
Possibility to create rules for "absence of code"

Open htrgouvea opened this issue 7 months ago • 10 comments

Currently ZARN works by searching for the presence of functions that are dangerous or may present risks and trying to infer whether they are "reachable" through user input. But there are some categories of vulnerabilities/risks that occur through the absence of code (or a combination of both factors), for example: #14

It would be interesting to have an implementation of this feature.

htrgouvea avatar Nov 10 '23 00:11 htrgouvea

Example:

  - id: '0005'
    category: warn
    name: "Lorem Ipsum"
    message: "Lorem Ipsum"
    type: presence
    sample:
      - md5
  - id: '0006'
    category: warn
    name: "Other rule"
    message: "Other message"
    type: absence
    sample:
      - strict
      - warnings

For rules with type "presence" the current behavior remains the same. For the "absence" rules, the search will be carried out for the absence of the item.

htrgouvea avatar Nov 10 '23 10:11 htrgouvea
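
The presence/absence semantics proposed in the comment above, as an added example that is not part of the original thread and not ZARN's own code. It assumes the two rules are embedded as a Perl structure instead of being loaded from the YAML file, uses plain word matching rather than any AST or reachability analysis, and the helper names `strip_noncode` and `evaluate` are hypothetical.

```perl
#!/usr/bin/env perl
# Added example: presence/absence rule evaluation by plain word matching.
use strict;
use warnings;

# The two rules from the comment above, as a Perl structure (constructed).
my @rules = (
    { id => '0005', type => 'presence', sample => ['md5'] },
    { id => '0006', type => 'absence',  sample => ['strict', 'warnings'] },
);

# Remove POD blocks and full-line comments, so a pragma that is only
# mentioned in documentation does not satisfy an absence rule.
sub strip_noncode {
    my ($source) = @_;
    $source =~ s/^=[a-zA-Z].*?(?:^=cut\b[^\n]*\n|\z)//msg;
    $source =~ s/^\s*#.*$//mg;
    return $source;
}

# Hypothetical helper: returns one finding per sample item that triggers.
sub evaluate {
    my ($source, @rules) = @_;
    my $code = strip_noncode($source);
    my @findings;
    for my $rule (@rules) {
        for my $item (@{ $rule->{sample} }) {
            my $found = $code =~ /\b\Q$item\E\b/ ? 1 : 0;
            # presence: report when the item is found.
            # absence: report when the item is NOT found anywhere in the file.
            my $hit = $rule->{type} eq 'absence' ? !$found : $found;
            push @findings, "$rule->{id} ($rule->{type}): $item" if $hit;
        }
    }
    return @findings;
}

# Constructed sample input: "use warnings" appears only inside a comment.
my $sample = <<'PERL';
# use warnings;
use strict;
use Digest::MD5 qw(md5);
print md5($ARGV[0]), "\n";
PERL

print "$_\n" for evaluate($sample, @rules);
```

An absence rule is a per-file property, so it yields at most one finding per sample item. Trailing comments and string literals are not stripped here, so an item that appears only there would still count as present.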

@htrgouvea, I would like to do this upgrade, can you assign it to me?

andersonbosa avatar Nov 10 '23 13:11 andersonbosa

Hi @andersonbosa, of course! This task is with you for up to 5 days; if there is no update during this period I will remove it, but in case of updates I will keep it. Thanks!

htrgouvea avatar Nov 10 '23 13:11 htrgouvea

Hi @andersonbosa! It's been 4 days since the assignment to you; we're close to the limit and I haven't had any updates yet. If you update me on something, I can increase this deadline.

htrgouvea avatar Nov 14 '23 16:11 htrgouvea

Hi @andersonbosa, I saw that you made an update after my comment. However, the content of the update does not match the issue. Let me know if you're still interested in resolving this point. Thanks.

htrgouvea avatar Nov 16 '23 13:11 htrgouvea

Due to the lack of response, I am allowing the possibility of someone else being responsible for the issue.

htrgouvea avatar Nov 17 '23 10:11 htrgouvea

Hey @htrgouvea, can I get this task assigned to me?

giovannism20 avatar Nov 21 '23 13:11 giovannism20

Of course @giovannism20!

htrgouvea avatar Nov 21 '23 14:11 htrgouvea

Hey guys,

Sorry for my delay here. I had some personal issues and was away for a few days... @htrgouvea I'm sorry I left you in the dark about this :pray:

andersonbosa avatar Nov 29 '23 11:11 andersonbosa

Thanks @andersonbosa

htrgouvea avatar Dec 01 '23 13:12 htrgouvea