rules:
# Flags a Go variable of static type `error` that is assigned from a call and
# then assigned again later without one of the excluded checks in between.
# An error overwritten this way may never be inspected, so the failure it
# reported can be silently dropped.
- id: error-shadow-check-types
  patterns:
  # Base match: $ERR (typed as error) is set from $FUNC(...) and is later
  # reassigned.
  - pattern: |
      ..., ($ERR: error) = $FUNC(...)
      ...
      ..., $ERR = ...
  # Not a finding when an `if` whose condition contains `$ERR == nil` sits
  # between the two assignments.
  - pattern-not: |
      ..., ($ERR: error) = $FUNC(...)
      ...
      if <... $ERR == nil ...> {
        ...
      }
      ...
      ..., $ERR = ...
  # Not a finding when an `if` whose condition contains `$ERR != nil` sits
  # between the two assignments.
  - pattern-not: |
      ..., ($ERR: error) = $FUNC(...)
      ...
      if <... $ERR != nil ...> {
        ...
      }
      ...
      ..., $ERR = ...
  # Not a finding when $ERR is passed as an argument to any call between the
  # two assignments.
  # NOTE(review): this matches every call that receives $ERR, including ones
  # that only record it (for example a logger) and never act on it - confirm
  # that this loss of coverage is acceptable.
  - pattern-not: |
      ..., ($ERR: error) = $FUNC(...)
      ...
      $ERRCHECK(..., $ERR, ...)
      ...
      ..., $ERR = ...
  # This case is not specific enough but semgrep doesn't let you do any
  # special searching within a switch statement. We will assume if there
  # is a switch statement it's doing error checking, though this isn't
  # guaranteed.
  # NOTE(review): only the tagless `switch {` form is excluded here, while
  # error-shadow-check-regex also excludes `switch ... {` - confirm the
  # difference is intended.
  - pattern-not: |
      ..., ($ERR: error) = $FUNC(...)
      ...
      switch {
        case ...
      }
      ...
      ..., $ERR = ...
  message: Potential Error Shadowing
  languages:
  - go
  severity: ERROR
# Name-based variant of the rule above: instead of requiring $ERR to have
# static type `error`, it selects the variable by name through the
# metavariable-regex entry at the end of `patterns`. It flags a variable that
# is assigned from a call and assigned again later without one of the
# excluded checks in between.
- id: error-shadow-check-regex
  patterns:
  # Base match: $ERR is set from $FUNC(...) and is later reassigned.
  - pattern: |
      ..., $ERR = $FUNC(...)
      ...
      ..., $ERR = ...
  # Not a finding when an `if` whose condition contains `$ERR == nil` sits
  # between the two assignments.
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      if <... $ERR == nil ...> {
        ...
      }
      ...
      ..., $ERR = ...
  # Not a finding when an `if` whose condition contains `$ERR != nil` sits
  # between the two assignments.
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      if <... $ERR != nil ...> {
        ...
      }
      ...
      ..., $ERR = ...
  # Not a finding when $ERR is passed as an argument to any call between the
  # two assignments.
  # NOTE(review): this matches every call that receives $ERR, including ones
  # that only record it (for example a logger) and never act on it - confirm
  # that this loss of coverage is acceptable.
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      $ERRCHECK(..., $ERR, ...)
      ...
      ..., $ERR = ...

  # This pattern is used as an iteration mechanism for a test
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      for $ERR == nil {
        ...
      }
      ...
      ..., $ERR = ...

  # A few places we test against logical.Err* types
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      if $ERR != logical.$ERRTYPE {
        ...
      }
      ...
      ..., $ERR = ...
  # This case is not specific enough but semgrep doesn't let you do any
  # special searching within a switch statement. We will assume if there
  # is a switch statement it's doing error checking, though this isn't
  # guaranteed.
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      switch ... {
        case ...
      }
      ...
      ..., $ERR = ...
  # Same assumption for the tagless form of switch.
  - pattern-not: |
      ..., $ERR = $FUNC(...)
      ...
      switch {
        case ...
      }
      ...
      ..., $ERR = ...
  # Limits the rule to variables whose name matches "err".
  # NOTE(review): semgrep documents metavariable-regex as left-anchored, and
  # there is no end anchor here, so this presumably accepts any name that
  # begins with "err" and skips error variables named otherwise - confirm
  # against the semgrep version in use.
  - metavariable-regex:
      metavariable: $ERR
      regex: "err"
  message: Potential Error Shadowing (regex)
  languages:
  - go
  severity: ERROR