Added
- new --show-supported-languages CLI flag to display the list of languages
supported by semgrep. Thanks to John Wu for his contribution! (#4754) --validatewill check that metavariable-x doesn't use an invalid
metavariable- Add r2c-internal-project-depends on support for Java, Go, Ruby, and Rust
- PHP: .tpl files are now considered PHP files (#4763)
- Scala: Support for custom string interpolators (#4655)
- Scala: Support parsing Scala scripts that contain plain definitions outside
an Object or Class - JSX: JSX singleton elements (a.k.a XML elements), e.g.,
<foo />used to
match also more complex JSX elements, e.g.,<foo >some child</foo>.
This can now be disabled via ruleoptions:
withxml_singleton_loose_matching: false(#4730) - JSX: new matching option
xml_attrs_implicit_ellipsisthat allows
disabling the implicit...that was added to JSX attributes patterns. - new focus-metavariable: experimental operator (#4735) (the syntax may change
in the near futur)
Fixed
- Report parse errors even when invoked with
--strict - Show correct findings count when using
--config auto(#4674) - Kotlin: store trailing lambdas in the AST (#4741)
- Autofix: Semgrep no longer errors during
--dry-runs where one fix changes the line numbers in a file that also has a second autofix. - Performance regression when running with --debug (#4761)
- Allow metrics flag and metrics env var at the same time if both are set to the same value (#4703)
- Scan
yarn.lockdependencies that do not specify a hash - Run
project-depends-onrules with onlypattern-insideat their leaves - Dockerfile patterns no longer need a trailing newline (#4773)