ament_semgrep is a wrapper for the ament build system that performs static analysis of ROS code using Semgrep. Semgrep is a versatile, open source static analysis engine. It can be run with a variety of rulesets to detect code defects and vulnerabilities in several languages, including C/C++ and Python. ament_semgrep provides the command line tool, and ament_cmake_semgrep is a CMake integration that runs Semgrep over an ament package as part of the package's tests.
What is the project state?
The project currently offers features similar to those of the other ament wrappers in the ament_lint repository, such as the ability to generate an XUnit-compliant XML results file. The main development has been completed and the project is ready to use. The maintainers expect that the project will be used, validated and, where necessary, iterated upon over time.
The semgrep rosdep key has been added to rosdistro, so the project can be installed with the standard ROS tooling. However, at the moment it cannot be added to a ROS 2 distro, because on Linux Semgrep depends on pip packaging for installation.
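To make concrete what an ament_lint-style wrapper around Semgrep does, here is an added, illustrative sketch (not code from ament_semgrep or ament_cmake_semgrep): invoke `semgrep scan --json`, then translate the findings into a JUnit/XUnit-style XML test suite of the kind colcon test collects. The JSON layout follows Semgrep's documented `--json` output (`results[].check_id`, `.path`, `.start.line`, `.extra.message`, `.extra.severity`); the sample report, its rule ids and the "ERROR/WARNING fail, INFO is skipped" policy are constructed assumptions for this example.

```python
"""Added example: Semgrep JSON findings -> XUnit (JUnit-style) XML report.

Illustrative code, not ament_semgrep itself.  Assumptions are marked inline.
"""
import json
import subprocess
import xml.etree.ElementTree as ET
from typing import Any

# Assumed policy for this example: ERROR and WARNING findings fail the test,
# anything else (e.g. INFO) is reported but marked as skipped.
FAILING_SEVERITIES = {"ERROR", "WARNING"}


def run_semgrep(paths: list[str], config: str = "auto") -> dict[str, Any]:
    """Run `semgrep scan --json --error` on PATHS and return the parsed report.

    Requires the `semgrep` binary (the rosdep key mentioned above).  With
    `--error`, exit code 1 only means "findings reported", so just exit
    codes >= 2 are treated as tool failures.
    """
    cmd = ["semgrep", "scan", "--json", "--error", "--quiet",
           "--config", config, *paths]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"semgrep failed ({proc.returncode}): {proc.stderr}")
    return json.loads(proc.stdout)


def semgrep_to_xunit(report: dict[str, Any], suite_name: str = "semgrep") -> str:
    """Build a JUnit-style <testsuite> document from a Semgrep JSON report.

    One <testcase> per finding, named by rule id and location.  Failing
    severities get a <failure> child, others a <skipped> child.  Semgrep's own
    tool errors (unparsable files, bad rules) become <error> testcases so they
    are not silently lost.  An empty report yields one passing testcase so the
    suite is never empty, which some XUnit consumers reject.
    """
    results = report.get("results", [])
    errors = report.get("errors", [])
    suite = ET.Element("testsuite", name=suite_name)
    failures = skipped = 0

    for r in results:
        loc = f"{r['path']}:{r['start']['line']}"
        case = ET.SubElement(suite, "testcase",
                             name=f"{r['check_id']} {loc}", classname=suite_name)
        extra = r.get("extra", {})
        msg = extra.get("message", "")
        sev = str(extra.get("severity", "ERROR")).upper()
        if sev in FAILING_SEVERITIES:
            failures += 1
            fail = ET.SubElement(case, "failure", message=msg, type=sev)
            fail.text = f"{loc}: {msg}"
        else:
            skipped += 1
            ET.SubElement(case, "skipped", message=msg)

    for e in errors:
        case = ET.SubElement(suite, "testcase",
                             name=f"semgrep-error {e.get('path', '')}".strip(),
                             classname=suite_name)
        ET.SubElement(case, "error", message=str(e.get("message", "")))

    if not results and not errors:
        ET.SubElement(suite, "testcase", name="no findings", classname=suite_name)

    suite.set("tests", str(len(suite)))
    suite.set("failures", str(failures))
    suite.set("errors", str(len(errors)))
    suite.set("skipped", str(skipped))
    return ET.tostring(suite, encoding="unicode")


def summarize(xml_text: str) -> dict[str, int]:
    """Read the suite counters back out of the XML (sanity check / CI summary)."""
    root = ET.fromstring(xml_text)
    return {k: int(root.get(k, "0")) for k in ("tests", "failures", "errors", "skipped")}


# Constructed sample report (not real scan output; rule ids are made up):
# one failing finding, one informational finding and one tool error.
SAMPLE_REPORT: dict[str, Any] = {
    "results": [
        {"check_id": "example.cpp.unbounded-strcpy",
         "path": "src/talker_node.cpp",
         "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 31},
         "extra": {"message": "strcpy without a length bound", "severity": "WARNING"}},
        {"check_id": "example.python.print-in-node",
         "path": "scripts/listener.py",
         "start": {"line": 17, "col": 9}, "end": {"line": 17, "col": 25},
         "extra": {"message": "use the node logger instead of print", "severity": "INFO"}},
    ],
    "errors": [
        {"message": "could not parse file", "path": "src/generated.cpp", "level": "warn"},
    ],
}


if __name__ == "__main__":
    # For a real package: report = run_semgrep(["src", "scripts"], config="p/default")
    xml_text = semgrep_to_xunit(SAMPLE_REPORT)
    print(xml_text)
    print(summarize(xml_text))
```

Wiring this into a package test is then a matter of writing the string returned by `semgrep_to_xunit` to the results file that colcon test expects and exiting non-zero when `failures` or `errors` is non-zero.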
What is your motivation for wanting it under the Security Working Group?
This tool contributes to facilitating the use of security linters in ROS projects, which is in line with the working group mission of fostering and promoting security in ROS. The addition of this project would encourage WG members to contribute to it and promote its use in the ROS community, and kickstart the development of a set of security related SAST linters.
How do you expect the Security Working Group to contribute to it?
We expect the Security Working Group to support and promote the use of this tool in the ROS community.
Existing URLs
https://github.com/florcabral/ament_semgrep
Requirements
`colcon test` runs successfully
Sponsors (if applicable)