diff --git a/rules/go/third_parties/open_telemetry.yml b/rules/go/third_parties/open_telemetry.yml
new file mode 100644
index 000000000..66eb54eb3
--- /dev/null
+++ b/rules/go/third_parties/open_telemetry.yml
@@ -0,0 +1,127 @@
+imports:
+ - go_shared_lang_datatype
+ - go_shared_lang_instance
+patterns:
+ - pattern: $.$<_>($<...>$$<...>)
+ filters:
+ - variable: SPAN
+ detection: go_third_parties_open_telemetry_span
+ scope: cursor
+ - variable: DATA_TYPE
+ detection: go_shared_lang_datatype
+ scope: result
+ - pattern: $.Start($<_>, $$<...>)
+ filters:
+ - variable: TRACER
+ detection: go_third_parties_open_telemetry_tracer
+ scope: cursor
+ - variable: DATA_TYPE
+ detection: go_shared_lang_datatype
+ scope: result
+ - pattern: |
+ $.KeyValue{$<_>: $}
+ filters:
+ - variable: PACKAGE
+ detection: go_third_parties_open_telemetry_attribute_package
+ scope: cursor
+ - variable: DATA_TYPE
+ detection: go_shared_lang_datatype
+ scope: result
+languages:
+ - go
+auxiliary:
+ - id: go_third_parties_open_telemetry_span
+ patterns:
+ - pattern: $.Start($<...>)
+ filters:
+ - variable: TRACER
+ detection: go_third_parties_open_telemetry_tracer
+ scope: cursor
+ - pattern: $
+ filters:
+ - variable: SPAN
+ detection: go_shared_lang_instance
+ scope: cursor
+ filters:
+ - variable: PACKAGE
+ detection: go_third_parties_open_telemetry_trace_package
+ scope: cursor
+ - variable: TYPE
+ values:
+ - Span
+ - id: go_third_parties_open_telemetry_tracer
+ patterns:
+ - pattern: $.Tracer($<...>)
+ filters:
+ - variable: PACKAGE
+ detection: go_third_parties_open_telemetry_package
+ scope: cursor
+ - pattern: $.Tracer($<...>)
+ filters:
+ - variable: PROVIDER
+ detection: go_third_parties_open_telemetry_tracer_provider
+ scope: cursor
+ - pattern: $
+ filters:
+ - variable: TRACER
+ detection: go_shared_lang_instance
+ scope: cursor
+ filters:
+ - variable: PACKAGE
+ detection: go_third_parties_open_telemetry_trace_package
+ scope: cursor
+ - variable: TYPE
+ values:
+ - Tracer
+ - id: go_third_parties_open_telemetry_tracer_provider
+ patterns:
+ - pattern: $.GetTracerProvider()
+ filters:
+ - variable: PACKAGE
+ detection: go_third_parties_open_telemetry_package
+ scope: cursor
+ - pattern: $
+ filters:
+ - variable: PROVIDER
+ detection: go_shared_lang_instance
+ scope: cursor
+ filters:
+ - variable: PACKAGE
+ detection: go_third_parties_open_telemetry_trace_package
+ scope: cursor
+ - variable: TYPE
+ values:
+ - TracerProvider
+ - id: go_third_parties_open_telemetry_attribute_package
+ patterns:
+ - import $"go.opentelemetry.io/otel/attribute"
+ - import ($"go.opentelemetry.io/otel/attribute")
+ - id: go_third_parties_open_telemetry_trace_package
+ patterns:
+ - import $"go.opentelemetry.io/otel/trace"
+ - import ($"go.opentelemetry.io/otel/trace")
+ - id: go_third_parties_open_telemetry_package
+ patterns:
+ - import $"go.opentelemetry.io/otel"
+ - import ($"go.opentelemetry.io/otel")
+skip_data_types:
+ - "Unique Identifier"
+metadata:
+ description: "Leakage of sensitive data to Open Telemetry"
+ remediation_message: |
+ ## Description
+ Leaking sensitive data to third-party loggers is a common cause of data
+ leaks and can lead to data breaches. This rule looks for instances of
+ sensitive data sent to Open Telemetry.
+
+ ## Remediations
+
+ When logging errors or events, ensure all sensitive data is removed.
+
+ ## Resources
+ - [Open Telemetry Docs](https://opentelemetry.io/docs/)
+ cwe_id:
+ - 201
+ id: go_third_parties_open_telemetry
+ documentation_url: https://docs.bearer.com/reference/rules/go_third_parties_open_telemetry
+severity: high
diff --git a/tests/go/third_parties/open_telemetry/test.js b/tests/go/third_parties/open_telemetry/test.js
new file mode 100644
index 000000000..0b34864a1
--- /dev/null
+++ b/tests/go/third_parties/open_telemetry/test.js
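Review bot: The `go_third_parties_open_telemetry_tracer_provider` auxiliary only recognises `otel.GetTracerProvider()` and values whose declared type comes from `go.opentelemetry.io/otel/trace`, so a provider built from the SDK package (`sdktrace.NewTracerProvider()` in `go.opentelemetry.io/otel/sdk/trace`) and used directly as `provider.Tracer("x")` would likely not be matched unless it is first stored in a `trace.TracerProvider`-typed variable; if that setup path is common in the codebases this rule targets, a third import pattern for the SDK package would close the gap. The remediation text speaks of "third-party loggers" and "logging errors or events", while the patterns actually match span names, attribute values and span events; a sentence such as `Avoid placing sensitive values in span names, attribute values or event names; prefer opaque identifiers that can be resolved outside the tracing backend.` would make the advice match what the rule flags. The project spells its name `OpenTelemetry` upstream, so the description and the resources link text could use that spelling.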
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("open_telemetry", () => {
+ const testCase = "main.go"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/go/third_parties/open_telemetry/testdata/main.go b/tests/go/third_parties/open_telemetry/testdata/main.go
new file mode 100644
index 000000000..b5379dded
--- /dev/null
+++ b/tests/go/third_parties/open_telemetry/testdata/main.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+ "context"
+
+ "go.opentelemetry.io/otel"
+ "go.opentelemetry.io/otel/attribute"
+)
+
+func main() {
+ tracer := otel.GetTracerProvider().Tracer("example.com/foo")
+ // bearer:expected go_third_parties_open_telemetry
+ ctx, span := tracer.Start(context.TODO(), user.email)
+ ctx, span = tracer.Start(context.TODO(), user.id)
+
+ // bearer:expected go_third_parties_open_telemetry
+ span.SetName(user.email)
+ span.SetName(user.id)
+
+ // bearer:expected go_third_parties_open_telemetry
+ attr := attribute.KeyValue{Key: "foo", Value: user.email}
+ attr = attribute.KeyValue{Key: "foo", Value: user.id}
+
+ // bearer:expected go_third_parties_open_telemetry
+ span.SetAttributes([]attribute.KeyValue{{Key: "foo", Value: user.email}}...)
+ span.SetAttributes([]attribute.KeyValue{{Key: "foo", Value: user.id}}...)
+
+ tracer2 := otel.Tracer("foo")
+ ctx2, span2 := tracer2.Start(context.TODO(), "my-span")
+
+ // bearer:expected go_third_parties_open_telemetry
+ span2.AddEvent(user.email)
+ span2.AddEvent(user.id)
+}
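Review bot: The fixture never imports `go.opentelemetry.io/otel/trace`, so the three type-based auxiliary patterns in the rule (the `$` patterns filtered on `trace.Span`, `trace.Tracer` and `trace.TracerProvider` instances) have no coverage; every expected finding here is reached through `otel.GetTracerProvider()`, `otel.Tracer(...)` or an `attribute.KeyValue` literal. A function that receives a span as a parameter would exercise the `Span` instance path and catch a regression in that detector, and similar one-line helpers taking `trace.Tracer` and `trace.TracerProvider` would cover the other two. As written the file also would not compile (`user` is undeclared and `ctx`, `ctx2` and `attr` are assigned but never used); that is presumably fine for a scan-only fixture, but worth confirming against how the other `testdata` files in this suite are written.
```go
import (
	"context"

	"go.opentelemetry.io/otel"
	"go.opentelemetry.io/otel/attribute"
	"go.opentelemetry.io/otel/trace"
)

// … unchanged: main …

func annotate(span trace.Span) {
	// bearer:expected go_third_parties_open_telemetry
	span.AddEvent(user.email)
	span.AddEvent(user.id)
}
```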