0.86.0 - 2022-03-24
Added
- Semgrep can now output findings in GitLab's SAST report and secret scanning report formats with `--gitlab-sast` and `--gitlab-secrets`.
- JSON output now includes a fingerprint of each finding. This fingerprint remains consistent when matching code is just moved around or reindented.
- Go: use latest tree-sitter-go with support for Go 1.18 generics (#4823)
- Terraform: basic support for constant propagation of locals (#1147) and variables (#4816)
- HTML: you can now use metavariable ellipsis inside <script> (#4841) (e.g., `<script>$...JS</script>`)
- A `semgrep ci` subcommand that auto-detects settings from your CI environment and can upload findings to Semgrep App when logged in.
Changed
- SARIF output will include matching code snippet (#4812)
- semgrep-core should now be more tolerant of rules using future extensions by skipping those rules instead of just crashing (#4835)
- Removed `tests` from published python wheel
- Findings are now considered identical between baseline and current scans based on the same logic as Semgrep CI uses, which means:
  - Two findings are now identical after whitespace changes such as re-indentation
  - Two findings are now identical after a nosemgrep comment is added
  - Findings are now different if the same code triggered them on different lines
- Docker image now runs as root to allow the docker image to be used in CI/CD pipelines
- Support XDG Base directory specification (#4818)
Fixed
- Entropy analysis: strings made of repeated characters such as `'xxxxxxxxxxxxxx'` are no longer reported as having high entropy (#4833)
- Symlinks found in directories are skipped from being scanned again. This is a fix for a regression introduced in 0.85.0.
- HTML: multiline raw text tokens now contain the newline characters (#4855)
- Go: fix unicode parsing bugs (#4725) by switching to latest tree-sitter-go
- Constant propagation: A conditional expression where both alternatives are constant will also be considered constant (#4301)
- Constant propagation now recognizes operators `++` and `--` as side-effectful (#4667)
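The entropy fix above rests on a property worth seeing in code: the Shannon entropy of a string built from a single repeated character is exactly zero, however long the string is, so a secret detector that scores strings by entropy per character should never flag it. The following is an added illustration written for this page, not Semgrep's own entropy analysis; the `looks_high_entropy` threshold and the sample strings are constructed assumptions.

```python
import math
from collections import Counter


def shannon_entropy_bits(s: str) -> float:
    """Shannon entropy of the character distribution of `s`, in bits per
    character: H = -sum_c p(c) * log2 p(c).  A string made of one repeated
    character has a single symbol with p = 1, so H = 0 whatever its length."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values())


def looks_high_entropy(s: str, min_len: int = 8, bits_per_char: float = 3.0) -> bool:
    """Illustrative secret heuristic: long enough and at least `bits_per_char`
    of entropy per character.  The threshold is an assumption for this
    example, not a setting taken from Semgrep."""
    return len(s) >= min_len and shannon_entropy_bits(s) >= bits_per_char


# Constructed sample strings (not taken from the changelog or any real secret).
SAMPLES = {
    "repeated": "xxxxxxxxxxxxxx",      # the changelog's edge case: H == 0
    "word": "password",                # low entropy, ordinary text
    "random_like": "q9Zk2pLx7Rv4Wn1sT8",  # 18 distinct chars: H == log2(18)
}

if __name__ == "__main__":
    for label, s in SAMPLES.items():
        print(f"{label:12} H={shannon_entropy_bits(s):.3f} bits/char "
              f"flagged={looks_high_entropy(s)}")
```

Only the "random_like" sample is flagged; the repeated string scores 0 bits per character regardless of length, which is the behaviour the fix restores.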
0.86.1…0.86.4 - 2022-03-25
Fixed
- Network timeouts during rule download are now less likely.
- Some finding fingerprints were not matching what semgrep-agent would return.
- The fingerprint of findings ignored with `# nosemgrep` is supposed to be the same as if the ignore comment wasn't there. This has previously only worked for single-line findings, including in semgrep-agent. Now the fingerprint is consistent as expected for multiline findings as well.
- `--timeout-threshold` default set to 3 instead of 0
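Three entries on this page describe the same pair of properties from different angles: the JSON fingerprint (0.86.0, Added) is stable when a match is moved or reindented, the baseline comparison (0.86.0, Changed) ignores whitespace and added nosemgrep comments but distinguishes the same code on different lines, and the 0.86.x fix extends the nosemgrep invariance to multiline findings. The block below is an added example reconciling those rules in one model; it is not Semgrep's data model or fingerprint algorithm. The `Finding` fields, the choice to include the file path in the fingerprint, the SHA-256 construction and the regex for `#`/`//` ignore comments are all assumptions made for the illustration, and the sample findings are constructed.

```python
import hashlib
import re
from dataclasses import dataclass


# Illustrative model only: these names and fields are assumptions for the
# example, not Semgrep's real finding schema.
@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    start_line: int
    matched_text: str  # the source text the rule matched


# Trailing `# nosemgrep` / `// nosemgrep` ignore comments (with an optional
# `:rule-id` suffix) are removed before hashing.  Block-comment forms are
# deliberately not handled in this example.
NOSEMGREP_RE = re.compile(r"(?:#|//)\s*nosemgrep\b[^\n]*")
WHITESPACE_RE = re.compile(r"\s+")


def normalize_match(text: str) -> str:
    """Strip ignore comments, then all whitespace, so that re-indentation,
    re-wrapping and an added nosemgrep comment (on any line of a multiline
    match) leave the result unchanged."""
    return WHITESPACE_RE.sub("", NOSEMGREP_RE.sub("", text))


def fingerprint(f: Finding) -> str:
    """Line-independent fingerprint: stable when the match is merely moved
    or re-indented.  Including the path is this example's assumption."""
    material = "\0".join([f.rule_id, f.path, normalize_match(f.matched_text)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def identity_key(f: Finding) -> tuple[str, int]:
    """Baseline-comparison identity: fingerprint plus start line, so the same
    code matched on a different line counts as a different finding."""
    return (fingerprint(f), f.start_line)


def new_findings(baseline: list[Finding], current: list[Finding]) -> list[Finding]:
    """Findings in `current` whose identity does not occur in `baseline`."""
    seen = {identity_key(f) for f in baseline}
    return [f for f in current if identity_key(f) not in seen]


# Constructed sample findings (hypothetical rule id and path).
BASE = Finding("python.lang.security.audit.eval-detected", "app/views.py", 10,
               "eval(user_input)")
REINDENTED = Finding(BASE.rule_id, BASE.path, 10, "        eval( user_input )")
IGNORED = Finding(BASE.rule_id, BASE.path, 10,
                  "eval(user_input)  # nosemgrep: eval-detected")
MULTILINE_IGNORED = Finding(BASE.rule_id, BASE.path, 10,
                            "eval(  # nosemgrep\n    user_input\n)")
MOVED = Finding(BASE.rule_id, BASE.path, 42, "eval(user_input)")

if __name__ == "__main__":
    for name, f in [("reindented", REINDENTED), ("ignored", IGNORED),
                    ("multiline_ignored", MULTILINE_IGNORED), ("moved", MOVED)]:
        print(f"{name:18} same fingerprint: {fingerprint(f) == fingerprint(BASE)}  "
              f"same identity: {identity_key(f) == identity_key(BASE)}")
    print("new since baseline:",
          [f.start_line for f in new_findings([BASE], [REINDENTED, IGNORED, MOVED])])
```

All four variants share `BASE`'s fingerprint; only `MOVED` has a different identity key, so it is the sole finding reported as new against a baseline containing `BASE`. The multiline case is the one the 0.86.x entry calls out: stripping the ignore comment before whitespace normalisation is what keeps it consistent.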