Backport latest codacy-semgrep changes and bump opengrep to 1.15.1

.tool_version

@@ -1 +1 @@
-1.11.5
+1.15.1

Dockerfile

@@ -1,4 +1,4 @@
-ARG OPENGREP_VERSION=v1.11.5
+ARG OPENGREP_VERSION=v1.15.1
 
 # Build codacy-opengrep wrapper
 FROM golang:1.23-alpine3.21 as builder

docs/codacy-rules-ai.yaml

@@ -0,0 +1,24 @@
+rules:
+  - id: codacy.csharp.ai.insecure-llm-model-usage
+    languages:
+      - csharp
+    message: "Usage of Insecure LLM Model: $MODEL"
+    severity: ERROR
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $CLIENT.GenerateContentAsync(..., model: "$MODEL", ...)
+          - pattern: |
+              $CLIENT.GenerateContentAsync(model: "$MODEL", ...)
+      - metavariable-regex:
+          metavariable: $MODEL
+          regex: <!-- MODEL_ALLOW_LIST -->
+    metadata:
+      category: security
+      subcategory: ai
+      description: Detects usage of insecure/unauthorized LLM models in C# codebases
+      technology:
+        - csharp
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: MEDIUM

docs/codacy-rules-i18n.yaml

@@ -0,0 +1,127 @@
+rules:
+  - id: codacy.java.i18n.enforce-localized-output
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          # Detect direct string literals
+          - pattern: System.out.println("...");
+          - pattern: System.out.print("...");
+          - pattern: System.err.println("...");
+          - pattern: System.err.print("...");
+          # Detect string concatenation
+          - pattern: System.out.println($X + ...);
+          - pattern: System.out.print($X + ...);
+          - pattern: System.err.println($X + ...);
+          - pattern: System.err.print($X + ...);
+          # Detect String.format without ResourceBundle
+          - pattern: System.out.println(String.format(...));
+          - pattern: System.out.print(String.format(...));
+      - pattern-not: System.out.println($BUNDLE.getString(...))
+      - pattern-not: System.out.print($BUNDLE.getString(...))
+      - pattern-not: System.err.println($BUNDLE.getString(...))
+      - pattern-not: System.err.print($BUNDLE.getString(...))
+      - pattern-not: System.out.println($BUNDLE.getObject(...))
+      - pattern-not: System.out.print($BUNDLE.getObject(...))
+      # Allow println without arguments (blank lines)
+      - pattern-not: System.out.println()
+      - pattern-not: System.err.println()
+    message: >-
+      Use localized messages instead of hardcoded strings. 
+      System.out.println() should use ResourceBundle.getString() or equivalent localization method.
+      Example: System.out.println(messages.getString("key")) where messages is of type java.util.ResourceBundle
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Enforces use of ResourceBundle for all user-facing output to ensure proper internationalization
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-alert-concat
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-either:
+      # Direct hardcoded alert strings
+      - pattern: alert("...")
+      - pattern: window.alert("...")
+      # String concatenation in alerts
+      - pattern: alert("..." + ...)
+      - pattern: alert(... + "...")
+      - pattern: window.alert("..." + ...)
+      - pattern: window.alert(... + "...")
+    pattern-not: alert(t(...))
+    message: >-
+      Avoid hardcoded or concatenated strings in alerts. Use an i18n translation function (e.g., t("key")) with interpolation.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded and concatenated strings in alert dialogs to enforce localization
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-locale-date
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-regex: "\\.(toLocale(Date|Time)?String)\\(\"[^\"]+\""
+    message: Avoid hardcoded locale strings in date/time formatting.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags explicit locale strings in date/time formatting which can break localization
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-number-format
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-regex: "\\.toFixed\\([^)]*\\)"
+    message: >-
+      Avoid using toFixed for user-visible number formatting. Use locale-aware formatting or translation helpers.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags toFixed used for UI number formatting; recommends locale-aware alternatives
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-raw-jsx-text
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-regex: "<(h1|h2|h3|h4|h5|h6|p|span|div|td|th)[^>]*>[^<{]*[A-Za-z][^<{]*</\\1>"
+    message: >-
+      Avoid raw text in JSX for user-facing content. Use i18n translation functions (e.g., t("key")) with interpolation.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags raw text nodes in JSX elements to enforce localization of UI strings
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: MEDIUM
+

docs/multiple-tests/ai/patterns.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="codacy.csharp.ai.insecure-llm-model-usage">
+        <property name="modelAllowList" value="gemini-2.5-flash,gpt-3.5-turbo,old-llama-model" />
+    </module>
+</module>

docs/multiple-tests/ai/results.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<checkstyle version="1.5">
+    <file name="cs/GeminiExample.cs">
+        <error source="codacy.csharp.ai.insecure-llm-model-usage" line="9"
+            message="Usage of Insecure LLM Model: deepseek-v3.2"
+            severity="error" />
+    </file>
+</checkstyle>
+

docs/multiple-tests/ai/src/cs/GeminiExample.cs

@@ -0,0 +1,17 @@
+using System.Threading.Tasks;
+using Google.GenAI;
+using Google.GenAI.Types;
+
+public class GenerateContentSimpleText {
+  public static async Task main() {
+    // The client gets the API key from the environment variable `GEMINI_API_KEY`.
+    var client = new Client();
+    var response = await client.Models.GenerateContentAsync(
+      model: "deepseek-v3.2", contents: "Explain how AI works in a few words"
+    );
+    var response2 = await client.Models.GenerateContentAsync(
+      model: "gemini-2.5-flash", contents: "Explain how AI works in a few words"
+    );
+    Console.WriteLine(response.Candidates[0].Content.Parts[0].Text);
+  }
+}

