diff --git a/tests/go/lang/logger/__snapshots__/test.js.snap b/tests/go/lang/logger/__snapshots__/test.js.snap index 4753086e0..a2045637d 100644 --- a/tests/go/lang/logger/__snapshots__/test.js.snap +++ b/tests/go/lang/logger/__snapshots__/test.js.snap @@ -12,7 +12,7 @@ exports[`go_lang_logger bad 1`] = ` "title": "Sensitive data in a logger message detected.", "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.email}'\\")\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.uuid}'\\")\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_logger", - "line_number": 20, + "line_number": 27, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { @@ -24,27 +24,27 @@ exports[`go_lang_logger bad 1`] = ` "Personal Data" ], "source": { - "start": 20, - "end": 20, + "start": 24, + "end": 24, "column": { - "start": 3, - "end": 7 + "start": 10, + "end": 19 } }, "sink": { - "start": 29, - "end": 29, + "start": 27, + "end": 27, "column": { "start": 2, "end": 23 }, - "content": "log.Error().Msg(user)" + "content": "log.Error().Msg(name)" }, - "parent_line_number": 29, - "snippet": "log.Error().Msg(user)", + "parent_line_number": 27, + "snippet": "log.Error().Msg(name)", "fingerprint": "3d34def450156dc98ba7c995e89bc3dd_0", "old_fingerprint": "1a0df3e5fa545e7c7c38ca47ea248bbd_0", - "code_extract": "\\tlog.Error().Msg(user) // expect detection" + "code_extract": "\\tlog.Error().Msg(name) // expect detection" }, { "cwe_ids": [ @@ -55,39 +55,39 @@ exports[`go_lang_logger bad 1`] = ` "title": "Sensitive data in a logger message detected.", "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.email}'\\")\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.uuid}'\\")\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_logger", - "line_number": 21, + "line_number": 28, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { - "category_uuid": "94007e1e-57d8-43e8-90f2-246236dc5dde", - "name": "Gender" + "category_uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e", + "name": "Fullname" }, "category_groups": [ "PII", "Personal Data" ], "source": { - "start": 21, - "end": 21, + "start": 25, + "end": 25, "column": { - "start": 3, - "end": 9 + "start": 14, + "end": 27 } }, "sink": { - "start": 29, - "end": 29, + "start": 28, + "end": 28, "column": { "start": 2, - "end": 23 + "end": 24 }, - "content": "log.Error().Msg(user)" + "content": "log.Error().Msg(other)" }, - "parent_line_number": 29, - "snippet": "log.Error().Msg(user)", + "parent_line_number": 28, + "snippet": "log.Error().Msg(other)", "fingerprint": "3d34def450156dc98ba7c995e89bc3dd_1", "old_fingerprint": "1a0df3e5fa545e7c7c38ca47ea248bbd_1", - "code_extract": "\\tlog.Error().Msg(user) // expect detection" + "code_extract": "\\tlog.Error().Msg(other) // expect detection" }, { "cwe_ids": [ @@ -98,7 +98,7 @@ exports[`go_lang_logger bad 1`] = ` "title": "Sensitive data in a logger message detected.", "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.email}'\\")\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.uuid}'\\")\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_logger", - "line_number": 24, + "line_number": 29, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { @@ -110,70 +110,27 @@ exports[`go_lang_logger bad 1`] = ` "Personal Data" ], "source": { - "start": 24, - "end": 24, + "start": 20, + "end": 20, "column": { - "start": 10, - "end": 19 + "start": 3, + "end": 7 } }, "sink": { - "start": 27, - "end": 27, + "start": 29, + "end": 29, "column": { "start": 2, "end": 23 }, - "content": "log.Error().Msg(name)" + "content": "log.Error().Msg(user)" }, - "parent_line_number": 27, - "snippet": "log.Error().Msg(name)", + "parent_line_number": 29, + "snippet": "log.Error().Msg(user)", "fingerprint": "3d34def450156dc98ba7c995e89bc3dd_2", "old_fingerprint": "1a0df3e5fa545e7c7c38ca47ea248bbd_2", - "code_extract": "\\tlog.Error().Msg(name) // expect detection" - }, - { - "cwe_ids": [ - "209", - "532" - ], - "id": "go_lang_logger", - "title": "Sensitive data in a logger message detected.", - "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.email}'\\")\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`go\\nlogger.info(f\\"User is: '{user.uuid}'\\")\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_logger", - "line_number": 25, - "full_filename": "/tmp/bearer-scan/bad.go", - "filename": ".", - "data_type": { - "category_uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e", - "name": "Fullname" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 25, - "end": 25, - "column": { - "start": 14, - "end": 27 - } - }, - "sink": { - "start": 28, - "end": 28, - "column": { - "start": 2, - "end": 24 - }, - "content": "log.Error().Msg(other)" - }, - "parent_line_number": 28, - "snippet": "log.Error().Msg(other)", - "fingerprint": "3d34def450156dc98ba7c995e89bc3dd_3", - "old_fingerprint": "1a0df3e5fa545e7c7c38ca47ea248bbd_3", - "code_extract": "\\tlog.Error().Msg(other) // expect detection" + "code_extract": "\\tlog.Error().Msg(user) // expect detection" } ] }" diff --git a/tests/go/lang/weak_hash_md5/__snapshots__/test.js.snap b/tests/go/lang/weak_hash_md5/__snapshots__/test.js.snap index 846d2ae9f..f1024f592 100644 --- a/tests/go/lang/weak_hash_md5/__snapshots__/test.js.snap +++ b/tests/go/lang/weak_hash_md5/__snapshots__/test.js.snap @@ -55,7 +55,7 @@ exports[`go_lang_weak_hash_md5 bad 1`] = ` "title": "Weak hashing library (MD5) detected.", "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`go\\nmd5.Sum([]byte('password'))\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`go\\nsha256.Sum256([]byte('string'))\\n\`\`\`\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_weak_hash_md5", - "line_number": 