feat: remove unused content from detectors (#1529)

chore: update light
Bearer · Mar 8, 2024 · faac4fb · faac4fb
1 parent 1781ef1
commit faac4fb
Show file tree

Hide file tree

Showing 55 changed files with 222 additions and 293 deletions.
diff --git a/e2e/.snapshots/TestCache b/e2e/.snapshots/TestCache
@@ -29,9 +29,8 @@ high:
             column:
                 start: 1
                 end: 37
-        content: logger.info("user info", user.email)
+        content: ""
       parent_line_number: 1
-      snippet: logger.info("user info", user.email)
       fingerprint: fa5e03644738e4c17cbbd04a580506b1_0
       old_fingerprint: 16c8aedf4ee6fe1f129aec2a9c14310c_0
       code_extract: logger.info("user info", user.email)

diff --git a/e2e/flags/.snapshots/TestReportFlagsShouldFail-format-jsonv2 b/e2e/flags/.snapshots/TestReportFlagsShouldFail-format-jsonv2
@@ -1,4 +1,4 @@
-{"source":"Bearer","version":"dev","findings":[{"cwe_ids":["42"],"id":"test_ruby_logger","title":"Ruby logger","description":"Ruby logger","documentation_url":"","line_number":1,"full_filename":"e2e/flags/testdata/simple/main.rb","filename":"main.rb","data_type":{"category_uuid":"cef587dd-76db-430b-9e18-7b031e1a193b","name":"Email Address"},"category_groups":["PII","Personal Data"],"source":{"start":1,"end":1,"column":{"start":26,"end":36}},"sink":{"start":1,"end":1,"column":{"start":1,"end":37},"content":"logger.info(\"user info\", user.email)"},"parent_line_number":1,"snippet":"logger.info(\"user info\", user.email)","fingerprint":"fa5e03644738e4c17cbbd04a580506b1_0","old_fingerprint":"8240e1537878783bac845d1163c80555_0","code_extract":"logger.info(\"user info\", user.email)","severity":"high"}]}
+{"source":"Bearer","version":"dev","findings":[{"cwe_ids":["42"],"id":"test_ruby_logger","title":"Ruby logger","description":"Ruby logger","documentation_url":"","line_number":1,"full_filename":"e2e/flags/testdata/simple/main.rb","filename":"main.rb","data_type":{"category_uuid":"cef587dd-76db-430b-9e18-7b031e1a193b","name":"Email Address"},"category_groups":["PII","Personal Data"],"source":{"start":1,"end":1,"column":{"start":26,"end":36}},"sink":{"start":1,"end":1,"column":{"start":1,"end":37},"content":""},"parent_line_number":1,"fingerprint":"fa5e03644738e4c17cbbd04a580506b1_0","old_fingerprint":"8240e1537878783bac845d1163c80555_0","code_extract":"logger.info(\"user info\", user.email)","severity":"high"}]}
 
 --
 Analyzing codebase

diff --git a/e2e/rules/.snapshots/TestAuxilary-testdata-data-auxilary b/e2e/rules/.snapshots/TestAuxilary-testdata-data-auxilary
@@ -39,9 +39,8 @@ low:
             column:
                 start: 1
                 end: 44
-        content: client.event("user", "logged_in", {}, user)
+        content: ""
       parent_line_number: 11
-      snippet: client.event("user", "logged_in", {}, user)
       fingerprint: 68427732321c4df53052a341ac8da647_0
       old_fingerprint: 4d54a4b735da21fbdcb2d2662977b033_0
       code_extract: client.event("user", "logged_in", {}, user);

diff --git a/e2e/rules/.snapshots/TestDisabledRules-testdata-data-disabled_rules b/e2e/rules/.snapshots/TestDisabledRules-testdata-data-disabled_rules
@@ -23,9 +23,8 @@ low:
             column:
                 start: 3
                 end: 7
-        content: sink
+        content: ""
       parent_line_number: 7
-      snippet: sink
       fingerprint: eb59f129d5424fb58e3bfcb5bfa83159_0
       old_fingerprint: e94b7fee5e58e735f107aa1cb3cfb75b_0
       code_extract: '  sink'

