Matheus Bernardes 14:11:57

Introducing a CLI SAST (Static application security testing) tool which was built with the intent to find vulnerable Clojure code via that use a simple but it can also be used to find any kind of By now we're going to focus our efforts on properly documenting and testing all the projects in the clj-holmes ecosystem, but please feel free to open discussions and contribute to it.

πŸ‘ 13
πŸš€ 7

@U02M2U71Q79 Interesting project. I see in the readme that you were inspired by grape. I've also used that inspiration to use clojure.spec here:

Matheus Bernardes 17:11:07

Yeah, I'm still working on the doc, but grasp was also one of my inspirations t-hanks. I just wrote it from "scratch" because I was trying to learn new things during the process.


Of course! :)

Matheus Bernardes 17:11:45

Also, the idea was to provide a really simple API for creating rules, since the security folks on my team do not know exactly how to write code.


Is this like semgrep but Clojure-specific?

Matheus Bernardes 19:11:23

It is exactly where I'm aiming @U05094X3J


Yeah, tooling-wise the sky is the limit. Something like grasp seems a reasonable baseline; not sure if that will survive a macroexpansion like -> (clj-kondo certainly does that). Something like is very accurately implementable with Eastwood (tools.analyzer) tech: it will survive arbitrary macroexpansions, and values known at compile-time (e.g. "MD5" is the value of a var). Either way, 👍 && 🎩 s off!

t-hanks 1

It depends entirely on the use case. Currently grasp doesn't expand any macros. But I can imagine hooking it up with tools.analyzer or so wouldn't be hard, and then it could. Right now it (ab)uses SCI to understand the ns form with respect to resolving symbols, but this could also be handled 1) using the clj-kondo approach, or 2) tools.analyzer.


The use case can also be to grep for the surface form, not the expanded form.


I'm using grasp myself mostly for statistical purposes: how do people use X, to inform choices like: how much time do I want to spend on feature X for clj-kondo or SCI or JIRA-1xxx

Matheus Bernardes 11:11:12

In the beginning of the project we tried to use tools.analyzer, but we kind of got lost in the AST and we did not have the time to understand it, since we're going to use it at the company we work for 😕 so the current use case is to only grep the surface without macro expansion.


Sorry for the necro; I’m curious what motivated having this as a separate tool vs integrating with semgrep (or other tools)? Are there some limitations to semgrep that make it unfit for Clojure usage?

Matheus Bernardes 12:11:27

I was just in the mood to code it from scratch. But it’s on my personal todo to implement it using semgrep.

✅ 1

Ah, thanks. Let me know if I can help out, as I'm using semgrep at work for other stuff and it would be cool to apply it to Clojure too.

👀 1

Release [com.wsscode/pathom3 "2021.11.16-alpha"]! This release includes:
• Add extension point ::p.error/wrap-attribute-error
• Fix batch calls with distinct parameters
• Add pco/final-value helper to mark a value as final

❤️ 12
🎉 2