
Rule updates

Welcome to monthly rule updates. This document includes selected new rules, removed false positives (FP), and other rule updates. These new rules and their updates are made by the Semgrep community and r2c.

November 2022

Community tier

New rules from Semgrep community and r2c

Updated community tier rules

Metadata required by security category

All security rules now adopt an improved set of metadata fields. These fields are required when you contribute rules in the security category to the Semgrep Registry. For more details, see the Including fields required by security category section.

Team tier

New and updated team tier rules

New rules for hardcoded secrets:

  • Database libraries for Python.

  • Database libraries for JavaScript and TypeScript.

  • Improved existing rules for hardcoded secrets to cover more use cases.

  • FP reduction for existing rules for hardcoded secrets.

  • FP reduction for Go net/http rules.

October 2022

Community tier

New rules from Semgrep community and r2c

Updated community tier rules

Team tier

New team rules

New rules for the Laravel PHP framework covering the following vulnerability classes:

  • Code injection
  • Command injection
  • SQL injection
  • Path traversal
  • CSRF
  • Cookie security
  • XSS
  • SSRF

New rules for Go net/http package covering the following vulnerability classes:

  • SQL injection
  • Command injection

September 2022

Community tier

New rules from Semgrep community and r2c

Changed community tier rules

New metadata keys

r2c is adding new metadata fields to better communicate the intent and importance of findings that a rule generates. The following list provides details about new metadata fields:

  • Likelihood: How likely is the impact highlighted by this finding to occur? Examples:
    • Web application user input: HIGH
    • OS environment: MEDIUM
  • Impact: How much damage can this issue cause? Examples:
    • SQL Injection: HIGH
    • Information disclosure: LOW
  • Confidence: How confident is the author that this finding is exploitable? Examples:
    • User input + formatted SQL string + SQL sink + no intermediate function calls: HIGH
    • User input + SQL sink: MEDIUM
    • Formatted SQL string: LOW
  • Subcategory: A list of subcategories that allows the author to specify the intent of the rule. Current values are:
    • Audit: This rule indicates the possible presence of a vulnerability, provided other conditions are present.
    • Vuln: This rule is specifically looking for an exploitable vulnerability.
  • Additionally, language rulesets (such as p/javascript) have been altered to include only rules that match the following conditions:
    • Subcategory: Vuln
    • Impact: HIGH
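As an added illustration (not a rule from the Semgrep Registry), a taint-mode rule for the HIGH-confidence case listed above, user input flowing through a formatted SQL string into a SQL sink, with the new metadata fields attached; the rule id, the patterns and the `category: security` line are assumptions made for this example.

```yaml
rules:
  - id: example-flask-sqli-fstring   # hypothetical rule id, constructed for this example
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Data from a Flask request reaches the query argument of cursor.execute().
      Pass user-controlled values as query parameters instead of formatting them
      into the SQL string.
    # Source: web application user input (the page's example of likelihood HIGH)
    pattern-sources:
      - pattern: flask.request.args.get(...)
      - pattern: flask.request.form.get(...)
    # Sink: only the query argument of a DB-API execute() call. Taint carried in
    # an f-string or "%"-formatted query reaches $QUERY; a value passed in the
    # parameter tuple does not, so parameterized queries are not reported.
    pattern-sinks:
      - patterns:
          - pattern: $CURSOR.execute($QUERY, ...)
          - focus-metavariable: $QUERY
    # Constructed target code, for reference:
    #   flagged:     user_id = request.args.get("id")
    #                cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    #   not flagged: cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    metadata:
      category: security          # assumed: the category this rule contributes to
      subcategory: [vuln]         # the rule looks for an exploitable bug, not an audit lead
      likelihood: HIGH            # source is web application user input
      impact: HIGH                # SQL injection
      confidence: HIGH            # user input + formatted SQL string + SQL sink, no intermediate calls
      # Other fields required by the security category (for example cwe, owasp,
      # references, technology) are omitted here; see the linked section.
```

Save the rule as a .yml file and run `semgrep --config rule.yml` over a Flask module that builds its query with an f-string to see the finding; the same module using a parameter tuple produces none, which is what the `focus-metavariable` on `$QUERY` buys you.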

Updated community tier rules

Deprecated community tier rules

These rules no longer produce findings:

August 2022

Community tier

New rules from Semgrep community and r2c

Updated community tier rules

Deprecated community tier rules

Semgrep no longer matches anything with the following rules:

Team tier

New Team tier rules

Updated Team tier rules

Added more sinks for the following rules:

July 2022

New rules from Semgrep community and r2c

New rules from Semgrep community:

New rules have been added with taint sources:

There are now 80 team tier only rules covering Java, PHP, JavaScript, and TypeScript available in the Semgrep Registry. These rules are designed to have higher precision and lower false positive rates.

Rule changes and updates

Reduced severity to INFO:

Limit sources to specific properties of Request object rather than all properties:

The python.lang.security.audit.dangerous rules have been reworked. All Python dangerous rules have had their confidence level changed to LOW. Renamed rules:

Added to p/default (p/default is the ruleset that runs by default with semgrep --config p/default):

Removed from p/default in Semgrep Registry:

  • ajinabraham.njsscan.archive_path_overwrite.admzip_path_overwrite
  • ajinabraham.njsscan.archive_path_overwrite.tar_path_overwrite
  • ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite
  • ajinabraham.njsscan.archive_path_overwrite.zip_path_overwrite2
  • ajinabraham.njsscan.buffer_noassert.buffer_noassert
  • ajinabraham.njsscan.crypto_node.node_aes_ecb
  • ajinabraham.njsscan.crypto_node.node_aes_noiv
  • ajinabraham.njsscan.crypto_node.node_insecure_random_generator
  • ajinabraham.njsscan.crypto_node.node_md5
  • ajinabraham.njsscan.crypto_node.node_sha1
  • ajinabraham.njsscan.crypto_node.node_weak_crypto
  • ajinabraham.njsscan.error_disclosure.node_error_disclosure
  • ajinabraham.njsscan.eval_deserialize.node_deserialize
  • ajinabraham.njsscan.eval_deserialize.serializetojs_deserialize
  • ajinabraham.njsscan.eval_drpc_deserialize.grpc_insecure_connection
  • ajinabraham.njsscan.eval_grpc_deserialize.grpc_insecure_connection
  • ajinabraham.njsscan.eval_node.eval_nodejs
  • ajinabraham.njsscan.eval_require.eval_require
  • ajinabraham.njsscan.eval_sandbox.sandbox_code_injection
  • ajinabraham.njsscan.eval_vm2_injection.vm2_code_injection
  • ajinabraham.njsscan.eval_vm2_injection.vm2_context_injection
  • ajinabraham.njsscan.eval_vm_injection.vm_code_injection
  • ajinabraham.njsscan.eval_vm_injection.vm_compilefunction_injection
  • ajinabraham.njsscan.eval_vm_injection.vm_runincontext_injection
  • ajinabraham.njsscan.eval_vm_injection.vm_runinnewcontext_injection
  • ajinabraham.njsscan.eval_yaml_deserialize.yaml_deserialize
  • ajinabraham.njsscan.exec_os_command.generic_os_command_exec
  • ajinabraham.njsscan.exec_os_command.generic_os_command_exec2
  • ajinabraham.njsscan.exec_shelljs.shelljs_os_command_exec
  • ajinabraham.njsscan.express_bodyparser_dos.express_bodyparser
  • ajinabraham.njsscan.express_hbs_lfr.express_lfr
  • ajinabraham.njsscan.express_hbs_lfr.express_lfr_warning
  • ajinabraham.njsscan.good_anti_csrf.anti_csrf_control
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_check_crossdomain
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_check_csp
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_check_expect_ct
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_dns_prefetch
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_feature_policy
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_frame_guard
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_hsts
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_ienoopen
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_nosniff
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_referrer_policy
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_x_powered_by
  • ajinabraham.njsscan.good_helmet_checks.helmet_header_xss_filter
  • ajinabraham.njsscan.good_ratelimiting.rate_limit_control
  • ajinabraham.njsscan.hardcoded_passport.hardcoded_passport_secret
  • ajinabraham.njsscan.header_cookie.cookie_session_default
  • ajinabraham.njsscan.header_cookie.cookie_session_no_domain
  • ajinabraham.njsscan.header_cookie.cookie_session_no_httponly
  • ajinabraham.njsscan.header_cookie.cookie_session_no_maxage
  • ajinabraham.njsscan.header_cookie.cookie_session_no_path
  • ajinabraham.njsscan.header_cookie.cookie_session_no_samesite
  • ajinabraham.njsscan.header_cookie.cookie_session_no_secure
  • ajinabraham.njsscan.header_cors_star.express_cors
  • ajinabraham.njsscan.header_cors_star.generic_cors
  • ajinabraham.njsscan.header_helmet_disabled.helmet_feature_disabled
  • ajinabraham.njsscan.header_injection.generic_header_injection
  • ajinabraham.njsscan.header_xss_protection.header_xss_generic
  • ajinabraham.njsscan.header_xss_protection.header_xss_lusca
  • ajinabraham.njsscan.host_header_injection.host_header_injection
  • ajinabraham.njsscan.jwt_exposed_credentials.jwt_exposed_credentials
  • ajinabraham.njsscan.jwt_exposed_data.jwt_exposed_data
  • ajinabraham.njsscan.jwt_express_hardcoded.jwt_express_hardcoded
  • ajinabraham.njsscan.jwt_hardcoded.hardcoded_jwt_secret
  • ajinabraham.njsscan.jwt_none_algorithm.node_jwt_none_algorithm
  • ajinabraham.njsscan.jwt_not_revoked.jwt_not_revoked
  • ajinabraham.njsscan.layer7_object_dos.layer7_object_dos
  • ajinabraham.njsscan.logic_bypass.node_logic_bypass
  • ajinabraham.njsscan.nosql_injection.node_nosqli_js_injection
  • ajinabraham.njsscan.path_traversal.generic_path_traversal
  • ajinabraham.njsscan.regex_dos.regex_dos
  • ajinabraham.njsscan.regex_injection.regex_injection_dos
  • ajinabraham.njsscan.resolve_path_traversal.join_resolve_path_traversal
  • ajinabraham.njsscan.security_electron.electron_allow_http
  • ajinabraham.njsscan.security_electron.electron_blink_integration
  • ajinabraham.njsscan.security_electron.electron_context_isolation
  • ajinabraham.njsscan.security_electron.electron_disable_websecurity
  • ajinabraham.njsscan.security_electron.electron_experimental_features
  • ajinabraham.njsscan.security_electron.electron_nodejs_integration
  • ajinabraham.njsscan.security_electronjs.electron_allow_http
  • ajinabraham.njsscan.security_electronjs.electron_blink_integration
  • ajinabraham.njsscan.security_electronjs.electron_context_isolation
  • ajinabraham.njsscan.security_electronjs.electron_disable_websecurity
  • ajinabraham.njsscan.security_electronjs.electron_experimental_features
  • ajinabraham.njsscan.security_electronjs.electron_nodejs_integration
  • ajinabraham.njsscan.sequelize_tls.sequelize_tls
  • ajinabraham.njsscan.sequelize_tls_validation.sequelize_tls_cert_validation
  • ajinabraham.njsscan.sequelize_weak_tls.sequelize_weak_tls
  • ajinabraham.njsscan.server_side_template_injection.server_side_template_injection
  • ajinabraham.njsscan.sql_injection.node_knex_sqli_injection
  • ajinabraham.njsscan.sql_injection.node_sqli_injection
  • ajinabraham.njsscan.sql_injection_knex.node_knex_sqli_injection
  • ajinabraham.njsscan.ssrf_node.node_ssrf
  • ajinabraham.njsscan.ssrf_phantomjs.phantom_ssrf
  • ajinabraham.njsscan.ssrf_playwright.playwright_ssrf
  • ajinabraham.njsscan.ssrf_puppeteer.puppeteer_ssrf
  • ajinabraham.njsscan.ssrf_wkhtmltoimage.wkhtmltoimage_ssrf
  • ajinabraham.njsscan.ssrf_wkhtmltopdf.wkhtmltopdf_ssrf
  • ajinabraham.njsscan.timing_attack_node.node_timing_attack
  • ajinabraham.njsscan.tls_node.node_curl_ssl_verify_disable
  • ajinabraham.njsscan.tls_node.node_tls_reject
  • ajinabraham.njsscan.xml_entity_expansion_dos.node_entity_expansion
  • ajinabraham.njsscan.xpathi_node.node_xpath_injection
  • ajinabraham.njsscan.xss_mustache_escape.xss_disable_mustache_escape
  • ajinabraham.njsscan.xss_node.express_xss
  • ajinabraham.njsscan.xss_serialize_js.xss_serialize_javascript
  • ajinabraham.njsscan.xss_templates.handlebars_noescape
  • ajinabraham.njsscan.xss_templates.handlebars_safestring
  • ajinabraham.njsscan.xss_templates.squirrelly_autoescape
  • ajinabraham.njsscan.xxe_expat.xxe_expat
  • ajinabraham.njsscan.xxe_node.node_xxe
  • ajinabraham.njsscan.xxe_sax.xxe_sax
  • ajinabraham.njsscan.xxe_xml2json.xxe_xml2json
  • contrib.dlint.dlint-equivalent.insecure-commands-use
  • contrib.dlint.dlint-equivalent.insecure-compile-use
  • contrib.dlint.dlint-equivalent.insecure-cryptography-attribute-use
  • contrib.dlint.dlint-equivalent.insecure-dl-use
  • contrib.dlint.dlint-equivalent.insecure-duo-client-use
  • contrib.dlint.dlint-equivalent.insecure-eval-use
  • contrib.dlint.dlint-equivalent.insecure-exec-use
  • contrib.dlint.dlint-equivalent.insecure-gl-use
  • contrib.dlint.dlint-equivalent.insecure-hashlib-use
  • contrib.dlint.dlint-equivalent.insecure-itsdangerous-use
  • contrib.dlint.dlint-equivalent.insecure-marshal-use
  • contrib.dlint.dlint-equivalent.insecure-onelogin-attribute-use
  • contrib.dlint.dlint-equivalent.insecure-os-exec-use
  • contrib.dlint.dlint-equivalent.insecure-os-temp-use
  • contrib.dlint.dlint-equivalent.insecure-pickle-use
  • contrib.dlint.dlint-equivalent.insecure-popen2-use
  • contrib.dlint.dlint-equivalent.insecure-pycrypto-use
  • contrib.dlint.dlint-equivalent.insecure-requests-use
  • contrib.dlint.dlint-equivalent.insecure-shelve-use
  • contrib.dlint.dlint-equivalent.insecure-simplexmlrpcserver-use
  • contrib.dlint.dlint-equivalent.insecure-ssl-use
  • contrib.dlint.dlint-equivalent.insecure-subprocess-use
  • contrib.dlint.dlint-equivalent.insecure-tarfile-use
  • contrib.dlint.dlint-equivalent.insecure-tempfile-use
  • contrib.dlint.dlint-equivalent.insecure-urllib3-connections-use
  • contrib.dlint.dlint-equivalent.insecure-urllib3-warnings-use
  • contrib.dlint.dlint-equivalent.insecure-xml-use
  • contrib.dlint.dlint-equivalent.insecure-xmlsec-attribute-use
  • contrib.dlint.dlint-equivalent.insecure-yaml-use
  • contrib.dlint.dlint-equivalent.insecure-zipfile-use
  • generic.ci.security.use-frozen-lockfile.use-frozen-lockfile
  • generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-npm
  • generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pip
  • generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pipenv
  • generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn
  • generic.html-templates.security.var-in-href.var-in-href
  • generic.nginx.security.request-host-used.request-host-used
  • generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
  • javascript.browser.security.raw-html-join.raw-html-join
  • javascript.express.security.audit.express-xml2json-xxe-event.express-xml2json-xxe-event
  • javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect
  • javascript.express.security.audit.remote-property-injection.remote-property-injection
  • javascript.express.security.audit.res-render-injection.res-render-injection
  • javascript.express.security.audit.xss.mustache.var-in-script-tag.var-in-script-tag
  • javascript.lang.correctness.no-replaceall.no-replaceall
  • javascript.lang.security.audit.prototype-pollution.prototype-pollution-assignment.prototype-pollution-assignment
  • javascript.lang.security.detect-non-literal-require.detect-non-literal-require
  • javascript.sequelize.security.audit.sequelize-raw-query.sequelize-raw-query
  • python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
  • python.flask.security.xss.audit.template-unquoted-attribute-var.template-unquoted-attribute-var
  • typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
  • typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property

Other:
