diff --git a/docker-compose.yml b/docker-compose.yml
index bd12038..abd26fb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 - ./build/volumes/data:/data
 env_file:
 - ./.env
- command: ["python", "./runner.py", "--get_dependents", "--package_names", "org.springframework.security:spring-security-core", "--language", "java", "--package_manager", "Maven", "--root_data_dir=/data"]
+ command: ["python", "./runner.py", "--get_dependents", "--crawl_only", "--package_names", "fastapi", "bcrypt", "--language", "python", "--package_manager", "Pypi", "--root_data_dir=/data"]
 deploy:
 resources:
 limits:
@@ -29,7 +29,7 @@ services:
 - ./.env
 environment:
 - ZOEKT_URL=http://zoekt-webserver:6070/api/search
- command: ["python", "./runner.py", "--construct_queries", "--search_queries", "--pattern", "password_based_authentication", "--web_framework", "fastapi", "--language", "python", "--root_data_dir=/data"]
+ command: ["python", "./runner.py", "--construct_queries", "--search_queries", "--pattern", "verifiable_token_authentication", "--web_framework", "fastapi", "--language", "python", "--root_data_dir=/data"]
 depends_on:
 - zoekt-webserver
 deploy:
diff --git a/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/password_based_authentication.yaml b/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/password_based_authentication.yaml
index 391a2d6..1173ad3 100644
--- a/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/password_based_authentication.yaml
+++ b/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/password_based_authentication.yaml
@@ -41,12 +41,12 @@ roles:
 hasher:
 description: "Calculates the hash value for a given input"
 queries:
- - query: "CryptContext hash"
+ - query: "passlib CryptContext hash"
 description: "Files with password hashing implementations"
 - query: "pwd_context hash password "
 description: "Direct password hashing calls"
- - query: "bcrypt gensalt hashpw"
- description: "Bcrypt salt generation and hashing"
+ - query: "bcrypt hashpw"
+ description: "Bcrypt hashing"
 password_store:
 description: "Keeps track of hash values corresponding to each registered identity"
diff --git a/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/verifiable_token_authentication.yaml b/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/verifiable_token_authentication.yaml
index 351a80c..35f81cd 100644
--- a/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/verifiable_token_authentication.yaml
+++ b/security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/verifiable_token_authentication.yaml
@@ -23,50 +23,53 @@ roles: - query: " Depends OAuth2PasswordBearer" description: "HTTP authorization credentials dependency" priority: high + - query: HTTPAuthorizationCredentials Security + description: "Authorization credentials extraction" + priority: medium + verifier: description: "Manages the verification of whether a token is valid" queries: - - query: "jwt decode SECRET_KEY algorithms" + - query: "jwt decode algorithms" description: "JWT token verification" priority: high - - query: "def verify_token jwt decode" + - query: "jwt ExpiredSignatureError" description: "Token verification functions" priority: high - - query: "jwt decode token, SECRET_KEY, algorithms" + - query: "jwt InvalidTokenError" description: "Direct JWT decode calls" priority: high - - query: "payload jwt decode JWTError" - description: "JWT decode with error handling" - priority: high - - - query: "credentials jwt decode" - description: "Extracting and verifying JWT from credentials" + - query: "jwt.exceptions DecodeError" + description: "JWT decode error handling" + priority: medium + + - query: "revoke.*token" + description: "JWT expired signature error handling" priority: medium - cryptographer_mac: + cryptography_manager: description: "Provides cryptographic primitives for MAC-based tokens (HMAC)" queries: - - query: "jwt.encode HS256 SECRET_KEY" + - query: "jwt encode HS256" description: "JWT encoding with HMAC" priority: high - - - query: "from jose import jwt" - description: "Python-jose JWT import" + + - query: "jwt encode RS256" + description: "RSA signature algorithm configuration" priority: high - - - query: "algorithm HS256 jwt.encode" - description: "HMAC algorithm configuration" + + - query: "generate.*signature" + description: "JWT verification with HMAC" priority: high - - - query: "jwt encode decode HS256" - description: "Complete HMAC JWT operations" - priority: medium - cryptographer_signature: + - query: "verify.*signature" + description: "JWT verification with HMAC" + 
priority: high + description: "Provides cryptographic primitives for digitally signed tokens (RSA)" queries: - query: "jwt.encode RS256 private_key" 
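Review bot: Removing the `cryptographer_signature:` key while its `description:` / `queries:` children stay as unchanged context appears to fold the RSA block into `cryptography_manager`, which then carries a second `description:` and a second `queries:` at the same level — duplicate mapping keys, which most YAML loaders resolve silently last-wins (the HS256/RS256/signature queries added just above would be dropped) or reject outright. Re-introduce a role key before the surviving RSA `description:` line, e.g. `cryptographer_signature:` or a renamed equivalent, or else merge the RSA queries into `cryptography_manager` and delete the duplicate `description:` / `queries:` lines. The labels also drift from what the queries match: `cryptography_manager` still says "MAC-based tokens (HMAC)" although `jwt encode RS256` is now listed under it, `generate.*signature` and `verify.*signature` share the description "JWT verification with HMAC", and `revoke.*token` is described as "JWT expired signature error handling". The unquoted `HTTPAuthorizationCredentials Security` should be quoted like its sibling queries so a future edit cannot turn it into a non-string scalar. The RSA role's remaining queries continue past the end of this hunk.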
@@ -85,66 +88,23 @@ roles: description: "RSA algorithm variants" priority: medium - key_manager_hmac: - description: "Manages cryptographic keys for HMAC tokens" + key_manager: + description: "Rotate keys" queries: - - query: "SECRET_KEY = os.getenv" - description: "Secret key from environment" - priority: high - - - query: "SECRET_KEY ALGORITHM HS256 " - description: "HMAC key and algorithm configuration" - priority: high - - - query: "load_dotenv SECRET_KEY" - description: "Loading secret keys from environment" - priority: medium - - key_manager_rsa: - description: "Manages cryptographic keys for RSA signed tokens" - queries: - - query: "rsa.generate_private_key public_exponent" - description: "RSA key generation" - priority: high - - - query: "from cryptography.hazmat.primitives.asymmetric import rsa" - description: "RSA key management imports" - priority: high - - - query: "private_key public_key serialization" - description: "Public key extraction and serialization" - priority: high - - - query: "serialization PrivateFormat PKCS8" - description: "Private key serialization" - priority: medium - - - query: "serialization PublicFormat SubjectPublicKeyInfo" - description: "Public key serialization" + - query: "rotate.*key" + description: "Private key loading" priority: medium token_generator: description: "Manages the generation of new tokens" queries: - - query: "def create_access_token jwt encode" + - query: "create.*token datetime" description: "Access token creation functions" priority: high - - query: "jwt encode exp sub" - description: "JWT encoding with expiration and subject" - priority: high - - - query: "create_access_token data dict expires_delta" - description: "Token creation with expiration parameter" - priority: high - - - query: "timedelta minutes jwt encode" - description: "Token expiration time calculation" + - query: "secrets token_urlsafe" + description: "Secure token generation" priority: medium - - - query: "datetime.utcnow expires_delta" - 
description: "Expiration timestamp calculation" - priority: low registrar: description: "Provides the Subject a token after successful authentication" @@ -153,36 +113,10 @@ roles: description: "Token issuance endpoints" priority: high - - query: "return access token token_type bearer" + - query: "return access token bearer" description: "Token response formatting" priority: high - - query: "app post login jwt.encode" - description: "Login endpoint with JWT generation" - priority: high - - - query: "authenticate_user create_access_token" - description: "Authentication followed by token creation" - priority: medium - - token_blacklist: - description: "Tracks revoked but not yet expired tokens (optional feature)" - queries: - - query: "redis sadd revoked_tokens jwt" - description: "Token revocation with Redis" - priority: medium - - - query: "blacklist revoke token" - description: "Token blacklist management" - priority: medium - - - query: "class TokenBlacklist revoked_tokens" - description: "Token blacklist class" - priority: medium - - - query: "is_revoked token HTTPException" - description: "Revocation checking" - priority: low endpoints:
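Review bot: The new `key_manager` role drops every query that located where the signing key comes from (`SECRET_KEY = os.getenv`, `load_dotenv SECRET_KEY`, the `rsa.generate_private_key` / `serialization` queries) and keeps only `rotate.*key`, so the miner no longer retrieves the key-provisioning code that decides whether a token secret is hard-coded or loaded from the environment — the part of this role with the most security weight. The role's description `Rotate keys` and the query's description `Private key loading` also contradict each other; `description: "Manages cryptographic keys (loading and rotation)"` would match the role, and the query description should say what `rotate.*key` actually finds. Keeping one loading query next to the rotation one, e.g. `- query: "SECRET_KEY = os.getenv"` with `description: "Secret key from environment"`, would preserve that coverage without reverting the rest of the rewrite. The trailing `registrar:` context belongs to the next role, whose queries lie outside this hunk.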