forked from semgrep/semgrep
semgrep.yml
99 lines (94 loc) · 2.78 KB
# See pfff/semgrep.yml for more information.
# Put semgrep-specific rules here. More general OCaml or Python rules should
# go in the semgrep-rules repository under ocaml/ or python/.
rules:
  - id: no-print-in-semgrep
    patterns:
      - pattern-either:
          - pattern: pr ...
      - pattern-not-inside: |
          if !Flag.debug
          then ...
      - pattern-not-inside: |
          let $F ... =
            ...
            [@@action]
    message: you should not print anything on stdout as it may interfere with
      the JSON output we must return to the semgrep python wrapper.
    languages: [ocaml]
    severity: ERROR
    paths:
      exclude:
        - cli/*.ml
        - scripts/*
        - Test.ml
        - Matching_report.ml
        - Unit_*.ml
        - Test_*.ml
        - runner/*.ml
        - experiments/*
        - Check_*.ml
  - id: not-using-our-pcre-wrappers
    patterns:
      - pattern-either:
          - pattern: Pcre.regexp
          - pattern: Pcre.pmatch
          - pattern: Pcre.exec
          - pattern: Pcre.exec_all
          - pattern: Pcre.split
    message: >-
      You should use one of the equivalent functions in SPcre, which
      automatically sets some flags and handles exceptions.
    languages: [ocaml]
    severity: ERROR
    paths:
      exclude:
        - SPcre.ml
  - id: no-list-map
    pattern: List.map
    message: >-
      `List.map` creates O(N) stack depth, and can lead to a
      stack overflow. Use `Common.map` instead.
    fix: Common.map
    languages: [ocaml]
    severity: ERROR
    paths:
      include:
        - semgrep-core/src/*
  - id: use-concat-map
    pattern-either:
      - pattern: List.map ... |> List.flatten
      - pattern: Common.map ... |> List.flatten
      - pattern: List.map ... |> List.concat
      - pattern: Common.map ... |> List.concat
      - pattern: List.flatten ( List.map ... )
      - pattern: List.flatten ( Common.map ... )
      - pattern: List.concat ( List.map ... )
      - pattern: List.concat ( Common.map ... )
    message: >-
      `List.concat_map` is more efficient and more readable than a `map` followed
      by `concat`.
    languages: [ocaml]
    severity: ERROR
    paths:
      include:
        - semgrep-core/src/*
  - id: no-exit-code-1-in-semgrep
    pattern: sys.exit(1)
    fix: sys.exit(2)
    message: >-
      Exit code 1 is reserved for notifying users that blocking findings were found.
      Please use a different exit code, or better yet, a SemgrepError exception.
      For generic fatal errors, we use exit code 2.
    languages: [python]
    severity: ERROR
    paths:
      include:
        - semgrep/semgrep/*
# not ready yet
#  - id: no-exit-in-semgrep
#    pattern: |
#      exit $X
#    message: do not use directly exit. raise instead UnixExit $X
#    languages: [ocaml]
#    severity: ERROR
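Rules like the ones above gate merges once they run in CI, so a malformed rule (two competing pattern keys, an unknown severity, a `paths` glob given as a string) should fail fast rather than silently match nothing. The following is an added example, not code from the semgrep project: a minimal structural check over the parsed rule file. The `SAMPLE` dict is constructed inline to mirror two rules from the file plus one deliberately broken rule; in practice it would come from `yaml.safe_load`.

```python
VALID_SEVERITIES = {"INFO", "WARNING", "ERROR"}
PATTERN_KEYS = {"pattern", "patterns", "pattern-either", "pattern-regex"}


def validate_rules(doc):
    """Return a list of human-readable problems; an empty list means the file passes."""
    problems = []
    rules = doc.get("rules")
    if not isinstance(rules, list):
        return ["top-level 'rules' must be a list"]
    seen_ids = set()
    for i, rule in enumerate(rules):
        rid = rule.get("id", f"<rule #{i}>")
        if "id" not in rule:
            problems.append(f"{rid}: missing 'id'")
        elif rid in seen_ids:
            problems.append(f"{rid}: duplicate id")
        seen_ids.add(rid)
        for key in ("message", "languages", "severity"):
            if key not in rule:
                problems.append(f"{rid}: missing '{key}'")
        if rule.get("severity") not in VALID_SEVERITIES:
            problems.append(f"{rid}: severity must be one of {sorted(VALID_SEVERITIES)}")
        # Exactly one top-level pattern operator is allowed per rule.
        present = PATTERN_KEYS & set(rule)
        if len(present) != 1:
            problems.append(f"{rid}: need exactly one of {sorted(PATTERN_KEYS)}, found {sorted(present)}")
        # paths.include / paths.exclude are lists of globs, never bare strings.
        paths = rule.get("paths", {})
        for scope in ("include", "exclude"):
            if scope in paths and not isinstance(paths[scope], list):
                problems.append(f"{rid}: paths.{scope} must be a list of globs")
    return problems


# Constructed sample: two rules mirroring the file above, then a broken one.
SAMPLE = {
    "rules": [
        {"id": "no-list-map", "pattern": "List.map", "fix": "Common.map",
         "message": "`List.map` creates O(N) stack depth ...",
         "languages": ["ocaml"], "severity": "ERROR",
         "paths": {"include": ["semgrep-core/src/*"]}},
        {"id": "no-exit-code-1-in-semgrep", "pattern": "sys.exit(1)",
         "fix": "sys.exit(2)", "message": "Exit code 1 is reserved ...",
         "languages": ["python"], "severity": "ERROR",
         "paths": {"include": ["semgrep/semgrep/*"]}},
        # duplicate id, two pattern keys, unknown severity, string exclude
        {"id": "no-list-map", "pattern": "x", "pattern-either": [],
         "message": "m", "languages": ["ocaml"], "severity": "HIGH",
         "paths": {"exclude": "Test.ml"}},
    ]
}
```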