Ability to Specify Code Assumptions
andrew-konstantinov opened this issue
Is your feature request related to a problem? Please describe.
Production code often depends on runtime feature flags, external services and so on. As a result, many code branches are essentially unreachable under normal conditions; however, AFAIK there is currently no way to express this in Semgrep, which leads to a high number of false positives. A very simple example could be:
```kotlin
fun test1() {
    // `id` is reassigned below, so it must be a `var` (a `val` would not compile)
    var id = source()
    val shouldDoSanitization = isSanitizationEnabled(id)
    if (shouldDoSanitization) {
        id = sanitize(id)
    } else {
        // ok: sanitization-behind-a-feature-flag
        sink(id)
    }
}
```
In this case I'd like to express that isSanitizationEnabled is going to return true, but I couldn't find a way to do this in Semgrep documentation.
Describe the solution you'd like
Introduce a mechanism to specify code assumptions, such as:
- return values (in the example above, express that `isSanitizationEnabled` always returns `true` here)
- variable values (in the example above, express that `shouldDoSanitization` becomes `true` here)
- control flow: assume a certain branch is always taken or always unreachable
Describe alternatives you've considered
Multiple sanitization rules could be defined as a workaround, in order to account for various code patterns, but these are dependent on heuristics and therefore less precise; also, currently this approach does not work in Semgrep due to another bug (#10167 (comment)).
Use case
- Reduce the number of false positives by making Semgrep understand sanitization patterns in production code
- Reduce the number of false negatives by streamlining and simplifying Semgrep rules, relying more on Taint Mode & Cross-file Analysis instead of heuristics
This is nice to have
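To make the false positive described in the issue concrete, here is a Semgrep taint-mode rule written for this page (it is an added example, not part of the original issue and not a rule shipped by Semgrep). It uses only existing rule syntax (`mode: taint`, `pattern-sources`, `pattern-sinks`, `pattern-sanitizers`) and takes the function names `source`, `sink` and `sanitize` from the snippet above; the rule id matches the `// ok:` annotation in that snippet so the two can be used together as a Semgrep test case.

```yaml
# Constructed example rule for the snippet in the issue above.
# Taint mode tracks `id` per branch: in the `if` branch it passes through
# sanitize(), in the `else` branch it does not, so sink(id) in the `else`
# branch is reported even though the author knows isSanitizationEnabled()
# always returns true in production.
rules:
  - id: sanitization-behind-a-feature-flag
    mode: taint
    languages: [kotlin]
    severity: WARNING
    message: >-
      Value from source() reaches sink() without passing through sanitize()
    pattern-sources:
      - pattern: source()
    pattern-sinks:
      - pattern: sink(...)
    pattern-sanitizers:
      - pattern: sanitize(...)
```

Saving the rule as `sanitization-behind-a-feature-flag.yaml` and the Kotlin snippet as `sanitization-behind-a-feature-flag.kt` in the same directory and running `semgrep --test` on that directory reports the `sink(id)` line as an unexpected finding, because the `// ok:` annotation says no match is expected there. Nothing in the current rule syntax lets the rule state that `isSanitizationEnabled(id)` returns `true` (or that the `else` branch is unreachable), which is exactly the gap the feature request is asking to close.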