semgrep · r2c-argo · Sep 8, 2023 · Sep 11, 2023 · Sep 12, 2023 · Sep 12, 2023
diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml
@@ -34,6 +34,7 @@ jobs:
             --config yaml/semgrep/metadata-likelihood-incorrect-value.yaml \
             --config yaml/semgrep/metadata-impact-incorrect-value.yaml \
             --config yaml/semgrep/metadata-subcategory-incorrect-value.yaml \
+            --config yaml/semgrep/metadata-incorrect-option.yaml \
             --config yaml/semgrep/metadata-technology.yaml \
             --config yaml/semgrep/metadata-category.yaml \
             --config yaml/semgrep/multi-line-message.yaml \

diff --git a/csharp/lang/security/insecure-deserialization/javascript-serializer.cs b/csharp/lang/security/insecure-deserialization/javascript-serializer.cs
@@ -11,6 +11,11 @@ public void JavascriptSerializerDeserialization(string json)
                 // ruleid: insecure-javascriptserializer-deserialization
                 var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
                 serializer.DeserializeObject(json);
+
+                var resolver = new SimpleTypeResolver()
+                // ruleid: insecure-javascriptserializer-deserialization
+                var serializer2 = new JavaScriptSerializer(resolver);
+                serializer2.DeserializeObject(json);
             }
             catch (Exception e)
             {

diff --git a/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml b/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml
@@ -30,4 +30,4 @@ rules:
       using System.Web.Script.Serialization;
       ...
   - pattern: |
-      new JavaScriptSerializer(new SimpleTypeResolver());
+      new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))
diff --git a/generic/nginx/security/missing-internal.conf b/generic/nginx/security/missing-internal.conf
@@ -19,3 +19,11 @@ server {
         proxy_pass $1://$2/$3;
     }
 }
+
+server {
+    location / {
+        # ok: missing-internal
+        proxy_pass  http:/backend:42/;
+        set         $false  'positive';
+    }
+}
diff --git a/generic/nginx/security/missing-internal.yaml b/generic/nginx/security/missing-internal.yaml
@@ -1,18 +1,24 @@
 rules:
 - id: missing-internal
+  options:
+    generic_ellipsis_max_span: 0
+    generic_engine: aliengrep
   patterns:
-  - pattern-inside: |
-      location ... {
-        ...
-        ...
-      }
-  - pattern-not-inside: |
-      location ... {
-        ...
-        internal;
-        ...
-      }
-  - pattern: proxy_pass ...$...;
+    - pattern-inside: |
+        location ... {
+          ....
+          ....
+        }
+    - pattern-not-inside: |
+        location ... {
+          ....
+          internal;
+          ....
+        }
+    - pattern: proxy_pass $...URL;
+    - metavariable-regex:
+        metavariable: $...URL
+        regex: (.*\$.*)
   paths:
     include:
     - '*.conf'

diff --git a/generic/secrets/gitleaks/generic-api-key.txt b/generic/secrets/gitleaks/generic-api-key.txt
@@ -17,7 +17,7 @@ private const string UserCreationPasswordSecretKey =@"6da89121079f83b2eb6acccf82
 // ruleid: generic-api-key
 app.secret=edf10572-880c-4dd9-aaf0-6ec402f678db
 // ruleid: generic-api-key
-val PASSWORD = "Iv1.6213212547e00438__globPaths__123"
+val PASSWORD = "Iv1.6213212547e00438__globaths__123"
 eironment:
       POSTGRES_DB: postgres
       POSTGRES_USER: as2user
@@ -34,7 +34,7 @@ this.cmfPassword.foo = "thiscmfPassword1"
 const connectionToken = `12345-123-abc`;
  this._perfKey = 'network_XMLHttpRequest_' + String(friendlyName);
 
-// todook: generic-api-key
+// ok: generic-api-key
 this.txtCfmPassword.Name = "txtCfmPassword";
 
