pypi semgrep 0.87.0
Release v0.87.0


0.87.0 - 2022-04-07

Added

  • New focus-metavariable operator that lets you focus (or "zoom in") the match
    on the code region delimited by a metavariable. This operator is useful for
    narrowing down the code matched by a rule, to focus on what really matters. (#4453)
  • semgrep ci now uses the GITHUB_SERVER_URL environment variable, when it is set, to generate URLs
  • You can now set NO_COLOR=1 to force-disable colored output
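As an added illustration of the new focus-metavariable operator (this rule is not from the Semgrep changelog or repository), the rule below flags a shell=True subprocess call but reports only the region bound to $CMD rather than the whole call. The target file, rule id, and message are constructed for this example.

```yaml
# Added example, not part of the original release notes.
# Constructed target (target.py):
#   import subprocess
#   cmd = request.args.get("cmd")
#   subprocess.call(cmd, shell=True)
rules:
  - id: subprocess-shell-true-focus-on-command
    languages: [python]
    severity: WARNING
    message: Command passed to subprocess with shell=True; review what $CMD contains
    patterns:
      # Match the call regardless of other positional/keyword arguments.
      - pattern: subprocess.call($CMD, ..., shell=True, ...)
      # Without this line the finding spans the whole subprocess.call(...)
      # expression. With it, the reported range is only the code bound to
      # $CMD (here: `cmd`), which is what a reviewer actually needs to look at.
      - focus-metavariable: $CMD
```

Run it with `semgrep --config rule.yml target.py`; the finding's start and end columns shrink to the `cmd` argument, which also makes autofix and IDE highlighting land on the right span.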

Changed

  • taint-mode: We no longer force the unification of metavariables between
    sources and sinks by default. It is not clear that this is the most natural
    behavior; and we realized that, in fact, it was confusing even for experienced
    Semgrep users. Instead, each set of metavariables is now considered independent.
    The metavariables available to the rule message are all metavariables bound by
    pattern-sinks, plus the subset of metavariables bound by pattern-sources
    that do not collide with the ones bound by pattern-sinks. We do not expect
    this change to break many taint rules because source-sink metavariable
    unification had a bug (see #4464) that prevented metavariables bound by a
    pattern-inside to be unified, thus limiting the usefulness of the feature.
    Nonetheless, it is still possible to force metavariable unification by setting
    taint_unify_mvars: true in the rule's options.
  • r2c-internal-project-depends-on: this is now a rule key, and not part of the pattern language.
    The depends-on-either key can be used analogously to pattern-either
  • r2c-internal-project-depends-on: each rule with this key will now distinguish between
    reachable and unreachable findings. A reachable finding is one with both a dependency match
    and a pattern match: a vulnerable dependency was found and the vulnerable part of the dependency
    (according to the patterns in the rule) is used somewhere in code. An unreachable finding
    is one with only a dependency match. Reachable findings are reported as coming from the
    code that was pattern matched. Unreachable findings are reported as coming from the lockfile
    that was dependency matched. Both kinds of findings specify their kind, along with all matched
    dependencies, in the extra field of semgrep's JSON output, using the dependency_match_only
    and dependency_matches fields, respectively.
  • r2c-internal-project-depends-on: a finding will only be considered reachable if the file
    containing the pattern match actually depends on the dependencies in the lockfile containing the
    dependency match. A file depends on a lockfile if it is the nearest lockfile going up the
    directory tree.
  • The returntocorp/semgrep Docker image no longer sets semgrep as the entrypoint.
    This means that semgrep is no longer prepended automatically to any command you run in the image.
    This makes it possible to use the image in CI executors that run provisioning commands within the image.
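As an added example of the r2c-internal-project-depends-on changes above (not a rule from the Semgrep changelog or registry), the rule below combines a dependency match, expressed with depends-on-either as a top-level rule key, with a code pattern. The package names, version ranges, and target code are constructed for illustration and do not correspond to a real advisory; the namespace/package/version layout of each entry is the form this key took around this release and should be checked against the docs for the Semgrep version you run.

```yaml
# Added example, not part of the original release notes. Packages and
# versions below are made up; they describe no real vulnerability.
# Constructed layout:
#   project/Pipfile.lock   pins example-http==1.2.0 (inside the range below)
#   project/app.py         import example_http; example_http.fetch(url, verify=False)
#   project/tools/x.py     imports nothing from example-http
# Result: app.py produces a reachable finding (dependency match in the nearest
# lockfile going up the tree AND a pattern match). If no file under project/
# contains the pattern, a single unreachable finding is reported at Pipfile.lock.
rules:
  - id: example-http-insecure-fetch-on-affected-version
    languages: [python]
    severity: WARNING
    message: >-
      example_http.fetch(verify=False) is called while an affected
      example-http release is pinned in the nearest lockfile.
    # Rule key, not a pattern operator: any entry matching counts, like pattern-either.
    r2c-internal-project-depends-on:
      depends-on-either:
        - namespace: pypi
          package: example-http
          version: "< 1.3.0"
        - namespace: pypi
          package: example-http-compat
          version: "< 2.0.4"
    # The code pattern decides reachability. Only files whose nearest
    # lockfile (walking up the directory tree) contains a matching
    # dependency are eligible for a reachable finding.
    patterns:
      - pattern: example_http.fetch(..., verify=False, ...)
```

In `semgrep --json` output the reachable finding is located at the `fetch` call and lists the matched dependencies under `extra.dependency_matches`; the unreachable finding is located at the lockfile and carries `extra.dependency_match_only`, so a triage script can key on those two fields rather than on the message text.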

Fixed

  • A bare - is now parsed as a valid identifier in Scala (operator characters are legal identifiers there)
  • new $OBJECT(...) will now work properly as a taint sink (#4858)
  • JS/TS: the pattern ...{$X}... no longer spuriously matches str
  • taint-mode: Metavariables bound by a pattern-inside are now available to the
    rule message. (#4464)
  • parsing: fail fast in semgrep-core if rules fail to validate (broken since 0.86.5)
  • Setting either SEMGREP_URL or SEMGREP_APP_URL
    now updates the URL used both for Semgrep App communication,
    and for fetching Semgrep Registry rules.
  • The pre-commit hook exposed from semgrep's repository no longer fails
    when trying to install with recent setuptools versions.
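The two taint-mode items above (metavariables no longer unified between sources and sinks by default, and pattern-inside metavariables now usable in the message) are shown together in this added example, which is not a rule from the Semgrep changelog or repository. The target code, rule ids, and method names untrusted()/execute() are constructed for the example.

```yaml
# Added example, not part of the original release notes.
# Constructed target (target.py):
#   def handler(a, b):
#       data = a.untrusted()
#       a.execute(data)   # reported by both rules below
#       b.execute(data)   # reported only by taint-independent-mvars
rules:
  - id: taint-independent-mvars
    mode: taint
    languages: [python]
    severity: WARNING
    pattern-sources:
      - patterns:
          # $FUNC is bound by a pattern-inside; since #4464 it is available
          # to the message below.
          - pattern-inside: |
              def $FUNC(...):
                ...
          - pattern: $OBJ.untrusted()
    pattern-sinks:
      - pattern: $OBJ.execute(...)
    # 0.87.0 default: $OBJ in the source and $OBJ in the sink are independent,
    # so a.untrusted() flowing into b.execute() is reported. The message sees
    # the sink's binding of $OBJ (the colliding name) plus $FUNC from the source.
    message: In $FUNC, untrusted data reaches $OBJ.execute()

  - id: taint-unified-mvars
    mode: taint
    languages: [python]
    severity: WARNING
    # Opt back in to the old behaviour: source and sink metavariables with the
    # same name must bind the same code.
    options:
      taint_unify_mvars: true
    pattern-sources:
      - pattern: $OBJ.untrusted()
    pattern-sinks:
      - pattern: $OBJ.execute(...)
    # Only a.untrusted() -> a.execute() matches; a.untrusted() -> b.execute()
    # does not, because $OBJ cannot be both a and b.
    message: Untrusted data from $OBJ.untrusted() reaches $OBJ.execute()
```

When upgrading, check any existing taint rule that reuses a metavariable name across pattern-sources and pattern-sinks: under the new default it will match more flows, and the rule needs `taint_unify_mvars: true` to keep the old, stricter semantics.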
