Merge pull request #28 from ajinabraham/bump-semgrep

* Semgrep bump to 0.117.0
* Tox QA
* Python version bump to 3.8+
* Migrate setup.py to Poetry

.github/workflows/publish.yml

@@ -10,19 +10,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v3
       with:
         python-version: '3.x'
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install setuptools wheel twine
+        pip install poetry==1.6.1
     - name: Build and publish
       env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+        PYPI_TOKEN: ${{ secrets.PYPI_PASSWORD }}
       run: |
-        python setup.py sdist
-        twine upload dist/*
+        poetry config pypi-token.pypi ${PYPI_TOKEN}
+        poetry build
+        poetry publish

.github/workflows/python_test.yml

@@ -16,27 +16,33 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
-        python-version: [3.7, 3.8, 3.9, '3.10']
+        python-version: [3.8, 3.9, '3.10', '3.11']
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v1
+      uses: actions/setup-python@v3
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install tox
+        pip install tox poetry==1.6.1
     - name: Lint
       run: |
         tox -e lint
-    - name: Bandit
+    - name: Install libsast
       run: |
-        tox -e bandit
+        poetry install --no-interaction --no-ansi
+    - name: Bandit Scan
+      run: |
+        poetry run bandit libsast -r
     - name: Unit test
       run: |
-        tox -e py
+        poetry run pytest -v --cache-clear tests
+    - name: Python Package Test
+      run: |
+        tox -e build
     - name: Clean Up
       run: |
         tox -e clean

README.md

@@ -7,10 +7,7 @@ Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82
 [![PyPI version](https://badge.fury.io/py/libsast.svg)](https://badge.fury.io/py/libsast)
 [![platform](https://img.shields.io/badge/platform-windows%2Fosx%2Flinux-green.svg)](https://github.com/ajinabraham/libsast)
 [![License](https://img.shields.io/:license-lgpl3+-blue.svg)](https://www.gnu.org/licenses/lgpl-3.0.en.html)
-[![python](https://img.shields.io/badge/python-3.7-blue.svg)](https://www.python.org/downloads/)
-
-[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/ajinabraham/libsast.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/ajinabraham/libsast/context:python)
-[![Requirements Status](https://requires.io/github/ajinabraham/libsast/requirements.svg?branch=master)](https://requires.io/github/ajinabraham/libsast/requirements/?branch=master)
+[![python](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/)
 [![Build](https://github.com/ajinabraham/libsast/workflows/Build/badge.svg)](https://github.com/ajinabraham/libsast/actions?query=workflow%3ABuild)
 
 ### Support libsast

libsast/__init__.py

@@ -8,7 +8,7 @@
 __title__ = 'libsast'
 __authors__ = 'Ajin Abraham'
 __copyright__ = 'Copyright 2020 Ajin Abraham, OpenSecurity'
-__version__ = '1.5.2'
+__version__ = '1.5.3'
 __version_info__ = tuple(int(i) for i in __version__.split('.'))
 __all__ = [
     'Scanner',

libsast/core_matcher/helpers.py

@@ -22,7 +22,10 @@
 def download_rule(url):
     """Download Pattern File."""
     try:
-        with requests.get(url, allow_redirects=True) as r:
+        with requests.get(
+                url,
+                allow_redirects=True,
+                timeout=10) as r:
             r.raise_for_status()
             return r.text
     except requests.exceptions.RequestException:

libsast/core_sgrep/helpers.py

@@ -47,6 +47,10 @@ def invoke_semgrep(paths, scan_rules, **kwargs):
         _,
         _,
         _,
+        _,
+        _,
+        _,
+        _,
     ) = semgrep_main.main(
         output_handler=output_handler,
         target=[pt.as_posix() for pt in paths],

libsast/core_sgrep/semantic_sgrep.py

@@ -43,7 +43,9 @@ def scan(self, paths: list) -> dict:
 
