From 0423a95115ad38a642842dece95652dd92cfa6d6 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Fri, 26 Jan 2024 18:34:16 -0800
Subject: [PATCH] Move 3rd party rules to separate repo (#232)
Signed-off-by: Eric Brown --- docs/source/rules/python/index.rst | 5 - docs/source/rules/python/stdlib/assert.rst | 5 + .../rules/python/stdlib/assert/assert.rst | 5 - .../rules/python/stdlib/assert/index.rst | 8 - .../python/stdlib/crypt/crypt_weak_hash.rst | 5 - .../rules/python/stdlib/crypt/index.rst | 8 - .../rules/python/stdlib/crypt_weak_hash.rst | 5 + .../python/stdlib/ftplib/ftp_cleartext.rst | 5 - .../rules/python/stdlib/ftplib/index.rst | 8 - .../rules/python/stdlib/ftplib_cleartext.rst | 5 + .../stdlib/hashlib/hashlib_weak_hash.rst | 5 - .../rules/python/stdlib/hashlib/index.rst | 8 - .../rules/python/stdlib/hashlib_weak_hash.rst | 5 + .../python/stdlib/hmac/hmac_timing_attack.rst | 5 - .../python/stdlib/hmac/hmac_weak_hash.rst | 5 - .../source/rules/python/stdlib/hmac/index.rst | 8 - .../python/stdlib/hmac_timing_attack.rst | 5 + .../rules/python/stdlib/hmac_weak_hash.rst | 5 + .../python/stdlib/imaplib/imap_cleartext.rst | 5 - .../rules/python/stdlib/imaplib/index.rst | 8 - .../rules/python/stdlib/imaplib_cleartext.rst | 5 + docs/source/rules/python/stdlib/index.rst | 81 +----- .../source/rules/python/stdlib/json/index.rst | 8 - .../rules/python/stdlib/json/json_load.rst | 5 - docs/source/rules/python/stdlib/json_load.rst | 5 + .../rules/python/stdlib/logging/index.rst | 8 - .../stdlib/logging/insecure_listen_config.rst | 5 - .../stdlib/logging_insecure_listen_config.rst | 5 + .../rules/python/stdlib/marshal/index.rst | 8 - .../python/stdlib/marshal/marshal_load.rst | 5 - .../rules/python/stdlib/marshal_load.rst | 5 + .../rules/python/stdlib/nntplib/index.rst | 8 - .../python/stdlib/nntplib/nntp_cleartext.rst | 5 - .../rules/python/stdlib/nntplib_cleartext.rst | 5 + .../rules/python/stdlib/pickle/index.rst | 8 - .../python/stdlib/pickle/pickle_load.rst | 5 - .../rules/python/stdlib/pickle_load.rst | 5 + .../rules/python/stdlib/poplib/index.rst | 8 - .../python/stdlib/poplib/pop_cleartext.rst | 5 - .../rules/python/stdlib/poplib_cleartext.rst | 5 + 
.../rules/python/stdlib/shelve/index.rst | 8 - .../python/stdlib/shelve/shelve_open.rst | 5 - .../rules/python/stdlib/shelve_open.rst | 5 + .../rules/python/stdlib/smtplib/index.rst | 8 - .../python/stdlib/smtplib/smtp_cleartext.rst | 5 - .../rules/python/stdlib/smtplib_cleartext.rst | 5 + .../stdlib/ssl/create_unverified_context.rst | 5 - docs/source/rules/python/stdlib/ssl/index.rst | 8 - .../stdlib/ssl/insecure_tls_version.rst | 5 - .../stdlib/ssl_create_unverified_context.rst | 5 + .../stdlib/ssl_insecure_tls_version.rst | 5 + .../rules/python/stdlib/telnetlib/index.rst | 8 - .../stdlib/telnetlib/telnetlib_cleartext.rst | 5 - .../python/stdlib/telnetlib_cleartext.rst | 5 + .../rules/python/stdlib/tempfile/index.rst | 8 - .../stdlib/tempfile/mktemp_race_condition.rst | 5 - .../stdlib/tempfile_mktemp_race_condition.rst | 5 + .../PRE0014_cryptography_weak_hash.rst | 5 - .../python/third_party/PRE0015_dill_load.rst | 5 - .../PRE0016_no_certificate_verify.rst | 5 - .../third_party/PRE0017_jsonpickle_decode.rst | 5 - .../PRE0018_pandas_read_pickle.rst | 5 - .../PRE0019_paramiko_no_host_key_verify.rst | 5 - .../third_party/PRE0020_pyghmi_cleartext.rst | 5 - .../PRE0021_pycrypto_weak_hash.rst | 5 - .../PRE0022_pycryptodomex_weak_hash.rst | 5 - .../PRE0023_insecure_tls_method.rst | 5 - .../python/third_party/PRE0024_yaml_load.rst | 5 - .../PRE0025_no_certificate_verify.rst | 5 - .../source/rules/python/third_party/index.rst | 8 - .../rules/go/golang_org_x_crypto/__init__.py | 0 .../ssh_insecure_ignore_hostkey.py | 175 ------------- .../go/golang_org_x_crypto/weak_cipher.py | 155 ----------- .../rules/go/golang_org_x_crypto/weak_hash.py | 142 ---------- precli/rules/python/Django/__init__.py | 0 precli/rules/python/Flask/__init__.py | 0 precli/rules/python/Flask/flask_run_debug.py | 119 --------- precli/rules/python/Jinja2/__init__.py | 0 precli/rules/python/M2Crypto/__init__.py | 0 .../python/M2Crypto/m2crypto_weak_key.py | 194 -------------- 
precli/rules/python/Mako/__init__.py | 0 precli/rules/python/PyYAML/__init__.py | 0 precli/rules/python/PyYAML/yaml_load.py | 126 --------- precli/rules/python/Twisted/__init__.py | 0 precli/rules/python/aiohttp/__init__.py | 0 .../python/aiohttp/no_certificate_verify.py | 128 --------- precli/rules/python/cryptography/__init__.py | 0 .../cryptography/cryptography_weak_cipher.py | 209 --------------- .../cryptography_weak_cipher_mode.py | 127 --------- .../cryptography/cryptography_weak_hash.py | 104 -------- .../cryptography/cryptography_weak_key.py | 245 ------------------ precli/rules/python/dill/__init__.py | 0 precli/rules/python/dill/dill_load.py | 84 ------ precli/rules/python/httpx/__init__.py | 0 .../python/httpx/no_certificate_verify.py | 125 --------- precli/rules/python/jsonpickle/__init__.py | 0 .../python/jsonpickle/jsonpickle_decode.py | 87 ------- precli/rules/python/ldap3/__init__.py | 0 precli/rules/python/pandas/__init__.py | 0 .../rules/python/pandas/pandas_read_pickle.py | 91 ------- precli/rules/python/paramiko/__init__.py | 0 .../paramiko/paramiko_no_host_key_verify.py | 135 ---------- precli/rules/python/pycrypto/__init__.py | 0 .../python/pycrypto/pycrypto_weak_cipher.py | 178 ------------- .../python/pycrypto/pycrypto_weak_hash.py | 128 --------- .../python/pycrypto/pycrypto_weak_key.py | 148 ----------- precli/rules/python/pycryptodomex/__init__.py | 0 .../pycryptodomex_weak_cipher.py | 178 ------------- .../pycryptodomex/pycryptodomex_weak_hash.py | 133 ---------- .../pycryptodomex/pycryptodomex_weak_key.py | 148 ----------- precli/rules/python/pyghmi/__init__.py | 0 .../rules/python/pyghmi/pyghmi_cleartext.py | 153 ----------- precli/rules/python/pyjwt/__init__.py | 0 precli/rules/python/pyopenssl/__init__.py | 0 .../python/pyopenssl/insecure_tls_method.py | 132 ---------- .../python/pyopenssl/pyopenssl_weak_key.py | 135 ---------- precli/rules/python/pysnmp/__init__.py | 0 precli/rules/python/python-ipmi/__init__.py | 0 
precli/rules/python/requests/__init__.py | 0 .../python/requests/no_certificate_verify.py | 128 --------- precli/rules/python/wsgiref/__init__.py | 0 setup.cfg | 78 ------ .../rules/go/golang_org_x_crypto/__init__.py | 0 .../examples/ssh_insecure_ignore_hostkey.go | 55 ---- .../examples/weak_cipher_blowfish.go | 21 -- .../weak_cipher_blowfish_new_salted_cipher.go | 22 -- .../examples/weak_cipher_cast5.go | 21 -- .../examples/weak_cipher_tea.go | 21 -- .../weak_cipher_tea_new_cipher_with_rounds.go | 21 -- .../examples/weak_cipher_twofish.go | 63 ----- .../examples/weak_cipher_xtea.go | 21 -- .../examples/weak_hash_md4.go | 17 -- .../examples/weak_hash_ripemd160.go | 17 -- .../test_ssh_insecure_ignore_hostkey.py | 44 ---- .../golang_org_x_crypto/test_weak_cipher.py | 52 ---- .../go/golang_org_x_crypto/test_weak_hash.py | 45 ---- tests/unit/rules/python/Flask/__init__.py | 0 .../Flask/examples/flask_run_debug_as_var.py | 11 - .../Flask/examples/flask_run_debug_false.py | 6 - .../Flask/examples/flask_run_debug_true.py | 10 - .../Flask/examples/flask_run_debug_unset.py | 6 - .../examples/flask_run_debug_wildcard.py | 10 - .../python/Flask/test_flask_run_debug.py | 48 ---- tests/unit/rules/python/M2Crypto/__init__.py | 0 .../M2Crypto/examples/dsa_gen_params_1024.py | 9 - .../M2Crypto/examples/dsa_gen_params_2048.py | 5 - .../M2Crypto/examples/dsa_gen_params_4096.py | 5 - .../examples/ec_gen_params_nid_secp112r1.py | 9 - .../M2Crypto/examples/rsa_gen_key_1024.py | 9 - .../M2Crypto/examples/rsa_gen_key_2048.py | 5 - .../M2Crypto/examples/rsa_gen_key_4096.py | 5 - .../python/M2Crypto/test_m2crypto_weak_key.py | 50 ---- tests/unit/rules/python/PyYAML/__init__.py | 0 .../rules/python/PyYAML/examples/yaml_load.py | 9 - .../PyYAML/examples/yaml_load_from_import.py | 9 - .../examples/yaml_load_from_import_alias.py | 9 - .../yaml_load_from_import_wildcard.py | 9 - .../PyYAML/examples/yaml_load_import_alias.py | 9 - .../yaml_load_import_in_async_func.py | 6 - 
.../examples/yaml_load_import_in_class.py | 6 - .../examples/yaml_load_import_in_func.py | 6 - .../examples/yaml_load_import_in_loop.py | 8 - .../PyYAML/examples/yaml_load_importlib.py | 10 - .../examples/yaml_load_incomplete_import.py | 5 - .../examples/yaml_load_invalid_import.py | 5 - .../examples/yaml_load_kwarg_alias_loader.py | 10 - .../examples/yaml_load_kwarg_csafeloader.py | 5 - .../yaml_load_kwarg_json_safeloader.py | 11 - .../PyYAML/examples/yaml_load_kwarg_loader.py | 9 - .../examples/yaml_load_kwarg_safeloader.py | 6 - .../examples/yaml_load_loader_as_var.py | 6 - .../PyYAML/examples/yaml_load_no_import.py | 2 - .../yaml_load_positional_csafeloader.py | 5 - .../examples/yaml_load_positional_loader.py | 10 - .../yaml_load_positional_safeloader.py | 5 - .../examples/yaml_load_yaml_as_identifier.py | 3 - .../rules/python/PyYAML/test_yaml_load.py | 66 ----- tests/unit/rules/python/aiohttp/__init__.py | 0 .../examples/session_delete_ssl_false.py | 11 - .../session_delete_verify_ssl_false.py | 13 - .../aiohttp/examples/session_get_ssl_false.py | 11 - .../aiohttp/examples/session_get_ssl_true.py | 7 - .../aiohttp/examples/session_get_ssl_unset.py | 7 - .../examples/session_get_verify_ssl_false.py | 11 - .../examples/session_get_verify_ssl_true.py | 7 - .../examples/session_head_ssl_false.py | 11 - .../examples/session_head_verify_ssl_false.py | 11 - .../examples/session_options_ssl_false.py | 11 - .../session_options_verify_ssl_false.py | 13 - .../examples/session_patch_ssl_false.py | 11 - .../session_patch_verify_ssl_false.py | 13 - .../examples/session_post_ssl_false.py | 11 - .../examples/session_post_verify_ssl_false.py | 11 - .../aiohttp/examples/session_put_ssl_false.py | 11 - .../examples/session_put_verify_ssl_false.py | 11 - .../examples/session_request_ssl_false.py | 11 - .../session_request_verify_ssl_false.py | 13 - .../examples/session_ws_connect_ssl_false.py | 11 - .../session_ws_connect_verify_ssl_false.py | 13 - 
.../aiohttp/test_no_certificate_verify.py | 64 ----- .../rules/python/cryptography/__init__.py | 0 .../cryptography/examples/algorithms_arc4.py | 16 -- .../examples/algorithms_blowfish.py | 16 -- .../cryptography/examples/algorithms_idea.py | 16 -- .../examples/dsa_generate_parameters_1024.py | 9 - .../examples/dsa_generate_parameters_2048.py | 5 - .../examples/dsa_generate_parameters_4096.py | 5 - .../dsa_generate_parameters_kwarg_1024.py | 9 - .../dsa_generate_parameters_kwarg_2048.py | 5 - .../dsa_generate_parameters_kwarg_4096.py | 5 - .../dsa_generate_parameters_var_1024.py | 10 - .../examples/dsa_generate_private_key_1024.py | 9 - .../examples/dsa_generate_private_key_2048.py | 5 - .../examples/dsa_generate_private_key_4096.py | 5 - .../dsa_generate_private_key_kwarg_1024.py | 9 - .../dsa_generate_private_key_kwarg_2048.py | 5 - .../dsa_generate_private_key_kwarg_4096.py | 5 - .../dsa_generate_private_key_var_1024.py | 10 - .../ec_derive_private_key_brainpoolp256r1.py | 7 - .../ec_derive_private_key_brainpoolp384r1.py | 7 - .../ec_derive_private_key_brainpoolp512r1.py | 7 - .../ec_derive_private_key_secp192r1.py | 11 - .../ec_derive_private_key_secp224r1.py | 7 - .../ec_derive_private_key_secp256k1.py | 7 - .../ec_derive_private_key_secp256r1.py | 7 - .../ec_derive_private_key_secp384r1.py | 7 - .../ec_derive_private_key_secp521r1.py | 7 - .../ec_derive_private_key_sect163k1.py | 11 - .../ec_derive_private_key_sect163r2.py | 11 - .../ec_derive_private_key_sect233k1.py | 7 - .../ec_derive_private_key_sect233r1.py | 7 - .../ec_derive_private_key_sect283k1.py | 7 - .../ec_derive_private_key_sect283r1.py | 7 - .../ec_derive_private_key_sect409k1.py | 7 - .../ec_derive_private_key_sect409r1.py | 7 - .../ec_derive_private_key_sect571k1.py | 7 - .../ec_derive_private_key_sect571r1.py | 7 - ...ec_generate_private_key_brainpoolp256r1.py | 5 - ...ec_generate_private_key_brainpoolp384r1.py | 5 - ...ec_generate_private_key_brainpoolp512r1.py | 5 - 
.../ec_generate_private_key_secp192r1.py | 9 - .../ec_generate_private_key_secp224r1.py | 5 - .../ec_generate_private_key_secp256k1.py | 5 - .../ec_generate_private_key_secp256r1.py | 5 - .../ec_generate_private_key_secp384r1.py | 5 - .../ec_generate_private_key_secp521r1.py | 5 - .../ec_generate_private_key_sect163k1.py | 9 - .../ec_generate_private_key_sect163r2.py | 9 - .../ec_generate_private_key_sect233k1.py | 5 - .../ec_generate_private_key_sect233r1.py | 5 - .../ec_generate_private_key_sect283k1.py | 5 - .../ec_generate_private_key_sect283r1.py | 5 - .../ec_generate_private_key_sect409k1.py | 5 - .../ec_generate_private_key_sect409r1.py | 5 - .../ec_generate_private_key_sect571k1.py | 5 - .../ec_generate_private_key_sect571r1.py | 5 - .../cryptography/examples/hashes_md5.py | 9 - .../cryptography/examples/hashes_sha1.py | 9 - .../python/cryptography/examples/modes_ecb.py | 18 -- .../examples/rsa_generate_private_key_1024.py | 9 - .../examples/rsa_generate_private_key_2048.py | 5 - .../examples/rsa_generate_private_key_4096.py | 5 - .../rsa_generate_private_key_kwarg_1024.py | 9 - .../rsa_generate_private_key_kwarg_2048.py | 5 - .../rsa_generate_private_key_kwarg_4096.py | 5 - .../rsa_generate_private_key_var_1024.py | 11 - .../test_cryptography_weak_cipher.py | 38 --- .../test_cryptography_weak_cipher_mode.py | 44 ---- .../test_cryptography_weak_hash.py | 45 ---- .../test_cryptography_weak_key.py | 102 -------- tests/unit/rules/python/dill/__init__.py | 0 .../rules/python/dill/examples/dill_load.py | 14 - .../rules/python/dill/examples/dill_loads.py | 10 - .../python/dill/examples/dill_unpickler.py | 14 - .../unit/rules/python/dill/test_dill_load.py | 46 ---- tests/unit/rules/python/httpx/__init__.py | 0 ...px_async_client_as_context_verify_false.py | 10 - .../httpx_async_client_verify_false.py | 10 - .../httpx_client_as_context_verify_false.py | 10 - .../examples/httpx_client_verify_false.py | 10 - .../examples/httpx_delete_verify_false.py | 9 - 
.../httpx/examples/httpx_get_verify_false.py | 9 - .../httpx/examples/httpx_get_verify_true.py | 5 - .../httpx/examples/httpx_get_verify_unset.py | 5 - .../httpx/examples/httpx_head_verify_false.py | 9 - .../examples/httpx_options_verify_false.py | 9 - .../examples/httpx_patch_verify_false.py | 9 - .../httpx/examples/httpx_post_verify_false.py | 9 - .../httpx/examples/httpx_put_verify_false.py | 9 - .../examples/httpx_request_verify_false.py | 9 - .../examples/httpx_stream_verify_false.py | 9 - .../httpx/test_no_certificate_verify.py | 58 ----- .../unit/rules/python/jsonpickle/__init__.py | 0 .../jsonpickle/examples/jsonpickle_decode.py | 10 - .../examples/jsonpickle_unpickler_decode.py | 10 - .../jsonpickle_unpickler_unpickler.py | 10 - .../jsonpickle/test_jsonpickle_decode.py | 46 ---- tests/unit/rules/python/pandas/__init__.py | 0 .../pandas/examples/pandas_read_pickle.py | 13 - .../python/pandas/test_pandas_read_pickle.py | 44 ---- tests/unit/rules/python/paramiko/__init__.py | 0 .../examples/host_key_auto_add_policy.py | 10 - ...ost_key_auto_add_policy_import_paramiko.py | 10 - .../host_key_auto_add_policy_in_func.py | 10 - .../host_key_auto_add_policy_kwarg.py | 10 - ...st_key_auto_add_policy_single_statement.py | 9 - .../host_key_auto_add_policy_walrus.py | 10 - ...ost_key_warning_policy_single_statement.py | 9 - .../python/paramiko/test_host_key_policy.py | 50 ---- tests/unit/rules/python/pycrypto/__init__.py | 0 .../python/pycrypto/examples/cipher_arc2.py | 15 -- .../python/pycrypto/examples/cipher_arc4.py | 15 -- .../pycrypto/examples/cipher_blowfish.py | 15 -- .../python/pycrypto/examples/cipher_des.py | 15 -- .../python/pycrypto/examples/cipher_xor.py | 15 -- .../pycrypto/examples/dsa_generate_1024.py | 9 - .../pycrypto/examples/dsa_generate_2048.py | 5 - .../pycrypto/examples/dsa_generate_4096.py | 5 - .../python/pycrypto/examples/hash_md2.py | 11 - .../python/pycrypto/examples/hash_md4.py | 11 - .../python/pycrypto/examples/hash_md5.py | 11 - 
.../python/pycrypto/examples/hash_ripemd.py | 11 - .../python/pycrypto/examples/hash_sha.py | 11 - .../pycrypto/examples/rsa_generate_1024.py | 9 - .../pycrypto/examples/rsa_generate_2048.py | 5 - .../pycrypto/examples/rsa_generate_4096.py | 5 - .../pycrypto/test_pycrypto_weak_cipher.py | 50 ---- .../pycrypto/test_pycrypto_weak_hash.py | 48 ---- .../python/pycrypto/test_pycrypto_weak_key.py | 49 ---- .../rules/python/pycryptodomex/__init__.py | 0 .../pycryptodomex/examples/cipher_arc2.py | 15 -- .../pycryptodomex/examples/cipher_arc4.py | 15 -- .../pycryptodomex/examples/cipher_blowfish.py | 15 -- .../pycryptodomex/examples/cipher_des.py | 15 -- .../pycryptodomex/examples/cipher_xor.py | 15 -- .../examples/dsa_generate_1024.py | 9 - .../examples/dsa_generate_2048.py | 5 - .../examples/dsa_generate_4096.py | 5 - .../python/pycryptodomex/examples/hash_md2.py | 11 - .../python/pycryptodomex/examples/hash_md4.py | 11 - .../python/pycryptodomex/examples/hash_md5.py | 11 - .../pycryptodomex/examples/hash_ripemd.py | 11 - .../python/pycryptodomex/examples/hash_sha.py | 11 - .../examples/rsa_generate_1024.py | 9 - .../examples/rsa_generate_2048.py | 5 - .../examples/rsa_generate_4096.py | 5 - .../test_pycryptodomex_weak_cipher.py | 50 ---- .../test_pycryptodomex_weak_hash.py | 48 ---- .../test_pycryptodomex_weak_key.py | 49 ---- tests/unit/rules/python/pyghmi/__init__.py | 0 .../python/pyghmi/examples/command_command.py | 13 - .../examples/command_command_no_password.py | 9 - .../python/pyghmi/examples/command_console.py | 13 - .../examples/command_console_no_password.py | 9 - .../python/pyghmi/test_pyghmi_cleartext.py | 47 ---- tests/unit/rules/python/pyopenssl/__init__.py | 0 .../examples/generate_key_dsa_1024.py | 9 - .../examples/generate_key_dsa_2048.py | 5 - .../examples/generate_key_dsa_4096.py | 5 - .../examples/generate_key_rsa_1024.py | 9 - .../examples/generate_key_rsa_2048.py | 5 - .../examples/generate_key_rsa_4096.py | 5 - 
.../pyopenssl/examples/ssl_context_sslv2.py | 9 - .../pyopenssl/examples/ssl_context_sslv23.py | 5 - .../pyopenssl/examples/ssl_context_sslv3.py | 9 - .../pyopenssl/examples/ssl_context_tlsv1.py | 9 - .../pyopenssl/examples/ssl_context_tlsv11.py | 9 - .../pyopenssl/examples/ssl_context_tlsv12.py | 5 - .../pyopenssl/test_pyopenssl_weak_key.py | 49 ---- .../python/pyopenssl/test_ssl_context.py | 49 ---- tests/unit/rules/python/requests/__init__.py | 0 .../examples/requests_delete_verify_false.py | 9 - .../examples/requests_get_verify_as_var.py | 10 - .../examples/requests_get_verify_false.py | 9 - .../examples/requests_get_verify_true.py | 5 - .../examples/requests_get_verify_unset.py | 5 - .../examples/requests_head_verify_false.py | 9 - .../examples/requests_options_verify_false.py | 9 - .../examples/requests_patch_verify_false.py | 9 - .../examples/requests_post_verify_false.py | 9 - .../examples/requests_put_verify_false.py | 9 - .../examples/requests_request_verify_false.py | 9 - ...sts_session_as_context_get_verify_false.py | 10 - .../requests_session_delete_verify_false.py | 10 - .../requests_session_get_verify_false.py | 10 - .../requests_session_head_verify_false.py | 10 - .../requests_session_options_verify_false.py | 10 - .../requests_session_patch_verify_false.py | 10 - .../requests_session_post_verify_false.py | 10 - .../requests_session_put_verify_false.py | 10 - .../requests_session_request_verify_false.py | 10 - .../requests/test_no_certificate_verify.py | 63 ----- 392 files changed, 97 insertions(+), 7680 deletions(-) create mode 100644 docs/source/rules/python/stdlib/assert.rst delete mode 100644 docs/source/rules/python/stdlib/assert/assert.rst delete mode 100644 docs/source/rules/python/stdlib/assert/index.rst delete mode 100644 docs/source/rules/python/stdlib/crypt/crypt_weak_hash.rst delete mode 100644 docs/source/rules/python/stdlib/crypt/index.rst create mode 100644 docs/source/rules/python/stdlib/crypt_weak_hash.rst delete mode 100644 
docs/source/rules/python/stdlib/ftplib/ftp_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/ftplib/index.rst create mode 100644 docs/source/rules/python/stdlib/ftplib_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/hashlib/hashlib_weak_hash.rst delete mode 100644 docs/source/rules/python/stdlib/hashlib/index.rst create mode 100644 docs/source/rules/python/stdlib/hashlib_weak_hash.rst delete mode 100644 docs/source/rules/python/stdlib/hmac/hmac_timing_attack.rst delete mode 100644 docs/source/rules/python/stdlib/hmac/hmac_weak_hash.rst delete mode 100644 docs/source/rules/python/stdlib/hmac/index.rst create mode 100644 docs/source/rules/python/stdlib/hmac_timing_attack.rst create mode 100644 docs/source/rules/python/stdlib/hmac_weak_hash.rst delete mode 100644 docs/source/rules/python/stdlib/imaplib/imap_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/imaplib/index.rst create mode 100644 docs/source/rules/python/stdlib/imaplib_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/json/index.rst delete mode 100644 docs/source/rules/python/stdlib/json/json_load.rst create mode 100644 docs/source/rules/python/stdlib/json_load.rst delete mode 100644 docs/source/rules/python/stdlib/logging/index.rst delete mode 100644 docs/source/rules/python/stdlib/logging/insecure_listen_config.rst create mode 100644 docs/source/rules/python/stdlib/logging_insecure_listen_config.rst delete mode 100644 docs/source/rules/python/stdlib/marshal/index.rst delete mode 100644 docs/source/rules/python/stdlib/marshal/marshal_load.rst create mode 100644 docs/source/rules/python/stdlib/marshal_load.rst delete mode 100644 docs/source/rules/python/stdlib/nntplib/index.rst delete mode 100644 docs/source/rules/python/stdlib/nntplib/nntp_cleartext.rst create mode 100644 docs/source/rules/python/stdlib/nntplib_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/pickle/index.rst delete mode 100644 
docs/source/rules/python/stdlib/pickle/pickle_load.rst create mode 100644 docs/source/rules/python/stdlib/pickle_load.rst delete mode 100644 docs/source/rules/python/stdlib/poplib/index.rst delete mode 100644 docs/source/rules/python/stdlib/poplib/pop_cleartext.rst create mode 100644 docs/source/rules/python/stdlib/poplib_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/shelve/index.rst delete mode 100644 docs/source/rules/python/stdlib/shelve/shelve_open.rst create mode 100644 docs/source/rules/python/stdlib/shelve_open.rst delete mode 100644 docs/source/rules/python/stdlib/smtplib/index.rst delete mode 100644 docs/source/rules/python/stdlib/smtplib/smtp_cleartext.rst create mode 100644 docs/source/rules/python/stdlib/smtplib_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/ssl/create_unverified_context.rst delete mode 100644 docs/source/rules/python/stdlib/ssl/index.rst delete mode 100644 docs/source/rules/python/stdlib/ssl/insecure_tls_version.rst create mode 100644 docs/source/rules/python/stdlib/ssl_create_unverified_context.rst create mode 100644 docs/source/rules/python/stdlib/ssl_insecure_tls_version.rst delete mode 100644 docs/source/rules/python/stdlib/telnetlib/index.rst delete mode 100644 docs/source/rules/python/stdlib/telnetlib/telnetlib_cleartext.rst create mode 100644 docs/source/rules/python/stdlib/telnetlib_cleartext.rst delete mode 100644 docs/source/rules/python/stdlib/tempfile/index.rst delete mode 100644 docs/source/rules/python/stdlib/tempfile/mktemp_race_condition.rst create mode 100644 docs/source/rules/python/stdlib/tempfile_mktemp_race_condition.rst delete mode 100644 docs/source/rules/python/third_party/PRE0014_cryptography_weak_hash.rst delete mode 100644 docs/source/rules/python/third_party/PRE0015_dill_load.rst delete mode 100644 docs/source/rules/python/third_party/PRE0016_no_certificate_verify.rst delete mode 100644 docs/source/rules/python/third_party/PRE0017_jsonpickle_decode.rst delete mode 100644 
docs/source/rules/python/third_party/PRE0018_pandas_read_pickle.rst delete mode 100644 docs/source/rules/python/third_party/PRE0019_paramiko_no_host_key_verify.rst delete mode 100644 docs/source/rules/python/third_party/PRE0020_pyghmi_cleartext.rst delete mode 100644 docs/source/rules/python/third_party/PRE0021_pycrypto_weak_hash.rst delete mode 100644 docs/source/rules/python/third_party/PRE0022_pycryptodomex_weak_hash.rst delete mode 100644 docs/source/rules/python/third_party/PRE0023_insecure_tls_method.rst delete mode 100644 docs/source/rules/python/third_party/PRE0024_yaml_load.rst delete mode 100644 docs/source/rules/python/third_party/PRE0025_no_certificate_verify.rst delete mode 100644 docs/source/rules/python/third_party/index.rst delete mode 100644 precli/rules/go/golang_org_x_crypto/__init__.py delete mode 100644 precli/rules/go/golang_org_x_crypto/ssh_insecure_ignore_hostkey.py delete mode 100644 precli/rules/go/golang_org_x_crypto/weak_cipher.py delete mode 100644 precli/rules/go/golang_org_x_crypto/weak_hash.py delete mode 100644 precli/rules/python/Django/__init__.py delete mode 100644 precli/rules/python/Flask/__init__.py delete mode 100644 precli/rules/python/Flask/flask_run_debug.py delete mode 100644 precli/rules/python/Jinja2/__init__.py delete mode 100644 precli/rules/python/M2Crypto/__init__.py delete mode 100644 precli/rules/python/M2Crypto/m2crypto_weak_key.py delete mode 100644 precli/rules/python/Mako/__init__.py delete mode 100644 precli/rules/python/PyYAML/__init__.py delete mode 100644 precli/rules/python/PyYAML/yaml_load.py delete mode 100644 precli/rules/python/Twisted/__init__.py delete mode 100644 precli/rules/python/aiohttp/__init__.py delete mode 100644 precli/rules/python/aiohttp/no_certificate_verify.py delete mode 100644 precli/rules/python/cryptography/__init__.py delete mode 100644 precli/rules/python/cryptography/cryptography_weak_cipher.py delete mode 100644 precli/rules/python/cryptography/cryptography_weak_cipher_mode.py 
delete mode 100644 precli/rules/python/cryptography/cryptography_weak_hash.py delete mode 100644 precli/rules/python/cryptography/cryptography_weak_key.py delete mode 100644 precli/rules/python/dill/__init__.py delete mode 100644 precli/rules/python/dill/dill_load.py delete mode 100644 precli/rules/python/httpx/__init__.py delete mode 100644 precli/rules/python/httpx/no_certificate_verify.py delete mode 100644 precli/rules/python/jsonpickle/__init__.py delete mode 100644 precli/rules/python/jsonpickle/jsonpickle_decode.py delete mode 100644 precli/rules/python/ldap3/__init__.py delete mode 100644 precli/rules/python/pandas/__init__.py delete mode 100644 precli/rules/python/pandas/pandas_read_pickle.py delete mode 100644 precli/rules/python/paramiko/__init__.py delete mode 100644 precli/rules/python/paramiko/paramiko_no_host_key_verify.py delete mode 100644 precli/rules/python/pycrypto/__init__.py delete mode 100644 precli/rules/python/pycrypto/pycrypto_weak_cipher.py delete mode 100644 precli/rules/python/pycrypto/pycrypto_weak_hash.py delete mode 100644 precli/rules/python/pycrypto/pycrypto_weak_key.py delete mode 100644 precli/rules/python/pycryptodomex/__init__.py delete mode 100644 precli/rules/python/pycryptodomex/pycryptodomex_weak_cipher.py delete mode 100644 precli/rules/python/pycryptodomex/pycryptodomex_weak_hash.py delete mode 100644 precli/rules/python/pycryptodomex/pycryptodomex_weak_key.py delete mode 100644 precli/rules/python/pyghmi/__init__.py delete mode 100644 precli/rules/python/pyghmi/pyghmi_cleartext.py delete mode 100644 precli/rules/python/pyjwt/__init__.py delete mode 100644 precli/rules/python/pyopenssl/__init__.py delete mode 100644 precli/rules/python/pyopenssl/insecure_tls_method.py delete mode 100644 precli/rules/python/pyopenssl/pyopenssl_weak_key.py delete mode 100644 precli/rules/python/pysnmp/__init__.py delete mode 100644 precli/rules/python/python-ipmi/__init__.py delete mode 100644 precli/rules/python/requests/__init__.py delete 
mode 100644 precli/rules/python/requests/no_certificate_verify.py delete mode 100644 precli/rules/python/wsgiref/__init__.py delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/__init__.py delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/ssh_insecure_ignore_hostkey.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish_new_salted_cipher.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_cast5.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea_new_cipher_with_rounds.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_twofish.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_xtea.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_md4.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_ripemd160.go delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/test_ssh_insecure_ignore_hostkey.py delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/test_weak_cipher.py delete mode 100644 tests/unit/rules/go/golang_org_x_crypto/test_weak_hash.py delete mode 100644 tests/unit/rules/python/Flask/__init__.py delete mode 100644 tests/unit/rules/python/Flask/examples/flask_run_debug_as_var.py delete mode 100644 tests/unit/rules/python/Flask/examples/flask_run_debug_false.py delete mode 100644 tests/unit/rules/python/Flask/examples/flask_run_debug_true.py delete mode 100644 tests/unit/rules/python/Flask/examples/flask_run_debug_unset.py delete mode 100644 tests/unit/rules/python/Flask/examples/flask_run_debug_wildcard.py delete mode 100644 tests/unit/rules/python/Flask/test_flask_run_debug.py delete mode 100644 
tests/unit/rules/python/M2Crypto/__init__.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_1024.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_2048.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_4096.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/ec_gen_params_nid_secp112r1.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_1024.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_2048.py delete mode 100644 tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_4096.py delete mode 100644 tests/unit/rules/python/M2Crypto/test_m2crypto_weak_key.py delete mode 100644 tests/unit/rules/python/PyYAML/__init__.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_from_import.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_alias.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_wildcard.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_import_alias.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_async_func.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_class.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_func.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_loop.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_importlib.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_incomplete_import.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_invalid_import.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_alias_loader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_csafeloader.py delete 
mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_json_safeloader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_loader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_safeloader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_loader_as_var.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_no_import.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_positional_csafeloader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_positional_loader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_positional_safeloader.py delete mode 100644 tests/unit/rules/python/PyYAML/examples/yaml_load_yaml_as_identifier.py delete mode 100644 tests/unit/rules/python/PyYAML/test_yaml_load.py delete mode 100644 tests/unit/rules/python/aiohttp/__init__.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_delete_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_delete_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_get_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_get_ssl_true.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_get_ssl_unset.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_true.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_head_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_head_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_options_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_options_verify_ssl_false.py delete mode 100644 
tests/unit/rules/python/aiohttp/examples/session_patch_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_patch_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_post_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_post_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_put_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_put_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_request_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_request_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_ws_connect_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/examples/session_ws_connect_verify_ssl_false.py delete mode 100644 tests/unit/rules/python/aiohttp/test_no_certificate_verify.py delete mode 100644 tests/unit/rules/python/cryptography/__init__.py delete mode 100644 tests/unit/rules/python/cryptography/examples/algorithms_arc4.py delete mode 100644 tests/unit/rules/python/cryptography/examples/algorithms_blowfish.py delete mode 100644 tests/unit/rules/python/cryptography/examples/algorithms_idea.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_2048.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_4096.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_2048.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_4096.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_var_1024.py 
delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_2048.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_4096.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_2048.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_4096.py delete mode 100644 tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_var_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp256r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp384r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp512r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp192r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp224r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp384r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp521r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163r2.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233k1.py delete mode 100644 
tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp256r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp384r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp512r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp192r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp224r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp384r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp521r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163r2.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233k1.py delete mode 100644 
tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571k1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571r1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/hashes_md5.py delete mode 100644 tests/unit/rules/python/cryptography/examples/hashes_sha1.py delete mode 100644 tests/unit/rules/python/cryptography/examples/modes_ecb.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_2048.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_4096.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_1024.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_2048.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_4096.py delete mode 100644 tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_var_1024.py delete mode 100644 tests/unit/rules/python/cryptography/test_cryptography_weak_cipher.py delete mode 100644 tests/unit/rules/python/cryptography/test_cryptography_weak_cipher_mode.py delete mode 100644 tests/unit/rules/python/cryptography/test_cryptography_weak_hash.py delete mode 100644 tests/unit/rules/python/cryptography/test_cryptography_weak_key.py 
