[PLUTO-1411] add Semgrep test (#109)

zhamborova · web-flow · commit 027361f1d958 · 2025-05-08T17:37:41.000+02:00
diff --git a/.github/workflows/it-test.yml b/.github/workflows/it-test.yml
@@ -1,13 +1,10 @@
-name: Pylint plugin test
+name: plugin it-test
 
 permissions:
   contents: write
 
 on:
   push:
-    paths:
-      - 'plugins/tools/pylint/**'
-
 
 jobs:
   test:
@@ -27,19 +24,32 @@ jobs:
           go build -o cli-v2 ./cli-v2.go
           chmod +x cli-v2
 
-      - name: Run Pylint plugin tests
+      - name: Run plugin tests
         run: |
-          # Store the path to the CLI
-          CLI_PATH="$(pwd)/cli-v2"
-          # Change to test directory
-          cd plugins/tools/pylint/test/src
-          # Install the plugin
-          "$CLI_PATH" install
-          # Run analysis
-          "$CLI_PATH" analyze --tool pylint --format sarif --output actual.sarif
-          # Convert absolute paths to relative paths in the output
-          sed -i 's|file:///home/runner/work/codacy-cli-v2/codacy-cli-v2/|file:///|g' actual.sarif
-          # Compare with expected output
-          jq --sort-keys . expected.sarif > expected.sorted.json
-          jq --sort-keys . actual.sarif > actual.sorted.json
-          diff expected.sorted.json actual.sorted.json
+          run_test() {
+            local tool=$1
+            local jq_filter=$2
+            echo "Running $tool tests..."
+            # Store the path to the CLI
+            CLI_PATH="$(pwd)/cli-v2"
+            # Change to test directory
+            cd plugins/tools/$tool/test/src
+            # Install the plugin
+            "$CLI_PATH" install
+            # Run analysis
+            "$CLI_PATH" analyze --tool $tool --format sarif --output actual.sarif
+            # Convert absolute paths to relative paths in the output
+            sed -i 's|file:///home/runner/work/codacy-cli-v2/codacy-cli-v2/|file:///|g' actual.sarif
+            # Compare with expected output
+            jq --sort-keys "$jq_filter" expected.sarif > expected.sorted.json
+            jq --sort-keys "$jq_filter" actual.sarif > actual.sorted.json
+            diff expected.sorted.json actual.sorted.json
+            # Go back to root directory
+            cd ../../../../..
+          }
+
+          # Run Pylint tests with simple sorting
+          run_test "pylint" "."
+
+          # Run Semgrep tests with rules sorting
+          run_test "semgrep" ".runs[0].tool.driver.rules |= if . then sort_by(.id) else . end"
diff --git a/plugins/tools/semgrep/test/src/.codacy/codacy.yaml b/plugins/tools/semgrep/test/src/.codacy/codacy.yaml
@@ -0,0 +1,4 @@
+runtimes:
+    - python@3.11.11
+tools:
+    - semgrep@1.78.0
diff --git a/plugins/tools/semgrep/test/src/.codacy/tools-configs/semgrep.yml b/plugins/tools/semgrep/test/src/.codacy/tools-configs/semgrep.yml
@@ -0,0 +1,21 @@
+rules:
+  - id: python.requests.security.no-http-url
+    pattern: requests.get("http://...")
+    message: "Insecure HTTP URL in requests.get()"
+    severity: WARNING
+    languages: [python]
+
+  - id: python.cryptography.bad-cryptography
+    pattern: |
+      from cryptography.fernet import Fernet
+      key = Fernet.generate_key()
+      f = Fernet(key)
+    message: "Using Fernet for encryption without proper key management"
+    severity: WARNING
+    languages: [python]
+
+  - id: python.security.audit.avoid-assert
+    pattern: assert $X
+    message: "Use of assert statement in production code"
+    severity: WARNING
+    languages: [python] 
diff --git a/plugins/tools/semgrep/test/src/expected.sarif b/plugins/tools/semgrep/test/src/expected.sarif
@@ -0,0 +1,86 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "invocations": [
+        {
+          "executionSuccessful": true,
+          "toolExecutionNotifications": []
+        }
+      ],
+      "results": [],
+      "tool": {
+        "driver": {
+          "name": "Semgrep OSS",
+          "rules": [
+            {
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "Insecure HTTP URL in requests.get()"
+              },
+              "help": {
+                "markdown": "Insecure HTTP URL in requests.get()",
+                "text": "Insecure HTTP URL in requests.get()"
+              },
+              "id": "codacy.tools-configs.python.requests.security.no-http-url",
+              "name": "codacy.tools-configs.python.requests.security.no-http-url",
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: codacy.tools-configs.python.requests.security.no-http-url"
+              }
+            },
+            {
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "Use of assert statement in production code"
+              },
+              "help": {
+                "markdown": "Use of assert statement in production code",
+                "text": "Use of assert statement in production code"
+              },
+              "id": "codacy.tools-configs.python.security.audit.avoid-assert",
+              "name": "codacy.tools-configs.python.security.audit.avoid-assert",
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: codacy.tools-configs.python.security.audit.avoid-assert"
+              }
+            },
+            {
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "Using Fernet for encryption without proper key management"
+              },
+              "help": {
+                "markdown": "Using Fernet for encryption without proper key management",
+                "text": "Using Fernet for encryption without proper key management"
+              },
+              "id": "codacy.tools-configs.python.cryptography.bad-cryptography",
+              "name": "codacy.tools-configs.python.cryptography.bad-cryptography",
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: codacy.tools-configs.python.cryptography.bad-cryptography"
+              }
+            }
+          ],
+          "semanticVersion": "1.78.0"
+        }
+      }
+    }
+  ]
+}
diff --git a/plugins/tools/semgrep/test/src/test_file.py b/plugins/tools/semgrep/test/src/test_file.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Test file for semgrep analysis
+"""
+
+import os
+import sys
+import subprocess
+
+def unsafe_command_execution():
+    """Function with unsafe command execution"""
+    user_input = "ls -la"
+    os.system(user_input)  # semgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
+    subprocess.run(user_input, shell=True)  # semgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
+
+def hardcoded_password():
+    """Function with hardcoded password"""
+    password = "mysecretpassword123"  # semgrep: python.lang.security.audit.hardcoded-password.hardcoded-password
+    return password
+
+def unsafe_deserialization():
+    """Function with unsafe deserialization"""
+    import pickle
+    data = b"cos\nsystem\n(S'ls -la'\ntR."
+    pickle.loads(data)  # semgrep: python.lang.security.audit.pickle.avoid-pickle
+
+def main():
+    unsafe_command_execution()
+    hardcoded_password()
+    unsafe_deserialization()
+
+if __name__ == "__main__":
+    main() 