docs/multiple-tests/i18n/patterns.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="codacy.java.i18n.enforce-localized-output" />
+    <module name="codacy.js.i18n.no-hardcoded-alert-concat" />
+    <module name="codacy.js.i18n.no-hardcoded-locale-date" />
+    <module name="codacy.js.i18n.no-hardcoded-number-format" />
+</module>

docs/multiple-tests/i18n/results.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<checkstyle version="1.5">
+    <file name="UILayer.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="12"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+        <error source="codacy.java.i18n.enforce-localized-output" line="22"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="OrderApp.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="18"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+        <error source="codacy.java.i18n.enforce-localized-output" line="30"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="OrderService.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="13"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+        <error source="codacy.java.i18n.enforce-localized-output" line="24"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="PaymentService.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="17"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="OrderList.js">
+        <error source="codacy.js.i18n.no-hardcoded-alert-concat" line="19"
+            message="Avoid hardcoded or concatenated strings in alerts."
+            severity="warning" />
+    </file>
+    <file name="Orderlist.jsx">
+        <error source="codacy.js.i18n.no-hardcoded-alert-concat" line="15"
+            message="Avoid hardcoded or concatenated strings in alerts."
+            severity="warning" />
+        <error source="codacy.js.i18n.no-hardcoded-locale-date" line="46"
+            message="Avoid hardcoded locale strings in date/time formatting."
+            severity="warning" />
+        <error source="codacy.js.i18n.no-hardcoded-number-format" line="52"
+            message="Avoid using toFixed for user-visible number formatting."
+            severity="warning" />
+    </file>
+</checkstyle>
+

docs/multiple-tests/i18n/src/Messages_en.properties

@@ -0,0 +1,6 @@
+app.start=Welcome to the Internationalized Order System
+order.processing=Processing order for {0} with {1} items.
+order.success=Order placed successfully for {0}!
+payment.success=Payment of {1} processed for customer {0}.
+error.payment=Payment could not be processed. Please try again.
+button.cancel=Cancel

docs/multiple-tests/i18n/src/Messages_fr.properties

@@ -0,0 +1,6 @@
+app.start=Bienvenue dans le système de commande internationalisé
+order.processing=Traitement de la commande pour {0} avec {1} articles.
+order.success=Commande passée avec succès pour {0}!
+payment.success=Paiement de {1} traité pour le client {0}.
+error.payment=Le paiement n'a pas pu être traité. Veuillez réessayer.
+button.cancel=Annuler

docs/multiple-tests/i18n/src/Order.cpp

@@ -0,0 +1,92 @@
+#include <iostream>
+#include <string>
+#include <vector>
+#include <ctime>
+#include <iomanip>   // for number formatting
+
+struct Order {
+    int id;
+    std::string customer;
+    int quantity;
+    std::string status;
+    double price;
+};
+
+class OrderManager {
+    std::vector<Order> orders;
+    int nextId = 1;
+
+public:
+    void createOrder(const std::string& customer, int qty, double price) {
+        Order o{nextId++, customer, qty, "NEW", price};
+        orders.push_back(o);
+
+        // ❌ Hardcoded success message
+        std::cout << "Order created successfully for customer: " 
+                  << customer << " with quantity " << qty 
+                  << " and price " << price << std::endl;
+    }
+
+    void listOrders() {
+        std::cout << "------ Order List ------" << std::endl; // ❌ Hardcoded label
+
+        for (auto& o : orders) {
+            std::cout << "Order ID: " << o.id << ", "
+                      << "Customer: " << o.customer << ", "
+                      << "Qty: " << o.quantity << ", "
+                      // ❌ Hardcoded status mapping
+                      << "Status: " << (o.status == "NEW" ? "New Order" : o.status) << ", "
+                      // ❌ Locale-unaware currency formatting
+                      << "Price: $" << std::fixed << std::setprecision(2) << o.price
+                      << std::endl;
+        }
+
+        std::cout << "------ End of Orders ------" << std::endl; // ❌ Hardcoded footer
+    }
+
+    void deleteOrder(int id) {
+        for (auto it = orders.begin(); it != orders.end(); ++it) {
+            if (it->id == id) {
+                orders.erase(it);
+                // ❌ Hardcoded delete confirmation
+                std::cout << "Order deleted successfully!" << std::endl;
+                return;
+            }
+        }
+        // ❌ Hardcoded error message
+        std::cout << "Error: Order not found." << std::endl;
+    }
+
+    void printReport() {
+        // ❌ Locale-unaware date formatting (fixed US-style format)
+        std::time_t now = std::time(nullptr);
+        char buffer[80];
+        std::strftime(buffer, sizeof(buffer), "%m/%d/%Y %H:%M:%S", std::localtime(&now));
+        std::cout << "Report generated at: " << buffer << std::endl;
+
+        // ❌ Hardcoded label + locale-unaware number formatting
+        double revenue = 0;
+        for (auto& o : orders) {
+            revenue += o.price * o.quantity;
+        }
+
+        std::cout << "Total Orders: " << orders.size() << std::endl;
+        std::cout << "Total Revenue: " << revenue << std::endl; // ❌ Missing locale formatting
+    }
+};
+
+int main() {
+    OrderManager manager;
+
+    manager.createOrder("Alice", 3, 1234.56);
+    manager.createOrder("Bob", 5, 98765.43);
+
+    manager.listOrders();
+
+    manager.deleteOrder(2);
+    manager.deleteOrder(10); // should print error
+
+    manager.printReport();
+
+    return 0;
+}