semgrep / semgrep-docs Goto Github PK

While copying cli commands, the $ is copied with the command.

We could remove the $ from commands that are meant to be copied, like this section

From @msorens on the r2c community Slack:

Read an interesting thread above about // ruleid which I had not encountered before. So I then went to read about it in the docs but not able to find it. 😾 Could someone point me to info on it?

This documentation currently is available at https://github.com/returntocorp/semgrep-rules#testing-rules, but may fit nicely in the Writing Rules section of our documentation.

This section may also be an opportunity to discuss our rules template and Awesome Rulesets.

A user reported confusion around this topic. Wasn't sure if there's any way to set a policy other than making it default. I checked our docs and seems like we don't say anything about the projects page.

tagging @dlukeomalley and @chmccreery (as you implemented multi-policy, which probably needs a two-sentence explanation itself.)

When I use ctrl + f to search within in a page it moves the docs header to the middle of the page:

Repro steps:

1. Navigate to https://semgrep.dev/docs
2. Search for something in the search bar
3. Press enter / click the suggested result
4. URL changes to https://semgrep.dev/docs/#docusaurus-base-url-issue-banner-container and page does not navigate anywhere

I got an error when I ran make build-core as I was following the instructions to build semgrep-core from source.

make: *** No rule to make target `build-core'.  Stop.

This prevented me from following the recommended way to get a semgrep-core binary as I was setting up a development environment to contribute to semgrep-cli. I saw this slack thread, which showed that another person had encountered the same problem with that instruction. I ran git log -S'build-core' -- Makefile on the develop branch of semgrep and I found that the instruction fell out of date as a result of this code change which removed the Makefile target build-core.

I would like help to update the docs with the correct instruction for new contributors to build semgrep-core from source.

Search contrib.dlint.redos return nothing.

All links like contrib.dlint.redos.* are broken.

dlint.redos was removed in semgrep/semgrep-rules#1397

I came across some pages such as https://semgrep.dev/docs/semgrep-supply-chain/overview/#transitive-dependencies-and-reachability-analysis where they link to

### Further reading
[Software supply chain security is hard](https://r2c.dev/blog/2022/software-supply-chain-security-is-hard/)
[The best free, open-source supply-chain security tool? The lockfile](https://r2c.dev/blog/2022/the-best-free-open-source-supply-chain-tool-the-lockfile/)

r2c.dev -> DNS_PROBE_FINISHED_NXDOMAIN

I'm guessing all of these should be rebased to semgrep.dev, when I do this the links are still valid.

I suspect that the old docs still live in the server, where it was not overwritten by Docusaurus.
One example is CLI reference which is still cached by Google.
The new page has an URL named CLI usage, but the page title is still CLI reference.

Update documentation and workflow examples (there may be some in semgrep-app that need to be modified as well).

I was reading the documentation provided here and I noted that there was something missing in the XSS prevention documentation: Template strings.

As noted here, template strings can introduce an XSS vector in Django, it also might be a good ideia to add a static code analysis rule for that, but I'm not sure if Semgrep already has this rule implemented.

English is not my native language, but I think this is used incorrectly a few times. E.g. under Ellipsis Metavariables

I think

You can combine ellipsis and metavariables to match

should be

You can combine ellipses and metavariables to match

Similarly,
under Function definitions

In that case you can use ellipsis in place of the name

should be

In that case you can use an ellipsis in place of the name

please add a breakdown of each semgrep permission requested and why it’s needed

We could re-use the same copy from the app, or link / embed docs in the app:

As the header says, there are some sample rules that do not contain the language and severity properties.

One example is https://github.com/returntocorp/semgrep-docs/blob/main/docs/writing-rules/rule-syntax.md#complete-useless-comparison

Thank you for a great tool! :) I've used it to find Python code that can be cleaned up, and made more consistent (mostly in unittest classes).

https://semgrep.dev/docs/ignoring-findings/ is missing this type of ignore

It was relevant in this discussion: https://r2c-community.slack.com/archives/C01CS4Q2NFN/p1607340608013900

From Ben C.:

In the Docs, https://semgrep.dev/docs/trophy-case/, is this a list of bugs that were first discovered via semgrep? Either way a lead in paragraph to explain what it is would improve the docs IMO.

https://r2c-community.slack.com/archives/CK86BJ5DW/p1604269750403100

CC @minusworld @clintgibler @mschwager

Right now all the information around inline pr comments is just in a comment in an example yaml file. It would be easier to find if it had its own header.

(After making these changes, verify that searching the docs for inline pr comments will return a relevant result, which it doesn't do currently)

docs/troubleshooting/gitlab-sast.md has SAST_EXCLUDED_PATHS: "*.py, tests" but when GitLab converts that to --exclude rules it ends up as --exclude *.py --exclude tests where there's 2 spaces before tests. This was causing semgrep to not ignore paths containing "tests" because, I imagine, it's looking for " tests". I'm not sure if there should be follow-up issues for GitLab or semgrep but for now, the docs shouldn't suggest a broken value.

Last week we had worked to change the sidebar design. We changed the colors used in the background. we also changed our global link color.

for reference:
Nav background color- #29343D
Link color- #359DFD

can we have it back?

After clicking on another sidebar item, it flashes correctly for a second and then resets to highlighting this.

Follow up to some of the discussion here: #85

Here’s one idea that partially addresses the groupings comments but doesn’t combine pages like the rule and pattern syntax pages:

cc @chmccreery @mschwager @dlukeomalley @underyx

https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions

can you please change the samples to include the permissions that the workflows need?

# Name of this GitHub Actions workflow.
name: Semgrep

on:
  ...

permissions:
   contents: read

jobs:
  semgrep:
      ...

The title of the doc doesn’t need to be included in the table of contents and causes some confusion.

Example:

I’ve seen a few places where we use them more or less interchangeably. Let’s scrub the docs for consistency and accuracy.

Feedback from @Strajk via https://www.notion.so/Semgrep-feedback-a999dd63a00c413e8ec9213ec3ca36e0

cc @pabloest

Add a link below https://semgrep.dev/docs/awesome/ for a page listing all of r2c's rulesets and descriptions of them (more advertising yay)

Semgrep-docs used to have a search bar in the top-left corner, which made it very easy to navigate.

That search bar seems to have disappeared

We provide lots of examples in the pattern syntax and rule syntax pages. It would be awesome if each of these examples had an accompanying link to a playground snippet with the code + pattern filled out. That would allow users to quickly play around with our docs examples 👍

At some point it may make sense to have a small, embeddable version of the editor that we can simply iframe in the docs examples and can be run from there. Until then, this is a step in that direction.

Getting an error when trying to open the slack link in the docs
https://r2c.dev/slack

If you try searching on https://semgrep.dev/docs/search, users can only enter 1 letter at a time and have to re click into the search box to type a new character

https://semgrep.slack.com/archives/CK86BJ5DW/p1674228062395879

# ruleid: one, two, three, four, five