Closed
Conversation
* fix for CODE-9032 * add test
## Link to an issue, if relevant (internal Slack thread) ### ~~Adding a new~~ Revising a rule? Look over this PR checklist - The issue or PR has links, references, or examples. - The rule has **true positive** and **true negative** test cases in a file that matches the rule name. > If the rule is `my-rule`, the test file name should be `my-rule.js`. > > True positives are marked by comments with `ruleid: <my-rule>` and true negatives are marked by comments with `ok: <my-rule>`. - The rule has a good message. A good message includes: > 1. A description of the pattern (e.g., missing parameter, dangerous flag, out-of-order function calls). > 1. A description of why this pattern was detected (e.g., logic bug, introduces a security vulnerability, bad practice). > 1. An alternative that resolves the issue (e.g., use another function, validate data first, discard the dangerous flag).
This updates aws-cloudfront-insecure-tls rule to account for the addition of aws cloudfront support for TLSv1.2_2025 and TLSv1.3_2025
Co-authored-by: Pieter De Cremer <pieter@Mac.localdomain>
Co-authored-by: Pieter De Cremer <pieter@Mac.localdomain>
A GitHub Action may still be vulnerable when a more complicated pattern is used, like an || operator.
* Add owasp 2025 mapping * fix metadata of twilio twiml injection rule --------- Co-authored-by: Pieter De Cremer <pieter@Mac.localdomain>
Removed reference to github.com/ravisastryk/go-safeinput for automatic protection in the warning message about unsafe deserialization.
![semgrep-zcs-prod-semgrep[bot]](https://avatars.githubusercontent.com/u/29760937?s=60&v=4){kind=small}
| | exception Not_found -> 3 | ||
| try | ||
| (* ruleid:hashtbl-find-outside-try *) | ||
| if Hashtbl.find h 1 |
There was a problem hiding this comment.
'Hashtbl.find' raises the 'Not_found' exception. Handle the exception or use 'Hashtbl.find_opt' instead. If you have proof that the key exists in the table, use 'assert false' as the exception handler to demonstrate awareness of the issue. If your code uses the syntax 'match Hashtbl.find ... with exception Not_found -> ...', it's fine and we apologize for not detecting it. Consider using 'Hashtbl.find_opt' to please Semgrep and stay safe.
🌟 Removed in commit 180e65d 🌟
Several Java and Go test files for rules had duplicate names where they weren't actually allowed by the language. This caused issues for naming in Semgrep, which assumes that this should be impossible. This commit replaces those duplicate names with distinct names.
Disambiguate duplicate function/method names that lead to odd shadowing of results. All the actual matches are preserved. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Created automatically with the Argo bot using the Argo workflow in release-workflow.yaml