WIP

rules/java/third_parties/bigquery.yml

@@ -0,0 +1,59 @@
+imports:
+  - java_shared_lang_datatype
+  - java_shared_lang_instance
+patterns:
+  - pattern: $<BUILDER>.addRow($<HASH_MAP>);
+    filters:
+      - variable: BUILDER
+        detection: java_third_parties_bigquery_builder
+      - variable: HASH_MAP
+        detection: java_shared_lang_instance
+        scope: cursor
+        filters:
+          - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+            regex: \A(java\.util\.)?HashMap\<\>\z
+trigger:
+  required_detection: java_third_parties_bigquery_row_with_data
+languages:
+  - java
+auxiliary:
+  - id: java_third_parties_bigquery_builder
+    patterns:
+      - pattern: $<INSERT_REQUEST>.newBuilder();
+        filters:
+          - variable: INSERT_REQUEST
+            regex: \A(com\.google\.cloud\.bigquery\.)?InsertAllRequest\z
+  - id: java_third_parties_bigquery_row_with_data
+    patterns:
+      - pattern: |
+          $<HASH_MAP>.put($<_>, $<DATA_TYPE>);
+        filters:
+          - variable: HASH_MAP
+            detection: java_shared_lang_instance
+            scope: cursor
+            filters:
+              - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+                regex: \A(java\.util\.)?HashMap\<\>\z
+          - variable: DATA_TYPE
+            detection: java_shared_lang_datatype
+            scope: result
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: Leakage of sensitive data to BigQuery
+  remediation_message: |
+    ## Description
+    Leaking sensitive data to third-party data tools is a common cause of data
+    leaks and can lead to data breaches. This rule looks for instances of
+    sensitive data sent to BigQuery.
+
+    ## Remediations
+    When sending data to third-party services, ensure all sensitive data is removed.
+
+    ## Resources
+    - [BigQuery docs](https://cloud.google.com/java/docs/reference/cloud-bigquery/latest)
+  cwe_id:
+    - 201
+  associated_recipe: Google Cloud BigQuery
+  id: java_third_parties_bigquery
+  documentation_url: https://docs.bearer.com/reference/rules/java_third_parties_bigquery

tests/java/third_parties/bigquery/test.js

@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("bigquery", () => {
+    const testCase = "main.java"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})

tests/java/third_parties/bigquery/testdata/main.java

@@ -0,0 +1,30 @@
+// Use bearer:expected java_third_parties_bigquery to flag expected findings
+import com.google.cloud.bigquery.BigQuery;
+import com.google.cloud.bigquery.BigQueryOptions;
+import com.google.cloud.bigquery.InsertAllRequest;
+import com.google.cloud.bigquery.InsertAllResponse;
+import com.google.cloud.bigquery.TableId;
+import com.google.cloud.bigquery.InsertAllRequest.RowToInsert;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class FooBar {
+  public static void bad(User user) {
+    BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();
+
+    TableId tableId = TableId.of("MY_DATASET_NAME", "MY_TABLE_NAME");
+
+    Map<String, String> rowContent = new HashMap<>();
+    // rowContent.put("name", user.name);
+    // rowContent.put("location", user.location);
+    // rowContent.put("email", user.email);
+
+    InsertAllResponse response = bigquery
+      .insertAll(InsertAllRequest.newBuilder(tableId)
+        .addRow(rowContent)
+        .build()
+      );
+  }
+}