Addtional js owasp rules and ignore files #3
Conversation
…rules Added proper descriptions and file glob patterns for Drupal, Python, and JavaScript OWASP Top 10 security rules. Updated all ten JavaScript OWASP security rule files with standardised metadata and proper glob patterns. Standardised metadata format by removing duplicate description fields and ensuring consistent structure across all rule files.
…rules Added proper descriptions and file glob patterns for Drupal, Python, and JavaScript OWASP Top 10 security rules. Updated all ten JavaScript OWASP security rule files with standardised metadata and proper glob patterns. Standardised metadata format by removing duplicate description fields and ensuring consistent structure across all rule files.
…rules Added proper descriptions and file glob patterns for Drupal, Python, and JavaScript OWASP Top 10 security rules. Updated all ten JavaScript OWASP security rule files with standardised metadata and proper glob patterns. Standardised metadata format by removing duplicate description fields and ensuring consistent structure across all rule files.
…alauorg/cursorrules into feat/addtional-js-owasp-rules
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @kurtfoster, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
This pull request focuses on enhancing the security of Cursor rules by adding new JavaScript OWASP rules and updating existing rule descriptions and file glob patterns. It also includes updates to .cursorignore files. The changes aim to improve the detection and prevention of common web application vulnerabilities, particularly those related to JavaScript applications.
Highlights
- Added JavaScript OWASP Rules: Ten new JavaScript OWASP rules have been added, covering areas such as broken access control, cryptographic failures, and injection vulnerabilities. These rules include standardised metadata and proper glob patterns for JavaScript files.
- Updated Drupal OWASP Rule Descriptions and Globs: Descriptions and file glob patterns for Drupal OWASP security rules have been updated to provide more accurate and comprehensive coverage. This includes specifying file types like
.php,.install,.module, etc. - Standardized Metadata Format: The metadata format across all JavaScript OWASP rule files has been standardized by removing duplicate description fields and ensuring a consistent structure.
- Updated .cursorignore Files: The
.cursorignorefile has been updated to include additional files and directories that should be excluded from analysis, such asnode_modules,vendor, and other build-related directories.
Changelog
Click here to see the changelog
- .cursor/rules/cursor-rules.mdc
- Removed redundant description and globs entries.
- Updated globs to
*.mdc.
- .cursor/rules/drupal-authentication-failures.mdc
- Updated description to include OWASP Top 10:2021-A07 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-broken-access-control.mdc
- Updated description to include OWASP Top 10:2021-A01 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-cryptographic-failures.mdc
- Updated description to include OWASP Top 10:2021-A02 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-injection.mdc
- Updated description to include OWASP Top 10:2021-A03 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-insecure-design.mdc
- Updated description to include OWASP Top 10:2021-A04 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-integrity-failures.mdc
- Updated description to include OWASP Top 10:2021-A08 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-logging-failures.mdc
- Updated description to include OWASP Top 10:2021-A09 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-security-misconfiguration.mdc
- Updated description to include OWASP Top 10:2021-A05 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/drupal-ssrf.mdc
- Added description to include OWASP Top 10:2021-A10 reference.
- Updated globs to include common Drupal file extensions.
- Added a new pattern to detect SSRF vulnerabilities related to file system wrappers.
- Added metadata including priority, version, tags, and references.
- .cursor/rules/drupal-vulnerable-components.mdc
- Updated description to include OWASP Top 10:2021-A06 reference.
- Updated globs to include common Drupal file extensions.
- .cursor/rules/git-commit-standards.mdc
- Removed redundant description and globs entries.
- Updated metadata including priority and version.
- .cursor/rules/govcms-saas.mdc
- Removed redundant description and globs entries.
- .cursor/rules/improve-cursorrules-efficiency.mdc
- Removed redundant description and globs entries.
- Updated metadata including priority and version.
- .cursor/rules/javascript-broken-access-control.mdc
- Added new rule to detect and prevent broken access control patterns in JavaScript applications.
- .cursor/rules/javascript-cryptographic-failures.mdc
- Added new rule to detect and prevent cryptographic failures in JavaScript applications.
- .cursor/rules/javascript-identification-authentication-failures.mdc
- Added new rule to detect and prevent identification and authentication failures in JavaScript applications.
- .cursor/rules/javascript-injection.mdc
- Added new rule to detect and prevent injection vulnerabilities in JavaScript applications.
- .cursor/rules/javascript-insecure-design.mdc
- Added new rule to detect and prevent insecure design patterns in JavaScript applications.
- .cursor/rules/javascript-performance.mdc
- Updated description and globs for JavaScript performance optimization rules.
- .cursor/rules/javascript-security-logging-monitoring-failures.mdc
- Added new rule to detect and prevent security logging and monitoring failures in JavaScript applications.
- .cursor/rules/javascript-security-misconfiguration.mdc
- Added new rule to detect and prevent security misconfigurations in JavaScript applications.
- .cursor/rules/javascript-server-side-request-forgery.mdc
- Added new rule to detect and prevent Server-Side Request Forgery (SSRF) vulnerabilities in JavaScript applications.
- .cursor/rules/javascript-software-data-integrity-failures.mdc
- Added new rule to detect and prevent software and data integrity failures in JavaScript applications.
