open-vault/tools/semgrep/ci/error-shadowing.yml
Hridoy Roy 7e0abe3c7e
Add Semgrep Rules to OSS (#14513)
* add semgrep yml

* add semgrep ci job

* remove replication semgrep rule in oss

* fix makefile

* add semgrep to ci

* unwind triple if in ui.go semgrep refactoring
2022-03-18 11:14:03 -07:00


# Semgrep rules (run from CI) that flag a Go error value which is assigned
# from a call and then assigned again with no intervening check of the first
# value. Both rules share one shape: a positive `pattern` (assign from a call,
# anything, assign again) narrowed by `pattern-not` clauses, each describing
# one way the first value may have been inspected in between. A reassignment
# that none of the exclusions recognise is reported; the first call's failure
# is then dropped silently, which is why the severity is ERROR.
#
# The exclusions are deliberately coarse (see the inline comments): any call
# receiving $ERR counts as a check, and any switch statement counts as a
# check. Expect false negatives from that; a finding here is a prompt to read
# the surrounding code rather than proof of a bug.
#
# NOTE(review): the second assignment is written with `=`. Whether a
# `$ERR := ...` short declaration in a nested scope (Go's actual shadowing
# case) is also matched depends on Semgrep's Go matcher — confirm against the
# Semgrep version pinned in CI.
rules:
  # Typed variant: matches only when $ERR is declared with type `error`
  # (Semgrep typed metavariable), whatever the variable is called.
  - id: error-shadow-check-types
    patterns:
      # $ERR is assigned from a call and later assigned again in the same
      # statement sequence. `..., $ERR = ...` lets $ERR sit anywhere on the
      # left-hand side of the later assignment.
      - pattern: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          ..., $ERR = ...
      # Excluded: an `if` between the two assignments tests $ERR against nil,
      # in either polarity. `<... ...>` allows the test to be part of a larger
      # condition.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          if <... $ERR == nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          if <... $ERR != nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      # Excluded: $ERR is passed to any call in between. The callee is
      # unconstrained, so wrapping, logging and test-assertion calls all
      # satisfy this clause.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          $ERRCHECK(..., $ERR, ...)
          ...
          ..., $ERR = ...
      # This case is not specific enough but semgrep doesn't let you do any
      # special searching within a switch statement. We will assume if there
      # is a switch statement it's doing error checking, though this isn't
      # guaranteed.
      # NOTE(review): only the untagged `switch {` form is excluded here,
      # whereas error-shadow-check-regex below also excludes `switch ... {`.
      # Confirm whether that asymmetry is intended.
      - pattern-not: |
          ..., ($ERR: error) = $FUNC(...)
          ...
          switch {
            case ...
          }
          ...
          ..., $ERR = ...
    message: Potential Error Shadowing
    languages:
      - go
    severity: ERROR
  # Name-based variant: the same shape as above, but $ERR is selected by the
  # `metavariable-regex` at the end of the rule instead of by declared type.
  - id: error-shadow-check-regex
    patterns:
      - pattern: |
          ..., $ERR = $FUNC(...)
          ...
          ..., $ERR = ...
      # Excluded: nil test of $ERR in between, either polarity.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if <... $ERR == nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if <... $ERR != nil ...> {
            ...
          }
          ...
          ..., $ERR = ...
      # Excluded: $ERR is passed to any call in between (callee unconstrained,
      # so logging or wrapping calls also count).
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          $ERRCHECK(..., $ERR, ...)
          ...
          ..., $ERR = ...
      # Excluded: a `for $ERR == nil` loop. This pattern is used as an
      # iteration mechanism in a test, where the loop condition itself is the
      # check.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          for $ERR == nil {
            ...
          }
          ...
          ..., $ERR = ...
      # Excluded: a few places compare $ERR directly against a logical.Err*
      # value instead of against nil.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          if $ERR != logical.$ERRTYPE {
            ...
          }
          ...
          ..., $ERR = ...
      # This case is not specific enough but semgrep doesn't let you do any
      # special searching within a switch statement. We will assume if there
      # is a switch statement it's doing error checking, though this isn't
      # guaranteed. Both the tagged (`switch ... {`) and untagged (`switch {`)
      # forms are listed because each is written as its own pattern.
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          switch ... {
            case ...
          }
          ...
          ..., $ERR = ...
      - pattern-not: |
          ..., $ERR = $FUNC(...)
          ...
          switch {
            case ...
          }
          ...
          ..., $ERR = ...
      # Restrict $ERR to variables whose name matches `err`.
      # NOTE(review): if the regex is unanchored in the Semgrep version in use,
      # `err` also matches names such as `errs` or `stderr`; `^err$` would
      # limit it to the identifier `err` alone — confirm the intended scope.
      - metavariable-regex:
          metavariable: $ERR
          regex: "err"
    message: Potential Error Shadowing (regex)
    languages:
      - go
    severity: ERROR