Skip to content

Adding slack workflow#585

Merged
michaelcfanning merged 6 commits into
mainfrom
users/ednakamu/addinig-slack-workflow
Dec 8, 2021
Merged

Adding slack workflow#585
michaelcfanning merged 6 commits into
mainfrom
users/ednakamu/addinig-slack-workflow

Conversation

@eddynaka

@eddynaka eddynaka commented Nov 29, 2021
edited
Loading

Copy link
Copy Markdown
Collaborator

Changes

image

For significant contributions please make sure you have completed the following items:

  • ReleaseHistory.md updated for non-trivial changes
  • Added unit tests

@eddynaka eddynaka marked this pull request as ready for review November 30, 2021 22:31
michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Comment thread Src/Plugins/Security/SEC101.SecurePlaintextSecrets.json Outdated
},
{
"Id": "SEC101/048",
"Name": "DoNotExposePlaintextSecrets/SlackWorkflow",

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SlackWorkflow

usually a rule name has Credentials, Token or something like that as a suffix, why don't we have one here?

btw - aren't we supposed to rename all 'ApiKey' rules to 'Token'? didn't we do that rename exercise elsewhere? #Closed

@eddynaka eddynaka Dec 8, 2021

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Credentials = id + password, for example.
Token/ApiKey = you use that to authenticate.
For others, such as workflows/webhooks, we don't have a specific pattern.

Now, should we change all to 'Token', when we discussed about this, we were relying on the term used by the secret.

For example, we found a Nuget api key and not a nuget token.

@michaelcfanning michaelcfanning Dec 8, 2021

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we actually converged on 'Key' elsewhere unless there was a better term.

In any case, what name do we want here? SlackWorkflowKey?

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Comment thread Src/Plugins/Security/SEC101_048.SlackWorkflowValidator.cs Outdated

case HttpStatusCode.NotFound:
{
message = "The specified Slack webhook could not be found.";

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

webhook

webhook? isn't that another rule? #Closed

@eddynaka eddynaka Dec 8, 2021

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, forgot to update.
will do once u finish this review!

thanks!

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Comment thread Src/Plugins/Tests.Security/Validators/SEC101_005.SlackTokenValidatorTests.cs Outdated
namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security.Validators
{
/// <summary>
/// Testing SEC101/005.SlackTokenValidator

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SlackTokenValidator

The name of this rule is wrong, it should be SlackApiToken. When you fix this, be sure to indicate the deprecated rule name. #Closed

@michaelcfanning michaelcfanning Dec 8, 2021

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I think SlackApiKey is actually the right rule name.

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Comment thread Src/Plugins/Security/SEC101_048.SlackWorkflowValidator.cs Outdated

namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security
{
public class SlackWorkflowValidator : DynamicValidatorBase

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SlackWorkflowValidator

I think SlackWorkflowToken is the right name of this rule. #Closed

@michaelcfanning michaelcfanning Dec 8, 2021

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, SlackWorkflowKey looks right.

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Comment thread Src/Plugins/Tests.Security/Validators/SEC101_020.DropboxAccessTokenTokenValidatorTests.cs
namespace Microsoft.CodeAnalysis.Sarif.PatternMatcher.Plugins.Security.Validators
{
/// <summary>
/// Testing SEC101/020.DropboxAccessTokenValidator

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DropboxAccessTokenValidator

The name of this file is wrong, SEC101_020.DropboxAccessTokenTokenValidatorTests.cs, the word 'Token' is repeated.
#Closed

michaelcfanning
michaelcfanning reviewed Dec 8, 2021
View reviewed changes
Comment thread Src/Plugins/Tests.Security/Validators/SEC101_015.AkamaiCredentialsValidatorTests.cs
{
/// <summary>
/// Testing SEC101/026.AkamaiCredentialsValidatorTests
/// Testing SEC101/015.AkamaiCredentialsValidator

@michaelcfanning michaelcfanning Dec 8, 2021
edited by eddynaka
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AkamaiCredentialsValidator

Well done fixing all these comments up, Ed!! #Closed

@eddynaka eddynaka Dec 8, 2021

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!
i'm following ur guidance to make everything in the same format, it will facilitate in the future :)

michaelcfanning
michaelcfanning requested changes Dec 8, 2021
View reviewed changes

@michaelcfanning michaelcfanning left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🕐

michaelcfanning
michaelcfanning approved these changes Dec 8, 2021
View reviewed changes

@michaelcfanning michaelcfanning left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@michaelcfanning michaelcfanning enabled auto-merge (squash) December 8, 2021 22:33
@michaelcfanning michaelcfanning merged commit bbeae03 into main Dec 8, 2021
@eddynaka eddynaka deleted the users/ednakamu/addinig-slack-workflow branch March 8, 2022 00:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelcfanning michaelcfanning michaelcfanning approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eddynaka @michaelcfanning