An important point about the `ecrecover` function: in some cases, when the signature is not valid, it returns a random address instead of returning address 0. Both cases can be seen in the code below, and you can easily write a rule for it with the @semgrep tool.

```solidity
address signer = ecrecover(hash, v, r, s);
// Case 1: invalid signature that recovers to some other address
require(signer == owner, "MyFunction: invalid signature");
// Case 2: invalid signature for which ecrecover returns address 0
require(signer != address(0), "ECDSA: invalid signature");
```

nostr:nevent1qqsd9p4lk64f7deejltaca8nvhj2k5pd96k8yqg6dhxwpgcvc7l92rqpzpmhxue69uhkummnw3ezumt0d5hsygx67l6vew85z2wsj0zmwtv5gg7clamt39xu7fufjvd2vt8598545cpsgqqqqqqsh9kc82
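The check that such a rule encodes, written as a stand-alone Python scanner (an added example, not code from the original post and not a Semgrep rule): it flags every variable assigned from `ecrecover` that is never compared with `address(0)` in the rest of its enclosing block. The regex approach, the function names and the sample contract are assumptions made for illustration.

```python
import re

# "signer = ecrecover(" with or without a leading type; captures the variable name.
ASSIGN_RE = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*ecrecover\s*\(")
ZERO = r"address\s*\(\s*0\s*\)"

def zero_check_re(var):
    """Comparison of `var` with address(0), either operator, either operand order."""
    v = re.escape(var)
    return re.compile(rf"\b{v}\s*[!=]=\s*{ZERO}|{ZERO}\s*[!=]=\s*{v}\b")

def enclosing_block_end(src, pos):
    """Index of the '}' closing the block that contains `pos` (strings/comments ignored)."""
    depth = 0
    for i in range(pos, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth < 0:
            return i
    return len(src)

def find_unchecked_ecrecover(src):
    """(line, variable) for each ecrecover result never compared with address(0) in its block."""
    findings = []
    for m in ASSIGN_RE.finditer(src):
        var = m.group(1)
        rest = src[m.end():enclosing_block_end(src, m.end())]
        if not zero_check_re(var).search(rest):
            findings.append((src.count("\n", 0, m.start()) + 1, var))
    return findings

# Constructed sample contract (not from the post): one unchecked use, one checked use.
SAMPLE = """
contract Demo {
    address owner;
    function unsafe(bytes32 hash, uint8 v, bytes32 r, bytes32 s) external view {
        address signer = ecrecover(hash, v, r, s);
        require(signer == owner, "MyFunction: invalid signature");
    }
    function safe(bytes32 hash, uint8 v, bytes32 r, bytes32 s) external view {
        address signer = ecrecover(hash, v, r, s);
        require(signer == owner, "MyFunction: invalid signature");
        require(signer != address(0), "ECDSA: invalid signature");
    }
}
"""

if __name__ == "__main__":
    print(find_unchecked_ecrecover(SAMPLE))
```

The scanner only tracks results stored in a variable; an `ecrecover(...)` call compared inline without an assignment is outside what it covers.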