semgrep / semgrep

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
https://semgrep.dev
GNU Lesser General Public License v2.1

`.semgrepignore` is not used with absolute paths #9960

Open sneko opened 7 months ago

sneko commented 7 months ago

Hi,

When I'm using: `semgrep --metrics=off --config ./semgrep-rules.yaml .`

Everything works as expected, folders in my `.semgrepignore` are ignored.

But if I use absolute paths, the `.semgrepignore` does not seem to be considered: `semgrep --metrics=off --config /Users/mynestedfolders/project/semgrep-rules.yaml /Users/mynestedfolders/project/`

(note that I tried to use the `--project-root` parameter from the CLI as specified by `semgrep scan --help` but it tells me this is not a valid parameter 🤔 )

Thank you,

EDIT: I'm using v1.65.0

mjambon commented 7 months ago

It turns out that the current implementation (i.e. not `--experimental`, more on this later) reads the `.semgrepignore` file in the current folder rather than at the project root. I think it wasn't intended this way, so it's a bug.

Now, we have a new implementation of semgrepignore in the works. It is available with `--experimental`. It follows the gitignore specification more closely and won't have this particular bug. Passing `--project-root` shouldn't be necessary, it's an option that has been useful for us for internal testing.

Suggested solutions:

  • cd into the project root for the duration of the semgrep job: `(cd /Users/mynestedfolders/project/ && semgrep --metrics=off --config ./semgrep-rules.yaml .)`
  • or wait for `--experimental` to become stable or the default (could be a while).
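The cd-into-the-project-root workaround mjambon suggests can be wrapped so it works from any current directory and with absolute target paths, which is the form the original report used. The script below is an added example, not semgrep's own code or anything posted in this thread: it walks up from the target until it finds the directory holding `.semgrepignore`, converts the target to a path relative to that directory, and runs semgrep from there. The function names (`find_semgrepignore_root`, `relative_to`, `run_semgrep_from_root`) and the `SEMGREP_BIN` variable are this example's own conventions, not semgrep options; it assumes a POSIX `sh` and `semgrep` on `PATH`.

```shell
#!/bin/sh
# Added example, not semgrep's own code. Wraps the "cd into the project root"
# workaround so the stable (non --experimental) CLI reads the intended
# .semgrepignore regardless of the caller's cwd or whether the target path
# is absolute. Assumes POSIX sh; SEMGREP_BIN is this script's own convention
# (defaults to `semgrep` on PATH), not a semgrep setting.

# Print the nearest ancestor of $1 (inclusive) that contains .semgrepignore.
# Prints nothing and returns 1 if none is found up to the filesystem root.
find_semgrepignore_root() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        if [ -f "$dir/.semgrepignore" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Print $2 relative to $1 ("." when they are the same directory) so the scan
# argument has the relative form that works today; returns 1 if $2 is outside $1.
relative_to() {
    root=$1; target=$2
    case "$target" in
        "$root")   printf '.\n' ;;
        "$root"/*) printf '%s\n' "${target#"$root"/}" ;;
        *)         return 1 ;;
    esac
}

# Usage: run_semgrep_from_root <target-dir> [semgrep options...]
# Refuses to scan when no .semgrepignore is found, since that is exactly the
# situation in which unintended files (vendored code, fixtures) get scanned
# and the ignore list silently stops applying.
run_semgrep_from_root() {
    target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    shift
    root=$(find_semgrepignore_root "$target") || {
        echo "no .semgrepignore found at or above $target; refusing to scan" >&2
        return 1
    }
    rel=$(relative_to "$root" "$target") || return 1
    # The subshell leaves the caller's cwd untouched; --metrics=off as in the report.
    (cd "$root" && "${SEMGREP_BIN:-semgrep}" --metrics=off "$@" "$rel")
}
```

With this in place, the absolute-path invocation from the report becomes `run_semgrep_from_root /Users/mynestedfolders/project/ --config /Users/mynestedfolders/project/semgrep-rules.yaml`; the config path may stay absolute, only the scan target is rewritten relative to the directory that holds `.semgrepignore`.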

paleboot commented 1 month ago

> It turns out that the current implementation (i.e. not `--experimental`, more on this later) reads the `.semgrepignore` file in the current folder rather than at the project root. I think it wasn't intended this way, so it's a bug.
>
> Now, we have a new implementation of semgrepignore in the works. It is available with `--experimental`. It follows the gitignore specification more closely and won't have this particular bug. Passing `--project-root` shouldn't be necessary, it's an option that has been useful for us for internal testing.
>
> Suggested solutions:
>
>   • cd into the project root for the duration of the semgrep job: `(cd /Users/mynestedfolders/project/ && semgrep --metrics=off --config ./semgrep-rules.yaml .)`
>   • or wait for `--experimental` to become stable or the default (could be a while).

Hi, is there any estimate for when the new implementation will reach the stable version, and which version it might be? Thanks!