diff --git a/e2e/rules/.snapshots/TestExpectedRule-testdata-data-expected_rule b/e2e/rules/.snapshots/TestExpectedRule-testdata-data-expected_rule
@@ -1,4 +1,4 @@
-{"source":"Bearer","version":"dev","findings":[{"cwe_ids":["319"],"id":"expected_rule","title":"","description":"","documentation_url":"","line_number":3,"full_filename":"e2e/rules/testdata/data/expected_rule/main.rb","filename":"main.rb","source":{"start":3,"end":3,"column":{"start":3,"end":7}},"sink":{"start":3,"end":3,"column":{"start":3,"end":7},"content":"sink"},"parent_line_number":3,"snippet":"sink","fingerprint":"c50ecec7e1fcfba6cce5fcfab129556c_0","old_fingerprint":"6630ae26e5210b1e43bb4c02426e6be7_0","code_extract":"  sink","severity":"low"},{"cwe_ids":["319"],"id":"expected_rule","title":"","description":"","documentation_url":"","line_number":8,"full_filename":"e2e/rules/testdata/data/expected_rule/main.rb","filename":"main.rb","source":{"start":8,"end":8,"column":{"start":3,"end":7}},"sink":{"start":8,"end":8,"column":{"start":3,"end":7},"content":"sink"},"parent_line_number":8,"snippet":"sink","fingerprint":"c50ecec7e1fcfba6cce5fcfab129556c_1","old_fingerprint":"6630ae26e5210b1e43bb4c02426e6be7_1","code_extract":"  sink","severity":"low"}],"expected_findings":[{"rule_id":"expected_rule","location":{"start":3,"end":3,"column":{"start":3,"end":7}}},{"rule_id":"expected_rule","location":{"start":8,"end":8,"column":{"start":3,"end":7}}}]}
+{"source":"Bearer","version":"dev","findings":[{"cwe_ids":["319"],"id":"expected_rule","title":"","description":"","documentation_url":"","line_number":3,"full_filename":"e2e/rules/testdata/data/expected_rule/main.rb","filename":"main.rb","source":{"start":3,"end":3,"column":{"start":3,"end":7}},"sink":{"start":3,"end":3,"column":{"start":3,"end":7},"content":""},"parent_line_number":3,"fingerprint":"c50ecec7e1fcfba6cce5fcfab129556c_0","old_fingerprint":"6630ae26e5210b1e43bb4c02426e6be7_0","code_extract":"  sink","severity":"low"},{"cwe_ids":["319"],"id":"expected_rule","title":"","description":"","documentation_url":"","line_number":8,"full_filename":"e2e/rules/testdata/data/expected_rule/main.rb","filename":"main.rb","source":{"start":8,"end":8,"column":{"start":3,"end":7}},"sink":{"start":8,"end":8,"column":{"start":3,"end":7},"content":""},"parent_line_number":8,"fingerprint":"c50ecec7e1fcfba6cce5fcfab129556c_1","old_fingerprint":"6630ae26e5210b1e43bb4c02426e6be7_1","code_extract":"  sink","severity":"low"}],"expected_findings":[{"rule_id":"expected_rule","location":{"start":3,"end":3,"column":{"start":3,"end":7}}},{"rule_id":"expected_rule","location":{"start":8,"end":8,"column":{"start":3,"end":7}}}]}
 
 --
 Analyzing codebase

diff --git a/e2e/rules/.snapshots/TestReferenceFilters-testdata-data-reference_filters b/e2e/rules/.snapshots/TestReferenceFilters-testdata-data-reference_filters
@@ -23,9 +23,8 @@ high:
             column:
                 start: 1
                 end: 6
-        content: x.foo
+        content: ""
       parent_line_number: 1
-      snippet: x.foo
       fingerprint: df1f6d9ee9f4ee60085d0046163b3701_0
       old_fingerprint: 52f7dcd9f1ba09f3a9f8c1ad305c8a89_0
       code_extract: x.foo

