by underyx
1357 days ago
Hey, I work on OP's product, and just wanted to mention that reachability is not always about a function being called. Sometimes insecure behavior is triggered by setting options to a certain value[0]. Other times it's feasible to mark usages of an insecure function as safe when we know that the passed argument comes from a trusted source[1]. The Semgrep rules we write understand these nuances instead of just flagging function calls.

[0]: e.g. https://nvd.nist.gov/vuln/detail/CVE-2021-28957

[1]: e.g. https://nvd.nist.gov/vuln/detail/CVE-2014-0081
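The two nuances described in the comment above, shown as an added Semgrep rule file that is not part of the thread or of the commenter's product. The `widget` library, its `allow_unsafe` option and its `render_raw()` function are hypothetical names chosen for illustration; the rule syntax (`pattern-either`, `pattern-not`, `...` and `"..."` wildcards) is standard Semgrep.

```yaml
rules:
  # Nuance [0]: the dangerous behaviour is reached by setting an option,
  # not by calling a particular function. Both ways of setting it are matched.
  - id: hypothetical-widget-unsafe-option-enabled
    languages: [python]
    severity: WARNING
    message: >
      `allow_unsafe=True` on the hypothetical widget.Parser enables the
      insecure behaviour; reachability here is the option value, not a call.
    patterns:
      - pattern-either:
          # constructor keyword argument, anywhere in the argument list
          - pattern: widget.Parser(..., allow_unsafe=True, ...)
          # attribute assigned later on the same object ($P is a metavariable)
          - pattern: |
              $P = widget.Parser(...)
              ...
              $P.allow_unsafe = True

  # Nuance [1]: the function is only dangerous with untrusted input.
  # A hard-coded string literal ("..." matches any literal) is marked safe,
  # so only calls whose argument is some other expression are reported.
  - id: hypothetical-widget-render-raw-untrusted-arg
    languages: [python]
    severity: WARNING
    message: >
      `widget.render_raw()` is only a problem when its argument may be
      attacker-controlled; calls with a string literal are not flagged.
    patterns:
      - pattern: widget.render_raw($ARG)
      - pattern-not: widget.render_raw("...")
```

Run with `semgrep --config rules.yml .` against Python code; a call such as `widget.render_raw(request.args["q"])` is reported while `widget.render_raw("<b>static</b>")` is not.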