Describe the bug
semgrep patterns can identify package:
rules:
- id: package1
pattern: |
package hacknews
message: |
prohibited package
and they can identify import:
rules:
- id: import1
pattern: |
import (
"strconv"
)
message: |
prohibited import
They cannot identify the combination of a package and an import
To Reproduce
Given the golang code from https://raw.githubusercontent.com/PaulRosset/go-hacknews/master/hacknews_api.go
and the pattern:
rules:
- id: import1
pattern: |
package hacknews
...
import (
"strconv"
)
message: |
use of strconv prohibited in package hacknews
Expected behavior
the pattern should match with the file
Hey @denisa, thanks for the bug report! Could you have a quick look at the reproduction link? Seems like you copied the wrong URL.
you’re right, I can’t copy the link…
I updated the description to make it easily reproducible.
Thanks. It did seem like you were on the development version of our live editor, which Is probably why you could bump into that bug. For the record, semgrep.dev is the stable deployment.
Hi Denisa, sorry about that -- the bug has been fixed, but it may take a few days to release the version of semgrep with the fix included.
specifically @denisa should be in v0.20. Thanks for reporting this and the earlier issue!
What has been fixed @colleend ? There's no linked pulled request showing this has been fixed.
Should be closed with pull request https://github.com/returntocorp/semgrep/pull/1383 and https://github.com/returntocorp/pfff/pull/219. I'll link them to https://github.com/returntocorp/semgrep/issues/1315.
I don't think this is fully working as intended yet. We can use package in a pattern, but it appears we can _only_ use package, i.e. no ellipsis operator. Using the latest semgrep-core:
$ semgrep-core -version
semgrep-core version: v0.20.0-0-g1e89dcc, pfff: 0.38
Searching for just the package works:
$ cat test.go
package hacknews
import (
"strconv"
)
func main() {
}
$ cat test.yaml
rules:
- id: import1
message: use of strconv prohibited in package hacknews
severity: ERROR
languages: [go]
pattern: |
package hacknews
$ python -m semgrep --config test.yaml test.go
running 1 rules...
test.go
severity:error rule:import1: use of strconv prohibited in package hacknews
1:package hacknews
However, if we add a ... it fails:
rules:
- id: import1
message: use of strconv prohibited in package hacknews
severity: ERROR
languages: [go]
pattern: |
package hacknews
...
$ python -m semgrep --config test.yaml test.go
running 1 rules...
error: invalid pattern
--> test.yaml:6
6 | pattern: |
7 | package hacknews
8 | ...
Pattern could not be parsed as a Golang semgrep pattern
That means the original pattern fails as well:
rules:
- id: import1
message: use of strconv prohibited in package hacknews
severity: ERROR
languages: [go]
pattern: |
package hacknews
...
import (
"strconv"
)
$ python -m semgrep --config test.yaml test.go
running 1 rules...
error: invalid pattern
--> test.yaml:6
6 | pattern: |
7 | package hacknews
8 | ...
9 | import (
10 | "strconv"
11 | )
Pattern could not be parsed as a Golang semgrep pattern
Am I missing something else that fixed this?
I can take another look at this.
FYI: it is still broken with 0.21.0 https://semgrep.dev/s/l0ry
This is also track in https://github.com/returntocorp/semgrep/issues/1569
Fixed in #1569 👍
Thanks @colleend . @denisa if you switch to using the develop branch on the live editor, you can see your example working! https://semgrep.dev/s/l0ry?version=develop
I expect this will make it into the next release on Tues/Wed of next week.