jcloud/jcloud-semgrep-rules.yml
2025-04-12 17:39:38 +08:00


rules:
  # Default arguments are evaluated once, at function definition time. A default
  # built from a call, an attribute lookup, or a jingrow attribute is therefore
  # shared across calls, which is a bug if the value is mutable.
  - id: possible-mutable-default-args
    pattern-either:
      - pattern: |
          def $FUNC(..., $ARG = $FUNC2(...), ...):
            ...
      - pattern: |
          def $FUNC(..., $ARG = $FUNC2(...).$ATTR, ...):
            ...
      - pattern: |
          def $FUNC(..., $ARG = jingrow.$ATTR, ...):
            ...
    message: |
      `$ARG` is possibly a mutable default argument. May not work as expected during subsequent calls of `$FUNC` without $ARG.
    languages:
      - python
    severity: WARNING
    metadata:
      category: correctness
      technology:
        - python
      references:
        - https://docs.python-guide.org/writing/gotchas/#mutable-default-arguments

  # An except handler that writes to the database and then re-raises loses those
  # writes unless it commits first: the exception propagates and the transaction
  # is rolled back.
  - id: except-with-db-code
    languages:
      - python
    patterns:
      - pattern-inside: |
          try:
            ...
          except ...:
            $ERR_HANDL_BLK
      - pattern-either:
          - pattern: |
              try:
                ...
              except ...:
                ...
                $DOC.save(...)
                ...
                raise
              ...
          - pattern: |
              try:
                ...
              except ...:
                ...
                jingrow. ... .set_value(...)
                ...
                raise
              ...
          - pattern: |
              try:
                ...
              except ...:
                ...
                $DOC.db_set(...)
                ...
                raise
              ...
      - pattern-not: |
          try:
            ...
          except ...:
            ...
            $DOC.save(...)
            ...
            jingrow.db.commit(...)
            raise
          ...
      - pattern-not: |
          try:
            ...
          except ...:
            ...
            jingrow. ... .set_value(...)
            ...
            jingrow.db.commit(...)
            raise
          ...
      - pattern-not: |
          try:
            ...
          except ...:
            ...
            $DOC.db_set(...)
            ...
            jingrow.db.commit(...)
            ...
            raise
          ...
      - focus-metavariable: $ERR_HANDL_BLK
    message: except block has no db commit before raise. The db changes made won't persist assuming innodb tables.
    severity: ERROR

  # In Ansible, a `retries`/`delay` pair without an `until` condition is only
  # honoured by Ansible 2.16 and later; older versions run the task once.
  - id: retries-without-until
    languages:
      - yaml
    patterns:
      - pattern: |
          ...
          retries: $RETRIES
          delay: $DELAY
          ...
      - pattern-not: |
          ...
          retries: $RETRIES
          delay: $DELAY
          until: $UNTIL
          ...
    paths:
      include:
        - 'jcloud/playbooks/**/*.yml'
    message: retry block doesn't have until condition. Only works with ansible 2.16 and above.
    severity: ERROR
    metadata:
      category: correctness
      references:
        - https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_loops.html#retrying-a-task-until-a-condition-is-met
        - https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-community-changelogs

  # Each of these site status calls triggers an nginx configuration reload on the
  # proxy. Calling them inside a loop reloads once per iteration; passing
  # skip_reload=True defers the reload and is therefore allowed.
  - id: nginx-update-called-in-loop
    languages:
      - python
    patterns:
      - pattern-inside: |
          for $VAR in $LIST:
            ...
      - pattern-either:
          - pattern: Site(...).unsuspend(...)
          - pattern: Site(...).suspend(...)
          - pattern: Site(...).activate(...)
          - pattern: Site(...).deactivate(...)
          - pattern: $OBJ.get_pg("Site", ...).unsuspend(...)
          - pattern: $OBJ.get_pg("Site", ...).suspend(...)
          - pattern: $OBJ.get_pg("Site", ...).activate(...)
          - pattern: $OBJ.get_pg("Site", ...).deactivate(...)
          - pattern: $OBJ.get_last_pg("Site", ...).unsuspend(...)
          - pattern: $OBJ.get_last_pg("Site", ...).suspend(...)
          - pattern: $OBJ.get_last_pg("Site", ...).activate(...)
          - pattern: $OBJ.get_last_pg("Site", ...).deactivate(...)
          - pattern: $OBJ.update_site_status_on_proxy(...)
          - pattern: $OBJ.update_site_status(...)
          - pattern: deactivate_site_on_source_proxy(...)
          - pattern: activate_site_on_destination_proxy(...)
      - pattern-not: Site(...).unsuspend(..., skip_reload=True, ...)
      - pattern-not: Site(...).suspend(..., skip_reload=True, ...)
      - pattern-not: Site(...).activate(..., skip_reload=True, ...)
      - pattern-not: Site(...).deactivate(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_pg("Site", ...).unsuspend(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_pg("Site", ...).suspend(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_pg("Site", ...).activate(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_pg("Site", ...).deactivate(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_last_pg("Site", ...).unsuspend(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_last_pg("Site", ...).suspend(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_last_pg("Site", ...).activate(..., skip_reload=True, ...)
      - pattern-not: $OBJ.get_last_pg("Site", ...).deactivate(..., skip_reload=True, ...)
      - pattern-not: $OBJ.update_site_status_on_proxy(..., skip_reload=True, ...)
      - pattern-not: $OBJ.update_site_status(..., skip_reload=True, ...)
    message: Agent endpoint that updates nginx is called in a loop. This causes nginx to reload configuration multiple times which takes proxy down.
    severity: ERROR
    metadata:
      references:
        - https://www.f5.com/ko_kr/company/blog/nginx/using-nginx-plus-to-reduce-the-frequency-of-configuration-reloads