elsapet

Results 11 issues of elsapet

**Description & Reproduction:** We're seeing some false positives with this rule, in some cases around the `Passwordless` library methods, which are matched by the current rule patterns. **Expected...**

bug

**Description:** A "fix" for path traversal is to replace dangerous characters like `.../.../` with empty strings. We tighten the JS Express rule around path traversal to exclude cases where...

For our newer JS rules, the remediation copy is missing or incomplete. We list the affected rules here, for copy review purposes:

**AWS** (see https://github.com/Bearer/bearer/pull/750)
- [x] [code_injection](https://github.com/Bearer/bearer/blob/main/pkg/commands/process/settings/rules/javascript/aws_lambda/code_injection.yml)
- ...

documentation
enhancement

For our newer Ruby rules, the remediation copy is missing or incomplete. We list the affected rules here, for copy review purposes:

**Lang**
- [ ] [deserialization_of_user_input](https://github.com/Bearer/bearer/blob/main/pkg/commands/process/settings/rules/ruby/lang/deserialization_of_user_input.yml)
- [...

documentation

**Description & Reproduction:** JavaScript rules `javascript_lang_exception` and `javascript_lang_logger` trigger if there is a property access in the exception or logger call and the receiver object has data types. Code...

bug
rule
Javascript rule

**Description & Reproduction:** There is destructured assignment in JavaScript (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Destructuring_assignment). It is common to use auxiliary rules to catch assignment as well as the object itself (e.g. to catch...

enhancement
Javascript rule

Perhaps we want to validate the format of the rules YAML. This could start simply, e.g. validating that required attributes are present.

enhancement
rule
internals architecture

We should consider adding to the rule metadata a list of the libraries (gems, etc) included in the rule's patterns, so that it is easy to know which libraries are...

enhancement
rule

As we do with the Request object, we should be agnostic about what the Response object is named in TS, e.g. patterns concerning the Response object should match on `whatever`...

enhancement

For some Golang rules, dynamic input is considered as any argument passed to a function. We should see if it generates too many false positives, and revisit the scope if...