Merge pull request #6472 from snyk/fix/cli-1308_dotSnykExcludeRules

fix: apply ignores correctly for .snyk excludes

Author: PeterSchafer

cliv2/go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/snyk/cli-extension-secrets v0.0.0-20260119125200-a69877b835d2
 	github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7
 	github.com/snyk/error-catalog-golang-public v0.0.0-20260108110943-21ad0c940c14
-	github.com/snyk/go-application-framework v0.0.0-20260126103810-195f34e2e0a2
+	github.com/snyk/go-application-framework v0.0.0-20260128131202-72ae858e7d08
 	github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65
 	github.com/snyk/snyk-iac-capture v0.6.5
 	github.com/snyk/snyk-ls v0.0.0-20260128094006-1a31e5aa396e

cliv2/go.sum

@@ -555,8 +555,8 @@ github.com/snyk/dep-graph/go v0.0.0-20251219134535-fcb262dc6d25 h1:dwJ4Kdp4c5aaW
 github.com/snyk/dep-graph/go v0.0.0-20251219134535-fcb262dc6d25/go.mod h1:hTr91da/4ze2nk9q6ZW1BmfM2Z8rLUZSEZ3kK+6WGpc=
 github.com/snyk/error-catalog-golang-public v0.0.0-20260108110943-21ad0c940c14 h1:R74dgtKtcrIOG/349YDV8arH7D09pob3lAcJc290FqI=
 github.com/snyk/error-catalog-golang-public v0.0.0-20260108110943-21ad0c940c14/go.mod h1:Ytttq7Pw4vOCu9NtRQaOeDU2dhBYUyNBe6kX4+nIIQ4=
-github.com/snyk/go-application-framework v0.0.0-20260126103810-195f34e2e0a2 h1:GPPfUrc/qgRqqkd+4FSbD+OYXVwrb9JG8vMjgN0Kmjw=
-github.com/snyk/go-application-framework v0.0.0-20260126103810-195f34e2e0a2/go.mod h1:LPR080GrK2jqNN9/hgVwKkXTVS3BlvwqmTN60lX5wdA=
+github.com/snyk/go-application-framework v0.0.0-20260128131202-72ae858e7d08 h1:spA/w4h6q+UJq054xF3rhaqIeF8UYuHPjiLGezViAYU=
+github.com/snyk/go-application-framework v0.0.0-20260128131202-72ae858e7d08/go.mod h1:LPR080GrK2jqNN9/hgVwKkXTVS3BlvwqmTN60lX5wdA=
 github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65 h1:CEQuYv0Go6MEyRCD3YjLYM2u3Oxkx8GpCpFBd4rUTUk=
 github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65/go.mod h1:88KbbvGYlmLgee4OcQ19yr0bNpXpOr2kciOthaSzCAg=
 github.com/snyk/policy-engine v1.1.2 h1:BYWigTxPjiQer4m2jYhO623KmGdmmzA3S60k9AJPT+Q=

test/fixtures/sast/shallow_sast_webgoat_with_dotSnyk/Assignment5.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.challenges.challenge5;
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.challenges.Flag;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.sql.DataSource;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+
+@RestController
+@Slf4j
+public class Assignment5 extends AssignmentEndpoint {
+
+    private final DataSource dataSource;
+
+    public Assignment5(DataSource dataSource) {
+        this.dataSource = dataSource;
+    }
+
+    @PostMapping("/challenge/5")
+    @ResponseBody
+    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
+        if (!StringUtils.hasText(username_login) || !StringUtils.hasText(password_login)) {
+            return failed(this).feedback("required4").build();
+        }
+        if (!"Larry".equals(username_login)) {
+            return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
+        }
+        try (var connection = dataSource.getConnection()) {
+            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
+            ResultSet resultSet = statement.executeQuery();
+
+            if (resultSet.next()) {
+                return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
+            } else {
+                return failed(this).feedback("challenge.close").build();
+            }
+        }
+    }
+}
+

test/fixtures/sast/shallow_sast_webgoat_with_dotSnyk/DeserializeTest.java

@@ -0,0 +1,93 @@
+package org.owasp.webgoat.deserialization;
+
+import static org.hamcrest.Matchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import org.dummy.insecure.framework.VulnerableTaskHolder;
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+@RunWith(MockitoJUnitRunner.class)
+public class DeserializeTest extends AssignmentEndpointTest {
+
+	private MockMvc mockMvc;
+	
+	private static String OS = System.getProperty("os.name").toLowerCase();
+	
+	@Before
+    public void setup() {
+        InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
+        init(insecureTask);
+        this.mockMvc = standaloneSetup(insecureTask).build();
+    }
+
+    @Test
+    public void success() throws Exception {
+    	if (OS.indexOf("win")>-1) {
+    		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                    .header("x-request-intercepted", "true")
+                    .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
+            		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+    	} else {
+    		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                .header("x-request-intercepted", "true")
+                .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
+        		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+    	}
+    }
+    
+    @Test
+    public void fail() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                .header("x-request-intercepted", "true")
+                .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
+        		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+    }
+    
+    @Test
+    public void wrongVersion() throws Exception {
+    	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                .header("x-request-intercepted", "true")
+                .param("token", token))
+        		.andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
+        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+    }
+    
+    @Test
+    public void expiredTask() throws Exception {
+    	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                .header("x-request-intercepted", "true")
+                .param("token", token))
+        		.andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
+        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+    }
+    
+
+    
+    @Test
+    public void checkOtherObject() throws Exception {
+    	String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
+    	mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                .header("x-request-intercepted", "true")
+                .param("token", token))
+        		.andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
+        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+    }
+    
+    
+
+}

