When I open a VS Code environment that uses Dev Containers, this is the output from the Semgrep extension:

[Error - 9:36:44 PM] Client Semgrep: connection to server is erroring. Shutting down server.
[Error - 9:36:44 PM] Stopping server failed
Error: Client is not running and can't be stopped. It's current state is: starting
	at Wd.shutdown (/home/user/.vscode-server/extensions/semgrep.semgrep-1.4.1/out/main.js:39:8615)
	at Wd.stop (/home/user/.vscode-server/extensions/semgrep.semgrep-1.4.1/out/main.js:39:8194)
	at Wd.stop (/home/user/.vscode-server/extensions/semgrep.semgrep-1.4.1/out/main.js:39:27204)
	at Wd.handleConnectionError (/home/user/.vscode-server/extensions/semgrep.semgrep-1.4.1/out/main.js:39:13955)
	at runMicrotasks (<anonymous>)
	at processTicksAndRejections (node:internal/process/task_queues:96:5)

Hi there to the R2C team 👋!
Please publish this extension to the Open VSX marketplace.

Context

Unfortunately, as Microsoft prohibits usages of the Microsoft marketplace by any other products or redistribution of .vsix files from it, in order to use VS Code extensions in non-Microsoft products, we kindly ask that you take ownership of the VS Code extension namespace in Open VSX and publish this extension on Open VSX.

What is Open VSX? Why does it exist?

Open VSX is a vendor neutral alternative to the MS marketplace used by most other derivatives of VS Code like VSCodium, Gitpod, OpenVSCode, Theia-based IDEs, and so on.

How can you publish to Open VSX?

The docs to publish an extension can be found here. This process is straightforward and shouldn't take too long. Essentially, you need an authentication token and to execute the command ovsx publish to publish your extension. At Open VSX we also wrote a short doc explaining an easy way to use GitHub Actions to automate the whole publishing process.

Several users have now told us that they have Semgrep installed, and can run it from inside their VS Code terminal, but the extension is not picking it up. It may be a pip/pip3 issue (at least that seems to have resolved it for one person). Most are using apple computers.

I updated to the latest Semgrep version 1.35.0. After this, the plugin crashes with this error.

Semgrep was installed with homebrew. I did not try installing it with pip yet.

OS: MacOS 13
Machine: Macbook M1 pro
VS Code version: 1.81.1 (regular build)

the extension does not work if semgrep is installed via brew instead of pip

Hi Folks!

When trying to use this extension from behind a proxy I get a string of SSL Verification Errors from the underlying request library (requests.exceptions.SSLError).

I have configured the REQUESTS_CA_BUNDLE environment variable which works when I use commands like semgrep ci, and which I expected to work here too. However, it seems like it is being ignored/not used.

I've had a skim of the code and believe the issues lies here - environment variables appear to be hardcoded:
https://github.com/returntocorp/semgrep-vscode/blame/0d5adb81b846d2ee8399eed710c2a07b8cb4b5a5/src/lsp.ts#L65

I am not familiar with vscode extension development but I think changing this to something like this would resolve the issue:

env_vars = {
...process.env
 PYTHONUSERBASE: globalstorage_path,
}

Visual Studio Code has a feature called Code Actions, which can provide both refactorings and quick fixes for detected issues: https://code.visualstudio.com/docs/editor/refactoring#_code-actions-quick-fixes-and-refactorings

As a semgrep-vscode user, I would like the ability to not only receive suggestions from the semgrep extension, but to have the extension automatically fix the problematic code as well. An example of where these quick fixes or refactorings show up is in the tool tip when semgrep reports an issue on a piece of code (currently there are no quick fixes available):

Additional Documentation
VS Code API Documentation: https://vscode-docs.readthedocs.io/en/stable/extensionAPI/vscode-api/#CodeActionProvider
Language Extension Documentation: https://code.visualstudio.com/api/language-extensions/programmatic-language-features#possible-actions-on-errors-or-warnings
Sample Code Action Provider: https://github.com/microsoft/vscode-extension-samples/tree/master/code-actions-sample

vscode version: 1.84.1
extension version: 1.5.2
semgrep version: 1.51.0
OS: 6.6.1-arch1-1-g14

When pressing scan all files in the workspace the extension generates semgrep processes and then they die within 5-10 secs of working. It can scan very small files this way but can't handle large ones (will attach one for example).

