0.87.0 - 2022-04-07
Added
- New `focus-metavariable` operator that lets you focus (or "zoom in") the match
  on the code region delimited by a metavariable. This operator is useful for
  narrowing down the code matched by a rule, to focus on what really matters. (#4453)
- `semgrep ci` uses `GITHUB_SERVER_URL` to generate URLs if it is available
- You can now set `NO_COLOR=1` to force-disable colored output
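A rule using the new operator, as an added example for this changelog entry (not a rule from the Semgrep registry or repository). The rule id, the `subprocess.run(..., shell=True)` target and the sample code in the trailing comment are chosen for illustration:

```yaml
rules:
  - id: added-example-focus-metavariable
    # Added example, not a Semgrep registry rule.
    languages: [python]
    severity: WARNING
    message: "command passed to subprocess.run(shell=True) is not a literal: $CMD"
    patterns:
      - pattern: subprocess.run($CMD, ..., shell=True, ...)
      # "..." as a pattern matches any string literal, so literal commands are excluded
      - pattern-not: subprocess.run("...", ..., shell=True, ...)
      # Report only the $CMD expression instead of the whole call
      - focus-metavariable: $CMD
# Code matched by the rule (constructed sample):
#     cmd = "ls " + user_input
#     subprocess.run(cmd, shell=True)
# Without focus-metavariable the finding spans `subprocess.run(cmd, shell=True)`;
# with it, the reported range is just `cmd`, which is what a reviewer wants to
# see highlighted when triaging the finding.
```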
Changed
- taint-mode: We no longer force the unification of metavariables between
  sources and sinks by default. It is not clear that this is the most natural
  behavior, and we realized that, in fact, it was confusing even for experienced
  Semgrep users. Instead, each set of metavariables is now considered independent.
  The metavariables available to the rule message are all metavariables bound by
  `pattern-sinks`, plus the subset of metavariables bound by `pattern-sources`
  that do not collide with the ones bound by `pattern-sinks`. We do not expect
  this change to break many taint rules because source-sink metavariable
  unification had a bug (see #4464) that prevented metavariables bound by a
  `pattern-inside` from being unified, thus limiting the usefulness of the feature.
  Nonetheless, it is still possible to force metavariable unification by setting
  `taint_unify_mvars: true` in the rule's `options`.
- `r2c-internal-project-depends-on`: this is now a rule key, and not part of the
  pattern language. The `depends-on-either` key can be used analogously to
  `pattern-either`.
- `r2c-internal-project-depends-on`: each rule with this key will now distinguish between
  reachable and unreachable findings. A reachable finding is one with both a dependency match
  and a pattern match: a vulnerable dependency was found and the vulnerable part of the dependency
  (according to the patterns in the rule) is used somewhere in code. An unreachable finding
  is one with only a dependency match. Reachable findings are reported as coming from the
  code that was pattern matched. Unreachable findings are reported as coming from the lockfile
  that was dependency matched. Both kinds of findings specify their kind, along with all matched
  dependencies, in the `extra` field of semgrep's JSON output, using the `dependency_match_only`
  and `dependency_matches` fields, respectively.
- `r2c-internal-project-depends-on`: a finding will only be considered reachable if the file
  containing the pattern match actually depends on the dependencies in the lockfile containing the
  dependency match. A file depends on a lockfile if it is the nearest lockfile going up the
  directory tree.
- The returntocorp/semgrep Docker image no longer sets `semgrep` as the entrypoint.
  This means that `semgrep` is no longer prepended automatically to any command you run in the image.
  This makes it possible to use the image in CI executors that run provisioning commands within the image.
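The reachable/unreachable split and the nearest-lockfile rule above, worked through in code. This is an added example written for this changelog entry, not code from the Semgrep project. Only the `extra.dependency_match_only` and `extra.dependency_matches` field names and the reported `path` come from the entry; the sample report, the rule id `added-example-depends-on`, the package `examplelib` and the `package`/`version`/`lockfile` keys inside each dependency match are constructed for the example.

```python
"""Triage r2c-internal-project-depends-on findings from `semgrep --json` output.

Added example, not Semgrep's own code. The shape of each `dependency_matches`
entry (package, version, lockfile) is an assumption made for this sample.
"""
import json
from pathlib import PurePosixPath
from typing import Iterable, List, Optional, Tuple

# Constructed sample report: one reachable finding, one unreachable finding and
# one finding from an ordinary (non depends-on) rule.
SAMPLE_REPORT = json.dumps({
    "results": [
        {
            "check_id": "added-example-depends-on",
            "path": "services/api/app.py",          # reachable: reported at the code
            "start": {"line": 12}, "end": {"line": 12},
            "extra": {
                "dependency_match_only": False,
                "dependency_matches": [{"package": "examplelib", "version": "1.1.0",
                                        "lockfile": "services/api/Pipfile.lock"}],
            },
        },
        {
            "check_id": "added-example-depends-on",
            "path": "tools/Pipfile.lock",            # unreachable: reported at the lockfile
            "start": {"line": 1}, "end": {"line": 1},
            "extra": {
                "dependency_match_only": True,
                "dependency_matches": [{"package": "examplelib", "version": "1.0.3",
                                        "lockfile": "tools/Pipfile.lock"}],
            },
        },
        {
            "check_id": "ordinary-rule",              # no dependency_matches: skipped
            "path": "services/api/app.py",
            "start": {"line": 40}, "end": {"line": 40},
            "extra": {},
        },
    ]
})


def split_findings(report_json: str) -> Tuple[List[dict], List[dict]]:
    """Split depends-on findings into (reachable, unreachable).

    A finding belongs to a depends-on rule iff `extra.dependency_matches` is
    present; `extra.dependency_match_only` then tells the two kinds apart.
    """
    reachable, unreachable = [], []
    for result in json.loads(report_json)["results"]:
        extra = result.get("extra", {})
        if "dependency_matches" not in extra:
            continue
        (unreachable if extra.get("dependency_match_only") else reachable).append(result)
    return reachable, unreachable


def nearest_lockfile(file_path: str, lockfiles: Iterable[str]) -> Optional[str]:
    """The lockfile a file depends on: the nearest one going up the directory tree.

    Paths are repo-relative POSIX paths. The file's own directory is checked
    first, then each ancestor up to the repo root ("."). None if no lockfile
    lies on that path.
    """
    candidates = [PurePosixPath(p) for p in lockfiles]
    directory = PurePosixPath(file_path).parent
    for ancestor in (directory, *directory.parents):
        here = sorted(str(p) for p in candidates if p.parent == ancestor)
        if here:
            return here[0]  # deterministic if one directory holds several lockfiles
    return None


def owning_lockfile_matches(finding: dict, lockfiles: Iterable[str]) -> bool:
    """Re-apply the reachability condition: the code file's nearest lockfile must
    be the lockfile that produced every dependency match (constructed key)."""
    owner = nearest_lockfile(finding["path"], lockfiles)
    return owner is not None and all(
        m["lockfile"] == owner for m in finding["extra"]["dependency_matches"])


def summarize(report_json: str, lockfiles: Iterable[str]) -> List[str]:
    """One triage line per depends-on finding, reachable ones first."""
    reachable, unreachable = split_findings(report_json)
    lines = []
    for f in reachable:
        note = "" if owning_lockfile_matches(f, lockfiles) else "  (lockfile ownership mismatch)"
        lines.append(f"REACHABLE   {f['check_id']} {f['path']}:{f['start']['line']}{note}")
    for f in unreachable:
        pkgs = ", ".join(f"{m['package']}=={m['version']}" for m in f["extra"]["dependency_matches"])
        lines.append(f"UNREACHABLE {f['check_id']} {f['path']} [{pkgs}]")
    return lines


if __name__ == "__main__":
    repo_lockfiles = ["Pipfile.lock", "services/api/Pipfile.lock", "tools/Pipfile.lock"]
    print("\n".join(summarize(SAMPLE_REPORT, repo_lockfiles)))
```

Reachable findings are the ones to block a merge on; unreachable ones only say that a vulnerable version is pinned somewhere, so the script lists them separately with the matched packages. `owning_lockfile_matches` is only a local re-check of the rule semgrep itself applies, useful when a monorepo has nested lockfiles and you want to see which one a file was attributed to.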
Fixed
- `-` is now parsed as a valid identifier in Scala
- `new $OBJECT(...)` will now work properly as a taint sink (#4858)
- JS/TS: `...{$X}...` will no longer match `str`
- taint-mode: Metavariables bound by a `pattern-inside` are now available to the
  rule message. (#4464)
- parsing: fail fast in semgrep-core if rules fail to validate (broken since 0.86.5)
- Setting either `SEMGREP_URL` or `SEMGREP_APP_URL` now updates the URL used both
  for Semgrep App communication, and for fetching Semgrep Registry rules.
- The pre-commit hook exposed from semgrep's repository no longer fails
  when trying to install with recent setuptools versions.
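Two taint rules showing the metavariable behaviour described under Changed (independent source and sink metavariables by default, `taint_unify_mvars: true` to opt back in) and the `pattern-inside` fix under Fixed (#4464). This is an added example for this changelog, not a rule from the Semgrep repository or registry; the rule ids and the `request.args.get`, `os.system`, `fetchone`/`execute` calls are ordinary library calls chosen for illustration:

```yaml
rules:
  # Added example, not a Semgrep registry rule.
  # Rule 1: default behaviour, no unification. $HANDLER is bound on the
  # source side by pattern-inside and, since this release, is usable in the
  # message; it does not collide with any sink-side metavariable, so it is
  # reported as bound by the source. $CMD is bound by the sink.
  - id: added-example-taint-independent-mvars
    mode: taint
    languages: [python]
    severity: ERROR
    message: "request parameter flows into os.system($CMD) inside handler $HANDLER"
    pattern-sources:
      - patterns:
          - pattern-inside: |
              def $HANDLER(...):
                ...
          - pattern: request.args.get(...)
    pattern-sinks:
      - pattern: os.system($CMD)

  # Rule 2: opt back in to unification. Both sides bind $CUR. With
  # taint_unify_mvars: true a finding requires the row to be read from and the
  # query to be executed on the same cursor object (a second-order injection
  # shape). Without the option the two $CUR bindings are independent and the
  # message would show the sink-side $CUR only.
  - id: added-example-taint-unified-mvars
    mode: taint
    languages: [python]
    severity: WARNING
    message: "value read from $CUR is used in a query executed on $CUR"
    options:
      taint_unify_mvars: true
    pattern-sources:
      - pattern: $CUR.fetchone()
    pattern-sinks:
      - pattern: $CUR.execute(...)
# Constructed sample matched by rule 2:
#     row = cur.fetchone()
#     cur.execute("SELECT * FROM t WHERE name = '%s'" % row[0])
# The same code with `other_cur.execute(...)` matches only when the option is
# removed, because then the source-side and sink-side $CUR are not compared.
```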