ajinabraham / libsast

Generic SAST Library
https://opensecurity.in
GNU Lesser General Public License v3.0
123 stars 19 forks

ImportError: Cannot import name 'semgrep_main' from 'semgrep' in libsast #40

Closed cpuu closed 6 months ago

cpuu commented 6 months ago

Issue Description:

I encountered an ImportError when trying to use libsast with semgrep. It seems like the semgrep_main function is no longer available or has been moved in the latest version of semgrep, causing libsast to fail when invoking it.

Steps to Reproduce:

Ensure Python, semgrep, and libsast are installed. Run libsast with a command similar to:

$ libsast -s ./log4j.yaml ./log4j-injection.java

Expected Behavior:

libsast should successfully scan the specified files without any import errors.

Actual Behavior:

Received an ImportError indicating that semgrep_main cannot be imported from the 'semgrep' package. Here's the traceback for reference:

$ libsast -s ./log4j.yaml ./log4j-injection.java
Traceback (most recent call last):
  File "/home/cpuu/anaconda3/bin/libsast", line 8, in <module>
    sys.exit(main())
  File "/home/cpuu/anaconda3/lib/python3.10/site-packages/libsast/__main__.py", line 93, in main
    result = Scanner(options, args.path).scan()
  File "/home/cpuu/anaconda3/lib/python3.10/site-packages/libsast/scanner.py", line 65, in scan
    self.options).scan(valid_paths)
  File "/home/cpuu/anaconda3/lib/python3.10/site-packages/libsast/core_sgrep/semantic_sgrep.py", line 40, in scan
    sgrep_out = invoke_semgrep(paths, self.scan_rules)
  File "/home/cpuu/anaconda3/lib/python3.10/site-packages/libsast/core_sgrep/helpers.py", line 13, in invoke_semgrep
    from semgrep import semgrep_main
ImportError: cannot import name 'semgrep_main' from 'semgrep' (/home/cpuu/anaconda3/lib/python3.10/site-packages/semgrep/__init__.py)

To further investigate the issue, I conducted a basic test to verify the importability of semgrep in Python. Here are my findings:

Launching Python and importing semgrep as a module works without any issues, indicating that the semgrep package is installed correctly and is recognized by Python.

$ python
Python 3.10.9 (main, Mar  1 2023, 18:23:06) [GCC 11.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import semgrep

This command completes without any errors, confirming that the basic installation of semgrep is intact and functional. However, when attempting to specifically import semgrep_main from semgrep, I encounter an ImportError, which suggests that the issue is not with the semgrep package installation but rather with the accessibility or existence of the semgrep_main function within the package.

>>> from semgrep import semgrep_main
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: cannot import name 'semgrep_main' from 'semgrep' (/home/cpuu/anaconda3/lib/python3.10/site-packages/semgrep/__init__.py)

This test highlights that the issue specifically revolves around the semgrep_main import, aligning with the error encountered when using libsast.

These observations suggest that there may have been changes in the semgrep package that affected the availability of semgrep_main, leading to compatibility issues with libsast. This additional information should help in diagnosing the root cause of the ImportError and in determining the appropriate version compatibility between libsast and semgrep.

Environment:

OS: Ubuntu 22.04 (WSL Linux)
Python version: 3.10.9
semgrep version: 1.62.0
libsast version: v2.0.3

Attempts to Resolve:

I've checked for updates to both libsast and semgrep but haven't found any specific information regarding changes to semgrep_main. It appears that recent updates to semgrep may have deprecated or moved this function, causing compatibility issues with libsast.

Compatibility Question:

In addition to the above issue, I would like to inquire about the compatibility of libsast with semgrep versions. Given the ImportError encountered, it appears there might be a mismatch in version compatibility between libsast and the current version of semgrep I am using (1.62.0).

Could you please provide guidance on which version of semgrep is optimized for use with libsast v2.0.3? Understanding the recommended version could help in resolving the import error and ensure smooth operation of libsast for my projects.

Thank you for your support and looking forward to your advice on this matter.

ajinabraham commented 6 months ago

libsast requires a specific semgrep version to work. https://github.com/ajinabraham/libsast/blob/09165d63062312b6ecfef6fb96177851030c9d42/pyproject.toml#L29 You might want to consider using the exact version or install libsast inside a virtualenv.
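The failure above is a pinned-dependency mismatch: libsast's helper does `from semgrep import semgrep_main`, and that name is only present in the semgrep release libsast pins, so a newer semgrep installs cleanly but breaks at call time. The following is an added example (not libsast's own code) of a pre-flight check you can run in an environment before invoking libsast: it reads the installed semgrep version, compares it against the exact pin, and confirms the imported module actually exposes the symbol libsast needs. It assumes the pin is an exact `==` version and uses 0.117.0 as reported later in this thread; `REQUIRED_SEMGREP`, `evaluate` and `probe_environment` are names chosen for this example.

```python
"""Pre-flight check: does the installed semgrep match what libsast expects?

Added example, not part of libsast. Assumes libsast pins an exact semgrep
version (0.117.0 as reported in this thread) and imports `semgrep_main`
from the `semgrep` package.
"""
from __future__ import annotations

import importlib
import importlib.metadata
import sys
from typing import Optional, Tuple

# Assumption: the exact version libsast's pyproject.toml pins.
REQUIRED_SEMGREP = "0.117.0"
# The symbol libsast/core_sgrep/helpers.py imports (from the traceback).
REQUIRED_SYMBOL = "semgrep_main"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.62.0' into (1, 62, 0); non-digit suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(installed: Optional[str], has_symbol: bool,
             required: str = REQUIRED_SEMGREP) -> Tuple[bool, str]:
    """Pure decision logic, so it can be tested without semgrep installed.

    Returns (ok, human-readable reason).
    """
    if installed is None:
        return False, "semgrep is not installed"
    if parse_version(installed) != parse_version(required):
        return False, (f"semgrep {installed} installed but libsast pins "
                       f"semgrep=={required}")
    if not has_symbol:
        # Right version string but the module still lacks the entry point
        # (e.g. a broken or shadowed install).
        return False, f"semgrep {installed} does not expose '{REQUIRED_SYMBOL}'"
    return True, f"semgrep {installed} matches the pin and exposes {REQUIRED_SYMBOL}"


def probe_environment() -> Tuple[Optional[str], bool]:
    """Inspect the current interpreter: (installed version or None, symbol present)."""
    try:
        installed = importlib.metadata.version("semgrep")
    except importlib.metadata.PackageNotFoundError:
        return None, False
    try:
        module = importlib.import_module("semgrep")
    except ImportError:
        return installed, False
    return installed, hasattr(module, REQUIRED_SYMBOL)


def main() -> int:
    installed, has_symbol = probe_environment()
    ok, reason = evaluate(installed, has_symbol)
    print(("OK: " if ok else "FAIL: ") + reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it inside the virtualenv you intend to use for libsast; a non-zero exit means the scan would die with the ImportError shown above. With semgrep 1.62.0 installed, as in the report, it fails on the version comparison before the symbol check is even reached. Following the maintainer's advice, the fix is to create a dedicated virtualenv and install the pinned semgrep alongside libsast rather than sharing a site-packages with a newer semgrep.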

cpuu commented 6 months ago

Thank you for your response regarding the specific version dependency of libsast on semgrep (0.117.0). Based on your advice, I understand that libsast requires this exact version of semgrep to function properly, and you recommend using this version or installing libsast within a virtual environment to mitigate compatibility issues.

Given this dependency requirement, I would like to inquire about the future support plans for libsast with respect to new versions of semgrep. Your recommendation seems to imply that there might not be immediate plans to update libsast for compatibility with newer versions of semgrep. Could you please clarify if this interpretation is correct?

Furthermore, for projects that aim to stay up-to-date with the latest semgrep features and security improvements, could you provide any guidance on how to balance these needs with the current version constraints of libsast? Are there any plans to support future versions of semgrep in libsast, or should users plan to adhere to semgrep version 0.117.0 for the foreseeable future?

Thank you for your time and for providing further clarification on this matter.