yaml.semgrep.metadata-technology.metadata-technology

Author: semgrep
Download count: 198

This Semgrep rule is missing a 'technology' field in the 'metadata'. Consider adding a list of technologies based on the rule's associated library or framework, or another piece of relevant information.


Definition

rules:
  - id: metadata-technology
    message: This Semgrep rule is missing a 'technology' field in the 'metadata'.
      Consider adding a list of technologies based on the rule's associated
      library or framework, or another piece of relevant information.
    severity: INFO
    pattern-either:
      - patterns:
          - pattern-not-inside: |
              - ...
                mode: join
          - pattern-inside: "rules: [..., $RULE, ...]"
          - pattern: $RULE
          - pattern: |
              id: ...
              ...
          - pattern-not: |
              id: ...
              ...
              metadata:
                ...
                technology:
                  - ...
      - patterns:
          - pattern-inside: |
              id: $OUTER_RULEID
              mode: join
              join:
                rules: [ ..., $INNER_RULE, ...]
                ...
              ...
          - pattern-not: |
              id: $OUTER_RULEID
              ...
              metadata:
                ...
                technology:
                  - ...
    languages:
      - yaml
    metadata:
      category: best-practice
      technology:
        - semgrep
      references:
        - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/#technology
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
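As an added example (not code from the Semgrep registry or from the rule's own test file), the same policy expressed as a stand-alone Ruby script that uses only the standard-library YAML parser; it is a lightweight fallback check for a rules directory, not a replacement for running the rule with Semgrep. The sample rules file and the rule ids in it are constructed for illustration.

```ruby
require 'yaml'

# Compliant when metadata.technology is a non-empty list, which is the
# shape the Semgrep rule's `technology:\n  - ...` pattern looks for.
def technology_present?(rule)
  meta = rule['metadata']
  return false unless meta.is_a?(Hash)
  tech = meta['technology']
  tech.is_a?(Array) && !tech.empty?
end

# Ids of top-level rules lacking metadata.technology. Mirrors the rule's two
# branches: ordinary rules and the outer rule of a `mode: join` rule are
# checked, while the inner rules under `join.rules` are exempt (they are
# never visited because only the top-level `rules` list is walked).
def rules_missing_technology(yaml_text)
  doc = YAML.safe_load(yaml_text)
  rules = doc.is_a?(Hash) ? doc['rules'] : nil
  return [] unless rules.is_a?(Array)
  rules.select { |r| r.is_a?(Hash) && r.key?('id') }
       .reject { |r| technology_present?(r) }
       .map { |r| r['id'] }
end

# Constructed sample rules file (assumed input), modelled on the page's tests.
SAMPLE_RULES = <<~YAML
  rules:
    - id: unchecked-subprocess-call
      pattern: subprocess.call(...)
      metadata:
        category: best-practice
    - id: subprocess-run
      pattern: subprocess.run(...)
      metadata:
        technology: [python]
    - id: join-bad
      mode: join
      metadata:
        category: python
      join:
        rules:
          - id: bad-first
            languages: [generic]
            pattern: first
YAML

if __FILE__ == $PROGRAM_NAME
  missing = rules_missing_technology(SAMPLE_RULES)
  puts "missing metadata.technology: #{missing.join(', ')}" unless missing.empty?
end
```

Running the script against the sample reports `unchecked-subprocess-call` and `join-bad`, the same two findings the rule's test file marks with `ruleid:`.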

Examples

metadata-technology.test.yaml

rules:
  # ruleid: metadata-technology
  - id: unchecked-subprocess-call
    patterns:
      - pattern-either:
          - pattern: |
              subprocess.call(...)
          - pattern: |
              subprocess.call(...)
      - pattern-not-inside: |
          $S = subprocess.call(...)
      - pattern-not-inside: |
          subprocess.call(...) == $X
    message: >-
      bad stuff
    severity: WARNING
    fix: subprocess.check_call(...)
    metadata:
      category: best-practice
  # ok: metadata-technology
  - id: subprocess-run
    patterns: subprocess.run(...)
    message: >-
      bad stuff
    severity: WARNING
    fix: subprocess.check_call(...)
    metadata:
      category: python
      technology:
        - semgrep
  # ok: metadata-technology
  - metadata:
      category: python
      technology:
        - semgrep
    id: subprocess-run-2
    patterns: subprocess.run(...)
    message: >-
      bad stuff
    severity: WARNING
    fix: subprocess.check_call(...)
  # ok: metadata-technology
  - id: join-ok
    message: join-ok
    severity: WARNING
    mode: join
    metadata:
      category: python
      technology:
        - semgrep
    join:
      rules:
        - id: ok-first
          languages: [generic]
          patterns: |
            first
        - id: ok-second
          languages: [generic]
          patterns: |
            second
  # ruleid: metadata-technology
  - id: join-bad
    message: join-bad
    severity: WARNING
    mode: join
    metadata:
      category: python
    join:
      rules:
        - id: bad-first
          languages: [generic]
          patterns: |
            first
        - id: bad-second
          languages: [generic]
          patterns: |
            second