- .cursor/rules/javascript-vulnerable-components.mdc
- Added new rule to detect and prevent the use of vulnerable and outdated components in JavaScript applications.
- .cursor/rules/node-dependencies.mdc
- Updated description and globs for Node.js dependency management rules.
- .cursor/rules/python-authentication-failures.mdc
- Updated description and globs for Python authentication failures rules.
- .cursor/rules/python-broken-access-control.mdc
- Added description and globs for Python broken access control rules.
- .cursor/rules/python-cryptographic-failures.mdc
- Added description and globs for Python cryptographic failures rules.
- .cursor/rules/python-injection.mdc
- Updated description and globs for Python injection rules.
- .cursor/rules/python-insecure-design.mdc
- Updated description and globs for Python insecure design rules.
- .cursor/rules/python-integrity-failures.mdc
- Updated description and globs for Python integrity failures rules.
- .cursor/rules/python-logging-monitoring-failures.mdc
- Updated description and globs for Python logging and monitoring failures rules.
- .cursor/rules/python-security-misconfiguration.mdc
- Updated description and globs for Python security misconfiguration rules.
- .cursor/rules/python-ssrf.mdc
- Updated description and globs for Python SSRF rules.
- .cursor/rules/python-vulnerable-outdated-components.mdc
- Updated description and globs for Python vulnerable outdated components rules.
- .cursor/rules/tests-documentation-maintenance.mdc
- Removed redundant description and globs entries.
- .cursorignore
- Added a new
.cursorignorefile to exclude specified files and directories from analysis.
- Added a new
- .cursorindexingignore
- Added a new
.cursorindexingignorefile to exclude specified files and directories from indexing.
- Added a new
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
A patch of rules, a coding guide,
To keep our apps from the dark side.
With OWASP's might,
We'll code things right,
And keep our users safe inside.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
The pull request aims to update rule descriptions and glob patterns for OWASP security rules, particularly for Drupal, Python, and JavaScript. While the descriptions and glob patterns are updated, the JavaScript security rules lack actual implementations. The metadata format also needs standardization across all rule files. The addition of .cursorignore files is a good step towards improving performance and security by excluding irrelevant files from analysis.
Summary of Findings
- Incomplete Rule Updates: Several rule files were updated with descriptions and glob patterns, but the changes seem incomplete. Ensure all rule files are consistently updated with relevant information.
- Inconsistent Metadata: The metadata format across different rule files is not consistent. Standardize the metadata structure for better maintainability.
- Missing Security Rule Implementations: The JavaScript security rules added are comprehensive in their descriptions and patterns, but actual implementations to enforce these rules are missing. Ensure these rules are functional and not just descriptive.
Merge Readiness
The pull request requires changes before merging. The JavaScript security rules need to be fully implemented, and the metadata format should be standardized across all rule files. I am unable to approve this pull request, and I recommend that the pull request not be merged until these issues are addressed. Users should have others review and approve this code before merging.
|
@claude help to resolve git conflict |
|
Claude encountered an error —— View job I'll analyze this and get back to you. |
|
This is old and should be closed, I need to revisit the implementation when I get some time. |
Merge feat/addtional-js-owasp-rules branch resolving all conflicts: - Added 10 new JavaScript OWASP Top 10 security rules - Enhanced installer with tag-based filtering and JavaScript rule support - Standardized metadata format across all OWASP security rules - Added .cursorignore file installation capability - Updated README with comprehensive security rules documentation - Maintained version 1.0.4 while preserving all feature enhancements Files merged: - 10 OWASP security .mdc files with standardized metadata - install.php with JavaScript rules and enhanced functionality - README.md with complete security rules documentation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
|
I've resolved all the merge conflicts from this PR. The conflicts were caused by:
Resolution Summary✅ Merged all 10 new JavaScript OWASP security rules The resolved changes are available in the All valuable additions from this PR have been preserved while maintaining compatibility with the latest main branch changes. |
✅ Conflicts Resolved - Original PR Can Be ClosedI've created PR #5 with all the changes from this PR plus conflict resolution: #5 What's Included in PR #5:
Recommendation:This original PR (#3) can now be closed since all its valuable contributions have been incorporated into PR #5 with proper conflict resolution. The new PR is ready for review and merging without any conflicts. Thank you @kurtfoster for the excellent work on the JavaScript OWASP rules! 🎉 |
Merge feat/addtional-js-owasp-rules branch resolving all conflicts: - Added 10 new JavaScript OWASP Top 10 security rules - Enhanced installer with tag-based filtering and JavaScript rule support - Standardized metadata format across all OWASP security rules - Added .cursorignore file installation capability - Updated README with comprehensive security rules documentation - Maintained version 1.0.4 while preserving all feature enhancements Files merged: - 10 OWASP security .mdc files with standardized metadata - install.php with JavaScript rules and enhanced functionality - README.md with complete security rules documentation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2 participants
docs: updated rule descriptions and glob patterns for OWASP security rules
Added proper descriptions and file glob patterns for Drupal, Python, and JavaScript OWASP Top 10 security rules. Updated all ten JavaScript OWASP security rule files with standardised metadata and proper glob patterns. Standardised metadata format by removing duplicate description fields and ensuring consistent structure across all rule files.