Add semgrep github action (#4211)

* Add semgrep github action * Add custom semgrep rules for sensu-go * Fix nil context issues found by semgrep Signed-off-by: Eric Chlebek <[email protected]>
sensu · Mar 2, 2021 · 6b03482 · 6b03482
1 parent 711d9d9
commit 6b03482
Show file tree

Hide file tree

Showing 17 changed files with 195 additions and 67 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,23 @@
+name: Semgrep
+on: [pull_request]
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+    name: Check
+    steps:
+      - uses: actions/checkout@v1
+      - name: Semgrep
+        id: semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: p/dgryski.semgrep-go
+  semgrep-sensu: # looks for .semgrep.yml due to missing config section
+    runs-on: ubuntu-latest
+    name: Check
+    steps:
+      - uses: actions/checkout@v1
+      - name: SemgrepSensu
+        id: semgrep-sensu
+        uses: returntocorp/semgrep-action@v1
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.semgrep.yml b/.semgrep.yml
@@ -0,0 +1,94 @@
+rules:
+  - id: resolveparams-passed-nil-context
+    patterns:
+      - pattern: |
+          $FUNC(..., graphql.ResolveParams{...}, ...)
+      - pattern-not-inside: |
+          $FUNC(..., graphql.ResolveParams{..., Context: $X, ...,}, ...)
+    message: graphql.ResolveParams literal with nil context passed to function
+    languages: [go]
+    severity: ERROR
+  - id: resolveparams-nil-context-var
+    patterns:
+      - pattern: var $X graphql.ResolveParams
+      - pattern-not-inside: |
+            var $X graphql.ResolveParams
+            ...
+            $X.Context = $Y
+    message: graphql.ResolveParams created with nil context
+    languages: [go]
+    severity: ERROR
+  - id: resolveparams-nil-context-var-2
+    patterns:
+      - pattern: $X := graphql.ResolveParams{}
+      - pattern-not-inside: |
+            $X := graphql.ResolveParams{}
+            ...
+            $X.Context = $Y
+    message: graphql.ResolveParams created with nil context
+    languages: [go]
+    severity: ERROR
+  - id: params-passed-nil-context
+    patterns:
+      - pattern: |
+          $FUNC(..., graphql.Params{...}, ...)
+      - pattern-not-inside: |
+          $FUNC(..., graphql.Params{..., Context: $X, ...,}, ...)
+    message: graphql.Params literal with nil context passed to function
+    languages: [go]
+    severity: ERROR
+  - id: params-nil-context-var
+    patterns:
+      - pattern: var $X graphql.Params
+      - pattern-not-inside: |
+            var $X graphql.Params
+            ...
+            $X.Context = $Y
+    message: graphql.Params created with nil context
+    languages: [go]
+    severity: ERROR
+  - id: params-nil-context-var-2
+    patterns:
+      - pattern: $X := graphql.Params{}
+      - pattern-not-inside: |
+            $X := graphql.Params{}
+            ...
+            $X.Context = $Y
+    message: graphql.Params created with nil context
+    languages: [go]
+    severity: ERROR
+  - id: relay-params-passed-nil-context
+    patterns:
+      - pattern: |
+          $FUNC(..., NodeResolverParams{...}, ...)
+      - pattern-not-inside: |
+          $FUNC(..., NodeResolverParams{..., Context: $X, ...,}, ...)
+    message: NodeResolverParams literal with nil context passed to function
+    languages: [go]
+    severity: ERROR
+  - id: relay-params-nil-context-var
+    patterns:
+      - pattern: var $X NodeResolverParams
+      - pattern-not-inside: |
+            var $X NodeResolverParams
+            ...
+            $X.Context = $Y
+    message: NodeResolverParams created with nil context
+    languages: [go]
+    severity: ERROR
+  - id: relay-params-nil-context-var-2
+    patterns:
+      - pattern: $X := NodeResolverParams{}
+      - pattern-not-inside: |
+            $X := NodeResolverParams{}
+            ...
+            $X.Context = $Y
+    message: NodeResolverParams created with nil context
+    languages: [go]
+    severity: ERROR
+  - id: generic-resolver-params-nil-context
+    patterns:
+      - pattern-regex: .*ResolverParams\{\}
+    message: ResolverParams created with nil context
+    languages: [go]
+    severity: ERROR
diff --git a/backend/apid/graphql/asset_test.go b/backend/apid/graphql/asset_test.go
@@ -1,6 +1,7 @@
 package graphql
 
 import (
+	"context"
 	"testing"
 
 	v2 "github.com/sensu/sensu-go/api/core/v2"
@@ -13,7 +14,7 @@ func TestAssetTypeToJSONField(t *testing.T) {
 	src := v2.FixtureAsset("name")
 	imp := &assetImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }
diff --git a/backend/apid/graphql/check_test.go b/backend/apid/graphql/check_test.go
@@ -40,7 +40,7 @@ func TestCheckTypeHistoryFieldImpl(t *testing.T) {
 	check := corev2.FixtureCheck("test")
 	for _, tc := range testCases {
 		t.Run(fmt.Sprintf("w/ argument of %d", tc.expectedLen), func(t *testing.T) {
-			params := schema.CheckHistoryFieldResolverParams{}
+			params := schema.CheckHistoryFieldResolverParams{ResolveParams: graphql.ResolveParams{Context: context.Background()}}
 			params.Source = check
 			params.Args.First = tc.firstArg
 
@@ -94,7 +94,7 @@ func TestCheckTypeIsSilencedField(t *testing.T) {
 
 	// return associated silence
 	impl := &checkImpl{}
-	res, err := impl.IsSilenced(graphql.ResolveParams{Source: check})
+	res, err := impl.IsSilenced(graphql.ResolveParams{Source: check, Context: context.Background()})
 	require.NoError(t, err)
 	assert.True(t, res)
 }
@@ -312,7 +312,7 @@ func TestCheckTypeToJSONField(t *testing.T) {
 	src := corev2.FixtureCheck("name")
 	imp := &checkImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }
@@ -321,7 +321,7 @@ func TestCheckConfigTypeToJSONField(t *testing.T) {
 	src := corev2.FixtureCheckConfig("name")
 	imp := &checkCfgImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }
@@ -370,7 +370,7 @@ func TestCheckTypeOutputFieldImpl(t *testing.T) {
 	check.Output = "123456789012345678901234567890"
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			params := schema.CheckOutputFieldResolverParams{}
+			params := schema.CheckOutputFieldResolverParams{ResolveParams: graphql.ResolveParams{Context: context.Background()}}
 			params.Context = context.Background()
 			params.Source = check
 			params.Args.First = tc.firstArg

diff --git a/backend/apid/graphql/entity_test.go b/backend/apid/graphql/entity_test.go
@@ -18,7 +18,7 @@ func TestEntityTypeMetadataField(t *testing.T) {
 	src := corev2.FixtureEntity("bug")
 	impl := entityImpl{}
 
-	res, err := impl.Metadata(graphql.ResolveParams{Source: src})
+	res, err := impl.Metadata(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 	assert.IsType(t, v2.ObjectMeta{}, res)
@@ -35,7 +35,7 @@ func TestEntityTypeRelatedField(t *testing.T) {
 	}, nil).Once()
 
 	cfg := ServiceConfig{EntityClient: client}
-	params := schema.EntityRelatedFieldResolverParams{}
+	params := schema.EntityRelatedFieldResolverParams{ResolveParams: graphql.ResolveParams{Context: context.Background()}}
 	params.Context = contextWithLoaders(context.Background(), cfg)
 	params.Source = source
 	params.Args.Limit = 10
@@ -90,7 +90,7 @@ func TestEntityTypeLastSeenField(t *testing.T) {
 
 	entity := corev2.FixtureEntity("id")
 	entity.LastSeen = now.Unix()
-	params := graphql.ResolveParams{}
+	params := graphql.ResolveParams{Context: context.Background()}
 	params.Source = entity
 
 	impl := entityImpl{}
@@ -111,7 +111,7 @@ func TestEntityTypeEventsField(t *testing.T) {
 	}, nil).Once()
 
 	// params
-	params := schema.EntityEventsFieldResolverParams{}
+	params := schema.EntityEventsFieldResolverParams{ResolveParams: graphql.ResolveParams{Context: context.Background()}}
 	cfg := ServiceConfig{EventClient: client}
 	params.Context = contextWithLoadersNoCache(context.Background(), cfg)
 	params.Args.Filters = []string{}
@@ -175,7 +175,7 @@ func TestEntityTypeToJSONField(t *testing.T) {
 	src := corev2.FixtureEntity("name")
 	imp := &entityImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }
diff --git a/backend/apid/graphql/event_filter_test.go b/backend/apid/graphql/event_filter_test.go
@@ -35,7 +35,7 @@ func TestEventFilterTypeToJSONField(t *testing.T) {
 	src := corev2.FixtureEventFilter("my-filter")
 	imp := &eventFilterImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }
diff --git a/backend/apid/graphql/event_test.go b/backend/apid/graphql/event_test.go
@@ -41,7 +41,7 @@ func TestEventTypeIsNewIncidentFieldImpl(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(fmt.Sprintf("event %s", tc.assertion), func(t *testing.T) {
-			params := graphql.ResolveParams{}
+			params := graphql.ResolveParams{Context: context.Background()}
 			params.Source = tc.event
 
 			impl := eventImpl{}

diff --git a/backend/apid/graphql/handler_test.go b/backend/apid/graphql/handler_test.go
@@ -45,13 +45,13 @@ func TestHandlerTypeMutatorField(t *testing.T) {
 
