gitlab gitlab-org/security-products/analyzers/semgrep v5.3.0

latest releases: v5.21.0, v5.20.0, v5.19.0...
5 months ago
  • Update sast-rules version 2.5.5 (!438)
    • Add rules/lgpl-cc/java/traversal/rule-RelativePathTraversal
    • Add rules/lgpl-cc/java/xxe/rule-DocumentBuilderFactoryDisallowDoctypeDeclMissing
    • Add rules/lgpl-cc/java/inject/rule-DangerousGroovyShell
    • Add rules/lgpl-cc/java/inject/rule-MongodbNoSQLi.java
    • Add rules/gitlab/javascript/crypto/rule-NodeLibcurlSSLVerificationDisable
    • Add rules/lgpl-cc/java/crypto/rule-DisallowOldTLSVersion.java
    • Add rules/lgpl-cc/java/deserialization/rule-SnakeYamlConstructor.java
    • Add rules/lgpl-cc/java/xxe/rule-DisallowDoctypeDeclFalse.java
    • Add rules/lgpl-cc/python/flask/security/injection/path-traversal/rule-path-traversal-open
    • Add rules/lgpl-cc/java/crypto/rule-UseOfRC4
    • Add and update missing mappings for rules
    • Add missing mapping for rules/lgpl-cc/python/flask/security/injection/path-traversal/rule-path-traversal-open
    • Add rules/lgpl-cc/java/inject/rule-EnvInjection.yml
    • Add rules/lgpl-cc/python/crypto/rule-HTTPConnectionPool.yml
    • Add rules/lgpl-cc/python/flask/security/redirection/rule-flask-open-redirect.yml
    • Add java/crypto/rule-WeakTLSProtocolSSLContext.yml
    • Add rules/lgpl-cc/java/crypto/rule-HttpComponentsRequest.yml
    • Remove java/cookie/rule-CookieHTTPOnly and add rules/lgpl-cc/java/cookie/rule-CookieHTTPOnly with enhanced patterns
    • Remove java/xxe/rule-XMLStreamRdr and add rules/lgpl-cc/java/xxe/rule-XMLStreamRdr with additional patterns
    • Remove rules/lgpl/javascript/dos/rule-regex_injection_dos and enhance javascript/dos/rule-non-literal-regexp with additional patterns
    • Remove java/password/rule-HardcodeKeyEquals.yml as secret detection should be used instead.
    • Remove rules/lgpl-cc/java/password/rule-HardcodeKey.yml as secret detection should be used instead.
    • Remove rules/gitlab/scala/password/rule-HardcodeKey.yml as secret detection should be used instead.
    • Remove rules/gitlab/scala/password/rule-HardcodeKeyEquals.yml as secret detection should be used instead.
    • Remove rules/gitlab/scala/password/rule-HardcodeKeySuspiciousName.yml as secret detection should be used instead.
    • Remove rules/gitlab/scala/password/rule-HardcodeKeySuspiciousValue.yml as secret detection should be used instead.
    • Remove rules/lgpl/javascript/traversal/rule-zip_path_overwrite2.yml
    • Remove java/random/rule-PseudoRandom.yml rule (!635)
    • Remove rules/lgpl/kotlin/random/rule-PseudoRandom.yml rule (!635)
    • Remove scala/random/rule-PseudoRandom.yml rule (!635)
    • Update python/sql/rule-hardcoded-sql-expression.yml
    • Update rules/lgpl-cc/java/deserialization/rule-InsecureJmsDeserialization.yml
    • Update java/crypto/rule-WeakTLSProtocolDefaultHttpClient.yml
    • Update rules/lgpl-cc/java/inject/rule-SqlInjection.yml
    • Update python/requests/rule-request-without-timeout.yml
    • Update severity ratings across all Java, Scala, and Kotlin password related rules to match
    • Update java/password/rule-ConstantDBPassword.yml to remove patterns that try to match on password like strings
    • Update rules/lgpl/kotlin/password/rule-HardcodePassword.yml to remove patterns that try to match on password like strings
    • Update scala/password/rule-ConstantDBPassword.yml updated description
    • Update scala/password/rule-HardcodePassword.yml updated description
    • Update java/file/rule-FilenameUtils to enhance patterns and use taint mode
    • Update rules/lgpl/javascript/xml/rule-node_xpath_injection to reduce false positives
    • Update java/random/rule-PseudoRandom and rules/lgpl/kotlin/random/rule-PseudoRandom to enhance patterns
    • Update rules/lgpl/javascript/traversal/rule-generic_path_traversal to enhance patterns and use taint mode
    • Update rules/lgpl/javascript/traversal/rule-zip_path_overwrite to enhance patterns
    • Update rules/lgpl/javascript/ssrf/rule-node_ssrf to enhance patterns and use taint mode
    • Update test cases for rule rules/lgpl/javascript/xml/rule-node_xpath_injection

Don't miss a new semgrep release

NewReleases is sending notifications on new releases.