Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
LGPL-2.1 License
Bot releases are visible (Hide)
Published by github-actions[bot] over 4 years ago
$CONST = "..."
...
def $FUNC(...):
return foo($CONST)
will match
GLOBAL_CONST = "SOME_CONST"
def fetch_global_const():
return foo(GLOBAL_CONST)
Published by github-actions[bot] over 4 years ago
--disable-version-check
--dryrun
flag to show result of autofixes without modifying any files}
and )
.-v
or -q
--include-dir
and --exclude-dir
functionaity into --include
and--exclude
respectivelyPublished by github-actions[bot] over 4 years ago
nosem
comments and the--disable-nosem
flag #900
--no-git-ignore
flag is used--verbose
flag is usedPublished by github-actions[bot] over 4 years ago
pattern_id
when using nested pattern operators #828
...
now works inside for loops in javascript{x: 1}
) differently from assignment ({x = 1}
)Published by github-actions[bot] over 4 years ago
import javax.crypto.$ANYTHING
--debugging-json
flag for use on semgrep.liveelse
blockselse
blocks; write two patterns to capture bothPublished by github-actions[bot] over 4 years ago
--exclude-tests
flag - prefer --exclude
or --exclude-dir
--r2c
flag - this was completely unusedPublished by github-actions[bot] over 4 years ago
semgrep --version
on ubuntu was not returning the correct versionPublished by github-actions[bot] over 4 years ago
pattern-regex
functionality - see docs for more information.$X = 1 + 2 + ...
will match
foo = 1 + 2 + 3 + 4
f"..."
will match
f"foo {1 + 1}"
but not
"foo"
Published by github-actions[bot] over 4 years ago
--exclude
, --include
, --exclude-dir
, and --include-dir
flagsgrep
's behavior.--sarif
flag to receive output formatted according to the$REQ
must be the same variable name for this to match:
- patterns:
- pattern-inside: |
$TYPE $METHOD(..., HttpServletRequest $REQ, ...) {
...
}
- pattern: $REQ.getQueryString(...);
%
token in python f-string formatPublished by github-actions[bot] over 4 years ago
Published by github-actions[bot] over 4 years ago
-j/--jobs
flag for specifying number of subprocesses to use to run checks in parallel.foo();
will now match
return foo();
var $X = {"=~/[lL]ocation/": $Y};
will now match
var x = {"Location": 1};
WARNING
, and red if ERROR
. e.g. WARNING rule:tests.equivalence-tests$x
)metadata
field in rule.yaml. Entire metadata object is attached tosemgrep --config some/hidden/.directory
_
. $USERS_2
is now_
though.semgrep
CLI, such as semgrep --version
, are now 60% faster.f"{foo:,f}"
in PythonPublished by github-actions[bot] over 4 years ago
if <... $X = True ...>:
...
will now match
if foo == bar and baz == True:
return 1
$X = ...
...
bar($X)
now matches with
QUX = "qux"
function baz() {
function foo() {
bar(QUX)
}
}
python2
is a valid supported languagefoo();
will now match
var x = foo();
"..."
was matching empty list
foo("...")
does not match
foo()
Published by brendongo over 4 years ago
var $F = "hello"
will now match any of the following expressions:
var foo = "hello";
let bar = "hello";
const baz = "hello";
Print out --dump-ast
Print out version with --version
Allow ... in arrays
[..., 1]
will now match
[3, 2, 1]
Support Metavariable match on keyword arguments in python:
foo(..., $K=$B, ...)
will now match
foo(1, 2, bar=baz, 3)
Support constant propogation in f-strings in python:
$M = "..."
...
$Q = f"...{$M}..."
will now match
foo = "bar"
baz = f"qux {foo}"
Constant propogation in javascript:
api("literal");
will now match with any of the following:
api("literal");
const LITERAL = "literal";
api(LITERAL);
const LIT = "lit";
api(LIT + "eral");
const LIT = "lit";
api(`${LIT}eral`);
Deep statement matching:
Elipsis operator (...
) will also include going deeper in scope (i.e. if-else, try-catch, loop, etc.)
foo()
...
bar()
will now match
foo()
if baz():
try:
bar()
except Exception:
pass
Unified import resolution in python:
import foo.bar.baz
will now match any of the following statements:
import foo.bar.baz
import foo.bar.baz.qux
import foo.bar.baz as flob
import foo.bar.baz.qux as flob
from foo.bar import baz
from foo.bar.baz import qux
from foo.bar import baz as flob
from foo.bar.bax import qux as flob
Support for anonymous functions in javascript:
function() {
...
}
will now match
var bar = foo(
//matches the following line
function () { console.log("baz"); }
);
Support arrow function in javascript
(a) => { ... }
will now match:
foo( (a) => { console.log("foo"); });
foo( a => console.log("foo"));
// arrows are normalized in regular Lambda, so an arrow pattern
// will match also old-style anynonous function.
foo(function (a) { console.log("foo"); });
Python implicit string concatenation
$X = "..."
will now match
# python implicitly concatenates strings
foo = "bar" "baz" "qux"
Resolve alias in attributes and decorators in python
@foo.bar.baz
def $X(...):
...
will now match
from foo.bar import baz
@baz
def qux():
print("hello")
var {foo, bar} = qux;
will now match
var {bar, baz, foo} = qux;
var $F = {
two: 2,
one: 1
};
will now match both
var foo = {
two: 2,
one: 1
};
var bar = {
one: 1,
two: 2
};
Published by ievans over 4 years ago
Main features:
pattern: dangerous1("...")
will match:
const Bar = "password"
func foo() {
dangerous1(Bar);
}
pattern: import foo.bar.a2
matches code: from foo.bar import a1, a2
pattern: bar();
matches code: print(bar())
Full changelog:
With returntocorp/pfff#44, adds support for the following:
code: from foo.bar import a1, a2
pattern: import foo.bar.a2
We use the conversion to generic_ast to normalize code: from foo.bar import a1, a2 into:
from foo.bar import a1
from foo.bar import a2
Published by ievans over 4 years ago
Breaking change: Python is no longer the default language when using -e EXPR
.
Other changes: colored output, better config search, improvements to Golang, Javascript, and Java support.
Changelog:
Published by DrewDennison over 4 years ago
Fixes for Javascript parsing issues and issues observed on 1.5% of PyPi repos. Error rate is now 0.08% on PyPi, mainly out-of-memory errors.
Published by DrewDennison over 4 years ago
TODO
Published by DrewDennison over 4 years ago
Bugfixes for Java, Python, Golang, and Javascript as well as better error output when parsing YAML file syntax.
Published by DrewDennison over 4 years ago
Default output is one line per finding. use --json
to enable old/json output
Published by DrewDennison over 4 years ago
Add --generate-config
and other bug-fixes