implement semgrep in github worflow for project (#1979)
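--- a/.github/workflows/jobs.yaml
+++ b/.github/workflows/jobs.yaml
@@ -24,6 +24,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ubuntu-latest
 
     strategy:
@@ -92,6 +93,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ubuntu-latest
 
     strategy:
@@ -160,6 +162,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ubuntu-latest
 
     strategy:
@@ -256,6 +259,22 @@ jobs:
           curl -L -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/${nancy_version}/nancy-${nancy_version}-linux-amd64 && chmod +x nancy
           go list -deps -json ./... | jq -s 'unique_by(.Module.Path)|.[]|select(has("Module"))|.Module' | ./nancy sleuth
 
+  semgrep-static-code-analysis:
+    name: "semgrep checks"
+    runs-on: ${{ matrix.os }}
+    container:
+      image: "returntocorp/semgrep"
+    strategy:
+      matrix:
+        os: [ ubuntu-latest ]
+    steps:
+      - name: Check out source code
+        uses: actions/checkout@v2
+      - name: Scanning code on ${{ matrix.os }}
+        continue-on-error: false
+        run: |
+          semgrep --config semgrep.yaml $(pwd)/portal-ui --error
+
   no-warnings-and-make-assets:
     name: "React Code Has No Warnings and then Make Assets"
     runs-on: ${{ matrix.os }}
@@ -350,6 +369,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -428,6 +448,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -506,6 +527,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -585,6 +607,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     timeout-minutes: 5
     strategy:
@@ -654,6 +677,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -722,6 +746,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -790,6 +815,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -863,6 +889,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -900,6 +927,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -937,6 +965,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -974,6 +1003,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -1011,6 +1041,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -1048,6 +1079,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -1085,6 +1117,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -1122,6 +1155,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -1167,6 +1201,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ubuntu-latest
 
     strategy:
@@ -1235,6 +1270,7 @@ jobs:
       - no-warnings-and-make-assets
       - reuse-golang-dependencies
       - vulnerable-dependencies-checks
+      - semgrep-static-code-analysis
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2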
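Review bot: The new `semgrep-static-code-analysis` job (hunk `@@ -256,6 +259,22 @@`) pins neither its scanner nor its action: `image: "returntocorp/semgrep"` has no tag, so the registry's default tag is pulled at run time, and `actions/checkout@v2` is a mutable tag, which means the gate that blocks merges can change underneath the workflow without any commit to this repository. Pinning the image to a version tag or digest, e.g. `image: "returntocorp/semgrep@sha256:<digest-placeholder>"`, and the action to a commit SHA makes the check reproducible and lets a reviewer see when the scanner moves. `continue-on-error: false` on the scanning step is the default value and can be dropped. Only `$(pwd)/portal-ui` is scanned, so the repository's Go code is not covered by this job; if that is intended, a one-line comment on the `run:` step saying so would keep the next maintainer from assuming the whole tree is checked. The same unpinned `actions/checkout@v2` appears in the existing context of the last hunk and elsewhere in the file outside these hunks.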
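--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,33 @@
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large paths
+node_modules/
+portal-ui/node_modules/
+build/
+dist/
+.idea/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# Ignore VsCode files
+.vscode/
+*.code-workspace
+*~
+.eslintcache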
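--- /dev/null
+++ b/semgrep.yaml
@@ -0,0 +1,78 @@
+rules:
+  - id: js-func-encode-uri-Component
+    patterns:
+      - pattern: encodeURIComponent($X)
+      - pattern-not-inside: |
+          export const encodeURLString = (...) => {
+            ...
+          };
+    message: Use encodeURLString() instead of encodeURIComponent()
+    languages:
+      - typescript
+      - javascript
+    severity: WARNING
+    fix: encodeURLString($X)
+  - id: js-func-encode-uri
+    patterns:
+      - pattern: encodeURI($X)
+    message: Use encodeURLString() instead of encodeURI()
+    languages:
+      - typescript
+      - javascript
+    severity: WARNING
+    fix: encodeURLString($X)
+  - id: js-dangerous-func-document-write
+    patterns:
+      - pattern: document.write(...)
+    message: Don't render html directly into the page, use React components instead
+    languages:
+      - typescript
+      - javascript
+    severity: WARNING
+  - id: js-dangerous-func-assign-document-write
+    patterns:
+      - pattern: |
+          $X1 = document
+          ...
+          $X1.write(...)
+    message: Don't render html directly into the page, use React components instead
+    languages:
+      - typescript
+      - javascript
+    severity: WARNING
+  - id: js-dangerous-func-document-writeln
+    patterns:
+      - pattern: document.writeln(...)
+    message: Don't render html directly into the page, use React components instead
+    languages:
+      - typescript
+      - javascript
+    severity: WARNING
+  - id: js-dangerous-func-assign-document-writeln
+    patterns:
+      - pattern: |
+          $X1 = document
+          ...
+          $X1.writeln(...)
+    message: Don't render html directly into the page, use React components instead
+    languages:
+      - typescript
+      - javascript
+    severity: WARNING
+  - id: react-dangerouslysetinnerhtml
+    languages:
+      - typescript
+      - javascript
+    message: "Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack."
+    pattern-either:
+      - pattern: |
+          <$X dangerouslySetInnerHTML=... />
+      - pattern: |
+          {dangerouslySetInnerHTML: ...}
+      - pattern: |
+          $X1.innerHTML=...
+      - pattern: |
+          $X1.outerHTML=...
+      - pattern: |
+          $X1.insertAdjacentHTML=...
+    severity: WARNING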
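Review bot: The last alternative of `react-dangerouslysetinnerhtml`, `$X1.insertAdjacentHTML=...`, matches an assignment to a property, but `insertAdjacentHTML` is a DOM method that is called with a position and an HTML string, so this pattern never fires on the sink it is meant to catch; it should read `- pattern: $X1.insertAdjacentHTML(...)`. The four `document.write`/`document.writeln` rules carry an identical message and could be a single rule with a `pattern-either` over the four shapes, which keeps the guidance in one place when it changes. The id `js-func-encode-uri-Component` mixes cases where every other id is lower-case kebab-case; `js-func-encode-uri-component` would match the rest of the file. None of the rules has a `metadata:` block, so a short `metadata: { category: security }` style entry (or at least a comment above `react-dangerouslysetinnerhtml` naming the XSS class it targets) would help readers of the scan output understand why a finding blocks the build.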