Trail of Bits public Semgrep rules

This repository contains Semgrep rules developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques.

Using Semgrep

The easiest way to run the rules is to run them from the Semgrep registry. To do so, navigate to the root folder of your project and run the following:

$ semgrep --config "p/trailofbits"

Alternatively, you can clone this repository, navigate to the root folder of your project, and run an individual rule with the command below:

$ semgrep --config /path/to/semgrep-rules/semgreprule.yml

To run all rules from the cloned repository:

$ semgrep --config /path/to/semgrep-rules/ .

Useful flags

Semgrep will run against all supported code files except for those in your .gitignore file. If you want to run the rules against all files and directories, including those in your .gitignore, add the --no-git-ignore flag.

$ semgrep --config /path/to/semgrep-rules/ . --no-git-ignore

You can also tell Semgrep to ignore files and directories that match a glob pattern. For instance, to skip all Go test files, run the following:

$ semgrep --config /path/to/semgrep-rules/ . --exclude='*_test.go'

Use -o to write results to a file instead of standard output:

$ semgrep --config /path/to/semgrep-rules/hanging-goroutine.yml -o leaks.txt

Rules

| Rule ID | Language | What it Finds |
|---|---|---|
| anonymous-race-condition | Go | Race conditions within anonymous goroutines |
| hanging-goroutine | Go | Goroutine leaks |
| iterate-over-empty-collection | Go | Iterations over an empty collection |
| nil-check-after-call | Go | Possible nil dereferences |
| questionable-assignment | Go | Possible unintentional assignment when an error occurs |
| nondeterministic-select | Go | Nondeterministic select logic |
| servercodec-readrequestbody-unhandled-nil | Go | Possible incorrect ServerCodec interface implementation |
| sleep-used-for-synchronizations | Go | Uses of time.Sleep for goroutine synchronization |
| string-to-int-signedness-cast | Go | Integer underflows from string-to-int conversions followed by a signedness cast |
| sync-mutex-value-copied | Go | Copying of sync.Mutex via value receivers |
| waitgroup-add-called-inside-goroutine | Go | Calls to sync.WaitGroup.Add inside of anonymous goroutines |
| waitgroup-wait-inside-loop | Go | Calls to sync.WaitGroup.Wait inside a loop |
| racy-append-to-slice | Go | Concurrent calls to append from multiple goroutines |
| racy-write-to-map | Go | Concurrent writes to the same map from multiple goroutines |
| unchecked-type-assertion | Go | Unchecked type assertions |
| missing-unlock-before-return | Go | Missing mutex unlock before returning from a function; the next Lock on that mutex then blocks forever |
| missing-runlock-on-rwmutex | Go | Missing RUnlock on an RWMutex before returning from a function |
| tarfile-extractall-traversal | Python | Potential path traversal in a call to extractall on a tarfile |
| panic-in-function-returning-result | Rust | Calling unwrap or expect in a function returning a Result |
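To make concrete what three of the Go rules above are looking for, here is an added example (written for this page, not code from the Trail of Bits repository or from any audited project) that puts the flagged pattern next to its corrected form. collectRacy is the shape racy-append-to-slice and waitgroup-add-called-inside-goroutine report: unsynchronized append from several goroutines, and wg.Add placed inside the goroutine so wg.Wait can return before any Add has run. collectSafe is the fix. Counter.AddMissingUnlock is the shape missing-unlock-before-return reports, and Counter.AddSafe the deferred-unlock fix; the stillLocked helper uses sync.Mutex.TryLock (Go 1.18+) to show, without blocking, that the buggy path leaves the mutex held. All function and type names here are illustrative choices, not names from the rules.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// collectRacy: what racy-append-to-slice and
// waitgroup-add-called-inside-goroutine flag. Each goroutine appends to
// the shared slice without a lock, and wg.Add runs inside the goroutine,
// so wg.Wait may return before any goroutine has even called Add.
func collectRacy(n int) []int {
	var wg sync.WaitGroup
	var results []int
	for i := 0; i < n; i++ {
		go func(v int) {
			wg.Add(1) // too late: Wait below may already have returned
			defer wg.Done()
			results = append(results, v*v) // data race on results
		}(i)
	}
	wg.Wait()
	return results // usually short, sometimes corrupt under the race detector
}

// collectSafe: Add happens before the goroutine starts, and the append is
// guarded by a mutex so only one goroutine grows the slice at a time.
func collectSafe(n int) []int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	var results []int
	for i := 0; i < n; i++ {
		wg.Add(1) // before go, so Wait cannot return early
		go func(v int) {
			defer wg.Done()
			mu.Lock()
			results = append(results, v*v)
			mu.Unlock()
		}(i)
	}
	wg.Wait()
	sort.Ints(results) // completion order is arbitrary; sort for a stable result
	return results
}

// ErrNegative is the constructed error used by the Counter examples.
var ErrNegative = errors.New("negative value")

// Counter is an illustrative type guarded by a mutex.
type Counter struct {
	mu    sync.Mutex
	total int
}

// AddMissingUnlock: what missing-unlock-before-return flags. The early
// error return leaves mu locked, so the next Lock on it blocks forever.
func (c *Counter) AddMissingUnlock(v int) error {
	c.mu.Lock()
	if v < 0 {
		return ErrNegative // mu is never unlocked on this path
	}
	c.total += v
	c.mu.Unlock()
	return nil
}

// AddSafe defers the unlock so every return path releases the mutex.
func (c *Counter) AddSafe(v int) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if v < 0 {
		return ErrNegative
	}
	c.total += v
	return nil
}

// stillLocked reports whether c.mu is currently held. TryLock (Go 1.18+)
// never blocks, so this probe is safe to call on a stuck mutex.
func (c *Counter) stillLocked() bool {
	if c.mu.TryLock() {
		c.mu.Unlock()
		return false
	}
	return true
}

func main() {
	fmt.Println("racy collect returned", len(collectRacy(50)), "of 50 results")
	fmt.Println("safe collect returned", len(collectSafe(50)), "of 50 results")

	var c Counter
	fmt.Println("AddMissingUnlock(-1):", c.AddMissingUnlock(-1), "mutex still held:", c.stillLocked())
	var d Counter
	fmt.Println("AddSafe(-1):", d.AddSafe(-1), "mutex still held:", d.stillLocked())
}
```

Run the file with `go run -race` to see the race detector report the append in collectRacy; the Semgrep rules find the same shapes statically, before the code ever runs.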