Added
- A `metavariable-comparison` operator for evaluating numeric comparisons on metavariable values, such as `comparison: $KEY_SIZE < 2048`. This is a safe alternative to `pattern-where-python` snippets. Check the full documentation of this feature!
- Matching 1-to-N attributes with a `...` wildcard in JSX tags' attribute lists, such as `<$TAG attr="1" ... />`.
- Matching only the function signature without the function body, such as `function foo(...)`. This is useful for cleaner match output when the body content doesn't matter in a rule. This currently works on JavaScript, TypeScript, and Java code.
- SARIF output now includes the exact CWE and OWASP categories as tags. Thanks @hunt3rkillerz!
- Matching of annotation patterns for Java (like `@SomeAnnot(...)`) in any context.
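As an added example (not part of the changelog or the Semgrep project's own rules), a rule using the new `metavariable-comparison` operator in place of a `pattern-where-python` snippet. The `rsa.generate_private_key` call, the `cryptography` package and the 2048-bit threshold are assumptions chosen to match the `$KEY_SIZE` example above.

```yaml
# Added example rule; assumes Python targets calling the `cryptography`
# package's rsa.generate_private_key(). A constructed target file such as:
#
#   key = rsa.generate_private_key(public_exponent=65537, key_size=1024)  # flagged
#   key = rsa.generate_private_key(public_exponent=65537, key_size=4096)  # not flagged
#
rules:
  - id: rsa-key-size-too-small
    languages: [python]
    severity: WARNING
    message: >-
      RSA key of $KEY_SIZE bits is below the 2048-bit minimum;
      use key_size=2048 or larger.
    patterns:
      # Bind the key size argument to $KEY_SIZE; the `...` wildcards absorb
      # any other positional or keyword arguments around it.
      - pattern: rsa.generate_private_key(..., key_size=$KEY_SIZE, ...)
      # The comparison is evaluated by Semgrep itself, so no Python snippet
      # runs during the scan. It only holds when $KEY_SIZE is bound to a
      # numeric literal; a call passing a variable for key_size is not flagged.
      - metavariable-comparison:
          metavariable: $KEY_SIZE
          comparison: $KEY_SIZE < 2048
```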
Fixed
- PHP superglobals such as `$_GET`, which start with a dollar sign just like Semgrep metavariables, are now correctly interpreted as PHP code instead of Semgrep pattern code.
- Calls to `isset(...)` in PHP look like function calls, but technically are not function calls. Now you can match them anyway!
- It's now possible to write unit tests for OCaml rules.
- JavaScript's special identifiers, such as `this`, can now be captured into a metavariable.
- A Java pattern for `implements B` will now also match code that does `implements A, B, C`.
- Addressed off-by-one errors when applying autofixes.
- Missing characters in metavariable interpolation in messages.
- And many more minor code parser fixes!