Golang semgrep rule not matching every method invocation inside method body

[shivasurya]

Describe the bug
Semgrep rule isn't matching all function invocation calls inside function body. Example: Semgrep playground link. Is there any alternative way to match all possible auth.Verify method invocation within golang function

Expected behavior
Would it be possible to match every auth.Verify instance within the method body?

What is the priority of the bug to you?

• P0: blocking your adoption of Semgrep or workflow
• P1: important to fix or quite annoying
• P2: regular bug that should get fixed

Environment
Semgrep playground / Ubuntu 22.04

Use case
What will fixing this bug enable for you?

Reduce some false positives while detecting auth functions in method body.

[ievans]

hi @shivasurya , this is actually expected behavior as $X.Verify() is a statement when written in the body of a function like that, and you are looking for it in an expression context. If you only wanted to match what you have I'd write two separate patterns, e.g.: https://semgrep.dev/playground/s/5rvrl

    patterns:
      - pattern: $X.Verify()
      - pattern-inside: |
          func $RESOLVER() { 
              ...
          }

Or if you just want inside the if blocks, you could use the deep expression operator: https://semgrep.dev/docs/writing-rules/pattern-syntax/#deep-expression-operator

func $RESOLVER() {
  ...
  if <... $X.Verify() ...> {
    ...
  }
  ...
}

I'll close this issue but would welcome ideas on how we can make this behavior more intuitive!

[shivasurya]

Thanks @ievans for the quick feedback. I'm not sure if this will cover all cases in the code within function block. However, I'll try to workaround with this.