delete mode 100644 tests/unit/rules/python/dill/__init__.py delete mode 100644 tests/unit/rules/python/dill/examples/dill_load.py delete mode 100644 tests/unit/rules/python/dill/examples/dill_loads.py delete mode 100644 tests/unit/rules/python/dill/examples/dill_unpickler.py delete mode 100644 tests/unit/rules/python/dill/test_dill_load.py delete mode 100644 tests/unit/rules/python/httpx/__init__.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_async_client_as_context_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_async_client_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_client_as_context_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_client_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_delete_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_get_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_get_verify_true.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_get_verify_unset.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_head_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_options_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_patch_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_post_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_put_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_request_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/examples/httpx_stream_verify_false.py delete mode 100644 tests/unit/rules/python/httpx/test_no_certificate_verify.py delete mode 100644 tests/unit/rules/python/jsonpickle/__init__.py delete mode 100644 tests/unit/rules/python/jsonpickle/examples/jsonpickle_decode.py delete mode 100644 
tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_decode.py delete mode 100644 tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_unpickler.py delete mode 100644 tests/unit/rules/python/jsonpickle/test_jsonpickle_decode.py delete mode 100644 tests/unit/rules/python/pandas/__init__.py delete mode 100644 tests/unit/rules/python/pandas/examples/pandas_read_pickle.py delete mode 100644 tests/unit/rules/python/pandas/test_pandas_read_pickle.py delete mode 100644 tests/unit/rules/python/paramiko/__init__.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_import_paramiko.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_in_func.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_kwarg.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_single_statement.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_walrus.py delete mode 100644 tests/unit/rules/python/paramiko/examples/host_key_warning_policy_single_statement.py delete mode 100644 tests/unit/rules/python/paramiko/test_host_key_policy.py delete mode 100644 tests/unit/rules/python/pycrypto/__init__.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/cipher_arc2.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/cipher_arc4.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/cipher_blowfish.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/cipher_des.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/cipher_xor.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/dsa_generate_1024.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/dsa_generate_2048.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/dsa_generate_4096.py 
delete mode 100644 tests/unit/rules/python/pycrypto/examples/hash_md2.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/hash_md4.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/hash_md5.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/hash_ripemd.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/hash_sha.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/rsa_generate_1024.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/rsa_generate_2048.py delete mode 100644 tests/unit/rules/python/pycrypto/examples/rsa_generate_4096.py delete mode 100644 tests/unit/rules/python/pycrypto/test_pycrypto_weak_cipher.py delete mode 100644 tests/unit/rules/python/pycrypto/test_pycrypto_weak_hash.py delete mode 100644 tests/unit/rules/python/pycrypto/test_pycrypto_weak_key.py delete mode 100644 tests/unit/rules/python/pycryptodomex/__init__.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/cipher_arc2.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/cipher_arc4.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/cipher_blowfish.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/cipher_des.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/cipher_xor.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/dsa_generate_1024.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/dsa_generate_2048.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/dsa_generate_4096.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/hash_md2.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/hash_md4.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/hash_md5.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/hash_ripemd.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/hash_sha.py delete mode 
100644 tests/unit/rules/python/pycryptodomex/examples/rsa_generate_1024.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/rsa_generate_2048.py delete mode 100644 tests/unit/rules/python/pycryptodomex/examples/rsa_generate_4096.py delete mode 100644 tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_cipher.py delete mode 100644 tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_hash.py delete mode 100644 tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_key.py delete mode 100644 tests/unit/rules/python/pyghmi/__init__.py delete mode 100644 tests/unit/rules/python/pyghmi/examples/command_command.py delete mode 100644 tests/unit/rules/python/pyghmi/examples/command_command_no_password.py delete mode 100644 tests/unit/rules/python/pyghmi/examples/command_console.py delete mode 100644 tests/unit/rules/python/pyghmi/examples/command_console_no_password.py delete mode 100644 tests/unit/rules/python/pyghmi/test_pyghmi_cleartext.py delete mode 100644 tests/unit/rules/python/pyopenssl/__init__.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_1024.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_2048.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_4096.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_1024.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_2048.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_4096.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv2.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv23.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv3.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv1.py delete mode 100644 tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv11.py 
delete mode 100644 tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv12.py delete mode 100644 tests/unit/rules/python/pyopenssl/test_pyopenssl_weak_key.py delete mode 100644 tests/unit/rules/python/pyopenssl/test_ssl_context.py delete mode 100644 tests/unit/rules/python/requests/__init__.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_delete_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_get_verify_as_var.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_get_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_get_verify_true.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_get_verify_unset.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_head_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_options_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_patch_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_post_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_put_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_request_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_as_context_get_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_delete_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_get_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_head_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_options_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_patch_verify_false.py delete mode 100644 
tests/unit/rules/python/requests/examples/requests_session_post_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_put_verify_false.py delete mode 100644 tests/unit/rules/python/requests/examples/requests_session_request_verify_false.py delete mode 100644 tests/unit/rules/python/requests/test_no_certificate_verify.py
diff --git a/docs/source/rules/python/index.rst b/docs/source/rules/python/index.rst
index 84bea366..9b594151 100644
--- a/docs/source/rules/python/index.rst
+++ b/docs/source/rules/python/index.rst
@@ -6,8 +6,3 @@ Python :maxdepth: 1 stdlib/index - -.. toctree:: - :maxdepth: 1 - - third_party/index
diff --git a/docs/source/rules/python/stdlib/assert.rst b/docs/source/rules/python/stdlib/assert.rst
new file mode 100644
index 00000000..0cd55ad5
--- /dev/null
+++ b/docs/source/rules/python/stdlib/assert.rst
@@ -0,0 +1,5 @@
+-------
+PRE0001
+-------
+
+.. automodule:: precli.rules.python.stdlib.assert
diff --git a/docs/source/rules/python/stdlib/assert/assert.rst b/docs/source/rules/python/stdlib/assert/assert.rst
deleted file mode 100644
index 01b5757f..00000000
--- a/docs/source/rules/python/stdlib/assert/assert.rst
+++ /dev/null
@@ -1,5 +0,0 @@
--------
-PRE0001
--------
-
-.. automodule:: precli.rules.python.stdlib.assert.assert
diff --git a/docs/source/rules/python/stdlib/assert/index.rst b/docs/source/rules/python/stdlib/assert/index.rst
deleted file mode 100644
index 21c11fae..00000000
--- a/docs/source/rules/python/stdlib/assert/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-assert
-======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/crypt/crypt_weak_hash.rst b/docs/source/rules/python/stdlib/crypt/crypt_weak_hash.rst
deleted file mode 100644
index 705ef159..00000000
--- a/docs/source/rules/python/stdlib/crypt/crypt_weak_hash.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0002
-=======
-
-.. automodule:: precli.rules.python.stdlib.crypt.crypt_weak_hash
diff --git a/docs/source/rules/python/stdlib/crypt/index.rst b/docs/source/rules/python/stdlib/crypt/index.rst
deleted file mode 100644
index 415d7e8a..00000000
--- a/docs/source/rules/python/stdlib/crypt/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-crypt
-=====
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/crypt_weak_hash.rst b/docs/source/rules/python/stdlib/crypt_weak_hash.rst
new file mode 100644
index 00000000..15039ec0
--- /dev/null
+++ b/docs/source/rules/python/stdlib/crypt_weak_hash.rst
@@ -0,0 +1,5 @@
+=======
+PRE0002
+=======
+
+.. automodule:: precli.rules.python.stdlib.crypt_weak_hash
diff --git a/docs/source/rules/python/stdlib/ftplib/ftp_cleartext.rst b/docs/source/rules/python/stdlib/ftplib/ftp_cleartext.rst
deleted file mode 100644
index 660f6f08..00000000
--- a/docs/source/rules/python/stdlib/ftplib/ftp_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0003
-=======
-
-.. automodule:: precli.rules.python.stdlib.ftplib.ftp_cleartext
diff --git a/docs/source/rules/python/stdlib/ftplib/index.rst b/docs/source/rules/python/stdlib/ftplib/index.rst
deleted file mode 100644
index 06fc926e..00000000
--- a/docs/source/rules/python/stdlib/ftplib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-ftplib
-======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/ftplib_cleartext.rst b/docs/source/rules/python/stdlib/ftplib_cleartext.rst
new file mode 100644
index 00000000..fbe0040b
--- /dev/null
+++ b/docs/source/rules/python/stdlib/ftplib_cleartext.rst
@@ -0,0 +1,5 @@
+=======
+PRE0003
+=======
+
+.. automodule:: precli.rules.python.stdlib.ftplib_cleartext
diff --git a/docs/source/rules/python/stdlib/hashlib/hashlib_weak_hash.rst b/docs/source/rules/python/stdlib/hashlib/hashlib_weak_hash.rst
deleted file mode 100644
index b71d515a..00000000
--- a/docs/source/rules/python/stdlib/hashlib/hashlib_weak_hash.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0004
-=======
-
-.. automodule:: precli.rules.python.stdlib.hashlib.hashlib_weak_hash
diff --git a/docs/source/rules/python/stdlib/hashlib/index.rst b/docs/source/rules/python/stdlib/hashlib/index.rst
deleted file mode 100644
index 50b30679..00000000
--- a/docs/source/rules/python/stdlib/hashlib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-hashlib
-=======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/hashlib_weak_hash.rst b/docs/source/rules/python/stdlib/hashlib_weak_hash.rst
new file mode 100644
index 00000000..dffdbaa4
--- /dev/null
+++ b/docs/source/rules/python/stdlib/hashlib_weak_hash.rst
@@ -0,0 +1,5 @@
+=======
+PRE0004
+=======
+
+.. automodule:: precli.rules.python.stdlib.hashlib_weak_hash
diff --git a/docs/source/rules/python/stdlib/hmac/hmac_timing_attack.rst b/docs/source/rules/python/stdlib/hmac/hmac_timing_attack.rst
deleted file mode 100644
index e24eec7d..00000000
--- a/docs/source/rules/python/stdlib/hmac/hmac_timing_attack.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0005
-=======
-
-.. automodule:: precli.rules.python.stdlib.hmac.hmac_timing_attack
diff --git a/docs/source/rules/python/stdlib/hmac/hmac_weak_hash.rst b/docs/source/rules/python/stdlib/hmac/hmac_weak_hash.rst
deleted file mode 100644
index 7ba85f2e..00000000
--- a/docs/source/rules/python/stdlib/hmac/hmac_weak_hash.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0005
-=======
-
-.. automodule:: precli.rules.python.stdlib.hmac.hmac_weak_hash
diff --git a/docs/source/rules/python/stdlib/hmac/index.rst b/docs/source/rules/python/stdlib/hmac/index.rst
deleted file mode 100644
index ac9fb828..00000000
--- a/docs/source/rules/python/stdlib/hmac/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-hmac
-====
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/hmac_timing_attack.rst b/docs/source/rules/python/stdlib/hmac_timing_attack.rst
new file mode 100644
index 00000000..4432c06f
--- /dev/null
+++ b/docs/source/rules/python/stdlib/hmac_timing_attack.rst
@@ -0,0 +1,5 @@
+=======
+PRE0005
+=======
+
+.. automodule:: precli.rules.python.stdlib.hmac_timing_attack
diff --git a/docs/source/rules/python/stdlib/hmac_weak_hash.rst b/docs/source/rules/python/stdlib/hmac_weak_hash.rst
new file mode 100644
index 00000000..f354e96e
--- /dev/null
+++ b/docs/source/rules/python/stdlib/hmac_weak_hash.rst
@@ -0,0 +1,5 @@
+=======
+PRE0005
+=======
+
+.. automodule:: precli.rules.python.stdlib.hmac_weak_hash
diff --git a/docs/source/rules/python/stdlib/imaplib/imap_cleartext.rst b/docs/source/rules/python/stdlib/imaplib/imap_cleartext.rst
deleted file mode 100644
index ccb5342c..00000000
--- a/docs/source/rules/python/stdlib/imaplib/imap_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0005
-=======
-
-.. automodule:: precli.rules.python.stdlib.imaplib.imap_cleartext
diff --git a/docs/source/rules/python/stdlib/imaplib/index.rst b/docs/source/rules/python/stdlib/imaplib/index.rst
deleted file mode 100644
index 36e30e59..00000000
--- a/docs/source/rules/python/stdlib/imaplib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-imaplib
-=======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/imaplib_cleartext.rst b/docs/source/rules/python/stdlib/imaplib_cleartext.rst
new file mode 100644
index 00000000..6468f830
--- /dev/null
+++ b/docs/source/rules/python/stdlib/imaplib_cleartext.rst
@@ -0,0 +1,5 @@
+=======
+PRE0005
+=======
+
+.. automodule:: precli.rules.python.stdlib.imaplib_cleartext
diff --git a/docs/source/rules/python/stdlib/index.rst b/docs/source/rules/python/stdlib/index.rst
index 343dd08a..bf7dfebd 100644
--- a/docs/source/rules/python/stdlib/index.rst
+++ b/docs/source/rules/python/stdlib/index.rst
@@ -1,85 +1,8 @@ Standard Library ================ -.. list-table:: Active Rules - :widths: auto - :header-rows: 1 - - * - ID - - Module - - Name - - Level - * - :doc:`assert/assert` - - `assert `_ - - assert - - Warning - * - :doc:`crypt/crypt_weak_hash` - - `crypt `_ - - reversible_one_way_hash - - Warning - * - :doc:`ftplib/ftp_cleartext` - - `ftplib `_ - - cleartext_transmission - - Warning or Error - * - :doc:`hashlib/hashlib_weak_hash` - - `hashlib `_ - - reversible_one_way_hash - - Error - * - :doc:`hmac/hmac_weak_hash` - - `hmac `_ - - reversible_one_way_hash - - Error - * - :doc:`json/json_load` - - `json `_ - - deserialization_of_untrusted_data - - Warning - * - :doc:`logging/insecure_listen_config` - - `logging `_ - - code_injection - - Warning - * - :doc:`marshal/marshal_load` - - `marshal `_ - - deserialization_of_untrusted_data - - Warning - * - :doc:`pickle/pickle_load` - - `pickle `_ - - deserialization_of_untrusted_data - - Warning - * - :doc:`shelve/shelve_open` - - `shelve `_ - - deserialization_of_untrusted_data - - Warning - * - :doc:`ssl/create_unverified_context` - - `ssl `_ - - improper_certificate_validation - - Warning - * - :doc:`ssl/insecure_tls_version` - - `ssl `_ - - inadequate_encryption_strength - - Error - * - :doc:`telnetlib/telnetlib_cleartext` - - `telnetlib `_ - - cleartext_transmission - - Error - .. toctree:: - :hidden: :maxdepth: 1 + :glob: - assert/index - crypt/index - ftplib/index - hashlib/index - hmac/index - imaplib/index - json/index - logging/index - marshal/index - nntplib/index - pickle/index - poplib/index - shelve/index - smtplib/index - ssl/index - telnetlib/index - tempfile/index + *
diff --git a/docs/source/rules/python/stdlib/json/index.rst b/docs/source/rules/python/stdlib/json/index.rst
deleted file mode 100644
index d13fe9ae..00000000
--- a/docs/source/rules/python/stdlib/json/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-json
-====
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/json/json_load.rst b/docs/source/rules/python/stdlib/json/json_load.rst
deleted file mode 100644
index 6fd9cda9..00000000
--- a/docs/source/rules/python/stdlib/json/json_load.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0006
-=======
-
-.. automodule:: precli.rules.python.stdlib.json.json_load
diff --git a/docs/source/rules/python/stdlib/json_load.rst b/docs/source/rules/python/stdlib/json_load.rst
new file mode 100644
index 00000000..8eed649f
--- /dev/null
+++ b/docs/source/rules/python/stdlib/json_load.rst
@@ -0,0 +1,5 @@
+=======
+PRE0006
+=======
+
+.. automodule:: precli.rules.python.stdlib.json_load
diff --git a/docs/source/rules/python/stdlib/logging/index.rst b/docs/source/rules/python/stdlib/logging/index.rst
deleted file mode 100644
index c73e2a70..00000000
--- a/docs/source/rules/python/stdlib/logging/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-logging
-=======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/logging/insecure_listen_config.rst b/docs/source/rules/python/stdlib/logging/insecure_listen_config.rst
deleted file mode 100644
index 2916ff18..00000000
--- a/docs/source/rules/python/stdlib/logging/insecure_listen_config.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0007
-=======
-
-.. automodule:: precli.rules.python.stdlib.logging.insecure_listen_config
diff --git a/docs/source/rules/python/stdlib/logging_insecure_listen_config.rst b/docs/source/rules/python/stdlib/logging_insecure_listen_config.rst
new file mode 100644
index 00000000..03b96ab0
--- /dev/null
+++ b/docs/source/rules/python/stdlib/logging_insecure_listen_config.rst
@@ -0,0 +1,5 @@
+=======
+PRE0007
+=======
+
+.. automodule:: precli.rules.python.stdlib.logging_insecure_listen_config
diff --git a/docs/source/rules/python/stdlib/marshal/index.rst b/docs/source/rules/python/stdlib/marshal/index.rst
deleted file mode 100644
index b6b18fc3..00000000
--- a/docs/source/rules/python/stdlib/marshal/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-marshal
-=======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/marshal/marshal_load.rst b/docs/source/rules/python/stdlib/marshal/marshal_load.rst
deleted file mode 100644
index 4fe9fcee..00000000
--- a/docs/source/rules/python/stdlib/marshal/marshal_load.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0008
-=======
-
-.. automodule:: precli.rules.python.stdlib.marshal.marshal_load
diff --git a/docs/source/rules/python/stdlib/marshal_load.rst b/docs/source/rules/python/stdlib/marshal_load.rst
new file mode 100644
index 00000000..3b022aec
--- /dev/null
+++ b/docs/source/rules/python/stdlib/marshal_load.rst
@@ -0,0 +1,5 @@
+=======
+PRE0008
+=======
+
+.. automodule:: precli.rules.python.stdlib.marshal_load
diff --git a/docs/source/rules/python/stdlib/nntplib/index.rst b/docs/source/rules/python/stdlib/nntplib/index.rst
deleted file mode 100644
index 5310e662..00000000
--- a/docs/source/rules/python/stdlib/nntplib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-nntplib
-=======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/nntplib/nntp_cleartext.rst b/docs/source/rules/python/stdlib/nntplib/nntp_cleartext.rst
deleted file mode 100644
index c41a995e..00000000
--- a/docs/source/rules/python/stdlib/nntplib/nntp_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0008
-=======
-
-.. automodule:: precli.rules.python.stdlib.nntplib.nntp_cleartext
diff --git a/docs/source/rules/python/stdlib/nntplib_cleartext.rst b/docs/source/rules/python/stdlib/nntplib_cleartext.rst
new file mode 100644
index 00000000..1af86199
--- /dev/null
+++ b/docs/source/rules/python/stdlib/nntplib_cleartext.rst
@@ -0,0 +1,5 @@
+=======
+PRE0008
+=======
+
+.. automodule:: precli.rules.python.stdlib.nntplib_cleartext
diff --git a/docs/source/rules/python/stdlib/pickle/index.rst b/docs/source/rules/python/stdlib/pickle/index.rst
deleted file mode 100644
index 153f3c25..00000000
--- a/docs/source/rules/python/stdlib/pickle/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-pickle
-======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/pickle/pickle_load.rst b/docs/source/rules/python/stdlib/pickle/pickle_load.rst
deleted file mode 100644
index d5b16549..00000000
--- a/docs/source/rules/python/stdlib/pickle/pickle_load.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0009
-=======
-
-.. automodule:: precli.rules.python.stdlib.pickle.pickle_load
diff --git a/docs/source/rules/python/stdlib/pickle_load.rst b/docs/source/rules/python/stdlib/pickle_load.rst
new file mode 100644
index 00000000..c4757c1f
--- /dev/null
+++ b/docs/source/rules/python/stdlib/pickle_load.rst
@@ -0,0 +1,5 @@
+=======
+PRE0009
+=======
+
+.. automodule:: precli.rules.python.stdlib.pickle_load
diff --git a/docs/source/rules/python/stdlib/poplib/index.rst b/docs/source/rules/python/stdlib/poplib/index.rst
deleted file mode 100644
index 566e293b..00000000
--- a/docs/source/rules/python/stdlib/poplib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-poplib
-======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/poplib/pop_cleartext.rst b/docs/source/rules/python/stdlib/poplib/pop_cleartext.rst
deleted file mode 100644
index d8d50916..00000000
--- a/docs/source/rules/python/stdlib/poplib/pop_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0009
-=======
-
-.. automodule:: precli.rules.python.stdlib.poplib.pop_cleartext
diff --git a/docs/source/rules/python/stdlib/poplib_cleartext.rst b/docs/source/rules/python/stdlib/poplib_cleartext.rst
new file mode 100644
index 00000000..153e8448
--- /dev/null
+++ b/docs/source/rules/python/stdlib/poplib_cleartext.rst
@@ -0,0 +1,5 @@
+=======
+PRE0009
+=======
+
+.. automodule:: precli.rules.python.stdlib.poplib_cleartext
diff --git a/docs/source/rules/python/stdlib/shelve/index.rst b/docs/source/rules/python/stdlib/shelve/index.rst
deleted file mode 100644
index c2174317..00000000
--- a/docs/source/rules/python/stdlib/shelve/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-shelve
-======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/shelve/shelve_open.rst b/docs/source/rules/python/stdlib/shelve/shelve_open.rst
deleted file mode 100644
index 922e9f84..00000000
--- a/docs/source/rules/python/stdlib/shelve/shelve_open.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0010
-=======
-
-.. automodule:: precli.rules.python.stdlib.shelve.shelve_open
diff --git a/docs/source/rules/python/stdlib/shelve_open.rst b/docs/source/rules/python/stdlib/shelve_open.rst
new file mode 100644
index 00000000..85977247
--- /dev/null
+++ b/docs/source/rules/python/stdlib/shelve_open.rst
@@ -0,0 +1,5 @@
+=======
+PRE0010
+=======
+
+.. automodule:: precli.rules.python.stdlib.shelve_open
diff --git a/docs/source/rules/python/stdlib/smtplib/index.rst b/docs/source/rules/python/stdlib/smtplib/index.rst
deleted file mode 100644
index 2687e03e..00000000
--- a/docs/source/rules/python/stdlib/smtplib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-smtplib
-=======
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/smtplib/smtp_cleartext.rst b/docs/source/rules/python/stdlib/smtplib/smtp_cleartext.rst
deleted file mode 100644
index 633b2d50..00000000
--- a/docs/source/rules/python/stdlib/smtplib/smtp_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0010
-=======
-
-.. automodule:: precli.rules.python.stdlib.smtplib.smtp_cleartext
diff --git a/docs/source/rules/python/stdlib/smtplib_cleartext.rst b/docs/source/rules/python/stdlib/smtplib_cleartext.rst
new file mode 100644
index 00000000..5803927f
--- /dev/null
+++ b/docs/source/rules/python/stdlib/smtplib_cleartext.rst
@@ -0,0 +1,5 @@
+=======
+PRE0010
+=======
+
+.. automodule:: precli.rules.python.stdlib.smtplib_cleartext
diff --git a/docs/source/rules/python/stdlib/ssl/create_unverified_context.rst b/docs/source/rules/python/stdlib/ssl/create_unverified_context.rst
deleted file mode 100644
index 5a23290c..00000000
--- a/docs/source/rules/python/stdlib/ssl/create_unverified_context.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0011
-=======
-
-.. automodule:: precli.rules.python.stdlib.ssl.create_unverified_context
diff --git a/docs/source/rules/python/stdlib/ssl/index.rst b/docs/source/rules/python/stdlib/ssl/index.rst
deleted file mode 100644
index c0a0c8da..00000000
--- a/docs/source/rules/python/stdlib/ssl/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-ssl
-===
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/ssl/insecure_tls_version.rst b/docs/source/rules/python/stdlib/ssl/insecure_tls_version.rst
deleted file mode 100644
index a9f74692..00000000
--- a/docs/source/rules/python/stdlib/ssl/insecure_tls_version.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0012
-=======
-
-.. automodule:: precli.rules.python.stdlib.ssl.insecure_tls_version
diff --git a/docs/source/rules/python/stdlib/ssl_create_unverified_context.rst b/docs/source/rules/python/stdlib/ssl_create_unverified_context.rst
new file mode 100644
index 00000000..03e20ac3
--- /dev/null
+++ b/docs/source/rules/python/stdlib/ssl_create_unverified_context.rst
@@ -0,0 +1,5 @@
+=======
+PRE0011
+=======
+
+.. automodule:: precli.rules.python.stdlib.ssl_create_unverified_context
diff --git a/docs/source/rules/python/stdlib/ssl_insecure_tls_version.rst b/docs/source/rules/python/stdlib/ssl_insecure_tls_version.rst
new file mode 100644
index 00000000..d4c81b76
--- /dev/null
+++ b/docs/source/rules/python/stdlib/ssl_insecure_tls_version.rst
@@ -0,0 +1,5 @@
+=======
+PRE0012
+=======
+
+.. automodule:: precli.rules.python.stdlib.ssl_insecure_tls_version
diff --git a/docs/source/rules/python/stdlib/telnetlib/index.rst b/docs/source/rules/python/stdlib/telnetlib/index.rst
deleted file mode 100644
index aec276ea..00000000
--- a/docs/source/rules/python/stdlib/telnetlib/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-telnetlib
-=========
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/telnetlib/telnetlib_cleartext.rst b/docs/source/rules/python/stdlib/telnetlib/telnetlib_cleartext.rst
deleted file mode 100644
index 343cca97..00000000
--- a/docs/source/rules/python/stdlib/telnetlib/telnetlib_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0013
-=======
-
-.. automodule:: precli.rules.python.stdlib.telnetlib.telnetlib_cleartext
diff --git a/docs/source/rules/python/stdlib/telnetlib_cleartext.rst b/docs/source/rules/python/stdlib/telnetlib_cleartext.rst
new file mode 100644
index 00000000..20e6120a
--- /dev/null
+++ b/docs/source/rules/python/stdlib/telnetlib_cleartext.rst
@@ -0,0 +1,5 @@
+=======
+PRE0013
+=======
+
+.. automodule:: precli.rules.python.stdlib.telnetlib_cleartext
diff --git a/docs/source/rules/python/stdlib/tempfile/index.rst b/docs/source/rules/python/stdlib/tempfile/index.rst
deleted file mode 100644
index 571691fa..00000000
--- a/docs/source/rules/python/stdlib/tempfile/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-tempfile
-========
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/docs/source/rules/python/stdlib/tempfile/mktemp_race_condition.rst b/docs/source/rules/python/stdlib/tempfile/mktemp_race_condition.rst
deleted file mode 100644
index ef3c90eb..00000000
--- a/docs/source/rules/python/stdlib/tempfile/mktemp_race_condition.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-=======
-PRE0013
-=======
-
-.. automodule:: precli.rules.python.stdlib.tempfile.mktemp_race_condition
diff --git a/docs/source/rules/python/stdlib/tempfile_mktemp_race_condition.rst b/docs/source/rules/python/stdlib/tempfile_mktemp_race_condition.rst
new file mode 100644
index 00000000..08e47647
--- /dev/null
+++ b/docs/source/rules/python/stdlib/tempfile_mktemp_race_condition.rst
@@ -0,0 +1,5 @@
+=======
+PRE0013
+=======
+
+.. automodule:: precli.rules.python.stdlib.tempfile_mktemp_race_condition
diff --git a/docs/source/rules/python/third_party/PRE0014_cryptography_weak_hash.rst b/docs/source/rules/python/third_party/PRE0014_cryptography_weak_hash.rst
deleted file mode 100644
index 55884efc..00000000
--- a/docs/source/rules/python/third_party/PRE0014_cryptography_weak_hash.rst
+++ /dev/null
@@ -1,5 +0,0 @@
--------------------------------
-PRE0014: cryptography_weak_hash
--------------------------------
-
-.. automodule:: precli.rules.python.third_party.cryptography.cryptography_weak_hash
diff --git a/docs/source/rules/python/third_party/PRE0015_dill_load.rst b/docs/source/rules/python/third_party/PRE0015_dill_load.rst
deleted file mode 100644
index f4cab603..00000000
--- a/docs/source/rules/python/third_party/PRE0015_dill_load.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-------------------
-PRE0015: dill_load
-------------------
-
-.. automodule:: precli.rules.python.third_party.dill.dill_load
diff --git a/docs/source/rules/python/third_party/PRE0016_no_certificate_verify.rst b/docs/source/rules/python/third_party/PRE0016_no_certificate_verify.rst
deleted file mode 100644
index d118ec8a..00000000
--- a/docs/source/rules/python/third_party/PRE0016_no_certificate_verify.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-------------------------------
-PRE0016: no_certificate_verify
-------------------------------
-
-.. automodule:: precli.rules.python.third_party.httpx.no_certificate_verify
diff --git a/docs/source/rules/python/third_party/PRE0017_jsonpickle_decode.rst b/docs/source/rules/python/third_party/PRE0017_jsonpickle_decode.rst
deleted file mode 100644
index fb58dd70..00000000
--- a/docs/source/rules/python/third_party/PRE0017_jsonpickle_decode.rst
+++ /dev/null
@@ -1,5 +0,0 @@
--------------------------
-PRE0017: jsonpickle_decode
--------------------------
-
-.. automodule:: precli.rules.python.third_party.jsonpickle.jsonpickle_decode
diff --git a/docs/source/rules/python/third_party/PRE0018_pandas_read_pickle.rst b/docs/source/rules/python/third_party/PRE0018_pandas_read_pickle.rst
deleted file mode 100644
index 3fbabc83..00000000
--- a/docs/source/rules/python/third_party/PRE0018_pandas_read_pickle.rst
+++ /dev/null
@@ -1,5 +0,0 @@
---------------------------
-PRE0018: pandas_read_pickle
---------------------------
-
-.. automodule:: precli.rules.python.third_party.pandas.pandas_read_pickle
diff --git a/docs/source/rules/python/third_party/PRE0019_paramiko_no_host_key_verify.rst b/docs/source/rules/python/third_party/PRE0019_paramiko_no_host_key_verify.rst
deleted file mode 100644
index 77c0e883..00000000
--- a/docs/source/rules/python/third_party/PRE0019_paramiko_no_host_key_verify.rst
+++ /dev/null
@@ -1,5 +0,0 @@
------------------------------------
-PRE0019: paramiko_no_host_key_verify
------------------------------------
-
-.. automodule:: precli.rules.python.third_party.paramiko.paramiko_no_host_key_verify
diff --git a/docs/source/rules/python/third_party/PRE0020_pyghmi_cleartext.rst b/docs/source/rules/python/third_party/PRE0020_pyghmi_cleartext.rst
deleted file mode 100644
index ec57bb95..00000000
--- a/docs/source/rules/python/third_party/PRE0020_pyghmi_cleartext.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-------------------------
-PRE0020: pyghmi_cleartext
-------------------------
-
-.. automodule:: precli.rules.python.third_party.pyghmi.pyghmi_cleartext
diff --git a/docs/source/rules/python/third_party/PRE0021_pycrypto_weak_hash.rst b/docs/source/rules/python/third_party/PRE0021_pycrypto_weak_hash.rst
deleted file mode 100644
index 511acfe3..00000000
--- a/docs/source/rules/python/third_party/PRE0021_pycrypto_weak_hash.rst
+++ /dev/null
@@ -1,5 +0,0 @@
---------------------------
-PRE0021: pycrypto_weak_hash
---------------------------
-
-.. automodule:: precli.rules.python.third_party.pycrypto.pycrypto_weak_hash
diff --git a/docs/source/rules/python/third_party/PRE0022_pycryptodomex_weak_hash.rst b/docs/source/rules/python/third_party/PRE0022_pycryptodomex_weak_hash.rst
deleted file mode 100644
index 76e41d2a..00000000
--- a/docs/source/rules/python/third_party/PRE0022_pycryptodomex_weak_hash.rst
+++ /dev/null
@@ -1,5 +0,0 @@
--------------------------------
-PRE0022: pycryptodomex_weak_hash
--------------------------------
-
-.. automodule:: precli.rules.python.third_party.pycryptodomex.pycryptodomex_weak_hash
diff --git a/docs/source/rules/python/third_party/PRE0023_insecure_tls_method.rst b/docs/source/rules/python/third_party/PRE0023_insecure_tls_method.rst
deleted file mode 100644
index 87d8c0b7..00000000
--- a/docs/source/rules/python/third_party/PRE0023_insecure_tls_method.rst
+++ /dev/null
@@ -1,5 +0,0 @@
----------------------------
-PRE0023: insecure_tls_method
----------------------------
-
-.. automodule:: precli.rules.python.third_party.pyopenssl.insecure_tls_method
diff --git a/docs/source/rules/python/third_party/PRE0024_yaml_load.rst b/docs/source/rules/python/third_party/PRE0024_yaml_load.rst
deleted file mode 100644
index 59b930ce..00000000
--- a/docs/source/rules/python/third_party/PRE0024_yaml_load.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-------------------
-PRE0024: yaml_load
-------------------
-
-.. automodule:: precli.rules.python.third_party.PyYAML.yaml_load
diff --git a/docs/source/rules/python/third_party/PRE0025_no_certificate_verify.rst b/docs/source/rules/python/third_party/PRE0025_no_certificate_verify.rst
deleted file mode 100644
index a13c7605..00000000
--- a/docs/source/rules/python/third_party/PRE0025_no_certificate_verify.rst
+++ /dev/null
@@ -1,5 +0,0 @@
-------------------------------
-PRE0025: no_certificate_verify
-------------------------------
-
-.. automodule:: precli.rules.python.third_party.requests.no_certificate_verify
diff --git a/docs/source/rules/python/third_party/index.rst b/docs/source/rules/python/third_party/index.rst
deleted file mode 100644
index 2c556a5d..00000000
--- a/docs/source/rules/python/third_party/index.rst
+++ /dev/null
@@ -1,8 +0,0 @@
-Third-Party
-===========
-
-.. toctree::
- :maxdepth: 1
- :glob:
-
- *
diff --git a/precli/rules/go/golang_org_x_crypto/__init__.py b/precli/rules/go/golang_org_x_crypto/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/go/golang_org_x_crypto/ssh_insecure_ignore_hostkey.py b/precli/rules/go/golang_org_x_crypto/ssh_insecure_ignore_hostkey.py
deleted file mode 100644
index 07324d0d..00000000
--- a/precli/rules/go/golang_org_x_crypto/ssh_insecure_ignore_hostkey.py
+++ /dev/null
@@ -1,175 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -===================================== -Improper Hostkey Validation Using SSH -===================================== - -The ``golang.org_x_crypto_ssh`` package includes a number of standard methods -for accessing SSH servers. A client should always verify the host key of the -SSH server in order to avoid a number of security risks including: - -- Man-in-the-middle attacks -- Session hijacking -- Data theft - -In the case of a host key that is unknown to the client, the host key callback -should reject the key to cancel the connection. - -------- -Example -------- - -.. code-block:: go - :linenos: - :emphasize-lines: 14 - - package main - - import ( - "fmt" - "golang.org/x/crypto/ssh" - ) - - func main() { - config := &ssh.ClientConfig{ - User: "username", - Auth: []ssh.AuthMethod{ - ssh.Password("password"), - }, - HostKeyCallback: ssh.InsecureIgnoreHostKey(), - } - - serverAddress := "example.com:22" - - conn, err := ssh.Dial("tcp", serverAddress, config) - if err != nil { - fmt.Println("Failed to dial:", err) - return - } - defer conn.Close() - - session, err := conn.NewSession() - if err != nil { - fmt.Println("Failed to create session:", err) - return - } - defer session.Close() - - output, err := session.CombinedOutput("ls -l") - if err != nil { - fmt.Println("Failed to execute command:", err) - return - } - } - ------------ -Remediation ------------ - -Implement a HostKeyCallback fucntion in order to reject connection if the -host key is unknown to the client. - -.. 
