- Dataflow: XML elements (e.g. JSX elements) now have a basic translation to the Dataflow IL, meaning that dataflow analysis (constant propagation, taint tracking) can now operate inside these elements (#5115)
- Java: you can now use a metavariable in a package directive (#5420), for example `package $X`, which is useful to bind the package name and use it in the error message.

Fixed

- The output of semgrep ci should make clear that it is exiting with error code 0 when there are findings but none of them are blockers
- Java: support for Sealed classes and Text Blocks via tree-sitter-java (#3787, #4644)
- The JUnit XML output should serialize the failure messages as a single string instead of a Python list of strings.
- Typescript: update to latest tree-sitter-typescript, with support for the 'abstract' modifier in more places
- Scala: stop parsing parenthesized expressions as unary tuples
- yarn.lock files with no dependencies, and with dependencies that lack URLs, now parse
- Scala: fixed bug where typed patterns inside classes caused an exception during name resolution
- metavariable-regex: patterns are now unanchored as specified by the documentation (#4807)
- When a logged-in CI scan encounters a Git failure, we now print a helpful error message instead of a traceback.
- Generic mode: new option `generic_ellipsis_max_span` for controlling how many lines an ellipsis can match (#5211)
- Generic mode: new option `generic_comment_style` for ignoring comments that follow the specified syntax (C style, C++ style, or Shell style) (#3428)
- Metrics now include a list of features used during an execution. Examples of such features are: languages scanned, CLI options passed, keys used in rules, or certain code paths reached, such as using an `:include` instruction in a `.semgrepignore` file. These strings will NOT include user data or specific settings. As an example, with `semgrep scan --output=secret.txt` we might send "option/output" but will NOT send "option/output=secret.txt".

Changed

- The output summarizing a scan's results has been simplified.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.97.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
- ea2980c chore: Bump version to 0.97.0
- 8598287 fix: typo (#5467)
- d961adf fix: release script accept changes to version.ml (#5466)
- e641758 fix: changelog (#5465)
- 696a0c9 fix(rule): Make full hash consistent regardless of metadata (#5463)
- 07c6b87 fix(junit_xml_output): failure content should not be a python list of string ...
- f43d4e4 ci: Make python test jobs faster (#5444)
- 692078a Add untyped SCA output to app findings + test RuleMatch to app finding conver...
- 1c6b89f Push image if on develop (#5462)
- 68e629e ci(tests): Fix lack of auth to push semgrep-dev image (#5456)