Semgrep Versions Save

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

v1.68.0

3 weeks ago

1.68.0 - 2024-04-08

Added

  • Scan unchanged lockfiles in diff-aware scans (gh-9899)
  • Languages: Added the QL language (used by CodeQL) to Semgrep (saf-947)
  • The SwiftPM parser now reports the package URL and reference. (sc-1218)
  • Add support for Elixir (Mix) SCA parsing for pro engine users. (sc-1303)

Fixed

  • SARIF output now includes dataflow traces. (gh-10004)
  • The environment variable LOG_LEVEL (as well as PYTEST_LOG_LEVEL) is no longer consulted by Semgrep to determine the log level. Only SEMGREP_LOG_LEVEL is consulted. PYTEST_SEMGREP_LOG_LEVEL is also consulted in the current implementation but should not be used outside of Semgrep's Pytest tests. This avoids accidentally affecting Semgrep when it inherits a LOG_LEVEL intended for another application. (gh-10044)
  • The SwiftPM parser no longer limits the number of packages found in a manifest file. (sc-1364)
  • Fixed the incorrect ecosystem being used for Elixir: Hex should be used instead of Mix. (sc-elixir)
  • Fixed the match_based_ids of lockfile-only findings so that they differentiate between findings when one rule produces multiple findings in one lockfile. (sca-mid)
  • Secrets historical scans: fixed a bug where historical scans could run on differential scans. (scrt-545)

v1.54.2

4 weeks ago

1.54.2 - 2023-12-21

Added

  • metrics: added more granular information about pro engine configurations to help differentiate scans using different engine capabilities. For instance, maintainers are now able to distinguish intraprocedural scans without secrets validation from intraprocedural scans with secrets validation. This allows us to have a better understanding of usage and more accurately identify product-specific issues (e.g., to see if something only affects secrets scans). (ea-297)

Fixed

  • Revise error message when running semgrep ci without being logged in to clarify that --config is used with semgrep scan. (gh-9485)

v1.54.3

4 weeks ago

1.54.3 - 2023-12-22

Added

  • Pro only: taint-mode: Added an experimental at-exit: true option for sinks, which makes a sink spec apply only to the "exit" instructions/statements of a function, that is, the instructions after which control flow leaves the function. This is useful for writing rules that find "leaks", such as checking that file descriptors are closed within the same function where they were opened.

    For example, given this taint rule:

    ```yaml
    pattern-sources:
      - by-side-effect: true
        patterns:
          - pattern: $FILE = open(...)
          - focus-metavariable: $FILE
    pattern-sanitizers:
      - by-side-effect: true
        patterns:
          - pattern: $FILE.close(...)
          - focus-metavariable: $FILE
    pattern-sinks:
      - at-exit: true
        pattern: |
          def $FUN(...):
            ...
    ```

    Semgrep will report a finding in the code below, since at print(content), after which control flow reaches the exit of the function, the file has not yet been closed:

    ```python
    def test():
        file = open("test.txt")
        content = file.read()
        print(content) # FINDING
    ```
    (pa-3266)


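The rule fragment from the note above wrapped into a complete rule file that semgrep can load; this is an added example, not part of the release note, and the rule id, message and severity are my own choices:

```yaml
rules:
  - id: file-left-open-at-function-exit
    mode: taint
    languages: [python]
    severity: WARNING
    message: >-
      A file handle opened with open() in this function is still open on a
      path that exits the function; close it before returning.
    # Source: the variable assigned the result of open() becomes tainted.
    # by-side-effect taints the variable itself, not only the call expression.
    pattern-sources:
      - by-side-effect: true
        patterns:
          - pattern: $FILE = open(...)
          - focus-metavariable: $FILE
    # Sanitizer: a close() call on that variable removes the taint.
    pattern-sanitizers:
      - by-side-effect: true
        patterns:
          - pattern: $FILE.close(...)
          - focus-metavariable: $FILE
    # Sink: with at-exit, only the exit instructions of the matched function
    # body are sinks, so taint that survives to a return point is reported.
    pattern-sinks:
      - at-exit: true
        pattern: |
          def $FUN(...):
            ...
```

Save it as leak.yaml and run it with the Pro engine (for example semgrep --config leak.yaml --pro target.py); a function that calls file.close() before returning produces no finding, while the test() function above is reported at print(content).
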
v1.67.0

1 month ago

1.67.0 - 2024-03-28

Added

  • --historical-secrets flag for running Semgrep Secrets regex rules on git history (requires Semgrep Secrets). This flag is not yet implemented for --experimental. (scrt-531)

Changed

  • Files with the .phtml extension are now treated as PHP files. (gh-10009)

  • [IMPORTANT] Logged in users running semgrep ci will now run the pro engine by default! All semgrep ci scans will run with our proprietary languages (Apex and Elixir), as well as cross-function taint within a single file, and other single file pro optimizations we have developed. This is equivalent to semgrep ci --pro-intrafile. Users will likely see improved results if they are running semgrep ci and did not already have additional configuration to enable pro analysis.

    The current default engine does not include cross-file analysis. To scan with cross-file analysis, turn on the app toggle or pass in the flag --pro. We recommend this unless you have very large repos (talk to our support to get help enabling cross-file analysis on monorepos!)

    To revert back to our OSS analysis, pass the flag --oss-only (or use --pro-languages to continue to receive our proprietary languages).

    Reminder: because we release first to our canary image, this change will only immediately affect you if you are using semgrep/semgrep:canary. If you are using semgrep/semgrep:latest, it will affect you when we bump canary to latest. (saf-845)

Fixed

  • Fixed a parsing error in Kotlin when there's a newline between the class name and the primary constructor.

    Previously, this could not be parsed

    ```kotlin
    class C
    constructor(arg:Int){}
    ```

    because of the newline between the class name and the constructor.

    Now it's fixed. (saf-899)

v1.66.2

1 month ago

1.66.2 - 2024-03-26

Added

  • osemgrep now respects HTTP_PROXY and HTTPS_PROXY when making network requests (cdx-253)

Changed

  • [IMPORTANT] The public rollout of inter-file differential scanning has been temporarily reverted for further polishing of the feature. We will reintroduce it in a later version. (saf-268)

Fixed

  • Autofix on variable definitions should now handle the semicolon in Java, C++, and C#. (saf-928)

v1.66.1

1 month ago

1.66.1 - 2024-03-25

Fixed

  • Autofix on variable definitions should now handle the semicolon in Rust, Cairo, Solidity, Dart. (autofix_vardef)
  • [IMPORTANT] We restored bash, jq, and curl in our semgrep docker image as some users were relying on them. We might remove them in the future, but in the meantime we restored the packages, and if we remove them we will announce it more loudly. We also created a new page giving more information about our policy for our docker images: https://semgrep.dev/docs/semgrep-ci/packages-in-semgrep-docker/ (docker_bash)
  • Fixed autofix application on lines containing multi-byte characters. (multibyte)

v1.66.0

1 month ago

1.66.0 - 2024-03-19

Added

  • Added information about interfile pre-processing to --max-memory help. (gh-9932)
  • We've implemented basic support for the yield keyword in Python. The Pro engine now detects taint findings from taint sources returned by the yield keyword. (saf-281)

Changed

  • osemgrep --remote will no longer clone into a tmp folder, but into the current working directory (cdx-remote)

  • [IMPORTANT] Inter-file differential scanning is now enabled for all Pro users.

    While it may take longer than intra-file differential scanning, which is the current default for pro users, it offers deeper analysis of dataflow paths compared to intra-file differential scanning. Additionally, it is significantly faster than non-differential inter-file scanning, with scan times reduced to approximately 1/10 of the non-differential inter-file scan. Users who enable the pro engine and engage in differential PR scans on GitHub or GitLab may experience the impact of this update. If needed, users can revert to the previous intra-file differential scan behavior by configuring the --no-interfile-diff-scan command-line option. (saf-268)

Fixed

  • The official semgrep docker image no longer contains the bash, jq, and curl utilities, to reduce its attack surface. (saf-861)

v1.65.0

1 month ago

1.65.0 - 2024-03-11

Changed

  • Removed the extract-mode rules experimental feature. (extract_mode)

v1.64.0

1 month ago

1.64.0 - 2024-03-07

Changed

  • Removed the AST caching experimental feature (--experimental --ast-caching in osemgrep and -parsing_cache_dir in semgrep-core). (ast_caching)
  • Removed the Registry caching experimental feature (--experimental --registry-caching) in osemgrep. (registry_caching)

Fixed

  • Clean any credentials from project URL before using it, to prevent leakage. (saf-876)
  • ci: Updated the logic for the informational message printed when no rules are sent, so that it is displayed correctly when Secrets is enabled (in addition to when Code is). (scrt-455)

v1.63.0

2 months ago

1.63.0 - 2024-02-27

Added

  • Dataflow: Added support for nested record patterns such as { body: { param } } in the LHS of an assignment. Now given { body: { param } } = tainted Semgrep will correctly mark param as tainted. (flow-68)
  • Matching: metavariable-regex can now match on metavariables of interpolated strings which use variables that have known values. (saf-865)
  • Add support for parsing Swift Package Manager manifest and lockfiles (sc-1217)

Fixed

  • Fixed taint signatures not capturing changes to parameters' fields. (flow-70)
  • Scan summary links printed after semgrep ci scans now reflect a custom SEMGREP_APP_URL, if one is set. (saf-353)