paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-05 06:23:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

semgrep: Use pattern-where-python operator to filter patterns.

Browse Source 
See https://github.com/returntocorp/semgrep/blob/experimental/docs/config/advanced.md#pattern-where-python for usage.

This helps us minimize duplication of similar patterns.
This commit is contained in:
Aman Agrawal
2020-05-18 21:31:59 +05:30
committed by Tim Abbott
parent 9442835386
commit 0504c61bfd
2 changed files with 17 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
tools/lint
View File

@@ -89,7 +89,16 @@ def run() -> None:
description="Checks commit messages for common formatting errors." description="Checks commit messages for common formatting errors."
"(config: .gitlint)") "(config: .gitlint)")
semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error"] semgrep_command = ["semgrep", "--config=./tools/semgrep.yml", "--error",
# This option is dangerous in the context of running
# semgrep-as-a-service on untrusted user code, since it
# causes Python code in the rules configuration to be
# executed. From our standpoint, it is required for
# `pattern-where-python` rules, and there's no real
# security impact, since if you can put arbitrary code
# into zulip.git, you can run arbitrary code in a Zulip
# development environment anyway.
"--dangerously-allow-arbitrary-code-execution-from-rules"]
linter_config.external_linter('semgrep-py', [*semgrep_command, "--lang=python"], ['py'], linter_config.external_linter('semgrep-py', [*semgrep_command, "--lang=python"], ['py'],
fix_arg='--autofix', fix_arg='--autofix',
description="Syntactic Grep (semgrep) Code Search Tool " description="Syntactic Grep (semgrep) Code Search Tool "

28
tools/semgrep.yml
View File

@@ -52,27 +52,13 @@ rules:
- id: logging-format - id: logging-format
languages: [python] languages: [python]
pattern-either: patterns:
- pattern: logging.debug(... % ...) - pattern-either:
- pattern: logging.debug(... .format(...)) - pattern: logging.$Y(... % ...)
- pattern: logger.debug(... % ...) - pattern: logging.$Y(... .format(...))
- pattern: logger.debug(... .format(...)) - pattern: logger.$Y(... % ...)
- pattern: logging.info(... % ...) - pattern: logger.$Y(... .format(...))
- pattern: logging.info(... .format(...)) - pattern-where-python: "vars['$Y'] in ['debug', 'info', 'warning', 'error', 'critical']"
- pattern: logger.info(... % ...)
- pattern: logger.info(... .format(...))
- pattern: logging.warning(... % ...)
- pattern: logging.warning(... .format(...))
- pattern: logger.warning(... % ...)
- pattern: logger.warning(... .format(...))
- pattern: logging.error(... % ...)
- pattern: logging.error(... .format(...))
- pattern: logger.error(... % ...)
- pattern: logger.error(... .format(...))
- pattern: logging.critical(... % ...)
- pattern: logging.critical(... .format(...))
- pattern: logger.critical(... % ...)
- pattern: logger.critical(... .format(...))
severity: ERROR severity: ERROR
message: "Pass format arguments to logging (https://docs.python.org/3/howto/logging.html#optimization)" message: "Pass format arguments to logging (https://docs.python.org/3/howto/logging.html#optimization)"