0.108.0 - 2022-08-03
Added
- Metrics now include language-aggregated parse rates (files, bytes). The purpose
of this is to help drive parsing improvements more intelligently. See
PRIVACY.md for more details. (pa-1678)
Changed
- Updated SCA finding generation so that the following hold:
  - One SCA finding per vulnerable dependency. If one rule matches multiple dependencies in one lockfile,
    that will produce multiple findings. This still needs to be codified in the typed interface.
  - No findings in files that were not targeted. If foo.py depends on Pipfile.lock,
    and foo.py is targeted but Pipfile.lock is not, then we can produce reachable findings
    in foo.py but not non-reachable findings in Pipfile.lock. If Pipfile.lock is included in
    our targets then we can produce non-reachable findings inside of it.
  - No massive single scan for lockfiles. (sca-127)
Fixed
- Fixed an issue where a scan failed due to pending changes in a submodule. (cli-272)
- Semgrep CI now accepts more formats of git URL for the metadata provided to semgrep.dev and lets the user provide a fallback for the repo name (SEMGREP_REPO_NAME) and repo URL (SEMGREP_REPO_URL) if they are not defined by CI. (cli-280)
- Fixed a crash that occurred when reporting results when join mode and taint mode were used together. (gh-5839)
- JS: Allowed decorators to appear in Semgrep patterns for class methods and fields. (pa-1677)
- Quick fix for a regression introduced in 0.107.0 (presumably by taint labels)
  that could cause some taint rules to crash Semgrep with: Invalid_argument "output_value: abstract value (Custom)" (pa-1724)
- Increased the timeout for network calls to semgrep.dev from 30s to 60s. (timeout-1)