Comments (5)
My preferred UI for this in CI would be:
html-to-image-injection [javascript] [wkhtmltoimage] [security] [audit]
> server/semgrep_app/controllers/registry.py:79
╷
79│ r = wkhtmltoimage(html)
╵
= There's an HTTP request made with requests, but the raise_for_status()
utility method isn't used. This can result in request errors going
unnoticed and your code behaving in unexpected ways, such as if your
authorization API returns a 500 error while you're only checking for a
401.
And when there's lack of space
[javascript] [wkhtmltoimage] [security] [audit]
dlukeomalley:html-to-image-injection
> server/semgrep_app/controllers/registry.py:79
╷
79│ r = wkhtmltoimage(html)
╵
= There's an HTTP request made with requests, but the raise_for_status()
utility method isn't used. This can result in request errors going
unnoticed and your code behaving in unexpected ways, such as if your
authorization API returns a 500 error while you're only checking for a
401.
from semgrep-action.
@nbrahms how will we empower the user to change the config or the rule from the CI output with just the short check ID? What if rule IDs alias?
from semgrep-action.
@underyx and I have discussed this quite a bit. Our thought was that rule-ids should be unique within a rule pack or be prefixed with the rule pack they've been imported from: dlukeomalley.python:no-exec
. Not sure if this is the spirit of this ticket, but in general I'd like to move towards shorter more friendly rule-ids and rely on our output formatting to highlight their category, language, etc.
From a web UI perspective if we move towards this naming scheme we eliminate the need for ...
on rule IDs.
@underyx I think we have a ticket talking about rule ids more broadly? Can't seem to find it.
from semgrep-action.
@ievans I think the line of thinking that @DrewDennison and I had was to just leave this as an edge case for now. E.g. you just get a warning that you're overwriting a rule, for instance.
from semgrep-action.
Capturing some of the Slack discussion about these feature and adding notes:
I agree with @ievans point to avoid things like
B001
and want to avoid the equally hairy (but perhaps grokkable)javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection
.From a UI perspective in CI, CLI, web we do a lot to account for and handle long rule IDs - they are the norm rather than the exception. To clean up output and make rules more discussable and grokkable the suggestion is to use short names.
For example, nobody in discussion says
javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection
, they refer to it ashtml-to-image-injection
.Instead of adopting a global naming scheme with many constraints, I’d prefer to give semgrep rule authors free rein and associate a rule back to them (Pride is the sin here). So
dlukeomalley.bento:no-eval
. You know who uniquely controls the pack, what the pack is, and what the rule is.I don’t think this is needs to be a now thing necessarily, but earlier may be better to get this right and make it more like Bento with human readable short strings than Bandit or what we currently have.
from semgrep-action.
Related Issues (20)
- Failed with exit code 7 when running semgrep_app_rules.yaml with Type Script. HOT 5
- Unexpected input(s) 'publishDeployment', valid inputs are ['entryPoint', 'args', 'config', 'publishToken', 'generateSarif', 'auditOn'] HOT 1
- Semgrep Action failed with exit code 2 when no issues are found HOT 7
- Relative paths not working HOT 3
- UnknownLanguageError - This is an internal error, please file an issue HOT 1
- Output as json file? HOT 3
- Cannot run `semgrep ci` while logged in and with explicit config. Use semgrep.dev to configure rules to run. HOT 4
- semgrep --debug options makes the scan --strict and fail the whole scan HOT 7
- Python pip dependency conflict with semgrep version 0.86.0 and 0.87.0 HOT 6
- Passing verbose flag to semgrep-action HOT 3
- Semgrep-action no longer works with multiple configs HOT 1
- 0.89 fails with git error on CI HOT 7
- Warning: Unexpected input(s) 'generateSarif', valid inputs are ['entryPoint', 'args', 'config', 'publishToken'] HOT 10
- SARIF Error: instance additionalProperty "fixes" exists in instance when not allowed HOT 6
- 0.98.0 fails with git error on GHA HOT 1
- Semgrep command failing with exit code 7 internal error HOT 1
- Add exclude option in the Semgrep action yml file HOT 2
- semgrep-action@v1 fails with false success status when semgrep token is missing
- Add versioning for Semgrep rules as well
- Semgrep actions is full deprecated
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from semgrep-action.