Static Analysis with Semgrep

Hi,

I’m very pleased to announce that the Semgrep static analysis toolkit can now be used to analyse Julia code. Semgrep is a fast, open source, static analysis engine for finding bugs, detecting dependency vulnerabilities, and enforcing coding standards. Brandon Wu, who did most of the work supporting Julia[1], wrote up a blogpost about this recently: Announcing Semgrep’s experimental support for Julia

As with most static analysis tools, one needs to write relevant rules that are matched against your source code. The biggest advantage of Semgrep, IMO, is the fact that the rules are written on surface syntax, not on the AST. This makes it much easier to write rules – they look very similar to the source.

I’ve made a start to begin writing some simple rules here: GitHub - JuliaComputing/semgrep-rules-julia: Julia rules for semgrep. You should look there for examples of how to write rules. It would be great if there are contributions to that – my aim is to create a comprehensive ruleset that can be widely deployed across the community.

Some Semgrep resources

Semgrep has additional commercial offerings, but the core CLI is LGPL licensed. (I’m not affiliated)

I’m quite excited at this technology, I think this can be the start of comprehensive and high quality static analysis across all Julia codebases. Please experiment with this and let me know if you agree … or not!

Reporting Issues

Issues with the existing Julia rules, implementations of new rules, and ideas for possible rules should go into the semgrep-rules-julia repo. Any issues with Julia support in the core toolkit should be reported at the semgrep repo or their community slack. Or, just message me. Happy to answer any questions.

Regards

Avik

[1] Semgrep builds on top of the tree-sitter parser/grammar. Appreciation therefore to Sergio Vargas who made tons of improvements to that recently. Those improvements were critical for Semgrep’s Julia support.

15 Likes
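To illustrate the "rules look like the source" point, here is an added example of a Semgrep rule for Julia; it is not taken from the semgrep-rules-julia repo or the original post. The rule id, message, and the assumption that Semgrep's experimental Julia support matches these call shapes are mine; it flags `eval(Meta.parse(...))` on a non-literal string, a classic code-injection sink, using metavariables (`$S`, `$M`) and the `"..."` string-literal wildcard.

```yaml
# Hypothetical rule file (e.g. julia-eval-of-parsed-string.yaml), not from
# the semgrep-rules-julia repo. Run with: semgrep --config <this file> <dir>
rules:
  - id: julia-eval-of-parsed-string
    languages: [julia]
    severity: WARNING
    message: >-
      eval(Meta.parse($S)) executes whatever code the string $S contains.
      If $S can be influenced by external input (files, network, CLI), this
      is arbitrary code execution. Prefer a dispatch table (Dict of allowed
      functions) or an explicit allow-list of actions instead of parsing
      and evaluating strings.
    metadata:
      category: security
      cwe: "CWE-94: Improper Control of Generation of Code"
    patterns:
      # Surface-syntax patterns: written the way the Julia call looks.
      - pattern-either:
          # eval(Meta.parse(<anything>)) -- $S is a metavariable bound to
          # whatever expression appears as the argument
          - pattern: eval(Meta.parse($S))
          # same sink via the explicit module form
          - pattern: Core.eval($M, Meta.parse($S))
      # "..." matches any string literal, so a hard-coded string such as
      # eval(Meta.parse("1 + 1")) is treated as benign and not reported.
      - pattern-not: eval(Meta.parse("..."))
      - pattern-not: Core.eval($M, Meta.parse("..."))
```

Semgrep's own test convention pairs a rule file with a Julia source file of the same name in which a `# ruleid: julia-eval-of-parsed-string` comment marks the line that must match (e.g. `eval(Meta.parse(readline()))`) and `# ok: julia-eval-of-parsed-string` marks one that must not (e.g. `eval(Meta.parse("1 + 1"))`); `semgrep --test` then checks both.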

Here’s a blog post that describes the motivation for semgrep, compared to other static analysis tools. I found it a useful articulation: Modern Static Analysis: how the best tools empower creativity

1 Like