code-block:: go - :linenos: - :emphasize-lines: 9-22, 29 - - package main - - import ( - "fmt" - "golang.org/x/crypto/ssh" - ) - - func main() { - hostKeyCallback := func(hostname string, remote net.Addr, key ssh.PublicKey) error { - // Here, we hardcode the known host key (for example purposes) - // In a real-world application, you should replace this with your - // actual host key - knownHostPublicKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...")) - if err != nil { - return err - } - - if ssh.KeysEqual(knownHostPublicKey, key) { - return nil // host key matches - } - return fmt.Errorf("unknown host key for %s", hostname) - } - - config := &ssh.ClientConfig{ - User: "username", - Auth: []ssh.AuthMethod{ - ssh.Password("password"), - }, - HostKeyCallback: hostKeyCallback, - } - - serverAddress := "example.com:22" - - conn, err := ssh.Dial("tcp", serverAddress, config) - if err != nil { - fmt.Println("Failed to dial:", err) - return - } - defer conn.Close() - - session, err := conn.NewSession() - if err != nil { - fmt.Println("Failed to create session:", err) - return - } - defer session.Close() - - output, err := session.CombinedOutput("ls -l") - if err != nil { - fmt.Println("Failed to execute command:", err) - return - } - } - -.. seealso:: - - - `Improper Hostkey Validation Using SSH `_ - - `ssh package - golang.org_x_crypto_ssh - Go Packages `_ - - `CWE-295: Improper Certificate Validation `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class SshInsecureIgnoreHostKey(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="improper_certificate_validation", - full_descr=__doc__, - cwe_id=295, - message="'{}' will bypass host key verification and make the " - "client vulnerable to man-in-the-middle attacks.", - targets=("call"), - wildcards={}, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if ( - call.name_qualified - == "golang.org/x/crypto/ssh.InsecureIgnoreHostKey" - ): - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.function_node, - ), - level=Level.ERROR, - message=self.message.format("InsecureIgnoreHostKey"), - ) diff --git a/precli/rules/go/golang_org_x_crypto/weak_cipher.py b/precli/rules/go/golang_org_x_crypto/weak_cipher.py deleted file mode 100644 index 3fb1457f..00000000 --- a/precli/rules/go/golang_org_x_crypto/weak_cipher.py +++ /dev/null 
@@ -1,155 +0,0 @@ -# Copyright 2024 Secure Saurce LLC -r""" -==================================================================== -Use of a Broken or Risky Cryptographic Algorithm in X Crypto Package -==================================================================== - -Using weak ciphers for cryptographic algorithms can pose significant security -risks, and it's generally advised to avoid them in favor of stronger, more -secure algorithms. Here's some guidance that advises against using weak -ciphers like Blowfish, CAST5, TEA/XTEA, and Twofish: - -Blowfish: Developed in 1993, Blowfish is a block cipher known for its -simplicity. However, its small block size of 64 bits makes it susceptible to -birthday attacks in modern contexts. This vulnerability is significant when -encrypting large amounts of data, which is common in current applications. - -CAST5 (CAST-128): CAST5, a symmetric encryption algorithm, suffers from -similar issues as Blowfish due to its 64-bit block size. While it was -considered secure for its time, modern applications typically require -algorithms with larger block sizes for enhanced security. - -TEA/XTEA: The Tiny Encryption Algorithm (TEA) and its successor, eXtended -TEA (XTEA), are lightweight block ciphers. They are notable for their -simplicity and ease of implementation but have known vulnerabilities, -including susceptibility to differential cryptanalysis. These weaknesses -make them less suitable for applications where strong security is a priority. - -Twofish: As a finalist in the Advanced Encryption Standard (AES) competition, -Twofish is a respected algorithm. However, it was not selected as the -standard, and over time, AES has become the more tested and trusted choice -in most cryptographic applications. 
- -In summary, there is a consensus among reputable standards organizations, -industry experts, and security professionals that weak ciphers like Blowfish, -CAST5, TEA/XTEA, and Twofish should be avoided due to their known -vulnerabilities and weaknesses. Instead, it is advisable to use stronger, -more secure cryptographic algorithms and adhere to industry best practices -and regulatory requirements for encryption and security. - -------- -Example -------- - -.. code-block:: go - :linenos: - :emphasize-lines: 11 - - package main - - import ( - "log" - "golang.org/x/crypto/twofish" - ) - - func main() { - key := []byte("examplekey123456") - - _, err := twofish.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } - } - ------------ -Remediation ------------ - -It is advisable to use stronger, more secure cryptographic algorithms such as -AES. - -.. code-block:: go - :linenos: - :emphasize-lines: 5,11 - - package main - - import ( - "log" - "crypto/aes" - ) - - func main() { - key := []byte("examplekey123456") - - _, err := aes.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } - } - -.. seealso:: - - - `Use of a Broken or Risky Cryptographic Algorithm in Crypto Package `_ - - `blowfish package - golang.org_x_crypto_twofish - Go Packages `_ - - `cast5 package - golang.org_x_crypto_twofish - Go Packages `_ - - `tea package - golang.org_x_crypto_twofish - Go Packages `_ - - `twofish package - golang.org_x_crypto_twofish - Go Packages `_ - - `xtea package - golang.org_x_crypto_twofish - Go Packages `_ - - `CWE-327: Use of a Broken or Risky Cryptographic Algorithm `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class WeakCipher(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="use_of_a_broken_or_risky_cryptographic_algorithm", - full_descr=__doc__, - cwe_id=327, - message="Weak ciphers like {} should be avoided due to their " - "known vulnerabilities and weaknesses.", - targets=("call"), - wildcards={}, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in [ - "golang.org/x/crypto/blowfish.NewCipher", - "golang.org/x/crypto/blowfish.NewSaltedCipher", - "golang.org/x/crypto/cast5.NewCipher", - "golang.org/x/crypto/tea.NewCipher", - "golang.org/x/crypto/tea.NewCipherWithRounds", - "golang.org/x/crypto/twofish.NewCipher", - "golang.org/x/crypto/xtea.NewCipher", - ]: - # TODO: Need to remove arguments for NewSaltedCipher and - # NewCipherWithRounds - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=call.function_node), - description="It is advisable to use a stronger, more " - "secure cryptographic algorithm like AES.", - inserted_content="aes.NewCipher", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.function_node, - ), - level=Level.ERROR, - message=self.message.format(call.name), - fixes=fixes, - ) diff --git a/precli/rules/go/golang_org_x_crypto/weak_hash.py b/precli/rules/go/golang_org_x_crypto/weak_hash.py deleted file mode 100644 index 42b8ba2d..00000000 --- a/precli/rules/go/golang_org_x_crypto/weak_hash.py +++ /dev/null 
@@ -1,142 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -=========================================== -Reversible One Way Hash in X Crypto Package -=========================================== - -The Go ``golang.org/x/crypto`` package provides a number of functions for -hashing data. However, some of the hash algorithms supported by hashlib are -insecure and should not be used. These insecure hash algorithms include ``MD4`` -and ``RIPEMD160``. - -The MD4 hash algorithm is a cryptographic hash function that was designed in -the late 1980s. MD4 is no longer considered secure, and passwords hashed with -MD4 can be easily cracked by attackers. - -RIPEMD is a cryptographic hash function that was designed in 1996. It is -considered to be a secure hash function, but it is not as secure as -SHA-256, SHA-384, or SHA-512. In 2017, a collision attack was found for -RIPEMD-160. This means that it is possible to find two different messages -that have the same RIPEMD-160 hash. While this does not mean that RIPEMD-160 -is completely insecure, it does mean that it is not as secure as it once was. - -------- -Example -------- - -.. code-block:: go - :linenos: - :emphasize-lines: 4,9 - - package main - - import ( - "golang.org/x/crypto/md4" - "fmt" - ) - - func main() { - h := md4.New() - h.Write([]byte("hello world\n")) - fmt.Printf("%x", h.Sum(nil)) - } - ------------ -Remediation ------------ - -The recommendation is to swap the insecure hashing method to one of the more -secure alternatives, ``sha256`` or ``sha512``. - -.. code-block:: go - :linenos: - :emphasize-lines: 4,9 - - package main - - import ( - "crypto/sha256" - "fmt" - ) - - func main() { - h := sha256.New() - h.Write([]byte("hello world\n")) - fmt.Printf("%x", h.Sum(nil)) - } - -.. 
seealso:: - - - `Reversible One Way Hash in X Crypto Package `_ - - `md4 package - golang.org_x_crypto_md4 - Go Packages `_ - - `ripemd160 package - golang.org_x_crypto_ripemd160 - Go Packages `_ - - `CWE-328: Use of Weak Hash `_ - - `NIST Policy on Hash Functions `_ - -.. versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class WeakHash(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="reversible_one_way_hash", - full_descr=__doc__, - cwe_id=328, - message="Use of weak hash function '{}' does not meet security " - "expectations.", - targets=("call"), - wildcards={}, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in [ - "golang.org/x/crypto/md4.New", - "golang.org/x/crypto/ripemd160.New", - ]: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=call.function_node), - description="Use a more secure hashing algorithm like sha256.", - inserted_content="sha256.New", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.function_node, - ), - level=Level.ERROR, - message=self.message.format(call.name_qualified), - fixes=fixes, - ) - elif call.name_qualified in [ - "golang.org/x/crypto/md4.Sum", - "golang.org/x/crypto/ripemd160.Sum", - ]: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=call.function_node), - description="Use a more secure hashing algorithm like sha256.", - inserted_content="sha256.Sum", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.function_node, - ), - level=Level.ERROR, - message=self.message.format(call.name_qualified), - fixes=fixes, - ) 
diff --git a/precli/rules/python/Django/__init__.py b/precli/rules/python/Django/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/Flask/__init__.py b/precli/rules/python/Flask/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/Flask/flask_run_debug.py b/precli/rules/python/Flask/flask_run_debug.py
deleted file mode 100644
index 89e75558..00000000
--- a/precli/rules/python/Flask/flask_run_debug.py
+++ /dev/null
@@ -1,119 +0,0 @@ -# Copyright 2024 Secure Saurce LLC -r""" -================================== -Code Injection in Flask App Config -================================== - -Using the ``Flask`` app with debug mode set to True in a production -environment is considered bad for several reasons: - - 1. Security Risk: Debug mode provides detailed error pages with stack traces - and environment variable information when exceptions occur. This - information can reveal sensitive data and application internals to - potential attackers. - 2. Performance Issues: Debug mode may affect the performance of your Flask - app. It’s designed for development, not optimized for production traffic. - 3. Automatic Reloading: Flask’s debug mode includes a feature that - automatically reloads the application when it detects a code change. This - is helpful during development but can be disruptive and unpredictable in - a production environment. - 4. Exposes Development Tools: Debug mode can enable interactive debugging - tools (like the Werkzeug debugger), which can be a major security - vulnerability if exposed publicly. - 5. Lack of Logging: Relying on debug mode means you might not have proper - logging set up, which is essential for monitoring and troubleshooting - production applications. - -------- -Example -------- - -.. code-block:: python - :linenos: - :emphasize-lines: 5 - - from flask import Flask - - - app = Flask(__name__) - app.run(debug=True) - ------------ -Remediation ------------ - -To avoid this vulnerability, either set the keyword argument of ``debug`` to -False or avoid passing a ``debug`` keyword whenever the intended code is for -production use. - -.. code-block:: python - :linenos: - :emphasize-lines: 5 - - from flask import Flask - - - app = Flask(__name__) - app.run(debug=False) - -.. 
seealso:: - - - `Code Injection in Flask App Config `_ - - `Quickstart — Flask Documentation (2.3.x) `_ - - `Debugging Applications — Werkzeug Documentation (3.0.x) `_ - - `How Patreon Got Hacked Publicly Exposed Werkzeug Debugger `_ - - `CWE-94: Improper Control of Generation of Code ('Code Injection') `_ - -.. versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class FlaskRunDebug(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="code_injection", - full_descr=__doc__, - cwe_id=94, - message="Flask debug mode is unsafe as it exposes the Werkzeug " - "debugger which can allow remote code injection.", - targets=("call"), - wildcards={ - "flask.*": [ - "Flask", - ] - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in ["flask.Flask.run"]: - argument = call.get_argument(name="debug") - debug = argument.value - - if debug is True: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=argument.node), - description="Turn the debug mode off for code intended " - "for production environments.", - inserted_content="False", - ) - - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=argument.node, - ), - level=Level.ERROR, - fixes=fixes, - ) diff --git a/precli/rules/python/Jinja2/__init__.py b/precli/rules/python/Jinja2/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/precli/rules/python/M2Crypto/__init__.py b/precli/rules/python/M2Crypto/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/precli/rules/python/M2Crypto/m2crypto_weak_key.py b/precli/rules/python/M2Crypto/m2crypto_weak_key.py deleted file mode 100644 index ed54772b..00000000 
--- a/precli/rules/python/M2Crypto/m2crypto_weak_key.py
+++ /dev/null
@@ -1,194 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -================================================================= -Inadequate Encryption Strength Using Weak Keys in M2Crypto Module -================================================================= - -Using weak key sizes for cryptographic algorithms like RSA and DSA can -compromise the security of your encryption and digital signatures. Here's -a brief overview of the risks associated with weak key sizes for these -algorithms: - -RSA (Rivest-Shamir-Adleman): -RSA is widely used for both encryption and digital signatures. Weak key sizes -in RSA can be vulnerable to factorization attacks, such as the famous RSA-129 -challenge, which was factored in 1994 after 17 years of effort. Using small -key sizes makes it easier for attackers to factor the modulus and recover -the private key. - -It's generally recommended to use RSA key sizes of 2048 bits or more for -security in the present day, with 3072 bits or higher being increasingly -preferred for long-term security. - -DSA (Digital Signature Algorithm): -DSA is used for digital signatures and relies on the discrete logarithm -problem. Using weak key sizes in DSA can make it susceptible to attacks that -involve solving the discrete logarithm problem, like the GNFS (General -Number Field Sieve) algorithm. - -For DSA, key sizes of 2048 bits or more are recommended for modern security. -Note that DSA is not as commonly used as RSA or ECC for new applications, and -ECDSA (Elliptic Curve Digital Signature Algorithm) is often preferred due to -its efficiency and strong security properties. - -EC (Elliptic Curve): -Elliptic Curve cryptography provides strong security with relatively small -key sizes compared to RSA and DSA. However, even in the case of EC, using -weak curve parameters or small key sizes can expose you to vulnerabilities. -The strength of an EC key depends on the curve's properties and the size of -the prime used. 
- -Recommended EC key sizes depend on the curve you select, but for modern -applications, curves like NIST P-256 (secp256r1) with a 256-bit key size -are considered secure. Larger curves, like NIST P-384 or P-521, can provide -even higher security margins. - -------- -Example -------- - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - from M2Crypto import RSA - - - new_key = RSA.gen_key(1024, 65537) - ------------ -Remediation ------------ - -Its recommended to increase the key size to at least 2048 for DSA and RSA -algorithms. - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - from M2Crypto import RSA - - - new_key = RSA.gen_key(2048, 65537) - -.. seealso:: - - - `Inadequate Encryption Strength Using Weak Keys in M2Crypto Module `_ - - `m2crypto _ m2crypto · GitLab `_ - - `CWE-326: Inadequate Encryption Strength `_ - -.. versionadded:: 1.0.0 - -""" # noqa: E501 -import re - -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class M2CryptoWeakKey(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="inadequate_encryption_strength", - full_descr=__doc__, - cwe_id=326, - message="Using {} key sizes less than {} bits is considered " - "vulnerable to attacks.", - targets=("call"), - wildcards={ - "M2Crypto.RSA.*": [ - "gen_key", - ], - "M2Crypto.DSA.*": [ - "gen_params", - ], - "M2Crypto.*": [ - "RSA.gen_key", - "DSA.gen_params", - ], - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified == "M2Crypto.RSA.gen_key": - arg0 = call.get_argument(position=0, name="bits") - bits = arg0.value - - if isinstance(bits, int) and bits < 2048: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=arg0.node), - description="Use a minimum key size of 2048 for RSA keys.", 
- inserted_content="2048", - ) - - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=arg0.node, - ), - level=Level.ERROR if bits <= 1024 else Level.WARNING, - message=self.message.format("RSA", 2048), - fixes=fixes, - ) - elif call.name_qualified == "M2Crypto.DSA.gen_params": - arg0 = call.get_argument(position=0, name="bits") - bits = arg0.value - - if isinstance(bits, int) and bits < 2048: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=arg0.node), - description="Use a minimum key size of 2048 for DSA keys.", - inserted_content="2048", - ) - - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=arg0.node, - ), - level=Level.ERROR if bits <= 1024 else Level.WARNING, - message=self.message.format("DSA", 2048), - fixes=fixes, - ) - elif call.name_qualified == "M2Crypto.EC.gen_params": - arg0 = call.get_argument(position=0, name="curve") - curve = arg0.value - result = re.search(r"NID_sec[p|t](\d{3})(?:r1|r2|k1){1}", curve) - if not result: - result = re.search(r"NID_prime(\d{3})v[1|2|3]", curve) - if not result: - result = re.search( - r"NID_c2[p|t]nb(\d{3})(?:v1|v2|v3|w1|r1){1}", curve - ) - key_size = int(result.group(1)) if result else 224 - - if key_size < 224: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=arg0.identifier_node), - description="Use a curve with a minimum size of 224 bits.", - inserted_content="NID_secp256k1", - ) - - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=arg0.identifier_node, - ), - level=Level.ERROR if key_size < 160 else Level.WARNING, - message=self.message.format("EC", 224), - fixes=fixes, - ) diff --git a/precli/rules/python/Mako/__init__.py b/precli/rules/python/Mako/__init__.py deleted file mode 100644 index e69de29b..00000000 
diff --git a/precli/rules/python/PyYAML/__init__.py b/precli/rules/python/PyYAML/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/PyYAML/yaml_load.py b/precli/rules/python/PyYAML/yaml_load.py
deleted file mode 100644
index 3ee634f0..00000000
--- a/precli/rules/python/PyYAML/yaml_load.py
+++ /dev/null
@@ -1,126 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -====================================================== -Deserialization of Untrusted Data in the PyYAML Module -====================================================== - -The Python ``PyYAML`` module provides a way to parse and generate YAML data. -However, it is important to be aware that malicious YAML strings can be used -to attack applications that use the json module. For example, a malicious YAML -string could be used to cause the decoder to consume considerable CPU and -memory resources, which could lead to a denial-of-service attack. - -------- -Example -------- - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import yaml - - - yaml.load("{}") - ------------ -Remediation ------------ - -To avoid this vulnerability, it is important to only parse YAML data from -trusted sources. If you are parsing YAML data from an untrusted source, you -should first sanitize the data to remove any potential malicious code. You -can also switch to the ``safe_load`` function or use the ``SafeLoader`` value -to the ``Loader`` argument. - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import yaml - - - yaml.safe_load("{}") - -.. seealso:: - - - `Deserialization of Untrusted Data in the PyYAML Module `_ - - `PyYAML Documentation `_ - - `CWE-502: Deserialization of Untrusted Data `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class YamlLoad(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="deserialization_of_untrusted_data", - full_descr=__doc__, - cwe_id=502, - message="Usage of '{}' can allow instantiation of arbitrary " - "objects.", - targets=("call"), - wildcards={ - "yaml.*": [ - "load", - "SafeLoader", - "CSafeLoader", - ] - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in ["yaml.load"]: - argument = call.get_argument(position=1, name="Loader") - loader = argument.value - - if loader is not None: - if isinstance(loader, str) and loader not in ( - "yaml.CSafeLoader", - "yaml.SafeLoader", - ): - fixes = Rule.get_fixes( - context=context, - deleted_location=Location( - node=argument.identifier_node - ), - description="Use 'SafeLoader' as the 'Loader' argument" - " to safely load YAML files.", - inserted_content="SafeLoader", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=argument.identifier_node, - ), - message=self.message.format(call.name_qualified), - fixes=fixes, - ) - else: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=call.identifier_node), - description="Use 'yaml.safe_load' to safely load YAML " - "files.", - inserted_content="safe_load", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.identifier_node, - ), - message=self.message.format(call.name_qualified), - fixes=fixes, - ) diff --git a/precli/rules/python/Twisted/__init__.py b/precli/rules/python/Twisted/__init__.py deleted file mode 100644 index e69de29b..00000000 
diff --git a/precli/rules/python/aiohttp/__init__.py b/precli/rules/python/aiohttp/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/aiohttp/no_certificate_verify.py b/precli/rules/python/aiohttp/no_certificate_verify.py
deleted file mode 100644
index 3cc1cf8b..00000000
--- a/precli/rules/python/aiohttp/no_certificate_verify.py
+++ /dev/null
@@ -1,128 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -==================================================== -Improper Certificate Validation Using Aiohttp Module -==================================================== - -The ``aiohttp`` package includes a number of asynchronous methods for accessing -HTTP servers. The common parameter in these methods is ``ssl`` to denote -whether to verify the server's host certificate. If unset, the default value -is to verify certificates. However, by setting the value to False, the code is -subject to a number of security risks including: - -- Man-in-the-middle attacks -- Session hijacking -- Data theft - -------- -Example -------- - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import aiohttp - - - async with aiohttp.ClientSession() as session: - async with session.get('http://python.org', ssl=False) as response: - print(await response.text()) - ------------ -Remediation ------------ - -Setting the value of the ssl argument to None or removing the keyword -argument accomplish the same effect of ensuring that certificates are verified. - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import aiohttp - - - async with aiohttp.ClientSession() as session: - async with session.get('http://python.org', ssl=None) as response: - print(await response.text()) - -.. seealso:: - - - `Improper Certificate Validation Using Requests Module `_ - - `Advanced Client Usage — aiohttp documentation `_ - - `CWE-295: Improper Certificate Validation `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class NoCertificateVerify(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="improper_certificate_validation", - full_descr=__doc__, - cwe_id=295, - message="The '{}' function is set to not verify certificates.", - targets=("call"), - wildcards={ - "aiohttp.ClientSession.*": [ - "delete", - "get", - "head", - "options", - "patch", - "post", - "put", - "request", - "ws_connect", - ] - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in [ - "aiohttp.ClientSession.delete", - "aiohttp.ClientSession.get", - "aiohttp.ClientSession.head", - "aiohttp.ClientSession.options", - "aiohttp.ClientSession.patch", - "aiohttp.ClientSession.post", - "aiohttp.ClientSession.put", - "aiohttp.ClientSession.request", - "aiohttp.ClientSession.ws_connect", - ]: - argument = call.get_argument(name="ssl") - ssl = argument.value - if ssl is None: - argument = call.get_argument(name="verify_ssl") - ssl = argument.value - - if ssl is False: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=argument.node), - description="Set the 'ssl' argument to 'None' to ensure" - " the server's certificate is verified.", - inserted_content="None", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=argument.node, - ), - level=Level.ERROR, - message=self.message.format(call.name_qualified), - fixes=fixes, - ) diff --git a/precli/rules/python/cryptography/__init__.py b/precli/rules/python/cryptography/__init__.py deleted file mode 100644 index e69de29b..00000000 
diff --git a/precli/rules/python/cryptography/cryptography_weak_cipher.py b/precli/rules/python/cryptography/cryptography_weak_cipher.py
deleted file mode 100644
index eb7f4785..00000000
--- a/precli/rules/python/cryptography/cryptography_weak_cipher.py
+++ /dev/null
@@ -1,209 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -======================================================================= -Use of a Broken or Risky Cryptographic Algorithm in Cryptography Module -======================================================================= - -Using weak ciphers for cryptographic algorithms can pose significant security -risks, and it's generally advised to avoid them in favor of stronger, more -secure algorithms. Here's some guidance that advises against using weak -ciphers like ARC4, IDEA, and Blowfish: - -1. **NIST Recommendations**: The National Institute of Standards and -Technology (NIST) is a widely recognized authority on cryptographic standards. -NIST advises against using weak ciphers in their Special Publication -800-175B: "Guide to Secure Web Services." They recommend the use of stronger -ciphers like AES (Advanced Encryption Standard) and SHA-256 for cryptographic -purposes. - -2. **IETF Standards**: The Internet Engineering Task Force (IETF) publishes -standards and guidelines for secure network communication. IETF has deprecated -or discouraged the use of weak ciphers in various RFCs (Request for -Comments). For example, RFC 7465 advises against using SSLv3 and RC4 due to -their vulnerabilities. - -3. **OWASP Guidelines**: The Open Web Application Security Project (OWASP) -provides guidelines for secure web applications. Their guidance explicitly -recommends avoiding weak ciphers, including ARC4, IDEA, and Blowfish, due to -known security weaknesses. - -4. **PCI DSS Compliance**: The Payment Card Industry Data Security Standard -(PCI DSS) mandates the use of strong cryptographic algorithms. Using weak -ciphers is discouraged and can lead to non-compliance with PCI DSS -requirements. - -5. 
