semgrep/semgrep v1.71.0 on GitHub

1.71.0 - 2024-05-03

Pro: const-prop: Previously inter-procedural const-prop could only infer whether
a function returned an arbitrary string constant. Now it will be able to infer
whether a function returns a concrete constant value, e.g.:
```
def bar():
  return "bar"

def test():
  x = bar()
  foo(x) # now also matches pattern `foo("bar")`, previously only `foo("...")`
``` (flow-61)
```
Python: const-prop: Semgrep will now recognize "..." * N expression as arbitrary
constant string literals (thus matching the pattern "..."). (flow-75)

The --beta-testing-secrets-enabled option, deprecated for several months, is now removed. Use --secrets as its replacement. (gh-9987)

Fixes matching for go struct field tags metadata.

For example given the program:

type Rectangle struct {
    Top    int `json:"top"`
    Left   int `json:"left"`
    Width  int `json:"width"`
    Height int `json:"height"`
}

The pattern,

type Rectangle struct {
    ...
    $NAME $TYPE $TAGS
    ...
}

will now match each field and the $TAGS metavariable will be
bound when used in susequent patterns. (saf-949)

Matching: Patterns of statements ending in ellipsis metavariables, such as
```
x = 1
$...STMTS
```
will now properly extend the match range to accommodate whatever is captured by
the ellipsis metavariable ($...STMTS). (saf-961)
The SARIF output format should have the tag "security" when the "cwe"
section is present in the rule. Moreover, duplicate tags should be
de-duped.
Osemgrep wasn't doing this before, but with this fix, now it does. (saf-991)
Fixed bug in mix.lock parser where it was possible to fail on a python None error. Added handler for arbitrary exceptions during lockfile parsing. (sc-1466)
Moved --historical-secrets to the "Pro Engine" option group, instead of
"Output formats", where it was previously (in error). (scrt-570)