fix: not recommended patterns are now included in semgrep config CF-1809

Author: pedrobpereira

cmd/init_test.go

@@ -25,7 +25,7 @@ func TestConfigFileTemplate(t *testing.T) {
 				"node@22.2.0",
 				"python@3.11.11",
 				"eslint@8.57.0",
-				"trivy@0.65.0",
+				"trivy@0.66.0",
 				"pylint@3.3.6",
 				"pmd@7.11.0",
 			},

integration-tests/config-discover/expected/codacy.yaml

@@ -10,4 +10,4 @@ tools:
     - pmd@7.11.0
     - pylint@3.3.6
     - semgrep@1.78.0
-    - trivy@0.65.0
+    - trivy@0.66.0

integration-tests/init-with-token/expected/codacy.yaml

@@ -8,4 +8,4 @@ tools:
     - pmd@6.55.0
     - pylint@3.3.7
     - semgrep@1.78.0
-    - trivy@0.65.0
+    - trivy@0.66.0

integration-tests/init-without-token/expected/codacy.yaml

@@ -12,4 +12,4 @@ tools:
     - pylint@3.3.6
     - revive@1.7.0
     - semgrep@1.78.0
-    - trivy@0.65.0
+    - trivy@0.66.0

integration-tests/init-without-token/expected/tools-configs/semgrep.yaml

@@ -149,6 +149,24 @@ rules:
                       (.setFeature "http://xml.org/sax/features/external-general-entities" false)
                       ...)
       severity: ERROR
+    - id: bash.lang.correctness.unquoted-expansion.unquoted-variable-expansion-in-command
+      languages:
+        - bash
+      message: Variable expansions must be double-quoted so as to prevent being split into multiple pieces according to whitespace or whichever separator is specified by the IFS variable. If you really wish to split the variable's contents, you may use a variable that starts with an underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array, consider using a proper bash array.
+      metadata:
+        category: correctness
+        technology:
+            - bash
+      patterns:
+        - pattern-either:
+            - pattern: |
+                ... ${$VAR} ...
+            - pattern: |
+                ... ...${$VAR}... ...
+        - metavariable-regex:
+            metavariable: $VAR
+            regex: '[*@0-9]|[A-Za-z].*'
+      severity: INFO
     - id: clojure.lang.security.use-of-md5.use-of-md5
       languages:
         - clojure

plugins/tools/trivy/plugin.yaml

@@ -1,6 +1,6 @@
 name: trivy
 description: Trivy is a comprehensive security scanner for containers and other artifacts.
-default_version: 0.65.0
+default_version: 0.66.0
 download:
   url_template: "https://github.com/aquasecurity/trivy/releases/download/v{{.Version}}/trivy_{{.Version}}_{{.OS}}-{{.Arch}}.{{.Extension}}"
   file_name_template: "trivy_{{.Version}}_{{.OS}}_{{.Arch}}"

plugins/tools/trivy/test/expected.sarif

@@ -34,7 +34,7 @@
             "text": "Package: brace-expansion\nInstalled Version: 1.1.11\nVulnerability CVE-2025-5889\nSeverity: LOW\nFixed Version: 2.0.2, 1.1.12, 3.0.1, 4.0.1\nLink: [CVE-2025-5889](https://avd.aquasec.com/nvd/cve-2025-5889)"
           },
           "ruleId": "CVE-2025-5889",
-          "ruleIndex": 0
+          "ruleIndex": 4
         },
         {
           "level": "error",
@@ -115,7 +115,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2021-33203\nSeverity: MEDIUM\nFixed Version: 2.2.24, 3.1.12, 3.2.4\nLink: [CVE-2021-33203](https://avd.aquasec.com/nvd/cve-2021-33203)"
           },
           "ruleId": "CVE-2021-33203",
-          "ruleIndex": 3
+          "ruleIndex": 5
         },
         {
           "level": "warning",
@@ -142,7 +142,34 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2024-45231\nSeverity: MEDIUM\nFixed Version: 5.1.1, 5.0.9, 4.2.16\nLink: [CVE-2024-45231](https://avd.aquasec.com/nvd/cve-2024-45231)"
           },
           "ruleId": "CVE-2024-45231",
-          "ruleIndex": 4
+          "ruleIndex": 6
+        },
+        {
+          "level": "error",
+          "locations": [
+            {
+              "message": {
+                "text": "requirements.txt: django@1.11.29"
+              },
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "requirements.txt",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "endColumn": 1,
+                  "endLine": 1,
+                  "startColumn": 1,
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2025-57833\nSeverity: HIGH\nFixed Version: 4.2.24, 5.1.12, 5.2.6\nLink: [CVE-2025-57833](https://avd.aquasec.com/nvd/cve-2025-57833)"
+          },
+          "ruleId": "CVE-2025-57833",
+          "ruleIndex": 3
         },
         {
           "level": "warning",
@@ -178,10 +205,10 @@
           "informationUri": "https://github.com/aquasecurity/trivy",
           "name": "Trivy",
           "rules": null,
-          "version": "0.65.0"
+          "version": "0.66.0"
         }
       }
     }
   ],
   "version": "2.1.0"
-}
+}

tools/semgrepConfigCreator.go

@@ -35,7 +35,7 @@ func FilterRulesFromFile(rulesData []byte, config []domain.PatternConfiguration)
 	// Create a map of enabled pattern IDs for faster lookup
 	enabledPatterns := make(map[string]bool)
 	for _, pattern := range config {
-		if pattern.Enabled && pattern.PatternDefinition.Enabled {
+		if pattern.Enabled {
 			// Extract rule ID from pattern ID
 			parts := strings.SplitN(pattern.PatternDefinition.Id, "_", 2)
 			if len(parts) == 2 {

tools/testdata/repositories/trivy/expected.sarif

@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.65.0"
+          "version": "0.66.0"
         }
       },
       "results": [