feat(exemptions): support directories of json files and fix alpha com…

…parison of semver in outdated
zotoio · Dec 3, 2024 · 1303392 · 1303392
1 parent 967cb03
commit 1303392
Show file tree

Hide file tree

Showing 13 changed files with 333 additions and 96 deletions.
diff --git a/src/archetypes/java-microservice-exemptions/team3-java-microservice-exemptions.json b/src/archetypes/java-microservice-exemptions/team3-java-microservice-exemptions.json
@@ -0,0 +1,15 @@
+[
+    {
+      "repoUrl": "[email protected]:zotoio/x-fidelity.git",
+      "rule": "outdatedFramework-global",
+      "expirationDate": "2023-12-31",
+      "reason": "Upgrading dependencies is scheduled for Q4 2024"
+    },
+    {
+      "repoUrl": "[email protected]:zotoio/x-fidelity.git",
+      "rule": "sensitiveLogging-iterative",
+      "expirationDate": "2023-09-30",
+      "reason": "Security audit and logging refactor planned for Q3 2024"
+    }
+  ]
+
diff --git a/src/archetypes/node-fullstack-exemptions/project1-node-fullstack-exemptions.json b/src/archetypes/node-fullstack-exemptions/project1-node-fullstack-exemptions.json
@@ -0,0 +1,15 @@
+[
+    {
+      "repoUrl": "[email protected]:zotoio/x-fidelity.git",
+      "rule": "outdatedFramework-global",
+      "expirationDate": "2023-12-31",
+      "reason": "Upgrading dependencies is scheduled for Q4 2024"
+    },
+    {
+      "repoUrl": "[email protected]:zotoio/x-fidelity.git",
+      "rule": "sensitiveLogging-iterative",
+      "expirationDate": "2023-09-30",
+      "reason": "Security audit and logging refactor planned for Q3 2024"
+    }
+  ]
+
diff --git a/src/archetypes/node-fullstack-exemptions/team1-node-fullstack-exemptions.json b/src/archetypes/node-fullstack-exemptions/team1-node-fullstack-exemptions.json
@@ -0,0 +1,15 @@
+[
+    {
+      "repoUrl": "[email protected]:zotoio/x-fidelity.git",
+      "rule": "outdatedFramework-global",
+      "expirationDate": "2024-12-31",
+      "reason": "Upgrading dependencies is scheduled for Q4 2024"
+    },
+    {
+      "repoUrl": "[email protected]:zotoio/x-fidelity.git",
+      "rule": "sensitiveLogging-iterative",
+      "expirationDate": "2023-09-30",
+      "reason": "Security audit and logging refactor planned for Q3 2024"
+    }
+  ]
+
diff --git a/src/archetypes/rules/noDatabases-iterative-rule.json b/src/archetypes/rules/noDatabases-iterative-rule.json
@@ -0,0 +1,31 @@
+{
+    "name": "noDatabases-iterative",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "notEqual",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "repoFileAnalysis",
+                "params": {
+                    "checkPattern": ["oracle", "mysql", "mssql", "postgres", "sqlite", "mongodb", "cassandra", "redis", "rethinkdb", "neo4j", "couchdb"],
+                    "resultFact": "fileResultsDB"
+                },
+                "operator": "fileContains",
+                "value": true
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "code must not directly call databases",
+            "details": {
+                "fact": "fileResultsDB"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/nonStandardDirectoryStructure-global-rule copy.json b/src/archetypes/rules/nonStandardDirectoryStructure-global-rule copy.json
@@ -0,0 +1,30 @@
+{
+    "name": "nonStandardDirectoryStructure-global",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "equal",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "fileData",
+                "path": "$.filePath",
+                "operator": "nonStandardDirectoryStructure",
+                "value": {
+                    "fact": "standardStructure"
+                }
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "directory structure does not match the standard.",
+            "details": {
+                "fact": "standardStructure"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/nonStandardDirectoryStructure-global-rule.json b/src/archetypes/rules/nonStandardDirectoryStructure-global-rule.json
@@ -0,0 +1,30 @@
+{
+    "name": "nonStandardDirectoryStructure-global",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "equal",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "fileData",
+                "path": "$.filePath",
+                "operator": "nonStandardDirectoryStructure",
+                "value": {
+                    "fact": "standardStructure"
+                }
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "directory structure does not match the standard.",
+            "details": {
+                "fact": "standardStructure"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/openaiAnalysisA11y-global-rule.json b/src/archetypes/rules/openaiAnalysisA11y-global-rule.json
@@ -0,0 +1,31 @@
+{
+    "name": "openaiAnalysisA11yRule-global",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "equal",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "openaiAnalysis",
+                "params": {
+                    "prompt": "Identify any accessibility (a11y) issues in the codebase.",
+                    "resultFact": "openaiAnalysisA11y"
+                },
+                "operator": "openaiAnalysisHighSeverity",
+                "value": 9
