brotherton-erpnext/.github/helper/semgrep_rules/frappe_correctness.yml

# This file specifies rules for correctness according to how frappe doctype data model works.

rules:
- id: frappe-modifying-but-not-comitting
  patterns:
    - pattern: |
        def $METHOD(self, ...):
          ...
          self.$ATTR = ...
    - pattern-not: |
        def $METHOD(self, ...):
          ...
          self.$ATTR = ...
          ...
          self.db_set(..., self.$ATTR, ...)
    - pattern-not: |
        def $METHOD(self, ...):
          ...
          self.$ATTR = $SOME_VAR
          ...
          self.db_set(..., $SOME_VAR, ...)
    - pattern-not: |
        def $METHOD(self, ...):
          ...
          self.$ATTR = $SOME_VAR
          ...
          self.save()
    - metavariable-regex:
        metavariable: '$ATTR'
        # this is negative look-ahead, add more attrs to ignore like (ignore|ignore_this_too|ignore_me)
        regex: '^(?!ignore_linked_doctypes|status_updater)(.*)$'
    - metavariable-regex:
        metavariable: "$METHOD"
        regex: "(on_submit|on_cancel)"
  message: |
    DocType modified in self.$METHOD. Please check if modification of self.$ATTR is commited to database.
  languages: [python]
  severity: ERROR

- id: frappe-modifying-but-not-comitting-other-method
  patterns:
  - pattern: |
      class $DOCTYPE(...):
        def $METHOD(self, ...):
          ...
          self.$ANOTHER_METHOD()
          ...

        def $ANOTHER_METHOD(self, ...):
          ...
          self.$ATTR = ...
  - pattern-not: |
      class $DOCTYPE(...):
        def $METHOD(self, ...):
          ...
          self.$ANOTHER_METHOD()
          ...

        def $ANOTHER_METHOD(self, ...):
          ...
          self.$ATTR = ...
          ...
          self.db_set(..., self.$ATTR, ...)
  - pattern-not: |
      class $DOCTYPE(...):
        def $METHOD(self, ...):
          ...
          self.$ANOTHER_METHOD()
          ...

        def $ANOTHER_METHOD(self, ...):
          ...
          self.$ATTR = $SOME_VAR
          ...
          self.db_set(..., $SOME_VAR, ...)
  - pattern-not: |
      class $DOCTYPE(...):
        def $METHOD(self, ...):
          ...
          self.$ANOTHER_METHOD()
          ...
          self.save()
        def $ANOTHER_METHOD(self, ...):
          ...
          self.$ATTR = ...
  - metavariable-regex:
      metavariable: "$METHOD"
      regex: "(on_submit|on_cancel)"
  message: |
    self.$ANOTHER_METHOD is called from self.$METHOD, check if changes to self.$ATTR are commited to database.
  languages: [python]
  severity: ERROR

- id: frappe-print-function-in-doctypes
  pattern: print(...)
  message: |
      Did you mean to leave this print statement in? Consider using msgprint or logger instead of print statement.
  languages: [python]
  severity: WARNING
  paths:
      include:
        - "*/**/doctype/*"

- id: frappe-modifying-child-tables-while-iterating
  pattern-either:
    - pattern: |
        for $ROW in self.$TABLE:
            ...
            self.remove(...)
    - pattern: |
        for $ROW in self.$TABLE:
            ...
            self.append(...)
  message: |
      Child table being modified while iterating on it.
  languages: [python]
  severity: ERROR
  paths:
      include:
        - "*/**/doctype/*"

- id: frappe-same-key-assigned-twice
  pattern-either:
    - pattern: |
        {..., $X: $A, ..., $X: $B, ...}
    - pattern: |
        dict(..., ($X, $A), ..., ($X, $B), ...)
    - pattern: |
        _dict(..., ($X, $A), ..., ($X, $B), ...)
  message: |
      key `$X` is uselessly assigned twice. This could be a potential bug.
  languages: [python]
  severity: ERROR

- id: frappe-manual-commit
  patterns:
    - pattern: frappe.db.commit()
    - pattern-not-inside: |
        try:
          ...
        except ...:
          ...
  message: |
    Manually commiting a transaction is highly discouraged. Read about the transaction model implemented by Frappe Framework before adding manual commits: https://frappeframework.com/docs/user/en/api/database#database-transaction-model If you think manual commit is required then add a comment explaining why and `// nosemgrep` on the same line.
  paths:
      exclude:
        - "**/patches/**"
        - "**/demo/**"
  languages: [python]
  severity: ERROR

