semgrep VS jscodeshift

Semgrep OSS Owner/Maintainer: Semgrep Age: First release on GitHub on February 6th, 2020 License: GNU Lesser General Public License v2.1

Semgrep - https://semgrep.dev

For the SAST stage, I used SonarQube tool. SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on more than 30 programming languages. I preferred SonarQube instead of other SAST tools because it has a detailed documentation and plugins about integration with Jenkins and SonarQube works with Java projects pretty well. Of course you can similar multi-language-supported tools such as Semgrep or language-specific tools such as Bandit.

> Not sure I understand your point.

The problem is using Treesitter (for syntax highlighting and "semantic movements") and an LSP at the same time. So if your language has a LSP, using Treesitter additionally is redundant at best and introduces inconcistency at worst.

I'm not talking about using Treesitter as the parser for the LSP.

> Most popular languages have language-specific tools

I'd say even less popular langauges like Coq^H^H^HRocq, Lean 4, Koka, Idris, Unison, ... have their "own" tools, I do not know of a language that uses a Treesitter parser in its LSP, but I do know about tools like https://semgrep.dev/ (written in OCaml) and Github's code search which use Treesitter.

Well, when I seach for "semgrep", I get a very nice corporate landing page with a "Book Demo" button. Which is a level of hassle that just isn't worth it for smaller teams, because "Book Demo" usually means "We're going to try to do a dance to see how much money we can extract from you." Which smaller teams may only want to do for a handful of key tools.

(4 years ago, I was more willing to put up with enterprise licensing. But in the last two years, I've seen way too many enterprise vendors try to squeeze every penny they can get from existing clients. An enterprise sales process now often means "Expect 30% annual price hikes once you're in too deep to back out.")

There's also an open source "semgrep" project here: https://github.com/semgrep/semgrep. But this seems to be basically a vulernability scanner, going by the README.

Whereas AST-grep seems to focus heavily on things like:

1. One-off searching: "Search my tree for this pattern."

2. Refactoring: "Replace this pattern with this other pattern."

AST-grep also includes a vulnerability scanning mode like semgrep.

It's possible that semgrep also has nice support for (1) and (2), but it isn't clearly visible on their corporate landing page or the first open source README I found.

7. Semgrep

This project is a compilation of Semgrep rules derived from the OWASP Mobile Application Security Testing Guide (MASTG) specifically for Android applications. The aim is to enhance and support Mobile Application Penetration Testing (MAPT) activities conducted by the ethical hacker community. The primary objective of these rules is to address the static tests outlined in the OWASP MASTG.

A parser can have various applications in everyday life, and you probably use some parser daily. Babel, webpack, eslint, prettier, and jscodeshift. All of them, behind the scenes, run a parser that manipulates an Abstract Syntax Tree (AST) to do what you need - we'll talk about that later, don't worry.

OP: If this is an avenue you feel like entertaining, here are some nice codemod tools that could ease the transition for you: CodeQue, Subsecond, and the old standard jscodeshift.

If that isn't enough or you find issues with it, the current de-facto standard for codemods is jscodeshift. You'll write more code, but at least you only have to write it once.

Here is the pull request https://github.com/facebook/jscodeshift/pull/549

Those are important but tough problems!

1. I feel like codemods and a setup shell prompt are the best solution to this, but this looks different for each language (eg, in JS there is https://github.com/facebook/jscodeshift). I could make UI around that for listers to provide parts of the app that should replaced and buyers to provide values for it, but it could be quite a rabbit hole. This is actually why I show the README for the repos, so users can see if the setup steps are comprehensive before buying (for paid ones).

2. I agree atomic commits can help someone navigate a new codebase. In the same spirit as my response to #1, I don't feel confident I could enforce this, but I could surface the commits on the starter repo page so potential buyers could see if the author laid things out well.

Thanks for the ideas!

That's why I've been working on a tool that automatically upgrades major versions of libraries with breaking changes, the idea is to simplify the process and save developers time and effort by having a bank of transformers (using codemod & jscodeshift) and open source them:

JSCodeshift: A toolkit for running and writing codemods.

Hi HN community, we are Jake, Tzachi and Etai, co-founders of FlyCode (https://www.flycode.com/). FlyCode makes it easy for product, UX, and marketing teams to edit web apps without coding, so they don’t have to wait on (or consume) developer time, and can iterate, test, and release faster. See a quick example here: https://www.youtube.com/watch?v=jDL5oa2nEHo

Non-technical teams frequently need to edit the copy (text), images, and links that appear in a web app. How to manage these has long been a pain on software projects. You can keep them separate from the code, in some form that non-programmers can edit, but this adds a lot of complexity and is usually brittle, as it can bypass the regular development workflows (as CI, staging envs & deploy previews). It’s simpler to keep them in the code—but then only programmers can easily edit them. Everyone else has to wait to get their changes in, plus the devs have to do a lot of edits that aren’t their main work. This slows projects down and is expensive. It also means that product/marketing/UX teams can’t do things that require rapid iteration, such as sophisticated forms of A/B or usability testing. This limits their work and ultimately is bad for both quality and revenue.

There have been many approaches to solving this dilemma, including custom built admin tools that are limited in functionality and require maintenance, offloading to CMS that require heavy integration, are normally used for simple static apps, and bind your stack to their SDKs. Or wasting a developer’s time to do it for you…

We took a new approach by automatically analyzing a codebase’s structure, similar to a compiler. This allows us to automatically populate our platform in which product/UX/marketing teams can easily use to edit their text and images. We programmatically turn those edits into code changes. Our GitHub bot then takes these code changes and creates a pull request just like a developer would—but without the latency (and boredom!). Developers retain codebase ownership, while non-developers become individual contributors to the dev process, just like the others.

We use well-established practices for parsing and editing source code (like https://github.com/facebook/jscodeshift), covering most of the major technologies used for building web apps (React, Angular, Vue, and Ruby on Rails included).

Once our software has parsed your codebase, it generates an editing portal for your app that teams can easily use to find, manage, and edit product copy, images, and links, and then auto-generate PRs. You can edit product copy regardless of whether it is in resource files or hardcoded (fun fact: some of the largest and fastest-growing tech companies have most of their strings hardcoded!), and you can replace and upload new images and icons to your product.

The integration with GitHub (https://www.flycode.com/developers) took us a long time to get right. There’s not a lot of documentation around integrating GitHub to platforms, and things like connecting an org or connection requests turned out to be non-trivial. We're particularly proud of the result because unlike with other tools, you don’t have to do any significant integration work.

Our GitHub app finds texts and images in the source code and sends them to our platform (you have full control of what and where we scan). Once a user requests a change it updates the texts and the images in the codebase and creates a pull request.

We did a Show HN earlier this year: https://news.ycombinator.com/item?id=31166924, which helped us get some serious leads, which was awesome. Since then we’ve moved out of beta, added new content types (images), launched a new UI and visual editor (EAP), and automated the onboarding of new repos.

We have a handful of companies paying for this and spent the last year focusing on making it extremely simple to use. It only takes 3 minutes to connect our GitHub app and configure the system for your team to start editing. It doesn’t require any changes to your code, or any special maintenance. You can get started here: https://app.flycode.com

We are hoping to use this launch to get some more feedback from you all! We are far from our vision to be a platform for everything front-end but are working hard every day to improve the user experience and feature requests from our early collaborators (editing links, themes, variables, JSON configuration, defining in-code A/B tests, etc.).

We're really happy to show this to you all and thank you for reading about it. For those that sign up, time yourself to check that our “3-minute connect + config” claim isn't just a sales tactic! We look forward to further conversation in the comments.

jscodeshift