@U02M2U71Q79 Interesting project. I see in the readme that you were inspired by grape. I've also used that inspiration to use clojure.spec here: https://github.com/borkdude/grasp.

Yeah, I'm still working in the doc but grasp was also one of my inspirations . I just wrote it from "scratch" because I was trying to learn new things during the process.

Of course! :)

Also the idea was to provide a really simple API for creating rules since the security folks from my team does not know exactly how to write code.

It's this like semgrep but clojure specific? https://semgrep.dev/

it is exactly where I'm aiming @U05094X3J

yeah tooling-wise sky is the limit. something like grasp seems a reasonable baseline, not sure if that will survive a macroexpansion like -> (clj-kondo certainly does that) Something like https://github.com/clj-holmes/clj-holmes-rules/blob/295aafe4420b8e9e2ce1f9f9e795233fd8c5f189/security/weak-hash-function-md5.yml#L11 is very accurately implementable with Eastwood (tools.analyzer) tech - it will survive arbitrary macroexpansions, and values known at compile-time (e.g. "MD5" is the value of a var) Either way, 👏 && 🎩 s off!

It depends entirely on the use case. Currently grasp doesn't expand any macros. But I can imagine hooking it up with tools analyzer or so wouldn't hard and then it could. Right now it (ab)uses SCI to understand the ns form with respect to resolving symbols, but this could also be handled 1) using the clj-kondo approach, or 2) tools analyzer.

The use case can also be to grep for the surface form, not the expanded form

I'm using grasp myself mostly for statistical purposes: how do people use X, to inform choices like: how much time do I want to spend on feature X for clj-kondo or SCI or JIRA-1xxx

In the beginning of the project we tried to use tools.analyzer but we kind of get lost in the AST and we did not had the time to understand it since we're going to use it at the company we work for 😕 so the currently use case is to only grep the surface without macro expansion.

sorry for the necro; I’m curious what motivated having this as a separate tool vs integrating with semgrep (or other tools)? Are there some limitations to semgrep that make it unfit for clojure usage?

I was just on the mood to code it from scratch. But it’s in my personal todo to implement it using semgrep.

ah thanks. let me know if i can help out, as im using semgrep at work for other stuff and it would be cool to apply it to clojure too