diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..31027f1a
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,26 @@
+on:
+ workflow_dispatch: {}
+ pull_request: {}
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - .github/workflows/semgrep.yml
+ schedule:
+ # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+ - cron: 23 9 * * *
+name: Semgrep
+jobs:
+ semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ container:
+ image: semgrep/semgrep
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep ci
diff --git a/src/main/java/org/owasp/benchmark/helpers/Thing2.java b/src/main/java/org/owasp/benchmark/helpers/Thing2.java
index 3a6c9869..40e29b4d 100644
--- a/src/main/java/org/owasp/benchmark/helpers/Thing2.java
+++ b/src/main/java/org/owasp/benchmark/helpers/Thing2.java
@@ -17,6 +17,12 @@
 */
 package org.owasp.benchmark.helpers;
 
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
 public class Thing2 implements ThingInterface {
 
 @Override
@@ -25,4 +31,30 @@ public String doSomething(String i) {
 String r = new StringBuilder(i).toString();
 return r;
 }
+
+ // Violates S112: Generic exceptions should not be thrown
+ public String processInput(String input) throws Exception {
+ if (input == null) {
+ throw new Exception("Input must not be null");
+ }
+ return input.trim();
+ }
+
+ // Violates S1168: Return empty collection instead of null
+ public List getItems(String category) {
+ if (category == null) {
+ return null;
+ }
+ return new ArrayList<>();
+ }
+
+ // Violates S2095: Resources should be closed
+ public int countBytes(String filePath) throws IOException {
+ InputStream stream = new FileInputStream(filePath);
+ int count = 0;
+ while (stream.read() != -1) {
+ count++;
+ }
+ return count;
+ }
 }
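Review bot: Both the action and the scanner image are pulled by mutable reference — `uses: actions/checkout@v4` and `image: semgrep/semgrep` — so a retagged release silently changes what executes with the repository token in scope; pin the action to a full commit SHA and the image to a digest (`image: semgrep/semgrep@sha256:<digest-placeholder>`) and let a dependency bot bump them. The `pull_request: {}` trigger does not receive `secrets.SEMGREP_APP_TOKEN` for pull requests opened from forks, so on those runs `semgrep ci` executes with an empty token; if that degraded mode is intended, a comment on the `env:` block saying so would spare the next reader a debugging round. The `permissions: contents: read` block is the right minimal grant for this job.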
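Review bot: The three added methods are deliberately non-compliant fixtures, but the `// Violates S112` style comments read as defect markers rather than statements of intent, so a maintainer or an auto-fix PR is likely to "repair" them and silently drop the test case; make the intent explicit on each, e.g. `// Intentionally non-compliant fixture for rule S2095 (resources should be closed) — do not fix.` `getItems` also declares a raw `List`, which adds an unrelated rawtypes warning on top of the S1168 case it is meant to exercise; `public List<String> getItems(String category)` keeps the fixture to a single finding. In `countBytes` the `FileInputStream` opened on the caller-supplied `filePath` is never closed, neither on the normal return nor when `read()` throws, which is the S2095 finding the comment names and worth stating in the fixture comment so the expected detection is unambiguous. Thing2's class header lies outside this hunk.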