forked from semgrep/semgrep
-
Notifications
You must be signed in to change notification settings - Fork 0
/
semgrep.yml
156 lines (145 loc) · 4.43 KB
/
semgrep.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# See pfff/semgrep.yml for more information.
# Put semgrep-specific rules here. More general OCaml or Python rules should
# go in the semgrep-rules repository under ocaml/ or python/.
rules:
- id: no-print-in-semgrep
patterns:
- pattern-either:
- pattern: pr ...
- pattern-not-inside: |
if !Flag.debug
then ...
- pattern-not-inside: |
let $F ... =
...
[@@action]
message: you should not print anything on stdout as it may interfere with
the JSON output we must return to the semgrep python wrapper.
languages: [ocaml]
severity: ERROR
paths:
exclude:
- cli/*.ml
- cli-lib/*.ml
- scripts/*
- Test.ml
- Matching_report.ml
- Matching_explanation.ml
- Unit_*.ml
- Test_*.ml
- runner/*.ml
- experiments/*
- Check_*.ml
- id: use-pytest-mock
pattern: import unittest.mock
message: >-
Instead of importing unittest.mock,
use the pytest-mock plugin by requesting the `mocker` fixture.
languages: [python]
severity: ERROR
paths:
include:
- tests/
- id: use-state-for-global-settings
pattern: global $VAR
message: |
Instead of setting global variables,
keep your variables around on the semgrep.state.SemgrepState class.
You'll then be able to access this anywhere with:
from semgrep.state import get_state
$VAR = get_state().$VAR
languages: [python]
severity: ERROR
- id: not-using-our-pcre-wrappers
patterns:
- pattern-either:
- pattern: Pcre.regexp
- pattern: Pcre.pmatch
- pattern: Pcre.exec
- pattern: Pcre.exec_all
- pattern: Pcre.split
message: >-
You should use one of the equivalent functions in SPcre, which
automatically sets some flags and handles exceptions.
languages: [ocaml]
severity: ERROR
paths:
exclude:
- SPcre.ml
- id: no-list-map
pattern: List.map
message: >-
`List.map` creates O(N) stack depth, and can lead to a
stack overflow. Use `Common.map` instead.
fix: Common.map
languages: [ocaml]
severity: ERROR
paths:
include:
- semgrep-core/src/*
- id: use-concat-map
pattern-either:
- pattern: List.map ... |> List.flatten
- pattern: Common.map ... |> List.flatten
- pattern: List.map ... |> List.concat
- pattern: Common.map ... |> List.concat
- pattern: List.flatten ( List.map ... )
- pattern: List.flatten ( Common.map ... )
- pattern: List.concat ( List.map ... )
- pattern: List.concat ( Common.map ... )
message: >-
`List.concat_map` is more efficient and more readable than a `map` followed
by `concat`.
languages: [ocaml]
severity: ERROR
paths:
include:
- semgrep-core/src/*
- id: no-exit-code-1-in-semgrep
pattern: sys.exit(1)
fix: sys.exit(2)
message: >-
Exit code 1 is reserved for notifying users that blocking findings were found.
Please use a different exit code, or better yet, a SemgrepError exception.
For generic fatal errors, we use exit code 2.
languages: [python]
severity: ERROR
paths:
include:
- cli/*
- id: no-env-vars-on-top-level
patterns:
- pattern-either:
- pattern: os.getenv
- pattern: os.environ
- pattern-not-inside: "def $F(...): ..."
message: >-
If you access environment variables on the top level of a module,
it'll be near impossible to mock the value of that variable in tests.
Please make sure to only access environment variables in functions,
preferably in semgrep.env.Env
languages: [python]
severity: ERROR
paths:
include:
- cli/src/*
- id: use-git-check-output-helper
pattern-either:
- pattern: subprocess.$METHOD(["git", ...], ...)
- pattern: semgrep.util.sub_check_output(["git", ...], ...)
message: >-
We have a helper function git_check_output in meta.py that
handles printing nice error+debug messages on failure. Use
that instead of using subprocess
languages: [python]
severity: ERROR
paths:
include:
- cli/src/*
# not ready yet
# - id: no-exit-in-semgrep
# pattern: |
# exit $X
# message: do not use directly exit. raise instead UnixExit $X
# languages: [ocaml]
# severity: ERROR