Added
New language R with experimental support (#2360)
Thanks to Zythosec for some contributions.
Autodetection of CI env now supports Azure Pipelines, Bitbucket, Buildkite, Circle CI, Jenkins,
and Travis CI in addition to GitHub and GitLab
You can now disable version checks with an environment variable by setting
SEMGREP_ENABLE_VERSION_CHECK=0
Dataflow: spread operators in record expressions (e.g. {...foo}) are now translated into the Dataflow IL
An experimental LSP daemon mode for semgrep. Try it with semgrep lsp --config auto!
Changed
Rules are now downloaded from the Semgrep Registry in JSON format instead of YAML.
This speeds up rule parsing in the Semgrep CLI,
making a semgrep --config auto run on the semgrep Python package in 14s instead of 16s.
Fixed
Fixed a bug where --disable-version-check would still send a request
when a scan resulted in zero findings.
Fixed a regression in 0.97 where the Docker image's working directory changed from /src without notice.
This also could cause permission issues when running the image.
Go: a single pattern field can now match top-level fields in a composite
literal (#5452)
PHP: metavariable-pattern works again when used with language: php (#5443)
PHP: booleans are propagated by constant propagation (#5509)
Dataflow: XML elements (e.g. JSX elements) now have a basic translation to the
Dataflow IL, meaning that dataflow analysis (constant propagation, taint tracking)
can now operate inside these elements (#5115)
Java: you can now use a metavariable in a package directive (#5420),
for example, package $X, which is useful to bind the package
name and use it in the error message.
Fixed
The output of semgrep ci now makes it clear that it is exiting with error code 0
when there are findings but none of them are blocking.
Java: support for Sealed classes and Text Blocks via tree-sitter-java
taint-mode: New experimental pattern-propagators feature that allows you to specify
arbitrary patterns for the propagation of taint by side-effect. In particular,
this allows you to specify how taint propagates through side-effectful function calls.
For example, you can specify that when tainted data is added to an array, the
array itself becomes tainted. (#4509)
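As an added illustration that is not part of the Semgrep changelog, here is a taint rule using pattern-propagators for exactly the case the item describes: appending a tainted value to a list taints the list itself. The source (request.args.get) and sink (os.system) are the example's own choices, and the pattern/from/to keys are assumed to follow the documented Semgrep taint-mode rule syntax.

```yaml
# Added example, not from the Semgrep project. A taint rule in which a tainted
# value appended to a list taints the list, so a later use of that list at a
# sink is reported. Source and sink are constructed for this example; the
# pattern/from/to keys are assumed to match the Semgrep taint-mode syntax.
rules:
  - id: tainted-list-reaches-os-system
    languages: [python]
    severity: ERROR
    mode: taint
    message: >-
      Untrusted request data is collected into a list that later reaches
      os.system(); the list became tainted through append().
    pattern-sources:
      - pattern: request.args.get(...)
    pattern-propagators:
      # Side-effect propagation: append() returns None, so without this
      # propagator the taint on $ITEM would be lost. With it, $LIST is
      # tainted from this statement onward.
      - pattern: $LIST.append($ITEM)
        from: $ITEM
        to: $LIST
    pattern-sinks:
      - pattern: os.system(...)
# Constructed target this rule is meant to flag:
#   cmds = []
#   cmds.append(request.args.get("cmd"))  # tainted value enters the list
#   os.system(" ".join(cmds))             # reported: cmds is tainted via the propagator
```

Run it with `semgrep --config rule.yaml target.py`; removing the pattern-propagators block makes the finding disappear, which is a quick way to confirm the propagator is what carries the taint.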
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.98.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
7895689 chore: Bump version to 0.98.0
bf5ce3c fix: Match TyN pattern against TyExpr (N ...) source (#5540)
d2afc7e auto-create the git tag in addition to the branch (#5535)
995163b fix(js): Parse New as a separate construct from Call (#5510)
726ea1a opti: new -use_parsing_cache option to semgrep-core (#5539)
f13f70b update to latest semgrep-rules and small changes (#5537)
8b1f5f7 R: add tests for experimental maturity (#5536)
c4fc58a refactor: Improve encapsulation of Xpattern_matcher cache (#5530)
ba145dd test: Fix syntax error in misc_naming_recursion test (#5529)
a9dd183 Update workflow to allow checks to run without open/close PR (#5519)