From 9fa526953c914cfbbb883e106b52441d73f360dc Mon Sep 17 00:00:00 2001 From: julianladisch Date: Wed, 4 Dec 2024 20:49:26 +0100 Subject: [PATCH] [False Positive][False Negative] Outdated/Banned SSL/TLS protocols (#649) * [False Positive][False Negative] Outdated/Banned SSL/TLS protocols ## Rule ID DS169125 Do not use outdated SSL/TLS protocols DS169126 An Outdated or Banned SSL/TLS Protocol is Used ## What the rule matched DS169125 * TLSv1.2 * TLSv1.3 DS169126 * TLSv12 * TLSv1.2 * TLSv13 * TLSv1.3 ## Why should this not be matched? https://github.com/microsoft/DevSkim/blob/v1.0.33/guidance/DS169126.md says: > Use TLSv1.3 if possible or TLSv1.2 if 1.3 cannot be used. ## What the rule did not match (false negative) DS169125 * TLSv1_0 * TLSv11 * TLSv1_1 ## Why should this be matched? https://github.com/microsoft/DevSkim/blob/v1.0.33/guidance/DS169126.md says: >TLSv1 - Weak, strongly consider disabling unless absolutely required. >TLSv1.1 - Weak, strongly consider disabling unless absolutely required. It already matches TLSv10 and TLSv1.0, therefore it should also match TLSv1_0. It already matches TLSv1.1, therefore it should also match TLSv11 and TLSv1_1. * Update Changelog.md --------- Co-authored-by: Gabe Stocco <98900+gfs@users.noreply.github.com> --- Changelog.md | 4 ++ .../security/cryptography/protocol.json | 48 +++++++++++-------- 2 files changed, 33 insertions(+), 19 deletions(-) diff --git a/Changelog.md b/Changelog.md index d530a7dd..4785f9aa 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.0.49] - 2024-12-03 +## Rules +Fixed false positives and false negatives in outdated/banned SSL/TLS protocols. #649 + ## [1.0.48] - 2024-11-20 ### Dependencies Update VS Code Extension Dependencies 
diff --git a/rules/default/security/cryptography/protocol.json b/rules/default/security/cryptography/protocol.json
index 641496c0..c27ada01 100644
--- a/rules/default/security/cryptography/protocol.json
+++ b/rules/default/security/cryptography/protocol.json
@@ -82,7 +82,7 @@
 "rule_info": "DS169126.md",
 "patterns": [
 {
- "pattern": "(SSLv?2|SSLv?3|TLSv?1|TLSv?10)",
+ "pattern": "(SSLv?2|SSLv?3|TLSv?1(?![._]?[2-9])|TLSv?1[._]?[01])",
 "type": "RegexWord",
 "scopes": [
 "code"
@@ -90,9 +90,23 @@
 }
 ],
 "must-match": [
+ "SSLv2",
 "SSLv3",
 "TLSv1",
- "TLSv10"
+ "TLSv10",
+ "TLSv1_0",
+ "TLSv1.0",
+ "TLSv11",
+ "TLSv1_1",
+ "TLSv1.1"
+ ],
+ "must-not-match": [
+ "TLSv12",
+ "TLSv1_2",
+ "TLSv1.2",
+ "TLSv13",
+ "TLSv1_3",
+ "TLSv1.3"
 ]
 },
 {
@@ -129,36 +143,32 @@
 ]
 },
 {
- "pattern": "TLSv1(?!_[2-9])",
- "type": "regex",
- "scopes": [
- "code"
- ]
- },
- {
- "pattern": "TLSv1(0|_0)",
+ "pattern": "TLSv1(?![._]?[2-9])",
 "type": "regex",
 "scopes": [
 "code"
 ]
- },
- {
- "pattern": "TLSv1_1",
- "type": "string",
- "scopes": [
- "code"
- ]
 }
 ],
 "must-match": [
 "SSLv3",
 "TLSv1",
 "TLSv10",
+ "TLSv1.0",
+ "TLSv1_0",
+ "TLSv11",
+ "TLSv1.1",
+ "TLSv1_1",
+ "TLSv1X9",
 "SSLv2_client"
 ],
 "must-not-match":[
+ "TLSv12",
 "TLSv1_2",
- "TLSv1_3"
+ "TLSv1.2",
+ "TLSv13",
+ "TLSv1_3",
+ "TLSv1.3"
 ]
 },
 {
@@ -474,4 +484,4 @@
 "must-not-match": [
 ]
 }
-]
\ No newline at end of file
+]
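Review bot: None of the test strings added in the @@ -90 hunk exercise the optional `v` in the new `TLSv?1(?![._]?[2-9])|TLSv?1[._]?[01]` pattern from the @@ -82 hunk, so the `TLS1.2`/`TLS12` forms that the lookahead is meant to exempt, and the `TLS1`/`TLS10` forms it is meant to keep flagging, are unverified. Add `"TLS1"` and `"TLS10"` to `must-match` and `"TLS12"` and `"TLS1.2"` to `must-not-match`; by my reading of the regex all four behave as intended, but the lists are what pins that down. The lookahead only recognises `.` and `_` as separators, so a token such as `TLSv1-2` is still reported as outdated (assuming RegexWord wraps the pattern in word boundaries); if that is deliberate, a `"TLSv1-2"` entry in `must-match` would record it.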
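Review bot: The consolidated `TLSv1(?![._]?[2-9])` pattern in the @@ -129 hunk omits the optional `v` that the sibling rule's pattern in the @@ -82 hunk carries (`TLSv?1`), so a bare `TLS1`/`TLS10` is flagged by one rule and not the other. If the difference is intended, a `"TLS1"` entry in this rule's `must-not-match` would make it explicit; otherwise `TLSv?1(?![._]?[2-9])` keeps the two rules aligned (note this rule is plain `regex`, not `RegexWord`, so dropping the `v` also widens substring matches). The new `"TLSv1X9"` `must-match` entry appears to pin that only `.` and `_` are treated as version separators, but nothing says so; since JSON cannot carry a comment, consider stating that in the rule's `description`, which sits outside this hunk.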