semgrep-go
This repo holds patterns for finding odd Go code.
The rules engines currently supported:
I'll accept comby patterns if you can't get them to work with either semgrep or ruleguard.
To run a single semgrep rule:
$ semgrep -f path/to/semgrep-go/rule.yml .
To run all semgrep rules:
$ semgrep -f path/to/semgrep-go/ .
To run all the ruleguard rules:
$ ruleguard -c=0 -rules path/to/semgrep-go/rules.go
Semgrep checks:
- badexponentiation: check for
2^xand10^xwhich look like exponentiation - badnilguard: check for poorly formed nil guards
- errtodo: check for TODOs in error handling code
- hmac-bytes: check for using bytes.Equal() with HMACs
- hostport: check for using fmt.Sprintf() instead of net.JoinHostPort()
- mathbits: check for places you should use math/bits instead
- mail-address: check for using fmt.Sprintf() instead of net/mail.Address.String()
- oddbitwise: check for odd bit-wise expressions
- oddcompare: check for odd comparisons
- oddcompound: check for odd compound += or -= expressions
- oddifsequence: check for an odd sequence of ifs
- oddmathbits: check for odd uses of math/bits
- parseint-downcast: check for places a parsed 64-bit int is downcast to 32-bits
- returnnil: check for odd nil-returns
- sprinterr: check for fmt.Sprint(err) instead of err.Error()
- joinpath: check for using strings.Join() to construct paths
- readfull: check for extra length check for io.ReadFull()
- nilerr: returning a nil err instead of a nil value
- errclosed: check for call strings.Contains() to detect net.ErrClosed
- hmac-hash: check for bad hash.New passed to hmac.New()
- readeof: check for ignoring io.EOF as a successful read
- writestring: check for using io.WriteString(w, string(b))
- wronglock: find incorrect lock/unlock pairs for rwmutex
Ruleguard checks are in ruleguard.rules.go.
- unconvert: check for unnecessary conversions
- timeeq: check for using == and != with time.Time values
- wrongerr: check for potentially checking the wrong error value
- errnoterror: check for variables called
errwhich are not the error type - ifbodythenbody: check for if statements with identical if and else bodies
- subtractnoteq: check for x-y==0 instead of x==y
- selfassign: check for variable self-assignments
- oddnestedif: check for odd patterns of nested-ifs.
- oddbitwise: check for odd bitwise expressions
- ifreturn: check for off if/return sequences
- oddifsequence: check for if sequences
- nestedifsequence: check for odd nested if sequences
- identicalassignments: check for
x = y ; y = xpairs. - oddcompoundop: check for odd compound operations
- constswitch: check for switch statements with expressions
- oddcomparisons: check for odd comparisons
- oddmathbits: check for odd uses of math/bits
- floateq: check for exact comparisons of floating point values
- badexponent: check for
2^xand10^x, which look like exponentiation - floatloop: check for using floats as loop counters
- urlredacted: check for logging urls without calling url.Redacted()
- sprinterr: check for calling fmt.Sprint(err) instead of err.Error()
- largeloopcopy: check for large value copies in loops
- joinpath: check for using strings.Join() to construct paths
- readfull: check for extra length check for io.ReadFull()
- nilerr: returning an nil error instead of a nil value
- errnetclosed: check for call strings.Contains() to detect net.ErrClosed
- httpheaderadd: check for use of http.Header.Add method instead of Set
- hmac-hash: check for bad hash.New passed to hmac.New()
- readeof: check for ignoring io.EOF as a successful read
- writestring: check for using io.WriteString(w, string(b)) when b is []byte
- badlock: find incorrect lock/unlock pairs for rwmutex
_
Find this useful? Buy me a coffee!