Extend the definition of 'analyzer' in Semgrep rules (#286)

mjambon · web-flow · commit 4a167cc716ac · 2024-09-09T16:45:22.000-07:00
This PR extends the Semgrep rule schema in accordance with the work I did on the OCaml side. The PR is semgrep/semgrep-proprietary#1641 and I'm going to push my work to it very soon. This PR also adds JSON Schema validation tests. They're useful to check that the JSON Schema is valid, that it validates valid Semgrep rules, and rejects invalid Semgrep rules - without having to rely on another git repo to test this. test plan: `make test` This will run `check-jsonschema`. `make setup` will ask the user to install it if it's missing. - [x] I ran `make setup && make` to update the generated code after editing a `.atd` file (TODO: have a CI check) - [x] I made sure we're still backward compatible with old versions of the CLI. For example, the Semgrep backend need to still be able to *consume* data generated by Semgrep 1.17.0. See https://atd.readthedocs.io/en/latest/atdgen-tutorial.html#smooth-protocol-upgrades
diff --git a/Makefile b/Makefile
@@ -74,6 +74,8 @@ clean:
 # This takes a while but ensures we use the correct versions of the atd tools.
 .PHONY: setup
 setup:
+	# Please install check-jsonschema (Python tool) if this fails:
+	check-jsonschema --version
 	opam update
 	opam install --deps-only .
 
diff --git a/rule_schema_v1.yaml b/rule_schema_v1.yaml
@@ -35,6 +35,38 @@ $defs:
     oneOf:
       - required: [ http ]
       - required: [ aws ]
+  analyzer:
+    title: Analyzer to use
+    oneOf:
+      - const: entropy
+      - const: entropy_v2
+      - const: redos
+      - type: object
+        properties:
+          kind:
+            const: entropy
+        required:
+          - kind
+        additionalProperties: false
+      - type: object
+        properties:
+          kind:
+            const: entropy_v2
+          mode:
+            oneOf:
+              - const: lax
+              - const: strict
+              - const: default
+        required:
+          - kind
+        additionalProperties: false
+      - type: object
+        properties:
+          kind:
+            const: redos
+        required:
+          - kind
+        additionalProperties: false
   # EXPERIMENTAL
   aws-request-content:
     properties:
@@ -227,7 +259,7 @@ $defs:
                   metavariable:
                     type: string
                   analyzer:
-                    type: string
+                    $ref: "#/$defs/analyzer"
   general-pattern-content:
     title: "Return finding where code matches against the following pattern"
     oneOf:
@@ -482,13 +514,10 @@ $defs:
         title: Inspect a metavariable with a given analyzer
         properties:
           analyzer:
-            type: string
-            title: Analyzer to use
+            $ref: "#/$defs/analyzer"
           metavariable:
             type: string
             title: Metavariable to analyze
-          options:
-            type: object
         required:
           - analyzer
           - metavariable
diff --git a/rule_schema_v2.atd b/rule_schema_v2.atd
@@ -432,9 +432,16 @@ type mvar = string
 
 type analyzer = [
   | Entropy <json name="entropy">
-  | EntropyV2 <json name="entropy_v2">
+  | EntropyV2 <json name="entropy_v2"> of entropy_analysis_mode
   | Redos <json name="redos">
 ]
+<json adapter.ocaml="Rule_schema_v2_adapter.Analyzer">
+
+type entropy_analysis_mode = [
+  | Lax <json name="lax">
+  | Default <json name="default">
+  | Strict <json name="strict">
+]
 
