
semgrep | Lightweight static analysis for many languages | Code Analyzer library

 by   returntocorp   Python (analysis engine in OCaml)   Version: v0.57.0   License: LGPL-2.1



kandi X-RAY | semgrep Summary

semgrep is a static analysis tool (a Python command-line tool driving an OCaml matching engine) typically used for code quality and code analysis, including security scanning. At the time of this snapshot kandi's scan recorded no bugs and no reported vulnerabilities, a build file is available, the license is LGPL-2.1 (weak copyleft), and support activity is rated medium. You can install it with 'pip install semgrep' or download it from GitHub or PyPI.
Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Support

  • semgrep has a medium active ecosystem.
  • It has 4600 star(s) with 189 fork(s). There are 62 watchers for this library.
  • It had no major release in the last 12 months.
  • There are 215 open issues and 1168 have been closed. On average issues are closed in 70 days. There are 11 open pull requests and 0 closed requests.
  • It has a neutral sentiment in the developer community.
  • The latest version of semgrep is v0.57.0

Quality

  • kandi's scan of this snapshot reports 0 bugs and 0 code smells.

Security

  • semgrep has no vulnerabilities reported against it, and its dependent libraries have none reported, as of v0.57.0. This concerns the tool's own code and Python dependencies, not the accuracy of the findings it produces on your code.
  • semgrep code analysis shows 0 unresolved vulnerabilities.
  • There are 0 security hotspots that need review.

License

  • semgrep is licensed under the LGPL-2.1 License. This license is Weak Copyleft.
  • Weak copyleft licenses impose obligations when you modify or redistribute the licensed code itself, but running semgrep as a tool over your own code base, including in commercial CI pipelines, does not place your code under the LGPL.

Reuse

  • semgrep releases are available to install and integrate.
  • Deployable package is available in PyPI.
  • Build file is available. You can build the component from source.
  • Installation instructions, examples and code snippets are available.
  • It has 71579 lines of code, 2359 functions and 1032 files.
  • kandi rates its code complexity as high; complexity bears directly on how hard the code base is to maintain and audit.

semgrep Key Features

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Getting started

# For macOS
$ brew install semgrep

# For Ubuntu/WSL/Linux/macOS
$ python3 -m pip install semgrep

# To try Semgrep without installation run via Docker
$ docker run --rm -v "${PWD}:/src" returntocorp/semgrep --help

Upgrading

# Using Homebrew
$ brew upgrade semgrep

# Using pip
$ python3 -m pip install --upgrade semgrep

# Using Docker
$ docker pull returntocorp/semgrep:latest


Community Discussions


QUESTION

Changing Gitlab SAST json report names

Asked 2021-Oct-27 at 15:54

Issue

Note: My CI contains a code complexity checker which can be ignored. This question is mainly focused on SAST.

I have recently set up a SAST pipeline for one of my Gitlab projects. The Gitlab-ce and Gitlab-runner instances are self-hosted. When the SAST scan is completed, the downloaded artifacts / json reports all contain the same name gl-sast-report.json. In this example, the artifacts bandit-sast and semgrep-sast both produce gl-sast-report.json when downloaded.

SAST configuration

stages:
- CodeScan
- CodeComplexity

sast:
  stage: CodeScan
  tags:
    - sast

code_quality:
  stage: CodeComplexity
  artifacts:
    paths: [gl-code-quality-report.json]
  services:
  tags:
    - cq-sans-dind

include:
- template: Security/SAST.gitlab-ci.yml
- template: Code-Quality.gitlab-ci.yml

Completed SAST results

(screenshots not reproduced)

End Goal

  1. If possible, how could I change the name of the artifacts for bandit-sast and semgrep-sast?
  2. If question one is possible, does this mean I have to manually specify each analyser for various projects. Currently, based on my .gitlab-ci.yml the SAST analysers are automatically detected based on the project language.

ANSWER

Answered 2021-Oct-27 at 15:54

If you're using the pre-built SAST images, this isn't possible, even if you run the docker command manually like so:

docker run --volume "$PWD":/code --env=LM_REPORT_VERSION="2.1" --env=CI_PROJECT_DIR=/code registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest

When using these SAST (and DAST) images, the report file will always have the name in the docs. However, if you ran the docker command manually like above, you could rename the file before it's uploaded as an artifact, but it would still have the same JSON structure/content.

Run License Scanning Analyzer:
  stage: sast
  script:
    - docker run --volume "$PWD":/code --env=LM_REPORT_VERSION="2.1" --env=CI_PROJECT_DIR=/code registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
    - mv gl-license-scanning-report.json license-scanning-report.json
  artifacts:
    reports:
      license_scanning: license-scanning-report.json

The only way to change the json structure/content is to implement the SAST tests manually without using the provided images at all. You can see all the available SAST analyzers in this Gitlab repo.

For the License Finder analyzer as an example, the Dockerfile says the entrypoint for the image is the run.sh script.

You can see on line 20 of run.sh it sets the name of the file to 'gl-license-scanning-report.json', but we can change the name by running the docker image manually so this doesn't really help. However, we can see that the actual analyzing comes from the scan_project function, which you could replicate.

So while it is possible to manually run these analyzers without the pre-built images, it will be much more difficult to get them to work.

Source https://stackoverflow.com/questions/69142796
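The answer's rename-before-upload step applied to the two analyzer jobs from the question, as an added example that is not part of the answer: it assumes the SAST template is included as in the question's pipeline and relies on GitLab's rule that redefining a template job under the same name overrides only the keys you supply, so the template's image, script and rules stay in force. As the answer notes, only the file name changes; the JSON content is still the standard gl-sast-report structure.

```yaml
# .gitlab-ci.yml (added example, not from the Stack Overflow answer)
include:
  - template: Security/SAST.gitlab-ci.yml

# Same job names as the template, so these keys are merged over the template's
# definitions. after_script runs in the analyzer's own container after the
# scan has written gl-sast-report.json into the project directory.
semgrep-sast:
  after_script:
    - mv gl-sast-report.json semgrep-sast-report.json
  artifacts:
    # artifacts: is replaced as a whole, so restate reports.sast under the new
    # name; paths: makes the file downloadable under that name as well.
    reports:
      sast: semgrep-sast-report.json
    paths: [semgrep-sast-report.json]

bandit-sast:
  after_script:
    - mv gl-sast-report.json bandit-sast-report.json
  artifacts:
    reports:
      sast: bandit-sast-report.json
    paths: [bandit-sast-report.json]
```

Because only the job-level keys are overridden, the analyzers are still selected automatically by the template's rules, which addresses the second question: you do not have to list every analyzer per project, only the ones whose report name you want to change.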

Community Discussions, Code Snippets contain sources that include Stack Exchange Network

Vulnerabilities

No vulnerabilities reported

Install semgrep

To install Semgrep, use Homebrew or pip, or run it without installation via Docker (see Getting started above).

Support

Go · Java · JavaScript · JSX · JSON · Python · Ruby · TypeScript · TSX. See supported languages for the complete list.

  • © 2022 Open Weaver Inc.