UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

43 lines (42 loc) 1.47 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
rules: - id: wp-sql-injection-audit patterns: - pattern-either: - pattern: $wpdb->query(...) - pattern: $wpdb->get_var(...) - pattern: $wpdb->get_row(...) - pattern: $wpdb->get_col(...) - pattern: $wpdb->get_results(...) - pattern: $wpdb->replace(...) - pattern-not: $wpdb->prepare(...) - pattern-not: $wpdb->delete(...) - pattern-not: $wpdb->update(...) - pattern-not: $wpdb->insert(...) message: >- Detected unsafe API methods. This could lead to SQL Injection if the used variable in the functions are user controlled and not properly escaped or sanitized. In order to prevent SQL Injection, use safe api methods like "$wpdb->prepare" properly or escape/sanitize the data properly. paths: include: - wp-content/plugins/**/*.php languages: - php severity: WARNING metadata: confidence: LOW likelihood: LOW impact: HIGH category: security subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#sql-injection - https://owasp.org/www-community/attacks/SQL_Injection owasp: - A03:2021 - Injection cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"