Code Review with Semgrep Custom Rules

Code Review with Semgrep Custom Rules
Semgrep custom rule online editor

In this post, we will discuss how Semgrep can be integrated into your code review process. If you are unfamiliar with Semgrep, we recommend checking out our previous article on the topic:

Improving Your Code Review Process With Semgrep

Codereview and Semgrep

Code review is a crucial step in the software development workflow, as it allows team members to review and critique each other's code.

However, code review can sometimes be a source of contention, with debates over code style or disagreements over team coding standards.

Additionally, there may be cases where the team lacks domain expertise, leading to the inclusion of vulnerabilities in the code. Semgrep can help address these issues by promoting consistent coding practices and identifying potential vulnerabilities.

Let's take a closer look at how Semgrep can be utilized in the code review process.

Cases

In this section, we will examine three cases where Semgrep custom rules can be utilized to improve code quality.

Case 1: Preventing the use of System.out in Java. It is not uncommon for team members to use System.out for logging or debugging purposes. However, this practice can be problematic. The following custom rule can help address this issue:

rules:
  - id: logging-via-system-out
    pattern: System.out.$PRINT($ARG);
    message: Using system out as logging method.
    languages: [java]
    severity: WARNING

If your team has established logging standards, the fix function can be used to automatically replace instances of System.out with a preferred logging method. For example:

rules:
  - id: logging-via-system-out
    pattern: System.out.$PRINT($ARG);
    message: Using system out as logging method.
    fix: log.info($ALG)
    languages: [java]
    severity: WARNING

Case 2: Disallowing system calls. In some situations, it may be desirable to prohibit system commands in order to protect the user's device or cloud machine. The following custom rule can be used to detect and prevent the execution of system commands:

rules:
  - id: java-rec-checker
    patterns:
      - pattern-inside: $FUN(...,$ARG,...){...}
      - pattern-either:
          - pattern: Runtime.getRuntime().exec(..., $ARG, ...);
          - patterns:
              - pattern: Process $PROCESS = Runtime.getRuntime();
              - pattern: $PROCESS.exec(..., $ARG, ...);
    message: RCE risk from user input.
    languages: [java]
    severity: ERROR

Case 3: Ensuring that all request mappings have authentication checks. It is important to ensure that all request mappings have proper permission checks in place. The following custom rule can be used to identify instances where these checks are missing:

rules:
  - id: vaild-permission-check-on-all-request-mapping
    patterns:
      - pattern-inside: |
          @$CONTROLLER_ANNOTATION
          public class $CONTROLLER {
            ...
          }
      - pattern: |
          @$MAPPING_ANNOTATION(...)
          public $RET $METHOD(...){...}
      - pattern-not: |
          @$MAPPING_ANNOTATION(...)
          @$PERMISSION_ANNOTATION(...)
          public $RET $METHOD(...){...}
      - metavariable-regex:
          metavariable: $CONTROLLER_ANNOTATION
          regex: (.*Controller$)
      - metavariable-regex:
          metavariable: $MAPPING_ANNOTATION
          regex: (.*Mapping$)
      - metavariable-regex:
          metavariable: $PERMISSION_ANNOTATION
          regex: (.*Permission$)
    message: Should check user permission on all request mapping
    languages: [java]
    severity: WARNING

Summarize

This article has discussed how Semgrep can be integrated into the code review process to improve code quality and consistency.

By using custom rules, Semgrep can enforce team coding standards and detect potential vulnerabilities in the code.

By incorporating Semgrep into the code review workflow, teams can more effectively identify and address issues before code is released to production.