惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Forbes - Security
Forbes - Security
GbyAI
GbyAI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
S
SegmentFault 最新的问题
Y
Y Combinator Blog
Recorded Future
Recorded Future
博客园 - Franky
I
InfoQ
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园_首页
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
Cyberwarzone
Cyberwarzone
The Register - Security
The Register - Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
P
Palo Alto Networks Blog
G
GRAHAM CLULEY
Cloudbric
Cloudbric
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
MongoDB | Blog
MongoDB | Blog
F
Full Disclosure
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Check Point Blog
爱范儿
爱范儿
The GitHub Blog
The GitHub Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
U
Unit 42
N
Netflix TechBlog - Medium
The Cloudflare Blog
Spread Privacy
Spread Privacy
Microsoft Azure Blog
Microsoft Azure Blog
美团技术团队
T
Troy Hunt's Blog
Engineering at Meta
Engineering at Meta
H
Heimdal Security Blog
TaoSecurity Blog
TaoSecurity Blog
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tenable Blog
B
Blog
S
Securelist
H
Hacker News: Front Page
Google Online Security Blog
Google Online Security Blog
G
Google Developers Blog

EINDEX's Blog

2 2024-ending #1 Mid-Autumn Festival improving-your-code-review-process-with-semgrep webmentions
semgrep-with-custom-rules
EINDEX · 1970-01-01 · via EINDEX's Blog

semgrep-with-custom-rulesBlur image

/ Update

Improve code reviews with Semgrep: enforce standards, detect vulnerabilities, and enhance code quality. Integrate Semgrep for better code before release.

In this post, we will discuss how Semgrep can be integrated into your code review process. If you are unfamiliar with Semgrep, we recommend checking out our previous article on the topic, titled “Improving Your Code Review Process With Semgrep”.

Codereview and Semgrep#

Code review is a crucial step in the software development workflow, as it allows team members to review and critique each other’s code.

However, code review can sometimes be a source of contention, with debates over code style or disagreements over team coding standards.

Additionally, there may be cases where the team lacks domain expertise, leading to the inclusion of vulnerabilities in the code. Semgrep can help address these issues by promoting consistent coding practices and identifying potential vulnerabilities.

Let’s take a closer look at how Semgrep can be utilized in the code review process.

Cases#

In this section, we will examine three cases where Semgrep custom rules can be utilized to improve code quality.

Case 1: Preventing the use of System.out in Java. It is not uncommon for team members to use System.out for logging or debugging purposes. However, this practice can be problematic. The following custom rule can help address this issue:

rules:
  - id: logging-via-system-out
    pattern: System.out.$PRINT($ARG);
    message: Using system out as logging method.
    languages: [java]
    severity: WARNING

yaml

If your team has established logging standards, the fix function can be used to automatically replace instances of System.out with a preferred logging method. For example:

rules:
  - id: logging-via-system-out
    pattern: System.out.$PRINT($ARG);
    message: Using system out as logging method.
    fix: log.info($ALG)
    languages: [java]
    severity: WARNING

yaml

Case 2: Disallowing system calls. In some situations, it may be desirable to prohibit system commands in order to protect the user’s device or cloud machine. The following custom rule can be used to detect and prevent the execution of system commands:

rules:
  - id: java-rec-checker
    patterns:
      - pattern-inside: $FUN(...,$ARG,...){...}
      - pattern-either:
          - pattern: Runtime.getRuntime().exec(..., $ARG, ...);
          - patterns:
              - pattern: Process $PROCESS = Runtime.getRuntime();
              - pattern: $PROCESS.exec(..., $ARG, ...);
    message: RCE risk from user input.
    languages: [java]
    severity: ERROR

yaml

Case 3: Ensuring that all request mappings have authentication checks. It is important to ensure that all request mappings have proper permission checks in place. The following custom rule can be used to identify instances where these checks are missing:

rules:
  - id: vaild-permission-check-on-all-request-mapping
    patterns:
      - pattern-inside: |
          @$CONTROLLER_ANNOTATION
          public class $CONTROLLER {
            ...
          }
      - pattern: |
          @$MAPPING_ANNOTATION(...)
          public $RET $METHOD(...){...}
      - pattern-not: |
          @$MAPPING_ANNOTATION(...)
          @$PERMISSION_ANNOTATION(...)
          public $RET $METHOD(...){...}
      - metavariable-regex:
          metavariable: $CONTROLLER_ANNOTATION
          regex: (.*Controller$)
      - metavariable-regex:
          metavariable: $MAPPING_ANNOTATION
          regex: (.*Mapping$)
      - metavariable-regex:
          metavariable: $PERMISSION_ANNOTATION
          regex: (.*Permission$)
    message: Should check user permission on all request mapping
    languages: [java]
    severity: WARNING

yaml

Summarize#

This article has discussed how Semgrep can be integrated into the code review process to improve code quality and consistency.

By using custom rules, Semgrep can enforce team coding standards and detect potential vulnerabilities in the code.

By incorporating Semgrep into the code review workflow, teams can more effectively identify and address issues before code is released to production.