18, + "line_number": 19, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { diff --git a/tests/go/lang/weak_hash_sha1/__snapshots__/test.js.snap b/tests/go/lang/weak_hash_sha1/__snapshots__/test.js.snap index b9a047ef5..a577960a6 100644 --- a/tests/go/lang/weak_hash_sha1/__snapshots__/test.js.snap +++ b/tests/go/lang/weak_hash_sha1/__snapshots__/test.js.snap @@ -55,7 +55,7 @@ exports[`go_lang_weak_hash_sha1 bad 1`] = ` "title": "Weak hashing library (SHA1) detected.", "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Avoid libraries and algorithms with known weaknesses:\\n\\n\`\`\`go\\nsha1.Sum([]byte('password'))\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`go\\nsha256.Sum256([]byte('string'))\\n\`\`\`\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_weak_hash_sha1", - "line_number": 17, + "line_number": 18, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { diff --git a/tests/go/lang/weak_password_encryption_md5/__snapshots__/test.js.snap b/tests/go/lang/weak_password_encryption_md5/__snapshots__/test.js.snap index afe71a0ef..59c0b9c63 100644 --- a/tests/go/lang/weak_password_encryption_md5/__snapshots__/test.js.snap +++ b/tests/go/lang/weak_password_encryption_md5/__snapshots__/test.js.snap @@ -55,7 +55,7 @@ exports[`go_lang_weak_password_encryption_md5 bad 1`] = ` "title": "Weak password encryption algorithm (MD5) used for password detected.", "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for passwords, wherever possible:\\n\\n\`\`\`go\\nmd5.Sum([]byte('password'))\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`go\\nsha256.Sum256([]byte('string'))\\n\`\`\`\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_weak_password_encryption_md5", - "line_number": 16, + "line_number": 17, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { diff --git a/tests/go/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap b/tests/go/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap index 49798eed0..5fa4f8547 100644 --- a/tests/go/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap +++ b/tests/go/lang/weak_password_encryption_sha1/__snapshots__/test.js.snap @@ -55,7 +55,7 @@ exports[`go_lang_weak_password_encryption_sha1 bad 1`] = ` "title": "Weak password encryption algorithm (SHA1) used for password detected.", "description": "## Description\\n\\nA weak hashing library can lead to data breaches and greater security risk.\\n\\n## Remediations\\nAccording to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.\\n\\n❌ Do not use encryption for passwords, wherever possible:\\n\\n\`\`\`go\\nsha1.Sum([]byte('password'))\\n\`\`\`\\n\\n✅ Instead, we recommend using sha256:\\n\\n\`\`\`go\\nsha256.Sum256([]byte('string'))\\n\`\`\`\\n", "documentation_url": "https://docs.bearer.com/reference/rules/go_lang_weak_password_encryption_sha1", - "line_number": 16, + "line_number": 17, "full_filename": "/tmp/bearer-scan/bad.go", "filename": ".", "data_type": { diff --git a/tests/javascript/lang/exception/__snapshots__/test.js.snap b/tests/javascript/lang/exception/__snapshots__/test.js.snap index 7c21ed60d..b51269f05 100644 --- a/tests/javascript/lang/exception/__snapshots__/test.js.snap +++ b/tests/javascript/lang/exception/__snapshots__/test.js.snap @@ -60,7 +60,7 @@ exports[`javascript_lang_exception reject 1`] = ` "title": "Sensitive data in a exception message detected.", "description": "## Description\\n\\nLeaking sensitive data to an exception is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to exceptions.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in exception messages:\\n\\n\`\`\`javascript\\nthrow new CustomError(\`Error with \${user.email}\`)\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`javascript\\nthrow new CustomError(\`Error with \${user.uuid}\`)\\n\`\`\`\\n\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_exception", - "line_number": 5, + "line_number": 7, "full_filename": "/tmp/bearer-scan/reject.js", "filename": ".", "data_type": { @@ -102,7 +102,7 @@ exports[`javascript_lang_exception reject 1`] = ` "title": "Sensitive data in a exception message detected.", "description": "## Description\\n\\nLeaking sensitive data to an exception is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to exceptions.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in exception messages:\\n\\n\`\`\`javascript\\nthrow new CustomError(\`Error with \${user.email}\`)\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`javascript\\nthrow new CustomError(\`Error with \${user.uuid}\`)\\n\`\`\`\\n\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_exception", - "line_number": 14, + "line_number": 16, "full_filename": "/tmp/bearer-scan/reject.js", "filename": ".", "data_type": { diff --git a/tests/javascript/lang/file_generation/__snapshots__/test.js.snap b/tests/javascript/lang/file_generation/__snapshots__/test.js.snap index 348d0ded2..dbc1dbb1b 100644 --- a/tests/javascript/lang/file_generation/__snapshots__/test.js.snap +++ b/tests/javascript/lang/file_generation/__snapshots__/test.js.snap @@ -11,91 +11,7 @@ exports[`javascript_lang_file_generation file_generation 1`] = ` "title": "Sensitive data detected as part of a dynamic file generation.", "description": "## Description\\n\\nIt is not uncommon to generate logs, backups, or data exports to static file formats. This rule checks if code exists to write sensitive data to static files.\\n\\n## Remediations\\n\\nAvoid writing sensitive data to logs, backups, or exports whenever possible. Instead obfuscate and/or filter the data to exclude sensitive information.