Lightweight static code analysis with semgrep
Download as PPTX, PDF0 likes282 views
This document provides an overview of Semgrep, a lightweight static code analysis tool. It discusses Semgrep's history and key features like fast scanning, easy to write rules syntax resembling code, and support for many languages. The document demonstrates writing Semgrep rules through examples and references external rule sets. It also covers limitations like lack of multi-file analysis and how Semgrep can be used via editors, CLI and CI/CD integration.
![DEEP EXPRESSION
• Deep Expression Operator: “<… [your pattern]…>”
• Scenario: XML Parser allows resolving external resources
• Solution:
https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-
xmltextreader
• Reference: https://rules.sonarsource.com/csharp/RSPEC-2755,
https://pvs-studio.com/en/blog/posts/csharp/0918/](https://image.slidesharecdn.com/null25feblightweightstaticcodeanalysiswithsemgrep-230301082827-9017ad59/85/Lightweight-static-code-analysis-with-semgrep-17-320.jpg)
Lightweight static code analysis with semgrep
- 1. LIGHTWEIGHT STATIC CODE ANALYSIS WITH SEMGREP Nikhil Sahoo
- 2. WHOAMI SECURITY SOFTWARE ENGINEER @MICROSOFT EX- SECURITY CONSULTANT, DELOITTE CERTS: OSCP, EWPTX, CRTP ACKNOWLEDGED AND RECEIVED HOFS FROM MULTIPLE ORGS: ORACLE, DELL, MICROSOFT, SAP, SONY ETC. LINKEDIN: HTTPS://WWW.LINKE DIN.COM/IN/NIKHIL- SAHOO-87204B106/ NIKHILSAHOO.COM
- 3. AGENDA • History • What is Semgrep? • SAST Tools Slider • Rule Syntax • Writing Rules | Demo • Usage • Limitations • QnA
- 4. HISTORY: SGREP (SYNTACTIC GREP) • Initially called Sgrep/Pfff • Written By Yoann Padioleau at Facebook for analyzing PHP code • Was used to Enforce Best Practices • Easy for developers to organize and understand the rules • Joined R2C and renamed Sgrep to Semgrep • Goal was to match based on semantics of the code Reference: https://semgrep.dev/blog/2021/semgrep-a-static-analysis-journey
- 5. WHAT IS SEMGREP? • Fast and lightweight static analysis tool to find bugs and enforce code standards. Reference: https://semgrep.dev/
- 6. PROS • Opensource • Rules look like the code you already write; no abstract syntax trees, regex wrestling • Scans in minutes • Does not require a build • Hunt Bugs at scale • Supports many languages • Very easy to write custom rules
- 10. CODE IS NOT A STRING, IT’S A TREE 🧶 String != 🌲Tree
- 13. DEMO WRITING SEMGREP RULES HTTPS://SEMGREP.DEV/PLAYGROUND/NEW
- 14. ELLIPSIS • Ellipsis Operator: “…” • Find all PHP Command Injection Functions • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-php- command-inj • Reference: https://www.stackhawk.com/blog/php-command-injection/
- 15. METAVARIABLE • Metavariable Operator: “$X” • Find all user exploitable PHP Preg_Replace Functions • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp- metavariable-pregreplace • Reference: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg _replace
- 16. CATCHING ATTRIBUTES • Scenario 1: Find all functions vulnerable to CSRF • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp- csrf-mvc • Scenario 2: Broken Access Control • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp- missing-or-broken-authorization • Reference: https://www.stackhawk.com/blog/net-csrf-protection-guide- examples-and-how-to-enable/, https://github.com/returntocorp/semgrep- rules/blob/develop/csharp/dotnet/security/audit/missing-or-broken- authorization.cs
- 17. DEEP EXPRESSION • Deep Expression Operator: “<… [your pattern]…>” • Scenario: XML Parser allows resolving external resources • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp- xmltextreader • Reference: https://rules.sonarsource.com/csharp/RSPEC-2755, https://pvs-studio.com/en/blog/posts/csharp/0918/
- 18. METAVARIABLE REGEX • Scenario: App not validating the expiration time of a JWT • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-jwt-no- expiry • Reference: https://github.com/returntocorp/semgrep- rules/blob/develop/csharp/lang/security/ad/jwt- tokenvalidationparameters-no-expiry-validation.cs
- 19. METAVARIABLE COMPARISON • Scenario: Improper Regex Timeout • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-regex- dos-infinite-timeout • Reference: https://github.com/returntocorp/semgrep- rules/blob/develop/csharp/lang/security/regular-expression-dos/regular- expression-dos-infinite-timeout.cs, https://rules.sonarsource.com/csharp/RSPEC-6444
- 20. TAINT ANALYSIS • Scenario: PHP Reflected XSS • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-php-xss- taint • Reference: https://rules.sonarsource.com/php/RSPEC-5131
- 21. PATTERN-SANITIZERS • Scenario: Path.Combine() Path Traversal • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-path- combine • Reference: https://www.praetorian.com/blog/pathcombine-security- issues-in-aspnet-applications/
- 22. GENERIC PATTERN MATCHING • Scenario: Debugging Enabled(Web.Config) • Solution: https://semgrep.dev/orgs/nikhil1232/editor/s/nikhil1232:owasp-net- webconfig-debug • Reference: https://portswigger.net/kb/issues/00100800_asp-net- debugging-enabled
- 24. USAGE Semgrep in Editors • IntelliJ IDEA: semgrep-idea-plugin • Microsoft Visual Studio Code: semgrep-vscode • Vim: semgrep.vim CLI Docker
- 26. TOOLS • Semgrep: https://github.com/returntocorp/semgrep • Semgrep External Rules: https://github.com/returntocorp/semgrep-rules • Semgrep Playground: https://semgrep.dev/playground • CodeQL: https://codeql.github.com/ • Devskim: https://github.com/microsoft/DevSkim
- 27. REFERENCES • https://semgrep.dev/docs/ • https://www.youtube.com/watch?v=kb8oo7Wyk84 • https://youtube.com/watch?v=O5mh8j7-An8 • https://semgrep.dev/playground/ • https://rules.sonarsource.com/ • https://semgrep.dev/blog/2021/semgrep-a-static-analysis-journey • https://github.com/returntocorp/semgrep-rules
- 28. THANK YOU