diff --git a/...estRubyRailsDefaultEncryptionSchema-testdata-data-ruby_rails_default_encryption_schema_rb b/...estRubyRailsDefaultEncryptionSchema-testdata-data-ruby_rails_default_encryption_schema_rb
@@ -14,45 +14,77 @@ warning:
             ## Resources
             - [Ruby on Rails Active Record encryption](https://guides.rubyonrails.org/active_record_encryption.html)
         documentation_url: ""
-      line_number: 4
+      line_number: 3
       full_filename: e2e/rules/testdata/data/ruby_rails_default_encryption_schema_rb/db/schema.rb
       filename: db/schema.rb
       category_groups:
         - PII
         - Personal Data
       source:
         location:
-            start: 4
-            end: 4
+            start: 3
+            end: 3
             column:
                 start: 14
-                end: 20
+                end: 21
       sink:
         location:
             start: 2
             end: 8
             column:
                 start: 3
                 end: 6
-        content: |-
-            create_table "users", force: :cascade do |t|
-                t.string "email", null: false
-                t.string "name"
-                t.string "encrypted_password", null: false
-                t.datetime "created_at", null: false
-                t.datetime "updated_at", null: false
-              end
+        content: ""
       parent_line_number: 2
-      snippet: |-
-        create_table "users", force: :cascade do |t|
+      fingerprint: a6e77c6d42db8f03ffbe5acae290f72c_0
+      old_fingerprint: 4b6d6e98ae7d9908efdf9a7984c7db05_0
+      code_extract: |4-
+          create_table "users", force: :cascade do |t|
             t.string "email", null: false
             t.string "name"
             t.string "encrypted_password", null: false
             t.datetime "created_at", null: false
             t.datetime "updated_at", null: false
           end
-      fingerprint: a6e77c6d42db8f03ffbe5acae290f72c_0
-      old_fingerprint: 4b6d6e98ae7d9908efdf9a7984c7db05_0
+    - rule:
+        cwe_ids:
+            - "312"
+        id: ruby_rails_default_encryption
+        title: Missing application-level encryption of sensitive data detected.
+        description: |
+            ## Description
+            Application-level encryption greatly reduces the risk of a data breach or data leak by making data unreadable. This rule checks if sensitive data types found in records are encrypted.
+
+            ## Remediations
+            Whenever storing sensitive data to a datastore, make sure to encrypt the entire record, or the field itself.
+
+            ## Resources
+            - [Ruby on Rails Active Record encryption](https://guides.rubyonrails.org/active_record_encryption.html)
+        documentation_url: ""
+      line_number: 4
+      full_filename: e2e/rules/testdata/data/ruby_rails_default_encryption_schema_rb/db/schema.rb
+      filename: db/schema.rb
+      category_groups:
+        - PII
+        - Personal Data
+      source:
+        location:
+            start: 4
+            end: 4
+            column:
+                start: 14
+                end: 20
+      sink:
+        location:
+            start: 2
+            end: 8
+            column:
+                start: 3
+                end: 6
+        content: ""
+      parent_line_number: 2
+      fingerprint: a6e77c6d42db8f03ffbe5acae290f72c_1
+      old_fingerprint: 4b6d6e98ae7d9908efdf9a7984c7db05_1
       code_extract: |4-
           create_table "users", force: :cascade do |t|
             t.string "email", null: false

diff --git a/...RailsDefaultEncryptionStructure-testdata-data-ruby_rails_default_encryption_structure_sql b/...RailsDefaultEncryptionStructure-testdata-data-ruby_rails_default_encryption_structure_sql
@@ -34,27 +34,58 @@ warning:
             column:
                 start: 1
                 end: 2
-        content: |-
-            CREATE TABLE public.users (
-              id bigint NOT NULL,
-              name character varying,
-              password character varying,
-              created_at timestamp(6) without time zone NOT NULL,
-              updated_at timestamp(6) without time zone NOT NULL,
-              email character varying DEFAULT ''::character varying NOT NULL
-            )
+        content: ""
       parent_line_number: 1
-      snippet: |-
+      fingerprint: e5e17cede9a731da09a639c9c78af007_0
+      old_fingerprint: 86b02d158d5ef7e6b68f6979f4f789aa_0
+      code_extract: |-
         CREATE TABLE public.users (
           id bigint NOT NULL,
           name character varying,
           password character varying,
           created_at timestamp(6) without time zone NOT NULL,
           updated_at timestamp(6) without time zone NOT NULL,
           email character varying DEFAULT ''::character varying NOT NULL
-        )
-      fingerprint: e5e17cede9a731da09a639c9c78af007_0
-      old_fingerprint: 86b02d158d5ef7e6b68f6979f4f789aa_0
+        );
+    - rule:
+        cwe_ids:
+            - "312"
+        id: ruby_rails_default_encryption
+        title: Missing application-level encryption of sensitive data detected.
+        description: |
+            ## Description
+            Application-level encryption greatly reduces the risk of a data breach or data leak by making data unreadable. This rule checks if sensitive data types found in records are encrypted.
+
+            ## Remediations
+            Whenever storing sensitive data to a datastore, make sure to encrypt the entire record, or the field itself.
+
+            ## Resources
+            - [Ruby on Rails Active Record encryption](https://guides.rubyonrails.org/active_record_encryption.html)
+        documentation_url: ""
+      line_number: 7
+      full_filename: e2e/rules/testdata/data/ruby_rails_default_encryption_structure_sql/db/structure.sql
+      filename: db/structure.sql
+      category_groups:
+        - PII
+        - Personal Data
+      source:
+        location:
+            start: 7
+            end: 7
+            column:
+                start: 3
+                end: 8
+      sink:
+        location:
+            start: 1
+            end: 8
+            column:
+                start: 1
+                end: 2
+        content: ""
+      parent_line_number: 1
+      fingerprint: e5e17cede9a731da09a639c9c78af007_1
+      old_fingerprint: 86b02d158d5ef7e6b68f6979f4f789aa_1
       code_extract: |-
         CREATE TABLE public.users (
           id bigint NOT NULL,

