rules:
  - id: error-shadow-check-types
    patterns:
      - pattern: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          if <... $ERR == nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          if <... $ERR != nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          $ERRCHECK(..., $ERR, ...)
          ...
          ..., $ERR = ...
      # This case is not specific enough but semgrep doesn't let you do any
      # special searching within a switch statement. We will assume if there
      # is a switch statement it's doing error checking, though this isn't
      # guaranteed.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          switch {
          case ...
          }
          ...
          ..., $ERR = ...
    message: Potential Error Shadowing
    languages:
      - go
    severity: ERROR

  - id: error-shadow-check-regex
    patterns:
      - pattern: |
          ..., $ERR = $FUNC(...)
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if <... $ERR == nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if <... $ERR != nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          $ERRCHECK(..., $ERR, ...)
          ...
          ..., $ERR = ...
      # This pattern is used as an iteration mechanism for a test
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          for $ERR == nil {
            ...
          }
          ...
          ..., $ERR = ...
      # A few places we test against logical.Err* types
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if $ERR != logical.$ERRTYPE {
            ...
          }
          ...
          ..., $ERR = ...
      # This case is not specific enough but semgrep doesn't let you do any
      # special searching within a switch statement. We will assume if there
      # is a switch statement it's doing error checking, though this isn't
      # guaranteed.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          switch ... {
          case ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          switch {
          case ...
          }
          ...
          ..., $ERR = ...
      - metavariable-regex:
          metavariable: $ERR
          regex: "err"
    message: Potential Error Shadowing (regex)
    languages:
      - go
    severity: ERROR
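Both rules above flag the same shape of bug: an `err` returned by one call is reassigned by a later call before anything inspects it, so the first failure is silently lost. The Go program below is an added illustration, not part of the rule file or of the project it belongs to; `lookup`, `parse`, `ErrLookup` and `ErrParse` are constructed stand-ins for the `$FUNC` calls the patterns match. `LoadShadowed` is the form the `pattern` clause catches (assignment, `...`, reassignment with no check in between); `LoadChecked` adds the `if err != nil` block that the `pattern-not` clauses exclude.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample errors so each failure path can be told apart.
var (
	ErrLookup = errors.New("lookup failed")
	ErrParse  = errors.New("parse failed")
)

// lookup and parse are hypothetical helpers standing in for the $FUNC calls
// in the rule; the bool lets the caller force a failure on either step.
func lookup(fail bool) (string, error) {
	if fail {
		return "", ErrLookup
	}
	return "raw-value", nil
}

func parse(s string, fail bool) (int, error) {
	if fail {
		return 0, ErrParse
	}
	return len(s), nil
}

// LoadShadowed is the shape the rule reports: err from lookup is never
// inspected before the assignment from parse overwrites it. When lookup
// fails and parse succeeds, the function reports success with a zero result.
func LoadShadowed(lookupFails, parseFails bool) (int, error) {
	raw, err := lookup(lookupFails)
	var n int
	n, err = parse(raw, parseFails) // err reassigned without a check
	return n, err
}

// LoadChecked is the same flow with the check the pattern-not clauses look
// for: the first error is returned (wrapped) before err is ever reassigned.
func LoadChecked(lookupFails, parseFails bool) (int, error) {
	raw, err := lookup(lookupFails)
	if err != nil {
		return 0, fmt.Errorf("lookup: %w", err)
	}
	n, err := parse(raw, parseFails)
	if err != nil {
		return 0, fmt.Errorf("parse: %w", err)
	}
	return n, nil
}

func main() {
	_, err := LoadShadowed(true, false)
	fmt.Println("shadowed:", err) // <nil>: the lookup failure was overwritten
	_, err = LoadChecked(true, false)
	fmt.Println("checked:", err) // lookup: lookup failed
}
```

Running `semgrep --config <rule file> .` over a file containing `LoadShadowed` produces a finding on the two assignment lines, while `LoadChecked` is excluded by the `if <... $ERR != nil ...>` clause; the second rule's `metavariable-regex` additionally restricts matches to variables whose name contains `err`, which is why `err` (rather than, say, `e`) is used here.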