semgrep / semgrep Goto Github PK

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

License: GNU Lesser General Public License v2.1

Makefile 0.36% OCaml 74.53% Standard ML 1.30% Python 11.75% JavaScript 3.08% C 3.22% Java 4.19% Shell 0.43% Dockerfile 0.14% Go 0.45% HTML 0.04% Max 0.01% HCL 0.01% Jsonnet 0.09% Mustache 0.03% Jinja 0.01% Vue 0.01% Ruby 0.31% Rust 0.01% Scala 0.08%

static-analysis static-code-analysis java go sast semgrep r2c c python ruby javascript typescript

semgrep's Introduction

Code scanning at ludicrous speed.

This repository contains the source code for Semgrep OSS (open-source software). Semgrep OSS is a fast, open-source, static analysis tool for searching code, finding bugs, and enforcing code standards at editor, commit, and CI time. Semgrep is a semantic grep for code: where grep "2" would only match the exact string 2, Semgrep would match x = 1; y = x + 1 when searching for 2. And it does this in 30+ languages! Semgrep rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs: read more below.

For companies who need SAST, SCA, and Secret scanning, we provide a product suite on top of Semgrep OSS that scans code and package dependencies for known issues, software vulnerabilities, and finds secrets with high accuracy:

Semgrep Code to find bugs & vulnerabilities using the deeper, interfile-analysis enabled Pro engine and high-accuracy Pro rules in addition to the community rules
Semgrep Supply Chain to find dependencies with known vulnerabilities function-level reachability analysis
Semgrep Secrets to find hard-coded credentials that shouldn't be checked into source code

Semgrep analyzes code locally on your computer or in your build environment: by default, code is never uploaded. Get started →.

Language support

Semgrep Code supports 30+ languages, including:

Apex · Bash · C · C++ · C# · Clojure · Dart · Dockerfile · Elixir · HTML · Go · Java · JavaScript · JSX · JSON · Julia · Jsonnet · Kotlin · Lisp · Lua · OCaml · PHP · Python · R · Ruby · Rust · Scala · Scheme · Solidity · Swift · Terraform · TypeScript · TSX · YAML · XML · Generic (ERB, Jinja, etc.)

Semgrep Supply Chain supports 12 languages across 15 package managers, including:

C# (NuGet) · Dart (Pub) · Go (Go modules, go mod) · Java (Gradle, Maven) · Javascript/Typescript (npm, Yarn, Yarn 2, Yarn 3, pnpm) · Kotlin (Gradle, Maven) · PHP (Composer) · Python (pip, pip-tool, Pipenv, Poetry) · Ruby (RubyGems) · Rust (Cargo) · Scala (Maven) · Swift (SwiftPM)

For more information, see Supported languages.

For new users, we recommend starting with the Semgrep AppSec Platform because it provides a visual interface, a demo project, result triaging and exploration workflows, and makes setup in CI/CD fast. Scans are still local and code isn't uploaded. Alternatively, you can also start with the CLI and navigate the terminal output to run one-off searches.

Option 1: Getting started from the Semgrep Appsec Platform (Recommended)

Register on semgrep.dev
Explore the demo findings to learn how Semgrep works
Scan your project by navigating to Projects > Scan New Project > Run scan in CI
Select your version control system and follow the onboarding steps to add your project. After this setup, Semgrep will scan your project after every pull request.
[Optional] If you want to run Semgrep locally, follow the steps in the CLI section.

Notes:

If there are any issues, please ask for help in the Semgrep Slack.

Option 2: Getting started from the CLI

Install Semgrep CLI

# For macOS
$ brew install semgrep

# For Ubuntu/WSL/Linux/macOS
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run -it -v "${PWD}:/src" semgrep/semgrep semgrep login
$ docker run -e SEMGREP_APP_TOKEN=<TOKEN> --rm -v "${PWD}:/src" semgrep/semgrep semgrep ci

Run semgrep login to create your account and login to Semgrep.

