--details / -d adjustment (#138)

CHANGELOG.md

@@ -8,6 +8,8 @@
     * Implemented all `credo` "Code Readability" adjustments
     * Took advantage of _some_ `credo` refactoring opportunities
     * Added (sub)module documentation that was missing for some vulnerabilities and unified presentation of others
+  * Bug fixes
+    * Fixed `--details` / `-d` not displaying correct information
   * Misc
     * Added `mix credo --strict` to project
     * Improvements to GitHub CI

lib/sobelow/ci.ex

@@ -9,7 +9,14 @@ defmodule Sobelow.CI do
   Read more about Command Injection here:
   https://www.owasp.org/index.php/Command_Injection
 
-  Command Injection checks can be ignored with the
+  If you wish to learn more about the specific vulnerabilities
+  found within the Command Injection category, you may run the
+  following commands to find out more:
+
+        $ mix sobelow -d CI.OS
+        $ mix sobelow -d CI.System
+
+  Command Injection checks of all types can be ignored with the
   following command:
 
       $ mix sobelow -i CI

lib/sobelow/ci/os.ex

@@ -27,8 +27,4 @@ defmodule Sobelow.CI.OS do
   def parse_def(fun) do
     Parse.get_erlang_fun_vars_and_meta(fun, 0, :cmd, :os)
   end
-
-  def details do
-    Sobelow.CI.details()
-  end
 end

lib/sobelow/ci/system.ex

@@ -27,8 +27,4 @@ defmodule Sobelow.CI.System do
   def parse_def(fun) do
     Parse.get_fun_vars_and_meta(fun, 0, :cmd, [:System])
   end
-
-  def details do
-    Sobelow.CI.details()
-  end
 end

lib/sobelow/config.ex

@@ -9,7 +9,20 @@ defmodule Sobelow.Config do
   This can include things like missing headers,
   insecure cookies, and more.
 
-  Configuration checks can be ignored with the
+  If you wish to learn more about the specific vulnerabilities
+  found within the Configuration category, you may run the
+  following commands to find out more:
+
+            $ mix sobelow -d Config.CSP
+            $ mix sobelow -d Config.CSRF
+            $ mix sobelow -d Config.CSRFRoute
+            $ mix sobelow -d Config.CSWH
+            $ mix sobelow -d Config.Headers
+            $ mix sobelow -d Config.Secrets
+            $ mix sobelow -d Config.HTTPS
+            $ mix sobelow -d Config.HSTS
+
+  Configuration checks of all types can be ignored with the
   following command:
 
       $ mix sobelow -i Config
@@ -196,4 +209,8 @@ defmodule Sobelow.Config do
   def get_version({:@, _, nil} = ast, acc), do: {ast, acc}
   def get_version({:@, _, [{:version, _, [vsn]}]}, _acc) when is_binary(vsn), do: {vsn, vsn}
   def get_version(ast, acc), do: {ast, acc}
+
+  def details do
+    @moduledoc
+  end
 end

lib/sobelow/dos.ex

@@ -9,7 +9,15 @@ defmodule Sobelow.DOS do
   Read more about Denial of Service here:
   https://owasp.org/www-community/attacks/Denial_of_Service
 
-  Denial of Service checks can be ignored with the
+  If you wish to learn more about the specific vulnerabilities
+  found within the Denial of Service category, you may run the
+  following commands to find out more:
+
+          $ mix sobelow -d DOS.StringToAtom
+          $ mix sobelow -d DOS.ListToAtom
+          $ mix sobelow -d DOS.BinToAtom
+
+  Denial of Service checks of all types can be ignored with the
   following command:
 
       $ mix sobelow -i DOS
@@ -24,4 +32,8 @@ defmodule Sobelow.DOS do
       apply(mod, :run, [fun, meta_file])
     end)
   end
+
+  def details do
+    @moduledoc
+  end
 end

lib/sobelow/misc.ex

@@ -6,7 +6,13 @@ defmodule Sobelow.Misc do
   checks that don't fall neatly into the other
   detection categories.
 
-  Miscellaneous checks can be ignored with the
+  If you wish to learn more about the specific vulnerabilities
+  found within the Miscellaneous category, you may run the
+  following commands to find out more:
+
+            $ mix sobelow -d Misc.BinToTerm
+
+  Miscellaneous checks of all types can be ignored with the
   following command:
 
       $ mix sobelow -i Misc
@@ -21,4 +27,8 @@ defmodule Sobelow.Misc do
       apply(mod, :run, [fun, meta_file])
     end)
   end
+
+  def details do
+    @moduledoc
+  end
 end

lib/sobelow/rce.ex

@@ -6,7 +6,14 @@ defmodule Sobelow.RCE do
   untrusted user input being executed or interpreted by
   the system and may result in complete system compromise.
 
