open-vault/tools/semgrep/ci/error-shadowing.yml


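# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Error-shadowing detection for Go.
#
# Both rules report an error variable that is assigned from a call and then
# assigned again before anything in between inspects it: the first error is
# silently discarded, so a failed call can end up treated as success. The
# `pattern-not` clauses enumerate the shapes that count as "inspected"
# (nil checks, passing the error to a helper, a for/switch guard); a
# sequence not covered by any of them is reported.
rules:
  - id: error-shadow-check-types
    # Type-based variant: `($ERR: error)` is a semgrep typed metavariable, so
    # this matches any variable whose inferred type is `error`, whatever its
    # name.
    patterns:
      - pattern: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          ..., $ERR = ...
      # The error is inspected with a nil check before being reassigned.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          if <... $ERR == nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          if <... $ERR != nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      # The error is handed to some function (logging, wrapping, assertion)
      # before being reassigned.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          $ERRCHECK(..., $ERR, ...)
          ...
          ..., $ERR = ...
      # This case is not specific enough but semgrep doesn't let you do any
      # special searching within a switch statement. We will assume if there
      # is a switch statement it's doing error checking, though this isn't
      # guaranteed.
      # NOTE(review): unlike error-shadow-check-regex below, this rule does
      # not exclude the tagged `switch ... {` form — confirm whether that
      # asymmetry is intended.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          switch {
          case ...
          }
          ...
          ..., $ERR = ...
    message: Potential Error Shadowing
    languages:
      - go
    severity: ERROR

  - id: error-shadow-check-regex
    # Name-based variant: same shape as above, but keyed on the variable name
    # via the metavariable-regex at the end rather than on the inferred type,
    # so it also covers code where type information is unavailable to
    # semgrep.
    patterns:
      - pattern: |
          ..., $ERR = $FUNC(...)
          ...
          ..., $ERR = ...
      # The error is inspected with a nil check before being reassigned.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if <... $ERR == nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if <... $ERR != nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      # The error is handed to some function (logging, wrapping, assertion)
      # before being reassigned.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          $ERRCHECK(..., $ERR, ...)
          ...
          ..., $ERR = ...
      # This pattern is used as an iteration mechanism in a test.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          for $ERR == nil {
            ...
          }
          ...
          ..., $ERR = ...
      # A few places we test against logical.Err* types.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if $ERR != logical.$ERRTYPE {
            ...
          }
          ...
          ..., $ERR = ...
      # This case is not specific enough but semgrep doesn't let you do any
      # special searching within a switch statement. We will assume if there
      # is a switch statement it's doing error checking, though this isn't
      # guaranteed. Both the tagged and the tagless switch form are excluded.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          switch ... {
          case ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          switch {
          case ...
          }
          ...
          ..., $ERR = ...
      # Restrict $ERR to error-like variable names.
      # NOTE(review): whether "err" also matches names such as `errs` or
      # `myerr` depends on semgrep's metavariable-regex anchoring semantics —
      # confirm, and anchor the expression if only the bare name `err` is
      # intended.
      - metavariable-regex:
          metavariable: $ERR
          regex: "err"
    message: Potential Error Shadowing (regex)
    languages:
      - go
    severity: ERROR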