UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

120 lines (119 loc) 3.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
rules: - id: jdbc-sql-formatted-string metadata: cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" owasp: - A01:2017 - Injection - A03:2021 - Injection source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC asvs: section: 'V5: Validation, Sanitization and Encoding Verification Requirements' control_id: 5.3.5 Injection control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements version: '4' category: security technology: - jdbc references: - https://owasp.org/Top10/A03_2021-Injection cwe2022-top25: true cwe2021-top25: true subcategory: - audit likelihood: LOW impact: HIGH confidence: LOW message: >- Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject("select * from table where name = ?", Integer.class, parameterName);' patterns: - pattern-inside: | $JDBC = new JdbcTemplate(...); ... - pattern-either: # Unsafe queryForObject - pattern: $JDBC.queryForObject($STR + $VAR, ...); - pattern: $JDBC.queryForObject(String.format(...), ...); - pattern: | String $Q = $STR + $VAR; ... $JDBC.queryForObject($Q, ...); - pattern: | String $Q = String.format(...); ... $JDBC.queryForObject($Q, ...); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.queryForObject($Q, ...); - pattern: $JDBC.queryForList($STR + $VAR); - pattern: $JDBC.queryForList(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.queryForList($Q); - pattern: | String $Q = String.format(...); ... $JDBC.queryForList($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.queryForList($Q, ...); - pattern: $JDBC.update($STR + $VAR); - pattern: $JDBC.update(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.update($Q); - pattern: | String $Q = String.format(...); ... $JDBC.update($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.update($Q, ...); - pattern: $JDBC.execute($STR + $VAR); - pattern: $JDBC.execute(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.execute($Q); - pattern: | String $Q = String.format(...); ... $JDBC.execute($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.execute($Q, ...); - pattern: $JDBC.insert($STR + $VAR); - pattern: $JDBC.insert(String.format(...)); - pattern: | String $Q = $STR + $VAR; ... $JDBC.insert($Q); - pattern: | String $Q = String.format(...); ... $JDBC.insert($Q); - pattern: | StringBuilder $Q = new StringBuilder(...); ... $Q.append($STR + $VAR); ... $JDBC.insert($Q, ...); severity: WARNING languages: - java