 (* --------------------------- *)
 (* Focus condition *)
diff --git a/rule_schema_v2_adapter.ml b/rule_schema_v2_adapter.ml
@@ -69,3 +69,97 @@ module ProjectDependsOn = struct
   let restore  (_atd : Yojson.Safe.t) : Yojson.Safe.t =
     failwith "Rule_schema_v2_adapter.ProjectDependsOn.restore not implemented"
 end
+
+(* This is the name of the field that contains the variant constructor
+   in the user-friendly YAML convention we use to represent variants.
+   See 'normalize_variant'. *)
+let kind_field_name = "kind"
+
+(*
+   A generic representation for variants. The parameters, if any, must be
+   an ATD record (JSON object, Yojson assoc).
+
+     type t = [
+       | A <json name="a">
+       | B <json name="b"> of b
+     ]
+
+     type b = {
+       (* all the fields are optional *)
+       ?k: int option;
+     }
+
+   1. OCaml A is represented as JSON "A". The adapter doesn't change it.
+   2. OCaml B {k = 42} is represented as JSON {"kind": "B", "k": 42}
+      which the adapter converts to JSON ["kind", {"k", 42}].
+
+   Additionally, the alternate notations {"kind": "A"} and "B" can be
+   supported in addition to "A" and {"kind": "B"}. This requires specifying
+   the constructors for which the alternate notation is supported.
+   Constructors that don't expect an argument must be listed as 'enum'.
+   Constructors that expect an object argument must be listed as 'obj'.
+   This gives us the following call:
+
+     normalize_generic_variant ~enum:["a"] ~obj:["b"] json
+
+   Without specifying 'enum' or 'obj', YAML/JSON interpretation will be
+   stricter by not tolerating the alternate notations {"kind": "A"} or "B".
+
+   YAML example:
+
+     - a
+
+     - kind: b
+       k: 42
+
+     # assuming default properties:
+     - kind: b
+
+     # shorthand for {kind: b}:
+     - b
+
+     # long form for "a":
+     - kind: a
+
+   TODO: make the ATD tools (atdgen, atdpy, ...) support these alternate
+   formats as well?
+   This would allow us to make adapters generic i.e. without
+   having to specify the 'enum' and 'obj' options. In the example above,
+   atdgen would read "b" as ["b", {}] and would read ["a", {}] or ["a", null]
+   as "a" without complaining.
+*)
+let normalize_variant
+    ?(enum = [])
+    ?(obj = [])
+    (orig : Yojson.Safe.t ) : Yojson.Safe.t =
+  match orig with
+  | `Assoc props ->
+      (match List.partition (fun (k, _v) -> k = kind_field_name) props with
+       | [_, `String kind], [] when List.mem kind enum -> `String kind
+       | [_, `String kind], other_fields ->
+           `List [`String kind; `Assoc other_fields]
+       | _missing_or_duplicate_kind, _ -> orig
+      )
+  | `String kind when List.mem kind obj -> `List [`String kind; `Assoc []]
+  | _string_or_malformed -> orig
+
+(* Unlike 'normalize_variant', this if fully generic.
+   (because we're going from a strict format to a looser format) *)
+let restore_variant
+  (atd : Yojson.Safe.t ) : Yojson.Safe.t =
+  match atd with
+  | `String _ as str -> str
+  | `List [`String _ as kind; `Assoc fields] ->
+      `Assoc ((kind_field_name, kind) :: fields)
+  | _malformed -> atd
+
+module Analyzer = struct
+  let normalize orig =
+    normalize_variant
+      ~enum:["entropy"; "redos"]
+      ~obj:["entropy_v2"]
+      orig
+
+  let restore (atd : Yojson.Safe.t) : Yojson.Safe.t =
+    restore_variant atd
+end
diff --git a/tests/Makefile b/tests/Makefile
@@ -2,6 +2,7 @@
 .PHONY: test
 test:
 	./test-ast
+	$(MAKE) -C jsonschema test
 
 .PHONY: clean
 clean:
diff --git a/tests/jsonschema/Makefile b/tests/jsonschema/Makefile
@@ -0,0 +1,4 @@
+# Validate sample YAML data against JSON Schemas
+.PHONY: test
+test:
+	./validate ../../rule_schema_v1.yaml rules
diff --git a/tests/jsonschema/rules/entropy-misspelled.fail.yaml b/tests/jsonschema/rules/entropy-misspelled.fail.yaml
@@ -0,0 +1,10 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer: entropt
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/rules/entropy-mode.fail.yaml b/tests/jsonschema/rules/entropy-mode.fail.yaml
@@ -0,0 +1,13 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer:
+            kind: entropy
+            # illegal option for 'entropy':
+            mode: strict
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/rules/entropy-short.ok.yaml b/tests/jsonschema/rules/entropy-short.ok.yaml
@@ -0,0 +1,10 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer: entropy
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/rules/entropy_v2-invalid-mode.fail.yaml b/tests/jsonschema/rules/entropy_v2-invalid-mode.fail.yaml
@@ -0,0 +1,12 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer:
+            kind: entropy_v2
+            mode: badass
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/rules/entropy_v2-mode.ok.yaml b/tests/jsonschema/rules/entropy_v2-mode.ok.yaml
@@ -0,0 +1,12 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer:
+            kind: entropy_v2
+            mode: strict
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/rules/entropy_v2-no-mode.ok.yaml b/tests/jsonschema/rules/entropy_v2-no-mode.ok.yaml
@@ -0,0 +1,11 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer:
+            kind: entropy_v2
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/rules/entropy_v2-short.ok.yaml b/tests/jsonschema/rules/entropy_v2-short.ok.yaml
@@ -0,0 +1,10 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer: entropy_v2
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING
diff --git a/tests/jsonschema/validate b/tests/jsonschema/validate
@@ -0,0 +1,33 @@
+#! /usr/bin/env bash
+#
+# Use a JSON Schema validator to check input files that should pass or fail.
+#
+# A file with the .ok.yaml extension is expected to pass validation.
+# A file with the .fail.yaml extenstion is expected to fail.
+#
+set -eu
+
+schema_file=$1
+input_dir=$2
+
+# Check that check-jsonschema is installed
+# Installation instructions:
+#   https://github.com/python-jsonschema/check-jsonschema
+check-jsonschema --version
+
+# Check well-formed files
+check-jsonschema --schemafile "$schema_file" "$input_dir"/*.ok.yaml
+
+exit_code=0
+
+# Check that malformed files are detected
+for input_file in "$input_dir"/*.fail.yaml; do
+  if check-jsonschema --schemafile "$schema_file" "$input_file"; then
+    echo "*** $input_file: should have failed validation" >&2
+    exit_code=1
+  else
+    echo "XFAIL (failed as expected)"
+  fi
+done
+
+exit "$exit_code"
