0.94.0 - 2022-05-25
Added
- `metavariable-regex` now supports an optional `constant-propagation` key.
  When this is set to `true`, information learned from constant propagation
  will be used when matching the metavariable against the regex. By default
  it is set to `false`.
- Dockerfile: constant propagation now works on variables declared with `ENV`
- `shouldafound`: False Negative reporting via the CLI
Changed
- taint-mode: Let's say that e.g. `taint(x)` makes `x` tainted by side-effect.
  Previously, we had to rely on a trick that declared that any occurrence of
  `x` inside `taint(x); ...` was a taint source. If `x` was overwritten with
  safe data, this was not recognized by the taint engine. Also, if `taint(x)`
  occurred inside e.g. an `if` block, any occurrence of `x` outside that block
  was not considered tainted. Now, if you specify that the code variable itself
  is a taint source (using `focus-metavariable`), the taint engine will handle
  this as expected, and it will not suffer from the aforementioned limitations.
  We believe that this change should not break existing taint rules, but please
  report any regressions that you may find.
- taint-mode: Let's say that e.g. `sanitize(x)` sanitizes `x` by side-effect.
  Previously, we had to rely on a trick that declared that any occurrence of
  `x` inside `sanitize(x); ...` was sanitized. If `x` was later overwritten with
  tainted data, the taint engine would still regard `x` as safe. Now, if you
  specify that the code variable itself is sanitized (using `focus-metavariable`),
  the taint engine will handle this as expected and it will not suffer from such
  a limitation. We believe that this change should not break existing taint rules,
  but please report any regressions that you may find.
- The dot access ellipsis now matches field accesses in addition to method
  calls.
- Made error message for resource exhaustion (exit code -11/-9) more actionable
- Made error message for rules with patterns missing positive terms
  more actionable (#5234)
- In this version, we have made several performance improvements
  to the code that surrounds our source parsing and matching core.
  This includes file targeting, rule fetching, and similar parts of the codebase.
  Running `semgrep scan --config auto` on the semgrep repo itself
  went from 50-54 seconds to 28-30 seconds.
  - As part of these changes, we removed `:include .gitignore` and `.git/`
    from the default `.semgrepignore` patterns.
    This should not cause any difference in which files are targeted
    as other parts of Semgrep ignore these files already.
  - A full breakdown of our performance updates, including some upcoming ones,
    can be found here: #5257 (comment)
- If a metrics event request times out, we no longer retry the request.
  This avoids Semgrep waiting 10-20 seconds before exiting if these requests are slow.
- The metrics collection timeout has been raised from 2 seconds to 3 seconds.
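As an added illustration of the two taint-mode changes listed above (this rule is not from the Semgrep changelog or repository), a taint rule that marks the argument of `taint(...)` as a source and the argument of `sanitize(...)` as sanitized by side-effect via `focus-metavariable`; the rule id, the `taint`/`sanitize`/`sink` function names and the target file are constructed for the example.

```yaml
rules:
  - id: side-effect-taint-example   # constructed rule id
    mode: taint
    languages: [python]
    severity: WARNING
    message: Tainted value reaches sink(...)
    pattern-sources:
      # Put the taint on the variable $X itself rather than on the call
      # expression: focus-metavariable is what makes the source "by side-effect".
      - patterns:
          - pattern: taint($X)
          - focus-metavariable: $X
    pattern-sanitizers:
      # Same idea for a sanitizer that cleans its argument in place.
      - patterns:
          - pattern: sanitize($X)
          - focus-metavariable: $X
    pattern-sinks:
      - pattern: sink(...)

# Constructed target (e.g. target.py) to run the rule against with
# `semgrep --config rule.yaml target.py`; expected results follow the
# behaviour described in the changelog entries above.
#
#   def f(cond, data):
#       if cond:
#           taint(data)        # data becomes tainted by side-effect
#       sink(data)             # finding: taint now flows out of the if-block
#       data = "constant"      # overwritten with safe data
#       sink(data)             # no finding: the overwrite is recognized
#       taint(data)
#       sanitize(data)         # data sanitized by side-effect
#       sink(data)             # no finding
#       taint(data)            # re-tainted after the sanitizer
#       sink(data)             # finding: the sanitizer no longer masks it
```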
Fixed
- TS: support for template literal types after upgrading to a more recent
  tree-sitter-typescript (Oct 2021)
- TS: support for the `override` keyword (#4220, #4798)
- TS: better ASI (#4459) and accept code like `(null)(foo)` (#4468)
- TS: correctly parse private properties (#5162)
- Go: support for ellipsis in multiple return values
  (e.g., `func foo() (..., error, ...) {}`) (#4896)
- semgrep-core: rules stored in JSON instead of YAML can be used again (#5268)
- Python: adds support for parentheses around `with` context expressions
  (e.g., `with (open(x) as a, open(y) as b): pass`) (#5092)