diff --git a/e2e/rules/.snapshots/TestSanitizer-testdata-data-sanitizer b/e2e/rules/.snapshots/TestSanitizer-testdata-data-sanitizer
@@ -29,9 +29,8 @@ high:
             column:
                 start: 1
                 end: 24
-        content: log("abc" + user.email)
+        content: ""
       parent_line_number: 4
-      snippet: log("abc" + user.email)
       fingerprint: 6c505050fabde2c4ed17380d19fab254_0
       old_fingerprint: d2e829ba86a33c5a52844641617ad8a7_0
       code_extract: log("abc" + user.email)
@@ -65,9 +64,8 @@ high:
             column:
                 start: 1
                 end: 15
-        content: log("abc" + x)
+        content: ""
       parent_line_number: 5
-      snippet: log("abc" + x)
       fingerprint: 6c505050fabde2c4ed17380d19fab254_1
       old_fingerprint: d2e829ba86a33c5a52844641617ad8a7_1
       code_extract: log("abc" + x)

diff --git a/e2e/rules/.snapshots/TestSecrets-secrets b/e2e/rules/.snapshots/TestSecrets-secrets
@@ -33,9 +33,8 @@ high:
             column:
                 start: 24
                 end: 60
-        content: '    @private_key ||= ''-----BEGIN PGP PRIVATE KEY BLOCK-----asdf-----END PGP PRIVATE KEY BLOCK-----'''
+        content: ""
       parent_line_number: 3
-      snippet: '    @private_key ||= ''-----BEGIN PGP PRIVATE KEY BLOCK-----asdf-----END PGP PRIVATE KEY BLOCK-----'''
       fingerprint: d0914f16c16550b40063c4f3fb14839e_0
       old_fingerprint: 47146043fab58ba5fc86fd0c716b20d8_0
       detailed_context: PGP private key

diff --git a/e2e/rules/.snapshots/TestSimpleRuby-testdata-data-simple_ruby b/e2e/rules/.snapshots/TestSimpleRuby-testdata-data-simple_ruby
@@ -42,9 +42,8 @@ low:
             column:
                 start: 5
                 end: 29
-        content: config.force_ssl = false
+        content: ""
       parent_line_number: 7
-      snippet: config.force_ssl = false
       fingerprint: 52ee98cc601d1c1bd772ff548ee32425_0
       old_fingerprint: 28ca51516a8b388cb7065c1f0df8b093_0
       code_extract: '    config.force_ssl = false'

diff --git a/internal/commands/process/settings/policies/common.rego b/internal/commands/process/settings/policies/common.rego
@@ -8,7 +8,6 @@ build_item(location) := {
 	"sink": {
 		"start": location.source.start_line_number,
 		"end": location.source.end_line_number,
-		"content": location.source.content,
 		"column": {
 			"start": location.source.start_column_number,
 			"end": location.source.end_column_number,
@@ -49,7 +48,6 @@ build_local_item(location, data_type) := {
 	"sink": {
 		"start": location.source.start_line_number,
 		"end": location.source.end_line_number,
-		"content": location.source.content,
 		"column": {
 			"start": location.source.start_column_number,
 			"end": location.source.end_column_number,
@@ -75,7 +73,6 @@ build_item(location) := {
 	"sink": {
 		"start": location.source.start_line_number,
 		"end": location.source.end_line_number,
-		"content": location.source.content,
 		"column": {
 			"start": location.source.start_column_number,
 			"end": location.source.end_column_number,