**Industry Best Practices**: Various cybersecurity experts and -organizations, such as SANS Institute, CERT/CC (Computer Emergency Response -Team Coordination Center), and security vendors, provide guidance on best -practices for cryptographic algorithms. These resources typically recommend -avoiding the use of weak ciphers. - -6. **Security Research**: Academic papers and security research often -highlight the vulnerabilities of weak ciphers like ARC4, IDEA, and Blowfish. -These findings reinforce the importance of avoiding these ciphers in -security-critical applications. - -7. **Compliance Standards**: Depending on your industry and location, -there may be specific regulatory requirements that prohibit the use of -weak ciphers. Ensure compliance with applicable regulations by using strong, -approved cryptographic algorithms. - -8. **TLS/SSL Configuration**: If you are configuring web servers or other -network services that use TLS/SSL for encryption, it's essential to configure -your server to support only strong ciphersuites and protocols. Weak ciphers, -such as RC4, have known vulnerabilities and should be disabled. - -In summary, there is a consensus among reputable standards organizations, -industry experts, and security professionals that weak ciphers like ARC4, -IDEA, and Blowfish should be avoided due to their known vulnerabilities and -weaknesses. Instead, it is advisable to use stronger, more secure -cryptographic algorithms and adhere to industry best practices and regulatory -requirements for encryption and security. - -------- -Example -------- - -.. 
code-block:: python - :linenos: - :emphasize-lines: 8,9 - - import os - - from cryptography.hazmat.primitives.ciphers import Cipher - from cryptography.hazmat.primitives.ciphers import algorithms - - - key = os.urandom(32) - algorithm = algorithms.ARC4(key) - cipher = Cipher(algorithm, mode=None) - encryptor = cipher.encryptor() - ct = encryptor.update(b"a secret message") - ------------ -Remediation ------------ - -It is advisable to use stronger, more secure cryptographic algorithms such as -AES. - -.. code-block:: python - :linenos: - :emphasize-lines: 10,11 - - import os - - from cryptography.hazmat.primitives.ciphers import Cipher - from cryptography.hazmat.primitives.ciphers import algorithms - from cryptography.hazmat.primitives.ciphers import modes - - - key = os.urandom(32) - iv = os.urandom(16) - algorithm = algorithms.AES(key) - cipher = Cipher(algorithm, mode=modes.CBC(iv)) - encryptor = cipher.encryptor() - ct = encryptor.update(b"a secret message") + encryptor.finalize() - -.. seealso:: - - - `Use of a Broken or Risky Cryptographic Algorithm in Cryptography Module `_ - - `Symmetric encryption — Cryptography documentation `_ - - `CWE-327: Use of a Broken or Risky Cryptographic Algorithm `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -WEAK_CIPHERS = [ - "cryptography.hazmat.primitives.ciphers.algorithms.ARC4", - "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish", - "cryptography.hazmat.primitives.ciphers.algorithms.IDEA", -] - - -class CryptographyWeakCipher(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="use_of_a_broken_or_risky_cryptographic_algorithm", - full_descr=__doc__, - cwe_id=327, - message="Weak ciphers like {} should be avoided due to their " - "known vulnerabilities and weaknesses.", - targets=("call"), - wildcards={ - "cryptography.hazmat.primitives.ciphers.algorithms.*": [ - "ARC4", - "Blowfish", - "IDEA", - ], - "cryptography.hazmat.primitives.ciphers.*": [ - "Cipher", - "algorithms.ARC4", - "algorithms.Blowfish", - "algorithms.IDEA", - ], - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in WEAK_CIPHERS: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=call.identifier_node), - description="It is advisable to use a stronger, more " - "secure cryptographic algorithm like AES.", - inserted_content="AES", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.identifier_node, - ), - level=Level.ERROR, - message=self.message.format(call.name), - fixes=fixes, - ) - elif call.name_qualified in [ - "cryptography.hazmat.primitives.ciphers.Cipher", - ]: - arg0 = call.get_argument(position=0, name="algorithm") - algorithm = arg0.value - arg1 = call.get_argument(position=1, name="mode") - - if arg1.node is not None: - loc_node = arg1.node - content = "CBC(os.urandom(16))" - else: - loc_node = arg0.node - content = 
f"{arg0.node.text.decode()}, CBC(os.urandom(16))" - - if algorithm in WEAK_CIPHERS: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=loc_node), - description="The AES cipher is a block cipher requiring " - "a mode such as CBC to be specified.", - inserted_content=content, - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=arg0.identifier_node, - ), - level=Level.ERROR, - message=self.message.format(algorithm), - fixes=fixes, - ) diff --git a/precli/rules/python/cryptography/cryptography_weak_cipher_mode.py b/precli/rules/python/cryptography/cryptography_weak_cipher_mode.py deleted file mode 100644 index 5b33bb99..00000000 --- a/precli/rules/python/cryptography/cryptography_weak_cipher_mode.py +++ /dev/null 
@@ -1,127 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -=============================================================== -Use of a Risky Cryptographic Cipher Mode in Cryptography Module -=============================================================== - -Using weak cipher modes, such as Electronic Codebook (ECB), for cryptographic -algorithms is generally discouraged due to significant security vulnerabilities -associated with them. - -ECB mode is highly vulnerable to various attacks, primarily because it -encrypts each block of plaintext independently. As a result, identical -plaintext blocks will produce identical ciphertext blocks. This can leak -information about the underlying data, and patterns within the data may be -discernible, making it easier for attackers to exploit these patterns. - -ECB mode also does not provide diffusion, which means that changes in the -plaintext have a limited impact on the ciphertext. This lack of diffusion -makes it easier for attackers to manipulate or infer information from the -ciphertext. - -Because of the determinism in ECB mode, it is susceptible to chosen-plaintext -attacks, where an attacker can manipulate the input data to reveal patterns -or vulnerabilities in the encryption. - -ECB mode is designed for block ciphers, which means it can only encrypt data -in fixed-size blocks. If you need to encrypt larger messages, you would have -to implement additional techniques (e.g., chaining modes) which can be -complex and prone to implementation errors. - -------- -Example -------- - -.. 
code-block:: python - :linenos: - :emphasize-lines: 10 - - import os - - from cryptography.hazmat.primitives.ciphers import Cipher - from cryptography.hazmat.primitives.ciphers import algorithms - from cryptography.hazmat.primitives.ciphers import modes - - - key = os.urandom(32) - algorithm = algorithms.AES(key) - mode = modes.ECB() - cipher = Cipher(algorithm, mode=mode) - encryptor = cipher.encryptor() - ct = encryptor.update(b"a secret message") + encryptor.finalize() - ------------ -Remediation ------------ - -It is advisable to use a secure cryptographic algorithms such as CBC. - -.. code-block:: python - :linenos: - :emphasize-lines: 9,11 - - import os - - from cryptography.hazmat.primitives.ciphers import Cipher - from cryptography.hazmat.primitives.ciphers import algorithms - from cryptography.hazmat.primitives.ciphers import modes - - - key = os.urandom(32) - iv = os.urandom(16) - algorithm = algorithms.AES(key) - mode = modes.CBC(iv) - cipher = Cipher(algorithm, mode=mode) - encryptor = cipher.encryptor() - ct = encryptor.update(b"a secret message") + encryptor.finalize() - -.. seealso:: - - - `Use of a Risky Cryptographic Cipher Mode in Cryptography Module `_ - - `Symmetric encryption — Cryptography documentation `_ - - `CWE-327: Use of a Broken or Risky Cryptographic Algorithm `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class CryptographyWeakCipherMode(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="use_of_risky_cryptographic_cipher_mode", - full_descr=__doc__, - cwe_id=327, - message="ECB mode is highly vulnerable to various attacks.", - targets=("call"), - wildcards={ - "cryptography.hazmat.primitives.ciphers.modes.*": [ - "ECB", - ], - "cryptography.hazmat.primitives.ciphers.*": [ - "modes.ECB", - ], - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in [ - "cryptography.hazmat.primitives.ciphers.modes.ECB", - ]: - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.identifier_node, - ), - level=Level.ERROR, - ) diff --git a/precli/rules/python/cryptography/cryptography_weak_hash.py b/precli/rules/python/cryptography/cryptography_weak_hash.py deleted file mode 100644 index 20d36c66..00000000 --- a/precli/rules/python/cryptography/cryptography_weak_hash.py +++ /dev/null 
@@ -1,104 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -============================================== -Reversible One Way Hash in Cryptography Module -============================================== - -The Python module ``cryptography`` provides a number of functions for hashing -data. However, some of the hash algorithms supported by ``cryptography`` are -insecure and should not be used. These insecure hash algorithms include ``MD5`` -and ``SHA1``. - -The MD5 hash algorithm is a cryptographic hash function that was designed in -the early 1990s. MD5 is no longer considered secure, and passwords hashed with -MD5 can be easily cracked by attackers. - -The SHA-1 hash algorithm is also a cryptographic hash function that was -designed in the early 1990s. SHA-1 is no longer considered secure, and -passwords hashed with SHA-1 can be easily cracked by attackers. - -------- -Example -------- - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import cryptography - - - cryptography.hazmat.primitives.hashes.MD5() - ------------ -Remediation ------------ - -The recommendation is to swap the insecure hashing method to one of the more -secure alternatives, ``SHA256`` or ``SHA512``. - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import cryptography - - - cryptography.hazmat.primitives.hashes.SHA256() - -.. seealso:: - - - `Reversible One Way Hash in Cryptography Module `_ - - `Message digests (Hashing) — Cryptography `_ - - `CWE-328: Use of Weak Hash `_ - - `NIST Policy on Hash Functions `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class CryptographyWeakHash(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="reversible_one_way_hash", - full_descr=__doc__, - cwe_id=328, - message="Use of weak hash function '{}' does not meet security " - "expectations.", - targets=("call"), - wildcards={ - "cryptography.hazmat.primitives.hashes.*": [ - "MD5", - "SHA1", - ], - "cryptography.hazmat.primitives.*": [ - "hashes.MD5", - "hashes.SHA1", - ], - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in [ - "cryptography.hazmat.primitives.hashes.MD5", - "cryptography.hazmat.primitives.hashes.SHA1", - ]: - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=call.identifier_node, - ), - level=Level.ERROR, - message=self.message.format(call.name_qualified), - ) diff --git a/precli/rules/python/cryptography/cryptography_weak_key.py b/precli/rules/python/cryptography/cryptography_weak_key.py deleted file mode 100644 index 64c33ea7..00000000 --- a/precli/rules/python/cryptography/cryptography_weak_key.py +++ /dev/null 
@@ -1,245 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-=====================================================================
-Inadequate Encryption Strength Using Weak Keys in Cryptography Module
-=====================================================================
-
-Using weak key sizes for cryptographic algorithms like RSA, DSA, and EC
-(Elliptic Curve) can compromise the security of your encryption and digital
-signatures. Here's a brief overview of the risks associated with weak key
-sizes for these algorithms:
-
-RSA (Rivest-Shamir-Adleman):
-RSA is widely used for both encryption and digital signatures. Weak key sizes
-in RSA can be vulnerable to factorization attacks, such as the famous RSA-129
-challenge, which was factored in 1994 after 17 years of effort. Using small
-key sizes makes it easier for attackers to factor the modulus and recover
-the private key.
-
-It's generally recommended to use RSA key sizes of 2048 bits or more for
-security in the present day, with 3072 bits or higher being increasingly
-preferred for long-term security.
-
-DSA (Digital Signature Algorithm):
-DSA is used for digital signatures and relies on the discrete logarithm
-problem. Using weak key sizes in DSA can make it susceptible to attacks that
-involve solving the discrete logarithm problem, like the GNFS (General
-Number Field Sieve) algorithm.
-
-For DSA, key sizes of 2048 bits or more are recommended for modern security.
-Note that DSA is not as commonly used as RSA or ECC for new applications, and
-ECDSA (Elliptic Curve Digital Signature Algorithm) is often preferred due to
-its efficiency and strong security properties.
-
-EC (Elliptic Curve):
-Elliptic Curve cryptography provides strong security with relatively small
-key sizes compared to RSA and DSA. However, even in the case of EC, using
-weak curve parameters or small key sizes can expose you to vulnerabilities.
-The strength of an EC key depends on the curve's properties and the size of
-the prime used.
-
-Recommended EC key sizes depend on the curve you select, but for modern
-applications, curves like NIST P-256 (secp256r1) with a 256-bit key size
-are considered secure. Larger curves, like NIST P-384 or P-521, can provide
-even higher security margins.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from cryptography.hazmat.primitives.asymmetric import rsa
-
-
- rsa.generate_private_key(key_size=1024)
-
------------
-Remediation
------------
-
-Its recommended to increase the key size to at least 2048 for DSA and RSA
-algorithms.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from cryptography.hazmat.primitives.asymmetric import rsa
-
-
- rsa.generate_private_key(65537, key_size=3072)
-
-.. seealso::
-
- - `Inadequate Encryption Strength Using Weak Keys in Cryptography Module `_
- - `Asymmetric algorithms — Cryptography documentation `_
- - `CWE-326: Inadequate Encryption Strength `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-CURVE_SIZES = {
- "cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1": 256,
- "cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1": 384,
- "cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1": 512,
- "cryptography.hazmat.primitives.asymmetric.ec.SECP192R1": 192,
- "cryptography.hazmat.primitives.asymmetric.ec.SECP224R1": 224,
- "cryptography.hazmat.primitives.asymmetric.ec.SECP256K1": 256,
- "cryptography.hazmat.primitives.asymmetric.ec.SECP256R1": 256,
- "cryptography.hazmat.primitives.asymmetric.ec.SECP384R1": 384,
- "cryptography.hazmat.primitives.asymmetric.ec.SECP521R1": 521,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT163K1": 163,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT163R2": 163,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT233K1": 233,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT233R1": 233,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT283K1": 283,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT283R1": 283,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT409K1": 409,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT409R1": 409,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT571K1": 571,
- "cryptography.hazmat.primitives.asymmetric.ec.SECT571R1": 570,
-}
-
-
-class CryptographyWeakKey(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="inadequate_encryption_strength",
- full_descr=__doc__,
- cwe_id=326,
- message="Using {} key sizes less than {} bits is considered "
- "vulnerable to attacks.",
- targets=("call"),
- wildcards={
- "cryptography.hazmat.primitives.asymmetric.*": [
- "dsa",
- "rsa",
- "ec",
- ],
- "cryptography.hazmat.primitives.*": [
- "asymmetric.dsa",
- "asymmetric.rsa",
- "asymmetric.ec",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "cryptography.hazmat.primitives.asymmetric.dsa."
- "generate_private_key",
- "cryptography.hazmat.primitives.asymmetric.dsa."
- "generate_parameters",
- ]:
- argument = call.get_argument(position=0, name="key_size")
- key_size = argument.value
-
- if isinstance(key_size, int) and key_size < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Use a minimum key size of 2048 for DSA keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR if key_size <= 1024 else Level.WARNING,
- message=self.message.format("DSA", 2048),
- fixes=fixes,
- )
- elif call.name_qualified in [
- "cryptography.hazmat.primitives.asymmetric.rsa."
- "generate_private_key",
- ]:
- argument = call.get_argument(position=1, name="key_size")
- key_size = argument.value
-
- if isinstance(key_size, int) and key_size < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Use a minimum key size of 2048 for RSA keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR if key_size <= 1024 else Level.WARNING,
- message=self.message.format("RSA", 2048),
- fixes=fixes,
- )
- elif call.name_qualified in [
- "cryptography.hazmat.primitives.asymmetric.ec."
- "generate_private_key",
- ]:
- argument = call.get_argument(position=0, name="curve")
- curve = argument.value
- key_size = CURVE_SIZES[curve] if curve in CURVE_SIZES else 224
-
- if key_size < 224:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.identifier_node),
- description="Use a curve with a minimum size of 224 bits.",
- inserted_content="SECP256R1",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.identifier_node,
- ),
- level=Level.ERROR if key_size < 160 else Level.WARNING,
- message=self.message.format("EC", 224),
- fixes=fixes,
- )
- elif call.name_qualified in [
- "cryptography.hazmat.primitives.asymmetric.ec."
- "derive_private_key",
- ]:
- argument = call.get_argument(position=1, name="curve")
- curve = argument.value
- key_size = CURVE_SIZES[curve] if curve in CURVE_SIZES else 224
-
- if key_size < 224:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.identifier_node),
- description="Use a curve with a minimum size of 224 bits.",
- inserted_content="SECP256R1",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.identifier_node,
- ),
- level=Level.ERROR if key_size < 160 else Level.WARNING,
- message=self.message.format("EC", 224),
- fixes=fixes,
- )
diff --git a/precli/rules/python/dill/__init__.py b/precli/rules/python/dill/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/dill/dill_load.py b/precli/rules/python/dill/dill_load.py
deleted file mode 100644
index d0218ae1..00000000
--- a/precli/rules/python/dill/dill_load.py
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-====================================================
-Deserialization of Untrusted Data in the Dill Module
-====================================================
-
-The Python ``dill`` module provides a way to serialize and deserialize Python
-objects. However, it is important to be aware that malicious data can be used
-to attack applications that use the ``dill`` module. For example, malicious
-data could be used to cause the decoder to execute arbitrary code.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 5
-
- import dill
-
-
- pick = dill.dumps({'a': 'b', 'c': 'd'})
- dill.loads(pick)
-
------------
-Remediation
------------
-
-To avoid this vulnerability, it is important to only deserialize data from
-trusted sources. If you are deserializing data from an untrusted source, you
-should first sanitize the data to remove any potential malicious code.
-
-.. seealso::
-
- - `Deserialization of Untrusted Data in the Dill Module `_
- - `dill package documentation `_
- - `CWE-502: Deserialization of Untrusted Data `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class DillLoad(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="deserialization_of_untrusted_data",
- full_descr=__doc__,
- cwe_id=502,
- message="Potential unsafe usage of '{}' that can allow "
- "instantiation of arbitrary objects.",
- targets=("call"),
- wildcards={
- "dill.*": [
- "load",
- "loads",
- "Unpickler",
- ]
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "dill.load",
- "dill.loads",
- "dill.Unpickler",
- ]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- message=self.message.format(call.name_qualified),
- )
diff --git a/precli/rules/python/httpx/__init__.py b/precli/rules/python/httpx/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/httpx/no_certificate_verify.py b/precli/rules/python/httpx/no_certificate_verify.py
deleted file mode 100644
index 7bbac466..00000000
--- a/precli/rules/python/httpx/no_certificate_verify.py
+++ /dev/null
@@ -1,125 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-==================================================
-Improper Certificate Validation Using Httpx Module
-==================================================
-
-The ``httpx`` package includes a number of standard methods for accessing
-HTTP servers. The common parameter in these methods is ``verify`` to denote
-whether to verify the server's host certificate. If unset, the default
-value is True to verify. However, by setting the value to False, the code
-is subject to a number of security risks including:
-
-- Man-in-the-middle attacks
-- Session hijacking
-- Data theft
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- import httpx
-
-
- httpx.get("https://localhost", verify=False)
-
------------
-Remediation
------------
-
-Setting the value of the verify argument to True or removing the keyword
-argument accomplish the same effect of ensuring that certificates are verified.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- import httpx
-
-
- httpx.get("https://localhost", verify=True)
-
-.. seealso::
-
- - `Improper Certificate Validation Using Httpx Module `_
- - `HTTPX `_
- - `CWE-295: Improper Certificate Validation `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class NoCertificateVerify(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="improper_certificate_validation",
- full_descr=__doc__,
- cwe_id=295,
- message="The '{}' function is set to not verify certificates.",
- targets=("call"),
- wildcards={
- "httpx.*": [
- "AsyncClient",
- "Client",
- "delete",
- "get",
- "head",
- "options",
- "patch",
- "post",
- "put",
- "request",
- "stream",
- ]
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "httpx.AsyncClient",
- "httpx.Client",
- "httpx.delete",
- "httpx.get",
- "httpx.head",
- "httpx.options",
- "httpx.patch",
- "httpx.post",
- "httpx.put",
- "httpx.request",
- "httpx.stream",
- ]:
- argument = call.get_argument(name="verify")
- version = argument.value
-
- if version is False:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Set the 'verify' argument to 'True' to ensure"
- " the server's certificate is verified.",
- inserted_content="True",
- )
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR,
- message=self.message.format(call.name_qualified),
- fixes=fixes,
- )
diff --git a/precli/rules/python/jsonpickle/__init__.py b/precli/rules/python/jsonpickle/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/jsonpickle/jsonpickle_decode.py b/precli/rules/python/jsonpickle/jsonpickle_decode.py
deleted file mode 100644
index 989244b4..00000000
--- a/precli/rules/python/jsonpickle/jsonpickle_decode.py
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-======================================================
-Deserialization of Untrusted Data in JsonPickle Module
-======================================================
-
-The Python ``jsonpickle`` module is a serialization module that can be used
-to serialize and deserialize Python objects to and from JSON. Pickle is not
-secure because it can be used to deserialize malicious code. For example,
-an attacker could create a pickle file that contains malicious code and then
-trick a user into opening the file. When the user opens the file, the
-malicious code would be executed.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 5
-
- import jsonpickle
-
-
- pick = jsonpickle.encode({'a': 'b', 'c': 'd'})
- jsonpickle.decode(pick)
-
------------
-Remediation
------------
-
-Consider signing data with hmac if you need to ensure that pickle data has
-not been tampered with.
-
-.. seealso::
-
- - `Deserialization of Untrusted Data in JsonPickle Module `_
- - `jsonpickle Documentation `_
- - `CWE-502: Deserialization of Untrusted Data `_
- - `pickle — Python object serialization `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class JsonpickleDecode(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="deserialization_of_untrusted_data",
- full_descr=__doc__,
- cwe_id=502,
- message="Potential unsafe usage of '{}' that can allow "
- "instantiation of arbitrary objects.",
- targets=("call"),
- wildcards={
- "jsonpickle.*": [
- "decode",
- ],
- "jsonpickle.unpickler.*": [
- "decode",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "jsonpickle.decode",
- "jsonpickle.unpickler.decode",
- "jsonpickle.unpickler.Unpickler",
- ]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- message=self.message.format(call.name_qualified),
- )
diff --git a/precli/rules/python/ldap3/__init__.py b/precli/rules/python/ldap3/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pandas/__init__.py b/precli/rules/python/pandas/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pandas/pandas_read_pickle.py b/precli/rules/python/pandas/pandas_read_pickle.py
deleted file mode 100644
index a7558bc5..00000000
--- a/precli/rules/python/pandas/pandas_read_pickle.py
+++ /dev/null
@@ -1,91 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-==================================================
-Deserialization of Untrusted Data in Pandas Module
-==================================================
-
-The Python ``pandas`` module is a data analysis and manipulation tool. It
-contains a fucntion to read serialized data using the pickle format. Pickle
-is not secure because it can be used to deserialize malicious code. For
-example, an attacker could create a pickle file that contains malicious
-code and then trick a user into opening the file. When the user opens the
-file, the malicious code would be executed.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 12
-
- import pickle
- import pandas as pd
-
-
- df = pd.DataFrame(
- {
- "col_A": [1, 2]
- }
- )
- pick = pickle.dumps(df)
-
- pd.read_pickle(pick)
-
------------
-Remediation
------------
-
-Consider signing data with hmac if you need to ensure that pickle data has
-not been tampered with.
-
-Alternatively if you need to serialize sensitive data, you could use a secure
-serialization format, such as JSON or XML. These formats are designed to be
-secure and cannot be used to execute malicious code.
-
-.. seealso::
-
- - `Deserialization of Untrusted Data in Pandas Module `_
- - `Input_output — pandas `_
- - `CWE-502: Deserialization of Untrusted Data `_
- - `pickle — Python object serialization `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PandasReadPickle(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="deserialization_of_untrusted_data",
- full_descr=__doc__,
- cwe_id=502,
- message="Potential unsafe usage of '{}' that can allow "
- "instantiation of arbitrary objects.",
- targets=("call"),
- wildcards={
- "pandas.*": [
- "read_pickle",
- ]
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in ["pandas.read_pickle"]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- message=self.message.format(call.name_qualified),
- )
diff --git a/precli/rules/python/paramiko/__init__.py b/precli/rules/python/paramiko/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/paramiko/paramiko_no_host_key_verify.py b/precli/rules/python/paramiko/paramiko_no_host_key_verify.py
deleted file mode 100644
index 8fa500b8..00000000
--- a/precli/rules/python/paramiko/paramiko_no_host_key_verify.py
+++ /dev/null
@@ -1,135 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-=====================================================
-Improper Certificate Validation Using Paramiko Module
-=====================================================
-
-The ``paramiko`` package includes a number of standard methods for accessing
-SSH servers. A client should always verify the host key of the SSH server
-in order to avoid a number of security risks including:
-
-- Man-in-the-middle attacks
-- Session hijacking
-- Data theft
-
-In the case of a host key that is unknown to the client, the policy should
-be set to no longer proceed with the connection.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 5
-
- from paramiko import client
-
-
- ssh_client = client.SSHClient()
- ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
-
------------
-Remediation
------------
-
-Set the missing host key policy to ``RejectPolicy`` in order to reject a
-connection if the host key is unknown to the client.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 5
-
- from paramiko import client
-
-
- ssh_client = client.SSHClient()
- ssh_client.set_missing_host_key_policy(client.RejectPolicy)
-
-.. seealso::
-
- - `Improper Certificate Validation Using Paramiko Module `_
- - `Paramiko’s documentation `_
- - `CWE-295: Improper Certificate Validation `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class ParamikoNoHostKeyVerify(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="improper_certificate_validation",
- full_descr=__doc__,
- cwe_id=295,
- message="The '{}' missing host key policy will not properly "
- "verify the SSH server's host key.",
- targets=("call"),
- wildcards={
- "paramiko.client.*": [
- "SSHClient",
- "AutoAddPolicy",
- "WarningPolicy",
- ],
- "paramiko.*": [
- "SSHClient",
- "AutoAddPolicy",
- "WarningPolicy",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "paramiko.SSHClient.set_missing_host_key_policy",
- "paramiko.client.SSHClient.set_missing_host_key_policy",
- ]:
- argument = call.get_argument(position=0, name="policy")
- policy = argument.value
-
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.identifier_node),
- description="Use 'RejectPolicy' as the 'policy' argument"
- " to safely reject unknown host keys.",
- inserted_content="RejectPolicy",
- )
-
- if policy in [
- "paramiko.AutoAddPolicy",
- "paramiko.client.AutoAddPolicy",
- ]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.identifier_node,
- ),
- level=Level.ERROR,
- message=self.message.format("AutoAddPolicy"),
- fixes=fixes,
- )
- if policy in [
- "paramiko.WarningPolicy",
- "paramiko.client.WarningPolicy",
- ]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.identifier_node,
- ),
- level=Level.WARNING,
- message=self.message.format("WarningPolicy"),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pycrypto/__init__.py b/precli/rules/python/pycrypto/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pycrypto/pycrypto_weak_cipher.py b/precli/rules/python/pycrypto/pycrypto_weak_cipher.py
deleted file mode 100644
index a56c7c40..00000000
--- a/precli/rules/python/pycrypto/pycrypto_weak_cipher.py
+++ /dev/null
@@ -1,178 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-===================================================================
-Use of a Broken or Risky Cryptographic Algorithm in PyCrypto Module
-===================================================================
-
-Using weak ciphers for cryptographic algorithms can pose significant security
-risks, and it's generally advised to avoid them in favor of stronger, more
-secure algorithms. Here's some guidance that advises against using weak
-ciphers like ARC4, IDEA, and Blowfish:
-
-1. **NIST Recommendations**: The National Institute of Standards and
-Technology (NIST) is a widely recognized authority on cryptographic standards.
-NIST advises against using weak ciphers in their Special Publication
-800-175B: "Guide to Secure Web Services." They recommend the use of stronger
-ciphers like AES (Advanced Encryption Standard) and SHA-256 for cryptographic
-purposes.
-
-2. **IETF Standards**: The Internet Engineering Task Force (IETF) publishes
-standards and guidelines for secure network communication. IETF has deprecated
-or discouraged the use of weak ciphers in various RFCs (Request for
-Comments). For example, RFC 7465 advises against using SSLv3 and RC4 due to
-their vulnerabilities.
-
-3. **OWASP Guidelines**: The Open Web Application Security Project (OWASP)
-provides guidelines for secure web applications. Their guidance explicitly
-recommends avoiding weak ciphers, including ARC4, IDEA, and Blowfish, due to
-known security weaknesses.
-
-4. **PCI DSS Compliance**: The Payment Card Industry Data Security Standard
-(PCI DSS) mandates the use of strong cryptographic algorithms. Using weak
-ciphers is discouraged and can lead to non-compliance with PCI DSS
-requirements.
-
-5. **Industry Best Practices**: Various cybersecurity experts and
-organizations, such as SANS Institute, CERT/CC (Computer Emergency Response
-Team Coordination Center), and security vendors, provide guidance on best
-practices for cryptographic algorithms. These resources typically recommend
-avoiding the use of weak ciphers.
-
-6. **Security Research**: Academic papers and security research often
-highlight the vulnerabilities of weak ciphers like ARC4, IDEA, and Blowfish.
-These findings reinforce the importance of avoiding these ciphers in
-security-critical applications.
-
-7. **Compliance Standards**: Depending on your industry and location,
-there may be specific regulatory requirements that prohibit the use of
-weak ciphers. Ensure compliance with applicable regulations by using strong,
-approved cryptographic algorithms.
-
-8. **TLS/SSL Configuration**: If you are configuring web servers or other
-network services that use TLS/SSL for encryption, it's essential to configure
-your server to support only strong ciphersuites and protocols. Weak ciphers,
-such as RC4, have known vulnerabilities and should be disabled.
-
-In summary, there is a consensus among reputable standards organizations,
-industry experts, and security professionals that weak ciphers like ARC4,
-IDEA, and Blowfish should be avoided due to their known vulnerabilities and
-weaknesses. Instead, it is advisable to use stronger, more secure
-cryptographic algorithms and adhere to industry best practices and regulatory
-requirements for encryption and security.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 9
-
- from Crypto.Cipher import ARC4
- from Crypto.Hash import SHA
- from Crypto import Random
-
-
- key = b'Very long and confidential key'
- nonce = Random.new().read(16)
- tempkey = SHA.new(key + nonce).digest()
- cipher = ARC4.new(tempkey)
- msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
-
------------
-Remediation
------------
-
-It is advisable to use stronger, more secure cryptographic algorithms such as
-AES.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 1,9
-
- from Crypto.Cipher import AES
- from Crypto.Hash import SHA
- from Crypto import Random
-
-
- key = b'Very long and confidential key'
- nonce = Random.new().read(16)
- tempkey = SHA.new(key + nonce).digest()
- cipher = AES.new(tempkey)
- msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
-
-.. seealso::
-
- - `Use of a Broken or Risky Cryptographic Algorithm in PyCrypto Module `_
- - `PyCrypto - The Python Cryptography Toolkit `_
- - `CWE-327: Use of a Broken or Risky Cryptographic Algorithm `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-WEAK_CIPHERS = [
- "Crypto.Cipher.ARC2.new",
- "Crypto.Cipher.ARC4.new",
- "Crypto.Cipher.Blowfish.new",
- "Crypto.Cipher.DES.new",
- "Crypto.Cipher.XOR.new",
-]
-
-
-class PycryptoWeakCipher(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="use_of_a_broken_or_risky_cryptographic_algorithm",
- full_descr=__doc__,
- cwe_id=327,
- message="Weak ciphers like {} should be avoided due to their "
- "known vulnerabilities and weaknesses.",
- targets=("call"),
- wildcards={
- "Crypto.Cipher.*": [
- "ARC2.new",
- "ARC4.new",
- "Blowfish.new",
- "DES.new",
- "XOR.new",
- ],
- "Crypto.*": [
- "Cipher.ARC2.new",
- "Cipher.ARC4.new",
- "Cipher.Blowfish.new",
- "Cipher.DES.new",
- "Cipher.XOR.new",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in WEAK_CIPHERS:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=call.identifier_node),
- description="It is advisable to use a stronger, more "
- "secure cryptographic algorithm like AES.",
- inserted_content="AES",
- )
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.identifier_node,
- ),
- level=Level.ERROR,
- message=self.message.format(call.name),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pycrypto/pycrypto_weak_hash.py b/precli/rules/python/pycrypto/pycrypto_weak_hash.py
deleted file mode 100644
index e58c403d..00000000
--- a/precli/rules/python/pycrypto/pycrypto_weak_hash.py
+++ /dev/null
@@ -1,128 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-==========================================
-Reversible One Way Hash in PyCrypto Module
-==========================================
-
-The Python module ``pycrypto`` provides a number of functions for hashing
-data. However, some of the hash algorithms supported by ``pycrypto`` are
-insecure and should not be used. These insecure hash algorithms include
-``MD2``, ``MD4``, ``MD5``, ``RIPEMD`` and ``SHA``.
