Original Post: Type-awareness in semantic grep
Semgrep, an open source static analysis tool by r2c, now supports specifying types in code patterns, allowing for more precise detection of bugs, antipatterns, and best practice enforcement. In Java, you use types in patterns with syntax like (Type $VAR), and in Golang with ($VAR : Type). This enhancement addresses issues with traditional regex by reducing irrelevant results and understanding code more contextually. Semgrep uses a "generic AST" (Abstract Syntax Tree) for structural comparison of patterns to the given code. Typed metavariables remember and match the types of variables, improving precision by filtering out unwanted matches. This feature currently supports Java and Golang, with more language support in progress.
For example, a Java code pattern to catch SQL injection vulnerabilities can be simplified with typed metavariables:
- pattern: query((String $X))Additionally, Golang syntax adaptation allows patterns like:
- pattern: ($X : float) == $YUnder the hood, Semgrep uses unique IDs for variables and their types, enhancing pattern matching accuracy. While useful, the feature is still being developed and does not yet support complex cases like function applications or field accesses in structs. The extension aims to support more languages in the future, focusing first on statically typed languages.
The blog also acknowledges contributions from various team members and mentors.
Go here to read the Original Post