Logging into Semgrep gets you access to:

Semgrep Supply Chain: A dependency scanner that detects reachable vulnerabilities in third party libraries
Semgrep Code's Pro rules: 600+ high confidence rules written by Semgrep's security research team
Semgrep Code's Pro engine: An advanced code analysis engine, designed to detect complex vulnerabilities, and reduce false positives

Go to your app's root directory and run semgrep ci. This will scan your project to check for vulnerabilities in your source code and its dependencies.
Try writing your own query interactively with -e. For example, a check for Python == where the left and right hand sides are the same (potentially a bug): $ semgrep -e '$X == $X' --lang=py path/to/src

Semgrep Ecosystem

The Semgrep ecosystem includes the following products:

Semgrep Code - Scan your code with Semgrep's proprietary rules (written by our Security Research team) using our cross-file and cross-function analysis. Designed to find OWASP Top 10 vulnerabilities and protect against critical security risks. Semgrep Code is available on both free and paid tiers.
Semgrep Supply Chain (SSC) - A high-signal dependency scanner that detects reachable vulnerabilities in open source third-party libraries and functions across the software development life cycle (SDLC). Semgrep Supply Chain is available on both free and paid tiers.
Semgrep Secrets [NEW!] - Secrets detection that uses semantic analysis, improved entropy analysis, and validation together to accurately detect sensitive credentials in developer workflows. Book a demo to request early access to the product.
Semgrep AppSec Platform - Deploy, manage, and monitor Semgrep at scale, with free and paid tiers. Integrates with continuous integration (CI) providers such as GitHub, GitLab, CircleCI, and more.
Semgrep OSS Engine - The open-source engine and community-contributed rules at the heart of everything (this project).

To learn more about Semgrep, visit:

Semgrep Playground - An online interactive tool for writing and sharing rules.
Semgrep Registry - 2,000+ community-driven rules covering security, correctness, and dependency vulnerabilities.

Join hundreds of thousands of other developers and security engineers already using Semgrep at companies like GitLab, Dropbox, Slack, Figma, Shopify, HashiCorp, Snowflake, and Trail of Bits.

Semgrep is developed and commercially supported by Semgrep, Inc., a software security company.

Semgrep Rules

Semgrep rules look like the code you already write; no abstract syntax trees, regex wrestling, or painful DSLs. Here's a quick rule for finding Python print() statements.

Run it online in Semgrep’s Playground by clicking here.

Examples

Visit Docs > Rule examples for use cases and ideas.

Use case	Semgrep rule
Ban dangerous APIs	Prevent use of exec
Search routes and authentication	Extract Spring routes
Enforce the use secure defaults	Securely set Flask cookies
Tainted data flowing into sinks	ExpressJS dataflow into sandbox.run
Enforce project best-practices	Use assertEqual for == checks, Always check subprocess calls
Codify project-specific knowledge	Verify transactions before making them
Audit security hotspots	Finding XSS in Apache Airflow, Hardcoded credentials
Audit configuration files	Find S3 ARN uses
Migrate from deprecated APIs	DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs
Apply automatic fixes	Use listenAndServeTLS

Extensions

Visit Docs > Extensions to learn about using Semgrep in your editor or pre-commit. When integrated into CI and configured to scan pull requests, Semgrep will only report issues introduced by that pull request; this lets you start using Semgrep without fixing or ignoring pre-existing issues!

Documentation

Browse the full Semgrep documentation on the website. If you’re new to Semgrep, check out Docs > Getting started or the interactive tutorial.

Metrics

Using remote configuration from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.

Using configs from local files (like --config=xyz.yml) does not enable metrics.

To disable Registry rule metrics, use --metrics=off.

The Semgrep privacy policy describes the principles that guide data-collection decisions and the breakdown of the data that are and are not collected when the metrics are enabled.

Upgrading

To upgrade, run the command below associated with how you installed Semgrep:

