
SAST Rules

Endor Labs uses Semgrep-compatible rules for SAST scans and ships hundreds of rules for various languages, including rules written by Endor Labs and vetted third-party rules. Endor Labs reviews existing open source rules and complements them with its own rules to cover additional technologies and vulnerability types.

You can edit existing rules in your tenant to make modifications specific to your environment. You can also create new custom rules with the rule designer based on your requirements, and you can use the rule designer to add any Semgrep rule as a custom rule.

Refer to Semgrep Rules Documentation for more information on how to write a rule.

From the left sidebar, navigate to Policies and Rules and select SAST RULES to view all SAST rules in the system.

SAST rules

You can use the toggle against a rule to enable or disable the rule during the scan.

You can search for rules based on various parameters like rule name, languages, CWE, and tags.

Rule Permissions

You can create SAST rules in your tenant and edit, delete, or propagate them to child namespaces, but you cannot edit rules that are marked as Endor Labs or 3rd Party. You can disable such a rule so that it is not applied during scanning, or clone it and modify the clone.

The following sections provide more information on the actions you can do with SAST rules.

1 - Clone a SAST rule

You can clone an existing SAST rule and use that as a base to build your own rule.

Cloning a rule provides the following benefits:

  • You can make changes to a rule and review the results instead of directly editing an existing rule.
  • You can create a clone of a rule that you do not have permission to edit and make your changes.

To clone a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click on the three dots menu next to a rule and select Clone.

    A copy of the rule appears in the list of rules with the rule name in the format <original rule name>-<number of the clone>. For example, if you clone the rule Arbitrary Code Execution - Unsanitized inputs for the first time, a clone is created with the name Arbitrary Code Execution - Unsanitized inputs-1.

    Clone SAST rule

  3. Click edit next to the cloned rule to modify it according to your requirements.

    See Edit a SAST Rule for more information.

2 - Create a SAST rule

To create a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click Create SAST Rule.

  3. Enter the SAST rule in YAML format.

    Create SAST rule

  4. Click Save to save the rule.

3 - Edit a SAST rule

You can edit only the custom SAST rules. You cannot edit or delete Endor Labs or third-party rules.

To edit a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click edit next to a rule and select Edit Rule.

    Edit SAST rule

  3. After you complete the edits, click Save to save the rule. You can also delete or disable a rule from the Edit SAST Rule screen.

4 - Import SAST rules

You can import Semgrep-compatible SAST rules that you create as YAML files. The files must have the .yaml or .yml extension, and the rules must be packaged in a gzip or tar archive.

Import SAST rules through the user interface

You can bulk import rules through the user interface.

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click Import.

    Import SAST rule

  3. Click Browse and select the archive file that contains the rules.

  4. Enter the version of the rule, if required.

    If you do not enter a version and the rules already exist in the system, the rule upload may fail.

Import SAST rules with endorctl

You can bulk import rules with the following command.

endorctl rule-set import --file-path <file> --rule-version <version> -n namespace

Option            Description
-n, --namespace   Namespace of the project with which you are working. Mandatory.
--file-path       The path to the file that contains the rule set that should be imported. Supported file types are .tar and .gz.
--rule-version    The semantic version that applies to all the rules in the set. The command fails if there are any rules that exist with this version.

5 - Add metadata to a SAST rule

You can add metadata, in the metadata section of the rule, to a custom SAST rule that you create or to a clone of an existing Endor Labs rule.

The following example shows the SAST rule template with the metadata section.


rules:
- id: <lang>-<rulename>
  languages:
  - < java | js | py >

  < patterns, mode, options >

  message: < Rule message that provides details about the matched pattern and informs about how to mitigate any related issues, and can be shown in our UI. >
  severity: < INFO | WARNING | ERROR >
  metadata:
    version: 1.0.0
    description: A customer visible description for this rule.
    explanation: |
        An explanation of the issue.        
    remediation: |
        Possible remediation steps you can take to fix the issue.        
    cwe:
    - "CWE-xxx: <cwe title from https://cwe.mitre.org/data/definitions/xxx.html>"
    likelihood: < HIGH | MEDIUM | LOW >
    impact: < HIGH | MEDIUM | LOW >
    confidence: < HIGH | MEDIUM | LOW >

You can add the following metadata information to the rule:

  • explanation: An explanation of the issue.

  • remediation: Possible remediation steps you can take to fix the issue.

  • cwe: The CWE ID of the issue. The OWASP or SANS-25 category of the CWE ID will automatically appear under Rule Tags in Findings if such a mapping can be established.

    The following image shows an example where CWE-22 is automatically mapped to the appropriate category.

    Finding details

  • impact: The impact of the issue. Impact is one of the factors that determines the severity of the issue. See SAST severity matrix for more information.

  • confidence: The confidence level that the issue is real. Confidence is one of the factors that determines the severity of the issue. See SAST severity matrix for more information.
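The following complete rule follows the template above and fills in every metadata field described in the list. It is an added example written for this page, not a rule shipped by Endor Labs; the rule id, the patterns, the CWE chosen, and the likelihood, impact, and confidence values are illustrative choices. The rule flags Python code that builds an SSL context or wraps a socket with a protocol constant that pins a legacy SSL or TLS version, and the message uses the matched metavariable so the finding names the offending constant.

```yaml
rules:
  - id: py-ssl-deprecated-protocol
    languages:
      - python
    # Match contexts or sockets created with a protocol constant that
    # selects an SSL/TLS version with known deficiencies.
    patterns:
      - pattern-either:
          - pattern: ssl.SSLContext(ssl.$PROTO, ...)
          - pattern: ssl.SSLContext(protocol=ssl.$PROTO, ...)
          - pattern: ssl.wrap_socket(..., ssl_version=ssl.$PROTO, ...)
      - metavariable-regex:
          metavariable: $PROTO
          regex: ^PROTOCOL_(SSLv2|SSLv3|TLSv1|TLSv1_1)$
    message: >-
      SSL context created with deprecated protocol ssl.$PROTO. Use
      ssl.PROTOCOL_TLS_CLIENT or ssl.PROTOCOL_TLS_SERVER and let the library
      negotiate TLS 1.2 or 1.3.
    severity: WARNING
    metadata:
      version: 1.0.0
      description: Detects SSL/TLS contexts pinned to a deprecated protocol version.
      explanation: |
        The code requests a specific legacy SSL or TLS protocol version. SSLv2, SSLv3,
        TLS 1.0 and TLS 1.1 have known weaknesses and are disabled or removed in
        current OpenSSL builds, so the connection is either weak or fails outright.
      remediation: |
        Create the context with ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) for clients or
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) for servers, which negotiates the
        highest version both peers support, and wrap sockets with SSLContext.wrap_socket.
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      likelihood: MEDIUM
      impact: HIGH
      confidence: HIGH
```

Save the rule as a .yaml or .yml file and package it in a tar or gzip archive for import, or paste it into the Create SAST Rule screen. Because the file is plain YAML, the `#` comments are permitted and are ignored by the rule engine.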

For example:


rules:
  - id: python_ssl_rule-ssl-no-version
    .
    .
    .
    metadata:
      explanation: |
        The application was found calling an SSL module with SSL or TLS protocols that have known deficiencies. It is strongly recommended that newer applications use TLS 1.2 or 1.3 and `SSLContext.wrap_socket`.        
      remediation: |
        If using the `pyOpenSSL` module, please note that it has been deprecated and the Python Cryptographic Authority strongly suggests moving to use the [pyca/cryptography](https://github.com/pyca/cryptography) module instead. To remediate this issue for the `ssl` module, create a new TLS context and pass in `ssl.PROTOCOL_TLS_CLIENT` for clients or `ssl.PROTOCOL_TLS_SERVER` for servers to the `ssl.SSLContext(...)` `protocol=` argument. When converting the socket to a TLS socket, use the new `SSLContext.wrap_socket` method instead.        
    .
    .
    .

When Endor Labs generates a finding based on this rule, the explanation and remediation sections appear in the finding details.

Finding details

The metadata information also appears in the SARIF output.

{
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "samples/3p/gitlab/python/ssl/rule-ssl-with-bad-version.py"
        },
        "region": {
          "startLine": 9
        }
      }
    }
  ],
  "message": {
    "text": "Problem:\nThe application was found calling an SSL module with SSL or TLS protocols that have known deficiencies. It is strongly\nrecommended that newer applications use TLS 1.2 or 1.3 and `SSLContext.wrap_socket`.\n\nSolution:\nIf using the `pyOpenSSL` module, please note that it has been deprecated and the Python Cryptographic Authority strongly\nsuggests moving to use the [pyca/cryptography](https://github.com/pyca/cryptography) module instead.\nTo remediate this issue for the `ssl` module, create a new TLS context and pass in `ssl.PROTOCOL_TLS_CLIENT` for clients\nor `ssl.PROTOCOL_TLS_SERVER` for servers to the `ssl.SSLContext(...)` `protocol=` argument. When converting the socket\nto a TLS socket, use the new `SSLContext.wrap_socket` method instead.\n\nExample creating a TLS 1.3 client socket connection by using a newer version of Python (3.11.4) and the SSL module:\n```\nimport ssl\nimport socket\n\n# Create our initial socket\nwith socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:\n    # Connect the socket\n    sock.connect(('www.example.org', 443))\n\n    # Create a new SSLContext with protocol set to ssl.PROTOCOL_TLS_CLIENT\n    # This will auto-select the highest grade TLS protocol version (1.3)\n    context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)\n    # Load our a certificates for server certificate authentication\n    context.load_verify_locations('cert.pem')\n    # Create our TLS socket, and validate the server hostname matches\n    with context.wrap_socket(sock, server_hostname=\"www.example.org\") as tls_sock:\n        # Send some bytes over the socket (HTTP request in this case)\\\n        data = bytes('GET / HTTP/1.1\\r\\nHost: example.org\\r\\n\\r\\n', 'utf-8')\n        sent_bytes = tls_sock.send(data)\n        # Validate number of sent bytes\n        # ...\n        # Read the response\n        resp = tls_sock.recv()\n        # Work with the response\n        # ...\n```\n\nFor more information on the ssl module see:\n- https://docs.python.org/3/library/ssl.html\n\nFor more information on pyca/cryptography and openssl see:\n- https://cryptography.io/en/latest/openssl/\n"
  },
  "properties": {
    "explanation": "The application was found calling an SSL module with SSL or TLS protocols that have known deficiencies. It is strongly recommended that newer applications use TLS 1.2 or 1.3 and `SSLContext.wrap_socket`.\n",
    "remediation": "If using the `pyOpenSSL` module, please note that it has been deprecated and the Python Cryptographic Authority strongly suggests moving to use the [pyca/cryptography](https://github.com/pyca/cryptography) module instead. To remediate this issue for the `ssl` module, create a new TLS context and pass in `ssl.PROTOCOL_TLS_CLIENT` for clients or `ssl.PROTOCOL_TLS_SERVER` for servers to the `ssl.SSLContext(...)` `protocol=` argument. When converting the socket to a TLS socket, use the new `SSLContext.wrap_socket` method instead.\n",
    "tags": [
      "A02:2021",
      "Cryptographic-Failures",
      "OWASP-Top-10"
    ]
  }
}