pypi semgrep 1.71.0
Release v1.71.0
on Python PyPI

latest releases: 1.95.0, 1.94.0, 1.93.0...
6 months ago

1.71.0 - 2024-05-03

Added

  • Pro: const-prop: Previously inter-procedural const-prop could only infer whether
    a function returned an arbitrary string constant. Now it will be able to infer
    whether a function returns a concrete constant value, e.g.: 

    def bar():
  return "bar"

def test():
  x = bar()
  foo(x) # now also matches pattern `foo("bar")`, previously only `foo("...")`
``` (flow-61)

  • Python: const-prop: Semgrep will now recognize "..." * N expression as arbitrary
    constant string literals (thus matching the pattern "..."). (flow-75)

Changed

  • The --beta-testing-secrets-enabled option, deprecated for several months, is now removed. Use --secrets as its replacement. (gh-9987)

Fixed

  • When using semgrep --test --json, we now report in the
    config_missing_fixtests field in the JSON output not just rule files
    containing a fix: without a corresponding ".fixed" test file; we now also
    report rule files using a fix-regex: but without a corresponding a
    .fixed test file, and the fix: or fix-regex: can be in
    any rule in the file (not just the first rule). (fixtest)

  • Fixes matching for go struct field tags metadata.

    For example given the program: 

    type Rectangle struct {
    Top    int `json:"top"`
    Left   int `json:"left"`
    Width  int `json:"width"`
    Height int `json:"height"`
}

    The pattern, 

    type Rectangle struct {
    ...
    $NAME $TYPE $TAGS
    ...
}

    will now match each field and the $TAGS metavariable will be
    bound when used in susequent patterns. (saf-949)

  • Matching: Patterns of statements ending in ellipsis metavariables, such as 

    x = 1
$...STMTS

    will now properly extend the match range to accommodate whatever is captured by
    the ellipsis metavariable ($...STMTS). (saf-961)

  • The SARIF output format should have the tag "security" when the "cwe"
    section is present in the rule. Moreover, duplicate tags should be
    de-duped.

    Osemgrep wasn't doing this before, but with this fix, now it does. (saf-991)

  • Fixed bug in mix.lock parser where it was possible to fail on a python None error. Added handler for arbitrary exceptions during lockfile parsing. (sc-1466)

  • Moved --historical-secrets to the "Pro Engine" option group, instead of
    "Output formats", where it was previously (in error). (scrt-570)

Check out latest releases or
releases around semgrep 1.71.0

Don't miss a new semgrep release

NewReleases is sending notifications on new releases.

Get notifications