Detect the lack of a pattern in the target project #7363
Comments
interesting idea |
Do you have some updates about this proposal? |
cc @IagoAbal |
I would say it's not that hard to write a Semgrep rule to check for the absence of something. In some cases it may be trickier than in others. But before we jump into something like |
Hi @IagoAbal, thank you for the answer.
but it is not possible to check:
Please consider this example:
Suppose you implement this rule now. In the case where the protection is present in only one file you will always obtain N-1 false positives, because each rule runs separately in each single file without grouping results. Another way to see this: Thank you! |
I agree, this should be handled by "sql mode" or something that allows combining the results of multiple rules in arbitrary ways. |
cc @spencerdrak |
I'm not yet convinced that the best way to solve this is via a SQL post processing step. That's definitely potentially very powerful! But my concern is that, if 80% of the use cases for this step are "find the absence of a pattern", while 20% are very disparate cases, we could end up with something more complex than necessary for the 80% case, while not providing enough for the 20% cases. That's just a hypothetical. My point is, I want to understand better what the post-processing use cases are. I'm also not sure that all the negative pattern cases are nicely solvable with post-processing. For example, it seems like a common need in IaC is to look for, say, "all containers without resources specified". We can do this now using existing Semgrep, but given how common it is in IaC, it might be nice to provide some syntactic sugar for the use case. Very happy to be having this conversation! We've had this friction for a long time. |
Hi @emjin, I agree with you when you say "something more complex than necessary for the 80% case". As a Semgrep user I would be very happy to have a simple negative mode that does not introduce new syntax and that performs the 3 steps I describe in the original issue:
Fast, easy and useful! 🥇 |
I don't want us to go down a SQL route, but I could see value with some conditions:
Specific files: mark as a finding.
Based on more than one condition: mark as a finding.
I have seen cases where we may want to look for the existence of one thing, and based on that report another. E.g. find the use of Express.js but the application is missing a specific middleware in the app.use. |
Let's change "SQL" to "something more general". What I wouldn't like is dozens of special modes that basically just handle specific post-processing cases of Semgrep results. I would rather have a language of "post-processing operators" that can be composed, same way as we have "matching operators". |
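The post-processing step discussed above, as an added example that is not part of the issue or of Semgrep itself: it groups the `results` of Semgrep's `--json` output by `check_id` and `path` (the constructed sample assumes that shape and uses hypothetical rule ids), then contrasts the per-file check, which yields the N-1 false positives described earlier when the protection lives in a single file, with a project-level check for the "uses Express.js but the middleware is missing" case.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Semgrep --json output (assumption:
# each entry in "results" carries at least "check_id" and "path").
# Three files use Express; the protective middleware is registered once.
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {"check_id": "uses-express", "path": "src/app.js"},
        {"check_id": "uses-express", "path": "src/routes.js"},
        {"check_id": "uses-express", "path": "src/admin.js"},
        {"check_id": "has-security-middleware", "path": "src/app.js"},
    ],
    "errors": [],
})


def files_by_rule(semgrep_json: str) -> dict:
    """Group matched file paths by rule id (check_id) from --json output."""
    data = json.loads(semgrep_json)
    grouped = defaultdict(set)
    for result in data.get("results", []):
        grouped[result["check_id"]].add(result["path"])
    return grouped


def absent_per_file(grouped: dict, evidence_rule: str, protection_rule: str) -> list:
    """Naive per-file check: files matching the evidence rule but not the
    protection rule. With N files and the protection present in only one
    of them, this reports N-1 false positives."""
    return sorted(grouped[evidence_rule] - grouped[protection_rule])


def absent_per_project(grouped: dict, evidence_rule: str, protection_rule: str) -> list:
    """Project-level check: report the evidence files only when the
    protection rule fired nowhere in the whole scan."""
    if grouped[evidence_rule] and not grouped[protection_rule]:
        return sorted(grouped[evidence_rule])
    return []


if __name__ == "__main__":
    grouped = files_by_rule(SAMPLE_OUTPUT)
    print("per-file:", absent_per_file(grouped, "uses-express", "has-security-middleware"))
    print("per-project:", absent_per_project(grouped, "uses-express", "has-security-middleware"))
```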
Hi guys!
In my opinion the main thing your fantastic tool lacks is that it is not possible to write a rule to say:
To implement negative matching can be tricky, but I'm asking myself: why not implement it programmatically through the CLI?
For example:
where "xc" does the following:
It could be so useful in all those situations where someone has to check the lack of something. Think about security engineers: it is fundamental to detect the lack of a specific protection or flag in the source code.
Of course, the best way to implement this feature is to define a specific mode (mode: negative), but maybe this solution could be more challenging to develop. I understand that it is possible to work around the problem by using a wrapper of Semgrep, but it sounds like a short term solution.
Thank you so much for your great work!