### Added
- New iteration of taint-mode that allows specifying sources/sanitizers/sinks using arbitrary pattern formulas. This provides plenty of flexibility. Note that this breaks compatibility with the previous taint-mode format, e.g. `- source(...)` must now be written as `- pattern: source(...)`.
- HTML experimental support. This does not rely on the "generic" mode but instead really parses the HTML using tree-sitter-html. This allows some semantic matching (e.g., matching attributes in any order).
- Vue.js alpha support (#1751)
- New matching option `implicit_ellipsis` that allows disabling the implicit `...` that are added to record patterns, plus allow matching "spread fields" (JS `...x`) at any position (#3120)
- Support globstar (`**`) syntax in path include/exclude (#3173)
### Fixed
- Apple M1: Semgrep installed from HomeBrew no longer hangs (#2432)
- Ruby command shells are distinguished from strings (#3343)
- Java varargs are now correctly matched (#3455)
- Support for partial statements (e.g., `try { ... }`) for Java (#3417)
- Java generics are now correctly stored in the AST (#3505)
- Constant propagation now works inside Python `with` statements (#3402)
- Metavariable value replacement in message/autofix no longer mixes up short and long names like $X vs $X2 (#3458)
- Fixed metavariable name collision during interpolation of message / autofix (#3483). Thanks to Justin Timmons for the fix!
- Revert `pattern: $X` optimization (#3476)
- metavariable-pattern: Allow filtering using a single `pattern` or `pattern-regex`
- Dataflow: Translate call chains into IL
### Changed
- Faster matching times for generic mode