Backport latest codacy-semgrep changes and bump opengrep to 1.15.1

Author: heliocodacy

.tool_version

@@ -1 +1 @@
-1.11.5
+1.15.1

Dockerfile

@@ -1,4 +1,4 @@
-ARG OPENGREP_VERSION=v1.11.5
+ARG OPENGREP_VERSION=v1.15.1
 
 # Build codacy-opengrep wrapper
 FROM golang:1.23-alpine3.21 as builder

docs/codacy-rules-ai.yaml

@@ -0,0 +1,24 @@
+rules:
+  - id: codacy.csharp.ai.insecure-llm-model-usage
+    languages:
+      - csharp
+    message: "Usage of Insecure LLM Model: $MODEL"
+    severity: ERROR
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $CLIENT.GenerateContentAsync(..., model: "$MODEL", ...)
+          - pattern: |
+              $CLIENT.GenerateContentAsync(model: "$MODEL", ...)
+      - metavariable-regex:
+          metavariable: $MODEL
+          regex: <!-- MODEL_ALLOW_LIST -->
+    metadata:
+      category: security
+      subcategory: ai
+      description: Detects usage of insecure/unauthorized LLM models in C# codebases
+      technology:
+        - csharp
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: MEDIUM

docs/codacy-rules-i18n.yaml

@@ -0,0 +1,127 @@
+rules:
+  - id: codacy.java.i18n.enforce-localized-output
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          # Detect direct string literals
+          - pattern: System.out.println("...");
+          - pattern: System.out.print("...");
+          - pattern: System.err.println("...");
+          - pattern: System.err.print("...");
+          # Detect string concatenation
+          - pattern: System.out.println($X + ...);
+          - pattern: System.out.print($X + ...);
+          - pattern: System.err.println($X + ...);
+          - pattern: System.err.print($X + ...);
+          # Detect String.format without ResourceBundle
+          - pattern: System.out.println(String.format(...));
+          - pattern: System.out.print(String.format(...));
+      - pattern-not: System.out.println($BUNDLE.getString(...))
+      - pattern-not: System.out.print($BUNDLE.getString(...))
+      - pattern-not: System.err.println($BUNDLE.getString(...))
+      - pattern-not: System.err.print($BUNDLE.getString(...))
+      - pattern-not: System.out.println($BUNDLE.getObject(...))
+      - pattern-not: System.out.print($BUNDLE.getObject(...))
+      # Allow println without arguments (blank lines)
+      - pattern-not: System.out.println()
+      - pattern-not: System.err.println()
+    message: >-
+      Use localized messages instead of hardcoded strings. 
+      System.out.println() should use ResourceBundle.getString() or equivalent localization method.
+      Example: System.out.println(messages.getString("key")) where messages is of type java.util.ResourceBundle
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Enforces use of ResourceBundle for all user-facing output to ensure proper internationalization
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-alert-concat
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-either:
+      # Direct hardcoded alert strings
+      - pattern: alert("...")
+      - pattern: window.alert("...")
+      # String concatenation in alerts
+      - pattern: alert("..." + ...)
+      - pattern: alert(... + "...")
+      - pattern: window.alert("..." + ...)
+      - pattern: window.alert(... + "...")
+    pattern-not: alert(t(...))
+    message: >-
+      Avoid hardcoded or concatenated strings in alerts. Use an i18n translation function (e.g., t("key")) with interpolation.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded and concatenated strings in alert dialogs to enforce localization
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-locale-date
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-regex: "\\.(toLocale(Date|Time)?String)\\(\"[^\"]+\""
+    message: Avoid hardcoded locale strings in date/time formatting.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags explicit locale strings in date/time formatting which can break localization
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-number-format
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-regex: "\\.toFixed\\([^)]*\\)"
+    message: >-
+      Avoid using toFixed for user-visible number formatting. Use locale-aware formatting or translation helpers.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags toFixed used for UI number formatting; recommends locale-aware alternatives
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-raw-jsx-text
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    pattern-regex: "<(h1|h2|h3|h4|h5|h6|p|span|div|td|th)[^>]*>[^<{]*[A-Za-z][^<{]*</\\1>"
+    message: >-
+      Avoid raw text in JSX for user-facing content. Use i18n translation functions (e.g., t("key")) with interpolation.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags raw text nodes in JSX elements to enforce localization of UI strings
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: MEDIUM
+  

