1.16.0 - 2023-03-30
Added
- Kotlin: Added support for typed metavariables. You can write a pattern like:
($X : String)
to find all instances of expressions with type String. (pa-2648) - Scala: Semgrep can now parse programs that contain quoted expressions, context
parameter clauses usingusing, and soft modifiers likeinlineandopen. (pa-2672) - Scala: Can now parse programs containing matches on types, such as:
type t = K match {
case Int => String
} (pa-2673) - Parsing rules can take multiple seconds at the start of a scan.
When running in an interactive terminal with more than 500 rules,
Semgrep will show a progress bar for this step. (rule-progress)
Changed
- Supply Chain scans will now understand
maven_dep_tree.txtfiles
that are made of multiple smallermaven_dep_tree.txtfiles concatenated withcat. (maven-dep-forest) - Findings of a scan are now printed with section headers per group for the following categories:
Code Blocking, Code Non-blocking, Supply Chain Reachable, Supply Chain Unreachable findings. (results-headings) - Switched to using go.mod files to read go dependencies for Semgrep Supply Chain, instead of go.sum files (sc-gomod)
Fixed
- Clojure: parse 'foo/bar' as two separate tokens, so one can use
metavariable in it and get '$X/bar' to match 'foo/bar' (gh-7311) - HTML/XML: support attribute as pattern (e.g.,
foo="true") (gh-7344) - Improved significantly the time to parse big rulesets such as p/default
from 20s to a few seconds by parsing patterns lazily and by
not using /tmp to parse those patterns. (pa-2597) - Pipfiles with a line comment or inline comment will now parse correctly. (sc-664)