Questions tagged [semgrep]

Semgrep is an open-source tool for analyzing code in many languages, and a SaaS web service for monitoring the issues Semgrep finds. Use this tag for the Semgrep package, Semgrep rules, or the SaaS offering.

29 questions
7 votes, 2 answers

Why is GitLab CI SAST not excluding directories that I ask it to exclude?

I have enabled SAST scanning in GitLab CI (GitLab Community Edition) 14.5.2. The SAST job runs tools like semgrep and ESLint over the source code and scans for vulnerabilities. This works... except it's not excluding paths and files from the results…

asked by locka

5 votes, 1 answer

How do I save or export reports/findings/results from Semgrep?

When I run a scan, the findings are printed out on the CLI. How can I see or store these results? I can use piping (|) or output redirection (>), but is there a semgrep-y or formatted way of saving these findings?

3 votes, 1 answer

Using environment variable in pre-commit hook arguments

I am struggling to use an environment variable in the arguments section of a pre-commit hooks config. The following is an example snippet to show what I am trying to do: - repo: https://github.com/returntocorp/semgrep rev: "v0.1.2" hooks: - id:…

asked by Krishan Gopal

3 votes, 1 answer

Semgrep rule for a try/catch block

I recently tried to create a Semgrep rule for Java code which detects whether a proper rollback is done for a database connection used in a try/catch block. So what it needs to do is: A Connection object is created using getConnection(...) either…

asked by mat

3 votes, 1 answer

Semgrep not finding two lines of code with a 'patterns' section

I have a Semgrep rule: rules: - id: create-chat-client patterns: - pattern: var $X = GrpcChannel.ForAddress(...); - pattern: var $Y = new ChatService.ChatServiceClient($X); languages: - csharp message:

asked by Shawn Wildermuth

3 votes, 0 answers

script.sh: Syntax error: "(" unexpected script returned exit code 2

Trying to set a body parameter for a POST method in Jenkins; the build fails because of the error unexpected "(" script returned with error status 2. The following is the attached code stage in Jenkins: script{ sh ("pip install semgrep") semgrep_result =…

3 votes, 1 answer

Semgrep: Looking for wrong import

How would I go about making Semgrep check if my codebase is importing functions from the wrong place? E.g. in my Django project: from gettext import gettext but we should really do from django.utils.translation import gettext Any ideas on how to…

asked by turbzcoding

2 votes, 2 answers

How to fix "SemgrepError Error while running rules: 0 bytes read on a total of 2 expected bytes" error for SemGrep analyzer?

I am trying to integrate GitLab SAST into my pipeline and am facing the following error for the SemGrep analyzer during generation of the report. The error: [DEBU] [Semgrep] [2022-10-11T10:02:55Z] [/go/src/buildapp/analyze.go:137] METRICS: Using configs…

asked by Egor

2 votes, 2 answers

regex matching duplicates in a comma separated list

I'm trying to regex match any duplicate words (i.e. alphanumeric and can have dashes) in some YAML with a PCRE tool. I have found a consecutive, duplicate regex matcher: (?<=,|^)([^,]*)(,\1)+(?=,|$) it will…

asked by torrho

2 votes, 1 answer

How does Semgrep handle two conflicting Typed Metavariable classes?

Semgrep allows you to specify types in your patterns, but if I happen to have two different classes with the same simple type, but a different fully qualified name, how can I disambiguate between the two when writing a rule where I only want to…

asked by fortuna

2 votes, 1 answer

Semgrep: Is it possible to match a function based on its body, instead of its name?

The question is in the title. As an example, say I am interested in catching all calls of functions that use a certain global variable (foo here). I tried the following: rules: - id: dont-call-functions-using-foo message: "don't call functions…

asked by Pamplemousse

1 vote, 0 answers

Load XSLT in Java code and parse it securely

How to fix Sonar issues in the code below: import org.springframework.core.io.ClassPathResource; import org.xml.sax.InputSource; import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory; import…

asked by firstpostcommenter

1 vote, 1 answer

Enforcing dictionary access via .get(...) to prevent KeyErrors

I frequently run into KeyErrors triggered by situations like d: dict[str, int] = {"a": 1} foo = "bar" ... d[foo] # boom Our team uses mypy for type checking. If it were possible to automatically detect the use of d[foo], and disallow it in favour…

asked by sk29910

1 vote, 1 answer

Need help to fix 'ensure that user-controlled variables in file paths are validated' semgrep scan issue

I have a function to which I pass a file name. Suppose the file name is of the following format: 'abc-zyx-anony-detect-v1.zip'. It can contain special characters such as _ or -. Now when we run the semgrep scan on it, the scan shows an error as …

asked by Swarup

1 vote, 0 answers

SQL Injection with Semgrep/Spotbugs

For SAST checks in our CI pipeline we use the Semgrep and SpotBugs scanners. This scanner finds the following situation as an instance of SQL Injection. Repository Class Query q = em.createNativeQuery(FIND_PRODUCTS_BY_IDENTIFER); …