Add lint to validate options

.github/workflows/semgrep-rule-lints.yaml

@@ -34,6 +34,7 @@ jobs:
             --config yaml/semgrep/metadata-likelihood-incorrect-value.yaml \
             --config yaml/semgrep/metadata-impact-incorrect-value.yaml \
             --config yaml/semgrep/metadata-subcategory-incorrect-value.yaml \
+            --config yaml/semgrep/metadata-incorrect-option.yaml \
             --config yaml/semgrep/metadata-technology.yaml \
             --config yaml/semgrep/metadata-category.yaml \
             --config yaml/semgrep/multi-line-message.yaml \

go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml

@@ -1,7 +1,5 @@
 rules:
 - id: handler-assignment-from-multiple-sources
-  options:
-    taint_unified_mvars: true
   metadata:
     cwe:
     - 'CWE-289: Authentication Bypass by Alternate Name'

swift/lang/storage/sensitive-storage-userdefaults.yaml

@@ -27,7 +27,7 @@ rules:
   languages:
   - swift
   options:
-    taint_propagation: true
+    symbolic_propagation: true
   patterns:
   - pattern-either:
     - patterns:

yaml/semgrep/metadata-incorrect-option.test.yaml

@@ -0,0 +1,37 @@
+rules:
+  - id: swift-user-defaults
+    message: Potentially sensitive data was observed to be stored in UserDefaults,
+      which is not adequate protection of sensitive information. For data of a
+      sensitive nature, applications should leverage the Keychain.
+    severity: WARNING
+    metadata:
+      likelihood: LOW
+      impact: HIGH
+      confidence: MEDIUM
+      category: security
+      cwe:
+        - "CWE-311: Missing Encryption of Sensitive Data"
+      masvs:
+        - "MASVS-STORAGE-1: The app securely stores sensitive data"
+      owasp:
+        - A03:2017 - Sensitive Data Exposure
+        - A04:2021 - Insecure Design
+      references:
+        - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html
+        - https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/
+      subcategory:
+        - vuln
+      technology:
+        - ios
+        - macos
+      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+      vulnerability_class:
+        - Cryptographic Issues
+    languages:
+      - swift
+    options:
+      # ruleid: metadata-incorrect-option
+      taint_propagation: true
+      # ruleid: metadata-incorrect-option
+      value: 2
+    patterns:

yaml/semgrep/metadata-incorrect-option.yaml

@@ -0,0 +1,25 @@
+rules:
+  - id: metadata-incorrect-option
+    message: >-
+        It looks like $KEY is not in the default list of expected options, if this is a new key update this rule
+    languages:
+      - yaml
+    severity: INFO
+    metadata:
+      references:
+        - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository
+      category: correctness
+      technology:
+        - semgrep
+    patterns:
+      - pattern-inside: |
+          rules: ...
+      - pattern-inside: |
+          options:
+            $A
+      - focus-metavariable: $A
+      - pattern: |
+          $KEY: $VALUE
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine)