Detecting matches in build files (like pom.xml) only works if the tag contains Metadata

Is your feature request related to a problem? Please describe.
We are trying to create a custom rule that detects dependencies of our libraries in pom.xml or package.json. The rule looks like:
```json
{
  "name": "Our Framework: Java",
  "id": "OU000000",
  "description": "Our Framework: Java",
  "applies_to": [ "pom.xml" ],
  "tags": [ "Our.Framework.Java" ],
  "severity": "moderate",
  "patterns": [
    {
      "pattern": "our-framework",
      "type": "string",
      "scopes": [ "all" ],
      "modifiers": [ "i" ],
      "confidence": "high"
    }
  ]
}
```
But this rule never matches anything. I read in the documentation (https://github.com/microsoft/ApplicationInspector/wiki/3.5-Tags) that this rule will only work if the tag name contains Metadata. In fact, there are some built-in rules that will never match anything, like:
```json
{
  "name": "Development: Build Tool (Maven)",
  "id": "AI016800",
  "description": "Development: Build Tool (Maven)",
  "applies_to": [ "pom.xml" ],
  "tags": [ "Development.Build.Maven" ],
  "severity": "moderate",
  "patterns": [
    {
      "pattern": "Maven",
      "type": "regex",
      "scopes": [ "code", "comment" ],
      "modifiers": [ "i" ],
      "confidence": "high"
    }
  ]
}
```
in https://github.com/microsoft/ApplicationInspector/blob/main/AppInspector/rules/default/frameworks/build.json
Describe the solution you'd like

I think that if a rule explicitly applies to a build-type file (like pom.xml), it should match even if the Tag doesn't contain Metadata, maintaining the restriction for rules that apply to other languages.
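To make the reported behaviour and the proposed change concrete, here is an added Python model of the rule gate, written for this page and not taken from ApplicationInspector's code. It assumes a simplified evaluation (applies_to check, the documented "tag must contain Metadata in build files" gate, then pattern matching with scopes ignored); `META_RULE`, `BUILD_FILES` and the sample pom.xml are constructed for the example.

```python
import re

# Rules quoted from the issue (the custom rule and the built-in Maven rule).
OUR_RULE = {"id": "OU000000", "applies_to": ["pom.xml"], "tags": ["Our.Framework.Java"],
            "patterns": [{"pattern": "our-framework", "type": "string", "modifiers": ["i"]}]}
MAVEN_RULE = {"id": "AI016800", "applies_to": ["pom.xml"], "tags": ["Development.Build.Maven"],
              "patterns": [{"pattern": "Maven", "type": "regex", "modifiers": ["i"]}]}
# Hypothetical rule whose tag contains "Metadata", as the wiki says is required.
META_RULE = {"id": "XX000000", "applies_to": ["pom.xml"], "tags": ["Metadata.Dependency.OurFramework"],
             "patterns": [{"pattern": "our-framework", "type": "string", "modifiers": ["i"]}]}

# Constructed sample pom.xml; not taken from the issue.
SAMPLE_POM = """<!-- built with Maven -->
<project>
  <dependency><artifactId>our-framework-core</artifactId></dependency>
</project>"""

BUILD_FILES = {"pom.xml", "package.json"}  # assumed set of build-type files


def pattern_hits(rule, text):
    """True if any pattern matches: 'string' patterns are literal, 'regex' raw.
    Scopes (code/comment/all) are ignored in this simplified model."""
    for p in rule["patterns"]:
        flags = re.IGNORECASE if "i" in p.get("modifiers", []) else 0
        pat = re.escape(p["pattern"]) if p["type"] == "string" else p["pattern"]
        if re.search(pat, text, flags):
            return True
    return False


def tag_allowed(rule, filename, build_file_exception):
    """Model of the documented gate: in build files only tags containing
    'Metadata' may match. With build_file_exception=True, also allow rules
    that explicitly list the build file in applies_to (the issue's proposal)."""
    if filename not in BUILD_FILES:
        return True
    if any("Metadata" in t for t in rule["tags"]):
        return True
    return build_file_exception and filename in rule["applies_to"]


def evaluate(rule, filename, text, build_file_exception=False):
    """Return True if the rule would report a match on this file."""
    return (filename in rule["applies_to"]
            and tag_allowed(rule, filename, build_file_exception)
            and pattern_hits(rule, text))


if __name__ == "__main__":
    for rule in (OUR_RULE, MAVEN_RULE, META_RULE):
        print(rule["id"], evaluate(rule, "pom.xml", SAMPLE_POM),
              evaluate(rule, "pom.xml", SAMPLE_POM, build_file_exception=True))
```

Under the documented gate both OU000000 and AI016800 are silent on the sample pom.xml even though their patterns occur in it; with the proposed exception both report a match, while the Metadata-tagged rule matches either way.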
Top GitHub Comments
It works. Thanks a lot @gfs!
Please try the new build with the `-A` argument to see if this resolves your issues.