 // ok: generic-api-key
@@ -207,4 +207,4 @@ clientToken: "pub4306832bdc5f2b8b980c492ec2c11ef3",
 // ok: generic-api-key
 keys: 'privkey1.json',
 // ok: generic-api-key
-"Keywords": "asdsadsadsaUSAdusadusadsa",
+"Keywords": "asdsadsadsaUSAdusadusadsa",
diff --git a/generic/secrets/gitleaks/generic-api-key.yaml b/generic/secrets/gitleaks/generic-api-key.yaml
@@ -68,4 +68,7 @@ rules:
         regex: (?!(^0x0*|^pub)|.*\.(bin|json|exe)$|.*(?i)(Client|Factory)$|(^__[A-Za-z]+__$)|^(12345|abcd)|^\d+(\.\d+)?$)
        # Remove AAAAA, BBBBB, CCCCC, and .....
     - pattern-not-regex: (\w|\.)\1{5}
-
+    # stopwords from https://github.com/gitleaks/gitleaks/blob/d9f86d6123d9ef2558c4852a522a7a071d6a6fe9/cmd/generate/config/rules/stopwords.go#L4
+    - metavariable-regex:
+        metavariable: $CONTENT
+        regex: (?!(?i).*(client|endpoint|vpn|_ec2_|aws_|authorize|author|define|config|credential|setting|sample|xxxxxx|000000|buffer|delete|aaaaaa|fewfwef|getenv|env_|system|example|ecdsa|sha256|sha1|sha2|md5|alert|wizard|target|onboard|welcome|page|exploit|experiment|expire|rabbitmq|scraper|widget|music|dns_|dns-|yahoo|want|json|action|script|fix_|fix-|develop|compas|stripe|service|master|metric|tech|gitignore|rich|open|stack|irc_|irc-|sublime|kohana|has_|has-|\.\.\.|fabric|wordpres|role|osx_|osx-|boost|addres|queue|working|sandbox|internet|print|vision|tracking|being|generator|traffic|world|pull|rust|watcher|small|auth|full|hash|more|install|auto|complete|learn|paper|installer|research|acces|last|binding|spine|into|chat|algorithm|resource|uploader|video|maker|next|proc|lock|robot|snake|patch|matrix|drill|terminal|term|stuff|genetic|generic|identity|audit|pattern|audio|web_|web-|crud|problem|statu|cms-|cms_|arch|coffee|workflow|changelog|another|uiview|content|kitchen|gnu_|gnu-|gnu.|conf|couchdb|client|opencv|rendering|update|concept|varnish|gui_|gui-|gui.|version|shared|extra|product|still|not_|not-|not.|drop|ring|png_|png-|png.|actively|import|output|backup|start|embedded|registry|pool|semantic|instagram|bash|system|ninja|drupal|jquery|polyfill|physic|league|guide|pack|synopsi|sketch|injection|svg_|svg-|svg.|friendly|wave|convert|manage|camera|link|slide|timer|wrapper|gallery|url_|url-|url.|todomvc|requirej|party|http|payment|async|library|home|coco|gaia|display|universal|func|metadata|hipchat|under|room|config|personal|realtime|resume|database|testing|tiny|basic|forum|meetup|yet_|yet-|yet.|cento|dead|fluentd|editor|utilitie|run_|run-|run.|box_|box-|box.|bot_|bot-|bot.|making|sample|group|monitor|ajax|parallel|cassandra|ultimate|site|get_|get-|get.|gen_|gen-|gen.|gem_|gem-|gem.|extended|image|knife|asset|nested|zero|plugin|bracket|mule|mozilla|number|act_|act-|act.|map_|map-|map.|micro|debug|openshift|chart|expres|backend|task|source|translate|jbos|composer|sqlite|profile|mustache|mqtt|yeoman|have|builder|smart|like|oauth|school|guideline|captcha|filter|bitcoin|bridge|color|toolbox|discovery|new_|new-|new.|dashboard|when|setting|level|post|standard|port|platform|yui_|yui-|yui.|grunt|animation|haskell|icon|latex|cheat|lua_|lua-|lua.|gulp|case|author|without|simulator|wifi|directory|lisp|list|flat|adventure|story|storm|gpu_|gpu-|gpu.|store|caching|attention|solr|logger|demo|shortener|hadoop|finder|phone|pipeline|range|textmate|showcase|app_|app-|app.|idiomatic|edit|our_|our-|our.|out_|out-|out.|sentiment|linked|why_|why-|why.|local|cube|gmail|job_|job-|job.|rpc_|rpc-|rpc.|contest|tcp_|tcp-|tcp.|usage|buildout|weather|transfer|automated|sphinx|issue|sas_|sas-|sas.|parallax|jasmine|addon|machine|solution|dsl_|dsl-|dsl.|episode|menu|theme|best|adapter|debugger|chrome|tutorial|life|step|people|joomla|paypal|developer|solver|team|current|love|visual|date|data|canva|container|future|xml_|xml-|xml.|twig|nagio|spatial|original|sync|archived|refinery|science|mapping|gitlab|play|ext_|ext-|ext.|session|impact|set_|set-|set.|see_|see-|see.|migration|commit|community|shopify|what'|cucumber|statamic|mysql|location|tower|line|code|amqp|hello|send|index|high|notebook|alloy|python|field|document|soap|edition|email|php_|php-|php.|command|transport|official|upload|study|secure|angularj|akka|scalable|package|request|con_|con-|con.|flexible|security|comment|module|flask|graph|flash|apache|change|window|space|lambda|sheet|bookmark|carousel|friend|objective|jekyll|bootstrap|first|article|gwt_|gwt-|gwt.|classic|media|websocket|touch|desktop|real|read|recorder|moved|storage|validator|add-on|pusher|scs_|scs-|scs.|inline|asp_|asp-|asp.|timeline|base|encoding|ffmpeg|kindle|tinymce|pretty|jpa_|jpa-|jpa.|used|user|required|webhook|download|resque|espresso|cloud|mongo|benchmark|pure|cakephp|modx|mode|reactive|fuel|written|flickr|mail|brunch|meteor|dynamic|neo_|neo-|neo.|new_|new-|new.|net_|net-|net.|typo|type|keyboard|erlang|adobe|logging|ckeditor|message|iso_|iso-|iso.|hook|ldap|folder|reference|railscast|www_|www-|www.|tracker|azure|fork|form|digital|exporter|skin|string|template|designer|gollum|fluent|entity|language|alfred|summary|wiki|kernel|calendar|plupload|symfony|foundry|remote|talk|search|dev_|dev-|dev.|del_|del-|del.|token|idea|sencha|selector|interface|create|fun_|fun-|fun.|groovy|query|grail|red_|red-|red.|laravel|monkey|slack|supported|instant|value|center|latest|work|but_|but-|but.|bug_|bug-|bug.|virtual|tweet|statsd|studio|path|real-time|frontend|notifier|coding|tool|firmware|flow|random|mediawiki|bosh|been|beer|lightbox|theory|origin|redmine|hub_|hub-|hub.|require|pro_|pro-|pro.|ant_|ant-|ant.|any_|any-|any.|recipe|closure|mapper|event|todo|model|redi|provider|rvm_|rvm-|rvm.|program|memcached|rail|silex|foreman|activity|license|strategy|batch|streaming|fast|use_|use-|use.|usb_|usb-|usb.|impres|academy|slider|please|layer|cros|now_|now-|now.|miner|extension|own_|own-|own.|app_|app-|app.|debian|symphony|example|feature|serie|tree|project|runner|entry|leetcode|layout|webrtc|logic|login|worker|toolkit|mocha|support|back|inside|device|jenkin|contact|fake|awesome|ocaml|bit_|bit-|bit.|drive|screen|prototype|gist|binary|nosql|rest|overview|dart|dark|emac|mongoid|solarized|homepage|emulator|commander|django|yandex|gradle|xcode|writer|crm_|crm-|crm.|jade|startup|error|using|format|name|spring|parser|scratch|magic|try_|try-|try.|rack|directive|challenge|slim|counter|element|chosen|doc_|doc-|doc.|meta|should|button|packet|stream|hardware|android|infinite|password|software|ghost|xamarin|spec|chef|interview|hubot|mvc_|mvc-|mvc.|exercise|leaflet|launcher|air_|air-|air.|photo|board|boxen|way_|way-|way.|computing|welcome|notepad|portfolio|cat_|cat-|cat.|can_|can-|can.|magento|yaml|domain|card|yii_|yii-|yii.|checker|browser|upgrade|only|progres|aura|ruby_|ruby-|ruby.|polymer|util|lite|hackathon|rule|log_|log-|log.|opengl|stanford|skeleton|history|inspector|help|soon|selenium|lab_|lab-|lab.|scheme|schema|look|ready|leveldb|docker|game|minimal|logstash|messaging|within|heroku|mongodb|kata|suite|picker|win_|win-|win.|wip_|wip-|wip.|panel|started|starter|front-end|detector|deploy|editing|based|admin|capture|spree|page|bundle|goal|rpg_|rpg-|rpg.|setup|side|mean|reader|cookbook|mini|modern|seed|dom_|dom-|dom.|doc_|doc-|doc.|dot_|dot-|dot.|syntax|sugar|loader|website|make|kit_|kit-|kit.|protocol|human|daemon|golang|manager|countdown|connector|swagger|map_|map-|map.|mac_|mac-|mac.|man_|man-|man.|orm_|orm-|orm.|org_|org-|org.|little|zsh_|zsh-|zsh.|shop|show|workshop|money|grid|server|octopres|svn_|svn-|svn.|ember|embed|general|file|important|dropbox|portable|public|docpad|fish|sbt_|sbt-|sbt.|done|para|network|common|readme|popup|simple|purpose|mirror|single|cordova|exchange|object|design|gateway|account|lamp|intellij|math|mit_|mit-|mit.|control|enhanced|emitter|multi|add_|add-|add.|about|socket|preview|vagrant|cli_|cli-|cli.|powerful|top_|top-|top.|radio|watch|fluid|amazon|report|couchbase|automatic|detection|sprite|pyramid|portal|advanced|plu_|plu-|plu.|runtime|git_|git-|git.|uri_|uri-|uri.|haml|node|sql_|sql-|sql.|cool|core|obsolete|handler|iphone|extractor|array|copy|nlp_|nlp-|nlp.|reveal|pop_|pop-|pop.|engine|parse|check|html|nest|all_|all-|all.|chinese|buildpack|what|tag_|tag-|tag.|proxy|style|cookie|feed|restful|compiler|creating|prelude|context|java|rspec|mock|backbone|light|spotify|flex|related|shell|which|clas|webapp|swift|ansible|unity|console|tumblr|export|campfire|conway'|made|riak|hero|here|unix|unit|glas|smtp|how_|how-|how.|hot_|hot-|hot.|debug|release|diff|player|easy|right|old_|old-|old.|animate|time|push|explorer|course|training|nette|router|draft|structure|note|salt|where|spark|trello|power|method|social|via_|via-|via.|vim_|vim-|vim.|select|webkit|github|ftp_|ftp-|ftp.|creator|mongoose|led_|led-|led.|movie|currently|pdf_|pdf-|pdf.|load|markdown|phalcon|input|custom|atom|oracle|phonegap|ubuntu|great|rdf_|rdf-|rdf.|popcorn|firefox|zip_|zip-|zip.|cuda|dotfile|static|openwrt|viewer|powered|graphic|les_|les-|les.|doe_|doe-|doe.|maven|word|eclipse|lab_|lab-|lab.|hacking|steam|analytic|option|abstract|archive|reality|switcher|club|write|kafka|arduino|angular|online|title|don't|contao|notice|analyzer|learning|zend|external|staging|busines|tdd_|tdd-|tdd.|scanner|building|snippet|modular|bower|stm_|stm-|stm.|lib_|lib-|lib.|alpha|mobile|clean|linux|nginx|manifest|some|raspberry|gnome|ide_|ide-|ide.|block|statistic|info|drag|youtube|koan|facebook|paperclip|art_|art-|art.|quality|tab_|tab-|tab.|need|dojo|shield|computer|stat|state|twitter|utility|converter|hosting|devise|liferay|updated|force|tip_|tip-|tip.|behavior|active|call|answer|deck|better|principle|ches|bar_|bar-|bar.|reddit|three|haxe|just|plug-in|agile|manual|tetri|super|beta|parsing|doctrine|minecraft|useful|perl|sharing|agent|switch|view|dash|channel|repo|pebble|profiler|warning|cluster|running|markup|evented|mod_|mod-|mod.|share|csv_|csv-|csv.|response|good|house|connect|built|build|find|ipython|webgl|big_|big-|big.|google|scala|sdl_|sdl-|sdl.|sdk_|sdk-|sdk.|native|day_|day-|day.|puppet|text|routing|helper|linkedin|crawler|host|guard|merchant|poker|over|writing|free|classe|component|craft|nodej|phoenix|longer|quick|lazy|memory|clone|hacker|middleman|factory|motion|multiple|tornado|hack|ssh_|ssh-|ssh.|review|vimrc|driver|driven|blog|particle|table|intro|importer|thrift|xmpp|framework|refresh|react|font|librarie|variou|formatter|analysi|karma|scroll|tut_|tut-|tut.|apple|tag_|tag-|tag.|tab_|tab-|tab.|category|ionic|cache|homebrew|reverse|english|getting|shipping|clojure|boot|book|branch|combination|combo))
diff --git a/generic/secrets/security/detected-artifactory-password.txt b/generic/secrets/security/detected-artifactory-password.txt
@@ -1,11 +1,5 @@
 # ruleid: detected-artifactory-password
-AP6xxxxxxxxxx
-
-# ruleid: detected-artifactory-password
-AP2xxxxxxxxxx
-
-# ruleid: detected-artifactory-password
-artifactoryx:_password=AP6xxxxxxxxxx
+artifactoryx:_password=AP6abc1231321
 
 # ok: detected-artifactory-password
 integrity sha512-AP1AyUTbi2szylgr+O0OB7gkIxEGzySLITZ2GpsaoX72YMCGI2jYAc+WUhPfvUnZYiauF4zTnN4V4TGuvFjJlw==
@@ -19,9 +13,6 @@ ImageID: "SHA256:AP1AyUTbi2szylgr266fcae00707e67a2545ef34f9a29354585f93dac906749
 # ok: detected-artifactory-password
  - hasql-1.6.0.1@sha256:AP1AyUTbi2szylgr+422a3bb776a12d5cf2bb83303778f343106f9a1cc2b4fcdf73,6628
 
-# ruleid: detected-artifactory-password
-artifactoryx_password:AP6xxxxxxxxxx
-
 # ok: detected-artifactory-password
 X-JFrog-Art-Api: $PASSWORD
 
@@ -124,7 +115,7 @@ b3IgcHJvbW90ZSBwcm9kdWN0cyBkZXJpdmVkIGZyb20KIHRoaXMgc29mdHdhcmUgd2l0aG9
 
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 # ok: detected-artifactory-password
-AP6xxxxxxxxxx
+AP6abc1231321
 -----END PGP PUBLIC KEY BLOCK-----
 
 apiVersion: appprotectdos.f5.com/v1beta1

diff --git a/generic/secrets/security/detected-artifactory-password.yaml b/generic/secrets/security/detected-artifactory-password.yaml
@@ -1,35 +1,16 @@
 rules:
   - id: detected-artifactory-password
-    options:
-      generic_engine: aliengrep
-      generic_multiline: false
-      generic_caseless: true
     patterns:
-      - pattern: $ITEM
-      - metavariable-regex:
-          metavariable: $ITEM
-          regex: \bAP[\dABCDEF][a-zA-Z0-9]{8,}
-      - pattern-not-inside: |
-          sha1...
-      - pattern-not-inside: |
-          sha2...
-      - pattern-not-inside: |
-          sha3...
-      - pattern-not-inside: |
-          sha118...
-      - pattern-not-inside: |
-          sha256...
-      - pattern-not-inside: |
-          sha512...
-      - pattern-not-inside: |
-          -BEGIN ...-
-          ....
-          ...-END ...-
+      - pattern-regex: (?<ITEM>\bAP[\dABCDEF][a-zA-Z0-9]{8,})
+      - pattern-regex: .*(?i)arti[-_]?factory.*
+      - pattern-not-regex: .*(?i)sha(1|2|3|118|256|512).*
+      - pattern-not-regex: (?i)-----\s*?BEGIN[ A-Z0-9_-]*? KEY( BLOCK)?-----[\s\S]*?-----\s*?END[ A-Z0-9_-]*?\s*?-----
       - metavariable-analysis:
           analyzer: entropy
           metavariable: $ITEM
+      - pattern-not-regex: (\w|\.|\*)\1{4}
     languages:
-      - generic
+      - regex
     paths:
       exclude:
         - "*.svg"

diff --git a/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml b/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml
@@ -1,7 +1,5 @@
 rules:
 - id: handler-assignment-from-multiple-sources
-  options:
-    taint_unified_mvars: true
   metadata:
     cwe:
     - 'CWE-289: Authentication Bypass by Alternate Name'

