
Documentation or examples on how and where I can use YmlPath #661

Open
JaneX8 opened this issue Dec 5, 2024 · 5 comments

Comments

JaneX8 commented Dec 5, 2024

I would like to use YmlPath, which is supposedly supported by DevSkim, but I can't get it to work and can't find any examples or documentation about it.

gfs (Contributor) commented Dec 5, 2024

Hi @JaneX8,

Agree there is a gap in the documentation here - you should be able to mostly follow the examples in the ApplicationInspector wiki as a stopgap: https://github.com/microsoft/ApplicationInspector/wiki/3.6-Structured-Data-Queries-(XPath,-JSONPath,-YamlPath), except that DevSkim rules require tags.

For example, in DevSkim you could do the following:

Test File named test.yml:

hash_name:
  a_key: 0
  b_key: 1
  c_key: 2
  d_key: 3
  e_key: 4

Test Rule named test.json:

[{
    "name": "YamlPathValidate",
    "id": "YmlPath",
    "tags": ["test"],
    "description": "find documents where a_key as subkey of hash_name is 0",
    "severity": "critical",
    "patterns": [
      {
        "pattern": "0",
        "ymlpaths" : ["/hash_name/a_key"],
        "type": "string",
        "scopes": [
          "code"
        ],
        "modifiers": [
          "i"
        ],
        "confidence": "high"
      }
    ]
  }]

Then run devskim analyze -I test.yml -i -r test.json.

JaneX8 (Author) commented Dec 5, 2024

Thanks, that's a helpful direction. Can you point me in the direction as to what syntax is used exactly, or what implementation? To my understanding ymlpath isn't standardized and there are multiple different syntaxes. Which are we using? What is the underlying library? That would be very helpful.

I also would like to know if I can use ymlpaths in conditions.

Also note that "Sample XML Rule" here is followed by a JSON example: https://github.com/microsoft/ApplicationInspector/wiki/3.6-Structured-Data-Queries-(XPath,-JSONPath,-YamlPath)#sample-xml-rule.

gfs (Contributor) commented Dec 5, 2024

This uses my own implementation of YamlPath (https://github.com/gfs/yamlpathforyamldotnet) based on https://github.com/wwkimball/yamlpath/wiki/Segments-of-a-YAML-Path.

You can use yamlpaths in conditions, but not with the search_in portion of the condition; the condition is against the full file.

As for the XML example, perhaps the wording is unclear: that is an example of a rule that uses xpaths to search xml documents, but the rule format itself is always json.

JaneX8 (Author) commented Dec 5, 2024

Thank you. Any idea how I would match the two entries under /dfds/abc/test/* starting with XX?

dfds:
    xyz:
      - kqe: afa
        asf:
          - 1801
    abc:
      - asd: something
        test:
          - "anything1"
          - "XXanything2"
          - "XXanything3"

gfs (Contributor) commented Dec 5, 2024

Does this rule help?

[{
    "name": "YamlPathValidate",
    "id": "YmlPath",
    "tags": ["test"],
    "description": "values under a key named test that start with XX",
    "severity": "critical",
    "patterns": [
      {
        "pattern":"XX\\w*",
        "ymlpaths" : ["/**/test/*"],
        "type": "regex",
        "scopes": [
          "code"
        ],
        "modifiers": [
          "i"
        ],
        "confidence": "high"
      }
    ]
  }]
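To make the two rules in this thread concrete, here is an added, self-contained Python walk-through that is not DevSkim's or the yamlpathforyamldotnet library's code: it applies a toy YamlPath walker (an assumed subset of the wwkimball segment syntax: literal keys, `*`, and `**`) to the parsed form of both test.yml files and reports which scalar values the `/hash_name/a_key` string rule and the `/**/test/*` regex rule would flag. The meaning of the `i` modifier for `string` patterns is an assumption.

```python
import re
# Constructed in-memory equivalents of the two test.yml files in this thread
# (their parsed form, so the example runs offline without a YAML library).
DOC_ONE = {"hash_name": {"a_key": 0, "b_key": 1, "c_key": 2, "d_key": 3, "e_key": 4}}
DOC_TWO = {"dfds": {
    "xyz": [{"kqe": "afa", "asf": [1801]}],
    "abc": [{"asd": "something", "test": ["anything1", "XXanything2", "XXanything3"]}],
}}

def _children(node):
    """Yield (key, child) pairs of a mapping or sequence; scalars have none."""
    if isinstance(node, dict):
        yield from node.items()
    elif isinstance(node, list):
        yield from enumerate(node)

def select(node, segments):
    """Toy YamlPath walker (assumed subset of the wwkimball segment syntax):
    a literal key or index, '*' for any child, '**' for any number of levels."""
    if not segments:
        yield node
        return
    head, rest = segments[0], segments[1:]
    if head == "**":
        yield from select(node, rest)            # zero levels deep
        for _, child in _children(node):
            yield from select(child, segments)   # one or more levels deep
    else:
        for key, child in _children(node):
            if head == "*" or str(key) == head:
                yield from select(child, rest)

def matches(doc, rule):
    """Apply one DevSkim-style pattern: every scalar reached by a ymlpath is
    compared with the pattern ('string' = whole value, 'regex' = re.search).
    The 'i' modifier is assumed to mean case-insensitive for both types."""
    flags = re.IGNORECASE if "i" in rule.get("modifiers", []) else 0
    hits = []
    for path in rule["ymlpaths"]:
        for value in select(doc, [s for s in path.split("/") if s]):
            if isinstance(value, (dict, list)):
                continue                          # only scalars are matched
            text = str(value)
            if rule["type"] == "regex":
                ok = re.search(rule["pattern"], text, flags) is not None
            else:
                ok = re.fullmatch(re.escape(rule["pattern"]), text, flags) is not None
            if ok:
                hits.append(text)
    return hits
# The two rules from the thread, reduced to the fields this walker uses.
RULE_ONE = {"pattern": "0", "ymlpaths": ["/hash_name/a_key"], "type": "string", "modifiers": ["i"]}
RULE_TWO = {"pattern": r"XX\w*", "ymlpaths": ["/**/test/*"], "type": "regex", "modifiers": ["i"]}
```

Running `matches(DOC_TWO, RULE_TWO)` returns only the two `XX` entries, which is the selection asked about above; note that `**` here also descends into the sequences, so a key named `test` nested inside a list item is still found.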
