July Update #295

Merged
merged 2 commits into from
Jul 31, 2023
3,936 changes: 2,523 additions & 1,413 deletions assets/semgrep_rules/generated/nonfree/audit.yaml


197 changes: 4 additions & 193 deletions assets/semgrep_rules/generated/nonfree/others.yaml
@@ -49,13 +49,15 @@ rules:
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
references:
- https://chromestatus.com/feature/6140064063029248
vulnerability_class:
- Improper Validation
source: https://semgrep.dev/r/html.security.missing-noreferrer.missing-noreferrer
shortlink: https://sg.run/Gekn
semgrep.dev:
rule:
rule_id: 6JUjBL
version_id: 6xTrvK
url: https://semgrep.dev/playground/r/6xTrvK/html.security.missing-noreferrer.missing-noreferrer
version_id: yeTXA4
url: https://semgrep.dev/playground/r/yeTXA4/html.security.missing-noreferrer.missing-noreferrer
origin: community
patterns:
- pattern: a()
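Review bot: the only functional fields this hunk touches are `version_id` and `url`; the new `vulnerability_class: Improper Validation` entry is metadata and changes nothing about what the `html.security.missing-noreferrer` rule matches, so the PR description should say whether the upstream version bump was metadata-only or also changed the pattern (the rendered view shows only the first `- pattern:` line). Since the `license` line is what places this rule under `generated/nonfree/`, a one-line note that the generator was run against the current semgrep registry would make the regeneration reproducible for the next reviewer.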
@@ -810,174 +812,6 @@ rules:
languages:
- hcl
severity: INFO
- id: trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
patterns:
- pattern: |
$C = make(map[$T1] $T2, ...)
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$C[$X] = $V
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$C[$X]++
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$C[$X]--
...
for $K := range $C { ... }
- pattern-not: |
$C = make(map[$T1] $T2, ...)
...
$CODEC.Unmarshal($C)
...
for $K := range $C { ... }
message: 'Iteration over a possibly empty map `$C`. This is likely a bug or redundant
code.

'
languages:
- go
severity: ERROR
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
shortlink: https://sg.run/WOeg
semgrep.dev:
rule:
rule_id: 7KUp1e
version_id: GxTZ6g
url: https://semgrep.dev/playground/r/GxTZ6g/trailofbits.go.iterate-over-empty-map.iterate-over-empty-collection
origin: community
- id: trailofbits.go.nondeterministic-select.nondeterministic-select
patterns:
- pattern: |
$TICKER := time.NewTicker(...)
...
for {
...
select {
case <- $DONECHAN: return
case <- $TICKER.C: ...
}
}
- pattern-not: |
$TICKER := time.NewTicker(...)
...
for {
select {
case <-$DONECHAN: return
default:
}
...
select {
case <- $DONECHAN: return
case <- $TICKER.C: ...
}
}
message: |
Logic executed as a result of ticker `$TICKER` may execute more times than desired.
When both `$TICKER` and `$DONECHAN` are written to at the same time, the scheduler randomly picks a
case to execute. As a result, the `$TICKER.C` may excute one more time than expected.
severity: WARNING
languages:
- go
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.nondeterministic-select.nondeterministic-select
shortlink: https://sg.run/K8dX
semgrep.dev:
rule:
rule_id: 8GUxqz
version_id: A8TG5P
url: https://semgrep.dev/playground/r/A8TG5P/trailofbits.go.nondeterministic-select.nondeterministic-select
origin: community
- id: trailofbits.go.questionable-assignment.questionable-assignment
patterns:
- pattern-either:
- pattern: "..., $X . $Y, ..., err = ..."
- pattern: "..., $X . $Y, ..., err := ..."
message: Should `$X` be modified when an error could be returned?
languages:
- go
severity: WARNING
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.questionable-assignment.questionable-assignment
shortlink: https://sg.run/qq6y
semgrep.dev:
rule:
rule_id: gxUYAJ
version_id: BjT7rO
url: https://semgrep.dev/playground/r/BjT7rO/trailofbits.go.questionable-assignment.questionable-assignment
origin: community
- id: trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
patterns:
- pattern-either:
- pattern: |
...
go func(...) {
...
}(...)
time.Sleep(...)
...
- pattern: |
...
go $FOO(...)
time.Sleep(...)
...
- pattern-inside: func $FUNC(...){ ... }
message: Using `time.Sleep` for synchronizations is generally considered bad practice.
languages:
- go
severity: WARNING
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
shortlink: https://sg.run/YXK4
semgrep.dev:
rule:
rule_id: 3qUEpL
version_id: K3TYje
url: https://semgrep.dev/playground/r/K3TYje/trailofbits.go.sleep-used-for-synchronizations.sleep-used-for-synchronizations
origin: community
- id: trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
patterns:
- pattern-either:
- patterns:
- pattern: "$FOO, $A := <... $X.($TYPE) ...>\n"
- metavariable-regex:
metavariable: "$A"
regex: "^_$"
- patterns:
- pattern: "$FOO := <... $X.($TYPE) ...>\n"
- metavariable-regex:
metavariable: "$FOO"
regex: "^[^,]*$"
message: 'Unchecked type assertion.

'
severity: ERROR
languages:
- go
metadata:
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
shortlink: https://sg.run/054W
semgrep.dev:
rule:
rule_id: ZqUgpe
version_id: zyT183
url: https://semgrep.dev/playground/r/zyT183/trailofbits.go.unchecked-type-assertion.unchecked-type-assertion
origin: community
- id: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules
message: Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid
mixing these libraries for efficiency and proper ONNX loading
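Review bot: this hunk removes five `trailofbits.go.*` rules outright (iterate-over-empty-map, nondeterministic-select, questionable-assignment, sleep-used-for-synchronizations, unchecked-type-assertion) with no replacement visible in `others.yaml`; if they were regenerated into `audit.yaml` (whose diff is not rendered on this page) or dropped because the upstream registry retired them, the PR description should say which, because otherwise the change silently lowers coverage for unchecked Go type assertions and sleep-based synchronization, both of which are ERROR/WARNING findings today. Note also that the `nondeterministic-select` message being deleted carried a typo (`excute`); if the rule is only moving files, it is worth checking that the regenerated copy matches the upstream text.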
@@ -1035,29 +869,6 @@ rules:
url: https://semgrep.dev/playground/r/nWTbb8/trailofbits.python.pytorch-tensor.pytorch-tensor
origin: community
pattern: torch.Tensor(...)
- id: trailofbits.python.torch-tensor.torch-tensor
message: Avoid using `torch.Tensor()` to directly create a tensor for efficiency
and proper parsing
languages:
- python
severity: WARNING
metadata:
category: performance
subcategory:
- audit
confidence: HIGH
references:
- https://pytorch.org/docs/stable/tensors.html
license: CC-BY-NC-SA-4.0
source: https://semgrep.dev/r/trailofbits.python.torch-tensor.torch-tensor
shortlink: https://sg.run/x4zL
semgrep.dev:
rule:
rule_id: ReUqz0
version_id: 7ZTq5z
url: https://semgrep.dev/playground/r/7ZTq5z/trailofbits.python.torch-tensor.torch-tensor
origin: community
pattern: torch.Tensor(...)
- id: typescript.react.best-practice.define-styled-components-on-module-level.define-styled-components-on-module-level
patterns:
- pattern-inside: |
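Review bot: the removed `trailofbits.python.torch-tensor.torch-tensor` rule has exactly the same `pattern: torch.Tensor(...)`, languages, severity and references as the `trailofbits.python.pytorch-tensor.pytorch-tensor` rule kept immediately above it, so this reads as deduplication rather than a coverage change; that is fine, but any downstream suppression or filtering keyed on the `torch-tensor` rule id will stop matching, so the changelog should list the retired id.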
@@ -18,13 +18,15 @@ rules:
cwe:
- 'CWE-611: Improper Restriction of XML External Entity Reference'
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- XML Injection
source: https://semgrep.dev/r/contrib.dlint.dlint-equivalent.insecure-xml-use
shortlink: https://sg.run/5QOW
semgrep.dev:
rule:
rule_id: zdUkvA
version_id: 0bToER
url: https://semgrep.dev/playground/r/0bToER/contrib.dlint.dlint-equivalent.insecure-xml-use
version_id: BjT9E3
url: https://semgrep.dev/playground/r/BjT9E3/contrib.dlint.dlint-equivalent.insecure-xml-use
origin: community
pattern-either:
- patterns:
@@ -62,13 +64,15 @@ rules:
likelihood: MEDIUM
impact: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
source: https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
shortlink: https://sg.run/oxEN
semgrep.dev:
rule:
rule_id: NbUk4X
version_id: qkT7o6
url: https://semgrep.dev/playground/r/qkT7o6/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
version_id: l4T58p
url: https://semgrep.dev/playground/r/l4T58p/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion
origin: community
languages:
- go
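Review bot: the new `vulnerability_class: Cryptographic Issues` entry sits next to the upstream `impact: LOW` rating, which this hunk leaves unchanged; a `tls.Config` without `MinVersion` will negotiate TLS 1.0/1.1 on Go releases that still permit them, so consumers who rank findings by `impact` may want to be told in the PR notes that the rating is inherited from semgrep.dev and was not reassessed here.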
@@ -201,13 +205,15 @@ rules:
references:
- https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authentication
source: https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
shortlink: https://sg.run/Eb5w
semgrep.dev:
rule:
rule_id: QrU96W
version_id: BjTPr2
url: https://semgrep.dev/playground/r/BjTPr2/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
version_id: gETqOo
url: https://semgrep.dev/playground/r/gETqOo/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash
origin: community
- id: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-blowfish
pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...)