Added
- New iteration of taint-mode that allows to specify sources/sanitizers/sinks
using arbitrary pattern formulas. This provides plenty of flexibility. Note
that we breaks compatibility with the previous taint-mode format, e.g.
- source(...)must now be written as- pattern: source(...). - HTML experimental support. This does not rely on the "generic" mode
but instead really parses the HTML using tree-sitter-html. This allows
some semantic matching (e.g., matching attributes in any order). - Vue.js alpha support (#1751)
- New matching option
implicit_ellipsisthat allows disabling the implicit
...that are added to record patterns, plus allow matching "spread fields"
(JS...x) at any position (#3120) - Support globstar (
**) syntax in path include/exclude (#3173)
Fixed
- Apple M1: Semgrep installed from HomeBrew no longer hangs (#2432)
- Ruby command shells are distinguished from strings (#3343)
- Java varargs are now correctly matched (#3455)
- Support for partial statements (e.g.,
try { ... }) for Java (#3417) - Java generics are now correctly stored in the AST (#3505)
- Constant propagation now works inside Python
withstatements (#3402) - Metavariable value replacement in message/autofix no longer mixes up short and long names like $X vs $X2 (#3458)
- Fixed metavariable name collision during interpolation of message / autofix (#3483)
Thanks to Justin Timmons for the fix! - Revert
pattern: $Xoptimization (#3476) - metavariable-pattern: Allow filtering using a single
patternor
pattern-regex - Dataflow: Translate call chains into IL
Changed
- Faster matching times for generic mode