\\n\\n\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_file_generation", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/file_generation.js", - "filename": ".", - "data_type": { - "category_uuid": "14124881-6b92-4fc5-8005-ea7c1c09592e", - "name": "Firstname" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 7, - "end": 7, - "column": { - "start": 35, - "end": 49 - } - }, - "sink": { - "start": 15, - "end": 18, - "column": { - "start": 1, - "end": 3 - }, - "content": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})" - }, - "parent_line_number": 15, - "snippet": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})", - "fingerprint": "7162a96ee591e4689c1fa24bfcc02fd5_0", - "old_fingerprint": "e07392ef7687a29685f9b9f7fd673469_0", - "code_extract": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})" - }, - { - "cwe_ids": [ - "313" - ], - "id": "javascript_lang_file_generation", - "title": "Sensitive data detected as part of a dynamic file generation.", - "description": "## Description\\n\\nIt is not uncommon to generate logs, backups, or data exports to static file formats. This rule checks if code exists to write sensitive data to static files.\\n\\n## Remediations\\n\\nAvoid writing sensitive data to logs, backups, or exports whenever possible. Instead obfuscate and/or filter the data to exclude sensitive information.\\n\\n\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_file_generation", - "line_number": 9, - "full_filename": "/tmp/bearer-scan/file_generation.js", - "filename": ".", - "data_type": { - "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b", - "name": "Email Address" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 9, - "end": 9, - "column": { - "start": 10, - "end": 20 - } - }, - "sink": { - "start": 15, - "end": 18, - "column": { - "start": 1, - "end": 3 - }, - "content": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})" - }, - "parent_line_number": 15, - "snippet": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})", - "fingerprint": "7162a96ee591e4689c1fa24bfcc02fd5_2", - "old_fingerprint": "e07392ef7687a29685f9b9f7fd673469_2", - "code_extract": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})" - }, - { - "cwe_ids": [ - "313" - ], - "id": "javascript_lang_file_generation", - "title": "Sensitive data detected as part of a dynamic file generation.", - "description": "## Description\\n\\nIt is not uncommon to generate logs, backups, or data exports to static file formats. This rule checks if code exists to write sensitive data to static files.\\n\\n## Remediations\\n\\nAvoid writing sensitive data to logs, backups, or exports whenever possible. Instead obfuscate and/or filter the data to exclude sensitive information.\\n\\n\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_file_generation", - "line_number": 10, + "line_number": 15, "full_filename": "/tmp/bearer-scan/file_generation.js", "filename": ".", "data_type": { @@ -125,8 +41,8 @@ exports[`javascript_lang_file_generation file_generation 1`] = ` }, "parent_line_number": 15, "snippet": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})", - "fingerprint": "7162a96ee591e4689c1fa24bfcc02fd5_3", - "old_fingerprint": "e07392ef7687a29685f9b9f7fd673469_3", + "fingerprint": "7162a96ee591e4689c1fa24bfcc02fd5_0", + "old_fingerprint": "e07392ef7687a29685f9b9f7fd673469_0", "code_extract": "fs.writeFile(\\"data.csv\\", JSON.stringify(users), \\"utf-8\\", (err) => {\\n if (err) console.log(err)\\n else console.log(\\"Data saved\\")\\n})" } ] diff --git a/tests/javascript/lang/jwt/__snapshots__/test.js.snap b/tests/javascript/lang/jwt/__snapshots__/test.js.snap index e32265d00..9fdcc2507 100644 --- a/tests/javascript/lang/jwt/__snapshots__/test.js.snap +++ b/tests/javascript/lang/jwt/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_lang_jwt insecure 1`] = ` "title": "Sensitive data in a JWT detected.", "description": "## Description\\n\\nJWTs are not a secure place to store sensitive data. This rule looks for any sensitive data types saved to a JWT.\\n\\n## Remediations\\n\\n❌ Avoid storing sensitive data in JWTs:\\n\\n\`\`\`javascript\\n const jwt = require('jsonwebtoken');\\n const token = jwt.sign({ user: { email: 'jhon@gmail.com' }});\\n\`\`\`\\n\\n✅ If you need to store user's information, use their unique database identifier instead of personal identifiable information:\\n\\n\`\`\`javascript\\n const jwt = require('jsonwebtoken');\\n const token = jwt.sign({ user: user.uuid });\\n\`\`\`\\n\\n## Resources\\n - [OWASP sensitive data exposure](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_jwt", - "line_number": 3, + "line_number": 2, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/lang/logger/__snapshots__/test.js.snap b/tests/javascript/lang/logger/__snapshots__/test.js.snap index e850342bd..027666fad 100644 --- a/tests/javascript/lang/logger/__snapshots__/test.js.snap +++ b/tests/javascript/lang/logger/__snapshots__/test.js.snap @@ -12,7 +12,7 @@ exports[`javascript_lang_logger child 1`] = ` "title": "Sensitive data in a logger message detected.", "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`javascript\\nlogger.info(\`User is: \${user.email}\`)\\n\`\`\`\\n\\n✅ If you need to identify a user, use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`javascript\\nlogger.info(\`User is: \${user.uuid}\`)\\n\`\`\`\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_logger", - "line_number": 3, + "line_number": 7, "full_filename": "/tmp/bearer-scan/child.js", "filename": ".", "data_type": { @@ -53,49 +53,6 @@ exports[`javascript_lang_logger child 1`] = ` exports[`javascript_lang_logger child_level 1`] = ` "{ "high": [ - { - "cwe_ids": [ - "1295", - "532" - ], - "id": "javascript_lang_logger", - "title": "Sensitive data in a logger message detected.", - "description": "## Description\\n\\nLeaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.\\n\\n## Remediations\\n\\n❌ Avoid using sensitive data in logger messages:\\n\\n\`\`\`javascript\\nlogger.info(\`User is: \${user.email}\`)\\n\`\`\`\\n\\n✅ If you need to identify a user, use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`javascript\\nlogger.info(\`User is: \${user.uuid}\`)\\n\`\`\`\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_logger", - "line_number": 3, - "full_filename": "/tmp/bearer-scan/child_level.js", - "filename": ".", - "data_type": { - "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b", - "name": "Email Address" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 3, - "end": 3, - "column": { - "start": 3, - "end": 27 - } - }, - "sink": { - "start": 7, - "end": 7, - "column": { - "start": 1, - "end": 18 - }, - "content": "logger.child(ctx)" - }, - "parent_line_number": 7, - "snippet": "logger.child(ctx)", - "fingerprint": "327449cd47ed82672cc47bf9cfccdb4a_0", - "old_fingerprint": "02e247f69b1c812c168a85bc9af2be8d_0", - "code_extract": "logger.child(ctx).info(user.name);" - }, { "cwe_ids": [ "1295", @@ -135,8 +92,8 @@ exports[`javascript_lang_logger child_level 1`] = ` }, "parent_line_number": 7, "snippet": "logger.child(ctx).info(user.name)", - "fingerprint": "327449cd47ed82672cc47bf9cfccdb4a_1", - "old_fingerprint": "02e247f69b1c812c168a85bc9af2be8d_1", + "fingerprint": "327449cd47ed82672cc47bf9cfccdb4a_0", + "old_fingerprint": "02e247f69b1c812c168a85bc9af2be8d_0", "code_extract": "logger.child(ctx).info(user.name);" } ] diff --git a/tests/javascript/lang/session/__snapshots__/test.js.snap b/tests/javascript/lang/session/__snapshots__/test.js.snap index b12d4fd8c..1d719326b 100644 --- a/tests/javascript/lang/session/__snapshots__/test.js.snap +++ b/tests/javascript/lang/session/__snapshots__/test.js.snap @@ -13,7 +13,7 @@ exports[`javascript_lang_session session_leak 1`] = ` "title": "Sensitive data stored in HTML local storage detected.", "description": "## Description\\n\\nSensitive data should not be stored in a \`localStorage\` session. This policy looks for any sensitive data stored within the localstorage.\\n\\n## Remediations\\n\\nIt's best to avoid storing sensitive data in \`localStorage\` whenever possible. To keep session data safe, use a server-based session storage solution instead.\\n\\n❌ If you do need do store data in \`localStorage\`, avoid including sensitive data:\\n\\n\`\`\`javascript\\nlocalStorage.setItem('user', email)\\n\`\`\`\\n\\n✅ Instead, use a unique identifier:\\n\\n\`\`\`javascript\\nlocalStorage.setItem('user', user.uuid)\\n\`\`\`\\n\\n## Resources\\n - [OWASP sensitive data exposure](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_lang_session", - "line_number": 1, + "line_number": 3, "full_filename": "/tmp/bearer-scan/session_leak.js", "filename": ".", "data_type": { diff --git a/tests/javascript/react/google_analytics/__snapshots__/test.js.snap b/tests/javascript/react/google_analytics/__snapshots__/test.js.snap index 2fa5a0510..00715fac3 100644 --- a/tests/javascript/react/google_analytics/__snapshots__/test.js.snap +++ b/tests/javascript/react/google_analytics/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_react_google_analytics insecure 1`] = ` "title": "Sensitive data sent to Google Analytics detected.", "description": "## Description\\n\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Google Analytics.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_react_google_analytics", - "line_number": 5, + "line_number": 2, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/airbrake/__snapshots__/test.js.snap b/tests/javascript/third_parties/airbrake/__snapshots__/test.js.snap index 472e9817d..6450470f6 100644 --- a/tests/javascript/third_parties/airbrake/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/airbrake/__snapshots__/test.js.snap @@ -53,7 +53,7 @@ exports[`javascript_third_parties_airbrake datatype_in_notify 1`] = ` "title": "Sensitive data sent to Airbrake detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Airbrake.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\nairbrake.notify({\\n error: err,\\n params: { user: user.uuid },\\n});\\n\`\`\`\\n\\n## Resources\\n- [Airbrake Docs](https://docs.airbrake.io/)\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_airbrake", - "line_number": 18, + "line_number": 16, "full_filename": "/tmp/bearer-scan/datatype_in_notify.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/algolia/__snapshots__/test.js.snap b/tests/javascript/third_parties/algolia/__snapshots__/test.js.snap index 57f123a83..5221dd5c4 100644 --- a/tests/javascript/third_parties/algolia/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/algolia/__snapshots__/test.js.snap @@ -60,7 +60,7 @@ exports[`javascript_third_parties_algolia datatype_in_save_object 1`] = ` "title": "Sensitive data sent to Algolia detected.", "description": "## Description\\nLeaking sensitive data to third-party data tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Algolia.\\n\\n## Remediations\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n const algoliaSearch = require('algoliasearch')\\n const myAlgolia = algoliaSearch(\\"123\\", \\"123\\")\\n const index = myAlgolia.initIndex(user.uuid)\\n\`\`\`\\n\\n## Resources\\n- [Algolia docs](https://www.algolia.com/doc/)\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_algolia", - "line_number": 7, + "line_number": 8, "full_filename": "/tmp/bearer-scan/datatype_in_save_object.