-
-The MD4 hash algorithm is a cryptographic hash function that was designed in
-the late 1980s. MD4 is no longer considered secure, and passwords hashed with
-MD4 can be easily cracked by attackers.
-
-The MD5 hash algorithm is a cryptographic hash function that was designed in
-the early 1990s. MD5 is no longer considered secure, and passwords hashed
-with MD5 can be easily cracked by attackers.
-
-RIPEMD is a cryptographic hash function that was designed in 1996. It is
-considered to be a secure hash function, but it is not as secure as
-SHA-256, SHA-384, or SHA-512. In 2017, a collision attack was found for
-RIPEMD-160. This means that it is possible to find two different messages
-that have the same RIPEMD-160 hash. While this does not mean that RIPEMD-160
-is completely insecure, it does mean that it is not as secure as it once was.
-
-The SHA hash algorithm is also a cryptographic hash function that was
-designed in the early 1990s. SHA-1 is no longer considered secure, and
-passwords hashed with SHA-1 can be easily cracked by attackers.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Crypto.Hash import MD2
-
-
- h = MD2.new()
- h.update(b'Hello')
- print h.hexdigest()
-
------------
-Remediation
------------
-
-The recommendation is to swap the insecure hashing method to one of the more
-secure alternatives, ``SHA256``, ``SHA384``, or ``SHA512``.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Crypto.Hash import SHA256
-
-
- h = SHA256.new()
- h.update(b'Hello')
- print h.hexdigest()
-
-.. seealso::
-
- - `Reversible One Way Hash in PyCrypto Module `_
- - `PyCrypto - The Python Cryptography Toolkit `_
- - `CWE-328: Use of Weak Hash `_
- - `NIST Policy on Hash Functions `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PycryptoWeakHash(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="reversible_one_way_hash",
- full_descr=__doc__,
- cwe_id=328,
- message="Use of weak hash function '{}' does not meet security "
- "expectations.",
- targets=("call"),
- wildcards={
- "Crypto.*": [
- "Hash.MD2.new",
- "Hash.MD4.new",
- "Hash.MD5.new",
- "Hash.RIPEMD.new",
- "Hash.SHA.new",
- ],
- "Crypto.Hash.*": [
- "MD2.new",
- "MD4.new",
- "MD5.new",
- "RIPEMD.new",
- "SHA.new",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "Crypto.Hash.MD2.new",
- "Crypto.Hash.MD4.new",
- "Crypto.Hash.MD5.new",
- "Crypto.Hash.RIPEMD.new",
- "Crypto.Hash.SHA.new",
- ]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- level=Level.ERROR,
- message=self.message.format(call.name_qualified),
- )
diff --git a/precli/rules/python/pycrypto/pycrypto_weak_key.py b/precli/rules/python/pycrypto/pycrypto_weak_key.py
deleted file mode 100644
index edca6b75..00000000
--- a/precli/rules/python/pycrypto/pycrypto_weak_key.py
+++ /dev/null
@@ -1,148 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-=================================================================
-Inadequate Encryption Strength Using Weak Keys in PyCrypto Module
-=================================================================
-
-Using weak key sizes for cryptographic algorithms like RSA and DSA can
-compromise the security of your encryption and digital signatures. Here's
-a brief overview of the risks associated with weak key sizes for these
-algorithms:
-
-RSA (Rivest-Shamir-Adleman):
-RSA is widely used for both encryption and digital signatures. Weak key sizes
-in RSA can be vulnerable to factorization attacks, such as the famous RSA-129
-challenge, which was factored in 1994 after 17 years of effort. Using small
-key sizes makes it easier for attackers to factor the modulus and recover
-the private key.
-
-It's generally recommended to use RSA key sizes of 2048 bits or more for
-security in the present day, with 3072 bits or higher being increasingly
-preferred for long-term security.
-
-DSA (Digital Signature Algorithm):
-DSA is used for digital signatures and relies on the discrete logarithm
-problem. Using weak key sizes in DSA can make it susceptible to attacks that
-involve solving the discrete logarithm problem, like the GNFS (General
-Number Field Sieve) algorithm.
-
-For DSA, key sizes of 2048 bits or more are recommended for modern security.
-Note that DSA is not as commonly used as RSA or ECC for new applications, and
-ECDSA (Elliptic Curve Digital Signature Algorithm) is often preferred due to
-its efficiency and strong security properties.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Crypto.PublicKey import DSA
-
-
- key = DSA.generate(1024)
-
------------
-Remediation
------------
-
-Its recommended to increase the key size to at least 2048 for DSA and RSA
-algorithms.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Crypto.PublicKey import DSA
-
-
- key = DSA.generate(2048)
-
-.. seealso::
-
- - `Inadequate Encryption Strength Using Weak Keys in PyCrypto Module `_
- - `PyCrypto - The Python Cryptography Toolkit `_
- - `CWE-326: Inadequate Encryption Strength `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PycryptoWeakKey(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="inadequate_encryption_strength",
- full_descr=__doc__,
- cwe_id=326,
- message="Using {} key sizes less than {} bits is considered "
- "vulnerable to attacks.",
- targets=("call"),
- wildcards={
- "Crypto.PublicKey.*": [
- "DSA.generate",
- "RSA.generate",
- ],
- "Crypto.*": [
- "PublicKey.DSA.generate",
- "PublicKey.RSA.generate",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified == "Crypto.PublicKey.DSA.generate":
- argument = call.get_argument(position=0, name="bits")
- bits = argument.value
-
- if isinstance(bits, int) and bits < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Use a minimum key size of 2048 for DSA keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR if bits <= 1024 else Level.WARNING,
- message=self.message.format("DSA", 2048),
- fixes=fixes,
- )
- elif call.name_qualified == "Crypto.PublicKey.RSA.generate":
- argument = call.get_argument(position=0, name="bits")
- bits = argument.value
-
- if isinstance(bits, int) and bits < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Use a minimum key size of 2048 for RSA keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR if bits <= 1024 else Level.WARNING,
- message=self.message.format("RSA", 2048),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pycryptodomex/__init__.py b/precli/rules/python/pycryptodomex/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pycryptodomex/pycryptodomex_weak_cipher.py b/precli/rules/python/pycryptodomex/pycryptodomex_weak_cipher.py
deleted file mode 100644
index 5661b34d..00000000
--- a/precli/rules/python/pycryptodomex/pycryptodomex_weak_cipher.py
+++ /dev/null
@@ -1,178 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-========================================================================
-Use of a Broken or Risky Cryptographic Algorithm in PyCryptodomex Module
-========================================================================
-
-Using weak ciphers for cryptographic algorithms can pose significant security
-risks, and it's generally advised to avoid them in favor of stronger, more
-secure algorithms. Here's some guidance that advises against using weak
-ciphers like ARC4, IDEA, and Blowfish:
-
-1. **NIST Recommendations**: The National Institute of Standards and
-Technology (NIST) is a widely recognized authority on cryptographic standards.
-NIST advises against using weak ciphers in their Special Publication
-800-175B: "Guide to Secure Web Services." They recommend the use of stronger
-ciphers like AES (Advanced Encryption Standard) and SHA-256 for cryptographic
-purposes.
-
-2. **IETF Standards**: The Internet Engineering Task Force (IETF) publishes
-standards and guidelines for secure network communication. IETF has deprecated
-or discouraged the use of weak ciphers in various RFCs (Request for
-Comments). For example, RFC 7465 advises against using SSLv3 and RC4 due to
-their vulnerabilities.
-
-3. **OWASP Guidelines**: The Open Web Application Security Project (OWASP)
-provides guidelines for secure web applications. Their guidance explicitly
-recommends avoiding weak ciphers, including ARC4, IDEA, and Blowfish, due to
-known security weaknesses.
-
-4. **PCI DSS Compliance**: The Payment Card Industry Data Security Standard
-(PCI DSS) mandates the use of strong cryptographic algorithms. Using weak
-ciphers is discouraged and can lead to non-compliance with PCI DSS
-requirements.
-
-5. **Industry Best Practices**: Various cybersecurity experts and
-organizations, such as SANS Institute, CERT/CC (Computer Emergency Response
-Team Coordination Center), and security vendors, provide guidance on best
-practices for cryptographic algorithms. These resources typically recommend
-avoiding the use of weak ciphers.
-
-6. **Security Research**: Academic papers and security research often
-highlight the vulnerabilities of weak ciphers like ARC4, IDEA, and Blowfish.
-These findings reinforce the importance of avoiding these ciphers in
-security-critical applications.
-
-7. **Compliance Standards**: Depending on your industry and location,
-there may be specific regulatory requirements that prohibit the use of
-weak ciphers. Ensure compliance with applicable regulations by using strong,
-approved cryptographic algorithms.
-
-8. **TLS/SSL Configuration**: If you are configuring web servers or other
-network services that use TLS/SSL for encryption, it's essential to configure
-your server to support only strong ciphersuites and protocols. Weak ciphers,
-such as RC4, have known vulnerabilities and should be disabled.
-
-In summary, there is a consensus among reputable standards organizations,
-industry experts, and security professionals that weak ciphers like ARC4,
-IDEA, and Blowfish should be avoided due to their known vulnerabilities and
-weaknesses. Instead, it is advisable to use stronger, more secure
-cryptographic algorithms and adhere to industry best practices and regulatory
-requirements for encryption and security.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 9
-
- from Cryptodome.Cipher import ARC4
- from Cryptodome.Hash import SHA
- from Cryptodome import Random
-
-
- key = b'Very long and confidential key'
- nonce = Random.new().read(16)
- tempkey = SHA.new(key + nonce).digest()
- cipher = ARC4.new(tempkey)
- msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
-
------------
-Remediation
------------
-
-It is advisable to use stronger, more secure cryptographic algorithms such as
-AES.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 1,9
-
- from Cryptodome.Cipher import AES
- from Cryptodome.Hash import SHA
- from Cryptodome import Random
-
-
- key = b'Very long and confidential key'
- nonce = Random.new().read(16)
- tempkey = SHA.new(key + nonce).digest()
- cipher = AES.new(tempkey)
- msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
-
-.. seealso::
-
- - `Use of a Broken or Risky Cryptographic Algorithm in PyCrypto Module `_
- - `PyCryptodome `_
- - `CWE-327: Use of a Broken or Risky Cryptographic Algorithm `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-WEAK_CIPHERS = [
- "Cryptodome.Cipher.ARC2.new",
- "Cryptodome.Cipher.ARC4.new",
- "Cryptodome.Cipher.Blowfish.new",
- "Cryptodome.Cipher.DES.new",
- "Cryptodome.Cipher.XOR.new",
-]
-
-
-class PycryptodomexWeakCipher(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="use_of_a_broken_or_risky_cryptographic_algorithm",
- full_descr=__doc__,
- cwe_id=327,
- message="Weak ciphers like {} should be avoided due to their "
- "known vulnerabilities and weaknesses.",
- targets=("call"),
- wildcards={
- "Cryptodome.Cipher.*": [
- "ARC2.new",
- "ARC4.new",
- "Blowfish.new",
- "DES.new",
- "XOR.new",
- ],
- "Cryptodome.*": [
- "Cipher.ARC2.new",
- "Cipher.ARC4.new",
- "Cipher.Blowfish.new",
- "Cipher.DES.new",
- "Cipher.XOR.new",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in WEAK_CIPHERS:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=call.identifier_node),
- description="It is advisable to use a stronger, more "
- "secure cryptographic algorithm like AES.",
- inserted_content="AES",
- )
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.identifier_node,
- ),
- level=Level.ERROR,
- message=self.message.format(call.name),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pycryptodomex/pycryptodomex_weak_hash.py b/precli/rules/python/pycryptodomex/pycryptodomex_weak_hash.py
deleted file mode 100644
index c70dc3f7..00000000
--- a/precli/rules/python/pycryptodomex/pycryptodomex_weak_hash.py
+++ /dev/null
@@ -1,133 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-===============================================
-Reversible One Way Hash in PyCryptodomex Module
-===============================================
-
-The Python module ``pycryptodomex`` provides a number of functions for hashing
-data. However, some of the hash algorithms supported by ``pycryptodomex`` are
-insecure and should not be used. These insecure hash algorithms include
-``MD2``, ``MD4``, ``MD5``, ``RIPEMD`` and ``SHA``.
-
-The MD4 hash algorithm is a cryptographic hash function that was designed in
-the late 1980s. MD4 is no longer considered secure, and passwords hashed with
-MD4 can be easily cracked by attackers.
-
-The MD5 hash algorithm is a cryptographic hash function that was designed in
-the early 1990s. MD5 is no longer considered secure, and passwords hashed
-with MD5 can be easily cracked by attackers.
-
-RIPEMD is a cryptographic hash function that was designed in 1996. It is
-considered to be a secure hash function, but it is not as secure as
-SHA-256, SHA-384, or SHA-512. In 2017, a collision attack was found for
-RIPEMD-160. This means that it is possible to find two different messages
-that have the same RIPEMD-160 hash. While this does not mean that RIPEMD-160
-is completely insecure, it does mean that it is not as secure as it once was.
-
-The SHA hash algorithm is also a cryptographic hash function that was
-designed in the early 1990s. SHA-1 is no longer considered secure, and
-passwords hashed with SHA-1 can be easily cracked by attackers.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Cryptodome.Hash import MD2
-
-
- h = MD2.new()
- h.update(b'Hello')
- print h.hexdigest()
-
------------
-Remediation
------------
-
-The recommendation is to swap the insecure hashing method to one of the more
-secure alternatives, ``SHA256``, ``SHA384``, or ``SHA512``.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Cryptodome.Hash import SHA256
-
-
- h = SHA256.new()
- h.update(b'Hello')
- print h.hexdigest()
-
-.. seealso::
-
- - `Reversible One Way Hash in PyCryptodomex Module `_
- - `PyCryptodome `_
- - `CWE-328: Use of Weak Hash `_
- - `NIST Policy on Hash Functions `_
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PycryptodomexWeakHash(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="reversible_one_way_hash",
- full_descr=__doc__,
- cwe_id=328,
- message="Use of weak hash function '{}' does not meet security "
- "expectations.",
- targets=("call"),
- wildcards={
- "Cryptodome.*": [
- "Hash.MD2.new",
- "Hash.MD4.new",
- "Hash.MD5.new",
- "Hash.RIPEMD.new",
- "Hash.RIPEMD160.new",
- "Hash.SHA.new",
- "Hash.SHA1.new",
- ],
- "Cryptodome.Hash.*": [
- "MD2.new",
- "MD4.new",
- "MD5.new",
- "RIPEMD.new",
- "RIPEMD160.new",
- "SHA.new",
- "SHA1.new",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "Cryptodome.Hash.MD2.new",
- "Cryptodome.Hash.MD4.new",
- "Cryptodome.Hash.MD5.new",
- "Cryptodome.Hash.RIPEMD.new",
- "Cryptodome.Hash.RIPEMD160.new",
- "Cryptodome.Hash.SHA.new",
- "Cryptodome.Hash.SHA1.new",
- ]:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- level=Level.ERROR,
- message=self.message.format(call.name_qualified),
- )
diff --git a/precli/rules/python/pycryptodomex/pycryptodomex_weak_key.py b/precli/rules/python/pycryptodomex/pycryptodomex_weak_key.py
deleted file mode 100644
index a9bb687c..00000000
--- a/precli/rules/python/pycryptodomex/pycryptodomex_weak_key.py
+++ /dev/null
@@ -1,148 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-======================================================================
-Inadequate Encryption Strength Using Weak Keys in PyCryptodomex Module
-======================================================================
-
-Using weak key sizes for cryptographic algorithms like RSA and DSA can
-compromise the security of your encryption and digital signatures. Here's
-a brief overview of the risks associated with weak key sizes for these
-algorithms:
-
-RSA (Rivest-Shamir-Adleman):
-RSA is widely used for both encryption and digital signatures. Weak key sizes
-in RSA can be vulnerable to factorization attacks, such as the famous RSA-129
-challenge, which was factored in 1994 after 17 years of effort. Using small
-key sizes makes it easier for attackers to factor the modulus and recover
-the private key.
-
-It's generally recommended to use RSA key sizes of 2048 bits or more for
-security in the present day, with 3072 bits or higher being increasingly
-preferred for long-term security.
-
-DSA (Digital Signature Algorithm):
-DSA is used for digital signatures and relies on the discrete logarithm
-problem. Using weak key sizes in DSA can make it susceptible to attacks that
-involve solving the discrete logarithm problem, like the GNFS (General
-Number Field Sieve) algorithm.
-
-For DSA, key sizes of 2048 bits or more are recommended for modern security.
-Note that DSA is not as commonly used as RSA or ECC for new applications, and
-ECDSA (Elliptic Curve Digital Signature Algorithm) is often preferred due to
-its efficiency and strong security properties.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Cryptodome.PublicKey import DSA
-
-
- key = DSA.generate(1024)
-
------------
-Remediation
------------
-
-Its recommended to increase the key size to at least 2048 for DSA and RSA
-algorithms.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from Cryptodome.PublicKey import DSA
-
-
- key = DSA.generate(2048)
-
-.. seealso::
-
- - `Inadequate Encryption Strength Using Weak Keys in PyCrypto Module `_
- - `PyCryptodome `_
- - `CWE-326: Inadequate Encryption Strength `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PycryptodomexWeakKey(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="inadequate_encryption_strength",
- full_descr=__doc__,
- cwe_id=326,
- message="Using {} key sizes less than {} bits is considered "
- "vulnerable to attacks.",
- targets=("call"),
- wildcards={
- "Cryptodome.PublicKey.*": [
- "DSA.generate",
- "RSA.generate",
- ],
- "Cryptodome.*": [
- "PublicKey.DSA.generate",
- "PublicKey.RSA.generate",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified == "Cryptodome.PublicKey.DSA.generate":
- argument = call.get_argument(position=0, name="bits")
- bits = argument.value
-
- if isinstance(bits, int) and bits < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Use a minimum key size of 2048 for DSA keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR if bits <= 1024 else Level.WARNING,
- message=self.message.format("DSA", 2048),
- fixes=fixes,
- )
- elif call.name_qualified == "Cryptodome.PublicKey.RSA.generate":
- argument = call.get_argument(position=0, name="bits")
- bits = argument.value
-
- if isinstance(bits, int) and bits < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.node),
- description="Use a minimum key size of 2048 for RSA keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.node,
- ),
- level=Level.ERROR if bits <= 1024 else Level.WARNING,
- message=self.message.format("RSA", 2048),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pyghmi/__init__.py b/precli/rules/python/pyghmi/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pyghmi/pyghmi_cleartext.py b/precli/rules/python/pyghmi/pyghmi_cleartext.py
deleted file mode 100644
index 4fe79e36..00000000
--- a/precli/rules/python/pyghmi/pyghmi_cleartext.py
+++ /dev/null
@@ -1,153 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-====================================================================
-Cleartext Transmission of Sensitive Information in the Pyghmi Module
-====================================================================
-
-The Python module ``pyghmi`` provides a number of functions for accessing IPMI
-servers. IPMI is a protocol for accessing and administrating servers at the
-hardware level. IPMI runs on the Baseboard Management Controller (BMC) and
-provides access to the BIOS, disks, and other hardware.
-
-However, the protocol and thus the Python module does not provide adequate
-security features. This means that data transmitted over the network,
-including passwords, is sent in cleartext. This makes it possible for
-attackers to intercept and read this data.
-
-The Python module ``pyghmi`` should not be used for accessing IPMI servers
-on an untrusted network.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4,5,6
-
- from pyghmi.ipmi import command
-
-
- cmd = command.Command(bmc="bmc",
- userid="userid",
- password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")
-
------------
-Remediation
------------
-
-If the IPMI protocol must be used and sensitive data will be transferred, it
-is recommended to secure the connection using SSH tunneling. If available,
-SSH transport networking data over an encrypted connection.
-
-Otherwise, it is very important to keep communication with IPMI over a private
-secure network.
-
-.. code-block:: python
- :linenos:
-
- import paramiko
-
-
- # IPMI device information
- ipmi_port = 623
- ipmi_username = 'your_ipmi_username'
- ipmi_password = 'your_ipmi_password'
-
- # SSH server information
- ssh_host = 'ssh.example.com'
- ssh_port = 22
- ssh_username = 'your_ssh_username'
- ssh_password = 'your_ssh_password'
-
- # Local port to forward the IPMI traffic through
- local_port = 6230
-
- try:
- # Connect to the SSH server
- ssh_client = paramiko.SSHClient()
- ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy())
- ssh_client.connect(ssh_host, ssh_port, ssh_username, ssh_password)
-
- # Set up the SSH tunnel
- transport = ssh_client.get_transport()
- transport.set_keepalive(30)
- transport.request_port_forward('', ipmi_port)
-
- print('SSH tunnel established. IPMI traffic is being forwarded to localhost')
-
- # You can now communicate with the IPMI device through the SSH tunnel.
- # For example, you can use an IPMI client or library like 'pyghmi' to interact with the IPMI device using the local_port.
-
- transport.cancel_port_forward('', local_port)
- ssh_client.close()
-
- except Exception as e:
- print(f'Error: {e}')
-
-.. seealso::
-
- - `Cleartext Transmission of Sensitive Information in the Pyghmi Module `_
- - `Documentation — pyghmi documentation `_
- - `CWE-319: Cleartext Transmission of Sensitive Information `_
- - `Risks of Using the Intelligent Platform Management Interface (IPMI) CISA `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PyghmiCleartext(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="cleartext_transmission",
- full_descr=__doc__,
- cwe_id=319,
- message="The '{}' module may transmit data in cleartext without "
- "encryption.",
- targets=("call"),
- wildcards={
- "pyghmi.ipmi.command.*": [
- "Command",
- "Console",
- ]
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in [
- "pyghmi.ipmi.command.Command",
- "pyghmi.ipmi.command.Console",
- ]:
- argument = call.get_argument(position=2, name="password")
- passwd = argument.value
-
- if passwd is not None:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- level=Level.ERROR,
- message=f"The {call.name_qualified} module may "
- f"transmit the password argument in cleartext.",
- )
- else:
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=call.function_node,
- ),
- message=self.message.format(call.name_qualified),
- )
diff --git a/precli/rules/python/pyjwt/__init__.py b/precli/rules/python/pyjwt/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pyopenssl/__init__.py b/precli/rules/python/pyopenssl/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/pyopenssl/insecure_tls_method.py b/precli/rules/python/pyopenssl/insecure_tls_method.py
deleted file mode 100644
index aa99a29e..00000000
--- a/precli/rules/python/pyopenssl/insecure_tls_method.py
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-=======================================================
-Inadequate Encryption Strength Using Weak SSL Protocols
-=======================================================
-
-The Python ``pyopenssl`` modules provide a number of different methods that
-can be used to encrypt data. However, some of these methods are no longer
-considered secure and should not be used.
-
-The following protocols are considered weak and should not be used:
-
-- SSLv2_METHOD
-- SSLv3_METHOD
-- TLSv1_METHOD
-- TLSv1_1_METHOD
-
-These protocols have a number of known security vulnerabilities that can be
-exploited by attackers. For example, the BEAST attack can be used to steal
-sensitive data, such as passwords and credit card numbers, from applications
-that use SSL version 2.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- import OpenSSL
-
-
- OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv2_METHOD)
-
------------
-Remediation
------------
-
-If you need to connect to a server over HTTPS, you should use the
-``TLS_METHOD``, ``TLS_SERVER_METHOD``, or ``TLS_CLIENT_METHOD`` methods
-instead. The ``SSLv23_METHOD`` and ``TLSv1_2_METHOD`` methods are also
-considered secure, but the aforementioned methods are more future proof as
-they negotiate a secure version of the method for you.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- import OpenSSL
-
-
- OpenSSL.SSL.Context(method=OpenSSL.SSL.TLS_METHOD)
-
-.. seealso::
-
- - `Inadequate Encryption Strength Using Weak SSL Protocols `_
- - `pyOpenSSL’s documentation `_
- - `CWE-326: Inadequate Encryption Strength `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-INSECURE_METHODS = (
- "OpenSSL.SSL.SSLv2_METHOD",
- "OpenSSL.SSL.SSLv3_METHOD",
- "OpenSSL.SSL.TLSv1_METHOD",
- "OpenSSL.SSL.TLSv1_1_METHOD",
-)
-
-
-class InsecureTlsMethod(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="inadequate_encryption_strength",
- full_descr=__doc__,
- cwe_id=326,
- message="The '{}' method has insufficient encryption strength.",
- targets=("call"),
- wildcards={
- "OpenSSL.SSL.*": [
- "Context",
- "SSLv2_METHOD",
- "SSLv3_METHOD",
- "TLSv1_METHOD",
- "TLSv1_1_METHOD",
- ],
- "OpenSSL.*": [
- "SSL.Context",
- "SSL.SSLv2_METHOD",
- "SSL.SSLv3_METHOD",
- "SSL.TLSv1_METHOD",
- "SSL.TLSv1_1_METHOD",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified in ["OpenSSL.SSL.Context"]:
- argument = call.get_argument(position=1, name="method")
- method = argument.value
-
- if isinstance(method, str) and method in INSECURE_METHODS:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=argument.identifier_node),
- description="Use 'TLS_METHOD' to auto-negotiate the "
- "highest protocol version that both the client and "
- "server support.",
- inserted_content="TLS_METHOD",
- )
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=argument.identifier_node,
- ),
- level=Level.ERROR,
- message=self.message.format(method),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pyopenssl/pyopenssl_weak_key.py b/precli/rules/python/pyopenssl/pyopenssl_weak_key.py
deleted file mode 100644
index a7fdc5cf..00000000
--- a/precli/rules/python/pyopenssl/pyopenssl_weak_key.py
+++ /dev/null
@@ -1,135 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-r"""
-==================================================================
-Inadequate Encryption Strength Using Weak Keys in PyOpenSSL Module
-==================================================================
-
-Using weak key sizes for cryptographic algorithms like RSA and DSA can
-compromise the security of your encryption and digital signatures. Here's
-a brief overview of the risks associated with weak key sizes for these
-algorithms:
-
-RSA (Rivest-Shamir-Adleman):
-RSA is widely used for both encryption and digital signatures. Weak key sizes
-in RSA can be vulnerable to factorization attacks, such as the famous RSA-129
-challenge, which was factored in 1994 after 17 years of effort. Using small
-key sizes makes it easier for attackers to factor the modulus and recover
-the private key.
-
-It's generally recommended to use RSA key sizes of 2048 bits or more for
-security in the present day, with 3072 bits or higher being increasingly
-preferred for long-term security.
-
-DSA (Digital Signature Algorithm):
-DSA is used for digital signatures and relies on the discrete logarithm
-problem. Using weak key sizes in DSA can make it susceptible to attacks that
-involve solving the discrete logarithm problem, like the GNFS (General
-Number Field Sieve) algorithm.
-
-For DSA, key sizes of 2048 bits or more are recommended for modern security.
-Note that DSA is not as commonly used as RSA or ECC for new applications, and
-ECDSA (Elliptic Curve Digital Signature Algorithm) is often preferred due to
-its efficiency and strong security properties.
-
--------
-Example
--------
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from OpenSSL import crypto
-
-
- crypto.PKey().generate_key(type=crypto.TYPE_DSA, bits=1024)
-
------------
-Remediation
------------
-
-Its recommended to increase the key size to at least 2048 for DSA and RSA
-algorithms.