test/fixtures/sast/shallow_sast_webgoat_with_dotSnyk/HashingAssignment.java

@@ -0,0 +1,111 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.crypto;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"crypto-hashing.hints.1","crypto-hashing.hints.2"})
+public class HashingAssignment extends AssignmentEndpoint {
+	
+	public static final String[] SECRETS = {"secret","admin","password", "123456", "passw0rd"};
+
+	@RequestMapping(path="/crypto/hashing/md5",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
+		
+		String md5Hash = (String) request.getSession().getAttribute("md5Hash");
+		if (md5Hash == null) {
+			
+			String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+	         
+		    MessageDigest md = MessageDigest.getInstance("MD5");
+		    md.update(secret.getBytes());
+		    byte[] digest = md.digest();
+		    md5Hash = DatatypeConverter
+		      .printHexBinary(digest).toUpperCase();
+			request.getSession().setAttribute("md5Hash", md5Hash);
+			request.getSession().setAttribute("md5Secret", secret);
+		}
+		return md5Hash;
+    }
+	
+	@RequestMapping(path="/crypto/hashing/sha256",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
+		
+		String sha256 = (String) request.getSession().getAttribute("sha256");
+		if (sha256 == null) {
+			String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+		    sha256 = getHash(secret, "SHA-256");
+			request.getSession().setAttribute("sha256Hash", sha256);
+			request.getSession().setAttribute("sha256Secret", secret);
+		}
+		return sha256;
+    }
+	
+    @PostMapping("/crypto/hashing")
+    @ResponseBody
+    public AttackResult completed(HttpServletRequest request, @RequestParam String answer_pwd1, @RequestParam String answer_pwd2) {
+        
+    	String md5Secret = (String) request.getSession().getAttribute("md5Secret");
+    	String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
+    	
+    	if (answer_pwd1!=null && answer_pwd2 !=null) {
+        	if (answer_pwd1.equals(md5Secret)
+        		&& answer_pwd2.equals(sha256Secret)) {
+        		return success(this)
+        				.feedback("crypto-hashing.success")
+        				.build();
+        	} else if (answer_pwd1.equals(md5Secret)
+            		|| answer_pwd2.equals(sha256Secret)) {
+        		return failed(this).feedback("crypto-hashing.oneok").build();
+        	} 
+        } 
+        return failed(this).feedback("crypto-hashing.empty").build(); 
+    }
+    
+    public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
+    	MessageDigest md = MessageDigest.getInstance(algorithm);
+	    md.update(secret.getBytes());
+	    byte[] digest = md.digest();
+	    return DatatypeConverter
+	      .printHexBinary(digest).toUpperCase();
+    }
+    
+}

test/fixtures/sast/shallow_sast_webgoat_with_dotSnyk/IDORLogin.java

@@ -0,0 +1,75 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.idor;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@RestController
+@AssignmentHints({"idor.hints.idor_login"})
+public class IDORLogin extends AssignmentEndpoint {
+
+    private Map<String, Map<String, String>> idorUserInfo = new HashMap<>();
+
+    public void initIDORInfo() {
+
+        idorUserInfo.put("tom", new HashMap<String, String>());
+        idorUserInfo.get("tom").put("password", "cat");
+        idorUserInfo.get("tom").put("id", "2342384");
+        idorUserInfo.get("tom").put("color", "yellow");
+        idorUserInfo.get("tom").put("size", "small");
+
+        idorUserInfo.put("bill", new HashMap<String, String>());
+        idorUserInfo.get("bill").put("password", "buffalo");
+        idorUserInfo.get("bill").put("id", "2342388");
+        idorUserInfo.get("bill").put("color", "brown");
+        idorUserInfo.get("bill").put("size", "large");
+
+    }
+
+    @PostMapping("/IDOR/login")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+        initIDORInfo();
+        UserSessionData userSessionData = getUserSessionData();
+
+        if (idorUserInfo.containsKey(username)) {
+            if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
+                userSessionData.setValue("idor-authenticated-as", username);
+                userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
+                return success(this).feedback("idor.login.success").feedbackArgs(username).build();
+            } else {
+                return failed(this).feedback("idor.login.failure").build();
+            }
+        } else {
+            return failed(this).feedback("idor.login.failure").build();
+        }
+    }
+}