Skip to main content

Compare Semgrep to Endor Labs

Prioritization

Both Endor Labs and Semgrep support the prioritization of findings so that AppSec teams focus on the most impactful findings. While both companies offer findings filters based on criteria like reachability and EPSS scores, Semgrep offers support for statuses in addition to the basic reachability statuses of reachable and not reachable, such as always reachable and conditionally reachable.

Furthermore, Semgrep Assistant uses AI to help organization admins receive information on top backlog tasks, allowing them to prioritize findings from all products, including the SAST and SCA products, not just those resulting from dependency vulnerability scans.

Reachability for transitive dependencies

Reachability has been a fundamental part of Semgrep Supply Chain from the beginning. Supply Chain offers advanced reachability analysis for direct dependencies in the form of dataflow reachability, offering accuracy beyond that offered by Endor Labs. This coverage is offered for seven languages and counting.

Vulnerable functions

Semgrep doesn't just identify a vulnerability as reachable when a vulnerable function is called -- it also takes into account how the vulnerable function is called and what data flows into that function. These functions are achieved through the use of Semgrep's rule syntax; when a rule is written, all possible permutations of the vulnerability are encapsulated in the rule. This functionality is something that Endor Labs doesn't have.

Semgrep's security research team doesn't just focus on analyzing a vulnerable function when writing rules. The team extends the scope of analysis to all the third-party callers of the vulnerable functions, not just the reported third-party function that's vulnerable. This extends the set of vulnerable functions greatly. The following rule demonstrates this functionality:

---
rules:
- id: ssc-a462c702-1797-4f92-a577-2232cc25ab08
message: Affected versions of paddlepaddle are vulnerable to Improper Limitation
Of A Pathname To A Restricted Directory ('Path Traversal') in the
`download` and `_check_exists_and_download` of `paddle.dataset.common`.
severity: HIGH
metadata:
confidence: HIGH
category: security
cve: CVE-2024-0818
cwe:
- "CWE-22: Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')"
ghsa: GHSA-2rp8-hff9-c5wr
owasp:
- A01:2021 - Broken Access Control
- A05:2017 - Broken Access Control
- A06:2021 - Vulnerable and Outdated Components
publish-date: 2024-03-07T15:30:38Z
references:
- https://github.com/advisories/GHSA-2rp8-hff9-c5wr
- https://nvd.nist.gov/vuln/detail/CVE-2024-0818
sca-fix-versions: []
sca-kind: reachable
sca-schema: 20230302
sca-severity: CRITICAL
sca-vuln-database-identifier: CVE-2024-0818
technology:
- python
r2c-internal-project-depends-on:
depends-on-either:
- namespace: pypi
package: paddlepaddle
version: <=2.6.0
languages:
- python
patterns:
- pattern-either:
- pattern: paddle.dataset.common.download(...)
- pattern: paddle.dataset.common._check_exists_and_download(...)

The vulnerable function is download, as shown by the fix commit. The function _check_exists_and_download calls download, which you can see in the source code. Thus, both functions are flagged in the rule in the final three lines.

Learn more about how the security research team writes rules in A day in the life: Supply Chain Security Researcher

Policies and flexibility

Semgrep Supply Chain results in a failed CI job only when there are critical or high-severity findings. However, Semgrep supports notifications and integration with Jira to create tickets for all Supply Chain findings, and it offers the ability to only leave comments on PRs or block a change regarding license detection.

The policies for Semgrep's other products, Semgrep Code and Semgrep Secrets, provide extensive flexibility, especially with respect to a developer's workflow, by allowing results to appear:

  • Only in the AppSec team’s view (monitor mode)
  • In the AppSec team's view and in the developer’s workflow, while not failing the CI job (comment mode)
  • In the AppSec team's view and in the developer’s workflow, while also failing the CI job (block mode)

Dependency lifecycle management

To help you manage your findings, Semgrep provides information, including EPSS probabilities, severity levels, transitivity information, and multiple levels of dataflow reachability.

Accuracy of results

Semgrep has reachability analysis for over 80% of critical CVEs dating back to 2017 and 100% of critical and high severity CVEs dating back to May 2022. Endor Labs' reachability data, however, dates back to 2018.


Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.