Unexpected error "Rule parse error in rule malicious-code-ruleset.obfuscation.javascript_typescript.javascript-obfuscation-conditions" #26

@ericcornelissen

I'm running this ruleset in CI as:

git clone https://github.com/apiiro/malicious-code-ruleset.git ../malicious-code-ruleset  
mv ../malicious-code-ruleset/dynamic_execution/javascript_typescript ../dynamic_execution-javascript_typescript
rm -rf ../malicious-code-ruleset/dynamic_execution/*
mv ../dynamic_execution-javascript_typescript ../malicious-code-ruleset/dynamic_execution/javascript_typescript
mv ../malicious-code-ruleset/obfuscation/javascript_typescript ../obfuscation-javascript_typescript
rm -rf ../malicious-code-ruleset/obfuscation/*
mv ../obfuscation-javascript_typescript ../malicious-code-ruleset/obfuscation/javascript_typescript
semgrep --config ../malicious-code-ruleset

which worked fine until today when I started getting the following error:

┌─────────────┐
│ Scan Status │
└─────────────┘
  Scanning 94 files tracked by git with 11 Code rules:
                                                                                                                        
  Language   Rules   Files          Origin   Rules                                                                      
 ──────────────────────────        ────────────────                                                                     
  js            11      32          Custom      11                                                                      
  ts            11       3                                                                                              
  bash           1       3                                                                                              
                                                                                                                        
Error: [ERROR] Rule parse error in rule malicious-code-ruleset.obfuscation.javascript_typescript.javascript-obfuscation-conditions:
 Invalid pattern for JavaScript: Stdlib.Parsing.Parse_error
----- pattern -----
switch ($VAR) { case ... }
----- end pattern -----

The following reproduces the problem for me locally:

git clone git@github.com:ericcornelissen/shescape.git
cd shescape

docker run -it --rm --volume $PWD:/src --entrypoint sh docker.io/semgrep/semgrep@sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694

git clone https://github.com/apiiro/malicious-code-ruleset.git ../malicious-code-ruleset

mv ../malicious-code-ruleset/dynamic_execution/javascript_typescript ../dynamic_execution-javascript_typescript
rm -rf ../malicious-code-ruleset/dynamic_execution/*
mv ../dynamic_execution-javascript_typescript ../malicious-code-ruleset/dynamic_execution/javascript_typescript

mv ../malicious-code-ruleset/obfuscation/javascript_typescript ../obfuscation-javascript_typescript
rm -rf ../malicious-code-ruleset/obfuscation/*
mv ../obfuscation-javascript_typescript ../malicious-code-ruleset/obfuscation/javascript_typescript

semgrep --config ../malicious-code-ruleset
echo $?

This fetches a21246b and outputs:

Cloning into 'shescape'...
remote: Enumerating objects: 10529, done.
remote: Counting objects: 100% (793/793), done.
remote: Compressing objects: 100% (264/264), done.
remote: Total 10529 (delta 718), reused 529 (delta 529), pack-reused 9736 (from 3)
Receiving objects: 100% (10529/10529), 5.08 MiB | 6.77 MiB/s, done.
Resolving deltas: 100% (8122/8122), done.


Unable to find image 'semgrep/semgrep@sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694' locally
docker.io/semgrep/semgrep@sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694: Pulling from semgrep/semgrep
Digest: sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694
Status: Downloaded newer image for semgrep/semgrep@sha256:8f85dbfb5d38592d0b916caac855cf18facba40674988caf763d52b9fe916694

Cloning into '../malicious-code-ruleset'...
remote: Enumerating objects: 758, done.
remote: Counting objects: 100% (758/758), done.
remote: Compressing objects: 100% (389/389), done.
remote: Total 758 (delta 504), reused 609 (delta 359), pack-reused 0 (from 0)
Receiving objects: 100% (758/758), 106.87 KiB | 2.09 MiB/s, done.
Resolving deltas: 100% (504/504), done.


┌──── ○○○ ────┐
│ Semgrep CLI │
└─────────────┘

METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.
To disable Registry rule metrics, use "--metrics=off".
When using configs only from local files (like --config=xyz.yml) metrics are sent only when the user is logged in.

More information: https://semgrep.dev/docs/metrics

                                                                                                                        
Scanning 94 files (only git-tracked) with 11 Code rules:
            
  CODE RULES
                                                                                                                        
  Language   Rules   Files          Origin   Rules                                                                      
 ──────────────────────────        ────────────────                                                                     
  js            11      32          Custom      11                                                                      
  ts            11       3                                                                                              
  bash           1       3                                                                                              
                                                                                                                        
                    
  SUPPLY CHAIN RULES
                  
  No rules to run.
                  
          
  PROGRESS
   
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00                                                                                                                        
[ERROR] Rule parse error in rule malicious-code-ruleset.obfuscation.javascript_typescript.javascript-obfuscation-conditions:
 Invalid pattern for JavaScript: Stdlib.Parsing.Parse_error
----- pattern -----
switch ($VAR) { case ... }
----- end pattern -----

                
                
┌──────────────┐
│ Scan Summary │
└──────────────┘
✅ Scan completed successfully.
 • Findings: 0 (0 blocking)
 • Rules run: 11
 • Targets scanned: 38
 • Parsed lines: ~100.0%
 • Scan skipped: 
   ◦ Files matching .semgrepignore patterns: 184
 • Scan was limited to files tracked by git
 • For a detailed list of skipped files and lines, run semgrep with the --verbose flag
Ran 11 rules on 38 files: 0 findings.

2
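
The output above ends with "Scan completed successfully" and 0 findings even though one rule was never applied; only the exit status of 2 shows it. As an added example (not part of the original report or of the ruleset project), this CI helper pulls the failed rule IDs out of captured Semgrep output and refuses to trust the scan if any rule failed to parse. The function names and the sample log are constructed for illustration; the log text is copied from the error shown in the report.

```shell
#!/bin/sh
# Added example: detect rules that Semgrep skipped because they failed to parse.
# Function names are hypothetical; the sample log is constructed from the
# error text quoted in the report above.

# Print the ID of every rule named in a
# "Rule parse error in rule <id>:" line, one per line, de-duplicated.
# Reads captured Semgrep output from stdin.
parse_failed_rules() {
  sed -n 's/^.*Rule parse error in rule \([^ ]*\):[[:space:]]*$/\1/p' | sort -u
}

# Return 0 only if the scan can be trusted: Semgrep exited with status 0
# and no rule failed to parse. The "Scan completed successfully" summary
# line is deliberately ignored, because it is printed in the failing case too.
# $1 = file holding the captured output, $2 = Semgrep exit status.
scan_is_trustworthy() {
  failed=$(parse_failed_rules < "$1")
  if [ -n "$failed" ] || [ "$2" -ne 0 ]; then
    return 1
  fi
  return 0
}

# Constructed sample: the error block and summary lines from the report.
sample_log() {
  cat <<'EOF'
[ERROR] Rule parse error in rule malicious-code-ruleset.obfuscation.javascript_typescript.javascript-obfuscation-conditions:
 Invalid pattern for JavaScript: Stdlib.Parsing.Parse_error
----- pattern -----
switch ($VAR) { case ... }
----- end pattern -----
✅ Scan completed successfully.
 • Findings: 0 (0 blocking)
Ran 11 rules on 38 files: 0 findings.
EOF
}

# Demo: list the rules that were not applied in the sample output.
sample_log | parse_failed_rules
```

In CI, capture the real output with `semgrep --config ../malicious-code-ruleset >scan.log 2>&1; status=$?` and pass `scan.log` and `$status` to `scan_is_trustworthy`.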
