yaml.semgrep.metadata-category.metadata-category

Author: semgrep

This Semgrep rule is missing a valid 'category' field in the 'metadata'. 'category' must be one of 'security', 'correctness', 'best-practice', 'performance', 'maintainability', or 'portability'.

Note that the pattern below only checks that a 'category' key is present under 'metadata'; it does not validate the value. The 'category: python' cases in the test file are marked 'ok' for exactly that reason, so a check against the allowed list has to be done separately if you want to enforce it.

Definition

rules:
  - id: metadata-category
    message: This Semgrep rule is missing a valid 'category' field in the
      'metadata'. 'category' must be one of 'security', 'correctness',
      'best-practice', 'performance', 'maintainability', or 'portability'.
    severity: INFO
    patterns:
      - pattern-inside: "rules: [..., $RULE, ...]"
      - pattern: "id: $RULEID"
      - pattern-not-inside: |
          - ...
            metadata:
              ...
              category: $CATEGORY
    languages:
      - yaml
    metadata:
      category: best-practice
      technology:
        - semgrep
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

metadata-category.test.yaml

rules:
  # ruleid: metadata-category
  - id: unchecked-subprocess-call
    patterns:
      - pattern-either:
          - pattern: |
              subprocess.call(...)
          - pattern: |
              subprocess.call(...)
      - pattern-not-inside: |
          $S = subprocess.call(...)
      - pattern-not-inside: |
          subprocess.call(...) == $X
    message: >-
      bad stuff
    severity: WARNING
    fix: subprocess.check_call(...)
  # ok: metadata-category
  - id: subprocess-run
    patterns: subprocess.run(...)
    message: >-
      bad stuff
    severity: WARNING
    fix: subprocess.check_call(...)
    metadata:
      category: python
  - metadata:
      category: python
    # ok: metadata-category
    id: subprocess-run-2
    patterns: subprocess.run(...)
    message: >-
      bad stuff
    severity: WARNING
    fix: subprocess.check_call(...)
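The rule above reports a missing 'category' key but, as the test file shows, accepts any value once the key exists. The following stand-alone checker is an added example, not code from the Semgrep registry or from the rule itself: it walks a parsed rules file (the structure yaml.safe_load returns) and reports both a missing 'metadata.category' and a value outside the list given in the rule's message. The SAMPLE_RULES document is constructed for this example and only loosely mirrors metadata-category.test.yaml (the third rule is given an allowed category so that a passing case is visible); the PyYAML dependency in load_rules_file is an assumption about the environment it is run in.

```python
"""Check the 'category' metadata of Semgrep rules outside of Semgrep.

Added example for this page; not part of the semgrep registry or of the
metadata-category rule. Unlike the YAML pattern, it also validates the value.
"""
import sys
from typing import Any, Dict, List

# Allowed values, taken verbatim from the rule's message.
ALLOWED_CATEGORIES = frozenset({
    "security", "correctness", "best-practice",
    "performance", "maintainability", "portability",
})


def check_rules(doc: Dict[str, Any]) -> List[str]:
    """Return one finding per rule whose metadata.category is missing or not allowed.

    `doc` is a parsed rules file, i.e. {"rules": [ {...}, {...} ]}.
    An empty list means every rule passed.
    """
    findings: List[str] = []
    for index, rule in enumerate(doc.get("rules") or []):
        if not isinstance(rule, dict):
            findings.append(f"rules[{index}]: not a mapping")
            continue
        rule_id = rule.get("id", f"<rules[{index}]>")
        metadata = rule.get("metadata")
        # Same condition the Semgrep rule expresses with pattern-not-inside:
        # no metadata block, or a metadata block without a category key.
        if not isinstance(metadata, dict) or "category" not in metadata:
            findings.append(f"{rule_id}: missing metadata.category")
            continue
        # The extra check the Semgrep rule does not do: validate the value.
        category = metadata["category"]
        if category not in ALLOWED_CATEGORIES:
            findings.append(
                f"{rule_id}: metadata.category {category!r} is not one of "
                f"{sorted(ALLOWED_CATEGORIES)}"
            )
    return findings


def load_rules_file(path: str) -> Dict[str, Any]:
    """Parse a Semgrep rules file with PyYAML.

    PyYAML (pip install pyyaml) is imported lazily so the rest of the module,
    and check_rules in particular, works without it. Assumption: PyYAML is
    installed wherever this is run against real files.
    """
    import yaml  # third-party
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample, loosely based on metadata-category.test.yaml:
#   rule 1 has no metadata at all           -> missing
#   rule 2 has category: python             -> present but not allowed
#   rule 3 has category: best-practice      -> passes
SAMPLE_RULES: Dict[str, Any] = {
    "rules": [
        {"id": "unchecked-subprocess-call", "message": "bad stuff",
         "severity": "WARNING"},
        {"id": "subprocess-run", "message": "bad stuff", "severity": "WARNING",
         "metadata": {"category": "python"}},
        {"id": "subprocess-run-2", "message": "bad stuff", "severity": "WARNING",
         "metadata": {"category": "best-practice"}},
    ]
}


def main(argv: List[str]) -> int:
    """Check the files named on the command line, or the built-in sample."""
    if len(argv) > 1:
        findings: List[str] = []
        for path in argv[1:]:
            findings.extend(check_rules(load_rules_file(path)))
    else:
        findings = check_rules(SAMPLE_RULES)
    for finding in findings:
        print(finding)
    # Non-zero exit so a CI job fails when a rule is missing or mis-categorised.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two findings from the sample, or pass one or more rule files (for example the rules directory of your own registry) to use it as a pre-commit or CI gate alongside the Semgrep rule.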