1.31.0 - 2023-07-07

Added

• Make CLI hit the new endpoint for the reliable fixed status on the Semgrep app. (cod-16)

• feat(rule syntax): Metavariable Type Extension for Semgrep Rule Syntax 2.0

  This PR introduces the changes made in Semgrep rule syntax 1.0 to version 2.0 as well.

  rule syntax 2.0

  rules:

  • id: no-string-eqeq
    message: find errors
    severity: WARNING
    languages:
    • java
      match:
      all:
      • not: null == (String $Y)
      • $X == (String $Y)

  rule syntax 2.0 after proposed change

  rules:

  • id: no-string-eqeq
    message: find errors
    severity: WARNING
    languages:
    • java
      match:
      all:
      • not: null == $Y
      • $X == $Y
        where:
      • metavariable: $Y
        type: String (gh-8183)

• Rust: Added the ability to taint macro calls through its arguments, in macro calls
  with multiple arguments. (pa-2902)

• Add severity and suggested upgrade versions to Supply Chain findings (sc-772)

• Added support for pnpm lockfile versions >= 6.0 (sc-824)

• (sc-866)

Fixed

• Fixed an issue leading to incorrect autofix results involving JS/TS arrow functions (e.g. () => {}). (gh-7353)
• Dockerfile support: single-quoted strings are now parsed without an error. (gh-7780)
• Fixes Go issue with patterns like make(...); make(...,$X); make($A,$B). (gh-8171)
• Fixed rust attribute patterns to allow matching on simple attribute syntax. (pa-2903)
• Rust: Fixed a bug where standalone metavariable patterns
  were not matching as expected (pa-2915)
• Fixed python semgrep pattern parsing to also parse match statements, by chaining in the python tree-sitter parser, and adding metavariable support to the python tree-sitter parser. (pa-6442)
• poetry.lock parsing: handle empty toml tables, quoted table keys, and arbitrarily placed comments (sc-834)