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/bugsnag/__snapshots__/test.js.snap b/tests/javascript/third_parties/bugsnag/__snapshots__/test.js.snap index c4db99edc..fab65538c 100644 --- a/tests/javascript/third_parties/bugsnag/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/bugsnag/__snapshots__/test.js.snap @@ -157,7 +157,7 @@ exports[`javascript_third_parties_bugsnag datatype_in_start 1`] = ` "title": "Sensitive data sent to Bugsnag detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Bugsnag.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n import { Bugsnag } from \\"@bugsnag/js\\"\\n\\n var bugSession = Bugsnag.startSession()\\n bugSession.notify(user.uuid)\\n\`\`\`\\n\\n## Resources\\n- [Bugsnag Docs](https://docs.bugsnag.com/platforms/javascript/)\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_bugsnag", - "line_number": 3, + "line_number": 1, "full_filename": "/tmp/bearer-scan/datatype_in_start.js", "filename": ".", "data_type": { @@ -190,90 +190,6 @@ exports[`javascript_third_parties_bugsnag datatype_in_start 1`] = ` "fingerprint": "4ed64b524e1062cd19e85082c56d7357_0", "old_fingerprint": "16c296d0999c2d095505c981bdb4e7df_0", "code_extract": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})" - }, - { - "cwe_ids": [ - "201" - ], - "id": "javascript_third_parties_bugsnag", - "title": "Sensitive data sent to Bugsnag detected.", - "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Bugsnag.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n import { Bugsnag } from \\"@bugsnag/js\\"\\n\\n var bugSession = Bugsnag.startSession()\\n bugSession.notify(user.uuid)\\n\`\`\`\\n\\n## Resources\\n- [Bugsnag Docs](https://docs.bugsnag.com/platforms/javascript/)\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_bugsnag", - "line_number": 5, - "full_filename": "/tmp/bearer-scan/datatype_in_start.js", - "filename": ".", - "data_type": { - "category_uuid": "c6622b62-bc22-4c0c-a2e4-5fc97d99e11a", - "name": "Country" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 5, - "end": 5, - "column": { - "start": 16, - "end": 33 - } - }, - "sink": { - "start": 1, - "end": 11, - "column": { - "start": 1, - "end": 3 - }, - "content": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})" - }, - "parent_line_number": 1, - "snippet": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})", - "fingerprint": "4ed64b524e1062cd19e85082c56d7357_2", - "old_fingerprint": "16c296d0999c2d095505c981bdb4e7df_2", - "code_extract": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})" - }, - { - "cwe_ids": [ - "201" - ], - "id": "javascript_third_parties_bugsnag", - "title": "Sensitive data sent to Bugsnag detected.", - "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Bugsnag.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n import { Bugsnag } from \\"@bugsnag/js\\"\\n\\n var bugSession = Bugsnag.startSession()\\n bugSession.notify(user.uuid)\\n\`\`\`\\n\\n## Resources\\n- [Bugsnag Docs](https://docs.bugsnag.com/platforms/javascript/)\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_bugsnag", - "line_number": 9, - "full_filename": "/tmp/bearer-scan/datatype_in_start.js", - "filename": ".", - "data_type": { - "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b", - "name": "Email Address" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 9, - "end": 9, - "column": { - "start": 21, - "end": 31 - } - }, - "sink": { - "start": 1, - "end": 11, - "column": { - "start": 1, - "end": 3 - }, - "content": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})" - }, - "parent_line_number": 1, - "snippet": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})", - "fingerprint": "4ed64b524e1062cd19e85082c56d7357_3", - "old_fingerprint": "16c296d0999c2d095505c981bdb4e7df_3", - "code_extract": "Bugsnag.start({\\n onError: function (e) {\\n e.setUser(user.id, user.email, user.name)\\n e.addMetadata('user location', {\\n country: user.home_country,\\n })\\n },\\n onSession: function (session) {\\n session.setUser(user.email)\\n }\\n})" } ] }" diff --git a/tests/javascript/third_parties/datadog/__snapshots__/test.js.snap b/tests/javascript/third_parties/datadog/__snapshots__/test.js.snap index be7bfe6c8..2e76f19d2 100644 --- a/tests/javascript/third_parties/datadog/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/datadog/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_datadog insecure 1`] = ` "title": "Sensitive data sent to Datadog detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Datadog.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n const StatsD = require(\\"hot-shots\\");\\n const client = new StatsD({\\n port: 8020,\\n globalTags: { env: process.env.NODE_ENV },\\n errorHandler: errorHandler,\\n });\\n\\n client.event(user.uuid, \\"logged_in\\", {});\\n\`\`\`\\n\\n## Resources\\n- [Datadog docs](https://docs.datadoghq.com)\\n- [Scrubbing data](https://docs.datadoghq.com/tracing/configure_data_security/?tab=mongodb#scrub-sensitive-data-from-your-spans)\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_datadog", - "line_number": 3, + "line_number": 11, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/elasticsearch/__snapshots__/test.js.snap b/tests/javascript/third_parties/elasticsearch/__snapshots__/test.js.snap index 154956002..04ffcad2a 100644 --- a/tests/javascript/third_parties/elasticsearch/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/elasticsearch/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_elasticsearch insecure 1`] = ` "title": "Sensitive data sent to ElasticSearch detected.", "description": "## Description\\n\\nLeaking sensitive data to database is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to elasticsearch.