Extend the definition of 'analyzer' in Semgrep rules (#286)

This PR extends the Semgrep rule schema in accordance with the work I
did on the OCaml side. The PR is
semgrep/semgrep-proprietary#1641 and I'm going
to push my work to it very soon.

This PR also adds JSON Schema validation tests. They're useful to check
that the JSON Schema is valid, that it validates valid Semgrep rules,
and rejects invalid Semgrep rules - without having to rely on another
git repo to test this.

test plan: `make test`

This will run `check-jsonschema`. `make setup` will ask the user to
install it if it's missing.

- [x] I ran `make setup && make` to update the generated code after
editing a `.atd` file (TODO: have a CI check)
- [x] I made sure we're still backward compatible with old versions of
the CLI.
For example, the Semgrep backend need to still be able to *consume* data
generated
	  by Semgrep 1.17.0.
See
https://atd.readthedocs.io/en/latest/atdgen-tutorial.html#smooth-protocol-upgrades

Author: mjambon

Makefile

@@ -74,6 +74,8 @@ clean:
 # This takes a while but ensures we use the correct versions of the atd tools.
 .PHONY: setup
 setup:
+	# Please install check-jsonschema (Python tool) if this fails:
+	check-jsonschema --version
 	opam update
 	opam install --deps-only .
 

rule_schema_v1.yaml

@@ -35,6 +35,38 @@ $defs:
     oneOf:
       - required: [ http ]
       - required: [ aws ]
+  analyzer:
+    title: Analyzer to use
+    oneOf:
+      - const: entropy
+      - const: entropy_v2
+      - const: redos
+      - type: object
+        properties:
+          kind:
+            const: entropy
+        required:
+          - kind
+        additionalProperties: false
+      - type: object
+        properties:
+          kind:
+            const: entropy_v2
+          mode:
+            oneOf:
+              - const: lax
+              - const: strict
+              - const: default
+        required:
+          - kind
+        additionalProperties: false
+      - type: object
+        properties:
+          kind:
+            const: redos
+        required:
+          - kind
+        additionalProperties: false
   # EXPERIMENTAL
   aws-request-content:
     properties:
@@ -227,7 +259,7 @@ $defs:
                   metavariable:
                     type: string
                   analyzer:
-                    type: string
+                    $ref: "#/$defs/analyzer"
   general-pattern-content:
     title: "Return finding where code matches against the following pattern"
     oneOf:
@@ -482,13 +514,10 @@ $defs:
         title: Inspect a metavariable with a given analyzer
         properties:
           analyzer:
-            type: string
-            title: Analyzer to use
+            $ref: "#/$defs/analyzer"
           metavariable:
             type: string
             title: Metavariable to analyze
-          options:
-            type: object
         required:
           - analyzer
           - metavariable

rule_schema_v2.atd

@@ -432,9 +432,16 @@ type mvar = string
 
 type analyzer = [
   | Entropy <json name="entropy">
-  | EntropyV2 <json name="entropy_v2">
+  | EntropyV2 <json name="entropy_v2"> of entropy_analysis_mode
   | Redos <json name="redos">
 ]
+<json adapter.ocaml="Rule_schema_v2_adapter.Analyzer">
+
+type entropy_analysis_mode = [
+  | Lax <json name="lax">
+  | Default <json name="default">
+  | Strict <json name="strict">
+]
 
 (* --------------------------- *)
 (* Focus condition *)