Tried different versions of semgrep, vscode and vscode extension versions. The results are the same.

Without extension semgrep scans fine all the large files.

Tried to change extension settings. Increase job/timeouts/memory but it gives no results.

Sometimes there's nothing in developer console, sometimes it prints

[Semgrep.semgrep]Starting server failed
...
Error: Starting server failed
...

[Semgrep.semgrep]Stopping the server timed out
...
Error: Stopping the server timed out
...

The main osemgrep lsp process runs fine and doesn't die.

Example js file that I am unable to scan with the extension: https://drive.google.com/file/d/1pfCg5JoRpxMgPdaXHEb3rc27vX4eCkHH/view

The semgrep.languages option has a hardcoded list of languages the extension should activate on. We say that "by default, this is set to all supported languages".

This however isn't entirely true, because some Semgrep rules exist for languages that are not in our official supported languages list, such as pure regex rules for templating languages. We had a difficult-to-debug case of this on the community Slack: https://r2c-community.slack.com/archives/C01911CD53K/p1605701977013300?thread_ts=1605612969.007800&cid=C01911CD53K

We could make Semgrep always run, but this might be annoying for users that work in unsupported languages, as Semgrep would run in the background on every save even if it has no chance of finding any results.

We could set up some kind of release process to always bring in every language identifier that has a rule in the registry, which to a lesser extent can still be annoying like above. But this will be useful in other cases as well; the extension didn't run on TS/TSX for months because we forgot we had to manually add the language ID in the extension when semgrep started supporting these languages.

We could try to infer all languages to be scanned from the selected config value, but this would be complicated to code and might be a brittle, or even impossible approach.

These two lines... are actually a big impediment to actually using the extension:

(The above--essentially the sum total of the documentation for the plugin, not counting the config details--is what you see on the plugin page when installed in VSCode.)
Seeing that only left me with questions:

• How do you run a scan?
• Where are the results reported?
• How do I generate search patterns?
• Why would one want to?

Things that need to be added:

1. Semgrep runs a scan on Save.
2. Results are reported in two places: squiggles under the code and itemized in the Problems pane.
3. Open VSCode's command palette Cmd + Shift + P and type "semgrep" to see the available actions to generate search patterns.
4. When you run the "Suggest Semgrep Patterns for..." action, you have to first select an "interesting" line or lines of code; some things will just report "No pattern suggestions for your selected code". [And when you see this on the very first attempt of using it, you wonder what to do next.] So an example would be quite helpful.

Semgrepping changes doesn't work on the latest version (1.2.0). However, disabling the "Only git dirty" option does work - although it loads the entire workspace and takes quite a while to load.

I don't see any error message on the extension's output. I can't see any error regardless of the file being saved or only changed in the editor.

I tend to run semgrep in "--strict" mode, which is currently not possible in the vscode extension. It would be useful to be able to pass additional flags (others might have other use cases than just "--strict").

Example syntax from the Go extension (https://golangci-lint.run/usage/integrations/):
´´´
"go.lintTool":"golangci-lint",
"go.lintFlags": [
"--fast"
]

Obviously, semgrep does not work for Windows. And even if you install semgrep in WSL, if you attempt to set the path to Semgrep in the VSCode on Windows (not WSL) with something like \\wsl.localhost\Ubuntu-22.04\home\drewbitt\.local\bin\semgrep, it won't work as it's a Linux binary.

Therefore, the remaining option for a Windows solution (which doesn't revert all code/other extension execution to WSL i.e. a WSL Dev Container) would be through Docker. The existing Docker of Semgrep only supports scanning a single volume at a time and is not a continuous binary that is exposed via a port. But as this is the only possible way that semgrep can run on Windows for now, I am curious if connecting the extension to a Docker instance is a viable option/direction that the team would be interested in exploring.

Inform users if their current version of semgrep is incompatible with the current extension version. Allow some sort of updating dialogue

I've installed semgrep v1.5.2 in VSCode. Then I configured a directory of rules. These rules works fine with semgrep --config XXX project-root/

Then I opened the project folder and use Semgrep: Scan all files in workspace to scan it:

It's finished but no result is visible in the tab:

What's wrong?

With ⚠️ emoji and all that.

