I'm running this ruleset in CI as:
git clone https://github.com/apiiro/malicious-code-ruleset.git ../malicious-code-ruleset
semgrep --config ../malicious-code-ruleset
which worked fine until today when I started getting the following error (note that this project has no Dart source code):
METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.
To disable Registry rule metrics, use "--metrics=off".
When using configs only from local files (like --config=xyz.yml) metrics are sent only when the user is logged in.
More information: https://semgrep.dev/docs/metrics
┌─────────────┐
│ Scan Status │
└─────────────┘
Scanning 94 files tracked by git with 101 Code rules:
Language Rules Files Origin Rules
────────────────────────── ────────────────
js 14 32 Custom 101
ts 14 3
bash 6 3
Error: [ERROR] Rule parse error in rule malicious-code-ruleset.dynamic_execution.dart.dart-dynamic-system-commands:
Invalid pattern for Dart: Stdlib.Parsing.Parse_error
----- pattern -----
$P = Process;
...
$P.$RUN('dart', ['-e', ...]);
----- end pattern -----
┌──────────────┐
│ Scan Summary │
└──────────────┘
✅ Scan completed successfully.
• Findings: 0 (0 blocking)
• Rules run: 17
• Targets scanned: 38
• Parsed lines: ~100.0%
• Scan skipped:
◦ Files matching .semgrepignore patterns: 184
• Scan was limited to files tracked by git
• For a detailed list of skipped files and lines, run semgrep with the --verbose flag
Ran 17 rules on 38 files: 0 findings.
I'm running this ruleset in CI as:
which worked fine until today when I started getting the following error (note that this project has no Dart source code):