pypi semgrep 0.85.0
Release v0.85.0
on Python PyPI

latest releases: 1.96.0, 1.95.0, 1.94.0...
2 years ago

Added

  • C#: use latest tree-sitter-c-sharp with support for most C# 10.0 features
  • HTML: support for metavariables on tags (e.g., `<$TAG>...</$TAG>) (#4078)
  • Scala: The data-flow engine can now handle expression blocks. This used to
    cause some false negatives during taint analysis, which will now be reported.
  • Dockerfile: allow e.g. CMD ... to match both CMD ls and CMD ["ls"] (#4770).
  • When scanning multiple languages,
    Semgrep will now print a table of how many rules and files are used for each language.

Fixed

  • Fixed Deep expression matching and metavariables interaction. Semgrep will
    not stop anymore at the first match and will enumarate all possible matchings
    if a metavariable is used in a deep expression pattern
    (e.g., <... $X ...>). This can introduce some performance regressions.

  • JSX: ellipsis in JSX body (e.g., <div>...</div>) now matches any
    children (#4678 and #4717)

  • ℹ️ During a --baseline-commit scan,
    Semgrep temporarily deletes files that were created since the baseline commit,
    and restores them at the end of the scan.

    Previously, when scanning a subdirectory of a git repo with --baseline-commit,
    Semgrep would delete all newly created files under the repo root,
    but restore only the ones in the subdirectory.
    Now, Semgrep only ever deletes files in the scanned subdirectory.

  • Previous releases allowed incompatible versions (21.1.0 & 21.2.0)
    of the attrs dependency to be installed.
    semgrep now correctly requires attrs 21.3.0 at the minimum.

  • package-lock.json parsing defaults to packages instead of dependencies as the source of dependencies

  • package-lock.json parsing will ignore dependencies with non-standard versions, and will succesfully parse
    dependencies with no integrity field

Changed

  • File targeting logic has been mostly rewritten. (#4776)
    These inconsistencies were fixed in the process:

    • ℹ️ "Explicitly targeted file" refers to a file
      that's directly passed on the command line.

      Previously, explicitly targeted files would be unaffected by most global filtering:
      global include/exclude patterns and the file size limit.
      Now .semgrepignore patterns don't affect them either,
      so they are unaffected by all global filtering,

    • ℹ️ With --skip-unknown-extensions,
      Semgrep scans only the explicitly targeted files that are applicable to the language you're scanning.

      Previously, --skip-unknown-extensions would skip based only on file extension,
      even though extensionless shell scripts expose their language via the shebang of the first line.
      As a result, explicitly targeted shell files were always skipped when --skip-unknown-extensions was set.
      Now, this flag decides if a file is the correct language with the same logic as other parts of Semgrep:
      taking into account both extensions and shebangs.

  • Semgrep scans with --baseline-commit are now much faster.
    These optimizations were added:

    • ℹ️ When --baseline-commit is set,
      Semgrep first runs the current scan,
      then switches to the baseline commit,
      and runs the baseline scan.

      The current scan now excludes files
      that are unchanged between the baseline and the current commit
      according to git status output.

    • The baseline scan now excludes rules and files that had no matches in the current scan.

    • When git ls-files is unavailable or --disable-git-ignore is set,
      Semgrep walks the file system to find all target files.
      Semgrep now walks the file system 30% faster compared to previous versions.

  • The output format has been updated to visually separate lines
    with headings and indentation.

Check out latest releases or
releases around semgrep 0.85.0

Don't miss a new semgrep release

NewReleases is sending notifications on new releases.

Get notifications