- id: frappe-using-db-sql
  pattern-either:
    - pattern: frappe.db.sql(...)
    - pattern: frappe.db.sql_ddl(...)
    - pattern: frappe.db.sql_list(...)
  paths:
    exclude:
      - "test_*.py"
  message: |
    The PR contains a SQL query that may be re-written with frappe.qb (https://frappeframework.com/docs/user/en/api/query-builder) or the Database API (https://frappeframework.com/docs/user/en/api/database)
  languages: [python]
  severity: ERROR
ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`# This file specifies rules for correctness according to how frappe doctype data model works.`

			`rules:`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`- id: frappe-modifying-but-not-comitting`
ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`patterns:`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`- pattern: \|`
			`def $METHOD(self, ...):`
ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`...`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`self.$ATTR = ...`
			`- pattern-not: \|`
			`def $METHOD(self, ...):`
			`...`
			`self.$ATTR = ...`
			`...`
			`self.db_set(..., self.$ATTR, ...)`
			`- pattern-not: \|`
			`def $METHOD(self, ...):`
			`...`
			`self.$ATTR = $SOME_VAR`
			`...`
			`self.db_set(..., $SOME_VAR, ...)`
			`- pattern-not: \|`
			`def $METHOD(self, ...):`
			`...`
			`self.$ATTR = $SOME_VAR`
			`...`
			`self.save()`
ci(semgrep): add correctness rule for on_cancel Changes done to doctype object in `on_submit` are not commited to database. Add rule to catch similar bugs. 2021-04-17 10:17:34 +00:00			`- metavariable-regex:`
			`metavariable: '$ATTR'`
			`# this is negative look-ahead, add more attrs to ignore like (ignore\|ignore_this_too\|ignore_me)`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`regex: '^(?!ignore_linked_doctypes\|status_updater)(.*)$'`
			`- metavariable-regex:`
			`metavariable: "$METHOD"`
			`regex: "(on_submit\|on_cancel)"`
ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`message: \|`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`DocType modified in self.$METHOD. Please check if modification of self.$ATTR is commited to database.`
ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`languages: [python]`
			`severity: ERROR`

ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`- id: frappe-modifying-but-not-comitting-other-method`
ci(semgrep): add correctness rule for on_cancel Changes done to doctype object in `on_submit` are not commited to database. Add rule to catch similar bugs. 2021-04-17 10:17:34 +00:00			`patterns:`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`- pattern: \|`
			`class $DOCTYPE(...):`
			`def $METHOD(self, ...):`
ci(semgrep): add correctness rule for on_cancel Changes done to doctype object in `on_submit` are not commited to database. Add rule to catch similar bugs. 2021-04-17 10:17:34 +00:00			`...`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`self.$ANOTHER_METHOD()`
			`...`

			`def $ANOTHER_METHOD(self, ...):`
			`...`
			`self.$ATTR = ...`
			`- pattern-not: \|`
			`class $DOCTYPE(...):`
			`def $METHOD(self, ...):`
			`...`
			`self.$ANOTHER_METHOD()`
			`...`

			`def $ANOTHER_METHOD(self, ...):`
			`...`
			`self.$ATTR = ...`
			`...`
			`self.db_set(..., self.$ATTR, ...)`
			`- pattern-not: \|`
			`class $DOCTYPE(...):`
			`def $METHOD(self, ...):`
			`...`
			`self.$ANOTHER_METHOD()`
			`...`

