Finding bugs in the Solidity language, smart contracts and static code analysis is divided into 2 periods for me:
before familiarizing myself with the @semgrep tool and after that.
Before that, I used to choose Linux tools and commands and, by chaining them, find the pattern I was looking for, which sometimes became difficult.
But after getting familiar with this excellent tool, the work became much easier, and by writing a rule and taking some points into consideration, it is possible to reduce false positives a lot.
I intend to publish some information about this tool and the bugs I found with it.