fix(sca): lowercase python packages when parsing from rule (semgrep/s…

…emgrep-proprietary#2525) synced from Pro 81a05221b7b546d457e680bafbc73ae6475b08ec
semgrep · Oct 31, 2024 · f982784 · f982784
1 parent 84bd900
commit f982784
Show file tree

Hide file tree

Showing 8 changed files with 378 additions and 0 deletions.
diff --git a/cli/src/semgrep/dependency_aware_rule.py b/cli/src/semgrep/dependency_aware_rule.py
@@ -22,6 +22,7 @@
 from semgrep.semgrep_interfaces.semgrep_output_v1 import Direct
 from semgrep.semgrep_interfaces.semgrep_output_v1 import Ecosystem
 from semgrep.semgrep_interfaces.semgrep_output_v1 import FoundDependency
+from semgrep.semgrep_interfaces.semgrep_output_v1 import Pypi
 from semgrep.semgrep_interfaces.semgrep_output_v1 import ScaInfo
 from semgrep.semgrep_interfaces.semgrep_output_v1 import Transitive
 from semgrep.semgrep_interfaces.semgrep_output_v1 import Transitivity
@@ -60,6 +61,10 @@ def parse_depends_on_yaml(entries: List[Dict[str, str]]) -> Iterator[DependencyP
         except InvalidSpecifier:
             raise SemgrepError(f"invalid semver range {semver_range}")
 
+        # Pypi package names are case insensitive
+        if ecosystem == Ecosystem(Pypi()):
+            package = package.lower()
+
         yield DependencyPattern(
             ecosystem=ecosystem, package=package, semver_range=semver_range
         )

