Is your feature request related to a problem? Please describe.
Production code often depends on runtime feature flags, external services and so on. As a result, many code branches are essentially unreachable under normal conditions; however, AFAIK there is currently no way to express this in Semgrep, which leads to a high number of false positives. A very simple example could be:
```kotlin
fun test1() {
    // `id` must be a `var`, since it is reassigned in the sanitizing branch
    var id = source()
    val shouldDoSanitization = isSanitizationEnabled(id)
    if (shouldDoSanitization) {
        id = sanitize(id)
    } else {
        // ok: sanitization-behind-a-feature-flag
        sink(id)
    }
}
```
In this case I'd like to express that isSanitizationEnabled is going to return true, but I couldn't find a way to do this in the Semgrep documentation.
Describe the solution you'd like
Introduce a mechanism to specify code assumptions, such as:
- return values (in the example above, express that isSanitizationEnabled always returns true here)
- variable values (in the example above, express that shouldDoSanitization becomes true here)
- control flow: assume a certain branch is always taken or always unreachable
Describe alternatives you've considered
Multiple sanitization rules could be defined as a workaround, in order to account for various code patterns, but these depend on heuristics and are therefore less precise; also, this approach currently does not work in Semgrep due to another bug (#10167 (comment)).
Use case
- Reduce the number of false positives by making Semgrep understand sanitization patterns in production code
- Reduce the number of false negatives by streamlining and simplifying Semgrep rules, relying more on Taint Mode & Cross-file Analysis instead of heuristics
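The taint rule below reproduces the false positive the request is about. It is an added example, not the issue author's rule and not part of the Semgrep project; the rule id is chosen to match the `// ok:` annotation in the snippet above, and the function names `source`, `sanitize`, `sink` are taken from that snippet. On the else path `id` is never passed through `sanitize()`, and Semgrep has no way to know that `isSanitizationEnabled()` always returns true in production, so `sink(id)` is reported.

```yaml
# Added example rule (not from the issue or the Semgrep project).
# Assumes the Kotlin snippet from the issue is saved next to this file.
rules:
  - id: sanitization-behind-a-feature-flag
    mode: taint
    languages: [kotlin]
    severity: WARNING
    message: >-
      Value from source() reaches sink() on a path that never calls sanitize().
      Semgrep cannot know that the feature flag is always enabled, so the else
      branch is still reported.
    pattern-sources:
      # constructed: the issue's placeholder for untrusted input
      - pattern: source()
    pattern-sanitizers:
      # constructed: any call to sanitize() cleans its argument
      - pattern: sanitize(...)
    pattern-sinks:
      # constructed: the issue's placeholder for a dangerous call
      - pattern: sink(...)
```

Save the rule as `sanitization-behind-a-feature-flag.yaml` and the snippet as `sanitization-behind-a-feature-flag.kt`, then run `semgrep --test` in that directory. Because the `// ok:` annotation says the line must not match but taint mode does report it, the test fails, which is the false positive that a code-assumption mechanism would let a rule author suppress without resorting to heuristic sanitizer patterns.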