Documentation and sample mistakes and inconsistencies #595
Description
When writing a JSONschema rule, I got my hands on all samples and rules I could find. I've downloaded all files I could get my hands on to do some comparison. From:
- https://github.com/Microsoft/DevSkim/tree/main/rules/default
- https://github.com/microsoft/ApplicationInspector/tree/main/AppInspector/rules/default
As the documentation on writing custom rules lacks a lot in my opinion, I consider all the rules itself also documentation for now. Also I'm referencing sometimes to the ApplicationInspector repo as that seems to have some more details needed to understand this repo. Below are some (likely) mistakes I noticed in the documentation:
1. XML or JSON
https://github.com/microsoft/ApplicationInspector/wiki/3.6-Structured-Data-Queries-(XPath,-JSONPath,-YamlPath)#sample-xml-rule contains a JSON rule, not an XML rule as the title suggests. However, if it describes JSON rules for XML validation, (which I suspect) that's what should be the description of the titles and the document.
2. Incorrect rule format - missing array
The formatting of this rule is incorrect. The whole structure should be enclosed in [] as in [{...}]. https://github.com/microsoft/DevSkim/wiki/Sample-Rule#rule-sample. Like the other rules and examples in ApplicationInspector.
3. Rule sample without tags
https://github.com/microsoft/ApplicationInspector/wiki/3.6-Structured-Data-Queries-(XPath,-JSONPath,-YamlPath)#sample-rule this sample does not contains tags: []. From the documentation it's unclear to me when to use or not to use tags. For now I assume it's always required.
4. Wrong encoding?
Not sure why exactly but https://github.com/microsoft/ApplicationInspector/blob/main/AppInspector/rules/default/frameworks/rust.json seems to be the only rule saved with encoding UTF-8 with BOM while all other rules I could find are UTF-8 only. Is encoding of custom rules defined, a requirement and documented?
5. Invalid JSON (due to trailing comma)
Error: Parse error on line 133:
... }, ], "must-mat
----------------------^
Expecting 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '[', got ']'
Error: Parse error on line 88:
...058, 830," ], }, { "name": "
---------------------^
Expecting 'STRING', got '}'
Test for yourself here: https://jsonlint.com/.
6. Inconsistent use of lowercase and CamelCase severity.
Lets decide what it should be and consistently apply it.
"low",
"medium",
"high",
"critical",
"moderate",
"important",
"manualreview",
"bestpractice",
"unspecified",
"Critical",
"ManualReview",
"BestPractice"
- Mostly
ManualReviewis used while here its lowercase: https://github.com/microsoft/DevSkim/blob/9fa526953c914cfbbb883e106b52441d73f360dc/rules/default/security/frameworks/dotnet_framework.json#L142 - 137 times
criticaland 9 timesCritical.Criticalseems to be mainly used in the Wiki Samples (3.6 and 3.7) in both repos. - While most seem lowercase only,
BestPracticeonly occurs 3x in suggested_api.json in CamelCase.
7. Limited example files
I have access to less than 200 files that contain valid DevSkim rules. Having more working examples would severely help properly defining a JSONschema.
8. patterns.type case
232x RegexWord
16x RegexWord
9. patterns.confidence case
9x High
1004x high
10. depends_on_tags
Is depends_on_tags a thing? It isn't used in any rule I could find. Only in the three wiki (3.7) examples. Maybe it needs more documentation and example rules.
11. "recommendation": "", shouldn't be used if its optional
"recommendation": "", is often used (29x) but it should not exist at all if its optional. If it exists it should contain something.
Other findings:
-
(multiple times in this file) - like post_quantum
"_comment": ""also appears several times in Wiki samples of DevSkim repo and in many other rules.
I'm planning to use the validation scripts and my JSONschema that lead to all these findings as soon as it is ready.