# Using Homebrew
$ brew upgrade semgrep

# Using pip
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull semgrep/semgrep:latest

semgrep's People

Contributors

Stargazers

Watchers

Forkers

christydennison clintgibler ulziibay drewdennison ejin-luo sylvestre rcoh meghajakhotia madhuakula olivierh59500 dskrish layzhi stephengroat xyproto wireghoul modulexcite ajinabraham timb-machine-mirrors bhakiyakalimuthu aryx etsangsplk donfanning santhoshinty pbehnke saaspeter kartikeyap montanablood27 morg0n kannans mtkis22 vitthals defreez herbygillot tolidano studiovc pecigonzalo mbarkhau polling-repo-continua mmyjona tu-cao mbrukman fwip zeta1999 santandersecurityresearch ktzgraph louisianatiger disconnect3d salewski jeshventhraja petermulller christofersimbar nutmag isp1r0 shmsr fjsnogueira stewartpond iagoabal intfrr kursatoguzhanakinci srenatus unshorn hamid-k hunt3rkillerz thedevappsecguy ilaif ericyao2013 sjord tengineerio rongqinglee cracert humble-desser bonedaddy gavrias securepo feliperalmeida joefound misswhite aircup chgg-kboberg icysun aramrami skysec asll666 rayleyva techini dmitris tbugfinder trdyer ruin0x11 aantn inyongnation doanhnhq-uit babubhaiya-36 bollwyvl dacer250 acumenix zythosec denis-feier blueoceandevops lemonstar0

semgrep's Issues

Re-enable failing tests

re-enable tests https://github.com/returntocorp/sgrep/blob/develop/Makefile#L8

cc @aryx

unclear boolean composition rules

We currently produce internal python errors if unsupported yaml file stuff happens, eg nesting queries under pattern-inside. This should be tested and cleaned up for better UX.

should match functions at any level

Describe the bug
pattern: def __eq__(...): ... will match

def __eq__(self, other):
    pass

but not:

class A:
    def __eq__(self, other):
        pass

or:

def A():
    def __eq__(...): 
        pass
    return __eq__

Fixing this would fix false positives in https://github.com/returntocorp/sgrep-rules/blob/master/python/deadcode/useless-eqeq.yaml

sgrep doesn't differentiate between absolute vs. relative imports

In the following code chunk
https://dev.massive.ret2.co/triager/triage/538/68217?selected_regions=%5B%7B%22rows%22%3A%5B0%2C0%5D%7D%5D

if __name__ == '__main__':
    from forget_mult import ForgetMult
else:
    from .forget_mult import ForgetMult

sgrep thinks the if and the else branches have the same code. Not quite. The if branch has the absolute import whereas the else branch has the relative import. These 2 behaviors are not identical.

command to validate a pattern

It would be helpful to have an sgrep command that validates whether a pattern can be parsed for a particular language flag. For instance, this could be used in a repl to indicate to the user whether the pattern is valid at every keystroke.

Python decorator support

desired:

code:

@alpha @beta @charlie('xyz')
def foo():
    x = 42

should be matched by these patterns:

@alpha
def (...):
    ...

@charlie(...)
def (...):
    ...

@charlie("xyz")
def (...):
    ...

ocaml error running rules with `return $X`

Describe the bug
Fatal error: exception (Failure "empty list, max_min_ii_by_pos")

To Reproduce
Steps to reproduce the behavior:

sgrep-lint --no-rewrite-rule-ids -f python/smells/return-in-init.yaml python/smells/return-in-init.py from semgrep/semgrep-rules#12

Expected behavior
Not an ocaml exception :)

fix python syntax bugs in sgrep

sgrep technical documentation

Sgrep spelling error

This text on the sgrep readme looks like:
Knows about code equivalences: one pattern can match many equivalent variations on### }the code

There is an extra character in this sentence ({). The sentence should look like:

To repro:
go to- https://github.com/returntocorp/sgrep
Read

Failure "empty list, max_min_ii_by_pos" on Python project

git clone https://github.com/dulwich/dulwich /tmp/dulwich && cd /tmp/dulwich && git checkout 9e0de26619ad35762a0394894c53637627039ab2 && cd -

sgrep-lint /tmp/dulwich/ --config=r2c
running 60 rules from 26 yaml files (0 yaml files were invalid)
Fatal error: exception (Failure "empty list, max_min_ii_by_pos")
non-zero return code while invoking sgrep with:
	sgrep -lang python -rules_file /var/folders/fc/v6k2jq7n3zb03_z3gc0zcxw80000gn/T/tmpe0_5vgbc /tmp/dulwich
Command '['sgrep', '-lang', 'python', '-rules_file', '/var/folders/fc/v6k2jq7n3zb03_z3gc0zcxw80000gn/T/tmpe0_5vgbc', '/tmp/dulwich']' returned non-zero exit status 2.


