forked from semgrep/semgrep
semgrep.yml
# This file contains Semgrep rules.
# See https://semgrep.dev for more information.
#
# You can use this file locally either with:
# - docker run --rm -v "${PWD}:/home/repo" returntocorp/semgrep:develop --config semgrep.yml
# or if you have already installed semgrep:
# - semgrep --config semgrep.yml .
#
# This file is also used in CI, see .circleci/config.yml
#
# Put semgrep-specific rules here.
# Put general OCaml or Python rules in the semgrep-rules repository
# under ocaml/ or python/.
# Use semgrep-core/src/pfff/semgrep.yml for rules related to using pfff
# libraries.
rules:
  - id: no-print-in-semgrep
    patterns:
      - pattern-either:
          - pattern: pr ...
          - pattern: print_string ...
      - pattern-not-inside: |
          if !Flag.debug
          then ...
      - pattern-not-inside: |
          let $F ... =
          ...
          [@@action]
    message: you should not print anything on stdout as it may interfere with
      the JSON output we must return to the semgrep python wrapper.
    languages: [ocaml]
    severity: ERROR
    paths:
      exclude:
        - core_cli/*.ml
        - cli/*.ml
        - cli_*/*.ml
        - Test.ml
        - Matching_report.ml
        - Matching_explanation.ml
        - Unit_*.ml
        - Test_*.ml
        - runner/*.ml
        - experiments/*
        - Check_*.ml
        - libs/*
        - languages/*
        - scripts/*
  - id: use-pytest-mock
    pattern: import unittest.mock
    message: >-
      Instead of importing unittest.mock,
      use the pytest-mock plugin by requesting the `mocker` fixture.
    languages: [python]
    severity: ERROR
    paths:
      include:
        - tests/
  - id: use-state-for-global-settings
    pattern: global $VAR
    message: |
      Instead of setting global variables,
      keep your variables around on the semgrep.state.SemgrepState class.
      You'll then be able to access this anywhere with:
        from semgrep.state import get_state
        $VAR = get_state().$VAR
    languages: [python]
    severity: ERROR
  - id: not-using-our-pcre-wrappers
    patterns:
      - pattern-either:
          - pattern: Pcre.regexp
          - pattern: Pcre.pmatch
          - pattern: Pcre.exec
          - pattern: Pcre.exec_all
          - pattern: Pcre.split
    message: >-
      You should use one of the equivalent functions in SPcre, which
      automatically sets some flags and handles exceptions.
    languages: [ocaml]
    severity: ERROR
    paths:
      exclude:
        - SPcre.ml
  - id: no-list-map
    pattern: List.map
    message: >-
      `List.map` creates O(N) stack depth, and can lead to a
      stack overflow. Use `Common.map` instead.
    fix: Common.map
    languages: [ocaml]
    severity: ERROR
    paths:
      include:
        - semgrep-core/src/*
      exclude:
        - semgrep-core/src/profiling/*
        - ppx_profiling/*
        - commons/*
        - graph_code/*
        - lib_parsing/*
  - id: use-concat-map
    pattern-either:
      - pattern: List.map ... |> List.flatten
      - pattern: Common.map ... |> List.flatten
      - pattern: List.map ... |> List.concat
      - pattern: Common.map ... |> List.concat
      - pattern: List.flatten ( List.map ... )
      - pattern: List.flatten ( Common.map ... )
      - pattern: List.concat ( List.map ... )
      - pattern: List.concat ( Common.map ... )
    message: >-
      `List.concat_map` is more efficient and more readable than a `map` followed
      by `concat`.
    languages: [ocaml]
    severity: ERROR
    paths:
      include:
        - semgrep-core/src/*
  - id: safe-ast-equality
    patterns:
      - pattern: AST_generic.$X
      - metavariable-regex:
          metavariable: $X
          regex: equal.*
      - pattern-not-inside: AST_utils.with_structural_equal ...
      - pattern-not-inside: AST_utils.with_referential_equal ...
      # Literals can't contain statements within them, so this is safe
      - pattern-not: AST_generic.equal_literal
    message: >-
      The autogenerated AST_generic equality functions must be wrapped in either
      `AST_utils.with_structural_equal` or `AST_utils.with_referential_equal`.
      Otherwise, they will raise if any statements are compared. See
      `AST_utils.ml` for more information.
    languages: [ocaml]
    severity: ERROR
    paths:
      include:
        - semgrep-core/src/*
  - id: no-exit-code-1-in-semgrep
    pattern: sys.exit(1)
    fix: sys.exit(2)
    message: >-
      Exit code 1 is reserved for notifying users that blocking findings were found.
      Please use a different exit code, or better yet, a SemgrepError exception.
      For generic fatal errors, we use exit code 2.
    languages: [python]
    severity: ERROR
    paths:
      include:
        - cli/*
  - id: no-env-vars-on-top-level
    patterns:
      - pattern-either:
          - pattern: os.getenv
          - pattern: os.environ
      - pattern-not-inside: "def $F(...): ..."
    message: >-
      If you access environment variables on the top level of a module,
      it'll be near impossible to mock the value of that variable in tests.
      Please make sure to only access environment variables in functions,
      preferably in semgrep.env.Env
    languages: [python]
    severity: ERROR
    paths:
      include:
        - cli/src/*
  - id: use-git-check-output-helper
    pattern-either:
      - pattern: subprocess.$METHOD(["git", ...], ...)
      - pattern: semgrep.util.sub_check_output(["git", ...], ...)
    message: >-
      We have a helper function git_check_output in meta.py that
      handles printing nice error+debug messages on failure. Use
      that instead of using subprocess
    languages: [python]
    severity: ERROR
    paths:
      include:
        - cli/src/*
# not ready yet
#  - id: no-exit-in-semgrep
#    pattern: |
#      exit $X
#    message: do not use directly exit. raise instead UnixExit $X
#    languages: [ocaml]
#    severity: ERROR
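The Python rules above can be exercised with a Semgrep test fixture; the following is an added example, not a file from the semgrep repository, written in the `# ruleid:` / `# ok:` annotation form that `semgrep --test` reads. It assumes the fixture is saved under `cli/src/` so the rules' `paths.include` filters apply, and `exit_code_of` is a helper added here only to compare the original and fixed exit paths.

```python
# Constructed fixture (not from the semgrep repo) for the Python rules in
# semgrep.yml.  A `# ruleid: <id>` comment marks the next line as an expected
# finding; `# ok: <id>` marks a line the rule must leave alone.  Save it under
# cli/src/ and run:
#   semgrep --test --config semgrep.yml cli/
import os
import subprocess
import sys

# ruleid: no-env-vars-on-top-level
DEBUG_AT_IMPORT = os.environ.get("SEMGREP_DEBUG")  # read once at import, not mockable per test


def debug_enabled() -> bool:
    # ok: no-env-vars-on-top-level
    return os.getenv("SEMGREP_DEBUG") == "1"  # read inside a function, so tests can patch it


def git_status(cwd: str) -> str:
    # ruleid: use-git-check-output-helper
    return subprocess.check_output(["git", "status", "--short"], cwd=cwd, text=True)


def set_verbose(value: bool) -> None:
    # ruleid: use-state-for-global-settings
    global VERBOSE
    VERBOSE = value


def fatal(msg: str) -> None:
    print(msg, file=sys.stderr)
    # ruleid: no-exit-code-1-in-semgrep
    sys.exit(1)  # 1 tells CI "blocking findings", which is not what happened here


def fatal_fixed(msg: str) -> None:
    print(msg, file=sys.stderr)
    # ok: no-exit-code-1-in-semgrep
    sys.exit(2)  # what the rule's `fix:` rewrites the line above to


def exit_code_of(fn, *args) -> int:
    """Helper (assumption, not part of semgrep): return the SystemExit code
    `fn` raises, so the original and fixed variants can be compared."""
    try:
        fn(*args)
    except SystemExit as exc:
        return int(exc.code)
    return 0
```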