Ability to Specify Code Assumptions #10169

Open
andrew-konstantinov opened this issue Apr 26, 2024 · 1 comment
@andrew-konstantinov

Is your feature request related to a problem? Please describe.
Production code often depends on runtime feature flags, external services, and so on. As a result, many code branches are essentially unreachable under normal conditions; however, AFAIK there is currently no way to express this in Semgrep, which leads to a high number of false positives. A very simple example could be:

fun test1() {
    // `var` rather than `val`: the variable is reassigned below, and a `val` would not compile
    var id = source()

    val shouldDoSanitization = isSanitizationEnabled(id)
    if (shouldDoSanitization) {
        id = sanitize(id)
    } else {
        // ok: sanitization-behind-a-feature-flag
        sink(id)
    }
}

In this case I'd like to express that isSanitizationEnabled is going to return true, but I couldn't find a way to do this in the Semgrep documentation.

Describe the solution you'd like
Introduce a mechanism to specify code assumptions, such as:

  • return values (in the example above express that isSanitizationEnabled always returns true here)
  • variable values (in the example above express that shouldDoSanitization becomes true here)
  • control flow: assume a certain branch is always taken or always unreachable

Describe alternatives you've considered
Multiple sanitization rules could be defined as a workaround, in order to account for various code patterns, but these depend on heuristics and are therefore less precise; also, this approach currently does not work in Semgrep due to another bug (#10167 (comment)).

Use case

  1. Reduce the number of false positives by making Semgrep understand sanitization patterns in production code
  2. Reduce the number of false negatives by streamlining and simplifying Semgrep rules, relying more on Taint Mode & Cross-file Analysis instead of heuristics
@ievans ievans added the enhancement New feature or request label Apr 30, 2024
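For anyone wanting to reproduce the false positive described in the issue, the following is an added example (not part of the issue or of the Semgrep project): a minimal taint-mode rule whose `id` matches the `// ok:` annotation in the Kotlin snippet above. The rule and test file names (`sanitization-behind-a-feature-flag.yaml`, `test1.kt`) are assumptions; the snippet itself is the one from the issue, saved as `test1.kt`.

```yaml
# Added example, not from the issue. Minimal Semgrep taint rule that tracks
# values from source() to sink(), treating sanitize(...) as the only sanitizer.
# Save as sanitization-behind-a-feature-flag.yaml next to test1.kt and run:
#   semgrep --config sanitization-behind-a-feature-flag.yaml test1.kt
# or, to check the "// ok:" annotation in test1.kt:
#   semgrep --test --config sanitization-behind-a-feature-flag.yaml .
rules:
  - id: sanitization-behind-a-feature-flag
    mode: taint
    languages: [kotlin]
    severity: WARNING
    message: Value from source() reaches sink() without passing through sanitize()
    pattern-sources:
      - pattern: source()
    pattern-sanitizers:
      # Anything that passes through sanitize() is clean on the assignment path.
      - pattern: sanitize(...)
    pattern-sinks:
      - pattern: sink(...)
```

Run against the snippet, the rule reports the `sink(id)` call in the `else` branch, and `semgrep --test` flags that line as an unexpected finding because the file marks it `ok`. That is the expected behaviour of taint tracking: `id` is tainted on every path that does not go through `sanitize`, and nothing in the rule language states that `isSanitizationEnabled` returns true, so the `else` branch is analysed like any other reachable branch. This is exactly the gap the issue asks to close with a way to declare such assumptions.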
@navhits

navhits commented May 13, 2024

This is nice to have
