add semgrep test

zhamborova · zhamborova · commit 9a6856f4e882 · 2025-05-08T16:17:46.000+02:00
diff --git a/.github/workflows/it-test.yml b/.github/workflows/it-test.yml
@@ -1,16 +1,13 @@
-name: Pylint plugin test
+name: plugin it-test
 
 permissions:
   contents: write
 
 on:
   push:
-    paths:
-      - 'plugins/tools/pylint/**'
-
 
 jobs:
-  test:
+  pylint-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -43,3 +40,37 @@ jobs:
           jq --sort-keys . expected.sarif > expected.sorted.json
           jq --sort-keys . actual.sarif > actual.sorted.json
           diff expected.sorted.json actual.sorted.json
+
+  semgrep-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+          cache: true
+
+      - name: Build CLI
+        run: |
+          go build -o cli-v2 ./cli-v2.go
+          chmod +x cli-v2
+
+      - name: Run Semgrep plugin tests
+        run: |
+          # Store the path to the CLI
+          CLI_PATH="$(pwd)/cli-v2"
+          # Change to test directory
+          cd plugins/tools/semgrep/test/src
+          # Install the plugin
+          "$CLI_PATH" install
+          # Run analysis
+          "$CLI_PATH" analyze --tool semgrep --format sarif --output actual.sarif
+          # Convert absolute paths to relative paths in the output
+          sed -i 's|file:///home/runner/work/codacy-cli-v2/codacy-cli-v2/|file:///|g' actual.sarif
+          # Compare with expected output
+          jq --sort-keys '.runs[0].tool.driver.rules |= if . then sort_by(.id) else . end' expected.sarif > expected.sorted.json
+          jq --sort-keys '.runs[0].tool.driver.rules |= if . then sort_by(.id) else . end' actual.sarif > actual.sorted.json
+          diff expected.sorted.json actual.sorted.json
diff --git a/plugins/tools/semgrep/test/src/.codacy/codacy.yaml b/plugins/tools/semgrep/test/src/.codacy/codacy.yaml
@@ -0,0 +1,4 @@
+runtimes:
+    - python@3.11.11
+tools:
+    - semgrep@1.78.0
diff --git a/plugins/tools/semgrep/test/src/.codacy/tools-configs/semgrep.yml b/plugins/tools/semgrep/test/src/.codacy/tools-configs/semgrep.yml
@@ -0,0 +1,21 @@
+rules:
+  - id: python.requests.security.no-http-url
+    pattern: requests.get("http://...")
+    message: "Insecure HTTP URL in requests.get()"
+    severity: WARNING
+    languages: [python]
+
+  - id: python.cryptography.bad-cryptography
+    pattern: |
+      from cryptography.fernet import Fernet
+      key = Fernet.generate_key()
+      f = Fernet(key)
+    message: "Using Fernet for encryption without proper key management"
+    severity: WARNING
+    languages: [python]
+
+  - id: python.security.audit.avoid-assert
+    pattern: assert $X
+    message: "Use of assert statement in production code"
+    severity: WARNING
+    languages: [python] 
diff --git a/plugins/tools/semgrep/test/src/expected.sarif b/plugins/tools/semgrep/test/src/expected.sarif
@@ -0,0 +1,86 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "invocations": [
+        {
+          "executionSuccessful": true,
+          "toolExecutionNotifications": []
+        }
+      ],
+      "results": [],
+      "tool": {
+        "driver": {
+          "name": "Semgrep OSS",
+          "rules": [
+            {
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "Insecure HTTP URL in requests.get()"
+              },
+              "help": {
+                "markdown": "Insecure HTTP URL in requests.get()",
+                "text": "Insecure HTTP URL in requests.get()"
+              },
+              "id": "codacy.tools-configs.python.requests.security.no-http-url",
+              "name": "codacy.tools-configs.python.requests.security.no-http-url",
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: codacy.tools-configs.python.requests.security.no-http-url"
+              }
+            },
+            {
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "Use of assert statement in production code"
+              },
+              "help": {
+                "markdown": "Use of assert statement in production code",
+                "text": "Use of assert statement in production code"
+              },
+              "id": "codacy.tools-configs.python.security.audit.avoid-assert",
+              "name": "codacy.tools-configs.python.security.audit.avoid-assert",
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: codacy.tools-configs.python.security.audit.avoid-assert"
+              }
+            },
+            {
+              "defaultConfiguration": {
+                "level": "warning"
+              },
+              "fullDescription": {
+                "text": "Using Fernet for encryption without proper key management"
+              },
+              "help": {
+                "markdown": "Using Fernet for encryption without proper key management",
+                "text": "Using Fernet for encryption without proper key management"
+              },
+              "id": "codacy.tools-configs.python.cryptography.bad-cryptography",
+              "name": "codacy.tools-configs.python.cryptography.bad-cryptography",
+              "properties": {
+                "precision": "very-high",
+                "tags": []
+              },
+              "shortDescription": {
+                "text": "Semgrep Finding: codacy.tools-configs.python.cryptography.bad-cryptography"
+              }
+            }
+          ],
+          "semanticVersion": "1.78.0"
+        }
+      }
+    }
+  ]
+}
diff --git a/plugins/tools/semgrep/test/src/test_file.py b/plugins/tools/semgrep/test/src/test_file.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Test file for semgrep analysis
+"""
+
+import os
+import sys
+import subprocess
+
+def unsafe_command_execution():
+    """Function with unsafe command execution"""
+    user_input = "ls -la"
+    os.system(user_input)  # semgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
+    subprocess.run(user_input, shell=True)  # semgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true
+
+def hardcoded_password():
+    """Function with hardcoded password"""
+    password = "mysecretpassword123"  # semgrep: python.lang.security.audit.hardcoded-password.hardcoded-password
+    return password
+
+def unsafe_deserialization():
+    """Function with unsafe deserialization"""
+    import pickle
+    data = b"cos\nsystem\n(S'ls -la'\ntR."
+    pickle.loads(data)  # semgrep: python.lang.security.audit.pickle.avoid-pickle
+
+def main():
+    unsafe_command_execution()
+    hardcoded_password()
+    unsafe_deserialization()
+
+if __name__ == "__main__":
+    main() 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +runtimes:
 +    - [email protected]
 +tools:
 +    - [email protected]