github semgrep/semgrep v0.117.0
Release v0.117.0


0.117.0 - 2022-10-12

Added

  • taint-mode: It is now possible to use pattern-propagators to propagate taint
    through higher-order iterators such as forEach in Java. For example:
    ```yaml
    pattern-propagators:
      - pattern: $X.forEach(($Y) -> ...)
        from: $X
        to: $Y
    ```
    (gh-5971)
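    A complete taint rule built around that propagator, added here as an illustration rather than taken from the release or the Semgrep rule registry. The rule id, message, the servlet `getParameter` source and the `executeQuery` sink are assumptions chosen for the example; the `pattern-propagators` entry is the one from the changelog.

    ```yaml
    rules:
      - id: java-foreach-lambda-sql-taint   # constructed rule id for this example
        languages: [java]
        severity: ERROR
        mode: taint
        message: >-
          A request-controlled value reaches executeQuery through a forEach lambda.
        # Source (assumed): servlet request parameters; the typed metavariable
        # restricts the receiver to an HttpServletRequest.
        pattern-sources:
          - pattern: (HttpServletRequest $REQ).getParameter(...)
        # Propagator from the changelog entry: when the collection $X carries
        # taint, the lambda parameter $Y bound by forEach carries it as well.
        pattern-propagators:
          - pattern: $X.forEach(($Y) -> ...)
            from: $X
            to: $Y
        # Sink (assumed): any argument of a JDBC-style executeQuery call.
        pattern-sinks:
          - pattern: $STMT.executeQuery(...)
    ```

    Run it with `semgrep --config rule.yaml Target.java` against a constructed target in which `List<String> ids = List.of(req.getParameter("id"));` is followed by `ids.forEach((id) -> stmt.executeQuery("SELECT * FROM users WHERE id = " + id));`. The source taints `ids`, the propagator carries that taint onto the lambda parameter `id`, and the `executeQuery` call inside the lambda is reported. Remove the `pattern-propagators` block and the same target produces no finding, because taint analysis stops at the collection and never enters the lambda body.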

Changed

  • Change default behavior of Travis CI configurations. If a user manually sets the environment variables (i.e. SEMGREP_REPO_NAME, SEMGREP_REPO_URL, SEMGREP_BRANCH, SEMGREP_JOB_URL, SEMGREP_COMMIT, SEMGREP_PR_ID), those values are used before falling back on autodetection.

Fixed

  • Scala: Fixed a bug where generators would not parse if newlines were present, in certain cases (pa-1902)
  • Fixed bug where nested dependencies in package-lock.json files were not detected (sc-247)
  • Removed Gradle as a separate supply chain ecosystem. Maven rules now work on Gradle projects (sc-256)
  • Lockfiles are no longer subject to size filtering during file targeting, so very large lockfiles can now generate unreachable findings (sc-293)
