A collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Find common bugs, errors, and logic issues in popular languages.
Default ruleset for OCaml, by Semgrep
Comparison to boolean. Just use `$X`
Comparison to boolean. Just use `not $X`
You should not re-raise exceptions using 'raise' because it loses track of where the exception was raised originally, leading to a useless and possibly confusing stack trace. Instead, you should obtain a stack backtrace as soon as the exception is caught using 'try ... with exn -> let trace = Printexc.get_raw_backtrace () in ...', and keep it around until you re-raise the exception using 'Printexc.raise_with_backtrace exn trace'. You must collect the stack backtrace before calling another function which might internally raise and catch exceptions. To avoid false positives from Semgrep, write 'raise (Foo args)' instead of 'let e = Foo args in raise e'.
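As an added illustration of this rule (not code from the Semgrep ruleset), the following OCaml snippet contrasts a plain re-raise, which loses the original raise point, with the recommended capture-then-re-raise pattern; `Parse_error`, `parse_config` and the two `load_*` functions are hypothetical names chosen for the example.

```ocaml
(* Added example, not part of the Semgrep ruleset. Run with backtraces
   enabled, e.g.:  OCAMLRUNPARAM=b ocaml this_file.ml  *)

exception Parse_error of string

(* Hypothetical function that fails somewhere deep in a call chain. *)
let parse_config (s : string) : int =
  if s = "" then raise (Parse_error "empty input") else String.length s

(* Wrong: a plain [raise e] records a new raise point, so the backtrace
   reported to the caller starts here instead of inside [parse_config]. *)
let load_bad s =
  try parse_config s
  with e ->
    prerr_endline "cleanup (bad)";
    raise e

(* Right: capture the raw backtrace first thing in the handler, before
   calling anything else that might raise and catch internally, then
   re-raise with that backtrace attached. *)
let load_good s =
  try parse_config s
  with e ->
    let trace = Printexc.get_raw_backtrace () in
    prerr_endline "cleanup (good)";
    Printexc.raise_with_backtrace e trace

(* Drive both variants and print the backtrace each one leaves behind:
   only [load_good] still points at the raise inside [parse_config]. *)
let () =
  Printexc.record_backtrace true;
  List.iter
    (fun (name, f) ->
      match f "" with
      | _ -> ()
      | exception Parse_error msg ->
        Printf.printf "%s: Parse_error %S\n%s\n" name msg
          (Printexc.raw_backtrace_to_string (Printexc.get_raw_backtrace ())))
    [ ("load_bad", load_bad); ("load_good", load_good) ]
```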
Hashtbl.find raises Not_found when the key is absent. Either call it inside a try ... with Not_found, or use Hashtbl.find_opt instead.
Useless else. Just remove the else branch.
Backwards if. Rewrite the code as 'if not $E then $E2'.
List.find raises Not_found when no element matches. Either call it inside a try ... with Not_found, or use List.find_opt instead.
You should use `incr`
You should use `decr`
Use instead `Str.first_chars`
Use instead `Str.string_after`
Use instead `Str.last_chars`
Pervasives is deprecated and will not be available after 4.10. Use Stdlib.
You probably want the structural equality operator =
You probably want the structural inequality operator <>
This comparison is useless because the expressions being compared are identical. This is expected to always return the same result, 0, unless your code is really strange.
This is always true. If testing for floating point NaN, use `Float.is_nan` instead.
Useless if. Both branches are equal.
You probably want $X = , which is faster.
You probably want $X <> , which is faster.
'input_line' leaves a '\r' (CR) character when reading lines from a Windows text file, whose lines end in "\r\n" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning.
'open_in' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_in_bin' or 'open_in_gen [Open_binary]'. If you really want CRLF-to-LF translations to take place when running on Windows, use 'open_in_gen [Open_text]'.
'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'.
You should probably use Filename.get_temp_dir_name ().
Digest uses MD5 and should not be used for security purposes. Consider using SHA256 instead.
Executing external programs might lead to command or argument injection vulnerabilities.
When attacker-supplied data is passed to Filename.concat, directory traversal attacks might be possible.
Creating a Hashtbl without the optional `random` parameter makes it prone to DoS attacks when attackers are able to fill the table with malicious content. Calling Hashtbl.randomize or setting the R flag in OCAMLRUNPARAM are other ways to randomize it.
Marshalling is currently not type-safe and can lead to insecure behaviour when untrusted data is passed through Marshal. Marshalling can also lead to out-of-bounds reads.
Filename.temp_file might lead to race conditions, since the file could be altered or replaced by a symlink before being opened.
Unsafe functions do not perform bounds checks or have other side effects; use them with care.