With over 25 different languages supported, Semgrep has carved out a niche for itself as something of a polyglot static and software composition analysis tool. At Semgrep, our mission is to profoundly impact software security, and we believe that that is best done by making excellent security available for everyone, even across language boundaries.
On our mission to lower this “language barrier”, as it were, we’re ecstatic to announce experimental support for the Julia language! Semgrep’s parse rate for Julia currently sits at a formidable 99.3%. Parse rate is one of the metrics we use to determine a language’s maturity, and on that metric alone Julia would qualify for “beta” status. Basic Semgrep functionalities like metavariables and ellipses are also supported in the matching engine.
This work would not have been possible if not for Avik Sengupta of JuliaHub and Sergio Vargas, who worked on revamping the Julia tree-sitter grammar, which is instrumental for Semgrep’s adoption of a language. Their hard work ensured that Semgrep can parse Julia code before converting it into its generic representation.
The Semgrep Registry currently does not contain any Julia rules, but you can use the playground to write your own right now! Some rules (graciously provided by Avik Sengupta) which may be useful include:
This rule checks for correctness, by matching instances of chained assignments using the `const` modifier. This can be a mistake, because the right-hand side is not actually constant.

```yaml
rules:
  - id: open-tmp-path
    patterns:
      - pattern-either:
          - pattern: |
              open($X, ...) do
                ...
              end
          - pattern: open($X, ...)
      - metavariable-regex:
          metavariable: $X
          regex: '\"\/tmp/.*'
    message: Do not open file in /tmp directly. Use `mktemp` instead.
    languages:
      - julia
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - julia
      license: LGPL
```

This rule checks for opening a /tmp path, instead of the best-practice use of
```yaml
rules:
  - id: unused-function-parameter
    patterns:
      - pattern-not:
          patterns:
            - pattern: |
                function $F(..., $X, ...)
                  ...
                  $BODY
                end
            - metavariable-pattern:
                metavariable: $BODY
                pattern: |
                  $X
      - pattern: |
          function $F(..., $X, ...)
            ...
          end
    message: Unused function parameter $X
    languages: [julia]
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - julia
      license: LGPL
```
And finally, this rule checks for unused function parameters, which can often be a mistake in programming.
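As an added illustration (not from the post or the rule authors), here is a constructed Julia test file for the `open-tmp-path` and `unused-function-parameter` rules above, written in Semgrep's rule-test convention where a `# ruleid:` comment marks the next line as an expected finding and `# ok:` marks a line that must not match. File names and function names are made up for the example.

```julia
# Constructed test file for the two rules shown above (not the post's own code).
# Convention: "# ruleid: <id>" = the next line must be reported,
#             "# ok: <id>"     = the next line must not be reported.

# Hard-coded /tmp paths are predictable and shared with every other local user.
# ruleid: open-tmp-path
io = open("/tmp/scratch.txt", "w")
close(io)

# The do-block form is caught by the first pattern in the pattern-either.
# ruleid: open-tmp-path
open("/tmp/scratch.txt", "w") do f
    write(f, "data")
end

# mktemp() creates a fresh, uniquely named file, so no predictable path is opened.
# ok: open-tmp-path
path, io = mktemp()
write(io, "data")
close(io)

# The do-block form of mktemp also removes the file when the block exits.
# ok: open-tmp-path
mktemp() do path, io
    write(io, "data")
end

# A path outside /tmp does not satisfy the metavariable-regex.
# ok: open-tmp-path
cfg = open("config.toml", "r")
close(cfg)

# `unused_factor` never appears in the body, so the rule reports it.
# ruleid: unused-function-parameter
function scale(x, unused_factor)
    x * 2
end

# Every parameter is used in the body, so nothing is reported.
# ok: unused-function-parameter
function scale2(x, factor)
    x * factor
end
```

Saved as `rule.jl` next to the rule file, the annotations let `semgrep --test` check that each rule fires exactly where expected.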
That’s all for now. Have fun with Julia!
Semgrep is a fast, open-source, static analysis tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.