If I run semgrep on the command line, I get a very nice output.
However, if I save to a file, I get all sorts of terminal ANSI escape sequences when I open it in a text editor:
Findings:
[36m[22m[24m ....lib/_baseutils.py [0m
[1m[24mpython.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2[0m
Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which
opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the
Flask method 'render_template()' and templates with a '.html' extension in order to
prevent XSS.
Details: https://sg.run/RoKe
2252┆ templateEnv = [1m[24mEnvironment(loader=templateLoader)[0m
⋮┆----------------------------------------
Yes, I know I can cat out.txt and it looks beautiful again. But how do I get a format that looks OK in a text editor? (Actually, the best would be Markdown, since the URLs would work.)
Now, I've tested the --json flag, but that's over-complicated for human readability. --vim and --emacs were OK, but a bit terse, like missing the rule URLs, and too long, being on a single line. The rest of the output formats, like --junit, look even less promising.
I guess I could sed the output to strip out those terminal characters. Any other ideas to look at?
If the normal terminal printout is what you want, you can use the fact that semgrep supports the somewhat standard NO_COLOR environment variable. So running:

env NO_COLOR=1 semgrep <command> > <file>

should get you a file sans ANSI escape sequences.
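For a report that was already captured with colour on, the sed approach the question mentions also works. The script below is an added example, not code from the question, the answer or the semgrep project: it builds a constructed fragment of semgrep's terminal output with the real ESC (0x1b) bytes that a text editor shows as "[36m", "[1m" and "[0m", strips every CSI sequence with a portable sed expression, and wraps the NO_COLOR invocation from the answer in a helper. The function and file names are made up for the example; semgrep itself is not assumed to be installed, so the NO_COLOR helper is defined but not run.

```shell
#!/bin/sh
# Added example (not from the question or answer): remove terminal colour
# codes from a captured semgrep report.

# Constructed sample: a fragment of semgrep's coloured terminal output.
# printf's \033 emits the ESC byte that editors render as "[36m" and so on.
sample_report() {
  printf 'Findings:\n'
  printf '\033[36m\033[22m\033[24m  lib/_baseutils.py\033[0m\n'
  printf '\033[1m\033[24mpython.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2\033[0m\n'
  printf '   Details: https://sg.run/RoKe\n'
  printf '   2252\342\224\206 templateEnv = \033[1m\033[24mEnvironment(loader=templateLoader)\033[0m\n'
}

# Strip CSI sequences: ESC '[' <parameter bytes> <final letter>, which covers
# the SGR colour/bold/underline codes semgrep emits. The ESC byte is built
# with printf so the expression works on both GNU and BSD sed.
strip_ansi() {
  esc=$(printf '\033')
  sed "s/${esc}\\[[0-9;?]*[A-Za-z]//g"
}

# Clean an already captured report file in place (hypothetical helper).
strip_ansi_file() {
  tmp=$(mktemp)
  strip_ansi < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Preferred route from the answer: ask semgrep not to colour at all.
# usage: semgrep_plain_report out.txt --config auto .
# (defined only; this example does not assume semgrep is installed)
semgrep_plain_report() {
  out="$1"
  shift
  env NO_COLOR=1 semgrep "$@" > "$out"
}
```

Pipe any captured report through strip_ansi (or run strip_ansi_file on it) and the rule IDs, messages and https://sg.run/... links survive untouched, so the plain file reads in an editor and the URLs still paste cleanly into a Markdown document.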