[HN Gopher] Semgrep: Writing quick rules to verify ideas
___________________________________________________________________
Semgrep: Writing quick rules to verify ideas
Author : adrianomartins
Score : 39 points
Date : 2022-10-17 11:22 UTC (11 hours ago)
(HTM) web link (blog.deesee.xyz)
(TXT) w3m dump (blog.deesee.xyz)
| craigds wrote:
| I use semgrep for semantic search (and replace, sometimes).
|
| Their docs and website try very hard to suggest you should use it
| for some kind of CI process, but so far I haven't found any need
| to do so. I can maybe see it being useful in a pre-commit hook.
|
| It's VERY handy for semantic searches though - in situations
| where ripgrep would be useless due to multi-line matches.
|
| I set up this alias to make it a bit less verbose for Python
| patterns:
|
| pygrep () {
|   pat="$1"
|   shift
|   filez="$*"
|   bash -xc "semgrep --lang=python --pattern '$pat' $filez"
| }
|
| Usage is something like:
|
| pygrep 'myfunc(..., needle_arg=..., ...)'
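An added example, not the commenter's alias above: the same `pygrep` helper written so that the pattern and the file list are handed to semgrep as separate argv entries instead of being spliced into a string that `bash -c` re-parses. The spliced form mangles a pattern that contains a single quote, splits file names on whitespace, and turns a pattern or path taken from an untrusted source (a script argument, a CI variable) into shell command injection. The `SEMGREP` variable and the `make_stub_semgrep` helper are assumptions made for this example, not semgrep features; the stub lets you see the argv each version produces without a real semgrep on PATH.

```shell
#!/usr/bin/env sh
# Added example for the thread's pygrep alias; not code from the thread.

# Assumed knob (not a semgrep option): which binary to run, default "semgrep".
: "${SEMGREP:=semgrep}"

# Usage: pygrep PATTERN [PATH...]
# Every argument reaches semgrep intact: the pattern is one argv entry and
# each path is one argv entry, whatever characters they contain.
pygrep() {
  local pat="$1"
  shift
  "$SEMGREP" --lang=python --pattern "$pat" "$@"
}

# The thread's string-splicing approach, reproduced only to show the hazard
# (sh -c instead of bash -xc so the trace output does not interleave).
# The pattern and paths are re-parsed as shell code by the inner shell.
pygrep_fragile() {
  local pat="$1"
  shift
  local filez="$*"
  sh -c "$SEMGREP --lang=python --pattern '$pat' $filez"
}

# Test aid (assumption, not part of semgrep): writes a fake "semgrep" into the
# directory given as $1 that prints one received argument per line, and prints
# the directory so it can be prepended to PATH.
make_stub_semgrep() {
  mkdir -p "$1"
  printf '%s\n' '#!/bin/sh' 'printf "%s\n" "$@"' > "$1/semgrep"
  chmod +x "$1/semgrep"
  printf '%s\n' "$1"
}

# Constructed demonstration input: a pattern containing a quoted string literal
# and a file name containing a space.
# With the stub on PATH:
#   pygrep         "myfunc(..., needle_arg='x', ...)" "a b.py"
#     -> pattern and file name arrive unchanged (3 + 1 arguments)
#   pygrep_fragile "myfunc(..., needle_arg='x', ...)" "a b.py"
#     -> pattern arrives as  myfunc(..., needle_arg=x, ...)  and the file
#        name arrives as two arguments, "a" and "b.py"
```

Run it with a real semgrep by sourcing the file and calling `pygrep 'myfunc(..., needle_arg=..., ...)' src/`; the stub is only for checking what the helper passes along.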
| iib wrote:
| Don't you have to shift the arguments, so that `$1` does not
| also end in `filez`?
| craigds wrote:
| There is a `shift` in the function
| underyx wrote:
| Heya, Semgrep maintainer here. Just wanted to ask you about an
| idea I had before, how would you feel about specifying the
| language parameter in the binary name, making the invocation
| look like this?
|
| semgrep.py search 'myfunc(..., needle_arg=..., ...)'
|
| And then the other subcommands would remain
| semgrep scan --config auto
|
| to scan with all recommended rules and
| semgrep ci
|
| to scan in CI jobs.
| leipert wrote:
| I feel like the "semgrep.py" idea is not that good, because
| someone could legitimately have a semgrep.py or semgrep.js or
| similar file which wraps semgrep.
|
| Edit: thanks for maintaining semgrep, started using it
| heavily in day job and the team started writing Frontends for
| it.
| underyx wrote:
| If someone had such a wrapper, I'd expect if it's globally
| available in $PATH then it'd have a more descriptive name,
| and if it's not in $PATH, then you'd likely run it as
| `python semgrep.py` or `./semgrep.py`. Does that sound
| right to you?
| O_H_E wrote:
| >> Their docs and website try very hard to suggest you should
| use it for some kind of CI process...
|
| Just a piece of feedback for the record: I have been stuck in
| exactly the same place the few times I was interested in
| trying out a ripgrep alternative that understood semantics,
| but didn't have such an urgent need to actually understand
| how to get things going.
| underyx wrote:
| Thanks! Could you let me know what you'd change on our
| Getting Started[0] page to explain the CLI usage better?
|
| [0]: https://semgrep.dev/docs/getting-started/
| craigds wrote:
| I'd suggest adding at least one example of using `semgrep
| --pattern <pattern>`. That seems pretty well hidden in
| the docs, and for me it's the most useful option.
|
| I wasn't trying to search for things that _other people_
| thought were interesting; I wanted a tool that would
| search for some pattern I thought of - and preferably
| without having to write a yaml file.
| underyx wrote:
| Thanks a lot! I opened a pull request with your
| suggestion here: https://github.com/returntocorp/semgrep-docs/pull/744
|
| Edit: It's approved but that's just our CEO :D I'll wait
| for an approval from our tech writers who are in non-US
| time zones, so your suggestion will likely land tomorrow.
| Thank you!
| burntsushi wrote:
| Note that ripgrep can do multi-line searches with the -U flag.
|
| Not that this detracts from your main point. Semgrep is much
| smarter than ripgrep and goes well beyond multi line searches.
|
| I just wanted to clarify the small thing.
| craigds wrote:
| thanks for ripgrep!
___________________________________________________________________
(page generated 2022-10-17 23:01 UTC)