An error occurred while invoking the sgrep engine; please help us fix this by filing an an issue at https://sgrep.dev

Exception when searching for string inside method call

Describe the bug
Searching for this code:

logging.info(
        f"Current bento version is {current_version}, latest is {latest_version}"
    )

I'd like to identify that bento should be uppercase.

rules:
    - id: bento
      patterns:
        - pattern: $X("=~/.*bento.*/")
      message: Bento should be capitalized.
      languages: [python]
      severity: ERROR

The error is:

running 1 rules from 1 yaml files (0 yaml files were invalid)
Fatal error: exception (Failure "get_pos: Ab or FakeTok")
Traceback (most recent call last):
  File "/bin/sgrep-lint", line 851, in <module>
    main(args)
  File "/bin/sgrep-lint", line 701, in main
    output_json = invoke_sgrep(all_patterns, targets)
  File "/bin/sgrep-lint", line 325, in invoke_sgrep
    output = subprocess.check_output(cmd, shell=False)
  File "/usr/lib/python3.8/subprocess.py", line 411, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.8/subprocess.py", line 512, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['sgrep', '-lang', 'python', '-rules_file', '/tmp/tmpu09opzct', '/home/repo']' returned non-zero exit status 2.

To Reproduce
Steps to reproduce the behavior:

git clone [email protected]:returntocorp/bento.git
Run the above rule

set `--version` during the build so it matches the git tag

Update sgrep version and sgrep-lint version on release based on tag or git hash

constant propagation for Python

sgrep not working on js files

See slack

integrate tree-sitter java parser into sgrep

sgrep $X != $X rule should take into account unicode operator

Sgrep should not fire on this line:
assert gzutil.hash(b"\xe4") != gzutil.hash("\xe4")

https://dev.massive.ret2.co/triager/triage/528/67933?check_ids=sgrep-rules.python.deadcode.eqeq-is-bad&selected_regions=%5B%7B%22rows%22%3A%5B0%2C0%5D%7D%5D

Change default output to line based

Change default output from json to line based. Add --json

Report invalid keys in yaml

Given a rule like:

- id: foo
- pattern:
- pattern-inside:

We should complain that only pattern or patterns are valid top-level keys.

pattern match expressions and statements with the same pattern

$X.pop(...) doesn't match x = l.pop(0) or print(l.pop(0)

fixing this would make it simpler to match pattern anywhere in the AST

e.g. I have to have 12 patterns when I should only need 4 semgrep/semgrep-rules@dcf2c5a#diff-ea429333db3631ca837612d41864864a

unfriendly error if the input directory is empty

If find doesn't find anything, it will return 1 and we will throw a confusing error to the user inside sgrep core.

/ # sgrep -lang python -rules_file /analyzer/data/basic.yml /analysis/inputs/public/source-code
Fatal error: exception Common.CmdError(_, "CMD = find  '/analysis/inputs/public/source-code' -type f | grep -v /.hg/ |grep -v /CVS/ | grep -v /.git/ |grep -v /_darcs/| grep -v /.svn/ | grep -v .git_annot | grep -v .marshall, RESULT = ")

Desired behavior: don't raise an exception if there are no files returned

consecutive statements not matched (javascript and python)

See semgrep/semgrep-rules#44

expect that:

            $X = $Y;
            $X = $Z;

will match:

var x = 1;
x = 2;
x = 3;

But it does not.

can't parse `assert(...)` in Java

Test case in semgrep/semgrep-rules#53;

in java/basic-rules.yaml, pattern in rule eqeq-is-bad can't be parsed for language java: assert(...)

