Skip to content

mobbeitan/rules

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
semgrep/javascript/nodejs/express
semgrep/javascript/nodejs/express
 
 
Article.MD
Article.MD
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

How to contribute

Before you contribute start with a bit of research. Check if there are any rules for what you're about to add. You can see the entire rules set under /rules/<engine>/<language>/<framework>/, If no rule is found, let's get started.

[Important] Do not plagiarise other sources. While it's useful to read blogs and look at what others are doing, plagiarism will not be accepted.

1. Select a rule name and its folder

Our rules repo is set to hold rules to multiple different open-source engines. As such, the hierarchy we use to store the rules starts on the engine, followed by langauge, and framework (when applicable) each rule should be located in the folder of the framework it is written for. Make sure the name you pick for the rule is as descriptive as possible, this will make it easier for others to find that such a rule already exists.

e.g. for a detailed rule name, if you want to create rules for insecure issues related to the httponly attribute from a cookie when using cookie-parser in the express javascript framework using the semgrep engine one of your rule names can be nodejs-express-cookie-parser-cookie-no-httponly and it should be located under

|-- rules
|   -- semgrep                             <-- Same as the engine you chose
|       -- javascript                      <-- The language you're writting the rule for
|          -- nodejs                       <-- The framework you're writting the rule for
|             -- express                   <-- In this case, the rule is for a framework of a framework so adding another layer

as we encourage contributors to write rules that not only detect issues but can also fix them, you may have multiple rules for similar vulnerabilities to address different contexts and formatting styles. In these cases, you should re-use the message and metadata in the different rules.

2. Create your rule

When creating the rule, follow the guidelines provided for the open-source engine you want to use. It is very important to include a description of the problem and how to fix it with references to external resources such as a CWE and OWASP categorization.

Each rule should also incldue at least one good and bad code samples for testing. You can take a look at this rule and code for example.

About

No description, website, or topics provided.

Resources

Readme

License

LGPL-2.1 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 100.0%