Elixir mix lockfiles fail to parse certain git definitions #10170
Labels: bug (Something isn't working), lang:elixir, parsing (Requires a fix in a parser, typically a tree-sitter or menhir grammar), priority:medium
Describe the bug
semgrep's semdep elixir/mix parser has a bug where `:git` definitions fail when they do not use the `:tag` checkout option. See: https://hexdocs.pm/mix/1.14.5/Mix.Tasks.Deps.html#module-git-options-git

This causes a `None` in the `parsed_lockfile` list in `mix.py` here:

semgrep/cli/src/semdep/parsers/mix.py, line 210 in 8bbbdfe

and causes an unpacking error in the following for loop on

semgrep/cli/src/semdep/parsers/mix.py, line 192 in 8bbbdfe

I believe that the problem/solution is in the mix parser definition here:

semgrep/cli/src/semdep/parsers/mix.py, line 106 in 8bbbdfe

`ref` and `branch`
To Reproduce
scan a mix.lock file with a definition like:
"mylib": {:git, "https://github.com/my_org/mylib.git", "1962a9d9a06fe559814724101e05e0a14e55beeb", [ref: "1962a9d9a06fe559814724101e05e0a14e55beeb"]},
Expected behavior
parse the lockfile completely and try to catch errors like this for mis-parsed files as well
Screenshots
N/A
What is the priority of the bug to you?
P1: important to fix or quite annoying
Environment
This is in all builds
Use case
I can parse elixir dependencies
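An added example, not semgrep's own parser: a small mix.lock git-entry parser that accepts all three checkout options Mix documents (`tag`, `ref`, `branch`) as well as an empty option list, and reports entries it cannot parse instead of silently producing a `None`. The lockfile text is constructed (the `mylib` line is the one from the report) and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Matches one :git entry of a mix.lock: "name": {:git, "url", "commit", [options]}.
# The options list may be [tag: ...], [ref: ...], [branch: ...] or empty.
GIT_DEP_RE = re.compile(
    r'"(?P<name>[^"]+)":\s*\{:git,\s*"(?P<url>[^"]+)",\s*'
    r'"(?P<commit>[^"]*)",\s*\[(?P<opts>[^\]]*)\]\}'
)
# Any of the three checkout options documented for Mix git deps.
OPT_RE = re.compile(r'\b(tag|ref|branch):\s*"([^"]*)"')

# Constructed sample lockfile (hypothetical projects); "mylib" is the line from the issue.
SAMPLE_LOCK = """%{
  "mylib": {:git, "https://github.com/my_org/mylib.git", "1962a9d9a06fe559814724101e05e0a14e55beeb", [ref: "1962a9d9a06fe559814724101e05e0a14e55beeb"]},
  "tagged": {:git, "https://example.invalid/org/tagged.git", "0123456789abcdef0123456789abcdef01234567", [tag: "v1.2.0"]},
  "branched": {:git, "https://example.invalid/org/branched.git", "89abcdef0123456789abcdef0123456789abcdef", [branch: "main"]},
  "bare": {:git, "https://example.invalid/org/bare.git", "fedcba9876543210fedcba9876543210fedcba98", []},
  "weird": {:git, "https://example.invalid/org/weird.git", "abc", [ref: "abc", env: [a: 1]]},
  "jason": {:hex, :jason, "1.4.0", "0000", [:mix], [], "hexpm", "1111"},
}
"""


def parse_git_deps(lock_text: str) -> List[Dict[str, Optional[str]]]:
    """Return every :git entry with its resolved commit and the checkout option it uses (or None)."""
    deps = []
    for m in GIT_DEP_RE.finditer(lock_text):
        opts = dict(OPT_RE.findall(m.group("opts")))
        checkout = next((k for k in ("tag", "ref", "branch") if k in opts), None)
        deps.append({
            "name": m.group("name"),
            "url": m.group("url"),
            "commit": m.group("commit"),
            "checkout": checkout,
            "checkout_value": opts[checkout] if checkout else None,
        })
    return deps


def unparsed_git_entries(lock_text: str) -> List[str]:
    """Names of :git entries the grammar above did not accept, so a scanner can
    report them instead of dropping them (the silent None the issue describes)."""
    parsed = {d["name"] for d in parse_git_deps(lock_text)}
    return [n for n in re.findall(r'"([^"]+)":\s*\{:git,', lock_text) if n not in parsed]
```

The `:hex` entry is ignored by design; the `weird` entry (nested keyword list in the options) is surfaced by `unparsed_git_entries` rather than crashing a later unpacking loop.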