Minimal:

> sgrep -lang=java -e "assert(...)" any.java
Fatal error: exception (Failure "fail to parse pattern: 'assert(...)' in lang java")

Exception finding patterns inside nested function calls

Describe the bug
To identify the code:

click.echo(click.style(f"Detected project with {projects}\n", fg="blue", err=True))

rules:
    - id: use-click-secho
      pattern: click.echo(click.style($X, ...))
      message: Use `click.secho($X)` instead. It combines click.echo() and click.style().
      languages: [python]
      severity: ERROR

I get the following exception:

Fatal error: exception (Failure "get_pos: Ab or FakeTok")
Traceback (most recent call last):
  File "/bin/sgrep-lint", line 851, in <module>
    main(args)
  File "/bin/sgrep-lint", line 701, in main
    output_json = invoke_sgrep(all_patterns, targets)
  File "/bin/sgrep-lint", line 325, in invoke_sgrep
    output = subprocess.check_output(cmd, shell=False)
  File "/usr/lib/python3.8/subprocess.py", line 411, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.8/subprocess.py", line 512, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['sgrep', '-lang', 'python', '-rules_file', '/tmp/tmpckk6dtz6', '/home/repo']' returned non-zero exit status 2.

multiple reports for golang

On sgrep-rules branch ie/golang2: the pattern if (false) { ... } reports three times on a single line:
(see PR for file contents: https://github.com/returntocorp/sgrep-rules/pull/54/files)

sgrep-rules (ie/golang2)> sgrep-lint --strict --no-rewrite-rule-ids -f go/deadcode/useless-eqeq.yaml go/deadcode/useless-eqeq.go
running 2 rules from 1 yaml files (0 yaml files were invalid)
go/deadcode/useless-eqeq.go:8 eqeq-is-bad - useless comparison operation `y == y` or `y != y`
go/deadcode/useless-eqeq.go:13 hardcoded-eq-true-or-false - useless if statement, always the same behavior
go/deadcode/useless-eqeq.go:13 hardcoded-eq-true-or-false - useless if statement, always the same behavior
go/deadcode/useless-eqeq.go:13 hardcoded-eq-true-or-false - useless if statement, always the same behavior

support context lines with -C like grep

In the default (non-JSON) output mode, it would be great to have

> sgrep -C 3 -e "foo(...)" .
--
_build/foo.py-    someline
_build/foo.py-    someline2
_build/foo.py:    foo(x=1)
_build/foo.py-    somelin3
_build/foo.py-    someline4

can't parse go if statements in expressions

Minimal example:

> sgrep -lang go -e "if (true)" README.md
Fatal error: exception (Failure "fail to parse pattern: 'if (true)' in lang go")
> sgrep -lang go -e "if (true) { ... } " README.md
Fatal error: exception (Failure "fail to parse pattern: 'if (true) { ... } ' in lang go")

subpattern where-python:`arbitrary python code`

We'd like to make rule files even more pluggable and dynamic. To that end, it would be valuable to have python / javascript scriptability that can execute arbitrary code to decide whether or not a rule should fire. For instance:

pattern-with-guard:
    pattern: foo($X)
    where-python: "0 <= vars['$X'] <= 100"

Specifically, many of the checks @mschwager wrote in dlint would be good candidates for this pattern. Eg https://github.com/dlint-py/dlint/blob/master/dlint/linters/bad_urllib3_kwarg_use.py could become:

pattern-with-guard:
    pattern: urllib3.PoolManager(cert_reqs=$X)
    where-python: "vars['$X'] in ['CERT_NONE', 'NONE']"

pipe error messages to stderr

sgrep-core should pipe output to stderr especially when outputting json/r2c mode, these issues should be collected under the errors key

using latest sgrep-lint with the --config=r2c option on

git clone https://github.com/yaml/pyyaml /tmp/pyyaml && cd /tmp/pyyaml && git checkout 5986257f9fc978d4a61b6e0001df554f80e565cb && cd -

The following is output to stdout, but it should really go to stderr:

PB: Ast_c_build, on /analysis/inputs/public/source-code/ext/_yaml.h (exn = (Failure "/analysis/inputs/public/source-code/ext/_yaml.h:23:0: no ifdef"))

Full reference, see failure at https://dev.massive.ret2.co/jobs/544?page=1&sort_on=repo_url&sort_by=asc

issues with javascript parsing elipsis operator

> cat foo.js
var x = 1;
var y = "foobar";

docker run --rm -v (pwd):/home/repo returntocorp/sgrep:latest -e '$X = ...' -l javascript foo.js
in manual, pattern in rule - can't be parsed for language javascript: $X = ...
invalid patterns found inside rules; aborting

report parse errors to sgrep-lint

Right now, if a file fails to parse, it is silently ignored.

