Merge branch 'develop' into fix-run-as-non-root-security-context-pod-…

…level
semgrep · Dec 18, 2024 · dbe5d2b · dbe5d2b
2 parents 9c0540b + 1a75469
commit dbe5d2b
Show file tree

Hide file tree

Showing 94 changed files with 84 additions and 148 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -10,9 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v5
       with:
-        python-version: '3.7'
+        python-version: '3.10'
     - uses: pre-commit/[email protected]
       env:
         SKIP: yamlfmt
diff --git a/LICENSE b/LICENSE
@@ -1,11 +1 @@
-“Commons Clause” License Condition v1.0
-
-The Software is provided to you by the Licensor under the License, as defined below, subject to the following condition.
-
-Without limiting other conditions in the License, the grant of rights under the License will not include, and the License does not grant to you, the right to Sell the Software.
-
-For purposes of the foregoing, “Sell” means practicing any or all of the rights granted to you under the License to provide to third parties, for a fee or other consideration (including without limitation fees for hosting or consulting/ support services related to the Software), a product or service whose value derives, entirely or substantially, from the functionality of the Software. Any license notice or attribution required by the License must also include this Commons Clause License Condition notice.
-
-Software: semgrep-rules (https://github.com/semgrep/semgrep-rules)
-License: LGPL 2.1 (GNU Lesser General Public License, Version 2.1)
-Licensor: Semgrep, Inc. (https://semgrep.dev)
+Semgrep Rules License v1.0. For more details, visit https://semgrep.dev/legal/rules-license
diff --git a/README.md b/README.md
@@ -28,11 +28,12 @@ You can also learn how to write rules using the [interactive, example-based Semg
 
 ## Contributing
 
-We welcome Semgrep rule contributions directly to this repository! When submitting your contribution to this repository, we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE).
+We welcome Semgrep rule contributions directly to this repository! When submitting your contribution, you grant Semgrep, Inc. a license to use, modify, and distribute your contribution under the [Semgrep Rules License v. 1.0](https://semgrep.dev/legal/rules-license). This ensures your rule can be shared with other Semgrep Registry users.
 
-Note: To contribute, review the **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** documentation.
+To contribute, please review our  **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** guidelines.
+
+You can also reach out to us at [email protected], and we will help import your rules for others to use!
 
-You can also contact us at [email protected] to make Semgrep rule contributions. We will import your rules for everyone to use!
 
 ## Additional information
 

diff --git a/dockerfile/best-practice/remove-package-cache.yaml b/dockerfile/best-practice/remove-package-cache.yaml
@@ -16,4 +16,3 @@ rules:
       category: best-practice
       technology:
         - dockerfile
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
diff --git a/generic/secrets/security/detected-artifactory-password.yaml b/generic/secrets/security/detected-artifactory-password.yaml
@@ -44,4 +44,3 @@ rules:
         - audit
       likelihood: LOW
       impact: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
diff --git a/generic/secrets/security/detected-aws-account-id.yaml b/generic/secrets/security/detected-aws-account-id.yaml
@@ -55,4 +55,3 @@ rules:
         - audit
       likelihood: LOW
       impact: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
diff --git a/generic/secrets/security/detected-google-api-key.yaml b/generic/secrets/security/detected-google-api-key.yaml
@@ -15,7 +15,6 @@ rules:
     technology:
     - secrets
     - google
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     confidence: LOW
     owasp:
     - A07:2021 - Identification and Authentication Failures

diff --git a/generic/secrets/security/detected-telegram-bot-api-key.yaml b/generic/secrets/security/detected-telegram-bot-api-key.yaml
@@ -16,7 +16,6 @@ rules:
     technology:
     - secrets
     - telegram
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     confidence: LOW
     owasp:
     - A07:2021 - Identification and Authentication Failures

diff --git a/generic/secrets/security/detected-username-and-password-in-uri.yaml b/generic/secrets/security/detected-username-and-password-in-uri.yaml
@@ -26,7 +26,6 @@ rules:
     technology:
     - secrets
     confidence: MEDIUM
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml b/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml
@@ -7,7 +7,6 @@ rules:
     technology:
     - gorilla
     confidence: MEDIUM
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://cwe.mitre.org/data/definitions/289.html
     subcategory:

