Announcing Semgrep’s experimental support for Julia

Semgrep adds experimental support for the Julia programming language

Brandon Wu
May 3rd, 2023
Share

With over 25 different languages supported, Semgrep has carved out a niche for itself as something of a polyglot static and software composition analysis tool. At Semgrep, our mission is to profoundly impact software security, and we believe that that is best done by making excellent security available for everyone, even across language boundaries.

On our mission to lower this “language barrier,” as it were, we’re ecstatic to announce experimental support for the Julia coding language! Semgrep’s parse rate currently sits at a formidable 99.3%, which would qualify it for “beta” status on parse rate alone, which is one of the metrics we use to determine a language’s maturity. Basic Semgrep functionalities like metavariables and ellipses are also supported in the matching engine.

This work would not have been possible if not for Avik Sengupta of JuliaHub and Sergio Vargas, who worked on re-vamping the Julia tree-sitter grammar, which is instrumental for Semgrep’s adoption of a language. Their hard work ensured that Semgrep can parse Julia code before converting into its generic representation.

The Semgrep Registry currently does not contain any Julia rules, but you can use the playground to write your own right now! Some rules (graciously provided by Avik Sengupta) which may be useful include:

rules:
  - id: open-tmp-path
      patterns:
        - pattern-either:
            - pattern: |
                open($X, ...) do
                ...
                end
            - pattern: open($X, ...)
        - metavariable-regex:
            metavariable: $X
            regex: '\"\/tmp/.*'
      message: Do not open file in /tmp directly. Use `mktemp` instead.
      languages:
        - julia
      severity: WARNING
      metadata:
        category: best-practice
        technology:
          - julia
        license: LGPL

This rule checks for correctness, by matching instances of chained assignments using the

const modifier. This can be a mistake, because the right-hand-side is not actually constant.

This rule checks for opening a /tmp path, instead of the best-practice use of mktemp.

rules:
  - id: unused-function-parameter
      patterns:
        - pattern-not:
            patterns:
              - pattern: |
                  function $F(..., $X, ...)
                    ...
                    $BODY
                  end
              - metavariable-pattern:
                  metavariable: $BODY
                  pattern: |
                    $X
        - pattern: |
            function $F(..., $X, ...)
              ...
            end
      message: Unused function parameter $X
      languages: [julia]
      severity: WARNING
      metadata:
        category: best-practice
        technology:
          - julia
        license: LGPL

And finally, this rule checks for unused function parameters, which can often be a mistake in programming.

That’s all for now. Have fun with Julia!

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.

Featured posts from the Semgrep blog, written by our engineering team

July 31, 2024
AppSec guides, not gates: Introducing secure guardrails with Semgrep
Isaac Evans
May 21, 2024
Rapidly deploy code scans across your organization with Semgrep managed scanning
Pablo Estrada
May 16, 2024
Overrated and underperforming: transitive reachability analysis
Kyle Kelly

Find and fix the issues that matter before build time

Semgrep helps organizations shift left without the developer productivity tax.
Get started in minutes Book a demo