Announcing Semgrep’s experimental support for Julia

Semgrep adds experimental support for the Julia programming language

With over 25 different languages supported, Semgrep has carved out a niche for itself as something of a polyglot static and software composition analysis tool. At Semgrep, our mission is to profoundly impact software security, and we believe that this is best done by making excellent security tooling available to everyone, even across language boundaries.

On our mission to lower this “language barrier,” as it were, we’re ecstatic to announce experimental support for the Julia programming language! Semgrep’s parse rate for Julia currently sits at a formidable 99.3%, which would qualify it for “beta” status on parse rate alone; parse rate is one of the metrics we use to determine a language’s maturity. Basic Semgrep functionalities like metavariables and ellipses are also supported in the matching engine.

This work would not have been possible if not for Avik Sengupta of JuliaHub and Sergio Vargas, who worked on revamping the Julia tree-sitter grammar, which is instrumental for Semgrep’s adoption of a language. Their hard work ensured that Semgrep can parse Julia code before converting it into Semgrep’s generic representation.

The Semgrep Registry currently does not contain any Julia rules, but you can use the playground to write your own right now! Some rules (graciously provided by Avik Sengupta) which may be useful include:

rules:
  - id: open-tmp-path
    patterns:
      - pattern-either:
          - pattern: |
              open($X, ...) do
              ...
              end
          - pattern: open($X, ...)
      - metavariable-regex:
          metavariable: $X
          regex: '\"\/tmp/.*'
    message: Do not open file in /tmp directly. Use `mktemp` instead.
    languages:
      - julia
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - julia
      license: LGPL

This rule checks for correctness by matching instances of chained assignments using the const modifier. This can be a mistake, because the right-hand side is not actually constant.

This rule checks for opening a /tmp path directly, instead of the best-practice use of mktemp.
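To make the open-tmp-path rule concrete, here is an added Julia example (not from the original post) showing code the rule is meant to flag in both of its pattern branches, a case it will not catch, and the mktemp alternative it recommends; the function names and paths are made up for illustration.

```julia
# Added example, not part of the original post. Function and path names are
# illustrative only.

# Flagged by the do-block branch of the rule: the first argument is a string
# literal beginning with "/tmp/", so the metavariable-regex on $X succeeds.
function write_scratch_bad(data::String)
    open("/tmp/scratch.txt", "w") do io
        write(io, data)
    end
end

# Flagged by the plain-call branch `open($X, ...)`.
function read_scratch_bad()
    io = open("/tmp/scratch.txt", "r")
    contents = read(io, String)
    close(io)
    return contents
end

# Not expected to match: $X binds to the identifier `path`, not a string
# literal, so the regex '"/tmp/.*' never sees the "/tmp/" prefix. The rule is
# a literal-path check, not a data-flow analysis, so paths assembled at
# runtime slip past it.
function write_scratch_indirect(data::String)
    path = joinpath("/tmp", "scratch.txt")
    open(path, "w") do io
        write(io, data)
    end
end

# Recommended form: mktemp() creates a uniquely named file under tempdir() and
# hands back an already-open handle, so there is no predictable, guessable
# path in a shared directory for another process to pre-create or swap.
function write_scratch_good(data::String)
    path, io = mktemp()   # (path, IOStream); file is removed at process exit
    write(io, data)
    close(io)
    return path
end
```

Running the rule over this file should report the first two functions and nothing else.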

rules:
  - id: unused-function-parameter
    patterns:
      - pattern-not:
          patterns:
            - pattern: |
                function $F(..., $X, ...)
                  ...
                  $BODY
                end
            - metavariable-pattern:
                metavariable: $BODY
                pattern: |
                  $X
      - pattern: |
          function $F(..., $X, ...)
            ...
          end
    message: Unused function parameter $X
    languages: [julia]
    severity: WARNING
    metadata:
      category: best-practice
      technology:
        - julia
      license: LGPL

And finally, this rule checks for unused function parameters, which are often a sign of a programming mistake.

That’s all for now. Have fun with Julia!
