Fix #673, add version check and recommend upgrading when applicable (#…

…1107) * Fix #673, add version check and recommend upgrading when applicable * Appease semgrep * Use semver compare instead of string compare * Add README Upgrading section
semgrep · Jun 23, 2020 · ab29820 · ab29820
1 parent ab32bd8
commit ab29820
Show file tree

Hide file tree

Showing 6 changed files with 101 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 - Support for a new configuration language: JSON. You can now write
   JSON semgrep patterns with -lang json
 - Support for '...' inside set and dictionaries
+- Version check to recommend updating when out-of-date, disable with `--disable-version-check`
 
 ### Fixed
 - Fix the range of function calls and statement blocks, which fixes the

diff --git a/README.md b/README.md
@@ -313,6 +313,28 @@ Currently, the easiest way to integrate Semgrep into CI is via a GitHub action w
 
 Semgrep can also output results in the standardized Static Analysis Results Interchange Format ([SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html)) with the `--sarif` flag, if you use tools that accept this format.
 
+## Upgrading
+
+How you upgrade Semgrep will depend on how you installed it.
+
+From Homebrew:
+
+```bash
+$ brew upgrade semgrep
+```
+
+From PyPI:
+
+```bash
+$ python -m pip install --upgrade semgrep
+```
+
+From Docker:
+
+```bash
+$ docker pull returntocorp/semgrep:latest
+```
+
 ## Resources
 
 Learn more:

diff --git a/mypy.ini b/mypy.ini
@@ -48,6 +48,10 @@ ignore_missing_imports = True
 [mypy-tqdm.*]
 ignore_missing_imports = True
 
+# packaging
+[mypy-packaging.*]
+ignore_missing_imports = True
+
 [mypy-semgrep.rule_match]
 disallow_any_decorated = False
 warn_return_any = False

diff --git a/semgrep/Pipfile.lock b/semgrep/Pipfile.lock
diff --git a/semgrep/semgrep/cli.py b/semgrep/semgrep/cli.py
@@ -3,6 +3,8 @@
 import multiprocessing
 import os
 
+from packaging import version
+
 import semgrep.config_resolver
 import semgrep.semgrep_main
 import semgrep.test
@@ -15,6 +17,7 @@
 from semgrep.error import SemgrepError
 from semgrep.output import managed_output
 from semgrep.output import OutputSettings
+from semgrep.util import debug_print
 from semgrep.util import print_error
 from semgrep.util import print_msg
 
@@ -244,6 +247,11 @@ def cli() -> None:
         action="store_true",
         help="Always include ANSI color in the output, even if not writing to a TTY",
     )
+    parser.add_argument(
+        "--disable-version-check",
+        action="store_true",
+        help="Disable checking for latest version.",
+    )
 
     ### Parse and validate
     args = parser.parse_args()
@@ -282,6 +290,38 @@ def cli() -> None:
         error_on_findings=args.error,
     )
 
+    if not args.disable_version_check:
+        quick_timeout = 2  # Don't block user's too long
+        endpoint = os.environ.get(
+            "VERSION_CHECK_URL", "https://semgrep.live/api/check-version"
+        )
+        try:
+            import requests
+
+            resp = requests.get(
+                endpoint,
+                headers={"User-Agent": f"Semgrep/{__VERSION__}"},
+                timeout=quick_timeout,
+            )
+        except Exception as e:
+            debug_print(f"Could not connect to version check URL: {e}")
+        else:
+            if resp.status_code != requests.codes.OK:
+                debug_print(
+                    f"Received HTTP error code from version check URL: {resp.status_code}"
+                )
+            try:
+                resp_json = resp.json()
+            except ValueError:
+                debug_print(f"Could not decode JSON object from version check URL.")
+            else:
+                latest_version = version.Version(resp_json["latest"])
+                installed_version = version.Version(__VERSION__)
+                if latest_version > installed_version:
+                    print_msg(
+                        "A new version of Semgrep is available. Please see https://github.com/returntocorp/semgrep#upgrading for more information."
+                    )
+
     if args.test:
         # the test code (which isn't a "test" per se but is actually machinery to evaluate semgrep performance)
         # uses managed_output internally

diff --git a/semgrep/setup.py b/semgrep/setup.py
@@ -130,6 +130,7 @@ def run(self):
         "requests>=2.22.0",
         "attrs>=19.3.0",
         "tqdm>=4.46.1",
+        "packaging>=20.4",
     ],
     entry_points={"console_scripts": ["semgrep=semgrep.__main__:main"]},
     packages=setuptools.find_packages(),