From 4adb638a1b04965f5585ddbdd63cdfb864df43bf Mon Sep 17 00:00:00 2001
From: David Weinehall
Date: Fri, 25 Oct 2024 14:21:13 +0300
Subject: [PATCH] Makefile: Ignore semgrep false positive

One of the semgrep tests for jinja2 seems to assume that Jinja2 is only used for HTML and flags use of Jinja2 as a risk for cross site scripting. Seeing as the use in CMT is for templating YAML-files, since it's only used during the build process, and since the input variables that are used for templating are not supplied externally, we can safely ignore this warning.

Signed-off-by: David Weinehall
---
 Makefile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index fc345b72..c3db9c6b 100644
--- a/Makefile
+++ b/Makefile
@@ -176,6 +176,12 @@ unhack_sources:
 # --exclude-rule generic.secrets.security.detected-generic-secret.detected-generic-secret.semgrep-legacy.30980
 # is necessary since it triggers on every single mention of the word secret
 # (which occurs a lot in various Kubernetes API names).
+# --exclude-rule python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2
+# is needed since it flags the risk of cross-site scripting in a file that is:
+# a.) Not used to template HTML (it's templating YAML)
+# b.) Not accepting external input (it's used by the build-system)
+semgrep_flags := --exclude-rule "generic.secrets.security.detected-generic-secret.detected-generic-secret.semgrep-legacy.30980"
+semgrep_flags += --exclude-rule "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"
 semgrep: unhack_sources
 	@cmd=semgrep ;\
 	if ! command -v $$cmd > /dev/null 2> /dev/null; then \
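Review bot: The new `semgrep_flags` line excludes the direct-use-of-jinja2 rule for the entire scan of tests/modified_repo, while the comment above it justifies the exclusion for a single file (YAML templating, no external input); any later Jinja2 use for HTML or with caller-supplied input in that tree would then go unflagged. A narrower suppression keeps the rule active everywhere else: a `# nosemgrep: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2` annotation on the offending line in that file, or at minimum a comment here naming the file the exclusion is for, e.g. `# Scope: only <TEMPLATING_FILE> uses Jinja2; revisit if Jinja2 is used elsewhere`, so the exclusion can be re-checked when templating code is added. The same scoping concern applies to the `$(semgrep_flags)` consumer in the second hunk. The `semgrep` recipe that reads the variable continues past the end of this hunk.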
@@ -186,7 +192,7 @@ semgrep: unhack_sources
 	printf -- "Note: if this is taking a very long time you might be behind a proxy;\n" ;\
 	printf -- "if that's the case you need to set the environment variable https_proxy\n\n" ;\
 	(cd tests/modified_repo ;\
-	$$cmd scan --exclude-rule "generic.secrets.security.detected-generic-secret.detected-generic-secret.semgrep-legacy.30980" --timeout=0 --no-git-ignore)
+	$$cmd scan $(semgrep_flags) --timeout=0 --no-git-ignore)
 
 bandit:
 	@cmd=bandit ;\