semgrep/semgrep-rules

Issues

• Exclude Slack webhook sample URL

  #3461 opened a month ago by dbarlett
  5

• [Regression] unquoted-command-substitution-in-command & unquoted-variable-expansion-in-command [BASH] causes semgrep CRASH

  #3449 opened 2 months ago by mjnowen
  1

• NextJS node modules vulnerabilities

  #3445 opened 2 months ago by Creakyinertia
  1

• dockerfile.security.missing-user has a false positive related to HEALTHCHECK CMD

  #3436 opened 2 months ago by saghaulor
  2

• Editor logs out after removing - id line from the rule.

  #3413 opened 3 months ago by or-akl
  0

• ruby dangerous-exec rule did not report dangerous usages properly

  #3396 opened 4 months ago by JazJas
  0

• False positives in storage-queue-services-logging for Azure Storage Accounts that don't use a storage queue

  #3383 opened 5 months ago by thompsonbryce
  0

• False positive in javascript.express.security.audit.xss.direct-response-write.direct-response-write

  #3381 opened 5 months ago by nbrahms
  0

• php.lang.security.injection.tainted-sql-string does not detect SQL statement with newline

  #3376 opened 5 months ago by Sjord
  0

• Semgrep rules javascript express vm2 misses real vuln. code

  #3350 opened 6 months ago by OrenGitHub
  1

• Duplicate rules for Slack webhook URL

  #3345 opened 6 months ago by Sjord
  2

• False Positive javascript.express_xss

  #3339 opened 7 months ago by aviramshm
  0

• unquoted-variable-expansion-in-command: False positive on arithmetic expressions "$((...))"

  #3328 opened 7 months ago by AfroThundr3007730
  0

• False positives in gorm-hardcoded-secret and gorm-empty-password

  #3316 opened 7 months ago by lfama
  0

• False positive in java.lang.security.system.system-setproperty-hardcoded-secret

  #3312 opened 7 months ago by Sjord
  0

• Add mapping to CWE-353

  #3134 opened 8 months ago by jmeit-fwdsec
  2

• Incorrect Javascript rule for insecure web sockets

  #3080 opened 8 months ago by iuliadmtru
  1

• java/jax-rs/security/insecure-resteasy.yaml no longer relevant?

  #3294 opened 8 months ago by JLLeitschuh
  0

• php.lang.security.non-literal-header incorrectly warns against response splitting

  #3287 opened 8 months ago by Sjord
  0

• Auto issue labeling workflow

  #3286 opened 8 months ago by atarax665
  0

• False positive on php.lang.security.injection.tainted-sql-string.tainted-sql-string

  #3252 opened 9 months ago by Sjord
  5

• use-none-for-password-default doesn't actually check for empty string

  #3253 opened 9 months ago by Sjord
  1

• CSharp: Missing or broken authorization rule confusion

  #3202 opened 10 months ago by johanlindfors
  2

• [Rule]

  #3225 opened 10 months ago by jgroc-de
  0

• False positive on unquoted-attribute-var for Angular

  #3205 opened a year ago by Sjord
  1

• Ruby Rails tainted SQL String rule has wrong metadata

  #3191 opened a year ago by 0xDC0DE
  0

• Python unverified-jwt-decode rule deprecated

  #3109 opened a year ago by spehill
  0

• Remediation wrong for rule python.aws-lambda.security.dangerous-subprocess-use.dangerous-sub

  #3162 opened a year ago by svbfromnl
  1

• regular-expression-dos message

  #3106 opened a year ago by Sjord
  1

• detected-twitter-oauth rule triggers on minimized CSS files

  #3104 opened a year ago by mtausig
  0

• [owasp.java.ssrf.java.net.url] False Negative When Detecting SSRF in the java.net.URL Sink

  #2990 opened a year ago by SaeedHashem
  0

• Issues with Rust Inside pattern matching from 1.27.0 to 1.41.0

  #3128 opened a year ago by Matthewbialek
  1

• False positive in javascript.lang.correctness.useless-assign.useless-assignment

  #3036 opened a year ago by Sjord
  1

• Issue with detect-child-process rule

  #3105 opened a year ago by joshbouncesecurity
  0

• False positive in generic.nginx.security.missing-internal.missing-internal

  #3057 opened a year ago by AlexanderSilaev
  1

• False positives because python.flask.security.injection.ssrf-requests assumes every decorator is Flask

  #3053 opened a year ago by underyx
  0

• Unpacking fails dangerous-subprocess-use-audit

  #3074 opened a year ago by CandiedCode
  0

• Python. Ignore md5 when used with usedforsecurity

  #3052 opened a year ago by SXHRYU
  0

• harden-dompurify-usage deprecation

  #3073 opened a year ago by aarongoldenthal
  4

• [Rules] [ERROR] invalid configuration file found (1 configs were invalid)

  #3059 opened a year ago by TerminalFi
  1

• Nginx false positive generic.nginx.security.insecure-redirect.insecure-redirect

  #3050 opened a year ago by SXHRYU
  1

• License confusion with Rules

  #3033 opened a year ago by InternGoUser
  1

• comments not filtered on generic mode, rule: use-frozen-lockfile-npm

  #3039 opened a year ago by nashcontrol
  0

• A false negative (miss) in asyncpg-sqli ruleset

  #3027 opened a year ago by kholia
  3

• [Rule] Dependency confusion

  #3032 opened a year ago by Sjord
  2

• Enhance Python eval() detection rule

  #2999 opened a year ago by bluemarco
  0

• c/lang/security/double-free.yaml false positive

  #2995 opened a year ago by kostya253
  0

• Confirming licensing for rules.

  #2954 opened a year ago by ajohnston9
  2

• False positive pattern in loop pointer rule

  #2972 opened a year ago by romdr
  1

• Artifactory password falsely triggering on yarn lock file

  #2959 opened a year ago by ChristianAlexander
  1