UNPKG

mcp-server-semgrep

Version:

MCP Server for Semgrep Integration - static code analysis with AI

github.com/Szowesgad/mcp-server-semgrep

Szowesgad/mcp-server-semgrep

42 lines (41 loc) 1.34 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
rules: - id: subprocess-shell-true patterns: - pattern: subprocess.$FUNC(..., shell=$TRUE, ...) - metavariable-pattern: metavariable: $TRUE pattern: | True - pattern-not: subprocess.$FUNC("...", shell=True, ...) - focus-metavariable: $TRUE message: >- Found 'subprocess' function '$FUNC' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. fix: | False metadata: source-rule-url: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html owasp: - A01:2017 - Injection - A03:2021 - Injection cwe: - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" references: - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess - https://docs.python.org/3/library/subprocess.html category: security technology: - python cwe2022-top25: true cwe2021-top25: true subcategory: - 'secure default' likelihood: HIGH impact: LOW confidence: MEDIUM languages: [python] severity: ERROR