 	// Success
 	client.On("FetchMutator", mock.Anything, mutator.Name).Return(mutator, nil).Once()
-	res, err := impl.Mutator(graphql.ResolveParams{Source: handler})
+	res, err := impl.Mutator(graphql.ResolveParams{Source: handler, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 
 	// No mutator
 	handler.Mutator = ""
-	res, err = impl.Mutator(graphql.ResolveParams{Source: handler})
+	res, err = impl.Mutator(graphql.ResolveParams{Source: handler, Context: context.Background()})
 	require.NoError(t, err)
 	assert.Nil(t, res)
 }
@@ -60,7 +60,7 @@ func TestHandlerTypeToJSONField(t *testing.T) {
 	src := corev2.FixtureHandler("name")
 	imp := &handlerImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }
diff --git a/backend/apid/graphql/health_test.go b/backend/apid/graphql/health_test.go
@@ -1,6 +1,7 @@
 package graphql
 
 import (
+	"context"
 	"reflect"
 	"strconv"
 	"testing"
@@ -28,7 +29,7 @@ func Test_clusterHealthImpl_Etcd(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &clusterHealthImpl{}
-			got, err := r.Etcd(graphql.ResolveParams{Source: tt.source})
+			got, err := r.Etcd(graphql.ResolveParams{Source: tt.source, Context: context.Background()})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("clusterHealthImpl.Etcd() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -58,7 +59,7 @@ func Test_etcdClusterHealthImpl_Alarms(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &etcdClusterHealthImpl{}
-			got, err := r.Alarms(graphql.ResolveParams{Source: tt.source})
+			got, err := r.Alarms(graphql.ResolveParams{Source: tt.source, Context: context.Background()})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("etcdClusterHealthImpl.Alarms() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -88,7 +89,7 @@ func Test_etcdClusterHealthImpl_Members(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &etcdClusterHealthImpl{}
-			got, err := r.Members(graphql.ResolveParams{Source: tt.source})
+			got, err := r.Members(graphql.ResolveParams{Source: tt.source, Context: context.Background()})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("etcdClusterHealthImpl.Members() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -118,7 +119,7 @@ func Test_etcdAlarmMemberImpl_MemberID(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &etcdAlarmMemberImpl{}
-			got, err := r.MemberID(graphql.ResolveParams{Source: tt.source})
+			got, err := r.MemberID(graphql.ResolveParams{Source: tt.source, Context: context.Background()})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("etcdAlarmMemberImpl.MemberID() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -148,7 +149,7 @@ func Test_etcdAlarmMemberImpl_Alarm(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &etcdAlarmMemberImpl{}
-			got, err := r.Alarm(graphql.ResolveParams{Source: tt.source})
+			got, err := r.Alarm(graphql.ResolveParams{Source: tt.source, Context: context.Background()})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("etcdAlarmMemberImpl.Alarm() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -178,7 +179,7 @@ func Test_etcdClusterMemberHealthImpl_MemberID(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &etcdClusterMemberHealthImpl{}
-			got, err := r.MemberID(graphql.ResolveParams{Source: tt.source})
+			got, err := r.MemberID(graphql.ResolveParams{Source: tt.source, Context: context.Background()})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("etcdClusterMemberHealthImpl.MemberID() error = %v, wantErr %v", err, tt.wantErr)
 				return

diff --git a/backend/apid/graphql/hook_test.go b/backend/apid/graphql/hook_test.go
@@ -1,6 +1,7 @@
 package graphql
 
 import (
+	"context"
 	"testing"
 
 	v2 "github.com/sensu/sensu-go/api/core/v2"
@@ -13,7 +14,7 @@ func TestHookConfigTypeToJSONField(t *testing.T) {
 	src := v2.FixtureHookConfig("name")
 	imp := &hookCfgImpl{}
 
-	res, err := imp.ToJSON(graphql.ResolveParams{Source: src})
+	res, err := imp.ToJSON(graphql.ResolveParams{Source: src, Context: context.Background()})
 	require.NoError(t, err)
 	assert.NotEmpty(t, res)
 }