-
Notifications
You must be signed in to change notification settings - Fork 616
/
Copy path.semgrep.yml
88 lines (87 loc) · 3.54 KB
/
.semgrep.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
rules:
- id: rfc-5737-ip-address
languages:
- go
message: Where a real IPv4 address isn't needed, use IPv4 addresses from RFC5737.
paths:
include:
- '*.go'
patterns:
- pattern-regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
- pattern-not-regex: '10\.\d+\.\d+.\d+'
- pattern-not-regex: '192\.168\.\d+.\d+'
- pattern-not-regex: '192\.0\.2\.\d+' # 192.0.2.0/24 (TEST-NET-1, rfc5737)
- pattern-not-regex: '198\.51\.100\.\d+' # 198.51.100.0/24 (TEST-NET-2, rfc5737)
- pattern-not-regex: '203\.0\.113\.\d+' # 203.0.113.0/24 (TEST-NET-3, rfc5737)
severity: WARNING
- id: rfc-3849-ip-address
languages:
- generic
message: Where a real IPv6 address isn't needed, use IPv6 addresses from RFC3849.
paths:
include:
- '*.go'
patterns:
- pattern-regex: '(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
severity: WARNING
- id: calling-errors-wrap
languages: [go]
message: 'Do not call `errors.Wrap`. Use `fmt.Errorf(".. : %w", err)` instead.'
patterns:
- pattern-either:
- pattern: |
errors.Wrap(...)
severity: WARNING
- id: no-use-of-stdlib-json
languages:
- go
message: Favour "github.com/goccy/go-json" instead of "encoding/json" to allow better customisation of marshaling and unmarshaling JSON attributes. See https://github.com/cloudflare/cloudflare-go/pull/1360 for full details.
paths:
include:
- '*.go'
patterns:
- pattern-regex: '\"encoding\/json\"'
fix-regex:
regex: \".*\"
replacement: '"github.com/goccy/go-json"'
severity: WARNING
- id: use-pointers-for-booleans
languages:
- go
message: |
Booleans should always be represented as pointers in structs with an omitempty marshaling tag (most commonly as JSON). This ensures you can determine unset, false and truthy values.
paths:
include:
- '*.go'
patterns:
- pattern-regex: "bool"
- pattern-not-regex: "\\*bool"
- pattern-either:
- pattern-inside: |
type $STRUCTNAME struct {
...
}
severity: WARNING
metadata:
references:
- https://github.com/cloudflare/cloudflare-go/blob/master/docs/conventions.md#booleans
- id: use-pointers-for-time
languages:
- go
message: |
time.Time should always be represented as pointers in structs.
paths:
include:
- '*.go'
patterns:
- pattern-regex: "time\\.Time"
- pattern-not-regex: "\\*time\\.Time"
- pattern-either:
- pattern-inside: |
type $STRUCTNAME struct {
...
}
severity: WARNING
metadata:
references:
- https://github.com/cloudflare/cloudflare-go/blob/master/docs/conventions.md#timetime