0.123.0 - 2022-11-29
Added
- CLI: Added deep traces to `--dataflow-traces` (pa-2116)
Changed
- Reachable Supply Chain findings will no longer block pull requests when using `semgrep ci`. Note that unreachable findings have been non-blocking already. (sca-nonblocking)
Fixed
- Fix matching issue related to JS imports with multiple imported values (gh-5305)
- DeepSemgrep: Keep only the shortest trace originating from a taint source. This also prevents falling into infinite loops when inferring taint signatures for mutually recursive procedures. (pa-2224)
- taint-mode: Improved taint tracking for array-like accesses. Previously, if `x.a.b[i].c` got tainted, Semgrep would track `x.a.b` as tainted, and thus `x.a.b[i].d` would be incorrectly considered as tainted too. Now Semgrep will do the right thing and track `x.a.b[*].c` as tainted, and `x.a.b[i].d` will not be considered tainted. (pa-2225)
- Java: `private`, singly-assigned class variables now permit constant propagation (pa-2230)
- JS/TS: Allow dependencies to @Injectable and @component classes in Angular JS to be visible outside the scope of the constructor. (pa-2233)
- Fix matching issue related to Python imports with multiple imported values (python-imports)
- Supply Chain findings from a yarn.lock lockfile were marked as 'transitive' when we couldn't find the matching package.json file. These findings will now be marked as having 'unknown' transitivity. (sc-425)
- Make `$X(...)` match `this()` and `super()`. (this-match)
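As an added illustration of the taint-mode change for array-like accesses (pa-2225), not Semgrep's own code: a small Python model of access-path taint tracking that contrasts the old behaviour (truncating the tracked path at the first index, so the whole array `x.a.b` becomes tainted) with the fixed behaviour (keeping the full path with the index abstracted to `[*]`). The names `access_path` and `TaintState` and the prefix-based taint rules are assumptions of this model, not Semgrep internals.

```python
import re

# Tokens: an index expression in brackets, or a (possibly dotted) identifier.
_TOKEN = re.compile(r"\[[^\]]*\]|\.?[A-Za-z_]\w*")


def access_path(expr: str) -> tuple:
    """Split 'x.a.b[i].c' into ('x', 'a', 'b', '[*]', 'c').

    Every index expression is abstracted to '[*]': the analysis cannot tell
    x.a.b[i] from x.a.b[j], so all elements of the array share one offset.
    """
    parts = []
    for tok in _TOKEN.findall(expr.replace(" ", "")):
        parts.append("[*]" if tok.startswith("[") else tok.lstrip("."))
    return tuple(parts)


class TaintState:
    """Set of tainted access paths (model only, not Semgrep's data structure)."""

    def __init__(self, old_behaviour: bool = False):
        self.old = old_behaviour
        self.tainted = set()

    def taint(self, expr: str) -> None:
        path = access_path(expr)
        if self.old and "[*]" in path:
            # Pre-fix behaviour: drop everything from the index onwards, so
            # tainting x.a.b[i].c marks the whole array x.a.b as tainted.
            path = path[: path.index("[*]")]
        self.tainted.add(path)

    def is_tainted(self, expr: str) -> bool:
        path = access_path(expr)
        for t in self.tainted:
            # Reading a sub-field of a tainted value is tainted ...
            if path[: len(t)] == t:
                return True
            # ... and so is reading a container that holds a tainted field
            # (a modelling choice made here for the example).
            if t[: len(path)] == path:
                return True
        return False


def demo() -> dict:
    """Return the results the changelog entry describes, for both behaviours."""
    new, old = TaintState(), TaintState(old_behaviour=True)
    new.taint("x.a.b[i].c")
    old.taint("x.a.b[i].c")
    return {"new_d": new.is_tainted("x.a.b[i].d"),  # False: fix removes the false positive
            "new_c": new.is_tainted("x.a.b[j].c"),  # True: any index shares the taint
            "old_d": old.is_tainted("x.a.b[i].d")}  # True: the old over-approximation
```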