Semgrep
FOLIO Security Team administers FOLIO’s Semgrep account.
https://semgrep.dev/ is free for public repositories. If you belong to https://github.com/orgs/folio-org/people you can access https://semgrep.dev/orgs/semgrep_folio_org/.
FOLIO uses managed scans for all repositories in the https://github.com/folio-org organisation. A repository is scanned once per week.
Auto-scan of new GitHub repositories is disabled on https://semgrep.dev/orgs/semgrep_folio_org/settings/source-code because Auto-scan adds them with “Managed diff scans” enabled. To add new repositories, use the “Sync projects” feature and disable “Managed diff scans” for them.
We have disabled “Managed diff scans” to avoid Semgrep comments on pull requests; only “Managed full scans” are enabled. Example: https://semgrep.dev/orgs/semgrep_folio_org/projects/3481261/settings
Semgrep’s supply chain analysis of the dependencies includes vulnerability reports and license compliance. The current configuration of the supply chain analysis requires that the module has a lock file committed to the GitHub repository. We haven’t enabled the beta feature that allows Java, C#, Kotlin, and Python code without a lock file.
Use semgrep APIs to search and export scan results: https://semgrep.dev/api/v1/docs/
GitHub App
For managed scans we have installed both the public and the private Semgrep GitHub app in the folio-org GitHub organization. For details see
https://semgrep.dev/docs/deployment/checklist#permissions-when-adding-repositories-into-semgrep-appsec-platform-through-managed-scanning-or-using-ai-features – explaining all permissions the private app needs for managed scanning
Code
Semgrep runs a static code analysis on the source code.
Semgrep has found three issues that Snyk hadn’t found:
MODREP-23: Cross-site Scripting (XSS) in server.go error response
MODINVIMP-32: Fix SAXParser XML External Entity (XXE) vulnerabilities
Licenses
Link to the Semgrep license compliance check: https://semgrep.dev/orgs/semgrep_folio_org/supply-chain/dependencies. To select a module, enter its name into the “Project” search field; for the Stripes front end (UI) enter “folio-org/platform-complete” as the project name:
platform-complete: https://semgrep.dev/orgs/semgrep_folio_org/supply-chain/dependencies?repos=3481355
Note: The current Semgrep supply chain analysis configuration requires that the module has a lock file in the GitHub repository. Most modules don’t have a lock file and Semgrep shows “No matching dependencies”.
See FOLIO’s third party dependency license policy at https://github.com/folio-org/tech-council/blob/master/MODULE_ACCEPTANCE_CRITERIA.MD:
Inclusion of third party dependencies complies with ASF 3rd Party License Policy
Uses README for Category B Appropriately Labelled Condition
org.z3950.zing:cql-java is allowed if appropriately labelled, even if it is LGPL-2.1-only
org.marc4j:marc4j is allowed if appropriately labelled, even if it is LGPL-2.1-or-later
org.hibernate.* is allowed if appropriately labelled, even if it is LGPL-2.1-or-later
We use this mapping from ASF 3rd Party License Policy Category to Semgrep License Policy:
Category A → Allowed
Category B → Comment
Category X → Blocked
“Allowed” is green, “Comment” is orange and “Blocked” is red on the dependency report: https://semgrep.dev/orgs/semgrep_folio_org/supply-chain/dependencies. Click the “Comment” or “Blocked” button to show only projects with at least one dependency carrying such a license.
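Worked example of the category-to-policy mapping and the labelled LGPL exceptions above, added here as illustration code (not code from the FOLIO or Semgrep projects). It assumes an abbreviated subset of the ASF category lists, Maven group:artifact coordinates as reported by Semgrep, and that a labelled exception is reported as “Comment” because it still needs the README label:

```python
# Abbreviated subset of the ASF 3rd Party License Policy categories keyed by
# SPDX identifier (assumption: the real ASF lists are far longer than this).
ASF_CATEGORY = {
    "Apache-2.0": "A", "MIT": "A", "BSD-3-Clause": "A",
    "EPL-2.0": "B", "MPL-2.0": "B", "CDDL-1.0": "B",
    "GPL-3.0-only": "X", "LGPL-2.1-only": "X", "LGPL-2.1-or-later": "X",
}
# FOLIO's mapping from ASF category to Semgrep license policy.
CATEGORY_TO_POLICY = {"A": "Allowed", "B": "Comment", "X": "Blocked"}
# LGPL dependencies the acceptance criteria allow when labelled in the README:
# (group, artifact or None for the whole "group.*" tree, SPDX licence).
LABELLED_EXCEPTIONS = [
    ("org.z3950.zing", "cql-java", "LGPL-2.1-only"),
    ("org.marc4j", "marc4j", "LGPL-2.1-or-later"),
    ("org.hibernate", None, "LGPL-2.1-or-later"),
]

def is_labelled_exception(coordinate, spdx):
    """True if Maven 'group:artifact' with this licence is an accepted LGPL dependency."""
    group, _, artifact = coordinate.partition(":")
    for exc_group, exc_artifact, exc_license in LABELLED_EXCEPTIONS:
        group_ok = group == exc_group or group.startswith(exc_group + ".")
        artifact_ok = exc_artifact is None or artifact == exc_artifact
        if group_ok and artifact_ok and spdx == exc_license:
            return True
    return False

def classify(coordinate, spdx):
    """Verdict for one dependency. Labelled exceptions are reported as 'Comment'
    (they still need the README label; assumption). Unknown SPDX identifiers
    fall into Category X so that a typo or unrecognised licence never passes."""
    if is_labelled_exception(coordinate, spdx):
        return "Comment"
    return CATEGORY_TO_POLICY[ASF_CATEGORY.get(spdx, "X")]

def report(dependencies):
    """Group (coordinate, spdx) pairs like the report's Allowed/Comment/Blocked buttons."""
    out = {"Allowed": [], "Comment": [], "Blocked": []}
    for coordinate, spdx in dependencies:
        out[classify(coordinate, spdx)].append(coordinate)
    return out

# Constructed sample input, not taken from a real Semgrep report.
SAMPLE = [
    ("org.apache.commons:commons-lang3", "Apache-2.0"),
    ("org.eclipse.jetty:jetty-server", "EPL-2.0"),
    ("org.hibernate.orm:hibernate-core", "LGPL-2.1-or-later"),
    ("org.marc4j:marc4j", "LGPL-2.1-only"),
    ("com.example:odd-license", "Custom-1.0"),
]
```

Note that the marc4j entry in the sample is deliberately reported under a licence other than the one the exception names, so it lands in “Blocked”: exceptions are per licence, not per package.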
Semgrep uses SPDX license identifiers, see https://spdx.org/licenses/ for the mapping of name and identifier.
See Semgrep License configuration: https://semgrep.dev/orgs/semgrep_folio_org/supply-chain/settings
False positives require Semgrep license exceptions.
Some false positives cannot be ignored in Semgrep. Example: the website dev.folio.org is built from the https://github.com/folio-org/folio-org.github.io repository, which uses Jekyll. The build uses GPL-licensed libraries, which is fine, but they show up as a forbidden license in Semgrep. We cannot exclude that repository because we still want Semgrep to report vulnerabilities in the Jekyll dependencies.
Semgrep doesn’t allow different sets of allowed licenses for runtime dependencies and build/test dependencies.
To fetch the complete license configuration (policy and exceptions), the https://semgrep.dev/api/sca/deployments/{{deploymentId}}/license_policy API can be used. It returns JSON. The API is not documented but can be used with a SEMGREP_APP_TOKEN. It is also used by the Semgrep UI, so you can manually copy and paste the JSON from the browser developer tools without needing a token; a login to Semgrep is sufficient.