-  Code Execution checks can be ignored with the
+  If you wish to learn more about the specific vulnerabilities
+  found within the Remote Code Execution category, you may run the
+  following commands to find out more:
+
+          $ mix sobelow -d RCE.EEx
+          $ mix sobelow -d RCE.CodeModule
+
+  Remote Code Execution checks of all types can be ignored with the
   following command:
 
       $ mix sobelow -i RCE

lib/sobelow/rce/code_module.ex

@@ -35,8 +35,4 @@ defmodule Sobelow.RCE.CodeModule do
   def parse_def(fun, code_fun) do
     Parse.get_fun_vars_and_meta(fun, 0, code_fun, [:Code])
   end
-
-  def details do
-    Sobelow.RCE.details()
-  end
 end

lib/sobelow/sql.ex

@@ -2,15 +2,22 @@ defmodule Sobelow.SQL do
   @moduledoc """
   # SQL Injection
 
-  SQL injection occurs when untrusted input is interpolated
+  SQL Injection occurs when untrusted input is interpolated
   directly into a SQL query. In a typical Phoenix application,
   this would mean using the `Ecto.Adapters.SQL.query` method
   and not using the parameterization feature.
 
   Read more about SQL injection here:
   https://www.owasp.org/index.php/SQL_Injection
 
-  SQL injection checks can be ignored with the following command:
+  If you wish to learn more about the specific vulnerabilities
+  found within the SQL Injection category, you may run the
+  following commands to find out more:
+
+            $ mix sobelow -d SQL.Query
+            $ mix sobelow -d SQL.Stream
+
+  SQL Injection checks of all types can be ignored with the following command:
 
       $ mix sobelow -i SQL
   """

lib/sobelow/sql/query.ex

@@ -36,8 +36,4 @@ defmodule Sobelow.SQL.Query do
   def parse_repo_query_def(fun) do
     Parse.get_fun_vars_and_meta(fun, 0, :query, :Repo)
   end
-
-  def details do
-    Sobelow.SQL.details()
-  end
 end

lib/sobelow/sql/stream.ex

@@ -28,8 +28,4 @@ defmodule Sobelow.SQL.Stream do
   def parse_sql_def(fun) do
     Parse.get_fun_vars_and_meta(fun, 1, :stream, {:required, :SQL})
   end
-
-  def details do
-    Sobelow.SQL.details()
-  end
 end

lib/sobelow/traversal.ex

@@ -10,7 +10,15 @@ defmodule Sobelow.Traversal do
   Read more about Path Traversal here:
   https://www.owasp.org/index.php/Path_Traversal
 
-  Path Traversal checks can be ignored with the following command:
+  If you wish to learn more about the specific vulnerabilities
+  found within the Path Traversal category, you may run the
+  following commands to find out more:
+
+            $ mix sobelow -d Traversal.SendFile
+            $ mix sobelow -d Traversal.FileModule
+            $ mix sobelow -d Traversal.SendDownload
+
+  Path Traversal checks of all types can be ignored with the following command:
 
       $ mix sobelow -i Traversal
   """

lib/sobelow/traversal/file_module.ex

@@ -62,8 +62,4 @@ defmodule Sobelow.Traversal.FileModule do
   def parse_second_def(fun, type) do
     Parse.get_fun_vars_and_meta(fun, 1, type, [:File])
   end
-
-  def details do
-    Sobelow.Traversal.details()
-  end
 end

lib/sobelow/traversal/send_download.ex

@@ -37,10 +37,6 @@ defmodule Sobelow.Traversal.SendDownload do
     {findings, params, {fun_name, line_no}}
   end
 
-  def details do
-    Sobelow.Traversal.details()
-  end
-
   defp download_type_binary?({:send_download, _, opts}), do: type_binary?(opts)
 
   defp download_type_binary?({{:., _, [{_, _, _}, :send_download]}, _, opts}),

lib/sobelow/traversal/send_file.ex

@@ -28,8 +28,4 @@ defmodule Sobelow.Traversal.SendFile do
   def parse_def(fun) do
     Parse.get_fun_vars_and_meta(fun, 2, :send_file, :Conn)
   end
-
-  def details do
-    Sobelow.Traversal.details()
-  end
 end

lib/sobelow/vuln.ex

@@ -5,7 +5,18 @@ defmodule Sobelow.Vuln do
   An application with known vulnerabilities is more easily subjected
   to automated or targeted attacks.
 
