Semgrep rules for adapters

[onkarvhanumante]

• PR introduces semgrep rules for adapters code. These rules check whether,

  • response status codes are checked using utils
  • bid value in typeBid is assigned correctly
  • adapter.bidder interface is named correctly

• PR also adds unit tests for each semgrep rule. Note that semgrep looks for tests based on the rule filename and the languages specified in the rule. For example, we have rule for no-content-status.yml check. For this rule we have added no-content-status.go. This file includes patterns to be flagged by semgrep and patterns not to be flagged by semgrep.

• Note that this is initial step of integrating semgrep with adapter code reviews. As next step plan is to,

  • Run rules for existing adapters and fix them.
  • Introduce GitHub action script that scans PR changes, run semgrep tests and add semgrep result as PR comment. Refer https://github.com/onkarvhanumante/prebid-server/pull/31. Therefore message field in each semgrep rule is written using markup language used for Github comment.

• Run semgrep unit tests

~/prebid-repos/prebid-server (add-semgrep-rules*) » semgrep --test  /Users/oh0387/prebid-repos/prebid-server/.semgrep/adapter/                                                                                                                                                  
4/4: ✓ All tests passed
No tests for fixes found.

• Use following command to run semgrep tests against adapter code base

~/prebid-repos/prebid-server (add-semgrep-rules) » semgrep --gitlab-sast --config=.semgrep/adapter/ ./adapters/ | jq '[.vulnerabilities[] | {"file": .location.file, "start": .location.start_line, "end": .location.end_line, "message": (.message | gsub("\\n"; "\n"))}]' | jq -c


┌─────────────┐
│ Scan Status │
└─────────────┘
  Scanning 2492 files tracked by git with 4 Code rules:
  Scanning 191 files with 4 go rules.
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00


┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Scan skipped: 320 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 4 rules on 191 files: 477 findings.

A new version of Semgrep is available. See https://semgrep.dev/docs/upgrading
[{"file":"adapters/33across/33across.go","start":282,"end":282,"message":"Scope of `TtxAdapter` is limited to this adapter package. Therefore `TtxAdapter` can be renamed to `adapter`. Refer following example.\n```\n  type adapter struct {\n    endpoint string\n  }\n  func  Builder(bidderName openrtb_ext.BidderName, config config.Adapter, server config.Server) (adapters.Bidder, error) {\n    return &adapter{endpoint: \"https://www.foo.com\"}, nil\n  }\n```\n"},{"file":"adapters/acuityads/acuityads.go","start":28,"end":28,"message":"Scope of `AcuityAdsAdapter` is limited to this adapter package. Therefore `AcuityAdsAdapter` can be renamed to `adapter`. Refer following example.\n```\n  type adapter struct {\n    endpoint string\n  }\n  func  Builder(bidderName openrtb_ext.BidderName, config config.Adapter, server config.Server) (adapters.Bidder, error) {\n    return &adapter{endpoint: \"https://www.foo.com\"}, nil\n  }\n```\n"},{"file":"adapters/adgeneration/adgeneration.go","start":288,"end":288,"message":"Scope of `AdgenerationAdapter` is limited to this adapter package. Therefore `AdgenerationAdapter` can be renamed to `adapter`. Refer following example.\n```\n  type adapter struct {\n    endpoint string\n  }\n  func  Builder(bidderName openrtb_ext.BidderName, config config.Adapter, server config.Server) (adapters.Bidder, error) {\n    return &adapter{endpoint: \"https://www.foo.com\"}, nil\n  }\n```\n"},{"file":"adapters/adhese/adhese.go","start":278,"end":278,"message":"Scope of `AdheseAdapter` is limited to this adapter pa
...
{"file":"adapters/videoheroes/videoheroes.go","start":137,"end":137,"message":"Found incorrect assignment made to `Bid` Recommended to either create copy of `bid` and then assign it as `Bid`  ```\n  for _, seatBid := range response.SeatBid {\n    for _, bid := range seatBids.Bid {\n      ...\n      seatBid := bid\n      responseBid := &adapters.TypedBid{\n        Bid: &seatBid,\n        ...\n      }\n      ...\n    }\n  }\n``` Alternatively can make use of `seatBids.Bid` loop index as shown below  ```\n  for _, seatBid := range response.SeatBid {\n    for i, _ := range seatBids.Bid {\n      ...\n      responseBid := &adapters.TypedBid{\n        Bid: &seatBids.Bid[i],\n        ...\n      }\n      ...\n      ...\n    }\n  }\n```\n"}]

~/prebid-repos/prebid-server (add-semgrep-rules) »

[Sonali-More-Xandr]

LGTM!

[mansinahar]

Could you please also add a comment about how using the adapter's actual name for the adapter struct also makes it redundant with the package name. Example, foo.Foo

[onkarvhanumante]

03ee138 updates message

[mansinahar]

Nitpick: Rewrite as Refer to the following example

[onkarvhanumante]

f25485c

[mansinahar]

I think it will be helpful to give the author some explanation of why their implementation is incorrect. Can you please provide some context in the description about how the loop variable gets overridden and that can cause unexpected behavior?

[onkarvhanumante]

dc62fff adds the reasoning behind not assigning loop variable pointer value as bid

[mansinahar]

Won't we need another case here as

          - pattern: >
              for _, $BID := range ... {
                ...
                ... := append(...,  &adapters.TypedBid{
                  $KEY: &$BID,
                  ...
                })
                ...
              }

[onkarvhanumante]

we won't be reinitialising i.e := append inside loop

[mansinahar]

Ah ok! Yeah, you're right

[mansinahar]

@onkarvhanumante thanks for making the changes. I just have two minor comments about the messages.

[mansinahar]

Nitpick: Consider rewriting the last sentence as:
Consider using an index variable in the seatBids.Bid loop as shown below

[onkarvhanumante]

bd7aaff

[mansinahar]

I would recommend making this comment a little simpler such as:

You can call this simply "adapter", the $BUILDER identification is already supplied by the package name. As you have it, referencing your adapter from outside the package would be $BUILDER.$BUILDER which looks a little redundant. See example below:

(Stealing these words by Hans from an old adapter PR)

[onkarvhanumante]

bd7aaff

thanks for the updated message

[Sonali-More-Xandr]

I see that the HTTP response checks were removed from this PR. I agree that the use of utils is optional and should not block the PR from merging. It is upto the author if they want to update the adapter to use the utils or not but it is better to offer them an option. I think we should keep a semgrep rule that will add a comment as optional and let the author make decision.
thoughts?

[mansinahar]

@Sonali-More-Xandr I don't have a very strong opinion on this one so if you both think it will be valuable to have that as a warning, I won't fight it :)

[onkarvhanumante]

I see that the HTTP response checks were removed from this PR. I agree that the use of utils is optional and should not block the PR from merging. It is upto the author if they want to update the adapter to use the utils or not but it is better to offer them an option. I think we should keep a semgrep rule that will add a comment as optional and let the author make decision. thoughts?

@Sonali-More-Xandr I don't have a very strong opinion on this one so if you both think it will be valuable to have that as a warning, I won't fight it :)

For now lets have 2 semgrep rules. We can add other in new PR

[shahinrahbariasl]

Hey, our gofmt job in our build pipeline started failing due to missing package keyword in some of these files. Is that intended? Shouldn't all go files have a package declaration?