Bear VS semgrep

Have you tried Bear? I used it for several projects and overall it works very well.

An update: I am now able to make everything work by generating `compile_commands.json` using compiledb. I'm aware that there is another tool Bear but for some reason it generates an empty `compile_commands.json` file for me.

Try https://github.com/rizsotto/Bear

Regarding the libraries, you might need to add it to clangd’s configuration. A convenient way is to have a compile_commands.json in your project (this is generated by some build tools like CMake, but if you don’t use them, have a look at bear).

Note that you need to have a compile_commands.json file. That file can easily be generated by CMake, Meson, etc. For other build systems checkout Bear https://github.com/rizsotto/Bear

make a 'gcc' command/executable that do nothing and make it first in your PATH and then run bear with make: https://github.com/rizsotto/Bear/issues/219 It is unfortunate that bear doesn't catch the output of the make command with '--dry-run' as it still prints the compile commands, it seems not that hard to support this and I think many ppl would benefit..

You could try to start with Bear: https://github.com/rizsotto/Bear In worst cases, I had to use strace to catch every gcc/g++ invocation and restructure the compile_commands.json out of the strace logs.

But it sounds like maybe you’re assuming for the purposes of using something like clangd (highly recommended for coding in cpp projects in general, you want to be using this in vscode or whatever else anyway, codelion notwithstanding I suppose) with neovim on a c++ project that you have to use cmake to produce a compilation database to use with neovim plugins (e.g. clangd via nvim-lsp et. al.). In this case, be aware that the https://github.com/rizsotto/Bear tool is a handy way to just tack it on to whatever command you’re using to run a c++ code build step, and it will give you a compile_commands.json, corresponding to the compiler commands it invoked, on a silver platter.

I guess your questionmarks are about installing "bear", he refers to this project: https://github.com/rizsotto/Bear

You just simply go to the root of your project, use bear and just open your C files. That's all.

Semgrep OSS Owner/Maintainer: Semgrep Age: First release on GitHub on February 6th, 2020 License: GNU Lesser General Public License v2.1

Semgrep - https://semgrep.dev

For the SAST stage, I used SonarQube tool. SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on more than 30 programming languages. I preferred SonarQube instead of other SAST tools because it has a detailed documentation and plugins about integration with Jenkins and SonarQube works with Java projects pretty well. Of course you can similar multi-language-supported tools such as Semgrep or language-specific tools such as Bandit.

> Not sure I understand your point.

The problem is using Treesitter (for syntax highlighting and "semantic movements") and an LSP at the same time. So if your language has a LSP, using Treesitter additionally is redundant at best and introduces inconcistency at worst.

I'm not talking about using Treesitter as the parser for the LSP.

> Most popular languages have language-specific tools

I'd say even less popular langauges like Coq^H^H^HRocq, Lean 4, Koka, Idris, Unison, ... have their "own" tools, I do not know of a language that uses a Treesitter parser in its LSP, but I do know about tools like https://semgrep.dev/ (written in OCaml) and Github's code search which use Treesitter.

Well, when I seach for "semgrep", I get a very nice corporate landing page with a "Book Demo" button. Which is a level of hassle that just isn't worth it for smaller teams, because "Book Demo" usually means "We're going to try to do a dance to see how much money we can extract from you." Which smaller teams may only want to do for a handful of key tools.

(4 years ago, I was more willing to put up with enterprise licensing. But in the last two years, I've seen way too many enterprise vendors try to squeeze every penny they can get from existing clients. An enterprise sales process now often means "Expect 30% annual price hikes once you're in too deep to back out.")

There's also an open source "semgrep" project here: https://github.com/semgrep/semgrep. But this seems to be basically a vulernability scanner, going by the README.

Whereas AST-grep seems to focus heavily on things like:

1. One-off searching: "Search my tree for this pattern."

2. Refactoring: "Replace this pattern with this other pattern."

AST-grep also includes a vulnerability scanning mode like semgrep.

It's possible that semgrep also has nice support for (1) and (2), but it isn't clearly visible on their corporate landing page or the first open source README I found.

7. Semgrep