GSSTRhythmGame2021 / DataAcquisition


Bump semgrep from 0.76.2 to 0.104.0 #107

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps semgrep from 0.76.2 to 0.104.0.

Release notes

Sourced from semgrep's releases.

Release v0.103.0

0.103.0 - 2022-07-05

Added

  • Expression statement patterns (e.g. foo();) used to also match when they were a bit deeper in the expression (e.g., x = foo();). This can now be disabled via rule options: with implicit_deep_exprstmt: false (#5472)
  • The timeout for git commands Semgrep runs is now configurable by setting the SEMGREP_GIT_COMMAND_TIMEOUT environment variable. The unit used is seconds. The default value is 300.

Fixed

  • Error messages in JSON output used to contain ANSI color codes, this was fixed so they are now uncolored (and readable!) plain text.

Release v0.102.0

Added

  • Scala: ellipses are now allowed in for loop headers, so you can write patterns like for (...; $X <- $Y if $COND; ...) { ... } to match nested for loops. (#5650)

Fixed

  • taint-mode: In some scenarios some statements were not being included in the CFG used by taint tracking, and as a result some expected findings were not being reported (i.e. false negatives). This affected mainly languages like Scala where traditional control-flow constructs are expressions rather than statements (or, seen in a different way, every statement returns a value). (#5652)

Changed

  • --verbose no longer toggles the display of timing information, use --verbose --time to display this information.

Release v0.101.1

0.101.1 - 2022-06-28

Fixed

  • semgrep ci: CI runs in GitHub Actions failed to check out the commit associated with the head branch; this is fixed here.

Release v0.101.0

0.101.0 - 2022-06-27

Added

  • Bash: Support for subshell syntax i.e. commands in parentheses (#5629)

Changed

Fixed

... (truncated)

Changelog

Sourced from semgrep's changelog.

0.104.0 - 2022-07-13

Added

  • Added a new feature that was described in CLI-123. This was done to support our overarching goal to improve the tool. (cli-123)
  • semgrep ci will now not block builds on triage ignored issues (cli-162)
  • Add support to cli/scripts/compare.py for podman environments (compare-script-podman)
  • A new experimental 'extract' mode. This mode runs a Semgrep rule on a codebase and "extracts" code from matches, treating it as a different language. This allows users to supplement an existing set of rules, e.g., for JavaScript, by writing additional rules to find JavaScript in non-JavaScript files, e.g., JavaScript contained in HTML or template files. While this is somewhat possible with metavariable-pattern, this reduces the work from an M * N problem to an M
  • Added taint traces as part of Semgrep's JSON output. This helps explain how the sink became tainted. (pa-1271)

Changed

  • Metavariable-pattern now uses the same metavariable context as its parent. This will potentially cause breaking changes for rules that reuse metavariables in the pattern. For example, consider the following formula:

    - patterns:
       - pattern-either:
           - pattern-inside: $OBJ.output($RESP)
       - pattern: $RESP
       - metavariable-pattern:
           metavariable: $RESP
           pattern: `...{ $OBJ }...`
    

    Previously, the $OBJ in the metavariable-pattern would be a new metavariable. The formula would behave the same if that $OBJ was $A instead. Now, $OBJ will try to unify with the value bound by $OBJ in the pattern-inside. (gh-5060)

  • The semgrep test output used to produce expected lines and reported lines which is difficult to read and interpret. This change introduces missed lines and incorrect lines to make it easier for the users to pinpoint the differences in output. (gh-5600)

  • Separator lines are no longer drawn between findings that have no source code snippet. (sca-ui)

  • Using ellipses in XML/HTML elements is now more permissive of whitespace. Previously, in order to have an element with an ellipsis, no leading/trailing whitespace was permitted in the element contents, i.e., <tag>...</tag> was the only permitted form. Now, leading or trailing whitespace is ignored when the substantive content of the element is only an ellipsis. (xml-permissive-ellipsis)

Fixed

  • Semgrep App's links to repositories, code snippets, and pull requests are no longer broken for projects that run Semgrep in Circle CI, Bitbucket, and Buildkite. (cli-267)
  • Added a new feature that was described in GitHub Issue #1234. This was done to support our overarching goal to improve the tool. (gh-1234)
  • When running Semgrep via Docker for Mac, all volume-mounted files were considered executable and thus a candidate for scanning Bash code,

... (truncated)

Commits
  • 8976e37 fix changelog formatting
  • a4143a7 chore: Bump version to 0.104.0
  • dd50cca Only include skipped_targets in result when --debug is passed (#5721)
  • d07d13c chore(test): Remove additional test target pollution (#5724)
  • cee65cc test(ts): Add test for complex dots import pattern (#5695)
  • cee144e Support not blocking triage ignored issues (#5722)
  • a1e0e19 Add support to cli/scripts/compare.py for podman environments (#5710)
  • b4d9c73 fix(privacy): update note about config auto data (#5716)
  • 34b9e47 add: clarify top level help text (#5611)
  • 0cc4d0b fix some env vars, convert ssh urls (#5719)
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
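Two of the behaviour changes quoted above (the `implicit_deep_exprstmt` rule option added in 0.103.0, and the shared metavariable context for `metavariable-pattern` in 0.104.0) are the ones most likely to change what a rule set reports after this bump. The rule file below is an added illustration written for this page; it is not code from semgrep, dependabot, or this repository. The rule ids, the `foo`, `write` and `toString` names, and the JavaScript target language are assumptions chosen for the example.

```yaml
rules:
  # Rule 1 (0.103.0, implicit_deep_exprstmt): the statement pattern `foo(...);`
  # matches a bare `foo();` statement. With the option at its default (true) it
  # would also match the call nested inside `x = foo();`; with it set to false,
  # as here, only the bare statement matches. `foo` is a placeholder name.
  - id: bare-call-result-discarded
    languages: [javascript]
    severity: WARNING
    message: "return value of foo() is discarded"
    pattern: foo(...);
    options:
      implicit_deep_exprstmt: false

  # Rule 2 (0.104.0, metavariable-pattern bindings): $OBJ inside the
  # metavariable-pattern is now the same metavariable as the $OBJ bound by
  # pattern-inside, so this reports `res.write(res.toString())` but not
  # `res.write(other.toString())`. Under the old behaviour the inner $OBJ was a
  # fresh metavariable and both calls would have matched. `write` and
  # `toString` are placeholder method names.
  - id: object-writes-itself
    languages: [javascript]
    severity: INFO
    message: "$OBJ.write() is called with a value derived from $OBJ itself"
    patterns:
      - pattern-inside: $OBJ.write($ARG)
      - pattern: $ARG
      - metavariable-pattern:
          metavariable: $ARG
          pattern: $OBJ.toString()
```

Run it with `semgrep --config rules.yml target.js` against a file containing the calls named in the comments. Before merging a bump like this one, running the project's existing rules against a fixed sample with both the old and the new semgrep version and diffing the JSON output is the quickest way to catch rules whose matches change because of the second behaviour.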
dependabot[bot] commented 2 years ago

Superseded by #110.