github semgrep/semgrep v0.86.4
Release v0.86.4


0.86.0 - 2022-03-24

Added

  • Semgrep can now output findings in GitLab's SAST report and secret scanning
    report formats with --gitlab-sast and --gitlab-secrets.
  • JSON output now includes a fingerprint of each finding.
    This fingerprint remains consistent when matching code is just moved around
    or reindented.
  • Go: use latest tree-sitter-go with support for Go 1.18 generics (#4823)
  • Terraform: basic support for constant propagation of locals (#1147)
    and variables (#4816)
  • HTML: you can now use metavariable ellipsis inside <script> (#4841)
    (e.g., <script>$...JS</script>)
  • A semgrep ci subcommand that auto-detects settings from your CI environment
    and can upload findings to Semgrep App when logged in.

Changed

  • SARIF output now includes the matching code snippet (#4812)
  • semgrep-core should now be more tolerant of rules using future extensions by
    skipping those rules instead of just crashing (#4835)
  • Removed tests from published python wheel
  • Findings are now considered identical between baseline and current scans
    based on the same logic as Semgrep CI uses, which means:
    • Two findings are now identical after whitespace changes such as re-indentation
    • Two findings are now identical after a nosemgrep comment is added
    • Findings are now different if the same code triggered them on different lines
  • Docker image now runs as root so that it can be used in CI/CD pipelines
  • Support XDG Base directory specification (#4818)

Fixed

  • Entropy analysis: strings made of repeated characters such as
    'xxxxxxxxxxxxxx' are no longer reported as having high entropy (#4833)
  • Symlinks found in directories are skipped from being scanned again.
    This is a fix for a regression introduced in 0.85.0.
  • HTML: multiline raw text tokens now contain the newline characters (#4855)
  • Go: fix unicode parsing bugs (#4725) by switching to latest tree-sitter-go
  • Constant propagation: A conditional expression where both alternatives are
    constant will also be considered constant (#4301)
  • Constant propagation now recognizes operators ++ and -- as side-effectful
    (#4667)

0.86.1…0.86.4 - 2022-03-25

Fixed

  • Network timeouts during rule download are now less likely.
  • Some finding fingerprints were not matching what semgrep-agent would return.
  • The fingerprint of findings ignored with # nosemgrep is supposed to be the same
    as if the ignore comment wasn't there.
    This has previously only worked for single-line findings, including in semgrep-agent.
    Now the fingerprint is consistent as expected for multiline findings as well.
  • --timeout-threshold default set to 3 instead of 0
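The fingerprint behaviour described in these notes (identical after reindentation or after a nosemgrep comment is added, including for multiline findings, but distinct when the same code appears a second time in the file) as an added illustrative model in Python. This is not Semgrep's own implementation: the hash inputs, the occurrence index used to tell repeated matches apart, and the comment syntax are assumptions made for the example.

```python
import hashlib
import re

# Constructed model of a match-based finding fingerprint (not Semgrep's code).
# The hash covers the rule id, the file path, the matched code with whitespace
# normalised and any nosemgrep comment removed, and the index of this match among
# identical matches in the same file. Line numbers are deliberately excluded, so
# moving or reindenting the code keeps the fingerprint stable; a second, identical
# match in the same file gets index 1 and therefore a different fingerprint.

# Assumed comment syntax: '# nosemgrep' or '// nosemgrep', optionally followed by
# rule ids. A '#' inside a string literal would also be stripped by this simple
# regex; a real implementation would work on tokens rather than raw text.
NOSEMGREP_RE = re.compile(r"\s*(#|//)\s*nosemgrep\b[^\n]*")


def normalize(code: str) -> str:
    """Drop nosemgrep comments and collapse whitespace so layout changes do not matter."""
    lines = [NOSEMGREP_RE.sub("", line) for line in code.splitlines()]
    return " ".join(" ".join(line.split()) for line in lines if line.strip())


def fingerprint(rule_id: str, path: str, code: str, index: int = 0) -> str:
    """Stable identifier for one finding; index distinguishes repeated identical matches."""
    material = "\x00".join([rule_id, path, normalize(code), str(index)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def fingerprints_for_file(rule_id: str, path: str, matches: list[str]) -> list[str]:
    """Fingerprint every match of one rule in one file, numbering duplicates in order."""
    seen: dict[str, int] = {}
    result = []
    for code in matches:
        key = normalize(code)
        idx = seen.get(key, 0)
        seen[key] = idx + 1
        result.append(fingerprint(rule_id, path, code, idx))
    return result


if __name__ == "__main__":
    # Constructed sample: the same multiline call before and after a nosemgrep comment
    # and a deeper indentation level, which should yield one fingerprint.
    before = "x = eval(\n    data\n)\n"
    after = "        x = eval(  # nosemgrep: py-eval\n            data\n        )\n"
    print(fingerprint("py-eval", "app.py", before) == fingerprint("py-eval", "app.py", after))
```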
