"""Defines the SAST integration for Semgrep Community Edition.
This module provides the `SemgrepCESAST` class, which configures and orchestrates
the execution of Semgrep Community Edition scans using the core SAST framework.
"""
from pathlib import Path
from codesectools.sasts.core.sast import BuildlessSAST
from codesectools.sasts.core.sast.properties import SASTProperties
from codesectools.sasts.core.sast.requirements import (
Binary,
GitRepo,
SASTRequirements,
)
from codesectools.sasts.tools.SemgrepCE.parser import SemgrepCEAnalysisResult
from codesectools.utils import USER_CACHE_DIR
class SemgrepCESAST(BuildlessSAST):
    """Buildless SAST integration for Semgrep Community Edition.

    Runs ``semgrep scan`` against the locally cached ``semgrep-rules`` checkout
    for the dataset language and reads back a single JSON report.

    Attributes:
        name (str): Identifier of the SAST tool.
        supported_languages (list[str]): Languages this integration can scan.
        supported_dataset_names (list[str]): Datasets this integration can run on.
        properties (SASTProperties): Tool properties (free, usable offline).
        requirements (SASTRequirements): Binaries and repositories the tool needs
            (``semgrep`` itself, and the ``semgrep-rules`` git checkout).
        commands (list[list[str]]): Command templates; the literal ``{lang}``
            placeholder is substituted by the framework before execution.
        valid_codes (list[int]): Exit codes that are not treated as a failure.
        output_files (list[tuple[Path, bool]]): Expected output files and
            whether each one is required.
        parser (type[SemgrepCEAnalysisResult]): Parser for the JSON report.
        color_mapping (dict): Result severity -> plot color.
    """

    name = "SemgrepCE"
    supported_languages = ["java", "c"]
    supported_dataset_names = ["BenchmarkJava", "CVEfixes"]
    properties = SASTProperties(free=True, offline=True)
    requirements = SASTRequirements(
        full_reqs=[
            Binary(
                "semgrep",
                url="https://semgrep.dev/docs/getting-started/quickstart",
            ),
        ],
        partial_reqs=[
            GitRepo(
                name="semgrep-rules",
                repo_url="https://github.com/semgrep/semgrep-rules.git",
                license="Semgrep Rules License v. 1.0",
                license_url="https://semgrep.dev/legal/rules-license/",
            ),
        ],
    )
    # ``{lang}`` is kept literal on purpose: the framework renders it into the
    # language-specific sub-directory of the cached rules checkout at run time.
    commands = [
        [
            "semgrep",
            "scan",
            "--config=" + str(USER_CACHE_DIR / "semgrep-rules" / "{lang}"),
            # Metrics upload is switched off so a scan has no network side
            # effects, matching the ``offline=True`` property above.
            "--metrics=off",
            "--json-output=semgrepce_output.json",
        ],
    ]
    # Semgrep exits non-zero when it reports findings, which is the expected
    # outcome of a scan rather than a failure; see
    # https://semgrep.dev/docs/cli-reference#exit-codes
    valid_codes = [0, 1]
    output_files = [(Path("semgrepce_output.json"), True)]
    parser = SemgrepCEAnalysisResult
    color_mapping = dict(HIGH="RED", MEDIUM="ORANGE", LOW="YELLOW")