RUST-1920 Use semgrep to generate SARIF reports (#1088)

abr-egn · web-flow · commit bedae692aa45 · 2024-04-29T10:35:15.000-04:00
diff --git a/.evergreen/check-clippy.sh b/.evergreen/check-clippy.sh
@@ -8,13 +8,9 @@ source ./.evergreen/env.sh
 CLIPPY_VERSION=1.75.0
 
 rustup install $CLIPPY_VERSION
-cargo install clippy-sarif
 
 # Check with default features.
 cargo +$CLIPPY_VERSION clippy --all-targets -p mongodb -- -D warnings
 
 # Check with all features.
-cargo +$CLIPPY_VERSION clippy --all-targets --all-features -p mongodb -- -D warnings
-
-# Produce a SARIF report.
-cargo +$CLIPPY_VERSION clippy --all-targets --all-features -p mongodb --message-format=json -- -D warnings | clippy-sarif > clippy.sarif.json
+cargo +$CLIPPY_VERSION clippy --all-targets --all-features -p mongodb -- -D warnings
diff --git a/.evergreen/check-semgrep.sh b/.evergreen/check-semgrep.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -o errexit
+
+source ./.evergreen/env.sh
+
+. ${DRIVERS_TOOLS}/.evergreen/find-python3.sh
+PYTHON=$(find_python3)
+
+if [[ -f "semgrep/bin/activate" ]]; then
+    echo 'using existing virtualenv'
+    . semgrep/bin/activate
+else
+    echo 'Creating new virtualenv'  
+    ${PYTHON} -m venv semgrep
+    echo 'Activating new virtualenv'
+    . semgrep/bin/activate
+    python3 -m pip install semgrep
+fi
+
+# Generate a SARIF report
+semgrep --config p/rust --sarif > mongo-rust-driver.json.sarif
+# And human-readable output
+semgrep --config p/rust --error
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -699,6 +699,11 @@ tasks:
     commands:
       - func: "check clippy"
 
+  - name: check-semgrep
+    tags: [lint]
+    commands:
+      - func: "check semgrep"
+
   - name: check-rustdoc
     tags: [lint]
     commands:
@@ -1821,6 +1826,16 @@ functions:
           ${PREPARE_SHELL}
           .evergreen/check-clippy.sh
 
+  "check semgrep":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src
+        add_expansions_to_env: true
+        binary: bash
+        args:
+          - .evergreen/check-semgrep.sh
+
   "check rustdoc":
     - command: shell.exec
       type: test
diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1,2 @@
+benchmarks/
+src/test/
diff --git a/src/client/auth/scram.rs b/src/client/auth/scram.rs
@@ -316,6 +316,7 @@ impl ScramVersion {
     ) -> Result<Vec<u8>> {
         let normalized_password = match self {
             ScramVersion::Sha1 => {
+                // nosemgrep: insecure-hashes
                 let mut md5 = Md5::new();
                 md5.update(format!("{}:mongo:{}", username, password));
                 Cow::Owned(hex::encode(md5.finalize()))
diff --git a/src/runtime/tls_rustls.rs b/src/runtime/tls_rustls.rs
@@ -142,6 +142,7 @@ fn make_rustls_config(cfg: TlsOptions) -> Result<rustls::ClientConfig> {
     };
 
     if let Some(true) = cfg.allow_invalid_certificates {
+        // nosemgrep: rustls-dangerous
         config
             .dangerous()
             .set_certificate_verifier(Arc::new(NoCertVerifier {}));
