pypi semgrep 0.95.0
Release v0.95.0


0.95.0 - 2022-06-02

Added

  • Sarif output format now includes fixes section
  • Rust: added support for method chaining patterns.
  • M1 Mac support added to PyPI
  • Accept SEMGREP_BASELINE_REF as alias for SEMGREP_BASELINE_COMMIT
  • r2c-internal-project-depends-on:
    • pretty printing for SCA results
    • support for poetry and gradle lockfiles
  • taint-mode: Taint tracking now analyzes lambdas in their surrounding context.
    Previously, if a variable became tainted outside a lambda and was then used
    inside the lambda, carrying the taint to a sink, the flow was not detected,
    because nested lambdas were "opaque" to the analysis (taint tracking looked at
    lambdas, but as isolated functions). Now lambdas are simply analyzed as if they
    were statement blocks. Note that taint tracking still does not follow the flow
    of taint through a lambda's arguments.
  • Metrics now include an anonymous Event ID. This is an ID generated at send-time
    and will be used to de-duplicate events that potentially get duplicated during transmission.
  • Metrics now include an anonymous User ID. This ID is stored in the
    ~/.semgrep/settings.yml file. If the ID disappears, the next run will generate a
    new one randomly. See the Anonymous User ID section in PRIVACY.md for more details.
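To see what the lambda change catches, here is an added example (constructed for this
page; it is not a rule from the release or from the Semgrep registry). Take a target
file, say app.py, in which a request parameter is tainted outside the lambda and
reaches os.system inside it:

    import os
    from flask import request

    def handler():
        cmd = request.args.get("cmd")           # tainted here, outside the lambda
        run = lambda: os.system("echo " + cmd)  # sink inside the lambda body
        run()

A taint-mode rule with request.args.get(...) as the source and os.system(...) as
the sink (rule id and file name are assumptions):

```yaml
rules:
  - id: request-param-to-os-system-in-lambda
    mode: taint
    message: >-
      Request parameter reaches os.system() inside a lambda; shell
      metacharacters in the "cmd" parameter give command injection
    languages: [python]
    severity: ERROR
    pattern-sources:
      - pattern: request.args.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - pattern: os.system(...)
```

Running semgrep --config request-param-to-os-system-in-lambda.yaml app.py reports the
os.system call with 0.95.0; earlier releases analyzed the lambda body as an isolated
function with no tainted variable in scope and reported nothing. The variant
run = lambda c: os.system("echo " + c) followed by run(cmd) is still not reported,
because taint is not followed through the lambda's arguments.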

Changed

  • The ci CLI command will now include ignored matches in output formats
    that dictate they should always be included
  • Previously, you could use $X in a message to interpolate the source text captured
    by a metavariable named $X, but there was no way to access the underlying
    constant-propagated value. Sometimes that value matters more than the captured
    variable name. Now you can use the syntax value($X) to interpolate the underlying
    propagated value if one exists (if not, it falls back to the captured text).
    Example:
    Take a target file that looks like

        x = 42
        log(x)

    Now take a rule that binds the logged argument to $SECRET:

        - id: example_log
          message: Logged $SECRET: value($SECRET)
          pattern: log($SECRET)
          languages: [python]

    Before, this would have given you the message Logged x: value(x). Now it
    gives the message Logged x: 42.
  • A parameter pattern without a default value can now match a parameter
    with a default value (#5021)
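A security-flavoured use of value($X), added here as an illustration (constructed for
this page, not taken from the release): when the propagated constant decides whether
a finding is real, putting it in the message saves the reviewer a lookup. Take a
target file, say kdf.py:

    import hashlib

    ITERATIONS = 1000

    def derive(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

The rule below (rule id, threshold and file name are assumptions) binds the
iteration argument to $ITER and reports both its name and its propagated value:

```yaml
rules:
  - id: pbkdf2-low-iteration-count
    message: >-
      pbkdf2_hmac is called with $ITER = value($ITER) iterations; password
      hashing needs a far higher count
    languages: [python]
    severity: WARNING
    patterns:
      - pattern: hashlib.pbkdf2_hmac($ALG, $PW, $SALT, $ITER, ...)
      - metavariable-comparison:
          metavariable: $ITER
          comparison: $ITER < 100000
```

On kdf.py the message renders as "pbkdf2_hmac is called with ITERATIONS = 1000
iterations". This assumes metavariable-comparison resolves $ITER through the same
constant propagation that value() reads; the release notes only document the
latter. If ITERATIONS were read from the environment instead of assigned a literal,
there would be no propagated value: value($ITER) would fall back to the name and the
comparison would have nothing to evaluate, so the rule would stay silent. That is a
limit of propagation, not evidence of a safe count.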

Fixed

  • Numerous improvements to PHP parsing by switching to tree-sitter-php
    to parse PHP target code. Huge shoutout to Sjoerd Langkemper for doing most
    of the heavy lifting
    (#3941, #2648, #2650, #3590, #3588, #3587, #3576, #3848, #3978, #4589)
  • TS: support number and boolean typed metavariables (#5350)
  • When a rule from the registry fails to parse, suggest that the user upgrade to
    the latest version of Semgrep
  • Scala: correctly handle return for taint analysis (#4975)
  • PHP: correctly handle namespace use declarations when they don't rename
    the imported name (#3964)
  • Constant propagation is now faster and memory efficient when analyzing
    large functions with lots of variables.