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "OpenAI analysis detected accessibility (a11y) issues in the codebase.",
+            "details": {
+                "fact": "openaiAnalysisA11y"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/openaiAnalysisTop5-global-rule.json b/src/archetypes/rules/openaiAnalysisTop5-global-rule.json
@@ -0,0 +1,31 @@
+{
+    "name": "openaiAnalysisTop5-global",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "equal",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "openaiAnalysis",
+                "params": {
+                    "prompt": "what are the most important 5 things to fix?",
+                    "resultFact": "openaiAnalysisTop5"
+                },
+                "operator": "openaiAnalysisHighSeverity",
+                "value": 8
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "OpenAI analysis failed for the provided prompt.",
+            "details": {
+                "fact": "openaiAnalysisTop5"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/outdatedFramework-global-rule.json b/src/archetypes/rules/outdatedFramework-global-rule.json
@@ -0,0 +1,30 @@
+{
+    "name": "outdatedFramework-global",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "equal",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "repoDependencyAnalysis",
+                "params": {
+                    "resultFact": "repoDependencyResults"
+                },
+                "operator": "outdatedFramework",
+                "value": true
+            }
+        ]
+    },
+    "event": {
+        "type": "fatality",
+        "params": {
+            "message": "some core framework dependencies have expired!",
+            "details": {
+                "fact": "repoDependencyResults"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/sensitiveLogging-iterative-rule copy.json b/src/archetypes/rules/sensitiveLogging-iterative-rule copy.json
@@ -0,0 +1,47 @@
+{
+    "name": "sensitiveLogging-iterative",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "notEqual",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "repoXFIConfig",
+                "path": "$.sensitiveFileFalsePositives",
+                "operator": "doesNotContain",
+                "value": {
+                    "fact": "fileData",
+                    "path": "$.filePath"
+                }
+            },
+            {
+                "fact": "repoFileAnalysis",
+                "params": {
+                    "checkPattern": [
+                        "(api[_-]?key|auth[_-]?token|access[_-]?token|secret[_-]?key)",
+                        "(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)",
+                        "(password|passphrase)",
+                        "(private[_-]?key|ssh[_-]?key)",
+                        "(oauth[_-]?token|jwt[_-]?token)",
+                        "db[_-]?password"
+                    ],
+                    "resultFact": "fileResults"
+                },
+                "operator": "fileContains",
+                "value": true
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "Potential sensitive data detected. This must not be logged or exposed. Note: You can exclude files from this check by adding their relative paths to the 'sensitiveFileFalsePositives' array in .xfi-config.json.",
+            "details": {
+                "fact": "fileResults"
+            }
+        }
+    }
+}
diff --git a/src/archetypes/rules/sensitiveLogging-iterative-rule.json b/src/archetypes/rules/sensitiveLogging-iterative-rule.json
@@ -0,0 +1,47 @@
+{
+    "name": "sensitiveLogging-iterative",
+    "conditions": {
+        "all": [
+            {
+                "fact": "fileData",
+                "path": "$.fileName",
+                "operator": "notEqual",
+                "value": "REPO_GLOBAL_CHECK"
+            },
+            {
+                "fact": "repoXFIConfig",
+                "path": "$.sensitiveFileFalsePositives",
+                "operator": "doesNotContain",
+                "value": {
+                    "fact": "fileData",
+                    "path": "$.filePath"
+                }
+            },
+            {
+                "fact": "repoFileAnalysis",
+                "params": {
+                    "checkPattern": [
+                        "(api[_-]?key|auth[_-]?token|access[_-]?token|secret[_-]?key)",
+                        "(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)",
+                        "(password|passphrase)",
+                        "(private[_-]?key|ssh[_-]?key)",
+                        "(oauth[_-]?token|jwt[_-]?token)",
+                        "db[_-]?password"
+                    ],
+                    "resultFact": "fileResults"
+                },
+                "operator": "fileContains",
+                "value": true
+            }
+        ]
+    },
+    "event": {
+        "type": "warning",
+        "params": {
+            "message": "Potential sensitive data detected. This must not be logged or exposed. Note: You can exclude files from this check by adding their relative paths to the 'sensitiveFileFalsePositives' array in .xfi-config.json.",
+            "details": {
+                "fact": "fileResults"
+            }
+        }
+    }
+}