0.111.0 - 2022-08-22
Added
- Introduced experimental support for Swift (gh-2232)
- Added configuration options for using a tree-sitter library installed anywhere
  on the system. (gh-5944)
- Updated the supply chain finding API:
  - The API is now typed and defined entirely in semgrep_output_v0.atd
  - Supply chain findings now have only one dependency match, not a list, and only one resolved URL
  - Supply chain findings now have the fields reachable and reachability_rule, which
    indicate whether the finding is reachable and whether it was generated by a
    reachability rule (a rule that had a Semgrep pattern)
  - Supply chain findings now include a schema version
- The complete finding information sent to Semgrep App now includes a mapping from lockfile
  paths to the number of dependencies that were present in that lockfile (sca-197)
Fixed
- When a YAML rule file had a string that contained an ISO timestamp, the YAML loader
  parsed it as a datetime object, which Semgrep's rule schema validator then rejected.
  This is now fixed by keeping strings that contain an ISO timestamp as strings. (app-2157)
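The failure mode behind app-2157, as an added example that is not Semgrep's own code: YAML loaders resolve an unquoted plain scalar such as `2022-08-22T10:15:30Z` to a datetime object rather than a string, and a JSON-schema validator (or `json.dumps`) then rejects the rule. The example uses PyYAML (assumed installed; Semgrep's real loader and schema are not shown) and shows one way to keep such scalars as strings, by dropping the implicit timestamp resolver from a `SafeLoader` subclass. The rule text, the `non_json_scalars` check and all function names are constructed for illustration.

```python
"""Added example: an unquoted ISO timestamp in a YAML rule file becomes a
datetime object, and how to keep it as the literal string instead.

Assumes PyYAML is installed. Not Semgrep's code: the rule text and the
scalar-type check are constructed for illustration only."""
import json

import yaml

# Constructed rule file: `reviewed` is an unquoted ISO 8601 timestamp and
# `since` an unquoted date. Both are legal YAML plain scalars.
RULE_YAML = """\
rules:
  - id: example-rule
    languages: [python]
    severity: WARNING
    message: constructed example rule
    pattern: eval(...)
    metadata:
      reviewed: 2022-08-22T10:15:30Z
      since: 2022-08-22
"""

TIMESTAMP_TAG = "tag:yaml.org,2002:timestamp"


class StringTimestampLoader(yaml.SafeLoader):
    """SafeLoader with the implicit timestamp resolver removed, so ISO
    dates and timestamps are returned as the text found in the file."""


# yaml_implicit_resolvers maps a scalar's first character to the (tag, regexp)
# pairs tried on it. Build a filtered copy for the subclass so that
# yaml.SafeLoader itself is left untouched.
StringTimestampLoader.yaml_implicit_resolvers = {
    first_char: [(tag, regexp) for tag, regexp in resolvers if tag != TIMESTAMP_TAG]
    for first_char, resolvers in yaml.SafeLoader.yaml_implicit_resolvers.items()
}


def load_rules(text, keep_timestamps_as_strings=True):
    """Load a rule file; with the default, ISO timestamps stay strings."""
    loader = StringTimestampLoader if keep_timestamps_as_strings else yaml.SafeLoader
    return yaml.load(text, Loader=loader)


def non_json_scalars(value, path="$"):
    """Return the paths of scalars that are not JSON types (str/int/float/
    bool/None). A JSON-schema validator, like json.dumps, rejects datetime
    and date objects, which is what the fix above is about."""
    bad = []
    if isinstance(value, dict):
        for key, item in value.items():
            bad.extend(non_json_scalars(item, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            bad.extend(non_json_scalars(item, f"{path}[{index}]"))
    elif not isinstance(value, (str, int, float, bool, type(None))):
        bad.append(path)
    return bad


def reviewed(rules):
    return rules["rules"][0]["metadata"]["reviewed"]


def run_demo():
    """Load the constructed rule both ways and report what each produces."""
    broken = load_rules(RULE_YAML, keep_timestamps_as_strings=False)
    fixed = load_rules(RULE_YAML)
    json.dumps(fixed)  # the string-preserving load serialises cleanly
    return {
        "broken_type": type(reviewed(broken)).__name__,
        "broken_bad_paths": non_json_scalars(broken),
        "fixed_value": reviewed(fixed),
        "fixed_bad_paths": non_json_scalars(fixed),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result!r}")
```

With the stock loader the `reviewed` value comes back as a `datetime` and `since` as a `date`, so both metadata paths are reported by `non_json_scalars`; with the filtered loader both remain strings and the check is empty. Quoting the value in the rule file (`reviewed: "2022-08-22T10:15:30Z"`) is the rule author's side of the same workaround.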
- When parsing PHP with tree-sitter, parse `$this` as an IdSpecial, similar to pfff. This
  makes it possible to match `$this` when the pattern is parsed with pfff and the program
  with tree-sitter. (gh-5594)
- Parse die() as exit() in tree-sitter PHP. This makes pfff and tree-sitter parse die() in
  the same way. (gh-5880)
- All: applied a fix so that qualified identifiers can unify with metavariables. Notably, this
  affected Python decorators, among others. (pa-1700)
- Fixed a regression in DeepSemgrep after the experimental taint labels feature
  was introduced in 0.106.0. This prevented DeepSemgrep from reporting taint
  findings when e.g. the sink was wrapped by another function. (pa-1750)
- Fixed metavariable unification in JSON when one of the patterns is a single field. (pa-1763)
- Changed symbolic propagation such that "redundant" matches are no longer
  reported as findings. For instance, given:

  ```python
  def foo():
      x = g(5)
      f(x)
  ```

  If we are looking for the pattern `g(5)`, we should not match on line 3, since we
  will match on line 2 anyway, and the line-3 match only repeats information we
  already have. This patch changes it so that line 3 is no longer matched. (pa-1772)
- Semgrep now passes -j to the DeepSemgrep engine, so --deep became noticeably faster. (pa-1776)
- taint-mode: due to a mistake in the instantiation of a visitor, named function
  definitions were being analyzed twice. This is now fixed and you may observe
  significant speed-ups in some cases. (pa-1778)
- Extract mode: fixed a possible exception in normal usage, introduced by
  changes in the handling of search/taint rules. (pa-1786)
- Changed the fail-open message body (pm-194)