- Undocumented, experimental metavariable-analysis feature supporting two kinds of analyses: prediction of regular expression denial-of-service vulnerabilities (ReDoS, redos analyzer, #4700) and high-entropy string detection (entropy analyzer, #4672).
- A new subcommand semgrep publish allows users to upload private, unlisted, or public rules to the Semgrep Registry.

Fixed

- Configure the PCRE engine with lower match-attempts and recursion limits in order to prevent regex matching from potentially "hanging" Semgrep.
- Terraform: Parse heredocs respecting newlines and whitespace, so that it is possible to correctly match these strings with metavariable-regex or metavariable-pattern. Previously, Semgrep had problems analyzing e.g. embedded YAML content. (#4582)
- Treat Go raw string literals like ordinary string literals. (#3938)
- Fix for: semgrep always highlights one extra character.

Changed

- Improved constant propagation for global constants.
- PHP: Constant propagation now has built-in knowledge of escapeshellarg and htmlspecialchars_decode; if these functions are given constant arguments, then Semgrep assumes that their output is also constant.
- The environment variable used by Semgrep login changed from SEMGREP_LOGIN_TOKEN to SEMGREP_APP_TOKEN.
- Experimental baseline scanning. Run with --baseline-commit GIT_COMMIT to only show findings that currently exist but did not exist in GIT_COMMIT.
Changed
- Scans now report a breakdown of how many target paths were skipped for what reason. --verbose mode will list all skipped paths along with the reason they were skipped.
- Performance: send all rules directly to semgrep-core instead of invoking semgrep-core for each rule, reducing the overhead significantly. Other changes resulting from this: Sarif output now includes all rules run; error messages use the full path of rules; the progress bar reports by file instead of by rule.
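As an added example that is not part of this PR or of Semgrep's own release notes, the rule file below exercises the two analyzers named in the first entry above (entropy for hardcoded secrets, redos for catastrophic-backtracking regexes). The feature is undocumented in this release, so the keys `metavariable-analysis`, `analyzer` and `metavariable` are assumed from Semgrep's later rule documentation; the rule ids, messages and the `$KEY` name filter are constructed here.

```yaml
rules:
  - id: python-hardcoded-high-entropy-secret
    languages: [python]
    severity: WARNING
    message: >-
      '$KEY' is assigned a high-entropy string literal, which looks like a
      hardcoded credential. Read it from the environment or a secrets manager.
    patterns:
      - pattern: $KEY = "$VALUE"
      # Restrict to names that suggest a credential, to keep false positives down.
      - metavariable-regex:
          metavariable: $KEY
          regex: (?i).*(secret|token|password|api_?key).*
      # Entropy analyzer: flags only if the literal bound to $VALUE is high-entropy.
      - metavariable-analysis:
          analyzer: entropy
          metavariable: $VALUE

  - id: python-regex-denial-of-service
    languages: [python]
    severity: WARNING
    message: >-
      The regular expression bound to $PATTERN can backtrack catastrophically
      on untrusted input (ReDoS). Remove nested or overlapping quantifiers,
      or bound the input length before matching.
    patterns:
      - pattern-either:
          - pattern: re.compile("$PATTERN", ...)
          - pattern: re.match("$PATTERN", ...)
          - pattern: re.search("$PATTERN", ...)
          - pattern: re.findall("$PATTERN", ...)
      # ReDoS analyzer: static prediction on the regex literal bound to $PATTERN.
      - metavariable-analysis:
          analyzer: redos
          metavariable: $PATTERN
```

Run it with `semgrep --config rules.yml .`; only literals that the analyzers classify as high-entropy or ReDoS-prone produce findings, so the broad `re.*` patterns alone do not fire.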
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.83.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits

- ba762dc Fix broken sentence
- aa5d7e3 Make release scripts interactive and tolerant of human intervention
- dfeac3e Bump to version 0.83.0
- a6caa32 Add paths to json output (#4659)
- 37dc245 const-prop: Make basic const-prop more powerful (#4724)
- 148f738 [C#] add support for typed metavariables (#4723)
- 28a5de8 Treat Go raw string literals like ordinary string literals (#4671)
- ba6b5a0 const-prop: Fix duplication of partial evaluation code for Generic (#4719)
- 938aac4 Eliminate uname zombies (#4718)
- 2b94bb4 Add tests for color output (#4706)