-
-.. code-block:: python
- :linenos:
- :emphasize-lines: 4
-
- from OpenSSL import crypto
-
-
- crypto.PKey().generate_key(type=crypto.TYPE_DSA, bits=2048)
-
-.. seealso::
-
- - `Inadequate Encryption Strength Using Weak Keys in PyOpenSSL Module `_
- - `crypto — Generic cryptographic module — pyOpenSSL documentation `_
- - `CWE-326: Inadequate Encryption Strength `_
-
-.. versionadded:: 1.0.0
-
-""" # noqa: E501
-from precli.core.config import Config
-from precli.core.level import Level
-from precli.core.location import Location
-from precli.core.result import Result
-from precli.rules import Rule
-
-
-class PyopensslWeakKey(Rule):
- def __init__(self, id: str):
- super().__init__(
- id=id,
- name="inadequate_encryption_strength",
- full_descr=__doc__,
- cwe_id=326,
- message="Using {} key sizes less than {} bits is considered "
- "vulnerable to attacks.",
- targets=("call"),
- wildcards={
- "OpenSSL.crypto.*": [
- "PKey",
- "TYPE_DSA",
- ],
- "OpenSSL.*": [
- "crypto.PKey",
- "crypto.TYPE_DSA",
- ],
- },
- config=Config(enabled=False),
- )
-
- def analyze(self, context: dict, **kwargs: dict) -> Result:
- call = kwargs.get("call")
-
- if call.name_qualified == "OpenSSL.crypto.PKey.generate_key":
- arg0 = call.get_argument(position=0, name="type")
- key_type = arg0.value
-
- if key_type == "OpenSSL.crypto.TYPE_DSA":
- key = "DSA"
- elif key_type == "OpenSSL.crypto.TYPE_RSA":
- key = "RSA"
-
- arg1 = call.get_argument(position=1, name="bits")
- bits = arg1.value
-
- if key in ["DSA", "RSA"] and bits < 2048:
- fixes = Rule.get_fixes(
- context=context,
- deleted_location=Location(node=arg1.node),
- description=f"Use a minimum key size of 2048 for "
- f"{key_type} keys.",
- inserted_content="2048",
- )
-
- return Result(
- rule_id=self.id,
- location=Location(
- file_name=context["file_name"],
- node=arg1.node,
- ),
- level=Level.ERROR if bits <= 1024 else Level.WARNING,
- message=self.message.format(key_type, 2048),
- fixes=fixes,
- )
diff --git a/precli/rules/python/pysnmp/__init__.py b/precli/rules/python/pysnmp/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/python-ipmi/__init__.py b/precli/rules/python/python-ipmi/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/requests/__init__.py b/precli/rules/python/requests/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/precli/rules/python/requests/no_certificate_verify.py b/precli/rules/python/requests/no_certificate_verify.py
deleted file mode 100644
index 7247868b..00000000
--- a/precli/rules/python/requests/no_certificate_verify.py
+++ /dev/null
@@ -1,128 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -r""" -===================================================== -Improper Certificate Validation Using Requests Module -===================================================== - -The ``requests`` package includes a number of standard methods for accessing -HTTP servers. The common parameter in these methods is ``verify`` to denote -whether to verify the server's host certificate. If unset, the default value -is True to verify. However, by setting the value to False, the code is -subject to a number of security risks including: - -- Man-in-the-middle attacks -- Session hijacking -- Data theft - -------- -Example -------- - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import requests - - - requests.get("https://localhost", verify=False) - ------------ -Remediation ------------ - -Setting the value of the verify argument to True or removing the keyword -argument accomplish the same effect of ensuring that certificates are verified. - -.. code-block:: python - :linenos: - :emphasize-lines: 4 - - import requests - - - requests.get("https://localhost", verify=True) - -.. seealso:: - - - `Improper Certificate Validation Using Requests Module `_ - - `Requests HTTP for Humans™ `_ - - `CWE-295: Improper Certificate Validation `_ - -.. 
versionadded:: 1.0.0 - -""" # noqa: E501 -from precli.core.config import Config -from precli.core.level import Level -from precli.core.location import Location -from precli.core.result import Result -from precli.rules import Rule - - -class NoCertificateVerify(Rule): - def __init__(self, id: str): - super().__init__( - id=id, - name="improper_certificate_validation", - full_descr=__doc__, - cwe_id=295, - message="The '{}' function is set to not verify certificates.", - targets=("call"), - wildcards={ - "requests.*": [ - "delete", - "get", - "head", - "options", - "patch", - "post", - "put", - "request", - "Session", - ] - }, - config=Config(enabled=False), - ) - - def analyze(self, context: dict, **kwargs: dict) -> Result: - call = kwargs.get("call") - - if call.name_qualified in [ - "requests.delete", - "requests.get", - "requests.head", - "requests.options", - "requests.patch", - "requests.post", - "requests.put", - "requests.request", - "requests.Session.delete", - "requests.Session.get", - "requests.Session.head", - "requests.Session.options", - "requests.Session.patch", - "requests.Session.post", - "requests.Session.put", - "requests.Session.request", - ]: - argument = call.get_argument(name="verify") - verify = argument.value - - if verify is False: - fixes = Rule.get_fixes( - context=context, - deleted_location=Location(node=argument.node), - description="Set the 'verify' argument to 'True' to ensure" - " the server's certificate is verified.", - inserted_content="True", - ) - return Result( - rule_id=self.id, - location=Location( - file_name=context["file_name"], - node=argument.node, - ), - level=Level.ERROR, - message=self.message.format(call.name_qualified), - fixes=fixes, - ) diff --git a/precli/rules/python/wsgiref/__init__.py b/precli/rules/python/wsgiref/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/setup.cfg b/setup.cfg index 86e24762..6dd296fe 100644 --- a/setup.cfg +++ b/setup.cfg 
@@ -42,15 +42,6 @@ precli.rules.go = # precli/rules/go/stdlib/crypto_weak_key.py GO003 = precli.rules.go.stdlib.crypto_weak_key:WeakKey - # precli/rules/go/golang_org_x_crypto/ssh_insecure_ignore_hostkey.py - GO501 = precli.rules.go.golang_org_x_crypto.ssh_insecure_ignore_hostkey:SshInsecureIgnoreHostKey - - # precli/rules/go/golang_org_x_crypto/weak_cipher.py - GO502 = precli.rules.go.golang_org_x_crypto.weak_cipher:WeakCipher - - # precli/rules/go/golang_org_x_crypto/weak_hash.py - GO503 = precli.rules.go.golang_org_x_crypto.weak_hash:WeakHash - precli.rules.python = # precli/rules/python/stdlib/assert.py PY001 = precli.rules.python.stdlib.assert:Assert 
@@ -112,75 +103,6 @@ precli.rules.python = # precli/rules/python/stdlib/tempfile_mktemp_race_condition.py PY020 = precli.rules.python.stdlib.tempfile_mktemp_race_condition:MktempRaceCondition - # precli/rules/python/aiohttp/no_certificate_verify.py - PY501 = precli.rules.python.aiohttp.no_certificate_verify:NoCertificateVerify - - # precli/rules/python/cryptography/cryptography_weak_cipher.py - PY502 = precli.rules.python.cryptography.cryptography_weak_cipher:CryptographyWeakCipher - - # precli/rules/python/cryptography/cryptography_weak_cipher_mode.py - PY503 = precli.rules.python.cryptography.cryptography_weak_cipher_mode:CryptographyWeakCipherMode - - # precli/rules/python/cryptography/cryptography_weak_hash.py - PY504 = precli.rules.python.cryptography.cryptography_weak_hash:CryptographyWeakHash - - # precli/rules/python/cryptography/cryptography_weak_key.py - PY505 = precli.rules.python.cryptography.cryptography_weak_key:CryptographyWeakKey - - # precli/rules/python/dill/dill_load.py - PY506 = precli.rules.python.dill.dill_load:DillLoad - - # precli/rules/python/Flask/flask_run_debug.py - PY507 = precli.rules.python.Flask.flask_run_debug:FlaskRunDebug - - # precli/rules/python/httpx/no_certificate_verify.py - PY508 = precli.rules.python.httpx.no_certificate_verify:NoCertificateVerify - - # precli/rules/python/jsonpickle/jsonpickle_decode.py - PY509 = precli.rules.python.jsonpickle.jsonpickle_decode:JsonpickleDecode - - # precli/rules/python/M2Crypto/m2crypto_weak_key.py - PY510 = precli.rules.python.M2Crypto.m2crypto_weak_key:M2CryptoWeakKey - - # precli/rules/python/pandas/pandas_read_pickle.py - PY511 = precli.rules.python.pandas.pandas_read_pickle:PandasReadPickle - - # precli/rules/python/paramiko/paramiko_no_host_key_verify.py - PY512 = precli.rules.python.paramiko.paramiko_no_host_key_verify:ParamikoNoHostKeyVerify - - # precli/rules/python/pycrypto/pycrypto_weak_cipher.py - PY513 = precli.rules.python.pycrypto.pycrypto_weak_cipher:PycryptoWeakCipher - - 
# precli/rules/python/pycrypto/pycrypto_weak_hash.py - PY514 = precli.rules.python.pycrypto.pycrypto_weak_hash:PycryptoWeakHash - - # precli/rules/python/pycrypto/pycrypto_weak_key.py - PY515 = precli.rules.python.pycrypto.pycrypto_weak_key:PycryptoWeakKey - - # precli/rules/python/pycryptodomex/pycryptodomex_weak_cipher.py - PY516 = precli.rules.python.pycryptodomex.pycryptodomex_weak_cipher:PycryptodomexWeakCipher - - # precli/rules/python/pycryptodomex/pycryptodomex_weak_hash.py - PY517 = precli.rules.python.pycryptodomex.pycryptodomex_weak_hash:PycryptodomexWeakHash - - # precli/rules/python/pycryptodomex/pycryptodomex_weak_key.py - PY518 = precli.rules.python.pycryptodomex.pycryptodomex_weak_key:PycryptodomexWeakKey - - # precli/rules/python/pyghmi/pyghmi_cleartext.py - PY519 = precli.rules.python.pyghmi.pyghmi_cleartext:PyghmiCleartext - - # precli/rules/python/pyopenssl/insecure_tls_method.py - PY520 = precli.rules.python.pyopenssl.insecure_tls_method:InsecureTlsMethod - - # precli/rules/python/pyopenssl/pyopenssl_weak_key.py - PY521 = precli.rules.python.pyopenssl.pyopenssl_weak_key:PyopensslWeakKey - - # precli/rules/python/PyYAML/yaml_load.py - PY522 = precli.rules.python.PyYAML.yaml_load:YamlLoad - - # precli/rules/python/requests/no_certificate_verify.py - PY523 = precli.rules.python.requests.no_certificate_verify:NoCertificateVerify - [build_sphinx] all_files = 1 build-dir = docs/build diff --git a/tests/unit/rules/go/golang_org_x_crypto/__init__.py b/tests/unit/rules/go/golang_org_x_crypto/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/ssh_insecure_ignore_hostkey.go b/tests/unit/rules/go/golang_org_x_crypto/examples/ssh_insecure_ignore_hostkey.go deleted file mode 100644 index bdff5521..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/ssh_insecure_ignore_hostkey.go +++ /dev/null 
@@ -1,55 +0,0 @@ -// level: ERROR -// start_line: 24 -// end_line: 24 -// start_column: 25 -// end_column: 50 -package main - -import ( - "fmt" - "golang.org/x/crypto/ssh" - "net" -) - -func main() { - // SSH client configuration with InsecureIgnoreHostKey - config := &ssh.ClientConfig{ - User: "username", - Auth: []ssh.AuthMethod{ - ssh.Password("password"), - }, - // InsecureIgnoreHostKey returns a function that can be used for - // ClientConfig.HostKeyCallback to accept any host key. It should not - // be used for production code. - HostKeyCallback: ssh.InsecureIgnoreHostKey(), - } - - // Define the SSH server address - serverAddress := "example.com:22" - - // Establish a connection to the SSH server - conn, err := ssh.Dial("tcp", serverAddress, config) - if err != nil { - fmt.Println("Failed to dial:", err) - return - } - defer conn.Close() - - // Perform operations using the connection... - // For example, creating a session - session, err := conn.NewSession() - if err != nil { - fmt.Println("Failed to create session:", err) - return - } - defer session.Close() - - // Execute a command - output, err := session.CombinedOutput("ls -l") - if err != nil { - fmt.Println("Failed to execute command:", err) - return - } - - fmt.Println(string(output)) -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish.go deleted file mode 100644 index a941087a..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish.go +++ /dev/null @@ -1,21 +0,0 @@ -// level: ERROR -// start_line: 17 -// end_line: 17 -// start_column: 14 -// end_column: 32 -package main - -import ( - "log" - - "golang.org/x/crypto/blowfish" -) - -func main() { - key := []byte("examplekey123456") - - _, err := blowfish.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } -} 
diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish_new_salted_cipher.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish_new_salted_cipher.go deleted file mode 100644 index 7e6cfac8..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_blowfish_new_salted_cipher.go +++ /dev/null @@ -1,22 +0,0 @@ -// level: ERROR -// start_line: 18 -// end_line: 18 -// start_column: 14 -// end_column: 38 -package main - -import ( - "log" - - "golang.org/x/crypto/blowfish" -) - -func main() { - key := []byte("examplekey123456") - salt := []byte("1234567890abcdef") - - _, err := blowfish.NewSaltedCipher(key, salt) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_cast5.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_cast5.go deleted file mode 100644 index a0ced64e..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_cast5.go +++ /dev/null @@ -1,21 +0,0 @@ -// level: ERROR -// start_line: 17 -// end_line: 17 -// start_column: 14 -// end_column: 29 -package main - -import ( - "log" - - "golang.org/x/crypto/cast5" -) - -func main() { - key := []byte("examplekey123456") - - _, err := cast5.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea.go deleted file mode 100644 index 571f69d2..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea.go +++ /dev/null 
@@ -1,21 +0,0 @@ -// level: ERROR -// start_line: 17 -// end_line: 17 -// start_column: 14 -// end_column: 27 -package main - -import ( - "log" - - "golang.org/x/crypto/tea" -) - -func main() { - key := []byte("examplekey123456") - - _, err := tea.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea_new_cipher_with_rounds.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea_new_cipher_with_rounds.go deleted file mode 100644 index 11cceaa9..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_tea_new_cipher_with_rounds.go +++ /dev/null @@ -1,21 +0,0 @@ -// level: ERROR -// start_line: 17 -// end_line: 17 -// start_column: 14 -// end_column: 37 -package main - -import ( - "log" - - "golang.org/x/crypto/tea" -) - -func main() { - key := []byte("examplekey123456") - - _, err := tea.NewCipherWithRounds(key, 64) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_twofish.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_twofish.go deleted file mode 100644 index bd016ecd..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_twofish.go +++ /dev/null 
@@ -1,63 +0,0 @@ -// level: ERROR -// start_line: 35 -// end_line: 35 -// start_column: 18 -// end_column: 35 -package main - -import ( - "crypto/cipher" - "encoding/hex" - "fmt" - "golang.org/x/crypto/twofish" - "log" -) - -// pkcs7Pad pads the plaintext to be a multiple of the block size -func pkcs7Pad(plaintext []byte, blockSize int) []byte { - padding := blockSize - len(plaintext)%blockSize - padtext := bytes.Repeat([]byte{byte(padding)}, padding) - return append(plaintext, padtext...) -} - -// pkcs7Unpad removes the padding from the plaintext -func pkcs7Unpad(plaintext []byte) []byte { - length := len(plaintext) - padLen := int(plaintext[length-1]) - return plaintext[:(length - padLen)] -} - -func main() { - // Twofish key (can be 16, 24, or 32 bytes) - key := []byte("examplekey123456") // 16 bytes for a 128-bit key - - // Create a new Twofish cipher block with the key - block, err := twofish.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } - - // The plaintext that needs to be encrypted - plaintext := []byte("Hello, Twofish!") - - // Pad plaintext to be a multiple of the block size - paddedPlaintext := pkcs7Pad(plaintext, twofish.BlockSize) - - ciphertext := make([]byte, len(paddedPlaintext)) - for i := 0; i < len(paddedPlaintext); i += twofish.BlockSize { - block.Encrypt(ciphertext[i:i+twofish.BlockSize], paddedPlaintext[i:i+twofish.BlockSize]) - } - - fmt.Printf("Ciphertext: %x\n", ciphertext) - - // Decrypting the ciphertext - decrypted := make([]byte, len(ciphertext)) - for i := 0; i < len(ciphertext); i += twofish.BlockSize { - block.Decrypt(decrypted[i:i+twofish.BlockSize], ciphertext[i:i+twofish.BlockSize]) - } - - // Remove padding - decrypted = pkcs7Unpad(decrypted) - - fmt.Printf("Decrypted: %s\n", decrypted) -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_xtea.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_xtea.go deleted file mode 100644 index d3808302..00000000 
--- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_cipher_xtea.go +++ /dev/null @@ -1,21 +0,0 @@ -// level: ERROR -// start_line: 17 -// end_line: 17 -// start_column: 14 -// end_column: 28 -package main - -import ( - "log" - - "golang.org/x/crypto/xtea" -) - -func main() { - key := []byte("examplekey123456") - - _, err := xtea.NewCipher(key) - if err != nil { - log.Fatalf("Failed to create cipher: %v", err) - } -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_md4.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_md4.go deleted file mode 100644 index 91c1c6a7..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_md4.go +++ /dev/null @@ -1,17 +0,0 @@ -// level: ERROR -// start_line: 14 -// end_line: 14 -// start_column: 9 -// end_column: 16 -package main - -import ( - "golang.org/x/crypto/md4" - "fmt" -) - -func main() { - h := md4.New() - h.Write([]byte("hello world\n")) - fmt.Printf("%x", h.Sum(nil)) -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_ripemd160.go b/tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_ripemd160.go deleted file mode 100644 index e7afd0d2..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/examples/weak_hash_ripemd160.go +++ /dev/null @@ -1,17 +0,0 @@ -// level: ERROR -// start_line: 14 -// end_line: 14 -// start_column: 9 -// end_column: 22 -package main - -import ( - "golang.org/x/crypto/ripemd160" - "fmt" -) - -func main() { - h := ripemd160.New() - h.Write([]byte("hello world\n")) - fmt.Printf("%x", h.Sum(nil)) -} diff --git a/tests/unit/rules/go/golang_org_x_crypto/test_ssh_insecure_ignore_hostkey.py b/tests/unit/rules/go/golang_org_x_crypto/test_ssh_insecure_ignore_hostkey.py deleted file mode 100644 index 9b1873f2..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/test_ssh_insecure_ignore_hostkey.py +++ /dev/null 
@@ -1,44 +0,0 @@ -# Copyright 2024 Secure Saurce LLC -import os - -from parameterized import parameterized - -from precli.core.level import Level -from precli.parsers import go -from precli.rules import Rule -from tests.unit.rules import test_case - - -class SshInsecureIgnoreHostkeyTests(test_case.TestCase): - def setUp(self): - super().setUp() - self.rule_id = "GO501" - self.parser = go.Go(enabled=[self.rule_id]) - self.base_path = os.path.join( - "tests", - "unit", - "rules", - "go", - "golang_org_x_crypto", - "examples", - ) - - def test_rule_meta(self): - rule = Rule.get_by_id(self.rule_id) - self.assertEqual(self.rule_id, rule.id) - self.assertEqual("improper_certificate_validation", rule.name) - self.assertEqual( - f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url - ) - self.assertEqual(True, rule.default_config.enabled) - self.assertEqual(Level.WARNING, rule.default_config.level) - self.assertEqual(-1.0, rule.default_config.rank) - self.assertEqual("295", rule.cwe.cwe_id) - - @parameterized.expand( - [ - "ssh_insecure_ignore_hostkey.go", - ] - ) - def test(self, filename): - self.check(filename) diff --git a/tests/unit/rules/go/golang_org_x_crypto/test_weak_cipher.py b/tests/unit/rules/go/golang_org_x_crypto/test_weak_cipher.py deleted file mode 100644 index dcddae39..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/test_weak_cipher.py +++ /dev/null 
@@ -1,52 +0,0 @@ -# Copyright 2024 Secure Saurce LLC -import os - -from parameterized import parameterized - -from precli.core.level import Level -from precli.parsers import go -from precli.rules import Rule -from tests.unit.rules import test_case - - -class CryptoWeakHashTests(test_case.TestCase): - def setUp(self): - super().setUp() - self.rule_id = "GO502" - self.parser = go.Go(enabled=[self.rule_id]) - self.base_path = os.path.join( - "tests", - "unit", - "rules", - "go", - "golang_org_x_crypto", - "examples", - ) - - def test_rule_meta(self): - rule = Rule.get_by_id(self.rule_id) - self.assertEqual(self.rule_id, rule.id) - self.assertEqual( - "use_of_a_broken_or_risky_cryptographic_algorithm", rule.name - ) - self.assertEqual( - f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url - ) - self.assertEqual(True, rule.default_config.enabled) - self.assertEqual(Level.WARNING, rule.default_config.level) - self.assertEqual(-1.0, rule.default_config.rank) - self.assertEqual("327", rule.cwe.cwe_id) - - @parameterized.expand( - [ - "weak_cipher_blowfish.go", - "weak_cipher_blowfish_new_salted_cipher.go", - "weak_cipher_cast5.go", - "weak_cipher_tea.go", - "weak_cipher_tea_new_cipher_with_rounds.go", - "weak_cipher_twofish.go", - "weak_cipher_xtea.go", - ] - ) - def test(self, filename): - self.check(filename) diff --git a/tests/unit/rules/go/golang_org_x_crypto/test_weak_hash.py b/tests/unit/rules/go/golang_org_x_crypto/test_weak_hash.py deleted file mode 100644 index ff41ece1..00000000 --- a/tests/unit/rules/go/golang_org_x_crypto/test_weak_hash.py +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright 2024 Secure Saurce LLC -import os - -from parameterized import parameterized - -from precli.core.level import Level -from precli.parsers import go -from precli.rules import Rule -from tests.unit.rules import test_case - - -class CryptoWeakHashTests(test_case.TestCase): - def setUp(self): - super().setUp() - self.rule_id = "GO503" - self.parser = go.Go(enabled=[self.rule_id]) - self.base_path = os.path.join( - "tests", - "unit", - "rules", - "go", - "golang_org_x_crypto", - "examples", - ) - - def test_rule_meta(self): - rule = Rule.get_by_id(self.rule_id) - self.assertEqual(self.rule_id, rule.id) - self.assertEqual("reversible_one_way_hash", rule.name) - self.assertEqual( - f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url - ) - self.assertEqual(True, rule.default_config.enabled) - self.assertEqual(Level.WARNING, rule.default_config.level) - self.assertEqual(-1.0, rule.default_config.rank) - self.assertEqual("328", rule.cwe.cwe_id) - - @parameterized.expand( - [ - "weak_hash_md4.go", - "weak_hash_ripemd160.go", - ] - ) - def test(self, filename): - self.check(filename) diff --git a/tests/unit/rules/python/Flask/__init__.py b/tests/unit/rules/python/Flask/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/tests/unit/rules/python/Flask/examples/flask_run_debug_as_var.py b/tests/unit/rules/python/Flask/examples/flask_run_debug_as_var.py deleted file mode 100644 index 7abcd9c8..00000000 --- a/tests/unit/rules/python/Flask/examples/flask_run_debug_as_var.py +++ /dev/null @@ -1,11 +0,0 @@ -# level: ERROR -# start_line: 11 -# end_line: 11 -# start_column: 14 -# end_column: 19 -from flask import Flask - - -app = Flask(__name__) -debug = True -app.run(debug=debug) diff --git a/tests/unit/rules/python/Flask/examples/flask_run_debug_false.py b/tests/unit/rules/python/Flask/examples/flask_run_debug_false.py deleted file mode 100644 index be041be1..00000000 
--- a/tests/unit/rules/python/Flask/examples/flask_run_debug_false.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# level: NONE
-from flask import Flask
-
-
-app = Flask(__name__)
-app.run(debug=False)
diff --git a/tests/unit/rules/python/Flask/examples/flask_run_debug_true.py b/tests/unit/rules/python/Flask/examples/flask_run_debug_true.py
deleted file mode 100644
index d08155bd..00000000
--- a/tests/unit/rules/python/Flask/examples/flask_run_debug_true.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 14
-# end_column: 18
-from flask import Flask
-
-
-app = Flask(__name__)
-app.run(debug=True)
diff --git a/tests/unit/rules/python/Flask/examples/flask_run_debug_unset.py b/tests/unit/rules/python/Flask/examples/flask_run_debug_unset.py
deleted file mode 100644
index 77d382fb..00000000
--- a/tests/unit/rules/python/Flask/examples/flask_run_debug_unset.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# level: NONE
-from flask import Flask
-
-
-app = Flask(__name__)
-app.run()
diff --git a/tests/unit/rules/python/Flask/examples/flask_run_debug_wildcard.py b/tests/unit/rules/python/Flask/examples/flask_run_debug_wildcard.py
deleted file mode 100644
index 06f2f66f..00000000
--- a/tests/unit/rules/python/Flask/examples/flask_run_debug_wildcard.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 14
-# end_column: 18
-from flask import *
-
-
-app = Flask(__name__)
-app.run(debug=True)
diff --git a/tests/unit/rules/python/Flask/test_flask_run_debug.py b/tests/unit/rules/python/Flask/test_flask_run_debug.py
deleted file mode 100644
index 603621b1..00000000
--- a/tests/unit/rules/python/Flask/test_flask_run_debug.py
+++ /dev/null
@@ -1,48 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -import os - -from parameterized import parameterized - -from precli.core.level import Level -from precli.parsers import python -from precli.rules import Rule -from tests.unit.rules import test_case - - -class FlaskRunDebugTests(test_case.TestCase): - def setUp(self): - super().setUp() - self.rule_id = "PY507" - self.parser = python.Python(enabled=[self.rule_id]) - self.base_path = os.path.join( - "tests", - "unit", - "rules", - "python", - "Flask", - "examples", - ) - - def test_rule_meta(self): - rule = Rule.get_by_id(self.rule_id) - self.assertEqual(self.rule_id, rule.id) - self.assertEqual("code_injection", rule.name) - self.assertEqual( - f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url - ) - self.assertEqual(True, rule.default_config.enabled) - self.assertEqual(Level.WARNING, rule.default_config.level) - self.assertEqual(-1.0, rule.default_config.rank) - self.assertEqual("94", rule.cwe.cwe_id) - - @parameterized.expand( - [ - "flask_run_debug_as_var.py", - "flask_run_debug_false.py", - "flask_run_debug_true.py", - "flask_run_debug_unset.py", - "flask_run_debug_wildcard.py", - ] - ) - def test(self, filename): - self.check(filename) diff --git a/tests/unit/rules/python/M2Crypto/__init__.py b/tests/unit/rules/python/M2Crypto/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_1024.py b/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_1024.py deleted file mode 100644 index c66fe561..00000000 --- a/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_1024.py +++ /dev/null @@ -1,9 +0,0 @@ -# level: ERROR -# start_line: 9 -# end_line: 9 -# start_column: 25 -# end_column: 29 -from M2Crypto import DSA - - -new_key = DSA.gen_params(1024) 
diff --git a/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_2048.py b/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_2048.py
deleted file mode 100644
index fff406e2..00000000
--- a/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from M2Crypto import DSA
-
-
-new_key = DSA.gen_params(2048)
diff --git a/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_4096.py b/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_4096.py
deleted file mode 100644
index 11b35e03..00000000
--- a/tests/unit/rules/python/M2Crypto/examples/dsa_gen_params_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from M2Crypto import DSA
-
-
-new_key = DSA.gen_params(4096)
diff --git a/tests/unit/rules/python/M2Crypto/examples/ec_gen_params_nid_secp112r1.py b/tests/unit/rules/python/M2Crypto/examples/ec_gen_params_nid_secp112r1.py
deleted file mode 100644
index db17389b..00000000
--- a/tests/unit/rules/python/M2Crypto/examples/ec_gen_params_nid_secp112r1.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 27
-# end_column: 40
-from M2Crypto import EC
-
-
-new_key = EC.gen_params(EC.NID_secp112r1)
diff --git a/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_1024.py b/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_1024.py
deleted file mode 100644
index 9dfd417f..00000000
--- a/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 22
-# end_column: 26
-from M2Crypto import RSA
-
-
-new_key = RSA.gen_key(1024, 65537)
diff --git a/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_2048.py b/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_2048.py
deleted file mode 100644
index 9c7dc04c..00000000
--- a/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from M2Crypto import RSA
-
-
-new_key = RSA.gen_key(2048, 65537)
diff --git a/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_4096.py b/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_4096.py
deleted file mode 100644
index a9d6edcb..00000000
--- a/tests/unit/rules/python/M2Crypto/examples/rsa_gen_key_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from M2Crypto import RSA
-
-
-new_key = RSA.gen_key(4096, 65537)
diff --git a/tests/unit/rules/python/M2Crypto/test_m2crypto_weak_key.py b/tests/unit/rules/python/M2Crypto/test_m2crypto_weak_key.py
deleted file mode 100644
index 5a6b46cd..00000000
--- a/tests/unit/rules/python/M2Crypto/test_m2crypto_weak_key.py
+++ /dev/null
@@ -1,50 +0,0 @@ -# Copyright 2023 Secure Saurce LLC -import os - -from parameterized import parameterized - -from precli.core.level import Level -from precli.parsers import python -from precli.rules import Rule -from tests.unit.rules import test_case - - -class M2cryptoWeakKeyTests(test_case.TestCase): - def setUp(self): - super().setUp() - self.rule_id = "PY510" - self.parser = python.Python(enabled=[self.rule_id]) - self.base_path = os.path.join( - "tests", - "unit", - "rules", - "python", - "M2Crypto", - "examples", - ) - - def test_rule_meta(self): - rule = Rule.get_by_id(self.rule_id) - self.assertEqual(self.rule_id, rule.id) - self.assertEqual("inadequate_encryption_strength", rule.name) - self.assertEqual( - f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url - ) - self.assertEqual(True, rule.default_config.enabled) - self.assertEqual(Level.WARNING, rule.default_config.level) - self.assertEqual(-1.0, rule.default_config.rank) - self.assertEqual("326", rule.cwe.cwe_id) - - @parameterized.expand( - [ - "dsa_gen_params_1024.py", - "dsa_gen_params_2048.py", - "dsa_gen_params_4096.py", - "ec_gen_params_nid_secp112r1.py", - "rsa_gen_key_1024.py", - "rsa_gen_key_2048.py", - "rsa_gen_key_4096.py", - ] - ) - def test(self, filename): - self.check(filename) diff --git a/tests/unit/rules/python/PyYAML/__init__.py b/tests/unit/rules/python/PyYAML/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load.py b/tests/unit/rules/python/PyYAML/examples/yaml_load.py deleted file mode 100644 index a6b887fd..00000000 --- a/tests/unit/rules/python/PyYAML/examples/yaml_load.py +++ /dev/null @@ -1,9 +0,0 @@ -# level: WARNING -# start_line: 9 -# end_line: 9 -# start_column: 5 -# end_column: 9 -import yaml - - -yaml.load("{}") 
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import.py
deleted file mode 100644
index 17805c6e..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 0
-# end_column: 4
-from yaml import load
-
-
-load("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_alias.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_alias.py
deleted file mode 100644
index 49e52b7b..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_alias.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 0
-# end_column: 8
-from yaml import load as yamlload
-
-
-yamlload("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_wildcard.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_wildcard.py
deleted file mode 100644
index 877a28d7..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_from_import_wildcard.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 0
-# end_column: 4
-from yaml import *
-
-
-load("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_alias.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_import_alias.py
deleted file mode 100644
index 97ac364f..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_alias.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 0
-# end_column: 8
-import yaml.load as yamlload
-
-
-yamlload("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_async_func.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_async_func.py
deleted file mode 100644
index 7b8edd7d..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_async_func.py +++ /dev/null @@ -1,6 +0,0 @@ -# level: NONE -async def test_func(): - import yaml - - -yaml.load("{}", loader=yaml.Loader) diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_class.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_class.py deleted file mode 100644 index 2f072304..00000000 --- a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_class.py +++ /dev/null @@ -1,6 +0,0 @@ -# level: NONE -class TestClass: - import yaml - - -yaml.load("{}") diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_func.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_func.py deleted file mode 100644 index f1b0cb6e..00000000 --- a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_func.py +++ /dev/null @@ -1,6 +0,0 @@ -# level: NONE -def test_func(): - import yaml - - -yaml.load("{}") diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_loop.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_loop.py deleted file mode 100644 index 782d17df..00000000 --- a/tests/unit/rules/python/PyYAML/examples/yaml_load_import_in_loop.py +++ /dev/null @@ -1,8 +0,0 @@ -# level: WARNING -# start_line: 8 -# end_line: 8 -# start_column: 21 -# end_column: 27 -for i in range(10): - import yaml -yaml.load("{}", yaml.Loader) diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_importlib.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_importlib.py deleted file mode 100644 index 67159f93..00000000 --- a/tests/unit/rules/python/PyYAML/examples/yaml_load_importlib.py +++ /dev/null @@ -1,10 +0,0 @@ -# level: WARNING -# start_line: 10 -# end_line: 10 -# start_column: 5 -# end_column: 9 -import importlib - - -yaml = importlib.import_module("yaml") -yaml.load("{}") 
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_incomplete_import.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_incomplete_import.py
deleted file mode 100644
index 0ae66457..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_incomplete_import.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import yaml
-
-
-load("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_invalid_import.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_invalid_import.py
deleted file mode 100644
index 30fe6af9..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_invalid_import.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import os as yaml
-
-
-yaml.load("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_alias_loader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_alias_loader.py
deleted file mode 100644
index a07a4219..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_alias_loader.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: WARNING
-# start_line: 10
-# end_line: 10
-# start_column: 23
-# end_column: 29
-import yaml
-from yaml import Loader as LOADER
-
-
-yaml.load("{}", Loader=LOADER)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_csafeloader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_csafeloader.py
deleted file mode 100644
index 9ec74169..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_csafeloader.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import yaml
-
-
-yaml.load("{}", Loader=yaml.CSafeLoader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_json_safeloader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_json_safeloader.py
deleted file mode 100644
index c4add0eb..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_json_safeloader.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: WARNING
-# start_line: 11
-# end_line: 11
-# start_column: 28
-# end_column: 38
-import json
-
-import yaml
-
-
-yaml.load("{}", Loader=json.SafeLoader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_loader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_loader.py
deleted file mode 100644
index 0bafaf68..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_loader.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 28
-# end_column: 34
-import yaml
-
-
-yaml.load("{}", Loader=yaml.Loader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_safeloader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_safeloader.py
deleted file mode 100644
index af9a371e..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_kwarg_safeloader.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# level: NONE
-import yaml
-from yaml import SafeLoader
-
-
-yaml.load("{}", Loader=SafeLoader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_loader_as_var.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_loader_as_var.py
deleted file mode 100644
index 189ba305..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_loader_as_var.py
+++ /dev/null
@@ -1,6 +0,0 @@
-# level: NONE
-import yaml
-
-
-SAFE_LOADER = yaml.SafeLoader
-yaml.load("{}", SAFE_LOADER)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_no_import.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_no_import.py
deleted file mode 100644
index 2896bec5..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_no_import.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# level: NONE
-yaml.load("{}")
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_csafeloader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_csafeloader.py
deleted file mode 100644
index 2b3f106d..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_csafeloader.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import yaml
-
-
-yaml.load("{}", yaml.CSafeLoader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_loader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_loader.py
deleted file mode 100644
index 5d752a6a..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_loader.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: WARNING
-# start_line: 10
-# end_line: 10
-# start_column: 16
-# end_column: 22
-import yaml
-from yaml import Loader
-
-
-yaml.load("{}", Loader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_safeloader.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_safeloader.py
deleted file mode 100644
index ca86a046..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_positional_safeloader.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import yaml
-
-
-yaml.load("{}", yaml.SafeLoader)
diff --git a/tests/unit/rules/python/PyYAML/examples/yaml_load_yaml_as_identifier.py b/tests/unit/rules/python/PyYAML/examples/yaml_load_yaml_as_identifier.py
deleted file mode 100644
index 0c371eba..00000000
--- a/tests/unit/rules/python/PyYAML/examples/yaml_load_yaml_as_identifier.py
+++ /dev/null
@@ -1,3 +0,0 @@
-# level: NONE
-yaml = "yaml"
-yaml.load("{}")
diff --git a/tests/unit/rules/python/PyYAML/test_yaml_load.py b/tests/unit/rules/python/PyYAML/test_yaml_load.py
deleted file mode 100644
index 6085d10e..00000000
--- a/tests/unit/rules/python/PyYAML/test_yaml_load.py
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class YamlLoadTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY522"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "PyYAML",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("deserialization_of_untrusted_data", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("502", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "yaml_load.py",
- "yaml_load_from_import.py",
- "yaml_load_from_import_alias.py",
- "yaml_load_from_import_wildcard.py",
- "yaml_load_import_alias.py",
- "yaml_load_import_in_async_func.py",
- "yaml_load_import_in_class.py",
- "yaml_load_import_in_func.py",
- "yaml_load_import_in_loop.py",
- "yaml_load_importlib.py",
- "yaml_load_incomplete_import.py",
- "yaml_load_invalid_import.py",
- "yaml_load_kwarg_alias_loader.py",
- "yaml_load_kwarg_csafeloader.py",
- "yaml_load_kwarg_json_safeloader.py",
- "yaml_load_kwarg_loader.py",
- "yaml_load_kwarg_safeloader.py",
- "yaml_load_loader_as_var.py",
- "yaml_load_no_import.py",
- "yaml_load_positional_csafeloader.py",
- "yaml_load_positional_loader.py",
- "yaml_load_positional_safeloader.py",
- "yaml_load_yaml_as_identifier.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/aiohttp/__init__.py b/tests/unit/rules/python/aiohttp/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/aiohttp/examples/session_delete_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_delete_ssl_false.py
deleted file mode 100644
index a617bf6f..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_delete_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 55
-# end_column: 60
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.delete("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_delete_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_delete_verify_ssl_false.py
deleted file mode 100644
index 054a5ab6..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_delete_verify_ssl_false.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 11
-# end_line: 11
-# start_column: 40
-# end_column: 45
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.delete(
- "http://python.org", verify_ssl=False
- ) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_get_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_get_ssl_false.py
deleted file mode 100644
index 443042b0..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_get_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 52
-# end_column: 57
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.get("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_get_ssl_true.py b/tests/unit/rules/python/aiohttp/examples/session_get_ssl_true.py
deleted file mode 100644
index 0b3d9711..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_get_ssl_true.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.get("http://python.org", ssl=True) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_get_ssl_unset.py b/tests/unit/rules/python/aiohttp/examples/session_get_ssl_unset.py
deleted file mode 100644
index 4499b293..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_get_ssl_unset.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.get("http://python.org") as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_false.py
deleted file mode 100644
index bbf0e66b..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 59
-# end_column: 64
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.get("http://python.org", verify_ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_true.py b/tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_true.py
deleted file mode 100644
index 252ee994..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_get_verify_ssl_true.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.get("http://python.org", verify_ssl=True) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_head_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_head_ssl_false.py
deleted file mode 100644
index dc64ce48..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_head_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 53
-# end_column: 58
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.head("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_head_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_head_verify_ssl_false.py
deleted file mode 100644
index 8bd7c222..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_head_verify_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 60
-# end_column: 65
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.head("http://python.org", verify_ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_options_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_options_ssl_false.py
