semgrep 1.60.1

Release v1.60.1

on Python PyPI

1.60.1 - 2024-02-09

Added

• Rule syntax: Metavariables by the name of $_ are now anonymous, meaning that
  they do not unify within a single pattern or across patterns, and essentially
  just unconditionally specify some expression.

  For instance, the pattern foo($_, $_) may match the code foo(1, 2).

  This will change the behavior of existing rules that use the metavariable
  $_, if they rely on unification still happening. This can be fixed by simply
  giving the metavariable a real name like $A. (ea-837)

• Added infrastructure for semgrep supply chain in semgrep-core. Not fully functional yet. (ssc-port)

Changed

• Dataflow: Simplified the IL translation for Python with statements to let
  symbolic propagation assume that with foo() as x: ... entails x = foo(),
  so that e.g. Session().execute("...") matches:

  with Session() as s:
      s.execute("SELECT * from T") (CODE-6633)
  

Fixed

• Output: Semgrep CLI now no longer sometimes interpolated metavariables twice, if
  the message that was substituted for a metavariable itself contained a valid
  metavariable to be interpolated (ea-838)