
(EAI-1212) Semgrep Static Analysis #870


Open · wants to merge 1 commit into main

Conversation

nlarew (Collaborator) commented Aug 7, 2025

Jira: (EAI-1212) Semgrep Static Analysis

Changes

  • Run semgrep scan on our server packages
  • This PR applies code changes to remove the regex (is this necessary?)
```shell
semgrep --config "p/default" --severity=WARNING packages/chatbot-server-mongodb-public packages/mongodb-chatbot-server
```

```text
┌──── ○○○ ────┐
│ Semgrep CLI │
└─────────────┘

/opt/homebrew/Cellar/semgrep/1.128.0/libexec/lib/python3.13/site-packages/opentelemetry/instrumentation/dependencies.py:4: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  from pkg_resources import (

Scanning 191 files (only git-tracked) with 720 Code rules:

  CODE RULES

  Language      Rules   Files          Origin      Rules
 ─────────────────────────────        ───────────────────
  <multilang>       1     191          Community     720
  ts              123     152
  yaml             24      11
  json              3      11
  js              115       6

  SUPPLY CHAIN RULES

  💎 Sign in with `semgrep login` and run
     `semgrep ci` to find dependency vulnerabilities and
     advanced cross-file findings.

  PROGRESS

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    packages/chatbot-server-mongodb-public/src/tracing/scrubbedMessages/redactPii.ts
    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
          RegExp() called with a `text` function argument, this might allow an attacker to cause a Regular
          Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
          this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-
          controlled input, consider performing input validation or use a regex checking/sanitization library
          such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to
          ReDoS.
          Details: https://sg.run/gr65

           78┆ const nameRegex = new RegExp(`\\b${keyword}\\b`, "gi");

┌──────────────┐
│ Scan Summary │
└──────────────┘
✅ Scan completed successfully.
 • Findings: 1 (1 blocking)
 • Rules run: 149
 • Targets scanned: 191
 • Parsed lines: ~100.0%
 • Scan skipped:
   ◦ Files larger than  files 1.0 MB: 1
   ◦ Files matching .semgrepignore patterns: 21
 • Scan was limited to files tracked by git
 • For a detailed list of skipped files and lines, run semgrep with the --verbose flag
Ran 149 rules on 191 files: 1 finding.
```
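The finding above is about `new RegExp(`\\b${keyword}\\b`, "gi")`. What follows is an added example, not code from this PR or from the repository: it puts that construction next to a hardened form that escapes the keyword before interpolating it, and shows three things the rule's message does not spell out. A metacharacter in a perfectly legitimate keyword either changes what gets redacted (`.` is a wildcard, so `john.doe` also redacts `johnXdoe`) or makes the pattern invalid (`c++` throws "nothing to repeat"); an escaped keyword is matched literally, so a ReDoS-shaped keyword such as `x(a+)+y` has no quantifiers left to backtrack on; and `\b` still silently fails for keywords that begin or end with a non-word character, which escaping does not fix. All function names and sample strings are constructed for the illustration.

```typescript
// Added example (not code from the PR or the repository): the flagged
// construction next to a hardened form. Names and strings are constructed.

const REDACTED = "[REDACTED]";

/**
 * Mirrors the construction Semgrep flagged: `keyword` is spliced into the
 * pattern verbatim, so any RegExp metacharacter it contains is interpreted
 * rather than matched. With a keyword such as "x(a+)+y" the pattern gains a
 * nested quantifier, and a long run of "a"s makes the engine backtrack
 * exponentially (the ReDoS the rule warns about). Not for untrusted keywords.
 */
function redactKeywordUnsafe(text: string, keyword: string): string {
  const nameRegex = new RegExp(`\\b${keyword}\\b`, "gi");
  return text.replace(nameRegex, REDACTED);
}

/** Backslash-escape every RegExp metacharacter so `s` is matched literally. */
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

/**
 * Hardened form: the keyword becomes a literal, so the pattern is
 * `\b<literal>\b`. A literal has no quantifiers, so matching is linear in
 * the input no matter what the keyword contains.
 */
function redactKeywordLiteral(text: string, keyword: string): string {
  const nameRegex = new RegExp(`\\b${escapeRegExp(keyword)}\\b`, "gi");
  return text.replace(nameRegex, REDACTED);
}

interface DemoResult {
  unsafeDotMatchesAnyChar: string;
  literalDotMatchesDot: string;
  unsafePlusThrows: boolean;
  unsafePlusMissesKeyword: string;
  literalPlusRedacted: string;
  literalRedosShapeInert: string;
  boundaryCaveat: string;
}

function demo(): DemoResult {
  const text = "Contact john.doe or johnXdoe about the report.";

  // `\bc++\b` is not a valid pattern in JavaScript ("nothing to repeat").
  let unsafePlusThrows = false;
  try {
    redactKeywordUnsafe("see c++ notes", "c++");
  } catch (e) {
    unsafePlusThrows = e instanceof SyntaxError;
  }

  return {
    // "." is a wildcard, so the unsafe form also redacts "johnXdoe".
    unsafeDotMatchesAnyChar: redactKeywordUnsafe(text, "john.doe"),
    literalDotMatchesDot: redactKeywordLiteral(text, "john.doe"),
    unsafePlusThrows,
    // "a+b" parses as "one or more a, then b", so the literal "a+b" is missed.
    unsafePlusMissesKeyword: redactKeywordUnsafe("value a+b here", "a+b"),
    literalPlusRedacted: redactKeywordLiteral("value a+b here", "a+b"),
    // Escaped, the ReDoS-shaped keyword is just a sequence of literals.
    literalRedosShapeInert: redactKeywordLiteral("token x(a+)+y token", "x(a+)+y"),
    // \b needs a word character on the keyword side of the boundary. "c++"
    // ends in "+", so there is no boundary before the following space and
    // nothing is redacted even though the pattern is now valid.
    boundaryCaveat: redactKeywordLiteral("see c++ notes", "c++"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

One caveat on the scan itself: detect-non-literal-regexp is a syntactic rule that fires on any non-literal argument to `RegExp()`, so the hardened form is reported exactly like the original. Escaping removes the injection and the backtracking risk; it does not make the finding go away, which is the context for the PR's question about whether removing the regex is necessary.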
