One common issue when writing custom rules involves the unsuccessful exclusion of cases using pattern-not.
If you are trying to exclude a specific case where a pattern is unacceptable unless it is accompanied by another pattern, try pattern-not-inside instead of pattern-not.
Background
In Semgrep, a pattern that’s inside another pattern can mean one of two things:
- The pattern is wholly within an outer pattern
- The pattern is at the same level as another pattern, but includes less code
Using pattern-not in your rule means that Semgrep expects both matches to be the same “size” (to cover the same amount of code), and the exclusion does not apply if that is not the case.
Example
The example rule find-unverified-transactions is a good example: make_transaction($T) is acceptable only if verify_transaction($T) is also present.
To successfully match the target code, the rule uses pattern and pattern-not:
pattern-inside, the rule doesn’t work — try it out if you like!
Looking at how pattern-not operates, you can see that this rule fails because the two matches are not the same size: the pattern-not match is at the same level, but it is “larger” (contains more code).
If you switch to pattern-not-inside:
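The following rule file is an added example, not the rule text from the original page: it puts the broken pattern-not variant beside the working pattern-not-inside variant so both can be run against one constructed target. The target file name, the "-broken" id suffix and the message text are assumptions; the rule id find-unverified-transactions and the make_transaction($T)/verify_transaction($T) calls come from the page.

```yaml
# Constructed target (save as target.py, assumed name):
#   def checked(t):
#       verify_transaction(t)
#       make_transaction(t)      # should NOT be reported
#
#   def unchecked(t):
#       make_transaction(t)      # should be reported
rules:
  # Broken variant (id suffix is ours): pattern-not only discards a
  # make_transaction($T) match when the excluded pattern covers exactly
  # the same range. The excluded pattern spans from verify_transaction
  # to make_transaction, which is larger, so nothing is discarded and
  # BOTH calls in the target are reported.
  - id: find-unverified-transactions-broken
    languages: [python]
    severity: WARNING
    message: make_transaction($T) is not preceded by verify_transaction($T)
    patterns:
      - pattern: make_transaction($T)
      - pattern-not: |
          verify_transaction($T)
          ...
          make_transaction($T)

  # Working variant: pattern-not-inside discards a match that lies
  # anywhere inside the excluded range, so make_transaction(t) in
  # checked() is dropped and only the call in unchecked() is reported.
  - id: find-unverified-transactions
    languages: [python]
    severity: WARNING
    message: make_transaction($T) is not preceded by verify_transaction($T)
    patterns:
      - pattern: make_transaction($T)
      - pattern-not-inside: |
          verify_transaction($T)
          ...
          make_transaction($T)
```

Run both with `semgrep --config rules.yaml target.py`: the broken rule fires twice, the working rule fires once, on the call in unchecked().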
Further information
See this video for more information about the difference between pattern-not and pattern-not-inside.