diff --git a/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml b/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
@@ -45,6 +45,8 @@ rules:
     - pattern: strconv.Atoi(...)
     - pattern: |
         ($X: bool)
+  options:
+    interfile: true
   metadata:
     category: security
     technology:

diff --git a/go/jwt-go/security/jwt.yaml b/go/jwt-go/security/jwt.yaml
@@ -6,6 +6,8 @@ rules:
     being leaked and used by either an internal or external malicious adversary. It is recommended to
     use environment variables to securely provide credentials or retrieve credentials from a secure
     vault or HSM (Hardware Security Module).
+  options:
+    interfile: true
   metadata:
     cwe:
     - 'CWE-798: Use of Hard-coded Credentials'

diff --git a/go/lang/security/audit/md5-used-as-password.yaml b/go/lang/security/audit/md5-used-as-password.yaml
@@ -7,6 +7,8 @@ rules:
     secure password hash because it can be cracked by an attacker in a short
     amount of time. Use a suitable password hashing function such as bcrypt.
     You can use the `golang.org/x/crypto/bcrypt` package.
+  options:
+    interfile: true
   metadata:
     category: security
     technology:

diff --git a/go/lang/security/filepath-clean-misuse.yaml b/go/lang/security/filepath-clean-misuse.yaml
@@ -31,6 +31,8 @@ rules:
     - pattern: |
         "/" + ...
   fix: filepath.FromSlash(filepath.Clean("/"+strings.Trim($...INNER, "/")))
+  options:
+    interfile: true
   metadata:
     references:
     - https://pkg.go.dev/path#Clean

diff --git a/go/lang/security/injection/tainted-sql-string.yaml b/go/lang/security/injection/tainted-sql-string.yaml
@@ -9,6 +9,8 @@ rules:
     or manipulate data from the database.
     Instead, use prepared statements (`db.Query("SELECT * FROM t WHERE id = ?", id)`)
     or a safe library.
+  options:
+    interfile: true
   metadata:
     cwe:
     - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"

diff --git a/go/lang/security/injection/tainted-url-host.yaml b/go/lang/security/injection/tainted-url-host.yaml
@@ -9,6 +9,8 @@ rules:
       path or query parameter. When user-input is necessary to craft the
       request, it is recommended to follow OWASP best practices to prevent
       abuse, including using an allowlist.
+    options:
+      interfile: true
     metadata:
       cwe:
         - "CWE-918: Server-Side Request Forgery (SSRF)"

diff --git a/java/aws-lambda/security/tainted-sql-string.yaml b/java/aws-lambda/security/tainted-sql-string.yaml
@@ -9,6 +9,8 @@ rules:
     of the database. Instead, use a parameterized query which is available
     by default in most database engines. Alternatively, consider using an
     object-relational mapper (ORM) such as Sequelize which will protect your queries.
+  options:
+    interfile: true
   metadata:
     references:
     - https://owasp.org/www-community/attacks/SQL_Injection

diff --git a/java/aws-lambda/security/tainted-sqli.yaml b/java/aws-lambda/security/tainted-sqli.yaml
@@ -47,6 +47,8 @@ rules:
         - metavariable-regex:
             metavariable: $SQLCMD
             regex: (execute|query|executeUpdate)
+  options:
+    interfile: true
   metadata:
     category: security
     technology:

diff --git a/java/lang/security/audit/tainted-cmd-from-http-request.java b/java/lang/security/audit/tainted-cmd-from-http-request.java
@@ -23,6 +23,7 @@
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.lang.Runtime;
 
 @WebServlet(value = "/cmdi-00/BenchmarkTest00006")
 public class bad1 extends HttpServlet {
@@ -111,7 +112,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         Runtime r = Runtime.getRuntime();
 
         try {
-            // ruleid: tainted-cmd-from-http-request
+            // this is vulnerable, but considered a separate issue
+            // ok: tainted-cmd-from-http-request
             Process p = r.exec(args, argsEnv);
             org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
         } catch (IOException e) {
@@ -172,7 +174,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         Runtime r = Runtime.getRuntime();
 
         try {
-            // ruleid: tainted-cmd-from-http-request
+            // this is vulnerable, but considered a separate issue
+            // ok: tainted-cmd-from-http-request
             Process p = r.exec(args, argsEnv);
             org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
         } catch (IOException e) {