     def format_output(self, results):
         """Format sgrep results."""
-        self.findings['errors'] = results['errors']
+        errs = self.findings.get('errors')
+        if errs:
+            self.findings['errors'] = errs
         smatches = self.findings['matches']
         for find in results['results']:
             file_details = {

pyproject.toml

@@ -0,0 +1,37 @@
+[tool.poetry]
+name = "libsast"
+version = "1.5.3"
+description = "A generic SAST library built on top of semgrep and regex"
+keywords = ["libsast", "SAST", "Python SAST", "SAST API", "Regex SAST", "Pattern Matcher"]
+authors = ["Ajin Abraham <[email protected]>"]
+license = "LGPL-3.0-or-later"
+readme = "README.md"
+repository = "https://github.com/ajinabraham/libsast"
+documentation = "https://github.com/ajinabraham/libsast/blob/master/README.md"
+packages = [{ include = "libsast", format = ["sdist", "wheel"]}]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Topic :: Security",
+    "Topic :: Software Development :: Quality Assurance",
+]
+
+[tool.poetry.urls]
+"Bug Tracker" = "https://github.com/ajinabraham/libsast/issues"
+
+[tool.poetry.scripts]
+libsast = "libsast.__main__:main"
+
+[tool.poetry.dependencies]
+python = "^3.8"
+requests = ">=2.27.1"
+pyyaml = ">=6.0"
+semgrep = {version = "0.117.0", markers = "sys_platform != 'win32'"}
+
+[tool.poetry.group.dev.dependencies]
+bandit = "*"
+pytest = "*"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

tox.ini

@@ -1,15 +1,15 @@
 [tox]
-envlist = py37, py38
+envlist = py39, py310
 skipsdist = True
 
 [testenv]
 deps =
-    .
-    pytest
+    poetry
 commands = 
-    py.test -v --cache-clear tests
+    poetry run pytest -v --cache-clear tests
 setenv =
     SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE = ./tests/assets/files/.semgrepignore
+
 [testenv:lint]
 skip_install = true
 deps =
@@ -35,31 +35,32 @@ commands =
 [testenv:bandit]
 skip_install = true
 deps =
-    bandit
+    poetry
 commands =
-    bandit libsast -r
+    poetry run bandit libsast -r
 
-[testenv:publish]
+[testenv:build]
 skip_install = true
+allowlist_externals =
+    bash
 deps =
-    twine
-    wheel
+    poetry
 commands =
-    python setup.py sdist bdist_wheel
-    twine upload dist/*
+    poetry build
+    bash -c 'python -m pip install dist/*.whl'
+    libsast
 
 [testenv:clean]
 deps =
 skip_install = true
-whitelist_externals =
+allowlist_externals =
     bash
     find
     rm
 commands =
     find . -name "*.py[co]" -delete
     bash -c 'find . -name "__pycache__" -exec rm -fr \{\} \; -prune'
     bash -c 'find . -depth -name "*.egg-info" -exec rm -fr \{\} \;'
-    rm -rf .tox
     rm -rf .pytest_cache
     rm -rf build
     rm -rf dist
@@ -76,12 +77,20 @@ exclude =
     dist
     venv
 ignore =
-    D101 ; Missing docstring in public class
-    D103 ; Missing docstring in public function
-    D104 ; Missing docstring
-    D107 ; docstring is not mandatory
-    D401 ; Allow non imperative mood
-    Q003 ; Allow only ' for strings
-    I100 ; Use python sort imports
-    SF01 ; Allow Private member access
+    D101,
+    # Missing docstring in public class
+    D103,
+    # Missing docstring in public function
+    D104,
+    # Missing docstring
+    D107,
+    # docstring is not mandatory
+    D401,
+    # Allow non imperative mood
+    Q003,
+    # Allow only ' for strings
+    I100,
+    # Use python sort imports
+    SF01,
+    # Allow Private member access
 radon_max_cc = 10