Merge pull request #233 from Privado-Inc/dev

Javascript rule enhancement 1 (#232)

config/exclusions/javascript.yaml

@@ -0,0 +1,20 @@
+exclusions:
+  - id: Exclusions.Test
+    name: Exclude test source code
+    patterns:
+      - "(.*/(test|spec)(s)?.*)|/Test[A-Z]|Test[.]"
+
+  - id: Exclusions.JavaScript.Packages
+    name: Exclude External JavaScript Packages
+    patterns:
+      - "(node_modules)/.*"
+
+  - id: Exclusions.JavaScript.MinifiedFiles
+    name: Exclude External JavaScript MinifiedFiles
+    patterns:
+      - ".*[.]min[.]js"
+
+  - id: Exclusions.Empty
+    name: Exclude file which cannot be read
+    patterns:
+      - "<empty>|<unknownFullName>"

config/sinkSkipList/javascript.yaml

@@ -0,0 +1,16 @@
+sinkSkipList:
+  - id: SinkSkipList.ThirdParties
+    name: Skip Third Party Sinks
+    patterns:
+      - "(HTMLAnchorElement|HTMLIFrameElement|HTMLElement).*"
+      - "<operator>\\..*"
+      - "JSON\\..*"
+      - "Date.*"
+      - "this.*"
+      - "__Runtime\\..*"
+      - "(?i)(Window|__ecma\\.|Document).*"
+
+  - id: SinkSkipList.BuiltInLib
+    name: Skip built in language libraries
+    patterns:
+      - "(?i)(bunyan|winston|moment|axios|gulp-|webpack-).*"

rules/sinks/leakages/logs/javascript.yaml

@@ -1,13 +1,37 @@
 sinks:
 
+  - id: Leakages.Log.Error
+    name: Log Error
+    patterns:
+      - "(?i).*(?:console|logger|bunyan|winston|log4js|pino).*(?:error|severe|fatal)|process.stderr.*write"
+    tags:
+
+  - id: Leakages.Log.Warn
+    name: Log Warn
+    patterns:
+      - "(?i).*(?:console|logger|bunyan|winston|log4js|pino).*(warn|warning)"
+    tags:
+
+  - id: Leakages.Log.Debug
+    name: Log Debug
+    patterns:
+      - "(?i).*(?:console|logger|bunyan|winston|log4js|pino).*(debug|trace)|.*debuglog.*"
+    tags:
+
+  - id: Leakages.Log.Info
+    name: Log Info
+    patterns:
+      - "(?i).*(?:console|logger|bunyan|winston|log4js|pino).*(info)"
+    tags:
+
   - id: Leakages.Log.Console
     name: Log Console
     patterns:
-      - "console.(?:log|error|info|warn|debug)"
+      - "(?i).*(?:console|logger|bunyan|winston|log4js|pino).*(log)|process.stdout.*write"
     tags:
 
-  - id: Leakages.Log.Log4js
-    name: Log4js
+  - id: Leakages.Log.Exception
+    name: Log Exception
     patterns:
-      - "log4js.(?:error|info|warn|debug)"
-    tags:    
+      - "(?i).*(?:logger|bunyan|winston|log4js|pino).*(exception)"
+    tags:

rules/sinks/third_parties/sdk/abtasty/javascript.yaml

@@ -9,5 +9,5 @@ sinks:
     domains:
       - "abtasty.com"
     patterns:
-      - "@abtasty\\/countdown|@abtasty\\/google-form-modal|@abtasty\\/scratchcard|@abtasty\\/popin-image|@abtasty\\/scroll-tracking|@abtasty\\/snowflakes|@abtasty\\/tooltip|@abtasty\\/promotional-banner|@flagship.io\\/react-sdk|@flagship.io\\/js-sdk|vue-abtasty|@abtasty\\/widget-utils|@abtasty\\/pulsar-common-ui|@abtasty\\/widget-form-generator|@abtasty-innovation\\/module-injector|@abtasty\\/editor-ui|@abtasty-innovation\\/module-wrapper|@abtasty\\/editor-translations|@abtasty\\/nps|@abtasty\\/social-proof|@abtasty\\/banner|@abtasty\\/element-visibility|@abtasty\\/modal|@abtasty\\/time-spent-on-page|@abtasty\\/sharing-sidebar|@abtasty\\/search-and-replace|@abtasty\\/before-after-image|@abtasty\\/popin-simple|@abtasty\\/christmas-hat|@abtasty\\/progress-bar|@abtasty\\/olark|@abtasty\\/celebrate|@abtasty\\/interstitiel|@abtasty\\/popin-video|@abtasty\\/stick-on-scroll|@abtasty\\/product-image-optimization|@abtasty-innovation\\/abtasty-api|@abtasty\\/widget-quality|@abtasty\\/socialproof|@abtasty\\/weather|@abtasty\\/zopim|@abtasty-innovation\\/cb-tag|@abtasty\\/cognitivediscountmaker|@abtasty\\/antvoice|@abtasty\\/polyfill|@abtasty\\/legal-information-banner|@abtasty-innovation\\/marketside-engine|@abtasty\\/widget-example-alpaca"
+      - "@abtasty\\/countdown|@abtasty\\/scratchcard|@abtasty\\/popin-image|@abtasty\\/scroll-tracking|@abtasty\\/snowflakes|@abtasty\\/tooltip|@abtasty\\/promotional-banner|@flagship.io\\/react-sdk|@flagship.io\\/js-sdk|vue-abtasty|@abtasty\\/widget-utils|@abtasty\\/pulsar-common-ui|@abtasty\\/widget-form-generator|@abtasty-innovation\\/module-injector|@abtasty\\/editor-ui|@abtasty-innovation\\/module-wrapper|@abtasty\\/editor-translations|@abtasty\\/nps|@abtasty\\/social-proof|@abtasty\\/banner|@abtasty\\/element-visibility|@abtasty\\/modal|@abtasty\\/time-spent-on-page|@abtasty\\/sharing-sidebar|@abtasty\\/search-and-replace|@abtasty\\/before-after-image|@abtasty\\/popin-simple|@abtasty\\/christmas-hat|@abtasty\\/progress-bar|@abtasty\\/olark|@abtasty\\/celebrate|@abtasty\\/interstitiel|@abtasty\\/popin-video|@abtasty\\/stick-on-scroll|@abtasty\\/product-image-optimization|@abtasty-innovation\\/abtasty-api|@abtasty\\/widget-quality|@abtasty\\/socialproof|@abtasty\\/weather|@abtasty\\/zopim|@abtasty-innovation\\/cb-tag|@abtasty\\/cognitivediscountmaker|@abtasty\\/antvoice|@abtasty\\/polyfill|@abtasty\\/legal-information-banner|@abtasty-innovation\\/marketside-engine|@abtasty\\/widget-example-alpaca"
     tags:

rules/sinks/third_parties/sdk/acumatica/javascript.yaml

@@ -9,5 +9,5 @@ sinks:
     domains:
       - "acumatica.com"
     patterns:
-      - "@acumatica\\/jiraapi"
+      - "acumsrc"
     tags:

rules/sinks/third_parties/sdk/amplitude/javascript.yaml

@@ -9,5 +9,5 @@ sinks:
     domains:
       - "amplitude.com"
     patterns:
-      - "amplitude-js|react-amplitude-hooks|amplitude|amplitude-viewer|read-audio|react-native-amplitude-analytics|@analytics\\/amplitude|@itly\\/plugin-amplitude-node|vue-amplitude|@segment\\/analytics.js-integration-amplitude|gatsby-plugin-amplitude-analytics|@amplitude\\/react-amplitude|vue-amplitude-js|react-amplitude|gatsby-plugin-amplitude|@mntm\\/stats|@uptechworks\\/analytics-service-angular|@suttj\\/amplitude-js|@csod-oss\\/tracker-vendor-amplitude|node-amplitude|@rudderstack\\/rudder-integration-amplitude-react-native|@shawacademynpm\\/gatsby-plugin-amplitude-analytics|djipav|react-native-amplitude-sdk|@jtran\\/amplitude-js|@exiasr\\/gatsby-plugin-amplitude-analytics|amplitude-vue|@quintoandar\\/storybook-amplitude|@amplitude\\/analytics-connector"
+      - "@amplitude/analytics-browser|react-amplitude-hooks|amplitude|read-audio|react-native-amplitude-analytics|@analytics\\/amplitude|@itly\\/plugin-amplitude-node|vue-amplitude|@segment\\/analytics.js-integration-amplitude|gatsby-plugin-amplitude-analytics|@amplitude\\/react-amplitude|vue-amplitude-js|react-amplitude|gatsby-plugin-amplitude|@mntm\\/stats|@uptechworks\\/analytics-service-angular|@suttj\\/amplitude-js|@csod-oss\\/tracker-vendor-amplitude|node-amplitude|@rudderstack\\/rudder-integration-amplitude-react-native|@shawacademynpm\\/gatsby-plugin-amplitude-analytics|djipav|react-native-amplitude-sdk|@jtran\\/amplitude-js|@exiasr\\/gatsby-plugin-amplitude-analytics|amplitude-vue|@quintoandar\\/storybook-amplitude|@amplitude\\/analytics-connector"
     tags:

rules/sinks/third_parties/sdk/apple/javascript.yaml

@@ -9,5 +9,5 @@ sinks:
     domains:
       - "apple.com"
     patterns:
-      - "node-apple-receipt-verify"
+      - "node-apple-receipt-verify|app-store-validator"
     tags:

rules/sinks/third_parties/sdk/atlassian/javascript.yaml

@@ -19,3 +19,23 @@ sinks:
     patterns:
       - "@atlassian\\/johnson"
     tags:
+
+  - id: ThirdParties.SDK.Atlassian.Jira
+    name: Atlassian Jira
+    domains:
+      - "atlassian.com/software/jira"
+    patterns:
+      - "jira.js|create-jira-release-notes|jira-activity|jira-term|@cn-shell\\/jira|jira-linkify|jira-wrapper|jira-track|jirascope|jira-miner"
+      - "@acumatica\\/jiraapi|@itentialopensource\\/adapter-jira|cz-jira-smart-commit-clone"
+      - "@roadiehq\\/backstage-plugin-jira|@devx\\/plugin-jira-backend|coc-jira-complete|alfred-jira-search"
+      - "hubot-jira|hubot-jira-connector|hubot-jira-issue-helper|hubot-jira-lotto"
+      - "(huyhq-|@vmo11\\/)cz-jira-smart-commit"
+    tags:
+
+  - id: ThirdParties.SDK.Atlassian.BitbucketServer
+    name: Atlassian Bitbucket Server
+    domains:
+      - "bitbucket.org"
+    patterns:
+      - "bitbucket|netlify-cms-backend-bitbucket"
+    tags: