Zoekt search

docker-compose.yml

@@ -8,7 +8,7 @@ services:
       - ./build/volumes/data:/data
     env_file:
       - ./.env
-    command: ["python", "./runner.py", "--get_dependents", "--package_names", "org.springframework.security:spring-security-core", "--language", "java", "--package_manager", "Maven", "--root_data_dir=/data"]
+    command: ["python", "./runner.py", "--get_dependents", "--crawl_only", "--package_names", "fastapi", "bcrypt", "--language", "python", "--package_manager", "Pypi", "--root_data_dir=/data"]
     deploy:
       resources:
         limits:
@@ -29,7 +29,7 @@ services:
       - ./.env
     environment:
       - ZOEKT_URL=http://zoekt-webserver:6070/api/search
-    command: ["python", "./runner.py", "--construct_queries", "--search_queries", "--pattern", "password_based_authentication", "--web_framework", "fastapi", "--language", "python", "--root_data_dir=/data"]
+    command: ["python", "./runner.py", "--construct_queries", "--search_queries", "--pattern", "verifiable_token_authentication", "--web_framework", "fastapi", "--language", "python", "--root_data_dir=/data"]
     depends_on:
       - zoekt-webserver
     deploy:

security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/password_based_authentication.yaml

@@ -41,12 +41,12 @@ roles:
   hasher:
     description: "Calculates the hash value for a given input"
     queries:
-      - query: "CryptContext hash"
+      - query: "passlib CryptContext hash"
         description: "Files with password hashing implementations"
       - query: "pwd_context hash password "
         description: "Direct password hashing calls"
-      - query: "bcrypt gensalt hashpw"
-        description: "Bcrypt salt generation and hashing"
+      - query: "bcrypt hashpw"
+        description: "Bcrypt hashing"
 
   password_store:
     description: "Keeps track of hash values corresponding to each registered identity"

security_pattern_miner/src/context_retriever/queries_library/python/fastapi/patterns/verifiable_token_authentication.yaml

@@ -23,50 +23,53 @@ roles:
       - query: " Depends OAuth2PasswordBearer"
         description: "HTTP authorization credentials dependency"
         priority: high
+      - query: HTTPAuthorizationCredentials Security
+        description: "Authorization credentials extraction"
+        priority: medium
+
 
   verifier:
     description: "Manages the verification of whether a token is valid"
     queries:
-      - query: "jwt decode SECRET_KEY algorithms"
+      - query: "jwt decode algorithms"
         description: "JWT token verification"
         priority: high
 
-      - query: "def verify_token jwt decode"
+      - query: "jwt ExpiredSignatureError"
         description: "Token verification functions"
         priority: high
 
-      - query: "jwt decode token, SECRET_KEY, algorithms"
+      - query: "jwt InvalidTokenError"
         description: "Direct JWT decode calls"
         priority: high
 
-      - query: "payload jwt decode JWTError"
-        description: "JWT decode with error handling"
-        priority: high
-      
-      - query: "credentials jwt decode"
-        description: "Extracting and verifying JWT from credentials"
+      - query: "jwt.exceptions DecodeError"
+        description: "JWT decode error handling"
+        priority: medium
+
+      - query: "revoke.*token"
+        description: "JWT expired signature error handling"
         priority: medium
 
-  cryptographer_mac:
+  cryptography_manager:
     description: "Provides cryptographic primitives for MAC-based tokens (HMAC)"
     queries:
-      - query: "jwt.encode HS256 SECRET_KEY"
+      - query: "jwt encode HS256"
         description: "JWT encoding with HMAC"
         priority: high
-      
-      - query: "from jose import jwt"
-        description: "Python-jose JWT import"
+
+      - query: "jwt encode RS256"
+        description: "RSA signature algorithm configuration"
         priority: high
-      
-      - query: "algorithm HS256 jwt.encode"
-        description: "HMAC algorithm configuration"
+
+      - query: "generate.*signature"
+        description: "JWT verification with HMAC"
         priority: high
-
-      - query: "jwt encode decode HS256"
-        description: "Complete HMAC JWT operations"
-        priority: medium
 
-  cryptographer_signature:
+      - query: "verify.*signature"
+        description: "JWT verification with HMAC"
+        priority: high
+
     description: "Provides cryptographic primitives for digitally signed tokens (RSA)"
     queries:
       - query: "jwt.encode RS256 private_key"
@@ -85,66 +88,23 @@ roles:
         description: "RSA algorithm variants"
         priority: medium
 
-  key_manager_hmac:
-    description: "Manages cryptographic keys for HMAC tokens"
+  key_manager:
+    description: "Rotate keys"
     queries:
-      - query: "SECRET_KEY = os.getenv"
-        description: "Secret key from environment"
-        priority: high
-
-      - query: "SECRET_KEY ALGORITHM HS256 "
-        description: "HMAC key and algorithm configuration"
-        priority: high
-
-      - query: "load_dotenv SECRET_KEY"
-        description: "Loading secret keys from environment"
-        priority: medium
-
-  key_manager_rsa:
-    description: "Manages cryptographic keys for RSA signed tokens"
-    queries:
-      - query: "rsa.generate_private_key public_exponent"
-        description: "RSA key generation"
-        priority: high
-
-      - query: "from cryptography.hazmat.primitives.asymmetric import rsa"
-        description: "RSA key management imports"
-        priority: high
-
-      - query: "private_key public_key serialization"
-        description: "Public key extraction and serialization"
-        priority: high
-
-      - query: "serialization PrivateFormat PKCS8"
-        description: "Private key serialization"
-        priority: medium
-
-      - query: "serialization PublicFormat SubjectPublicKeyInfo"
-        description: "Public key serialization"
+      - query: "rotate.*key"
+        description: "Private key loading"
         priority: medium
 
   token_generator:
     description: "Manages the generation of new tokens"
     queries:
-      - query: "def create_access_token jwt encode"
+      - query: "create.*token datetime"
         description: "Access token creation functions"
         priority: high
 
-      - query: "jwt encode exp sub"
-        description: "JWT encoding with expiration and subject"
-        priority: high
-
-      - query: "create_access_token data dict expires_delta"
-        description: "Token creation with expiration parameter"
-        priority: high
-
-      - query: "timedelta minutes jwt encode"
-        description: "Token expiration time calculation"
+      - query: "secrets token_urlsafe"
+        description: "Secure token generation"
         priority: medium
-
-      - query: "datetime.utcnow expires_delta"
-        description: "Expiration timestamp calculation"
-        priority: low
 
   registrar:
     description: "Provides the Subject a token after successful authentication"
@@ -153,36 +113,10 @@ roles:
         description: "Token issuance endpoints"
         priority: high
 
-      - query: "return access token token_type bearer"
+      - query: "return access token bearer"
         description: "Token response formatting"
         priority: high
 
-      - query: "app post login jwt.encode"
-        description: "Login endpoint with JWT generation"
-        priority: high
-
-      - query: "authenticate_user create_access_token"
-        description: "Authentication followed by token creation"
-        priority: medium
-
-  token_blacklist:
-    description: "Tracks revoked but not yet expired tokens (optional feature)"
-    queries:
-      - query: "redis sadd revoked_tokens jwt"
-        description: "Token revocation with Redis"
-        priority: medium
-
-      - query: "blacklist revoke token"
-        description: "Token blacklist management"
-        priority: medium
-
-      - query: "class TokenBlacklist revoked_tokens"
-        description: "Token blacklist class"
-        priority: medium
-
-      - query: "is_revoked token HTTPException"
-        description: "Revocation checking"
-        priority: low
 
 
 endpoints: