1.52.0 - 2023-12-05
Added
- Java: Semgrep will now recognize
String.format(...)expressions as constant
strings when all their arguments are constant, but it will still not know
what exact string it is. For example, codeString.format("Abc %s", "123")
will match pattern"..."but it will not match pattern"Abc 123". (pa-3284)
Changed
- Inter-file diff scan will be gradually introduced to a small percentage of
users through a slow rollout process. Users who enable the pro engine and
engage in differential PR scans on Github or Gitlab may experience the impact
of this update. (ea-268) - secrets: now performs more aggressive deduplication for instances where an
invalid and valid match are reported at the same range. Instead of reporting
both, we now report only the valid match when they are otherwise visually
identical. (scrt-271)
Fixed
-
In expression-based languages, definitions are also expressions.
This change allows dataflow to properly handle definition expressions.
For example, the pattern
0 == 0will matchx == 0indef f(c) do x = (y = 0) x == 0 end
because now dataflow is able to handle the expression
y = 0. (pa-3262) -
In version 1.14.0 (pa-2477) we made sink-matching more precise when the sink
specification was like:pattern-sinks: - patterns: - pattern: sink($X, ...) - focus-metavariable: $X
Where the sink specification most likely has the intent to specify the first
argument ofsinkas a sink, andsink(ok1 if tainted else ok2)should NOT
produce a finding, becausetaintedis not really what is being passed to
thesinkfunction.But we only intercepted the most simple pattern above, and more complex sink
specifications that had the same intent were not properly recognized.Now we have generalized that pattern to cover more complex cases like:
patterns: - pattern-either: - patterns: - pattern-inside: | def foo(...): ... - pattern: sink1($X) - patterns: - pattern: sink2($X) - pattern-not: bar(...) - focus-metavariable: $X ``` (pa-3284)
-
Updated the parser used for Rust (rust)