docs/multiple-tests/ai/patterns.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="codacy.csharp.ai.insecure-llm-model-usage">
+        <property name="modelAllowList" value="gemini-2.5-flash,gpt-3.5-turbo,old-llama-model" />
+    </module>
+</module>

docs/multiple-tests/ai/results.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<checkstyle version="1.5">
+    <file name="cs/GeminiExample.cs">
+        <error source="codacy.csharp.ai.insecure-llm-model-usage" line="9"
+            message="Usage of Insecure LLM Model: deepseek-v3.2"
+            severity="error" />
+    </file>
+</checkstyle>
+            

docs/multiple-tests/ai/src/cs/GeminiExample.cs

@@ -0,0 +1,17 @@
+using System.Threading.Tasks;
+using Google.GenAI;
+using Google.GenAI.Types;
+
+public class GenerateContentSimpleText {
+  public static async Task main() {
+    // The client gets the API key from the environment variable `GEMINI_API_KEY`.
+    var client = new Client();
+    var response = await client.Models.GenerateContentAsync(
+      model: "deepseek-v3.2", contents: "Explain how AI works in a few words"
+    );
+    var response2 = await client.Models.GenerateContentAsync(
+      model: "gemini-2.5-flash", contents: "Explain how AI works in a few words"
+    );
+    Console.WriteLine(response.Candidates[0].Content.Parts[0].Text);
+  }
+}

docs/multiple-tests/i18n/patterns.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="codacy.java.i18n.enforce-localized-output" />
+    <module name="codacy.js.i18n.no-hardcoded-alert-concat" />
+    <module name="codacy.js.i18n.no-hardcoded-locale-date" />
+    <module name="codacy.js.i18n.no-hardcoded-number-format" />
+</module>

docs/multiple-tests/i18n/results.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<checkstyle version="1.5">
+    <file name="UILayer.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="12"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+        <error source="codacy.java.i18n.enforce-localized-output" line="22"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="OrderApp.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="18"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+        <error source="codacy.java.i18n.enforce-localized-output" line="30"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="OrderService.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="13"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+        <error source="codacy.java.i18n.enforce-localized-output" line="24"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="PaymentService.java">
+        <error source="codacy.java.i18n.enforce-localized-output" line="17"
+            message="Use localized messages instead of hardcoded strings."
+            severity="warning" />
+    </file>
+    <file name="OrderList.js">
+        <error source="codacy.js.i18n.no-hardcoded-alert-concat" line="19"
+            message="Avoid hardcoded or concatenated strings in alerts."
+            severity="warning" />
+    </file>
+    <file name="Orderlist.jsx">
+        <error source="codacy.js.i18n.no-hardcoded-alert-concat" line="15"
+            message="Avoid hardcoded or concatenated strings in alerts."
+            severity="warning" />
+        <error source="codacy.js.i18n.no-hardcoded-locale-date" line="46"
+            message="Avoid hardcoded locale strings in date/time formatting."
+            severity="warning" />
+        <error source="codacy.js.i18n.no-hardcoded-number-format" line="52"
+            message="Avoid using toFixed for user-visible number formatting."
+            severity="warning" />
+    </file>
+</checkstyle>
+            

docs/multiple-tests/i18n/src/Messages_en.properties

@@ -0,0 +1,6 @@
+app.start=Welcome to the Internationalized Order System
+order.processing=Processing order for {0} with {1} items.
+order.success=Order placed successfully for {0}!
+payment.success=Payment of {1} processed for customer {0}.
+error.payment=Payment could not be processed. Please try again.
+button.cancel=Cancel