\\n\\n## Remediations\\n\\n\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_elasticsearch", - "line_number": 1, + "line_number": 2, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/google_analytics/__snapshots__/test.js.snap b/tests/javascript/third_parties/google_analytics/__snapshots__/test.js.snap index 678640be7..6e0ccb091 100644 --- a/tests/javascript/third_parties/google_analytics/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/google_analytics/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_google_analytics insecure 1`] = ` "title": "Sensitive data sent to Google Analytic detected.", "description": "## Description\\n\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Google Analytics.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n gtag(\\"event\\", \\"screen_view\\", {\\n user: {\\n subscribed: true,\\n },\\n });\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_google_analytics", - "line_number": 3, + "line_number": 1, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/google_tag_manager/__snapshots__/test.js.snap b/tests/javascript/third_parties/google_tag_manager/__snapshots__/test.js.snap index 5f7fdec20..2cdd3fa00 100644 --- a/tests/javascript/third_parties/google_tag_manager/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/google_tag_manager/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_google_tag_manager insecure 1`] = ` "title": "Sensitive data sent to Google Tag Manager detected.", "description": "## Description\\n\\nLeaking sensitive data to third parties is a common cause of data leaks and can lead to data breaches. This rule looks for instances of leaking sensitive data to third parties using google tag manager.\\n\\n❌ Avoid sending sensitive data to third parties:\\n\\n\`\`\`javascript\\ndatalayer.push({\\n user: {\\n email: user.email\\n }\\n})\\n\`\`\`\\n\\n✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:\\n\\n\`\`\`javascript\\ndatalayer.push({\\n user: {\\n uuid: user.uuid\\n }\\n})\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_google_tag_manager", - "line_number": 4, + "line_number": 3, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/honeybadger/__snapshots__/test.js.snap b/tests/javascript/third_parties/honeybadger/__snapshots__/test.js.snap index da598343e..5a25a9444 100644 --- a/tests/javascript/third_parties/honeybadger/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/honeybadger/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_honeybadger insecure 1`] = ` "title": "Sensitive data sent to Honeybadger detected.", "description": "## Description\\n\\nLeaking sensitive data to third-party error logging tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Honeybadger.\\n\\n## Remediations\\n\\nWhen sending data to logging libraries, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n const Honeybadger = require(\\"@honeybadger-io/js\\");\\n\\n let context = { user: { uuid: \\"aacd05fd-8f5b-4bc6-aa8b-35e5fbf37325\\" } };\\n\\n Honeybadger.setContext(context);\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_honeybadger", - "line_number": 3, + "line_number": 5, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/new_relic/__snapshots__/test.js.snap b/tests/javascript/third_parties/new_relic/__snapshots__/test.js.snap index 345d94fd0..607335cd2 100644 --- a/tests/javascript/third_parties/new_relic/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/new_relic/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_new_relic datatype_in_interaction_set_attribut "title": "Sensitive data sent to New Relic detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to New Relic.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [New Relic Docs](https://docs.newrelic.com/)\\n- [Log obfuscation](https://docs.newrelic.com/docs/logs/ui-data/obfuscation-ui/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_new_relic", - "line_number": 6, + "line_number": 5, "full_filename": "/tmp/bearer-scan/datatype_in_interaction_set_attribute.js", "filename": ".", "data_type": { @@ -45,48 +45,6 @@ exports[`javascript_third_parties_new_relic datatype_in_interaction_set_attribut "old_fingerprint": "d4a33ef10c96118848e50cbe6babe62c_0", "code_extract": " newrelic.interaction()\\n .setAttribute(\\"username\\", user.first_name)" }, - { - "cwe_ids": [ - "201" - ], - "id": "javascript_third_parties_new_relic", - "title": "Sensitive data sent to New Relic detected.", - "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to New Relic.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [New Relic Docs](https://docs.newrelic.com/)\\n- [Log obfuscation](https://docs.newrelic.com/docs/logs/ui-data/obfuscation-ui/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_new_relic", - "line_number": 7, - "full_filename": "/tmp/bearer-scan/datatype_in_interaction_set_attribute.js", - "filename": ".", - "data_type": { - "category_uuid": "e354099e-b80c-47b5-a86c-8d936b520387", - "name": "Interactions" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 7, - "end": 7, - "column": { - "start": 34, - "end": 48 - } - }, - "sink": { - "start": 5, - "end": 7, - "column": { - "start": 3, - "end": 49 - }, - "content": "newrelic.interaction()\\n .setAttribute(\\"username\\", user.first_name)\\n .setAttribute(\\"postal-code\\", user.post_code)" - }, - "parent_line_number": 5, - "snippet": "newrelic.interaction()\\n .setAttribute(\\"username\\", user.first_name)\\n .setAttribute(\\"postal-code\\", user.post_code)", - "fingerprint": "63161101404765527f0dada7fd00b64e_1", - "old_fingerprint": "d4a33ef10c96118848e50cbe6babe62c_1", - "code_extract": " newrelic.interaction()\\n .setAttribute(\\"username\\", user.first_name)\\n .setAttribute(\\"postal-code\\", user.post_code);" - }, { "cwe_ids": [ "201" diff --git a/tests/javascript/third_parties/open_telemetry/__snapshots__/test.js.snap b/tests/javascript/third_parties/open_telemetry/__snapshots__/test.js.snap index 495b095dc..10160e327 100644 --- a/tests/javascript/third_parties/open_telemetry/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/open_telemetry/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_open_telemetry datatype_in_add_event 1`] = ` "title": "Sensitive data sent to Open Telemetry detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Open Telemetry.