diff --git a/...ncy_awarepython-pipfile-case-insensitive-package.yaml-dependency_awarepipfile/results.txt b/...ncy_awarepython-pipfile-case-insensitive-package.yaml-dependency_awarepipfile/results.txt
@@ -0,0 +1,108 @@
+=== command
+SEMGREP_USER_AGENT_APPEND="pytest" SEMGREP_SETTINGS_FILE="<MASKED>" SEMGREP_VERSION_CACHE_PATH="<MASKED>" SEMGREP_ENABLE_VERSION_CHECK="0" SEMGREP_SEND_METRICS="off" semgrep --strict --config rules/dependency_aware/python-pipfile-case-insensitive-package.yaml --json targets/dependency_aware/pipfile
+=== end of command
+
+=== exit code
+0
+=== end of exit code
+
+=== stdout - plain
+{
+  "errors": [],
+  "interfile_languages_used": [],
+  "paths": {
+    "scanned": [
+      "targets/dependency_aware/pipfile/Pipfile.lock",
+      "targets/dependency_aware/pipfile/sca-pipfile.py"
+    ]
+  },
+  "results": [
+    {
+      "check_id": "rules.dependency_aware.python-pipfile-sca",
+      "end": {
+        "col": 6,
+        "line": 1,
+        "offset": 5
+      },
+      "extra": {
+        "engine_kind": "OSS",
+        "fingerprint": "0x42",
+        "is_ignored": false,
+        "lines": "bad()",
+        "message": "oh no",
+        "metadata": {},
+        "metavars": {},
+        "sca_info": {
+          "dependency_match": {
+            "dependency_pattern": {
+              "ecosystem": "pypi",
+              "package": "pandas",
+              "semver_range": "<= 1.4.2"
+            },
+            "found_dependency": {
+              "allowed_hashes": {
+                "sha256": [
+                  "149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
+                  "ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
+                ]
+              },
+              "ecosystem": "pypi",
+              "line_number": 29,
+              "lockfile_path": "targets/dependency_aware/pipfile/Pipfile.lock",
+              "package": "pandas",
+              "transitivity": "unknown",
+              "version": "1.4.0"
+            },
+            "lockfile": "targets/dependency_aware/pipfile/Pipfile.lock"
+          },
+          "reachability_rule": true,
+          "reachable": true,
+          "sca_finding_schema": 20220913
+        },
+        "severity": "WARNING",
+        "validation_state": "NO_VALIDATOR"
+      },
+      "path": "targets/dependency_aware/pipfile/sca-pipfile.py",
+      "start": {
+        "col": 1,
+        "line": 1,
+        "offset": 0
+      }
+    }
+  ],
+  "skipped_rules": [],
+  "version": "0.42"
+}
+=== end of stdout - plain
+
+=== stderr - plain
+
+
+┌─────────────┐
+│ Scan Status │
+└─────────────┘
+  Scanning 2 files tracked by git with 0 Code rules, 1 Supply Chain rule:
+
+
+  CODE RULES
+  Nothing to scan.
+
+  SUPPLY CHAIN RULES
+  Scanning 1 file.
+
+
+┌──────────────┐
+│ Scan Summary │
+└──────────────┘
+
+Ran 1 rule on 2 files: 1 finding.
+
+=== end of stderr - plain
+
+=== stdout - color
+<same as above: stdout - plain>
+=== end of stdout - color
+
+=== stderr - color
+<same as above: stderr - plain>
+=== end of stderr - color
diff --git a/...dency_awarepython-poetry-case-insensitive-package.yaml-dependency_awarepoetry/results.txt b/...dency_awarepython-poetry-case-insensitive-package.yaml-dependency_awarepoetry/results.txt
@@ -0,0 +1,103 @@
+=== command
+SEMGREP_USER_AGENT_APPEND="pytest" SEMGREP_SETTINGS_FILE="<MASKED>" SEMGREP_VERSION_CACHE_PATH="<MASKED>" SEMGREP_ENABLE_VERSION_CHECK="0" SEMGREP_SEND_METRICS="off" semgrep --strict --config rules/dependency_aware/python-poetry-case-insensitive-package.yaml --json targets/dependency_aware/poetry
+=== end of command
+
+=== exit code
+0
+=== end of exit code
+
+=== stdout - plain
+{
+  "errors": [],
+  "interfile_languages_used": [],
+  "paths": {
+    "scanned": [
+      "targets/dependency_aware/poetry/poetry.lock",
+      "targets/dependency_aware/poetry/sca-poetry.py"
+    ]
+  },
+  "results": [
+    {
+      "check_id": "rules.dependency_aware.python-poetry-sca",
+      "end": {
+        "col": 6,
+        "line": 1,
+        "offset": 5
+      },
+      "extra": {
+        "engine_kind": "OSS",
+        "fingerprint": "0x42",
+        "is_ignored": false,
+        "lines": "bad()",
+        "message": "oh no",
+        "metadata": {},
+        "metavars": {},
+        "sca_info": {
+          "dependency_match": {
+            "dependency_pattern": {
+              "ecosystem": "pypi",
+              "package": "faker",
+              "semver_range": "<= 13.11.1"
+            },
+            "found_dependency": {
+              "allowed_hashes": {},
+              "ecosystem": "pypi",
+              "line_number": 17,
+              "lockfile_path": "targets/dependency_aware/poetry/poetry.lock",
+              "package": "faker",
+              "transitivity": "direct",
+              "version": "13.11.1"
+            },
+            "lockfile": "targets/dependency_aware/poetry/poetry.lock"
+          },
+          "reachability_rule": true,
+          "reachable": true,
+          "sca_finding_schema": 20220913
+        },
+        "severity": "WARNING",
+        "validation_state": "NO_VALIDATOR"
+      },
+      "path": "targets/dependency_aware/poetry/sca-poetry.py",
+      "start": {
+        "col": 1,
+        "line": 1,
+        "offset": 0
+      }
+    }
+  ],
+  "skipped_rules": [],
+  "version": "0.42"
+}
+=== end of stdout - plain
+
+=== stderr - plain
+
+
+┌─────────────┐
+│ Scan Status │
+└─────────────┘
+  Scanning 3 files tracked by git with 0 Code rules, 1 Supply Chain rule:
+
+
+  CODE RULES
+  Nothing to scan.
+
+  SUPPLY CHAIN RULES
+  Scanning 1 file.
+
+
+┌──────────────┐
+│ Scan Summary │
+└──────────────┘
+
+Ran 1 rule on 2 files: 1 finding.
+
+=== end of stderr - plain
+
+=== stdout - color
+<same as above: stdout - plain>
+=== end of stdout - color
+
+=== stderr - color
+<same as above: stderr - plain>
+=== end of stderr - color
diff --git a/...ython-requirements-case-insensitive-package.yaml-dependency_awarerequirements/results.txt b/...ython-requirements-case-insensitive-package.yaml-dependency_awarerequirements/results.txt
@@ -0,0 +1,103 @@
+=== command
+SEMGREP_USER_AGENT_APPEND="pytest" SEMGREP_SETTINGS_FILE="<MASKED>" SEMGREP_VERSION_CACHE_PATH="<MASKED>" SEMGREP_ENABLE_VERSION_CHECK="0" SEMGREP_SEND_METRICS="off" semgrep --strict --config rules/dependency_aware/python-requirements-case-insensitive-package.yaml --json targets/dependency_aware/requirements
+=== end of command
+
+=== exit code
+0
+=== end of exit code
+
+=== stdout - plain
+{
+  "errors": [],
+  "interfile_languages_used": [],
+  "paths": {
+    "scanned": [
+      "targets/dependency_aware/requirements/foo.py",
+      "targets/dependency_aware/requirements/requirements.txt"
+    ]
+  },
+  "results": [
+    {
+      "check_id": "rules.dependency_aware.python-requirements-sca",
+      "end": {
+        "col": 6,
+        "line": 1,
+        "offset": 5
+      },
+      "extra": {
+        "engine_kind": "OSS",
+        "fingerprint": "0x42",
+        "is_ignored": false,
+        "lines": "bad()",
+        "message": "oh no",
+        "metadata": {},
+        "metavars": {},
+        "sca_info": {
+          "dependency_match": {
+            "dependency_pattern": {
+              "ecosystem": "pypi",
+              "package": "pandas",
+              "semver_range": "<= 1.4.2"
+            },
+            "found_dependency": {
+              "allowed_hashes": {},
+              "ecosystem": "pypi",
+              "line_number": 37,
+              "lockfile_path": "targets/dependency_aware/requirements/requirements.txt",
+              "package": "pandas",
+              "transitivity": "direct",
+              "version": "1.4.2"
+            },
+            "lockfile": "targets/dependency_aware/requirements/requirements.txt"
+          },
+          "reachability_rule": true,
+          "reachable": true,
+          "sca_finding_schema": 20220913
+        },
+        "severity": "WARNING",
+        "validation_state": "NO_VALIDATOR"
+      },
+      "path": "targets/dependency_aware/requirements/foo.py",
+      "start": {
+        "col": 1,
+        "line": 1,
+        "offset": 0
+      }
+    }
+  ],
+  "skipped_rules": [],
+  "version": "0.42"
+}
+=== end of stdout - plain
+
+=== stderr - plain
+
+
+┌─────────────┐
+│ Scan Status │
+└─────────────┘
+  Scanning 3 files tracked by git with 0 Code rules, 1 Supply Chain rule:
+
+
+  CODE RULES
+  Nothing to scan.
+
+  SUPPLY CHAIN RULES
+  Scanning 1 file.
+
+
+┌──────────────┐
+│ Scan Summary │
+└──────────────┘
+
+Ran 1 rule on 2 files: 1 finding.
+
+=== end of stderr - plain
+
+=== stdout - color
+<same as above: stdout - plain>
+=== end of stdout - color
+
+=== stderr - color
+<same as above: stderr - plain>
+=== end of stderr - color
diff --git a/cli/tests/default/e2e-other/test_ssc.py b/cli/tests/default/e2e-other/test_ssc.py
@@ -346,6 +346,35 @@ def test_ssc__requirements_lockfiles(
     )
 
