UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

72 lines (71 loc) 2.05 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
rules: - id: tainted-html-string message: >- Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead. metadata: cwe: - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" owasp: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection category: security technology: - aws-lambda cwe2022-top25: true cwe2021-top25: true subcategory: - vuln likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM references: - https://owasp.org/Top10/A03_2021-Injection languages: - javascript - typescript severity: WARNING mode: taint pattern-sources: - patterns: - pattern-either: - pattern-inside: | exports.handler = function ($EVENT, ...) { ... } - pattern-inside: | function $FUNC ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern-inside: | $FUNC = function ($EVENT, ...) {...} ... exports.handler = $FUNC - pattern: $EVENT pattern-sinks: - patterns: - pattern-either: - patterns: - pattern-either: - pattern: | "$HTMLSTR" + $EXPR - pattern: | "$HTMLSTR".concat(...) - pattern: $UTIL.format($HTMLSTR, ...) - pattern: format($HTMLSTR, ...) - metavariable-pattern: metavariable: $HTMLSTR language: generic pattern: <$TAG ... - patterns: - pattern: | `...${...}...` - pattern-regex: | .*<\w+.* - pattern-not-inside: | console.$LOG(...)