press-semgrep-rules.yml
rules:
# Flags default argument values that come from a call or a frappe attribute;
# Python evaluates defaults once, when the function is defined.
- id: possible-mutable-default-args
  pattern-either:
  - pattern: |
      def $FUNC(..., $ARG = $FUNC2(...), ...):
        ...
  - pattern: |
      def $FUNC(..., $ARG = $FUNC2(...).$ATTR, ...):
        ...
  - pattern: |
      def $FUNC(..., $ARG = frappe.$ATTR, ...):
        ...
  message: |
    `$ARG` is possibly a mutable default argument. May not work as expected during subsequent calls of `$FUNC` without $ARG.
  languages:
  - python
  severity: WARNING
  metadata:
    category: correctness
    technology:
    - python
    references:
    - https://docs.python-guide.org/writing/gotchas/#mutable-default-arguments

# Flags document writes (save, set_value, db_set) in an except block that
# re-raises without calling frappe.db.commit() first.
- id: except-with-db-code
  languages:
  - python
  patterns:
  - pattern-inside: |
      try:
        ...
      except ...:
        $ERR_HANDL_BLK
  - pattern-either:
    - pattern: |
        try:
          ...
        except ...:
          ...
          $DOC.save(...)
          ...
          raise
          ...
    - pattern: |
        try:
          ...
        except ...:
          ...
          frappe. ... .set_value(...)
          ...
          raise
          ...
    - pattern: |
        try:
          ...
        except ...:
          ...
          $DOC.db_set(...)
          ...
          raise
          ...
  - pattern-not: |
      try:
        ...
      except ...:
        ...
        $DOC.save(...)
        ...
        frappe.db.commit(...)
        raise
        ...
  - pattern-not: |
      try:
        ...
      except ...:
        ...
        frappe. ... .set_value(...)
        ...
        frappe.db.commit(...)
        raise
        ...
  - pattern-not: |
      try:
        ...
      except ...:
        ...
        $DOC.db_set(...)
        ...
        frappe.db.commit(...)
        ...
        raise
        ...
  - focus-metavariable: $ERR_HANDL_BLK
  message: except block has no db commit before raise. The db changes made won't persist assuming innodb tables.
  severity: ERROR

# Flags Ansible tasks under press/playbooks that set retries and delay
# without an until condition.
- id: retries-without-until
  languages:
  - yaml
  patterns:
  - pattern: |
      ...
      retries: $RETRIES
      delay: $DELAY
      ...
  - pattern-not: |
      ...
      retries: $RETRIES
      delay: $DELAY
      until: $UNTIL
      ...
  paths:
    include:
    - 'press/playbooks/**/*.yml'
  message: retry block doesn't have until condition. Only works with ansible 2.16 and above.
  severity: ERROR
  metadata:
    category: correctness
    references:
    - https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_loops.html#retrying-a-task-until-a-condition-is-met
    - https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-community-changelogs