deleted file mode 100644
index e090e5cb..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_options_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 56
-# end_column: 61
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.options("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_options_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_options_verify_ssl_false.py
deleted file mode 100644
index 8418d130..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_options_verify_ssl_false.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 11
-# end_line: 11
-# start_column: 40
-# end_column: 45
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.options(
- "http://python.org", verify_ssl=False
- ) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_patch_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_patch_ssl_false.py
deleted file mode 100644
index a2bdb75f..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_patch_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 54
-# end_column: 59
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.patch("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_patch_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_patch_verify_ssl_false.py
deleted file mode 100644
index 4194c541..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_patch_verify_ssl_false.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 11
-# end_line: 11
-# start_column: 40
-# end_column: 45
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.patch(
- "http://python.org", verify_ssl=False
- ) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_post_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_post_ssl_false.py
deleted file mode 100644
index 71664144..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_post_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 53
-# end_column: 58
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.post("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_post_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_post_verify_ssl_false.py
deleted file mode 100644
index 259964c8..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_post_verify_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 60
-# end_column: 65
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.post("http://python.org", verify_ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_put_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_put_ssl_false.py
deleted file mode 100644
index a8514424..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_put_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 52
-# end_column: 57
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.put("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_put_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_put_verify_ssl_false.py
deleted file mode 100644
index 79bcdd62..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_put_verify_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 59
-# end_column: 64
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.put("http://python.org", verify_ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_request_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_request_ssl_false.py
deleted file mode 100644
index de39ab12..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_request_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 56
-# end_column: 61
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.request("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_request_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_request_verify_ssl_false.py
deleted file mode 100644
index 1b594649..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_request_verify_ssl_false.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 11
-# end_line: 11
-# start_column: 40
-# end_column: 45
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.request(
- "http://python.org", verify_ssl=False
- ) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_ws_connect_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_ws_connect_ssl_false.py
deleted file mode 100644
index 21635f44..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_ws_connect_ssl_false.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 59
-# end_column: 64
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.ws_connect("http://python.org", ssl=False) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/examples/session_ws_connect_verify_ssl_false.py b/tests/unit/rules/python/aiohttp/examples/session_ws_connect_verify_ssl_false.py
deleted file mode 100644
index 18ab414b..00000000
--- a/tests/unit/rules/python/aiohttp/examples/session_ws_connect_verify_ssl_false.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 11
-# end_line: 11
-# start_column: 40
-# end_column: 45
-import aiohttp
-
-
-async with aiohttp.ClientSession() as session:
- async with session.ws_connect(
- "http://python.org", verify_ssl=False
- ) as response:
- print(await response.text())
diff --git a/tests/unit/rules/python/aiohttp/test_no_certificate_verify.py b/tests/unit/rules/python/aiohttp/test_no_certificate_verify.py
deleted file mode 100644
index 786d686c..00000000
--- a/tests/unit/rules/python/aiohttp/test_no_certificate_verify.py
+++ /dev/null
@@ -1,64 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class NoCertificateVerifyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY501"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "aiohttp",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("improper_certificate_validation", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("295", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "session_delete_ssl_false.py",
- "session_delete_verify_ssl_false.py",
- "session_get_ssl_false.py",
- "session_get_ssl_true.py",
- "session_get_ssl_unset.py",
- "session_get_verify_ssl_false.py",
- "session_get_verify_ssl_true.py",
- "session_head_ssl_false.py",
- "session_head_verify_ssl_false.py",
- "session_options_ssl_false.py",
- "session_options_verify_ssl_false.py",
- "session_patch_ssl_false.py",
- "session_patch_verify_ssl_false.py",
- "session_post_ssl_false.py",
- "session_post_verify_ssl_false.py",
- "session_put_ssl_false.py",
- "session_put_verify_ssl_false.py",
- "session_request_ssl_false.py",
- "session_request_verify_ssl_false.py",
- "session_ws_connect_ssl_false.py",
- "session_ws_connect_verify_ssl_false.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/cryptography/__init__.py b/tests/unit/rules/python/cryptography/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/cryptography/examples/algorithms_arc4.py b/tests/unit/rules/python/cryptography/examples/algorithms_arc4.py
deleted file mode 100644
index a89a9188..00000000
--- a/tests/unit/rules/python/cryptography/examples/algorithms_arc4.py
+++ /dev/null
@@ -1,16 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 38
-# end_column: 41
-import os
-
-from cryptography.hazmat.primitives.ciphers import algorithms
-from cryptography.hazmat.primitives.ciphers import Cipher
-
-
-key = os.urandom(32)
-algorithm = algorithms.ARC4(key)
-cipher = Cipher(algorithm, mode=None)
-encryptor = cipher.encryptor()
-ct = encryptor.update(b"a secret message")
diff --git a/tests/unit/rules/python/cryptography/examples/algorithms_blowfish.py b/tests/unit/rules/python/cryptography/examples/algorithms_blowfish.py
deleted file mode 100644
index e6f15f4e..00000000
--- a/tests/unit/rules/python/cryptography/examples/algorithms_blowfish.py
+++ /dev/null
@@ -1,16 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 38
-# end_column: 41
-import os
-
-from cryptography.hazmat.primitives.ciphers import algorithms
-from cryptography.hazmat.primitives.ciphers import Cipher
-
-
-key = os.urandom(32)
-algorithm = algorithms.Blowfish(key)
-cipher = Cipher(algorithm, mode=None)
-encryptor = cipher.encryptor()
-ct = encryptor.update(b"a secret message")
diff --git a/tests/unit/rules/python/cryptography/examples/algorithms_idea.py b/tests/unit/rules/python/cryptography/examples/algorithms_idea.py
deleted file mode 100644
index 64cf2b1f..00000000
--- a/tests/unit/rules/python/cryptography/examples/algorithms_idea.py
+++ /dev/null
@@ -1,16 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 38
-# end_column: 41
-import os
-
-from cryptography.hazmat.primitives.ciphers import algorithms
-from cryptography.hazmat.primitives.ciphers import Cipher
-
-
-key = os.urandom(32)
-algorithm = algorithms.IDEA(key)
-cipher = Cipher(algorithm, mode=None)
-encryptor = cipher.encryptor()
-ct = encryptor.update(b"a secret message")
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_1024.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_1024.py
deleted file mode 100644
index c3c2bd7a..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 24
-# end_column: 28
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_parameters(1024)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_2048.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_2048.py
deleted file mode 100644
index dc2d07b5..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_parameters(2048)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_4096.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_4096.py
deleted file mode 100644
index 103ece6e..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_parameters(4096)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_1024.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_1024.py
deleted file mode 100644
index 96b7f6b8..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 33
-# end_column: 37
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_parameters(key_size=1024)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_2048.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_2048.py
deleted file mode 100644
index 8e22330c..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_parameters(key_size=2048)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_4096.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_4096.py
deleted file mode 100644
index e87d5d1d..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_kwarg_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_parameters(key_size=4096)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_var_1024.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_var_1024.py
deleted file mode 100644
index 1920dd04..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_parameters_var_1024.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 24
-# end_column: 31
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-keysize = 1024
-dsa.generate_parameters(keysize)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_1024.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_1024.py
deleted file mode 100644
index 44aaaa2f..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 25
-# end_column: 29
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_private_key(1024)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_2048.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_2048.py
deleted file mode 100644
index ca1e3224..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_private_key(2048)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_4096.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_4096.py
deleted file mode 100644
index 0976371a..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_private_key(4096)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_1024.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_1024.py
deleted file mode 100644
index 4835721e..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 34
-# end_column: 38
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_private_key(key_size=1024)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_2048.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_2048.py
deleted file mode 100644
index 21722d95..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_private_key(key_size=2048)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_4096.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_4096.py
deleted file mode 100644
index 6e236110..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_kwarg_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-dsa.generate_private_key(key_size=4096)
diff --git a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_var_1024.py b/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_var_1024.py
deleted file mode 100644
index 6d141a5a..00000000
--- a/tests/unit/rules/python/cryptography/examples/dsa_generate_private_key_var_1024.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 25
-# end_column: 32
-from cryptography.hazmat.primitives.asymmetric import dsa
-
-
-keysize = 1024
-dsa.generate_private_key(keysize)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp256r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp256r1.py
deleted file mode 100644
index 322986a9..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp256r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.BrainpoolP256R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp384r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp384r1.py
deleted file mode 100644
index e185abfe..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp384r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.BrainpoolP384R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp512r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp512r1.py
deleted file mode 100644
index fa4e89b7..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_brainpoolp512r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.BrainpoolP512R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp192r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp192r1.py
deleted file mode 100644
index b67edf19..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp192r1.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: WARNING
-# start_line: 11
-# end_line: 11
-# start_column: 37
-# end_column: 42
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECP192R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp224r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp224r1.py
deleted file mode 100644
index 3d5babf2..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp224r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECP224R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256k1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256k1.py
deleted file mode 100644
index 8df7377a..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256k1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECP256K1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256r1.py
deleted file mode 100644
index c5dd0642..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp256r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECP256R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp384r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp384r1.py
deleted file mode 100644
index 3f93c873..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp384r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECP384R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp521r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp521r1.py
deleted file mode 100644
index 1ea2a3a5..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_secp521r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECP521R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163k1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163k1.py
deleted file mode 100644
index 77c44775..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163k1.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: WARNING
-# start_line: 11
-# end_line: 11
-# start_column: 37
-# end_column: 42
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT163K1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163r2.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163r2.py
deleted file mode 100644
index e97bc401..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect163r2.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: WARNING
-# start_line: 11
-# end_line: 11
-# start_column: 37
-# end_column: 42
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT163R2
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233k1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233k1.py
deleted file mode 100644
index 567130a7..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233k1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT233K1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233r1.py
deleted file mode 100644
index ca07331a..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect233r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT233R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283k1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283k1.py
deleted file mode 100644
index 82161bc9..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283k1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT283K1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283r1.py
deleted file mode 100644
index c977c57c..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect283r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT283R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409k1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409k1.py
deleted file mode 100644
index 2f39f9d5..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409k1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT409K1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409r1.py
deleted file mode 100644
index 50fa6998..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect409r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT409R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571k1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571k1.py
deleted file mode 100644
index e934f744..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571k1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT571K1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571r1.py b/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571r1.py
deleted file mode 100644
index 6db852bf..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_derive_private_key_sect571r1.py
+++ /dev/null
@@ -1,7 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-private_value = 0x63BD3B01C5CE749D87F5F7481232A93540ACDB0F7B5C014ECD9CD3
-curve = ec.SECT571R1
-ec.derive_private_key(private_value, curve)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp256r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp256r1.py
deleted file mode 100644
index 653312ff..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp256r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.BrainpoolP256R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp384r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp384r1.py
deleted file mode 100644
index 2db7e311..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp384r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.BrainpoolP384R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp512r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp512r1.py
deleted file mode 100644
index 98eeb13b..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_brainpoolp512r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.BrainpoolP512R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp192r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp192r1.py
deleted file mode 100644
index 7bbc3569..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp192r1.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 27
-# end_column: 36
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECP192R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp224r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp224r1.py
deleted file mode 100644
index b26f57dc..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp224r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECP224R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256k1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256k1.py
deleted file mode 100644
index 6a82f5a1..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256k1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECP256K1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256r1.py
deleted file mode 100644
index bd16a64f..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp256r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECP256R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp384r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp384r1.py
deleted file mode 100644
index b51dcdb8..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp384r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECP384R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp521r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp521r1.py
deleted file mode 100644
index 13a35829..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_secp521r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECP521R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163k1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163k1.py
deleted file mode 100644
index fa9b430f..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163k1.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 27
-# end_column: 36
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT163K1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163r2.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163r2.py
deleted file mode 100644
index 6c882356..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect163r2.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 27
-# end_column: 36
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT163R2)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233k1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233k1.py
deleted file mode 100644
index 41b4e551..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233k1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT233K1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233r1.py
deleted file mode 100644
index e04a8337..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect233r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT233R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283k1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283k1.py
deleted file mode 100644
index 4743dc4a..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283k1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT283K1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283r1.py
deleted file mode 100644
index a9d297c7..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect283r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT283R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409k1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409k1.py
deleted file mode 100644
index e60d14a2..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409k1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT409K1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409r1.py
deleted file mode 100644
index 0090d9ae..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect409r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT409R1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571k1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571k1.py
deleted file mode 100644
index 3566de8c..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571k1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT571K1)
diff --git a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571r1.py b/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571r1.py
deleted file mode 100644
index ce7496e7..00000000
--- a/tests/unit/rules/python/cryptography/examples/ec_generate_private_key_sect571r1.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import ec
-
-
-ec.generate_private_key(ec.SECT571R1)
diff --git a/tests/unit/rules/python/cryptography/examples/hashes_md5.py b/tests/unit/rules/python/cryptography/examples/hashes_md5.py
deleted file mode 100644
index 029c892d..00000000
--- a/tests/unit/rules/python/cryptography/examples/hashes_md5.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 38
-# end_column: 41
-import cryptography
-
-
-cryptography.hazmat.primitives.hashes.MD5()
diff --git a/tests/unit/rules/python/cryptography/examples/hashes_sha1.py b/tests/unit/rules/python/cryptography/examples/hashes_sha1.py
deleted file mode 100644
index 35c28589..00000000
--- a/tests/unit/rules/python/cryptography/examples/hashes_sha1.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 7
-# end_column: 11
-from cryptography.hazmat.primitives import hashes
-
-
-hashes.SHA1()
diff --git a/tests/unit/rules/python/cryptography/examples/modes_ecb.py b/tests/unit/rules/python/cryptography/examples/modes_ecb.py
deleted file mode 100644
index d055dbcc..00000000
--- a/tests/unit/rules/python/cryptography/examples/modes_ecb.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# level: ERROR
-# start_line: 15
-# end_line: 15
-# start_column: 13
-# end_column: 16
-import os
-
-from cryptography.hazmat.primitives.ciphers import algorithms
-from cryptography.hazmat.primitives.ciphers import Cipher
-from cryptography.hazmat.primitives.ciphers import modes
-
-
-key = os.urandom(32)
-algorithm = algorithms.AES(key)
-mode = modes.ECB()
-cipher = Cipher(algorithm, mode=mode)
-encryptor = cipher.encryptor()
-ct = encryptor.update(b"a secret message") + encryptor.finalize()
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_1024.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_1024.py
deleted file mode 100644
index 036d1678..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 32
-# end_column: 36
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-rsa.generate_private_key(65537, 1024)
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_2048.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_2048.py
deleted file mode 100644
index a63e681d..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-rsa.generate_private_key(65537, 2048)
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_4096.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_4096.py
deleted file mode 100644
index e8c2b659..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-rsa.generate_private_key(65537, 4096)
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_1024.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_1024.py
deleted file mode 100644
index a2fad3d1..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 57
-# end_column: 61
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-rsa.generate_private_key(public_exponent=65537, key_size=1024)
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_2048.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_2048.py
deleted file mode 100644
index f3b33980..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-rsa.generate_private_key(public_exponent=65537, key_size=2048)
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_4096.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_4096.py
deleted file mode 100644
index 93b0c639..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_kwarg_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-rsa.generate_private_key(public_exponent=65537, key_size=4096)
diff --git a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_var_1024.py b/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_var_1024.py
deleted file mode 100644
index 4566d647..00000000
--- a/tests/unit/rules/python/cryptography/examples/rsa_generate_private_key_var_1024.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 11
-# end_line: 11
-# start_column: 42
-# end_column: 49
-from cryptography.hazmat.primitives.asymmetric import rsa
-
-
-public_exponent = 65537
-keysize = 1024
-rsa.generate_private_key(public_exponent, keysize)
diff --git a/tests/unit/rules/python/cryptography/test_cryptography_weak_cipher.py b/tests/unit/rules/python/cryptography/test_cryptography_weak_cipher.py
deleted file mode 100644
index d91df38a..00000000
--- a/tests/unit/rules/python/cryptography/test_cryptography_weak_cipher.py
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class CryptographyWeakCipherTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY502"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "cryptography",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual(
- "use_of_a_broken_or_risky_cryptographic_algorithm", rule.name
- )
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("327", rule.cwe.cwe_id)
diff --git a/tests/unit/rules/python/cryptography/test_cryptography_weak_cipher_mode.py b/tests/unit/rules/python/cryptography/test_cryptography_weak_cipher_mode.py
deleted file mode 100644
index 07336583..00000000
--- a/tests/unit/rules/python/cryptography/test_cryptography_weak_cipher_mode.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class CryptographyWeakCipherModeTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY503"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "cryptography",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("use_of_risky_cryptographic_cipher_mode", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("327", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "modes_ecb.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/cryptography/test_cryptography_weak_hash.py b/tests/unit/rules/python/cryptography/test_cryptography_weak_hash.py
deleted file mode 100644
index d36bcf57..00000000
--- a/tests/unit/rules/python/cryptography/test_cryptography_weak_hash.py
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class CryptographyWeakHashTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY504"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "cryptography",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("reversible_one_way_hash", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("328", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "hashes_md5.py",
- "hashes_sha1.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/cryptography/test_cryptography_weak_key.py b/tests/unit/rules/python/cryptography/test_cryptography_weak_key.py
deleted file mode 100644
index 4188da94..00000000
--- a/tests/unit/rules/python/cryptography/test_cryptography_weak_key.py
+++ /dev/null
@@ -1,102 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class CryptographyWeakKeyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY505"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "cryptography",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("inadequate_encryption_strength", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("326", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "dsa_generate_parameters_1024.py",
- "dsa_generate_parameters_2048.py",
- "dsa_generate_parameters_4096.py",
- "dsa_generate_parameters_kwarg_1024.py",
- "dsa_generate_parameters_kwarg_2048.py",
- "dsa_generate_parameters_kwarg_4096.py",
- "dsa_generate_parameters_var_1024.py",
- "dsa_generate_private_key_1024.py",
- "dsa_generate_private_key_2048.py",
- "dsa_generate_private_key_4096.py",
- "dsa_generate_private_key_kwarg_1024.py",
- "dsa_generate_private_key_kwarg_2048.py",
- "dsa_generate_private_key_kwarg_4096.py",
- "dsa_generate_private_key_var_1024.py",
- "ec_derive_private_key_brainpoolp256r1.py",
- "ec_derive_private_key_brainpoolp384r1.py",
- "ec_derive_private_key_brainpoolp512r1.py",
- "ec_derive_private_key_secp192r1.py",
- "ec_derive_private_key_secp224r1.py",
- "ec_derive_private_key_secp256k1.py",
- "ec_derive_private_key_secp256r1.py",
- "ec_derive_private_key_secp384r1.py",
- "ec_derive_private_key_secp521r1.py",
- "ec_derive_private_key_sect163k1.py",
- "ec_derive_private_key_sect163r2.py",
- "ec_derive_private_key_sect233k1.py",
- "ec_derive_private_key_sect233r1.py",
- "ec_derive_private_key_sect283k1.py",
- "ec_derive_private_key_sect283r1.py",
- "ec_derive_private_key_sect409k1.py",
- "ec_derive_private_key_sect409r1.py",
- "ec_derive_private_key_sect571k1.py",
- "ec_derive_private_key_sect571r1.py",
- "ec_generate_private_key_brainpoolp256r1.py",
- "ec_generate_private_key_brainpoolp384r1.py",
- "ec_generate_private_key_brainpoolp512r1.py",
- "ec_generate_private_key_secp192r1.py",
- "ec_generate_private_key_secp224r1.py",
- "ec_generate_private_key_secp256k1.py",
- "ec_generate_private_key_secp256r1.py",
- "ec_generate_private_key_secp384r1.py",
- "ec_generate_private_key_secp521r1.py",
- "ec_generate_private_key_sect163k1.py",
- "ec_generate_private_key_sect163r2.py",
- "ec_generate_private_key_sect233k1.py",
- "ec_generate_private_key_sect233r1.py",
- "ec_generate_private_key_sect283k1.py",
- "ec_generate_private_key_sect283r1.py",
- "ec_generate_private_key_sect409k1.py",
- "ec_generate_private_key_sect409r1.py",
- "ec_generate_private_key_sect571k1.py",
- "ec_generate_private_key_sect571r1.py",
- "rsa_generate_private_key_1024.py",
- "rsa_generate_private_key_2048.py",
- "rsa_generate_private_key_4096.py",
- "rsa_generate_private_key_kwarg_1024.py",
- "rsa_generate_private_key_kwarg_2048.py",
- "rsa_generate_private_key_kwarg_4096.py",
- "rsa_generate_private_key_var_1024.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/dill/__init__.py b/tests/unit/rules/python/dill/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/dill/examples/dill_load.py b/tests/unit/rules/python/dill/examples/dill_load.py
deleted file mode 100644
index 3c90334c..00000000
--- a/tests/unit/rules/python/dill/examples/dill_load.py
+++ /dev/null
@@ -1,14 +0,0 @@
-# level: WARNING
-# start_line: 14
-# end_line: 14
-# start_column: 0
-# end_column: 9
-import io
-
-import dill
-
-
-file_obj = io.BytesIO()
-dill.dump([1, 2, "3"], file_obj)
-file_obj.seek(0)
-dill.load(file_obj)
diff --git a/tests/unit/rules/python/dill/examples/dill_loads.py b/tests/unit/rules/python/dill/examples/dill_loads.py
deleted file mode 100644
index cd686418..00000000
--- a/tests/unit/rules/python/dill/examples/dill_loads.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: WARNING
-# start_line: 10
-# end_line: 10
-# start_column: 0
-# end_column: 10
-import dill
-
-
-pick = dill.dumps({"a": "b", "c": "d"})
-dill.loads(pick)
diff --git a/tests/unit/rules/python/dill/examples/dill_unpickler.py b/tests/unit/rules/python/dill/examples/dill_unpickler.py
deleted file mode 100644
index b82de7ac..00000000
--- a/tests/unit/rules/python/dill/examples/dill_unpickler.py
+++ /dev/null
@@ -1,14 +0,0 @@
-# level: WARNING
-# start_line: 14
-# end_line: 14
-# start_column: 0
-# end_column: 14
-import io
-
-import dill
-
-
-file_obj = io.BytesIO()
-dill.dump([1, 2, "3"], file_obj)
-file_obj.seek(0)
-dill.Unpickler(file_obj).load()
diff --git a/tests/unit/rules/python/dill/test_dill_load.py b/tests/unit/rules/python/dill/test_dill_load.py
deleted file mode 100644
index 6ffdfa07..00000000
--- a/tests/unit/rules/python/dill/test_dill_load.py
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class DillLoadTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY506"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "dill",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("deserialization_of_untrusted_data", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("502", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "dill_load.py",
- "dill_loads.py",
- "dill_unpickler.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/httpx/__init__.py b/tests/unit/rules/python/httpx/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/httpx/examples/httpx_async_client_as_context_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_async_client_as_context_verify_false.py
deleted file mode 100644
index 92b9988c..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_async_client_as_context_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 36
-# end_column: 41
-import httpx
-
-
-async with httpx.AsyncClient(verify=False) as client:
- response = await client.get("https://localhost")
diff --git a/tests/unit/rules/python/httpx/examples/httpx_async_client_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_async_client_verify_false.py
deleted file mode 100644
index c8eed6eb..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_async_client_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 34
-# end_column: 39
-import httpx
-
-
-client = httpx.AsyncClient(verify=False)
-response = client.get("https://localhost")
diff --git a/tests/unit/rules/python/httpx/examples/httpx_client_as_context_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_client_as_context_verify_false.py
deleted file mode 100644
index 8364d669..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_client_as_context_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 25
-# end_column: 30
-import httpx
-
-
-with httpx.Client(verify=False) as client:
- response = client.get("https://localhost")
diff --git a/tests/unit/rules/python/httpx/examples/httpx_client_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_client_verify_false.py
deleted file mode 100644
index 3ec47981..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_client_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 29
-# end_column: 34
-import httpx
-
-
-client = httpx.Client(verify=False)
-response = client.get("https://localhost")
diff --git a/tests/unit/rules/python/httpx/examples/httpx_delete_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_delete_verify_false.py
deleted file mode 100644
index 673a8117..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_delete_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 41
-# end_column: 46
-import httpx
-
-
-httpx.delete("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_get_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_get_verify_false.py
deleted file mode 100644
index 814288fd..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_get_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 38
-# end_column: 43
-import httpx
-
-
-httpx.get("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_get_verify_true.py b/tests/unit/rules/python/httpx/examples/httpx_get_verify_true.py
deleted file mode 100644
index b16fa3e4..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_get_verify_true.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import httpx
-
-
-httpx.get("https://localhost", verify=True)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_get_verify_unset.py b/tests/unit/rules/python/httpx/examples/httpx_get_verify_unset.py
deleted file mode 100644
index 6ef9390d..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_get_verify_unset.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import httpx
-
-
-httpx.get("https://localhost")
diff --git a/tests/unit/rules/python/httpx/examples/httpx_head_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_head_verify_false.py
deleted file mode 100644
index 46e5f735..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_head_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 39
-# end_column: 44
-import httpx
-
-
-httpx.head("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_options_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_options_verify_false.py
deleted file mode 100644
index f69cb8f8..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_options_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 42
-# end_column: 47
-import httpx
-
-
-httpx.options("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_patch_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_patch_verify_false.py
deleted file mode 100644
index 32538f1b..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_patch_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 40
-# end_column: 45
-import httpx
-
-
-httpx.patch("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_post_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_post_verify_false.py
deleted file mode 100644
index 75cbf597..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_post_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 39
-# end_column: 44
-import httpx
-
-
-httpx.post("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_put_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_put_verify_false.py
deleted file mode 100644
index 52cf285b..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_put_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 38
-# end_column: 43
-import httpx
-
-
-httpx.put("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_request_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_request_verify_false.py
deleted file mode 100644
index 82d6151e..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_request_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 48
-# end_column: 53
-import httpx
-
-
-httpx.stream("GET", "https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/examples/httpx_stream_verify_false.py b/tests/unit/rules/python/httpx/examples/httpx_stream_verify_false.py
deleted file mode 100644
index c602b9e2..00000000
--- a/tests/unit/rules/python/httpx/examples/httpx_stream_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 41
-# end_column: 46
-import httpx
-
-
-httpx.stream("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/httpx/test_no_certificate_verify.py b/tests/unit/rules/python/httpx/test_no_certificate_verify.py
deleted file mode 100644
index a393d734..00000000
--- a/tests/unit/rules/python/httpx/test_no_certificate_verify.py
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class NoCertificateVerifyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY508"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "httpx",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("improper_certificate_validation", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("295", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "httpx_async_client_as_context_verify_false.py",
- "httpx_async_client_verify_false.py",
- "httpx_client_as_context_verify_false.py",
- "httpx_client_verify_false.py",
- "httpx_delete_verify_false.py",
- "httpx_get_verify_false.py",
- "httpx_get_verify_true.py",
- "httpx_get_verify_unset.py",
- "httpx_head_verify_false.py",
- "httpx_options_verify_false.py",
- "httpx_patch_verify_false.py",
- "httpx_post_verify_false.py",
- "httpx_put_verify_false.py",
- "httpx_request_verify_false.py",
- "httpx_stream_verify_false.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/jsonpickle/__init__.py b/tests/unit/rules/python/jsonpickle/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/jsonpickle/examples/jsonpickle_decode.py b/tests/unit/rules/python/jsonpickle/examples/jsonpickle_decode.py
deleted file mode 100644
index e32b40ff..00000000
--- a/tests/unit/rules/python/jsonpickle/examples/jsonpickle_decode.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: WARNING
-# start_line: 10
-# end_line: 10
-# start_column: 0
-# end_column: 17
-import jsonpickle
-
-
-pick = jsonpickle.encode({"a": "b", "c": "d"})
-jsonpickle.decode(pick)
diff --git a/tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_decode.py b/tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_decode.py
deleted file mode 100644
index efa0058e..00000000
--- a/tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_decode.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: WARNING
-# start_line: 10
-# end_line: 10
-# start_column: 0
-# end_column: 27
-import jsonpickle
-
-
-pick = jsonpickle.encode({"a": "b", "c": "d"})
-jsonpickle.unpickler.decode(pick)
diff --git a/tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_unpickler.py b/tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_unpickler.py
deleted file mode 100644
index e1fb04a2..00000000
--- a/tests/unit/rules/python/jsonpickle/examples/jsonpickle_unpickler_unpickler.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: WARNING
-# start_line: 10
-# end_line: 10
-# start_column: 0
-# end_column: 30
-import jsonpickle
-
-
-pick = jsonpickle.encode({"a": "b", "c": "d"})
-jsonpickle.unpickler.Unpickler().restore(pick)
diff --git a/tests/unit/rules/python/jsonpickle/test_jsonpickle_decode.py b/tests/unit/rules/python/jsonpickle/test_jsonpickle_decode.py
deleted file mode 100644
index c96e25ad..00000000
--- a/tests/unit/rules/python/jsonpickle/test_jsonpickle_decode.py
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class JsonPickleDecodeTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY509"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "jsonpickle",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("deserialization_of_untrusted_data", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("502", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "jsonpickle_decode.py",
- "jsonpickle_unpickler_decode.py",
- "jsonpickle_unpickler_unpickler.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pandas/__init__.py b/tests/unit/rules/python/pandas/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/pandas/examples/pandas_read_pickle.py b/tests/unit/rules/python/pandas/examples/pandas_read_pickle.py
deleted file mode 100644
index 31ba45a1..00000000
--- a/tests/unit/rules/python/pandas/examples/pandas_read_pickle.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: WARNING
-# start_line: 13
-# end_line: 13
-# start_column: 0
-# end_column: 14
-import pickle
-
-import pandas as pd
-
-
-df = pd.DataFrame({"col_A": [1, 2]})
-pick = pickle.dumps(df)
-pd.read_pickle(pick)
diff --git a/tests/unit/rules/python/pandas/test_pandas_read_pickle.py b/tests/unit/rules/python/pandas/test_pandas_read_pickle.py
deleted file mode 100644
index 4a3cc19c..00000000
--- a/tests/unit/rules/python/pandas/test_pandas_read_pickle.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PandasReadPickleTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY511"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pandas",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("deserialization_of_untrusted_data", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("502", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "pandas_read_pickle.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/paramiko/__init__.py b/tests/unit/rules/python/paramiko/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy.py b/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy.py
deleted file mode 100644
index 8458b27d..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 46
-# end_column: 59
-from paramiko import client
-
-
-ssh_client = client.SSHClient()
-ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_import_paramiko.py b/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_import_paramiko.py
deleted file mode 100644
index 96853f9d..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_import_paramiko.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 48
-# end_column: 61
-import paramiko
-
-
-ssh_client = paramiko.SSHClient()
-ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy)
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_in_func.py b/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_in_func.py
deleted file mode 100644
index e7f34f45..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_in_func.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: NONE
-from paramiko import client
-
-
-def init_ssh_client(ssh):
- ssh.set_missing_host_key_policy(client.AutoAddPolicy)
-
-
-ssh_client = client.SSHClient()
-init_ssh_client(ssh_client)
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_kwarg.py b/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_kwarg.py
deleted file mode 100644
index 9502d6f8..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_kwarg.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 53
-# end_column: 66
-from paramiko import client
-
-
-ssh_client = client.SSHClient()
-ssh_client.set_missing_host_key_policy(policy=client.AutoAddPolicy)
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_single_statement.py b/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_single_statement.py
deleted file mode 100644
index aaddd343..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_single_statement.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 54
-# end_column: 67
-from paramiko import client
-
-
-client.SSHClient().set_missing_host_key_policy(client.AutoAddPolicy)
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_walrus.py b/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_walrus.py
deleted file mode 100644
index 980a3060..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_auto_add_policy_walrus.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 50
-# end_column: 63
-from paramiko import client
-
-
-if (ssh_client := client.SSHClient()) is not None:
- ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
diff --git a/tests/unit/rules/python/paramiko/examples/host_key_warning_policy_single_statement.py b/tests/unit/rules/python/paramiko/examples/host_key_warning_policy_single_statement.py
deleted file mode 100644
index 0c7f8919..00000000
--- a/tests/unit/rules/python/paramiko/examples/host_key_warning_policy_single_statement.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 54
-# end_column: 67
-from paramiko import client
-
-
-client.SSHClient().set_missing_host_key_policy(client.WarningPolicy)
diff --git a/tests/unit/rules/python/paramiko/test_host_key_policy.py b/tests/unit/rules/python/paramiko/test_host_key_policy.py
deleted file mode 100644
index efc413fb..00000000
--- a/tests/unit/rules/python/paramiko/test_host_key_policy.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class HostKeyPolicyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY512"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "paramiko",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("improper_certificate_validation", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("295", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "host_key_auto_add_policy.py",
- "host_key_auto_add_policy_import_paramiko.py",
- "host_key_auto_add_policy_in_func.py",
- "host_key_auto_add_policy_kwarg.py",
- "host_key_auto_add_policy_single_statement.py",
- "host_key_auto_add_policy_walrus.py",
- "host_key_warning_policy_single_statement.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pycrypto/__init__.py b/tests/unit/rules/python/pycrypto/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/pycrypto/examples/cipher_arc2.py b/tests/unit/rules/python/pycrypto/examples/cipher_arc2.py
deleted file mode 100644
index 3ee47646..00000000
--- a/tests/unit/rules/python/pycrypto/examples/cipher_arc2.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 14
-# end_column: 17
-from Crypto import Random
-from Crypto.Cipher import ARC2
-from Crypto.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = ARC2.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycrypto/examples/cipher_arc4.py b/tests/unit/rules/python/pycrypto/examples/cipher_arc4.py
deleted file mode 100644
index 884ec6a9..00000000
--- a/tests/unit/rules/python/pycrypto/examples/cipher_arc4.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 14
-# end_column: 17
-from Crypto import Random
-from Crypto.Cipher import ARC4
-from Crypto.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = ARC4.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycrypto/examples/cipher_blowfish.py b/tests/unit/rules/python/pycrypto/examples/cipher_blowfish.py
deleted file mode 100644
index e9b7ef0d..00000000
--- a/tests/unit/rules/python/pycrypto/examples/cipher_blowfish.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 18
-# end_column: 21
-from Crypto import Random
-from Crypto.Cipher import Blowfish
-from Crypto.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = Blowfish.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycrypto/examples/cipher_des.py b/tests/unit/rules/python/pycrypto/examples/cipher_des.py
deleted file mode 100644
index a8fb4307..00000000
--- a/tests/unit/rules/python/pycrypto/examples/cipher_des.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 13
-# end_column: 16
-from Crypto import Random
-from Crypto.Cipher import DES
-from Crypto.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = DES.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycrypto/examples/cipher_xor.py b/tests/unit/rules/python/pycrypto/examples/cipher_xor.py
deleted file mode 100644
index d9a9cd0c..00000000
--- a/tests/unit/rules/python/pycrypto/examples/cipher_xor.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 13
-# end_column: 16
-from Crypto import Random
-from Crypto.Cipher import XOR
-from Crypto.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = XOR.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycrypto/examples/dsa_generate_1024.py b/tests/unit/rules/python/pycrypto/examples/dsa_generate_1024.py
deleted file mode 100644
index 259bb365..00000000
--- a/tests/unit/rules/python/pycrypto/examples/dsa_generate_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 19
-# end_column: 23
-from Crypto.PublicKey import DSA
-
-
-key = DSA.generate(1024)
diff --git a/tests/unit/rules/python/pycrypto/examples/dsa_generate_2048.py b/tests/unit/rules/python/pycrypto/examples/dsa_generate_2048.py
deleted file mode 100644
index 8bd021a9..00000000
--- a/tests/unit/rules/python/pycrypto/examples/dsa_generate_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Crypto.PublicKey import DSA
-
-
-key = DSA.generate(2048)
diff --git a/tests/unit/rules/python/pycrypto/examples/dsa_generate_4096.py b/tests/unit/rules/python/pycrypto/examples/dsa_generate_4096.py
deleted file mode 100644
index ccec5e7a..00000000
--- a/tests/unit/rules/python/pycrypto/examples/dsa_generate_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Crypto.PublicKey import DSA
-
-
-key = DSA.generate(4096)
diff --git a/tests/unit/rules/python/pycrypto/examples/hash_md2.py b/tests/unit/rules/python/pycrypto/examples/hash_md2.py
deleted file mode 100644
index 37324dec..00000000
--- a/tests/unit/rules/python/pycrypto/examples/hash_md2.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Crypto.Hash import MD2
-
-
-h = MD2.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycrypto/examples/hash_md4.py b/tests/unit/rules/python/pycrypto/examples/hash_md4.py
deleted file mode 100644
index d1d18ad7..00000000
--- a/tests/unit/rules/python/pycrypto/examples/hash_md4.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Crypto.Hash import MD4
-
-
-h = MD4.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycrypto/examples/hash_md5.py b/tests/unit/rules/python/pycrypto/examples/hash_md5.py
deleted file mode 100644
index 1bdf3773..00000000
--- a/tests/unit/rules/python/pycrypto/examples/hash_md5.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Crypto.Hash import MD5
-
-
-h = MD5.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycrypto/examples/hash_ripemd.py b/tests/unit/rules/python/pycrypto/examples/hash_ripemd.py
deleted file mode 100644
index 08c659ec..00000000
--- a/tests/unit/rules/python/pycrypto/examples/hash_ripemd.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 14
-from Crypto.Hash import RIPEMD
-
-
-h = RIPEMD.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycrypto/examples/hash_sha.py b/tests/unit/rules/python/pycrypto/examples/hash_sha.py
deleted file mode 100644
index 8b7a5768..00000000
--- a/tests/unit/rules/python/pycrypto/examples/hash_sha.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Crypto.Hash import SHA
-
-
-h = SHA.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycrypto/examples/rsa_generate_1024.py b/tests/unit/rules/python/pycrypto/examples/rsa_generate_1024.py
deleted file mode 100644
index 802ad02e..00000000
--- a/tests/unit/rules/python/pycrypto/examples/rsa_generate_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 19
-# end_column: 23
-from Crypto.PublicKey import RSA
-
-
-key = RSA.generate(1024)
diff --git a/tests/unit/rules/python/pycrypto/examples/rsa_generate_2048.py b/tests/unit/rules/python/pycrypto/examples/rsa_generate_2048.py
deleted file mode 100644
index c91f6df4..00000000
--- a/tests/unit/rules/python/pycrypto/examples/rsa_generate_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Crypto.PublicKey import RSA
-
-
-key = RSA.generate(2048)
diff --git a/tests/unit/rules/python/pycrypto/examples/rsa_generate_4096.py b/tests/unit/rules/python/pycrypto/examples/rsa_generate_4096.py
deleted file mode 100644
index 155ac5a5..00000000
--- a/tests/unit/rules/python/pycrypto/examples/rsa_generate_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Crypto.PublicKey import RSA
-
-
-key = RSA.generate(4096)
diff --git a/tests/unit/rules/python/pycrypto/test_pycrypto_weak_cipher.py b/tests/unit/rules/python/pycrypto/test_pycrypto_weak_cipher.py
deleted file mode 100644
index 1b90c9d2..00000000
--- a/tests/unit/rules/python/pycrypto/test_pycrypto_weak_cipher.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PycryptoWeakCipherTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY513"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pycrypto",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual(
- "use_of_a_broken_or_risky_cryptographic_algorithm", rule.name
- )
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("327", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "cipher_arc2.py",
- "cipher_arc4.py",
- "cipher_blowfish.py",
- "cipher_des.py",
- "cipher_xor.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pycrypto/test_pycrypto_weak_hash.py b/tests/unit/rules/python/pycrypto/test_pycrypto_weak_hash.py
deleted file mode 100644
index 517d952b..00000000
--- a/tests/unit/rules/python/pycrypto/test_pycrypto_weak_hash.py
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PycryptoWeakCipherTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY514"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pycrypto",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("reversible_one_way_hash", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("328", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "hash_md2.py",
- "hash_md4.py",
- "hash_md5.py",
- "hash_ripemd.py",
- "hash_sha.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pycrypto/test_pycrypto_weak_key.py b/tests/unit/rules/python/pycrypto/test_pycrypto_weak_key.py
deleted file mode 100644
index 75176357..00000000
--- a/tests/unit/rules/python/pycrypto/test_pycrypto_weak_key.py
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PycryptoWeakKeyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY515"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pycrypto",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("inadequate_encryption_strength", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("326", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "dsa_generate_1024.py",
- "dsa_generate_2048.py",
- "dsa_generate_4096.py",
- "rsa_generate_1024.py",
- "rsa_generate_2048.py",
- "rsa_generate_4096.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pycryptodomex/__init__.py b/tests/unit/rules/python/pycryptodomex/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/pycryptodomex/examples/cipher_arc2.py b/tests/unit/rules/python/pycryptodomex/examples/cipher_arc2.py
deleted file mode 100644
index 823a4d25..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/cipher_arc2.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 14
-# end_column: 17
-from Cryptodome import Random
-from Cryptodome.Cipher import ARC2
-from Cryptodome.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = ARC2.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycryptodomex/examples/cipher_arc4.py b/tests/unit/rules/python/pycryptodomex/examples/cipher_arc4.py
deleted file mode 100644
index 8a0d1b41..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/cipher_arc4.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 14
-# end_column: 17
-from Cryptodome import Random
-from Cryptodome.Cipher import ARC4
-from Cryptodome.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = ARC4.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycryptodomex/examples/cipher_blowfish.py b/tests/unit/rules/python/pycryptodomex/examples/cipher_blowfish.py
deleted file mode 100644
index e98666ad..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/cipher_blowfish.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 18
-# end_column: 21
-from Cryptodome import Random
-from Cryptodome.Cipher import Blowfish
-from Cryptodome.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = Blowfish.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycryptodomex/examples/cipher_des.py b/tests/unit/rules/python/pycryptodomex/examples/cipher_des.py
deleted file mode 100644
index 08f1bcca..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/cipher_des.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 13
-# end_column: 16
-from Cryptodome import Random
-from Cryptodome.Cipher import DES
-from Cryptodome.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = DES.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycryptodomex/examples/cipher_xor.py b/tests/unit/rules/python/pycryptodomex/examples/cipher_xor.py
deleted file mode 100644
index a3653e10..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/cipher_xor.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# level: ERROR
-# start_line: 14
-# end_line: 14
-# start_column: 13
-# end_column: 16
-from Cryptodome import Random
-from Cryptodome.Cipher import XOR
-from Cryptodome.Hash import SHA
-
-
-key = b"Very long and confidential key"
-nonce = Random.new().read(16)
-tempkey = SHA.new(key + nonce).digest()
-cipher = XOR.new(tempkey)
-msg = nonce + cipher.encrypt(b"Open the pod bay doors, HAL")
diff --git a/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_1024.py b/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_1024.py
deleted file mode 100644
index 2eaf3242..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 19
-# end_column: 23
-from Cryptodome.PublicKey import DSA
-
-
-key = DSA.generate(1024)
diff --git a/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_2048.py b/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_2048.py
deleted file mode 100644
index 7890ed91..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Cryptodome.PublicKey import DSA
-
-
-key = DSA.generate(2048)
diff --git a/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_4096.py b/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_4096.py
deleted file mode 100644
index 69b424b5..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/dsa_generate_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Cryptodome.PublicKey import DSA
-
-
-key = DSA.generate(4096)
diff --git a/tests/unit/rules/python/pycryptodomex/examples/hash_md2.py b/tests/unit/rules/python/pycryptodomex/examples/hash_md2.py
deleted file mode 100644
index 010aca49..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/hash_md2.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Cryptodome.Hash import MD2
-
-
-h = MD2.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycryptodomex/examples/hash_md4.py b/tests/unit/rules/python/pycryptodomex/examples/hash_md4.py
deleted file mode 100644
index 89831210..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/hash_md4.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Cryptodome.Hash import MD4
-
-
-h = MD4.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycryptodomex/examples/hash_md5.py b/tests/unit/rules/python/pycryptodomex/examples/hash_md5.py
deleted file mode 100644
index 61f0b089..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/hash_md5.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Cryptodome.Hash import MD5
-
-
-h = MD5.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycryptodomex/examples/hash_ripemd.py b/tests/unit/rules/python/pycryptodomex/examples/hash_ripemd.py
deleted file mode 100644
index 13ec60d9..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/hash_ripemd.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 14
-from Cryptodome.Hash import RIPEMD
-
-
-h = RIPEMD.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycryptodomex/examples/hash_sha.py b/tests/unit/rules/python/pycryptodomex/examples/hash_sha.py
deleted file mode 100644
index 760a48c7..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/hash_sha.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 4
-# end_column: 11
-from Cryptodome.Hash import SHA
-
-
-h = SHA.new()
-h.update(b"Hello")
-h.hexdigest()
diff --git a/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_1024.py b/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_1024.py
deleted file mode 100644
index 4f02a8e9..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 19
-# end_column: 23
-from Cryptodome.PublicKey import RSA
-
-
-key = RSA.generate(1024)
diff --git a/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_2048.py b/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_2048.py
deleted file mode 100644
index 35f0d2d6..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Cryptodome.PublicKey import RSA
-
-
-key = RSA.generate(2048)
diff --git a/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_4096.py b/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_4096.py
deleted file mode 100644
index db374791..00000000
--- a/tests/unit/rules/python/pycryptodomex/examples/rsa_generate_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from Cryptodome.PublicKey import RSA
-
-
-key = RSA.generate(4096)
diff --git a/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_cipher.py b/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_cipher.py
deleted file mode 100644
index 9000d4b3..00000000
--- a/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_cipher.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PycryptodomexWeakCipherTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY516"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pycryptodomex",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual(
- "use_of_a_broken_or_risky_cryptographic_algorithm", rule.name
- )
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("327", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "cipher_arc2.py",
- "cipher_arc4.py",
- "cipher_blowfish.py",
- "cipher_des.py",
- "cipher_xor.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_hash.py b/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_hash.py
deleted file mode 100644
index 0eea678f..00000000
--- a/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_hash.py
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PycryptodomexWeakCipherTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY517"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pycryptodomex",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("reversible_one_way_hash", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("328", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "hash_md2.py",
- "hash_md4.py",
- "hash_md5.py",
- "hash_ripemd.py",
- "hash_sha.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_key.py b/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_key.py
deleted file mode 100644
index bf4fb33e..00000000
--- a/tests/unit/rules/python/pycryptodomex/test_pycryptodomex_weak_key.py
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PycryptodomexWeakKeyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY518"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pycryptodomex",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("inadequate_encryption_strength", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("326", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "dsa_generate_1024.py",
- "dsa_generate_2048.py",
- "dsa_generate_4096.py",
- "rsa_generate_1024.py",
- "rsa_generate_2048.py",
- "rsa_generate_4096.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pyghmi/__init__.py b/tests/unit/rules/python/pyghmi/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/pyghmi/examples/command_command.py b/tests/unit/rules/python/pyghmi/examples/command_command.py
deleted file mode 100644
index d11a0622..00000000
--- a/tests/unit/rules/python/pyghmi/examples/command_command.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 6
-# end_column: 21
-from pyghmi.ipmi import command
-
-
-cmd = command.Command(
- bmc="bmc",
- userid="userid",
- password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK",
-)
diff --git a/tests/unit/rules/python/pyghmi/examples/command_command_no_password.py b/tests/unit/rules/python/pyghmi/examples/command_command_no_password.py
deleted file mode 100644
index 77e3a8ab..00000000
--- a/tests/unit/rules/python/pyghmi/examples/command_command_no_password.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 6
-# end_column: 21
-from pyghmi.ipmi import command
-
-
-cmd = command.Command(bmc="bmc")
diff --git a/tests/unit/rules/python/pyghmi/examples/command_console.py b/tests/unit/rules/python/pyghmi/examples/command_console.py
deleted file mode 100644
index 86df816f..00000000
--- a/tests/unit/rules/python/pyghmi/examples/command_console.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 6
-# end_column: 21
-from pyghmi.ipmi import command
-
-
-cmd = command.Console(
- bmc="bmc",
- userid="userid",
- password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK",
-)
diff --git a/tests/unit/rules/python/pyghmi/examples/command_console_no_password.py b/tests/unit/rules/python/pyghmi/examples/command_console_no_password.py
deleted file mode 100644
index 1f7cd3fb..00000000
--- a/tests/unit/rules/python/pyghmi/examples/command_console_no_password.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: WARNING
-# start_line: 9
-# end_line: 9
-# start_column: 6
-# end_column: 21
-from pyghmi.ipmi import command
-
-
-cmd = command.Console(bmc="bmc")
diff --git a/tests/unit/rules/python/pyghmi/test_pyghmi_cleartext.py b/tests/unit/rules/python/pyghmi/test_pyghmi_cleartext.py
deleted file mode 100644
index 782aacfd..00000000
--- a/tests/unit/rules/python/pyghmi/test_pyghmi_cleartext.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PyghmiCleartextTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY519"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pyghmi",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("cleartext_transmission", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("319", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "command_command.py",
- "command_command_no_password.py",
- "command_console.py",
- "command_console_no_password.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pyopenssl/__init__.py b/tests/unit/rules/python/pyopenssl/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_1024.py b/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_1024.py
deleted file mode 100644
index 9731ab5b..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 54
-# end_column: 58
-from OpenSSL import crypto
-
-
-crypto.PKey().generate_key(type=crypto.TYPE_DSA, bits=1024)
diff --git a/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_2048.py b/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_2048.py
deleted file mode 100644
index a7f6ddff..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from OpenSSL import crypto
-
-
-crypto.PKey().generate_key(type=crypto.TYPE_DSA, bits=2048)
diff --git a/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_4096.py b/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_4096.py
deleted file mode 100644
index d6b90f0a..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/generate_key_dsa_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from OpenSSL import crypto
-
-
-crypto.PKey().generate_key(type=crypto.TYPE_DSA, bits=4096)
diff --git a/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_1024.py b/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_1024.py
deleted file mode 100644
index c3e15d7a..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_1024.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 54
-# end_column: 58
-from OpenSSL import crypto
-
-
-crypto.PKey().generate_key(type=crypto.TYPE_RSA, bits=1024)
diff --git a/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_2048.py b/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_2048.py
deleted file mode 100644
index ef34e02d..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_2048.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from OpenSSL import crypto
-
-
-crypto.PKey().generate_key(type=crypto.TYPE_RSA, bits=2048)
diff --git a/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_4096.py b/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_4096.py
deleted file mode 100644
index 04f09d8b..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/generate_key_rsa_4096.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-from OpenSSL import crypto
-
-
-crypto.PKey().generate_key(type=crypto.TYPE_RSA, bits=4096)
diff --git a/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv2.py b/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv2.py
deleted file mode 100644
index 504a4d73..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv2.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 39
-# end_column: 51
-import OpenSSL
-
-
-OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv2_METHOD)
diff --git a/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv23.py b/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv23.py
deleted file mode 100644
index f8b17138..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv23.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import OpenSSL
-
-
-OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv23_METHOD)
diff --git a/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv3.py b/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv3.py
deleted file mode 100644
index 62d9c192..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/ssl_context_sslv3.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 39
-# end_column: 51
-import OpenSSL
-
-
-OpenSSL.SSL.Context(method=OpenSSL.SSL.SSLv3_METHOD)
diff --git a/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv1.py b/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv1.py
deleted file mode 100644
index 20558436..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv1.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 39
-# end_column: 51
-import OpenSSL
-
-
-OpenSSL.SSL.Context(method=OpenSSL.SSL.TLSv1_METHOD)
diff --git a/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv11.py b/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv11.py
deleted file mode 100644
index 7c4d495b..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv11.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 39
-# end_column: 53
-import OpenSSL
-
-
-OpenSSL.SSL.Context(method=OpenSSL.SSL.TLSv1_1_METHOD)
diff --git a/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv12.py b/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv12.py
deleted file mode 100644
index daac7227..00000000
--- a/tests/unit/rules/python/pyopenssl/examples/ssl_context_tlsv12.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import OpenSSL
-
-
-OpenSSL.SSL.Context(method=OpenSSL.SSL.TLSv1_2_METHOD)
diff --git a/tests/unit/rules/python/pyopenssl/test_pyopenssl_weak_key.py b/tests/unit/rules/python/pyopenssl/test_pyopenssl_weak_key.py
deleted file mode 100644
index ff4b3b91..00000000
--- a/tests/unit/rules/python/pyopenssl/test_pyopenssl_weak_key.py
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class PyopensslWeakKeyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY521"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pyopenssl",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("inadequate_encryption_strength", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("326", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "generate_key_dsa_1024.py",
- "generate_key_dsa_2048.py",
- "generate_key_dsa_4096.py",
- "generate_key_rsa_1024.py",
- "generate_key_rsa_2048.py",
- "generate_key_rsa_4096.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/pyopenssl/test_ssl_context.py b/tests/unit/rules/python/pyopenssl/test_ssl_context.py
deleted file mode 100644
index 528bbd6b..00000000
--- a/tests/unit/rules/python/pyopenssl/test_ssl_context.py
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class SslContextTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY520"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "pyopenssl",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("inadequate_encryption_strength", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("326", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "ssl_context_sslv2.py",
- "ssl_context_sslv23.py",
- "ssl_context_sslv3.py",
- "ssl_context_tlsv1.py",
- "ssl_context_tlsv11.py",
- "ssl_context_tlsv12.py",
- ]
- )
- def test(self, filename):
- self.check(filename)
diff --git a/tests/unit/rules/python/requests/__init__.py b/tests/unit/rules/python/requests/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/tests/unit/rules/python/requests/examples/requests_delete_verify_false.py b/tests/unit/rules/python/requests/examples/requests_delete_verify_false.py
deleted file mode 100644
index ad69584b..00000000
--- a/tests/unit/rules/python/requests/examples/requests_delete_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 44
-# end_column: 49
-import requests
-
-
-requests.delete("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_get_verify_as_var.py b/tests/unit/rules/python/requests/examples/requests_get_verify_as_var.py
deleted file mode 100644
index a9a149df..00000000
--- a/tests/unit/rules/python/requests/examples/requests_get_verify_as_var.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 41
-# end_column: 47
-import requests
-
-
-verify = False
-requests.get("https://localhost", verify=verify)
diff --git a/tests/unit/rules/python/requests/examples/requests_get_verify_false.py b/tests/unit/rules/python/requests/examples/requests_get_verify_false.py
deleted file mode 100644
index 7e639ac4..00000000
--- a/tests/unit/rules/python/requests/examples/requests_get_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 41
-# end_column: 46
-import requests
-
-
-requests.get("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_get_verify_true.py b/tests/unit/rules/python/requests/examples/requests_get_verify_true.py
deleted file mode 100644
index 21776531..00000000
--- a/tests/unit/rules/python/requests/examples/requests_get_verify_true.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import requests
-
-
-requests.get("https://localhost", verify=True)
diff --git a/tests/unit/rules/python/requests/examples/requests_get_verify_unset.py b/tests/unit/rules/python/requests/examples/requests_get_verify_unset.py
deleted file mode 100644
index e494dad2..00000000
--- a/tests/unit/rules/python/requests/examples/requests_get_verify_unset.py
+++ /dev/null
@@ -1,5 +0,0 @@
-# level: NONE
-import requests
-
-
-requests.get("https://localhost")
diff --git a/tests/unit/rules/python/requests/examples/requests_head_verify_false.py b/tests/unit/rules/python/requests/examples/requests_head_verify_false.py
deleted file mode 100644
index d10f1b9c..00000000
--- a/tests/unit/rules/python/requests/examples/requests_head_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 42
-# end_column: 47
-import requests
-
-
-requests.head("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_options_verify_false.py b/tests/unit/rules/python/requests/examples/requests_options_verify_false.py
deleted file mode 100644
index 507f8dfd..00000000
--- a/tests/unit/rules/python/requests/examples/requests_options_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 45
-# end_column: 50
-import requests
-
-
-requests.options("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_patch_verify_false.py b/tests/unit/rules/python/requests/examples/requests_patch_verify_false.py
deleted file mode 100644
index 9af8f345..00000000
--- a/tests/unit/rules/python/requests/examples/requests_patch_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 43
-# end_column: 48
-import requests
-
-
-requests.patch("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_post_verify_false.py b/tests/unit/rules/python/requests/examples/requests_post_verify_false.py
deleted file mode 100644
index cca5860b..00000000
--- a/tests/unit/rules/python/requests/examples/requests_post_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 42
-# end_column: 47
-import requests
-
-
-requests.post("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_put_verify_false.py b/tests/unit/rules/python/requests/examples/requests_put_verify_false.py
deleted file mode 100644
index 9acba96a..00000000
--- a/tests/unit/rules/python/requests/examples/requests_put_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 41
-# end_column: 46
-import requests
-
-
-requests.put("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_request_verify_false.py b/tests/unit/rules/python/requests/examples/requests_request_verify_false.py
deleted file mode 100644
index d249e2ee..00000000
--- a/tests/unit/rules/python/requests/examples/requests_request_verify_false.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# level: ERROR
-# start_line: 9
-# end_line: 9
-# start_column: 52
-# end_column: 57
-import requests
-
-
-requests.request("GET", "https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_as_context_get_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_as_context_get_verify_false.py
deleted file mode 100644
index 3862231f..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_as_context_get_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 44
-# end_column: 49
-import requests
-
-
-with requests.Session() as session:
- session.get("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_delete_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_delete_verify_false.py
deleted file mode 100644
index f8d2e31d..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_delete_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 43
-# end_column: 48
-import requests
-
-
-session = requests.Session()
-session.delete("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_get_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_get_verify_false.py
deleted file mode 100644
index 530220c2..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_get_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 40
-# end_column: 45
-import requests
-
-
-session = requests.Session()
-session.get("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_head_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_head_verify_false.py
deleted file mode 100644
index 5db62eed..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_head_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 41
-# end_column: 46
-import requests
-
-
-session = requests.Session()
-session.head("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_options_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_options_verify_false.py
deleted file mode 100644
index 665143b1..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_options_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 44
-# end_column: 49
-import requests
-
-
-session = requests.Session()
-session.options("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_patch_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_patch_verify_false.py
deleted file mode 100644
index 5652a7d2..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_patch_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 42
-# end_column: 47
-import requests
-
-
-session = requests.Session()
-session.patch("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_post_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_post_verify_false.py
deleted file mode 100644
index 018a98e2..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_post_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 41
-# end_column: 46
-import requests
-
-
-session = requests.Session()
-session.post("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_put_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_put_verify_false.py
deleted file mode 100644
index 082ff57c..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_put_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 40
-# end_column: 45
-import requests
-
-
-session = requests.Session()
-session.put("https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/examples/requests_session_request_verify_false.py b/tests/unit/rules/python/requests/examples/requests_session_request_verify_false.py
deleted file mode 100644
index 4ed0847a..00000000
--- a/tests/unit/rules/python/requests/examples/requests_session_request_verify_false.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# level: ERROR
-# start_line: 10
-# end_line: 10
-# start_column: 51
-# end_column: 56
-import requests
-
-
-session = requests.Session()
-session.request("GET", "https://localhost", verify=False)
diff --git a/tests/unit/rules/python/requests/test_no_certificate_verify.py b/tests/unit/rules/python/requests/test_no_certificate_verify.py
deleted file mode 100644
index 16a78ce4..00000000
--- a/tests/unit/rules/python/requests/test_no_certificate_verify.py
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 2023 Secure Saurce LLC
-import os
-
-from parameterized import parameterized
-
-from precli.core.level import Level
-from precli.parsers import python
-from precli.rules import Rule
-from tests.unit.rules import test_case
-
-
-class NoCertificateVerifyTests(test_case.TestCase):
- def setUp(self):
- super().setUp()
- self.rule_id = "PY523"
- self.parser = python.Python(enabled=[self.rule_id])
- self.base_path = os.path.join(
- "tests",
- "unit",
- "rules",
- "python",
- "requests",
- "examples",
- )
-
- def test_rule_meta(self):
- rule = Rule.get_by_id(self.rule_id)
- self.assertEqual(self.rule_id, rule.id)
- self.assertEqual("improper_certificate_validation", rule.name)
- self.assertEqual(
- f"https://docs.securesauce.dev/rules/{self.rule_id}", rule.help_url
- )
- self.assertEqual(True, rule.default_config.enabled)
- self.assertEqual(Level.WARNING, rule.default_config.level)
- self.assertEqual(-1.0, rule.default_config.rank)
- self.assertEqual("295", rule.cwe.cwe_id)
-
- @parameterized.expand(
- [
- "requests_delete_verify_false.py",
- "requests_get_verify_as_var.py",
- "requests_get_verify_false.py",
- "requests_get_verify_true.py",
- "requests_get_verify_unset.py",
- "requests_head_verify_false.py",
- "requests_options_verify_false.py",
- "requests_patch_verify_false.py",
- "requests_post_verify_false.py",
- "requests_put_verify_false.py",
- "requests_request_verify_false.py",
- "requests_session_as_context_get_verify_false.py",
- "requests_session_delete_verify_false.py",
- "requests_session_get_verify_false.py",
- "requests_session_head_verify_false.py",
- "requests_session_options_verify_false.py",
- "requests_session_patch_verify_false.py",
- "requests_session_post_verify_false.py",
- "requests_session_put_verify_false.py",
- "requests_session_request_verify_false.py",
- ]
- )
- def test(self, filename):
- self.check(filename)