diff --git a/internal/commands/process/settings/policies/risk_policy.rego b/internal/commands/process/settings/policies/risk_policy.rego
@@ -155,7 +155,6 @@ policy_failure contains item if {
 		"sink": {
 			"start": location.source.start_line_number,
 			"end": location.source.end_line_number,
-			"content": location.source.content,
 			"column": {
 				"start": location.source.start_column_number,
 				"end": location.source.end_column_number,

diff --git a/internal/detectors/custom/custom.go b/internal/detectors/custom/custom.go
@@ -307,8 +307,6 @@ func (detector *Detector) extractData(captures []parser.Captures, rule config.Co
 
 		if rule.DetectPresence {
 			content := capture["rule"].Source(false)
-			content.Text = &rule.Pattern
-
 			var schemaSource *schema.Source
 			var source source.Source
 			if !rule.OmitParent {
@@ -318,7 +316,6 @@ func (detector *Detector) extractData(captures []parser.Captures, rule config.Co
 					EndLineNumber:     *source.EndLineNumber,
 					StartColumnNumber: *source.StartColumnNumber,
 					EndColumnNumber:   *source.EndColumnNumber,
-					Content:           *source.Text,
 				}
 			} else {
 				source = capture["rule"].Source(false)

diff --git a/internal/detectors/simple/.snapshots/TestBuildReportInterfaces b/internal/detectors/simple/.snapshots/TestBuildReportInterfaces
@@ -13,7 +13,7 @@
       StartColumnNumber: (*int)(14),
       EndLineNumber: (*int)(<nil>),
       EndColumnNumber: (*int)(<nil>),
-      Text: (*string)((len=23) "https://url.example.com")
+      Text: (*string)(<nil>)
     },
     Value: (interfaces.Interface) {
       Type: (interfaces.Type) (len=3) "url",
@@ -42,7 +42,7 @@
       StartColumnNumber: (*int)(14),
       EndLineNumber: (*int)(<nil>),
       EndColumnNumber: (*int)(<nil>),
-      Text: (*string)((len=35) "https://multi-a.example.com/foo?x=1")
+      Text: (*string)(<nil>)
     },
     Value: (interfaces.Interface) {
       Type: (interfaces.Type) (len=3) "url",
@@ -71,7 +71,7 @@
       StartColumnNumber: (*int)(53),
       EndLineNumber: (*int)(<nil>),
       EndColumnNumber: (*int)(<nil>),
-      Text: (*string)((len=31) "https://multi-b.example.com/bar")
+      Text: (*string)(<nil>)
     },
     Value: (interfaces.Interface) {
       Type: (interfaces.Type) (len=3) "url",
@@ -100,7 +100,7 @@
       StartColumnNumber: (*int)(0),
       EndLineNumber: (*int)(<nil>),
       EndColumnNumber: (*int)(<nil>),
-      Text: (*string)((len=38) "https://port1.example.com:3000/foo?x=1")
+      Text: (*string)(<nil>)
     },
     Value: (interfaces.Interface) {
       Type: (interfaces.Type) (len=3) "url",
@@ -129,7 +129,7 @@
       StartColumnNumber: (*int)(39),
       EndLineNumber: (*int)(<nil>),
       EndColumnNumber: (*int)(<nil>),
-      Text: (*string)((len=30) "https://port2.example.com:3000")
+      Text: (*string)(<nil>)
     },
     Value: (interfaces.Interface) {
       Type: (interfaces.Type) (len=3) "url",
@@ -158,7 +158,7 @@
       StartColumnNumber: (*int)(1),
       EndLineNumber: (*int)(<nil>),
       EndColumnNumber: (*int)(<nil>),
-      Text: (*string)((len=23) "http://link.example.com")
+      Text: (*string)(<nil>)
     },
     Value: (interfaces.Interface) {
       Type: (interfaces.Type) (len=3) "url",

diff --git a/internal/detectors/simple/simple.go b/internal/detectors/simple/simple.go
@@ -109,7 +109,6 @@ func extractURLs(fileInfo *file.FileInfo, line string, lineNumber int, report re
 				LanguageType:      fileInfo.LanguageTypeString(),
 				StartLineNumber:   &lineNumber,
 				StartColumnNumber: pointers.Int(globalOffset + startOffset),
-				Text:              &url,
 			})
 		}