rules:
  - id: frappe-codeinjection-eval
    patterns:
      - pattern-not: eval("...")
      - pattern: eval(...)
    message: |
      Detected the use of eval(). eval() can be dangerous if used to evaluate
      dynamic content. Avoid it or use safe_eval().
    languages: [python]
    severity: ERROR

  - id: frappe-sqli-format-strings
    patterns:
      - pattern-inside: |
          @frappe.whitelist()
          def $FUNC(...):
            ...
      - pattern-either:
          - pattern: frappe.db.sql("..." % ...)
          - pattern: frappe.db.sql(f"...", ...)
          - pattern: frappe.db.sql("...".format(...), ...)
    message: |
      Detected use of raw string formatting for SQL queries. This can lead to sql injection vulnerabilities.
      Refer security guidelines - https://github.com/frappe/erpnext/wiki/Code-Security-Guidelines
    languages: [python]
    severity: WARNING