Added
- Semgrep saves the logs of its last run to `~/.semgrep/last.log`
- A new recursive operator, `-->`, for join mode rules, for recursively chaining together Semgrep rules based on metavariable contents.
- Semgrep now lists the scanned paths in its JSON output under the `paths.scanned` key. When using `--verbose`, the skipped paths are also listed under the `paths.skipped` key.
- C#: added support for typed metavariables (#4657)
- Undocumented, experimental `metavariable-analysis` feature supporting two kinds of analyses: prediction of regular expression denial-of-service vulnerabilities (ReDoS, `redos` analyzer, #4700) and high-entropy string detection (`entropy` analyzer, #4672).
- A new subcommand `semgrep publish` allows users to upload private, unlisted, or public rules to the Semgrep Registry
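The `paths.scanned` and `paths.skipped` keys make it possible to gate CI on scan coverage rather than only on findings. The following added example (not Semgrep's own code) parses a constructed `semgrep --json --verbose` output and reports security-critical path prefixes that no scanned file falls under, plus skipped files under those prefixes; the exact shape of `paths.skipped` entries (bare strings or objects with a `path` key) is an assumption, so both forms are accepted.

```python
"""Coverage gate over Semgrep JSON output (added example, not Semgrep code)."""
import json

# Constructed sample of `semgrep --json --verbose` output; not real scan data.
# The mixed string/object shape of "skipped" is an assumption covering both forms.
SAMPLE_OUTPUT = json.dumps({
    "results": [],
    "errors": [],
    "paths": {
        "scanned": ["src/app.py", "src/auth/login.py", "infra/main.tf"],
        "skipped": [
            {"path": "src/auth/vendor/jwt.py", "reason": "excluded"},
            "infra/secrets.tfvars",
        ],
    },
})


def _skipped_path(entry):
    """Accept either a bare path string or an object carrying a 'path' key."""
    return entry if isinstance(entry, str) else entry.get("path", "")


def coverage_report(output_json, required_prefixes):
    """Return (uncovered_prefixes, skipped_under_required) for one scan.

    uncovered_prefixes: required prefixes with no scanned file beneath them.
    skipped_under_required: skipped files that live under a required prefix.
    """
    data = json.loads(output_json)
    paths = data.get("paths", {})
    scanned = paths.get("scanned", [])
    skipped = [_skipped_path(e) for e in paths.get("skipped", [])]
    uncovered = [p for p in required_prefixes
                 if not any(s.startswith(p) for s in scanned)]
    skipped_required = sorted(s for s in skipped
                              if any(s.startswith(p) for p in required_prefixes))
    return uncovered, skipped_required


def scan_is_acceptable(output_json, required_prefixes):
    """CI gate: the scan passes only if every required prefix was reached."""
    uncovered, _ = coverage_report(output_json, required_prefixes)
    return not uncovered


if __name__ == "__main__":
    uncovered, skipped = coverage_report(SAMPLE_OUTPUT, ["src/auth/", "infra/", "lambda/"])
    print("uncovered prefixes:", uncovered)
    print("skipped under required prefixes:", skipped)
```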
Fixed
- Configure the PCRE engine with lower match-attempts and recursion limits in order to prevent regex matching from potentially "hanging" Semgrep
- Terraform: Parse heredocs respecting newlines and whitespace, so that it is possible to correctly match these strings with `metavariable-regex` or `metavariable-pattern`. Previously, Semgrep had problems analyzing e.g. embedded YAML content. (#4582)
- Treat Go raw string literals like ordinary string literals (#3938)
- Eliminate zombie `uname` processes (#4466)
- Fix for: semgrep always highlights one extra character
Changed
- Improved constant propagation for global constants
- PHP: Constant propagation now has built-in knowledge of `escapeshellarg` and `htmlspecialchars_decode`; if these functions are given constant arguments, then Semgrep assumes that their output is also constant
- The environment variable used by Semgrep login changed from `SEMGREP_LOGIN_TOKEN` to `SEMGREP_APP_TOKEN`