Reporting false negatives with shouldafound
Report code that Semgrep did not match as you expected directly from the command line with the `shouldafound` subcommand. `shouldafound` lets you report false negatives (vulnerabilities that were not detected) without leaving your command-line interface (CLI).
Shouldafound is useful in contexts such as:
- A bug report uncovers an SQL injection vulnerability that needs to be caught by Semgrep.
- You found issues manually during a code review, but you want Semgrep to find these issues automatically next time.
- A security consultant reviews customer code and adds anonymized versions of their findings so Semgrep can help them find that issue automatically in the future.
This example guides you through the steps to report a false negative with the Semgrep CLI:

1. Take the following example file, `file.go`:

   ```go
   package main

   import "fmt"

   func main() {
    fmt.Println("foo")
   }
   ```

2. In your command line, run the following command:

   ```sh
   semgrep shouldafound --email "my@email.com" \
     -m "Semgrep missed vulnerable code here" \
     --start 5 --end 7 path/to/my/file.go
   ```

   Specify the lines of code to report as a false negative with the `--start` and `--end` options. The example above reports lines 5 through 7 of `file.go`.

3. This sends the following information to semgrep.dev:

   ```json
   {
     "email": "my@email.com",
     "lines": "func main() {\n fmt.Println(\"foo\")\n}\n",
     "message": "Semgrep missed vulnerable code here",
     "path": "path/to/my/file.go"
   }
   ```

4. Press `y` to send this information to r2c:

   ```
   OK to send? [y/N]: y
   ```
Note: Anonymize the data you send to us, because `shouldafound` creates Semgrep Playground links that are public to anyone with access to the URL.
If you send the code, you receive the following notice in your command line:

```
Sent feedback. Thanks for your contribution!
You can view and extend the generated rule template here: https://semgrep.dev/s/ylAk
```
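To check exactly what would leave your machine before you answer `y` (for example, that the selected lines contain nothing you still need to anonymize), the following added example rebuilds the payload shown above from a file and a `--start`/`--end` range. It is not Semgrep's own code and not part of this page; the embedded copy of `file.go` and the helper names `select_lines`, `build_payload` and `preview` are constructed for this example.

```python
import json
from pathlib import Path
from typing import Optional

# Constructed copy of the page's file.go, with the blank lines gofmt keeps,
# so that "func main() {" is line 5 and the closing "}" is line 7.
SAMPLE_GO = 'package main\n\nimport "fmt"\n\nfunc main() {\n fmt.Println("foo")\n}\n'


def select_lines(text: str, start: int, end: int) -> str:
    """Return lines start..end (1-indexed, inclusive), newline-terminated,
    mirroring the "lines" value shouldafound reports. Reversed ranges and
    ranges that run past the end of the file are rejected, not truncated."""
    lines = text.splitlines(keepends=True)
    if start < 1 or end < start or end > len(lines):
        raise ValueError(f"--start {start} --end {end} is outside lines 1-{len(lines)}")
    return "".join(lines[start - 1:end])


def build_payload(path: str, start: int, end: int, email: str, message: str,
                  text: Optional[str] = None) -> dict:
    """Assemble the same four fields the CLI shows before 'OK to send?'.
    `text` lets a caller pass file content directly; otherwise `path` is read."""
    if text is None:
        text = Path(path).read_text()
    return {
        "email": email,
        "lines": select_lines(text, start, end),
        "message": message,
        "path": path,
    }


def preview(payload: dict) -> str:
    """Pretty-print the payload as JSON for review before anything is sent."""
    return json.dumps(payload, indent=2, sort_keys=True)


if __name__ == "__main__":
    report = build_payload("path/to/my/file.go", 5, 7, "my@email.com",
                           "Semgrep missed vulnerable code here", text=SAMPLE_GO)
    print(preview(report))
```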
Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.