gitlab gitlab-org/security-products/analyzers/semgrep v4.13.4

7 months ago
  • Update sast-rules version 2.1.3 (!393)
    • Add rules/lgpl-cc/java/xxe/rule-ExternalGeneralEntitiesTrue to detect Java XXE External General Entities set to true
    • Add rules/lgpl-cc/java/xxe/rule-TransformerfactoryDTDNotDisabled to detect Java XXE Transformerfactory DTD Not disabled
    • Add rules/lgpl-cc/java/inject/rule-SeamLogInjection to detect expression execution in Seam logging API
    • Add rules/lgpl-cc/java/xxe/rule-ExternalParameterEntitiesTrue to detect Java XXE External Parameter Entities set to True
    • Add rules/lgpl-cc/javascript/exec/rule-child-process to detect command injection
    • Add python/jwt/rule-jwt-none-alg to detect 'none' algorithm in a JWT token
    • Add rules/lgpl-cc/java/csrf/rule-SpringCSRFDisabled to find all cases of disabled CSRF protection in the Spring Security module
    • Update rules/lgpl-cc/java/xxe/rule-SAXParserFactoryDisallowDoctypeDeclMissing with upgraded patterns from community rule
    • Update rules/lgpl/javascript/crypto/rule-node_tls_reject to cover more vulnerable cases, i.e., to reduce false negatives
    • Update metadata.category
    • Update rules/lgpl/javascript/xss/rule-express_xss to use taint instead of search mode
    • Update rules/lgpl/javascript/jwt/rule-jwt_exposed_credentials pattern with regex to match object variables containing the string 'password'
    • Update rules/lgpl/javascript/xml/rule-node_xpath_injection by converting it to the taint mode
    • Update go/crypto/rule-tlsversion
    • Update rules/lgpl/javascript/jwt/rule-hardcoded_jwt_secret
    • Split WeakHostNameVerification into java/endpoint/rule-X509TrustManager and java/endpoint/rule-HostnameVerifier
    • Split and update java/inject/rule-FileDisclosure into java/inject/rule-FileDisclosureRequestDispatcher and java/inject/rule-FileDisclosureSpringFramework
    • Remove javascript/exec/rule-child-process
    • Remove rules/lgpl/javascript/dos/rule-express_bodyparser as the vulnerability no longer exists
    • Remove rules/lgpl/javascript/crypto/rule-node_curl_ssl_verify_disable since it's obsolete
    • Remove rules/lgpl/javascript/xml/rule-xxe_sax as it is prone to false positives
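Added example (not part of these release notes or of the sast-rules project): the Java parser configurations that the four XXE rules above are named after, shown as the unsafe setting beside the hardened one. The feature URIs and `XMLConstants` attributes are standard JAXP/Xerces identifiers; that the rules match exactly these call shapes is an assumption drawn from the rule names, and the DOCTYPE document is a constructed sample used only to show the hardened parser rejecting it.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXParseException;

public class XxeConfigExample {

    // Unsafe: the shape rule-ExternalGeneralEntitiesTrue and
    // rule-ExternalParameterEntitiesTrue are named after (assumed pattern):
    // external entity resolution explicitly enabled on the factory.
    static DocumentBuilderFactory unsafeDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", true);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", true);
        return dbf;
    }

    // Hardened: forbid DOCTYPE entirely, and disable external entities and
    // XInclude as defence in depth should a parser ignore the first feature.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // SAXParserFactory counterpart: rule-SAXParserFactoryDisallowDoctypeDeclMissing
    // is named after a factory that never sets disallow-doctype-decl; this one does.
    static SAXParserFactory hardenedSaxParserFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf;
    }

    // Unsafe: a TransformerFactory left at defaults can still fetch external DTDs
    // and stylesheets (the condition rule-TransformerfactoryDTDNotDisabled names).
    static TransformerFactory unsafeTransformerFactory() {
        return TransformerFactory.newInstance();
    }

    // Hardened: empty protocol lists block all external DTD and stylesheet access.
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal entity, but it carries a DOCTYPE,
        // so the hardened parser must refuse it before any entity is processed.
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The hardened factories are what a reviewer would expect a finding from these rules to be fixed to; setting disallow-doctype-decl alone is the single most effective control, and the remaining features only matter for parsers that do not honour it.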