I came across this tool https://github.com/Threagile/threagile that lets you write threat models in YAML. It also has a YAML schema that lets you lint keys/values (if there are specific allowable values).

Would be nice to have similar functionality for writing Semgrep rules.

The metavar labelling is very useful when you are writing rules but in many contexts it adds a lot of visual noise. It be amazing to have a way to configure it from the extension settings.

Hey,
I have the following custom/test rule file:

rules:
  - id: kepten-test
    message: Checks for a magic string.
    fix-regex:
      regex: Captain
      replacement: kepten
      count: 1
    languages:
      - kotlin
      - ts
      - js
    severity: WARNING
    pattern: name = "Captain"

When I open a file which contains matching lines for this rule (e.g. const name = "Captain";) it fails with the following error:

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/semgrep/0.114.0/libexec/lib/python3.10/site-packages/pylsp_jsonrpc/streams.py", line 101, in write
    body = json.dumps(message, **self._json_dumps_args)
TypeError: FixRegex(regex='Captain', replacement='kepten', count=1) is not JSON serializable

(...)

Traceback (most recent call last):
  File "/opt/homebrew/Cellar/semgrep/0.114.0/libexec/lib/python3.10/site-packages/pylsp_jsonrpc/endpoint.py", line 116, in consume
    self._handle_request(message['id'], message['method'], message.get('params'))
  File "/opt/homebrew/Cellar/semgrep/0.114.0/libexec/lib/python3.10/site-packages/pylsp_jsonrpc/endpoint.py", line 185, in _handle_request
    handler_result = handler(params)
  File "/opt/homebrew/Cellar/semgrep/0.114.0/libexec/lib/python3.10/site-packages/pylsp_jsonrpc/dispatchers.py", line 25, in handler
    return method(**(params or {}))
  File "/opt/homebrew/Cellar/semgrep/0.114.0/libexec/lib/python3.10/site-packages/semgrep/lsp/server.py", line 252, in m_text_document__code_action
    return self.compute_code_actions(textDocument["uri"], range)
  File "/opt/homebrew/Cellar/semgrep/0.114.0/libexec/lib/python3.10/site-packages/semgrep/lsp/server.py", line 712, in compute_code_actions
    fix_regex["regex"],
TypeError: 'FixRegex' object is not subscriptable

I'm using the latest (v0.114.0) version, installed via brew.

I think I managed to trace down the issue. With the below diff to the server.py file, it works (meaning it doesn't fail to show/underline in the IDE that this line is wrong and the autofix works as well - although it replaces the wrong part of the line but that's another issue I guess).

99c99
<         self._jsonrpc_stream_writer = JsonRpcStreamWriter(tx)
---
>         self._jsonrpc_stream_writer = JsonRpcStreamWriter(tx, default=lambda o: o.to_json_string())
706a707,708
>                 if type(fix_regex) is not dict:
>                     fix_regex = fix_regex.to_json()

PoC:

I use pipx so that global python tools each have their own virtualenv and don't conflict with each other. The binary ends up here, but semgrep-core is not exposed in the same way:

$ which semgrep
/Users/underyx/.local/bin/semgrep
$ which semgrep-core
semgrep-core not found

The vscode extension gives me this error on load

Traceback (most recent call last):
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/commands/wrapper.py", line 35, in wrapper
    func(*args, **kwargs)
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/commands/lsp.py", line 53, in lsp
    run_server()
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/lsp/server.py", line 263, in run_server
    server.start()
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/lsp/server.py", line 246, in start
    self.std_reader.listen(self.on_std_message)
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/pylsp_jsonrpc/streams.py", line 40, in listen
    message_consumer(json.loads(request_str.decode('utf-8')))
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/lsp/server.py", line 200, in on_std_message
    self.start_ls()
  File "/Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/lsp/server.py", line 86, in start_ls
    self.core_process = subprocess.Popen(
                        ^^^^^^^^^^^^^^^^^
  File "/Users/underyx/.asdf/installs/python/3.11.0/lib/python3.11/subprocess.py", line 1022, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/Users/underyx/.asdf/installs/python/3.11.0/lib/python3.11/subprocess.py", line 1899, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'semgrep-core'

It seems like semgrep CLI works because it manages to find the core binary which is at /Users/underyx/.local/pipx/venvs/semgrep/lib/python3.11/site-packages/semgrep/bin/semgrep-core.