Sgrep lint should describe that $N files failed to parse (run with --verbose to see them)

pin pfff version in Dockerfile

For reproducibility and debug-ability, we ought to be pinning the commit hash of pfff in the dockerfile. This will also make builds faster as we can move the COPY line down

Remove docker mount path from `path` output

currently the output has the abs path so looks like "path": "/home/repo/tests/TODO/imports2.py". It should not have /home/repo/

Simplify boolean patterns

Issue for discussion:

I think we can make the patterns a lot simpler. i.e. pattern-either can become or and pattern-not could just be not

-r2c flag is not respected when -rules_file is specified

When using -rules_file, r2c flag does not seem to be respected. See below:

ulziibayarotgonbaatar@ulziibayars-MacBook-Pro sgrep % ./_build/default/bin/main_sgrep.exe -r2c -e "app.run()" ~/Workspace/sgrep-rules/tests/python/flask/                                                          
{
  "results": [
    {
      "check_id": "sgrep-lint-<sgrep>",
      "path": "app_run_security_config/test_avoid_using_app_run_directly.py",
      "start": { "line": 1, "col": 1 },
      "end": { "line": 1, "col": 4 },
      "extra": { "message": "found a match", "line": "EMPTY FILE" }
    },
    {
      "check_id": "sgrep-lint-<sgrep>",
      "path": "app_run_security_config/test_app_run_with_guard_no_option.py",
      "start": { "line": 8, "col": 5 },
      "end": { "line": 8, "col": 8 },
      "extra": { "message": "found a match", "line": "NO LINE" }
    },
    {
      "check_id": "sgrep-lint-<sgrep>",
      "path": "app_run_security_config/test_app_run_with_guard_no_option.py",
      "start": { "line": 4, "col": 5 },
      "end": { "line": 4, "col": 8 },
      "extra": { "message": "found a match", "line": "NO LINE" }
    }
  ]
}

ulziibayarotgonbaatar@ulziibayars-MacBook-Pro sgrep % ./_build/default/bin/main_sgrep.exe -r2c -rules_file ~/Workspace/sgrep-rules/python/flask/secure-static-file-serve.yaml ~/Workspace/sgrep-rules/tests/python/flask/
{
  "matches": [
    {
      "check_id": "avoid_send_file_without_path_sanitization",
      "path":
        "/Users/ulziibayarotgonbaatar/Workspace/sgrep-rules/tests/python/flask/send_static_file/test_send_file_without_path_sanitization.py",
      "start": { "line": 5, "col": 5, "offset": 56 },
      "end": { "line": 6, "col": 19, "offset": 91 },
      "extra": {
        "message":
          "Looks like `filename` could flow to `flask.send_file()` function. Make sure to properly sanitize filename or use `flask.send_from_directory`",
        "metavars": {
          "$X": {
            "start": { "line": 5, "col": 5, "offset": 56 },
            "end": { "line": 5, "col": 18, "offset": 69 },
            "abstract_content": "download_file"
          }
        }
      }
    }
  ],
  "errors": []
}

golang parser failing on ... cases

sgrep -lang go -e "assert(...)" anyfile.go

Reports:

Fatal error: exception (Failure "fail to parse pattern: 'assert(...)' in lang go")

don't make python the default

-lang python being the default is confusing to anyone working in a different language. We should probably force the user to be explicit, as we do in the yaml files.

It would also be good to have clear documentation, ideally in the tool, about what languages are available, their names, and what extensions will be parsed.

ship binaries for Ubuntu

Want to be able to install sgrep easily using some package manager like brew/apt

match on type of immediate

os.remove($X: int)

should match

os.remove(5)

os.remove($X: float) -> os.remove(1.0)
os.remove($X: str) -> os.remove("1.0")

Etc., for the python primitive types seen as immediates

Return $X pattern is failing in tests

Describe the bug
When the return $X is used in sgrep pattern, the rule engine is failing with the following:

Fatal error: exception (Failure "get_pos: Ab or FakeTok")

To Reproduce
Steps to reproduce the behavior:

Check out 2248c25
make build
Create the following rule file

rules:
    - id: return-in-init
      patterns:
        - pattern-inside: |
            class A(...):
              ...
        - pattern-inside: |
            def __init__(...):
              ...
        - pattern: return $X
      message: "`return` should never appear inside a class __init__ function"
      languages: [python]
      severity: ERROR

Pass in to sgrep binary:

./sgrep.py -f ~/Workspace/sgrep-rules/python/smells/return-in-init.yaml ~/Workspace/pyyaml

running 1 rules from 1 yaml files (0 yaml files were invalid)
Fatal error: exception (Failure "get_pos: Ab or FakeTok")
Traceback (most recent call last):
  File "./sgrep.py", line 779, in <module>
    main(args)
  File "./sgrep.py", line 641, in main
    output_json = invoke_sgrep(all_patterns, targets)
  File "./sgrep.py", line 291, in invoke_sgrep
    output = subprocess.check_output(cmd, shell=False)
  File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 395, in check_output
    **kwargs).stdout
  File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 487, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['sgrep', '-rules_file', '/var/folders/7c/2qqryd9n42b9v778dlpdhqgw0000gn/T/tmp1gwgxhqz', '/Users/ulziibayarotgonbaatar/Workspace/pyyaml']' returned non-zero exit status 2.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

OS: [e.g. iOS]
Browser [e.g. chrome, safari]
Version [e.g. 22]

Smartphone (please complete the following information):

Device: [e.g. iPhone6]
OS: [e.g. iOS8.1]
Browser [e.g. stock browser, safari]
Version [e.g. 22]

Additional context
Add any other context about the problem here.

bug with identifier equality (seen in eqeq check)

See for instance https://app.r2c.dev/triager/triage?analyzer_name=beta/sgrep&analyzer_version=0.1.16&commit=499faf4eb9f9ccf0b21dc728e974970f54bd6c52&selected_regions=%5B%7B%22rows%22%3A%5B0%2C0%5D%7D%5D

This is a false positive when it comes to the identifiers that appears to originate inside sgrep/pfff core.

python function call subtleties

https://github.com/returntocorp/sgrep-rules/blob/663a95579bb825f578068794ffc63c41cb9e3417/python/socket/bind.py#L24

    - pattern-either:
        - pattern: |
            $S = socket.socket(...)
            ...
            $S.bind(("0.0.0.0", ...))
        - pattern: |
            $S = socket.socket(...)
            ...
            $S.bind(("", ...))

is triggering on:

easy_s = socket.socket(doesnt, matter)
easy_s.bind()

But I expect it not to, given it has no arguments.

better class matching

the pattern:

class A(...)

should match

class A:
class A():
class A(ParentClass):

python equivalence: de-sugar `with`

Per https://www.python.org/dev/peps/pep-0343/

with(...) as F:
    ...

should be equivalent to:

F. __enter__()
...
F.__exit()

Specifically, if F is assigned to a file handle, it would be equivalent to enter open and exit close functionality. This may require typing to do robustly.

metrics.send(f"{function}.success", 'counter', '1', metric_tags={"source": source})

and I wrote

metrics.send(...)

and

metrics.send($X, 'counter', '...', ...)

But I got no matches

line is from Netflix/lemur@d2c7330

cc @daghan

infinite? hang when running inside docker

On bento-core at commit 1b5e4ff9
Using .sgrep.yml from https://raw.githubusercontent.com/returntocorp/sgrep-rules/1c3808ac04cc67e0468fb61a26b5dbdd6a2813ac/python/click/echo-style.yaml

time sgrep -lang python -rules_file .sgrep.yml .
{ "matches": [], "errors": [] }
       12.71 real        13.06 user         1.20 sys

But,

docker run --rm -v (pwd):/home/repo returntocorp/sgrep:develop --json

Does not return for me.

If I go into the bento/ subfolder, this problem does not occur.

semgrep / semgrep Goto Github PK

semgrep's Introduction

Code scanning at ludicrous speed.

Language support

Getting started 🚀

Option 1: Getting started from the Semgrep Appsec Platform (Recommended)

Notes:

Option 2: Getting started from the CLI

Semgrep Ecosystem

Semgrep Rules

Examples

Extensions

Documentation

Metrics

More

Upgrading

semgrep's People

Contributors

Stargazers

Watchers

Forkers

semgrep's Issues

Recommend Projects

Recommend Topics

Recommend Org