semgrep v0.115 releases: Fast and syntax-aware semantic code pattern search
Semgrep
Semgrep is a command-line tool for offline static analysis. Use pre-built or custom rules to enforce code and security standards in your codebase. You can try it now with our interactive live editor.
Semgrep combines the convenient and iterative style of grep with the powerful features of an Abstract Syntax Tree (AST) matcher and limited dataflow. Easily find function calls, class or method definitions, and more without having to understand ASTs or wrestle with regexes.
Motivation
Semgrep exists because:
- Insecure code is easy to write
- The future of security involves automatically guiding developers towards a “paved road” made of default-safe frameworks (i.e. React or Object-relational Mappers)
- grep isn’t expressive enough and traditional static analysis tools (SAST) are too complicated/slow for paved road automation
The AppSec, Developer, and DevOps communities deserve a static analysis tool that is fast, easy to use, code-aware, multi-lingual and open source!
Overview
Semgrep is optimized for:
- Speed: Fast enough to run on every build, commit, or file save
- Finding bugs that matter: Run your own specialized rules or choose OWASP 10 checks from the Semgrep Registry. Rules match source code at the Abstract Syntax Tree (AST) level, unlike regexes that match strings and aren’t semantically aware.
- Ease of customization: Rules look like the code you’re searching for, no static analysis Ph.D. required. They don’t require compiled code, only source, reducing iteration time.
- Ease of integration. Highly portable and many CI and git-hook integrations already exist. Output –json and pipe results into your existing systems.
- Polyglot environments: Don’t learn and maintain multiple tools for your polyglot environment (e.g. ESLint, find-sec-bugs, RuboCop, Gosec). Use the same syntax and concepts independent of language.
Language Support
Go · Java · JavaScript · JSX · JSON · Python · Ruby · TypeScript · TSX
Pattern Syntax Teaser
One of the most unique and useful things about Semgrep is how easy it is to write and iterate on queries.
The goal is to make it as easy as possible to go from an idea in your head to find the code patterns you intend to.
Example: Say you want to find all calls to a function named exec, and you don’t care about the arguments. With Semgrep, you could simply supply the pattern exec(…) and you’d match:
| Use case | Semgrep rule |
|---|---|
| Ban dangerous APIs | Prevent use of exec |
| Search routes and authentication | Extract Spring routes |
| Enforce the use secure defaults | Securely set Flask cookies |
| Tainted data flowing into sinks | ExpressJS dataflow into sandbox.run |
| Enforce project best-practices | Use assertEqual for == checks, Always check subprocess calls |
| Codify project-specific knowledge | Verify transactions before making them |
| Audit security hotspots | Finding XSS in Apache Airflow, Hardcoded credentials |
| Audit configuration files | Find S3 ARN uses |
| Migrate from deprecated APIs | DES is deprecated, Deprecated Flask APIs, Deprecated Bokeh APIs |
| Apply automatic fixes | Use listenAndServeTLS |
Changelog v0.115
Added
- Adds support for a .semgrepconfig file. Users can add metadata (such as a list of tags) to the .semgrepconfig YAML file which will automatically be assigned to the project. (app-2112)
- Modify the CLI output to separate non-blocking and blocking findings and show a list of the blocking rules that fired. (app-2306)
Changed
- generic mode: allow text input without human-readable indentation up to 500
bytes. This value is subject to change. This relaxing is intended to
facilitate testing where someone might copy-paste a long line without a
trailing newline. Semgrep users should not expect files that are not
human-readable to be processed in semgrep’s generic mode, or in any mode for
the matter. (gh-6071) - Changed behavior for renamed files on diff scans (scans in which a baseline ref is provided).
Semgrep will not show old issues to developers when they rename a file now. (gh-6157)
Fixed
- Fixed nondeterministic failure of test_api test due to invalid settings file by
configuring home directory to temporary directory. (app-2166) - Change default behavior of Jenkins CI configurations. If the SEMGREP_REPO_NAME environment variable is set, use it. Otherwise, default autodetection. (app-2331)
- Dockerfile mode: Fix failure to match where image name and image alias should
be the same. The problem was due to some names and identifiers being
fragmented due to parsing rules and not pieced back together. (gh-5229) - Scala: add support for ellipsis in match body (e.g.,
$X match { ... }) (gh-6131) - Added a fix for a bug involving parsing of TS imports, where they were not allowed to appear as patterns to a rule. (pa-1910)
Install & Use
Copyright (C) 2020 returntocorp
