 295 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/socket/test_socket_no_timeout.py b/tests/unit/rules/python/stdlib/socket/test_socket_no_timeout.py index 426c5680..e46cfa93 100644 --- a/tests/unit/rules/python/stdlib/socket/test_socket_no_timeout.py +++ b/tests/unit/rules/python/stdlib/socket/test_socket_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/socket/test_socket_unrestricted_bind.py b/tests/unit/rules/python/stdlib/socket/test_socket_unrestricted_bind.py index 9045a7f1..3f6dfc37 100644 --- a/tests/unit/rules/python/stdlib/socket/test_socket_unrestricted_bind.py +++ b/tests/unit/rules/python/stdlib/socket/test_socket_unrestricted_bind.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1327 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/socketserver/test_socketserver_unrestricted_bind.py b/tests/unit/rules/python/stdlib/socketserver/test_socketserver_unrestricted_bind.py index f2228cd9..2075cc59 100644 --- a/tests/unit/rules/python/stdlib/socketserver/test_socketserver_unrestricted_bind.py +++ b/tests/unit/rules/python/stdlib/socketserver/test_socketserver_unrestricted_bind.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1327 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ssl/test_ssl_context_tls_version.py b/tests/unit/rules/python/stdlib/ssl/test_ssl_context_tls_version.py index 1cb0f1a7..124a1c4f 100644 --- a/tests/unit/rules/python/stdlib/ssl/test_ssl_context_tls_version.py +++ b/tests/unit/rules/python/stdlib/ssl/test_ssl_context_tls_version.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ssl/test_ssl_context_weak_key.py b/tests/unit/rules/python/stdlib/ssl/test_ssl_context_weak_key.py index 0c3281f5..157ce1b7 100644 --- a/tests/unit/rules/python/stdlib/ssl/test_ssl_context_weak_key.py +++ b/tests/unit/rules/python/stdlib/ssl/test_ssl_context_weak_key.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ssl/test_ssl_create_context.py b/tests/unit/rules/python/stdlib/ssl/test_ssl_create_context.py index e8c300d0..b5656f4d 100644 --- a/tests/unit/rules/python/stdlib/ssl/test_ssl_create_context.py +++ b/tests/unit/rules/python/stdlib/ssl/test_ssl_create_context.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 295 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ssl/test_ssl_get_server_certificate_tls_version.py b/tests/unit/rules/python/stdlib/ssl/test_ssl_get_server_certificate_tls_version.py index d378a9d2..79cdcd67 100644 --- a/tests/unit/rules/python/stdlib/ssl/test_ssl_get_server_certificate_tls_version.py +++ b/tests/unit/rules/python/stdlib/ssl/test_ssl_get_server_certificate_tls_version.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ssl/test_ssl_no_timeout.py b/tests/unit/rules/python/stdlib/ssl/test_ssl_no_timeout.py index 1ad53c44..6fb55d61 100644 --- a/tests/unit/rules/python/stdlib/ssl/test_ssl_no_timeout.py +++ b/tests/unit/rules/python/stdlib/ssl/test_ssl_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/ssl/test_ssl_wrap_socket_tls_version.py b/tests/unit/rules/python/stdlib/ssl/test_ssl_wrap_socket_tls_version.py index 9f84c784..0f9c4ea2 100644 --- a/tests/unit/rules/python/stdlib/ssl/test_ssl_wrap_socket_tls_version.py +++ b/tests/unit/rules/python/stdlib/ssl/test_ssl_wrap_socket_tls_version.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 326 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_cleartext.py b/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_cleartext.py index 235215ef..df3a7193 100644 --- a/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_cleartext.py +++ b/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_cleartext.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.ERROR - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.ERROR + assert rule.config.rank == -1.0 assert rule.cwe.id == 319 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_no_timeout.py b/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_no_timeout.py index 7685d2c9..ca9cc578 100644 --- a/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_no_timeout.py +++ b/tests/unit/rules/python/stdlib/telnetlib/test_telnetlib_no_timeout.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1088 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/tempfile/test_tempfile_mktemp_race_condition.py b/tests/unit/rules/python/stdlib/tempfile/test_tempfile_mktemp_race_condition.py index bfc63c86..b4c998b9 100644 --- a/tests/unit/rules/python/stdlib/tempfile/test_tempfile_mktemp_race_condition.py +++ b/tests/unit/rules/python/stdlib/tempfile/test_tempfile_mktemp_race_condition.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 377 @pytest.mark.parametrize( diff --git a/tests/unit/rules/python/stdlib/xmlrpc/test_xmlrpc_server_unrestricted_bind.py b/tests/unit/rules/python/stdlib/xmlrpc/test_xmlrpc_server_unrestricted_bind.py index de7bbd13..e8236295 100644 --- a/tests/unit/rules/python/stdlib/xmlrpc/test_xmlrpc_server_unrestricted_bind.py +++ b/tests/unit/rules/python/stdlib/xmlrpc/test_xmlrpc_server_unrestricted_bind.py @@ -33,9 +33,9 @@ def test_rule_meta(self): rule.help_url == f"https://docs.securesauce.dev/rules/{self.rule_id}" ) - assert rule.default_config.enabled is True - assert rule.default_config.level == Level.WARNING - assert rule.default_config.rank == -1.0 + assert rule.config.enabled is True + assert rule.config.level == Level.WARNING + assert rule.config.rank == -1.0 assert rule.cwe.id == 1327 @pytest.mark.parametrize(