Missing taint findings, possibly due to `focus-metavariable`
dvrylc opened this issue · comments
Describe the bug
I've raised this on Slack and Lewis referred me here, saying that it might be a bug with focus-metavariable
.
Refer to this playground for an example. Source and sink are correctly identified but somehow no match is found.
Also worth mentioning that this seems to be a regression. My org maintains a set of custom rules along with a test suite and we found out about this bug because the tests started failing after upgrading from 1.64.0 to the latest version.
What is the priority of the bug to you?
- P0: blocking your adoption of Semgrep or workflow
- P1: important to fix or quite annoying
- P2: regular bug that should get fixed
Environment
Reproducible on playground and locally.
This example works: https://semgrep.dev/playground/s/d8qdP
Note that all I did was remove the type annotations. Perhaps an IL issue.