			`def $ANOTHER_METHOD(self, ...):`
			`...`
			`self.$ATTR = $SOME_VAR`
			`...`
			`self.db_set(..., $SOME_VAR, ...)`
			`- pattern-not: \|`
			`class $DOCTYPE(...):`
			`def $METHOD(self, ...):`
			`...`
			`self.$ANOTHER_METHOD()`
			`...`
			`self.save()`
			`def $ANOTHER_METHOD(self, ...):`
			`...`
			`self.$ATTR = ...`
			`- metavariable-regex:`
			`metavariable: "$METHOD"`
			`regex: "(on_submit\|on_cancel)"`
ci(semgrep): add correctness rule for on_cancel Changes done to doctype object in `on_submit` are not commited to database. Add rule to catch similar bugs. 2021-04-17 10:17:34 +00:00			`message: \|`
ci: enable semgrep check on v13 branches and update rules (#25647) * ci: enable semgrep on v13 branches * ci: break semgrep steps for nicer output * ci: update semgrep rules inline with frappe repo 2021-05-11 12:57:20 +00:00			`self.$ANOTHER_METHOD is called from self.$METHOD, check if changes to self.$ATTR are commited to database.`
ci(semgrep): add correctness rule for on_cancel Changes done to doctype object in `on_submit` are not commited to database. Add rule to catch similar bugs. 2021-04-17 10:17:34 +00:00			`languages: [python]`
			`severity: ERROR`

ci(semgrep): Add semgrep testing (#24871) Adds semgrep testing in CI. Refer to: - https://github.com/frappe/frappe/pull/12524 - https://github.com/frappe/frappe/pull/12577 2021-04-16 16:14:49 +00:00			`- id: frappe-print-function-in-doctypes`
			`pattern: print(...)`
			`message: \|`
			`Did you mean to leave this print statement in? Consider using msgprint or logger instead of print statement.`
			`languages: [python]`
			`severity: WARNING`
			`paths:`
			`include:`
			`- "//doctype/"`

			`- id: frappe-modifying-child-tables-while-iterating`
			`pattern-either:`
			`- pattern: \|`
			`for $ROW in self.$TABLE:`
			`...`
			`self.remove(...)`
			`- pattern: \|`
			`for $ROW in self.$TABLE:`
			`...`
			`self.append(...)`
			`message: \|`
			`Child table being modified while iterating on it.`
			`languages: [python]`
			`severity: ERROR`
			`paths:`
			`include:`
			`- "//doctype/"`

			`- id: frappe-same-key-assigned-twice`
			`pattern-either:`
			`- pattern: \|`
			`{..., $X: $A, ..., $X: $B, ...}`
			`- pattern: \|`
			`dict(..., ($X, $A), ..., ($X, $B), ...)`
			`- pattern: \|`
			`_dict(..., ($X, $A), ..., ($X, $B), ...)`
			`message: \|`
			key `$X` is uselessly assigned twice. This could be a potential bug.
			`languages: [python]`
			`severity: ERROR`
ci: rule to fail PRs that add a new manual commit (#27928) Manual commits are frequent source of bugs, confusions or undefined behaviour. All new manual commits should be explcitly ignored with explanation on why it's added. This will only fail for new additions. Existing ones need to be cleaned up manually. 2021-10-12 17:31:37 +00:00
			`- id: frappe-manual-commit`
			`patterns:`
			`- pattern: frappe.db.commit()`
			`- pattern-not-inside: \|`
			`try:`
			`...`
			`except ...:`
			`...`
			`message: \|`
			Manually commiting a transaction is highly discouraged. Read about the transaction model implemented by Frappe Framework before adding manual commits: https://frappeframework.com/docs/user/en/api/database#database-transaction-model If you think manual commit is required then add a comment explaining why and `// nosemgrep` on the same line.
			`paths:`
			`exclude:`
			`- "/patches/"`
			`- "/demo/"`
			`languages: [python]`
			`severity: ERROR`
ci: Rule Added for using frappe.qb over db.sql* (#28000) ERPNext port of https://github.com/frappe/frappe/pull/14481 Co-authored-by: Ankush Menat <ankush@iwebnotes.com> Co-authored-by: abhishek <as7122000@gmail.com> 2021-10-19 08:50:09 +00:00
			`- id: frappe-using-db-sql`
			`pattern-either:`
			`- pattern: frappe.db.sql(...)`
			`- pattern: frappe.db.sql_ddl(...)`
			`- pattern: frappe.db.sql_list(...)`
			`paths:`
			`exclude:`
			`- "test_*.py"`
			`message: \|`
			`The PR contains a SQL query that may be re-written with frappe.qb (https://frappeframework.com/docs/user/en/api/query-builder) or the Database API (https://frappeframework.com/docs/user/en/api/database)`
			`languages: [python]`
			`severity: ERROR`