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Open Telemetry Docs](https://opentelemetry.io/docs/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_open_telemetry", - "line_number": 5, + "line_number": 4, "full_filename": "/tmp/bearer-scan/datatype_in_add_event.js", "filename": ".", "data_type": { @@ -199,7 +199,7 @@ exports[`javascript_third_parties_open_telemetry datatype_in_set_status 1`] = ` "title": "Sensitive data sent to Open Telemetry detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Open Telemetry.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Open Telemetry Docs](https://opentelemetry.io/docs/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_open_telemetry", - "line_number": 9, + "line_number": 7, "full_filename": "/tmp/bearer-scan/datatype_in_set_status.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/openai/__snapshots__/test.js.snap b/tests/javascript/third_parties/openai/__snapshots__/test.js.snap index 0502ad835..3db6cdfef 100644 --- a/tests/javascript/third_parties/openai/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/openai/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_openai insecure 1`] = ` "title": "Sensitive data sent to OpenAI detected.", "description": "## Description\\nLeaking sensitive data to third-party is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to OpenAI.\\n\\n## Remediations\\n\\nWhen using a third-party, ensure all sensitive data is removed.\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_openai", - "line_number": 10, + "line_number": 8, "full_filename": "/tmp/bearer-scan/insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/rollbar/__snapshots__/test.js.snap b/tests/javascript/third_parties/rollbar/__snapshots__/test.js.snap index 3975352f3..7aa74452d 100644 --- a/tests/javascript/third_parties/rollbar/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/rollbar/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_rollbar browser_insecure 1`] = ` "title": "Sensitive data sent to Rollbar detected.", "description": "## Description\\n\\nLeaking sensitive data to third-party error logging tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Rollbar.\\n\\n## Remediations\\n\\nWhen sending data to logging libraries, ensure all sensitive data is removed.\\n\\nIf you really need to identify users, use unique identifiers from the database.\\n\\n\`\`\`javascript\\n Rollbar.critical(\\"Connection error from remote Payments API\\", user.uuid);\\n\`\`\`\\n\\n## Resources\\n- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_rollbar", - "line_number": 1, + "line_number": 3, "full_filename": "/tmp/bearer-scan/browser_insecure.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/segment/__snapshots__/test.js.snap b/tests/javascript/third_parties/segment/__snapshots__/test.js.snap index fe646c59e..d1fbedfde 100644 --- a/tests/javascript/third_parties/segment/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/segment/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_segment datatype_in_alias 1`] = ` "title": "Sensitive data sent to Segment detected.", "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 8, + "line_number": 7, "full_filename": "/tmp/bearer-scan/datatype_in_alias.js", "filename": ".", "data_type": { @@ -60,7 +60,7 @@ exports[`javascript_third_parties_segment datatype_in_group 1`] = ` "title": "Sensitive data sent to Segment detected.", "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 8, + "line_number": 6, "full_filename": "/tmp/bearer-scan/datatype_in_group.js", "filename": ".", "data_type": { @@ -109,7 +109,7 @@ exports[`javascript_third_parties_segment datatype_in_identify 1`] = ` "title": "Sensitive data sent to Segment detected.", "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 8, + "line_number": 5, "full_filename": "/tmp/bearer-scan/datatype_in_identify.js", "filename": ".", "data_type": { @@ -143,90 +143,6 @@ exports[`javascript_third_parties_segment datatype_in_identify 1`] = ` "old_fingerprint": "cb032b072d0a7bcaf1ca43e2bdc2b5cb_0", "code_extract": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n});" }, - { - "cwe_ids": [ - "201" - ], - "id": "javascript_third_parties_segment", - "title": "Sensitive data sent to Segment detected.", - "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 9, - "full_filename": "/tmp/bearer-scan/datatype_in_identify.js", - "filename": ".", - "data_type": { - "category_uuid": "cef587dd-76db-430b-9e18-7b031e1a193b", - "name": "Email Address" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 9, - "end": 9, - "column": { - "start": 5, - "end": 29 - } - }, - "sink": { - "start": 5, - "end": 13, - "column": { - "start": 1, - "end": 3 - }, - "content": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n})" - }, - "parent_line_number": 5, - "snippet": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n})", - "fingerprint": "df462286e9e34d817b61a361c26e8720_1", - "old_fingerprint": "cb032b072d0a7bcaf1ca43e2bdc2b5cb_1", - "code_extract": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n});" - }, - { - "cwe_ids": [ - "201" - ], - "id": "javascript_third_parties_segment", - "title": "Sensitive data sent