
Enhancing Code Quality: Expanding Semgrep Rule Coverage Using Automated Documentation Crawling

Original Post: Scaling Semgrep rule coverage by spidering language documentation

Summary:

Semgrep has significantly expanded its C# rule coverage for the .NET standard library, adding rules for vulnerability classes such as XML External Entities (XXE), cross-site scripting, path traversal and SQL injection. Developers pick up the new rules by updating the Semgrep CLI and can browse them in the Semgrep registry. To find candidates for further rules, r2c's Security Research team wrote a crawler in Go, built on the Colly library, that spiders Microsoft's .NET documentation and collects the security warnings attached to individual classes and members. Those warnings pinpoint specific misuse patterns in .NET classes and yield new test cases for Semgrep. Future improvements may include fuzzy matching and sentiment analysis so the crawler catches security-relevant notes that a plain keyword scan misses.
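The following Go program is an added illustration of the documentation-driven workflow the summary describes; it is not r2c's crawler and does not use Colly. It runs offline over a constructed, embedded stand-in for one .NET API reference page (not real Microsoft content), extracts the page's callout boxes with standard-library regular expressions, keeps only those whose text matches an assumed security vocabulary, and emits a Semgrep rule skeleton for a human to finish. The page markup, the keyword list and the rule-id scheme are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one security-relevant callout lifted from an API reference page.
type Finding struct {
	Class  string // fully qualified type, e.g. System.Xml.XmlReaderSettings
	Member string // member the page documents; empty for a type-level page
	Kind   string // callout kind as the page labels it: warning, info, ...
	Text   string // callout text with markup stripped
}

// sampleDoc is a constructed stand-in for a single .NET API reference page.
// It is not real Microsoft content; only the callout pattern (a div with
// class "alert is-<kind>") is assumed to resemble the live documentation.
const sampleDoc = `<html><head><title>XmlReaderSettings.DtdProcessing Property (System.Xml)</title></head>
<body>
<h1>XmlReaderSettings.DtdProcessing Property</h1>
<div class="alert is-warning"><p class="alert-title">Warning</p>
<p>Setting DtdProcessing to Parse enables DTD processing, which exposes the
reader to XML External Entity (XXE) and denial of service attacks.</p></div>
<p>Gets or sets a value that determines the processing of DTDs.</p>
<div class="alert is-info"><p class="alert-title">Note</p>
<p>The default value is Prohibit.</p></div>
</body></html>`

var (
	titleRe    = regexp.MustCompile(`<title>([^<]*)</title>`)
	alertRe    = regexp.MustCompile(`(?s)<div class="alert is-([a-z]+)">(.*?)</div>`)
	alertTitle = regexp.MustCompile(`(?s)<p class="alert-title">.*?</p>`)
	tagRe      = regexp.MustCompile(`<[^>]+>`)
	spaceRe    = regexp.MustCompile(`\s+`)
	nsRe       = regexp.MustCompile(`\(([^)]+)\)`)
)

// securityKeywords is an assumed vocabulary that marks a callout as a rule
// candidate; a real crawler would tune this list against many pages.
var securityKeywords = []string{
	"attack", "injection", "external entity", "xxe", "untrusted",
	"malicious", "denial of service", "security", "traversal", "cross-site",
}

// stripTags drops HTML tags and collapses whitespace.
func stripTags(s string) string {
	s = tagRe.ReplaceAllString(s, " ")
	return strings.TrimSpace(spaceRe.ReplaceAllString(s, " "))
}

// parseTitle splits a title such as "XmlReaderSettings.DtdProcessing Property
// (System.Xml)" into a namespace-qualified class and the member name, if any.
func parseTitle(doc string) (class, member string) {
	m := titleRe.FindStringSubmatch(doc)
	if m == nil {
		return "", ""
	}
	title := strings.TrimSpace(m[1])
	fields := strings.Fields(title)
	if len(fields) == 0 {
		return "", ""
	}
	parts := strings.SplitN(fields[0], ".", 2)
	class = parts[0]
	if len(parts) == 2 {
		member = parts[1]
	}
	if n := nsRe.FindStringSubmatch(title); n != nil {
		class = n[1] + "." + class
	}
	return class, member
}

func isSecurityRelevant(text string) bool {
	lower := strings.ToLower(text)
	for _, kw := range securityKeywords {
		if strings.Contains(lower, kw) {
			return true
		}
	}
	return false
}

// securityWarnings returns every callout on the page whose text matches the
// security vocabulary. Purely informational notes (defaults, remarks) are
// dropped so they do not become rule candidates.
func securityWarnings(doc string) []Finding {
	class, member := parseTitle(doc)
	var out []Finding
	for _, m := range alertRe.FindAllStringSubmatch(doc, -1) {
		kind := m[1]
		text := stripTags(alertTitle.ReplaceAllString(m[2], ""))
		if !isSecurityRelevant(text) {
			continue
		}
		out = append(out, Finding{Class: class, Member: member, Kind: kind, Text: text})
	}
	return out
}

// semgrepRuleStub turns a finding into a Semgrep rule skeleton. The id and
// message come from the page; the pattern matches any reference to the
// member (or any construction of the type) and must be narrowed by hand.
func semgrepRuleStub(f Finding) string {
	short := f.Class[strings.LastIndex(f.Class, ".")+1:]
	id := "csharp.dotnet." + strings.ToLower(short)
	pattern := "new " + short + "(...)"
	if f.Member != "" {
		id += "-" + strings.ToLower(f.Member)
		pattern = "$X." + f.Member
	}
	msg := strings.ReplaceAll(f.Text, `"`, `\"`)
	return fmt.Sprintf(`rules:
  - id: %s
    languages: [csharp]
    severity: WARNING
    message: "%s"
    pattern: %s
    metadata:
      class: %s
      source-callout: %s
      review: placeholder pattern generated from a documentation warning; narrow it by hand
`, id, msg, pattern, f.Class, f.Kind)
}

func main() {
	for _, f := range securityWarnings(sampleDoc) {
		fmt.Print(semgrepRuleStub(f))
	}
}
```

On the sample page the info callout about the default value is discarded and only the XXE warning survives, so one rule skeleton is printed. Sentiment analysis or fuzzy matching, as the summary mentions, would replace the fixed keyword list in isSecurityRelevant; the rest of the pipeline stays the same.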
