https://blog.rodolpheg.xyz/tags/research/Recent content in Research on RORO's blogHugofr-frcontact@rodolpheg.xyz (0xRo)contact@rodolpheg.xyz (0xRo)Wed, 08 Apr 2026 00:00:00 +0000https://blog.rodolpheg.xyz/posts/semgrep-architecture/Wed, 08 Apr 2026 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/posts/semgrep-architecture/<blockquote> <p><strong>Semgrep</strong> (Semantic Grep) is a multi-language static analysis tool that matches code by its <em>structure</em> &ndash; not just its text &ndash; using a unified Abstract Syntax Tree and a rich pattern language. This document covers the full internal architecture from CLI entry-point to taint sink detection.</p> </blockquote> <h2 id="table-of-contents">Table of Contents</h2> <ol start="0"> <li><a href="#0-introduction">Introduction</a> <ul> <li><a href="#01-what-is-sast">What is SAST?</a></li> <li><a href="#02-history-of-semgrep">History of Semgrep</a></li> </ul> </li> <li><a href="#1-high-level-architecture">High-Level Architecture</a></li> <li><a href="#2-component-breakdown">Component Breakdown</a></li> <li><a href="#3-the-full-analysis-pipeline">The Full Analysis Pipeline</a></li> <li><a href="#4-target-discovery--filtering">Target Discovery &amp; Filtering</a></li> <li><a href="#5-rule-parsing--optimization">Rule Parsing &amp; Optimization</a></li> <li><a href="#6-parsing--the-universal-ast">Parsing &amp; the Universal AST</a></li> <li><a href="#7-the-matching-engine">The Matching Engine</a></li> <li><a href="#8-the-intermediate-language-il--cfg">The Intermediate Language (IL) &amp; CFG</a></li> <li><a href="#9-taint-analysis-dataflow">Taint Analysis (Dataflow)</a></li> <li><a href="#10-output--reporting-pipeline">Output &amp; Reporting Pipeline</a></li> <li><a href="#11-osemgrep--rpc-architecture">OSemgrep / RPC Architecture</a></li> <li><a href="#12-key-data-structures">Key Data Structures</a></li> </ol> <hr> <h2 id="-1-why">-1. Why?</h2> <p>I have been working as a DevSecOps engineer for nearly four years now. When I started, I had little exposure to tooling like SAST, SCA, or DAST. My mindset was firmly rooted in offensive security. Penetration testing was the goal, the dream.</p>https://blog.rodolpheg.xyz/posts/understanding-code-property-graphs/Tue, 05 Aug 2025 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/posts/understanding-code-property-graphs/<p>When I first started developing tools for source code auditing, my primary need was to track tainted data flows through complex codebases during manual code reviews. Initially, I turned to Tree-Sitter, which proved excellent for single-file analysis with its fast, incremental parsing capabilities. However, as I scaled to larger codebases with complex cross-file dependencies and data flows, Tree-Sitter&rsquo;s AST-only approach became limiting. The challenge wasn&rsquo;t just parsing individual files. It was understanding how data flows between functions, across modules, and through various execution paths during thorough manual security assessments.</p>https://blog.rodolpheg.xyz/posts/code-auditing--101/Sat, 02 Aug 2025 00:00:00 +0000contact@rodolpheg.xyz (0xRo)https://blog.rodolpheg.xyz/posts/code-auditing--101/<h2 id="topics-covered">Topics covered</h2> <p>This post explores the evolution from manual code review to automated security testing, covering:</p> <ul> <li>The reality of manual code review and its limitations</li> <li>Understanding vulnerabilities vs weaknesses</li> <li>How SAST tools work under the hood</li> <li>Taint analysis and data flow tracking</li> <li>Sink-to-source vs source-to-sink methodologies</li> <li>Mitigation strategies: whitelisting vs blacklisting</li> <li>Dealing with false positives in practice</li> <li>Choosing and implementing SAST tools at scale</li> <li>The complementary relationship between manual and automated testing</li> </ul> <p>It&rsquo;s 3 AM. You&rsquo;re on your fifth cup of coffee, eyes bloodshot, staring at line 2,847 of a 10,000-line pull request. Somewhere in this maze of curly braces and semicolons lurks a SQL injection vulnerability that could bring down your entire application. Welcome to the glamorous world of manual code review!</p>