to Segment detected.", - "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", - "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 11, - "full_filename": "/tmp/bearer-scan/datatype_in_identify.js", - "filename": ".", - "data_type": { - "category_uuid": "68631dba-5696-4cc0-b6a8-0175ca99a7a2", - "name": "Friends" - }, - "category_groups": [ - "PII", - "Personal Data" - ], - "source": { - "start": 11, - "end": 11, - "column": { - "start": 5, - "end": 30 - } - }, - "sink": { - "start": 5, - "end": 13, - "column": { - "start": 1, - "end": 3 - }, - "content": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n})" - }, - "parent_line_number": 5, - "snippet": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n})", - "fingerprint": "df462286e9e34d817b61a361c26e8720_2", - "old_fingerprint": "cb032b072d0a7bcaf1ca43e2bdc2b5cb_2", - "code_extract": "analytics.identify({\\n userId: user.id,\\n traits: {\\n name: user.fullName,\\n email: user.emailAddress,\\n plan: user.businessPlan,\\n friends: user.friendCount\\n }\\n});" - }, { "cwe_ids": [ "201" @@ -284,7 +200,7 @@ exports[`javascript_third_parties_segment datatype_in_page 1`] = ` "title": "Sensitive data sent to Segment detected.", "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 10, + "line_number": 6, "full_filename": "/tmp/bearer-scan/datatype_in_page.js", "filename": ".", "data_type": { @@ -333,7 +249,7 @@ exports[`javascript_third_parties_segment datatype_in_track 1`] = ` "title": "Sensitive data sent to Segment detected.", "description": "## Description\\nLeaking sensitive data to third-party analytics tools is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Segment.\\n\\n## Remediations\\n\\nWhen sending data to analytics libraries, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Segment Node.js docs](https://segment.com/docs/connections/sources/catalog/libraries/server/node/)\\n- [Segment JavaScript docs](https://segment.com/docs/connections/sources/catalog/libraries/website/javascript/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_segment", - "line_number": 8, + "line_number": 5, "full_filename": "/tmp/bearer-scan/datatype_in_track.js", "filename": ".", "data_type": { diff --git a/tests/javascript/third_parties/sentry/__snapshots__/test.js.snap b/tests/javascript/third_parties/sentry/__snapshots__/test.js.snap index dcfb20a28..400e13d6f 100644 --- a/tests/javascript/third_parties/sentry/__snapshots__/test.js.snap +++ b/tests/javascript/third_parties/sentry/__snapshots__/test.js.snap @@ -11,7 +11,7 @@ exports[`javascript_third_parties_sentry javascript_add_breadcrumb 1`] = ` "title": "Sensitive data sent to Sentry detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Sentry.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Sentry Docs](https://docs.sentry.io/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_sentry", - "line_number": 2, + "line_number": 1, "full_filename": "/tmp/bearer-scan/javascript_add_breadcrumb.js", "filename": ".", "data_type": { @@ -60,7 +60,7 @@ exports[`javascript_third_parties_sentry javascript_capture_event 1`] = ` "title": "Sensitive data sent to Sentry detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Sentry.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Sentry Docs](https://docs.sentry.io/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_sentry", - "line_number": 2, + "line_number": 1, "full_filename": "/tmp/bearer-scan/javascript_capture_event.js", "filename": ".", "data_type": { @@ -109,7 +109,7 @@ exports[`javascript_third_parties_sentry javascript_capture_exception 1`] = ` "title": "Sensitive data sent to Sentry detected.", "description": "## Description\\nLeaking sensitive data to third-party loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to Sentry.\\n\\n## Remediations\\n\\nWhen logging errors or events, ensure all sensitive data is removed.\\n\\n## Resources\\n- [Sentry Docs](https://docs.sentry.io/)\\n", "documentation_url": "https://docs.bearer.com/reference/rules/javascript_third_parties_sentry", - "line_number": 2, + "line_number": 1, "full_filename": "/tmp/bearer-scan/javascript_capture_exception.js", "filename": ".", "data_type": { diff --git a/tests/php/lang/http_url_using_sensitive_data/__snapshots__/test.js.snap b/tests/php/lang/http_url_using_sensitive_data/__snapshots__/test.js.snap index 26c316104..fa1b41b4e 100644 --- a/tests/php/lang/http_url_using_sensitive_data/__snapshots__/test.js.snap +++ b/tests/php/lang/http_url_using_sensitive_data/__snapshots__/test.js.snap @@ -781,7 +781,7 @@ exports[`php_lang_http_url_using_sensitive_data bad_httplug 1`] = ` "title": "Sensitive data detected in HTTP URL.", "description": "## Description\\nSensitive data should never be sent as part of the URL in HTTP requests.\\n\\n## Remediations\\nAvoid sending sensitive data in a URL as they can be seen by intermediaries,\\nor could be logged by applications:\\n\\n❌ Avoid adding sensitive data in paths:\\n\`\`\`php\\n$curl = curl_init(\\"https://example.com/users/{$user->email}\\");\\n\`\`\`\\n\\n❌ Avoid adding sensitive data in query parameters:\\n\`\`\`php\\n$query = http_build_query(['email' => $user->email]);\\n$curl = curl_init(\\"https://example.com/users?$query\\");\\n\`\`\`\\n\\n✅ Use an HTTP POST body if you need to send sensitive data:\\n\\n\`\`\`php\\n$query = http_build_query(['email' => $user->email]);\\n$curl = curl_init(\\"https://example.com/users/list\\");\\ncurl_setopt($curl, CURLOPT_POSTFIELDS, $query);\\n\`\`\`\\n\\n✅ Or avoid sending sending sensitive data altogether:\\n\\n\`\`\`php\\n$query = http_build_query(['uuid' => $user->uuid]);\\n$curl = curl_init(\\"https://example.com/users?$query\\");\\n\`\`\`\\n\\n