Announcing Semgrep’s experimental support for Julia

Semgrep adds experimental support for the Julia programming language

With over 25 different languages supported, Semgrep has carved out a niche for itself as something of a polyglot static and software composition analysis tool. At Semgrep, our mission is to profoundly impact software security, and we believe that that is best done by making excellent security available for everyone, even across language boundaries.

On our mission to lower this “language barrier,” as it were, we’re ecstatic to announce experimental support for the Julia coding language! Semgrep’s parse rate currently sits at a formidable 99.3%, which would qualify it for “beta” status on parse rate alone, which is one of the metrics we use to determine a language’s maturity. Basic Semgrep functionalities like metavariables and ellipses are also supported in the matching engine.

This work would not have been possible if not for Avik Sengupta of JuliaHub and Sergio Vargas, who worked on re-vamping the Julia tree-sitter grammar, which is instrumental for Semgrep’s adoption of a language. Their hard work ensured that Semgrep can parse Julia code before converting into its generic representation.

The Semgrep Registry currently does not contain any Julia rules, but you can use the playground to write your own right now! Some rules (graciously provided by Avik Sengupta) which may be useful include:

2  - id: open-tmp-path
3      patterns:
4        - pattern-either:
5            - pattern: |
6                open($X, ...) do
7                ...
8                end
9            - pattern: open($X, ...)
10        - metavariable-regex:
11            metavariable: $X
12            regex: '\"\/tmp/.*'
13      message: Do not open file in /tmp directly. Use `mktemp` instead.
14      languages:
15        - julia
16      severity: WARNING
17      metadata:
18        category: best-practice
19        technology:
20          - julia
21        license: LGPL

This rule checks for correctness, by matching instances of chained assignments using the

const modifier. This can be a mistake, because the right-hand-side is not actually constant.

This rule checks for opening a /tmp path, instead of the best-practice use of mktemp.

2  - id: unused-function-parameter
3      patterns:
4        - pattern-not:
5            patterns:
6              - pattern: |
7                  function $F(..., $X, ...)
8                    ...
9                    $BODY
10                  end
11              - metavariable-pattern:
12                  metavariable: $BODY
13                  pattern: |
14                    $X
15        - pattern: |
16            function $F(..., $X, ...)
17              ...
18            end
19      message: Unused function parameter $X
20      languages: [julia]
21      severity: WARNING
22      metadata:
23        category: best-practice
24        technology:
25          - julia
26        license: LGPL

And finally, this rule checks for unused function parameters, which can often be a mistake in programming.

That’s all for now. Have fun with Julia!


Semgrep Logo

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.

Find and fix the issues that matter before build time

Semgrep helps organizations shift left without the developer productivity tax.

Get started in minutesBook a demo