-  Known Vulnerable checks can be ignored with the following command:
+  If you wish to learn more about the specific vulnerabilities
+  found within the Known Vulnerable Dependencies category, you may run the
+  following commands to find out more:
+
+            $ mix sobelow -d Vuln.PlugNull
+            $ mix sobelow -d Vuln.CookieRCE
+            $ mix sobelow -d Vuln.HeaderInject
+            $ mix sobelow -d Vuln.Redirect
+            $ mix sobelow -d Vuln.Coherence
+            $ mix sobelow -d Vuln.Ecto
+
+  Known Vulnerable checks of all types can be ignored with the following command:
 
       $ mix sobelow -i Vuln
   """

lib/sobelow/vuln/coherence.ex

@@ -43,8 +43,4 @@ defmodule Sobelow.Vuln.Coherence do
       end
     end
   end
-
-  def details do
-    Sobelow.Vuln.details()
-  end
 end

lib/sobelow/vuln/cookie_rce.ex

@@ -40,8 +40,4 @@ defmodule Sobelow.Vuln.CookieRCE do
       end
     end
   end
-
-  def details do
-    Sobelow.Vuln.details()
-  end
 end

lib/sobelow/vuln/ecto.ex

@@ -43,8 +43,4 @@ defmodule Sobelow.Vuln.Ecto do
       end
     end
   end
-
-  def details do
-    Sobelow.Vuln.details()
-  end
 end

lib/sobelow/vuln/header_inject.ex

@@ -46,8 +46,4 @@ defmodule Sobelow.Vuln.HeaderInject do
       end
     end
   end
-
-  def details do
-    Sobelow.Vuln.details()
-  end
 end

lib/sobelow/vuln/plug_null.ex

@@ -40,8 +40,4 @@ defmodule Sobelow.Vuln.PlugNull do
       end
     end
   end
-
-  def details do
-    Sobelow.Vuln.details()
-  end
 end

lib/sobelow/vuln/redirect.ex

@@ -40,8 +40,4 @@ defmodule Sobelow.Vuln.Redirect do
       end
     end
   end
-
-  def details do
-    Sobelow.Vuln.details()
-  end
 end

lib/sobelow/xss.ex

@@ -10,7 +10,16 @@ defmodule Sobelow.XSS do
   Read more about XSS here:
   https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
 
-  XSS checks can be ignored with the following command:
+  If you wish to learn more about the specific vulnerabilities
+  found within the Cross-Site Scripting category, you may run the
+  following commands to find out more:
+
+            $ mix sobelow -d XSS.SendResp
+            $ mix sobelow -d XSS.ContentType
+            $ mix sobelow -d XSS.Raw
+            $ mix sobelow -d XSS.HTML
+
+  XSS checks of all types can be ignored with the following command:
 
       $ mix sobelow -i XSS
   """

lib/sobelow/xss/html.ex

@@ -25,8 +25,4 @@ defmodule Sobelow.XSS.HTML do
   def parse_def(fun) do
     Parse.get_fun_vars_and_meta(fun, 1, :html, :Controller)
   end
-
-  def details do
-    Sobelow.XSS.details()
-  end
 end

lib/sobelow/xss/raw.ex

@@ -111,10 +111,6 @@ defmodule Sobelow.XSS.Raw do
     Parse.get_fun_vars_and_meta(fun, 0, :raw, :HTML)
   end
 
-  def details do
-    Sobelow.XSS.details()
-  end
-
   defp add_finding(t_name, line_no, filename, fun_name, fun, var, severity, finding) do
     finding =
       %Finding{

lib/sobelow/xss/send_resp.ex

@@ -26,10 +26,6 @@ defmodule Sobelow.XSS.SendResp do
     Parse.get_fun_vars_and_meta(fun, 2, :send_resp, :Conn)
   end
 
-  def details do
-    Sobelow.XSS.details()
-  end
-
   @doc false
   def get_content_type({:put_resp_content_type, _, opts}), do: hd(opts)
   def get_content_type({{_, _, [_, :put_resp_content_type]}, _, opts}), do: hd(opts)