 
+@pytest.mark.parametrize(
+    "rule,target",
+    [
+        (
+            "rules/dependency_aware/python-poetry-case-insensitive-package.yaml",
+            "dependency_aware/poetry",
+        ),
+        (
+            "rules/dependency_aware/python-requirements-case-insensitive-package.yaml",
+            "dependency_aware/requirements",
+        ),
+        (
+            "rules/dependency_aware/python-pipfile-case-insensitive-package.yaml",
+            "dependency_aware/pipfile",
+        ),
+    ],
+)
+@pytest.mark.osemfail
+def test_ssc__pypi_package_name_lowercase(
+    run_semgrep_on_copied_files: RunSemgrep, snapshot, rule, target
+):
+    """
+    Pypi package names should be case insensitive
+    """
+    result = run_semgrep_on_copied_files(rule, target_name=target)
+
+    snapshot.assert_match(result.as_snapshot(), "results.txt")
+
+
 @pytest.mark.parametrize(
     "version,specifier,outcome",
     [

diff --git a/cli/tests/default/e2e/rules/dependency_aware/python-pipfile-case-insensitive-package.yaml b/cli/tests/default/e2e/rules/dependency_aware/python-pipfile-case-insensitive-package.yaml
@@ -0,0 +1,10 @@
+rules:
+  - id: python-pipfile-sca
+    pattern: bad()
+    r2c-internal-project-depends-on:
+      namespace: pypi
+      package: PanDas
+      version: <= 1.4.2
+    message: oh no
+    languages: [python]
+    severity: WARNING
diff --git a/cli/tests/default/e2e/rules/dependency_aware/python-poetry-case-insensitive-package.yaml b/cli/tests/default/e2e/rules/dependency_aware/python-poetry-case-insensitive-package.yaml
@@ -0,0 +1,10 @@
+rules:
+  - id: python-poetry-sca
+    pattern: bad()
+    r2c-internal-project-depends-on:
+      namespace: pypi
+      package: FaKer
+      version: <= 13.11.1
+    message: oh no
+    languages: [python]
+    severity: WARNING