Comments (2)
Isaac0616
commented on July 30, 2024
Thinking it a bit more.
I think there are cases that even the Counter is not ideal.
For example:
- @web(skip_csrf_check=True)
def safe_endpoint(...):
+ @web(skip_csrf_check=True)
def sensitive_endpoint(...):is bad but won't be flagged.
To solve it, I guess we have to check the actual changed lines between commits?
from semgrep-action.
nbrahms
commented on July 30, 2024
I think we'd likely solve the 90% case by just incorporating the finding index on the file into the syntactic context.
Certainly to your point @Isaac0616 , we'd like to catch your case in the future, but we also want to avoid falsely flagging on simple refactors that touch unrelated code.
One idea we've bandied about in the past is to treat the previous and next lines as part of the syntactic context, although there are still possible false negatives in this case.
Another option would just be to make whether or not to include the line number as part of the syntactic context a configurable option, so you could choose your own noise.
from semgrep-action.
Related Issues (20)
- Failed with exit code 7 when running semgrep_app_rules.yaml with Type Script. HOT 5
- Unexpected input(s) 'publishDeployment', valid inputs are ['entryPoint', 'args', 'config', 'publishToken', 'generateSarif', 'auditOn'] HOT 1
- Semgrep Action failed with exit code 2 when no issues are found HOT 7
- Relative paths not working HOT 3
- UnknownLanguageError - This is an internal error, please file an issue HOT 1
- Output as json file? HOT 3
- Cannot run `semgrep ci` while logged in and with explicit config. Use semgrep.dev to configure rules to run. HOT 4
- semgrep --debug options makes the scan --strict and fail the whole scan HOT 7
- Python pip dependency conflict with semgrep version 0.86.0 and 0.87.0 HOT 6
- Passing verbose flag to semgrep-action HOT 3
- Semgrep-action no longer works with multiple configs HOT 1
- 0.89 fails with git error on CI HOT 7
- Warning: Unexpected input(s) 'generateSarif', valid inputs are ['entryPoint', 'args', 'config', 'publishToken'] HOT 10
- SARIF Error: instance additionalProperty "fixes" exists in instance when not allowed HOT 6
- 0.98.0 fails with git error on GHA HOT 1
- Semgrep command failing with exit code 7 internal error HOT 1
- Add exclude option in the Semgrep action yml file HOT 2
- semgrep-action@v1 fails with false success status when semgrep token is missing
- Add versioning for Semgrep rules as well
- Semgrep actions is full deprecated
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from semgrep-action.