rule_schema_v2_adapter.ml

@@ -69,3 +69,97 @@ module ProjectDependsOn = struct
   let restore  (_atd : Yojson.Safe.t) : Yojson.Safe.t =
     failwith "Rule_schema_v2_adapter.ProjectDependsOn.restore not implemented"
 end
+
+(* This is the name of the field that contains the variant constructor
+   in the user-friendly YAML convention we use to represent variants.
+   See 'normalize_variant'. *)
+let kind_field_name = "kind"
+
+(*
+   A generic representation for variants. The parameters, if any, must be
+   an ATD record (JSON object, Yojson assoc).
+
+     type t = [
+       | A <json name="a">
+       | B <json name="b"> of b
+     ]
+
+     type b = {
+       (* all the fields are optional *)
+       ?k: int option;
+     }
+
+   1. OCaml A is represented as JSON "A". The adapter doesn't change it.
+   2. OCaml B {k = 42} is represented as JSON {"kind": "B", "k": 42}
+      which the adapter converts to JSON ["kind", {"k", 42}].
+
+   Additionally, the alternate notations {"kind": "A"} and "B" can be
+   supported in addition to "A" and {"kind": "B"}. This requires specifying
+   the constructors for which the alternate notation is supported.
+   Constructors that don't expect an argument must be listed as 'enum'.
+   Constructors that expect an object argument must be listed as 'obj'.
+   This gives us the following call:
+
+     normalize_generic_variant ~enum:["a"] ~obj:["b"] json
+
+   Without specifying 'enum' or 'obj', YAML/JSON interpretation will be
+   stricter by not tolerating the alternate notations {"kind": "A"} or "B".
+
+   YAML example:
+
+     - a
+
+     - kind: b
+       k: 42
+
+     # assuming default properties:
+     - kind: b
+
+     # shorthand for {kind: b}:
+     - b
+
+     # long form for "a":
+     - kind: a
+
+   TODO: make the ATD tools (atdgen, atdpy, ...) support these alternate
+   formats as well?
+   This would allow us to make adapters generic i.e. without
+   having to specify the 'enum' and 'obj' options. In the example above,
+   atdgen would read "b" as ["b", {}] and would read ["a", {}] or ["a", null]
+   as "a" without complaining.
+*)
+let normalize_variant
+    ?(enum = [])
+    ?(obj = [])
+    (orig : Yojson.Safe.t ) : Yojson.Safe.t =
+  match orig with
+  | `Assoc props ->
+      (match List.partition (fun (k, _v) -> k = kind_field_name) props with
+       | [_, `String kind], [] when List.mem kind enum -> `String kind
+       | [_, `String kind], other_fields ->
+           `List [`String kind; `Assoc other_fields]
+       | _missing_or_duplicate_kind, _ -> orig
+      )
+  | `String kind when List.mem kind obj -> `List [`String kind; `Assoc []]
+  | _string_or_malformed -> orig
+
+(* Unlike 'normalize_variant', this if fully generic.
+   (because we're going from a strict format to a looser format) *)
+let restore_variant
+  (atd : Yojson.Safe.t ) : Yojson.Safe.t =
+  match atd with
+  | `String _ as str -> str
+  | `List [`String _ as kind; `Assoc fields] ->
+      `Assoc ((kind_field_name, kind) :: fields)
+  | _malformed -> atd
+
+module Analyzer = struct
+  let normalize orig =
+    normalize_variant
+      ~enum:["entropy"; "redos"]
+      ~obj:["entropy_v2"]
+      orig
+
+  let restore (atd : Yojson.Safe.t) : Yojson.Safe.t =
+    restore_variant atd
+end

tests/Makefile

@@ -2,6 +2,7 @@
 .PHONY: test
 test:
 	./test-ast
+	$(MAKE) -C jsonschema test
 
 .PHONY: clean
 clean:

tests/jsonschema/Makefile

@@ -0,0 +1,4 @@
+# Validate sample YAML data against JSON Schemas
+.PHONY: test
+test:
+	./validate ../../rule_schema_v1.yaml rules

tests/jsonschema/rules/entropy-misspelled.fail.yaml

@@ -0,0 +1,10 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer: entropt
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING

tests/jsonschema/rules/entropy-mode.fail.yaml

@@ -0,0 +1,13 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer:
+            kind: entropy
+            # illegal option for 'entropy':
+            mode: strict
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING

tests/jsonschema/rules/entropy-short.ok.yaml

@@ -0,0 +1,10 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer: entropy
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING

tests/jsonschema/rules/entropy_v2-invalid-mode.fail.yaml

@@ -0,0 +1,12 @@
+rules:
+  - id: test-entropy
+    patterns:
+      - pattern: "$STRING"
+      - metavariable-analysis:
+          metavariable: $STRING
+          analyzer:
+            kind: entropy_v2
+            mode: badass
+    message: Semgrep found a match
+    languages: [python]
+    severity: WARNING