diff --git a/go/lang/security/audit/sqli/pg-orm-sqli.yaml b/go/lang/security/audit/sqli/pg-orm-sqli.yaml
@@ -84,5 +84,4 @@ rules:
         - vuln
       likelihood: LOW
       impact: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     severity: ERROR
diff --git a/go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml b/go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml
@@ -11,7 +11,6 @@ rules:
     category: security
     cwe:
     - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A07:2017 - Cross-Site Scripting (XSS)
     - A03:2021 - Injection

diff --git a/go/lang/security/injection/raw-html-format.yaml b/go/lang/security/injection/raw-html-format.yaml
@@ -21,7 +21,6 @@ rules:
     - go
     references:
     - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     confidence: MEDIUM
     cwe2022-top25: true
     cwe2021-top25: true

diff --git a/go/lang/security/injection/tainted-url-host.yaml b/go/lang/security/injection/tainted-url-host.yaml
@@ -21,7 +21,6 @@ rules:
       category: security
       technology:
         - go
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       confidence: HIGH
       cwe2022-top25: true
       cwe2021-top25: true

diff --git a/java/android/best-practice/manifest-security-features.yaml b/java/android/best-practice/manifest-security-features.yaml
@@ -9,7 +9,6 @@ rules:
       Config is present.
     metadata:
       category: best-practice
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       technology:
         - android
       references:
@@ -33,7 +32,6 @@ rules:
       if a Network Security Config is present.
     metadata:
       category: best-practice
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       technology:
         - android
       references:

diff --git a/java/android/best-practice/network-security-config.yml b/java/android/best-practice/network-security-config.yml
@@ -10,7 +10,6 @@ rules:
     `<network-security-config>`)
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -40,7 +39,6 @@ rules:
     pin as a backup.
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -78,7 +76,6 @@ rules:
     default to trusting system CAs and disregard the pin.
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -108,7 +105,6 @@ rules:
     `<network-security-config>`)
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -141,7 +137,6 @@ rules:
     `<network-security-config>`)
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:

diff --git a/java/lang/security/audit/xss/no-direct-response-writer.yaml b/java/lang/security/audit/xss/no-direct-response-writer.yaml
@@ -29,7 +29,6 @@ rules:
       - java
       - servlets
     interfile: true
-    license: proprietary license - copyright © Semgrep, Inc.
   languages:
     - java
   mode: taint

diff --git a/java/spring/security/injection/tainted-sql-string.yaml b/java/spring/security/injection/tainted-sql-string.yaml
@@ -21,7 +21,6 @@ rules:
       category: security
       technology:
         - spring
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       cwe2022-top25: true
       cwe2021-top25: true
       subcategory:

diff --git a/javascript/aws-lambda/security/tainted-sql-string.yaml b/javascript/aws-lambda/security/tainted-sql-string.yaml
@@ -24,7 +24,7 @@ rules:
     - vuln
     likelihood: LOW
     impact: MEDIUM
-    confidence: MEDIUM
+    confidence: LOW
   languages:
   - javascript
   - typescript

diff --git a/javascript/browser/security/open-redirect-from-function.yaml b/javascript/browser/security/open-redirect-from-function.yaml
@@ -22,7 +22,6 @@ rules:
     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
     technology:
     - browser
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     subcategory:
     - vuln
     likelihood: LOW

diff --git a/javascript/browser/security/open-redirect.yaml b/javascript/browser/security/open-redirect.yaml
@@ -25,7 +25,6 @@ rules:
     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
     technology:
     - browser
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     subcategory:
     - vuln
     likelihood: HIGH

diff --git a/javascript/browser/security/raw-html-concat.yaml b/javascript/browser/security/raw-html-concat.yaml
@@ -12,7 +12,6 @@ rules:
     category: security
     technology:
     - browser
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/javascript/express/security/audit/express-open-redirect.yaml b/javascript/express/security/audit/express-open-redirect.yaml
@@ -20,7 +20,6 @@ rules:
       likelihood: HIGH
       impact: MEDIUM
       confidence: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     languages:
       - javascript
       - typescript

diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml
@@ -26,7 +26,6 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     vulnerability_class:
     - Cross-Site-Scripting (XSS)
   languages:

diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml
@@ -19,7 +19,6 @@ rules:
     category: security
     technology:
     - express
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/javascript/lang/security/audit/detect-non-literal-fs-filename.yaml b/javascript/lang/security/audit/detect-non-literal-fs-filename.yaml
@@ -16,7 +16,6 @@ rules:
     category: security
     technology:
     - typescript
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/javascript/lang/security/audit/sqli/node-knex-sqli.yaml b/javascript/lang/security/audit/sqli/node-knex-sqli.yaml
@@ -23,7 +23,6 @@ rules:
     - express
     - nodejs
     - knex
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/javascript/lang/security/audit/sqli/node-mssql-sqli.yaml b/javascript/lang/security/audit/sqli/node-mssql-sqli.yaml
@@ -17,7 +17,6 @@ rules:
     category: security
     technology:
     - mssql
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://www.npmjs.com/package/mssql
     cwe2022-top25: true

diff --git a/javascript/lang/security/audit/sqli/node-mysql-sqli.yaml b/javascript/lang/security/audit/sqli/node-mysql-sqli.yaml
@@ -22,7 +22,6 @@ rules:
     - mysql2
     - javascript
     - nodejs
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/javascript/lang/security/detect-child-process.yaml b/javascript/lang/security/detect-child-process.yaml
@@ -16,7 +16,6 @@ rules:
     category: security
     technology:
     - javascript
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

diff --git a/javascript/sequelize/security/audit/sequelize-injection-express.yaml b/javascript/sequelize/security/audit/sequelize-injection-express.yaml
@@ -27,7 +27,6 @@ rules:
       likelihood: HIGH
       impact: HIGH
       confidence: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     languages:
       - javascript
       - typescript

diff --git a/json/aws/security/public-s3-bucket.yaml b/json/aws/security/public-s3-bucket.yaml
@@ -12,7 +12,6 @@ rules:
     category: security
     cwe:
     - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls'
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A01:2021 - Broken Access Control
     references:

diff --git a/json/npm/security/package-dependencies-check.yml b/json/npm/security/package-dependencies-check.yml
@@ -45,7 +45,6 @@ rules:
     - https://cwe.mitre.org/data/definitions/427.html
     technology:
     - npm
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     subcategory:
     - audit
     likelihood: LOW

diff --git a/kotlin/lang/security/defaulthttpclient-is-deprecated.yaml b/kotlin/lang/security/defaulthttpclient-is-deprecated.yaml
@@ -15,7 +15,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

diff --git a/kotlin/lang/security/ecb-cipher.yaml b/kotlin/lang/security/ecb-cipher.yaml
@@ -10,7 +10,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

diff --git a/kotlin/lang/security/gcm-detection.yaml b/kotlin/lang/security/gcm-detection.yaml
@@ -8,7 +8,6 @@ rules:
     - https://cwe.mitre.org/data/definitions/323.html
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A02:2021 - Cryptographic Failures
     subcategory:

diff --git a/kotlin/lang/security/no-null-cipher.yaml b/kotlin/lang/security/no-null-cipher.yaml
@@ -16,7 +16,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

diff --git a/kotlin/lang/security/unencrypted-socket.yaml b/kotlin/lang/security/unencrypted-socket.yaml
@@ -15,7 +15,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

diff --git a/kotlin/lang/security/use-of-md5.yaml b/kotlin/lang/security/use-of-md5.yaml
@@ -15,7 +15,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

diff --git a/metadata-schema.yaml.schm b/metadata-schema.yaml.schm
@@ -3,7 +3,6 @@ schema:
   allOf:
   - type: object
     required:
-    - references
     - category
     - technology
     properties:
@@ -90,4 +89,5 @@ schema:
       - likelihood
       - impact
       - subcategory
+      - references
 
diff --git a/php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml b/php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml
@@ -9,7 +9,6 @@ rules:
     category: security
     cwe:
     - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A01:2017 - Injection
     - A03:2021 - Injection

diff --git a/php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml b/php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml
@@ -11,7 +11,6 @@ rules:
     category: security
     cwe:
     - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A01:2017 - Injection
     - A03:2021 - Injection

diff --git a/php/lang/security/injection/tainted-url-host.yaml b/php/lang/security/injection/tainted-url-host.yaml
@@ -23,7 +23,6 @@ rules:
     category: security
     technology:
     - php
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory: