pypi semgrep 1.75.0
Release v1.75.0
on Python PyPI

latest releases: 1.96.0, 1.95.0, 1.94.0...
5 months ago

1.75.0 - 2024-06-03

Added

  • Pro: Semgrep can now track taint through tuple/list (un)packing intra-procedurally
    (i.e., within a single function). For example: 

    t = ["ok", "taint"]
x, y = t
sink(x) # OK, no finding
sink(y) # tainted, finding
``` (code-6935)

  • Optional type matching is supported in the Pro engine for Python. For example,
    in Python, Optional[str], str | None, and Union[str, None] represent the
    same type but in different type expressions. The optional type match support
    enables matching between these expressions, allowing any optional type
    expression to match any other optional type expression when used with
    metavariable-type filtering. It's important to note that syntactic pattern
    matching still distinguishes between these types. (code-6939)

  • Add support for pnpm v9 (pnpm)

  • Added a new rule option decorators_order_matters, which allows users to make decorators/ non-keyword attributes matching stricter. The default matching for attributes is order-agnostic, but if this rule option is set to true, non-keyword attributes (e.g. decorators in Python) will be matched in order, while keyword attributes (e.g. static, inline, etc) are not affected.

    An example usage will be a rule to detect any decorator that is outside of the route() decorator in Flask, since any decorator outside of the route() decorator takes no effect.

    bad: another.func() takes no effect

    @another.func("func")
    @app.route("route")
    def f():
    pass

    ok: route() is the outermost decorator

    @app.route("route")
    @another.func("func")
    def f():
    pass (saf-435)

Fixed

  • Pro: taint-mode: Fixed issue causing findings to be missed (false negatives)
    when a global or class field was tainted, and then used in a sink after two
    or more function calls.

    For example: 

    class Test {
    string bad;

    void test() {
        bad = "taint";
        foo();
    }

    void foo() {
        bar();
    }

    void bar() {
        sink(bad); // finding no longer missed
    }
} (saf-1059)

  • [Mostly applicable to Pro Engine] Typed metavariables will now match against the inferred type of a binding even if a constant is propagated for that binding, if we are unable to infer a type from the constant. Previously, we would simply fail to match in this case. (saf-1060)

  • Removed the URLs at the end of the log when semgrep ci --dryrun is ran because dry run doesn't interact with the app so the URLs don't make sense. (saf-924)

Check out latest releases or
releases around semgrep 1.75.0

Don't miss a new semgrep release

NewReleases is sending notifications on new releases.

Get notifications