Added
- Java: Add partial support for
synchronizedblocks in the dataflow IL (#4150) - Dataflow: Add partial support for
await,yield,&, and other expressions - Field-definition-as-assignemnt equivalence that allows matching expression
patterns against field definitions. It is disabled by default but can be
enabled via ruleoptions:withflddef_assign: true(#4187) - Arrows (a.k.a short lambdas) patterns used to match also regular function
definitions. This can now be disabled via ruleoptions:with
arrow_is_function: false(#4187) - Javascript variable patterns using the 'var' keyword used to also
match variable declarations using 'let' or 'const'. This can now be
disabled via ruleoptions:withlet_is_var: false
Fixed
- Constant propagation: In a method call
x.f(y), ifxis a constant then
it will be recognized as such - Go: match correctly braces in composite literals for autofix (#4210)
- Go: match correctly parens in cast for autofix (#3387)
- Go: support ellipsis in return type parameters (#2746)
- Scala: parse
case objectwithin blocks - Scala: parse typed patterns with variables that begin with an underscore:
case _x : Int => ... - Scala: parse unicode identifiers
- semgrep-core accepts
shas an alias for bash - pattern-regex: Hexadecimal notation of Unicode code points is now
supported and assumes UTF-8 (#4240) - pattern-regex: Update documentation, specifying we use PCRE (#3974)
- Scala: parse nullary constructors with no arguments in more positions
- Scala: parse infix type operators with tuple arguments
- Scala: parse nested comments
- Scala: parse
case classwithin blocks metavariable-comparison: if a metavariable binds to a code variable that
is known to be constant, then we use that constant value in the comparison (#3727)- Expand
~when resolving config paths
Changed
- C# support is now GA
- cli: Only suggest increasing stack size when semgrep-core segfaults
- Semgrep now scans executable scripts whose shebang interpreter matches the
rule's language - CLI output no longer displays severity levels