Semgrep's February 2022 Updates

Semgrep’s weekly release cadence lets us ship features quickly, but it falls short when it comes to highlighting larger features. This post looks back through the last few months’ releases to highlight the biggest new features that landed.

If you need a reminder: Semgrep is a fast, open-source static analysis tool for finding bugs and enforcing code standards. Semgrep App is a hosted application that helps your team make the most of Semgrep. The App’s free tier has no limits on users or repositories.

Application security issues can have a significant impact on an organization and its customers. Traditional SAST tools are complicated and slow and hence not for everyone.

r2c’s mission is to empower everyone to use static analysis. Keeping that in mind, we are excited to announce Semgrep February 2022 updates which focus on improving collaboration between developer and security teams, making rule-writing at scale easy, and improving software reliability by adding deep analysis features.

Here’s what’s new:

• Developer Feedback: See what developers really think about rules in their workflow

• Editor: Easier to write customized rules

• Extended language and analysis support: More breadth & depth that make Semgrep awesome(r)

• Deep analysis features: Symbolic propagation and taint tracking

• Language support

• Conclusion

Developer Feedback: See what developers really think about rules in their workflow

When it comes to security, developers and security teams might not always speak the same language. It’s not enough to throw findings over the fence - security teams must collaborate with developers. In many cases, this friction is caused by rules that the developers think are not useful or are confusing. Talking to our customers, we have seen that the security teams are cognizant of what they inject into the developer’s CI/CD workflow.

With the addition of Semgrep’s Developer Feedback (available in Team tier), security teams can measure sentiment about rules running in CI/CD, enabling them to be on the same page as developers.

Developer’s view of Semgrep’s Developer Feedback

With Developer Feedback, security teams can see what rules perform well or poorly across projects and teams. Using this information, the security teams can tune the rules they run to make sure developers see only the most effective findings rather than "spam".

This information, along with additional data about project and rule performance, can be seen in the new Dashboard.

Editor: Easier to write customized rules

Rules are written either by the developer team or the security team or by a combination of these teams. As the number of rules grew, we heard from customers that it is difficult to collaborate on those rules with different stakeholders - leading to a lot of back and forth. In earlier versions of Semgrep, the Playground was used to create and manage rules. Although simple to use, the Playground lacked some functionality such as creating and adding private rules.

The Editor gives a single pane of glass to security and developer teams to collaborate on adding, deploying, and enforcing rules. Evaluating rules using testing is easy with the Editor as it instantly gives much more information about how a rule is performing, thus reducing the number of false positives.

For Team tier users, we’re introducing private rules using the Editor, ensuring authors can trust the security of their rule at each step of the creation process.

Authors don’t need to write each rule from scratch. The Editor allows authors to easily leverage the huge database of rules in the Semgrep registry, fork or copy an existing rule from the registry, edit it, and add it to your repository.

Copy or fork an existing rule

Thus, the Editor acts as a Swiss army knife for Security Engineers as it gives them the flexibility to create new rules from existing ones, the ability to save private rules, evaluate rules using tests, and information about which rules exist, where they are running, and their visibility - all in one place!

Extended Language and Analysis Support: More breadth & depth that make Semgrep awesome(r)

Meanwhile, Semgrep added support for seven new languages, deep analysis features such as symbolic propagation and improved taint-tracking, and a 2-3x speedup!

Semgrep scan time on Python projects

Deep Analysis Features - Symbolic Propagation and Taint Tracking

Symbolic propagation is the generalization of constant propagation. Semgrep already supports constant propagation. With constant propagation, intermediate constant assignments can be unfolded and substituted. However, the same was not true for variable assignments. For example, a rule such as - $OBJ.foo().bar()would not work on the following code because of intermediate assignments.

1def test(obj):
2   x = obj.foo()
3   # ruleid: test
4   x.bar()

Instead, you would also had to add -

1$VAR = $OBJ.foo();
2...
3$VAR.bar()

In order to match the above code.

With symbolic propagation, $OBJ.foo().bar() would work as is! (just set options: symbolic_propagation: true)

For more details check out the documentation and for more examples, you can refer to this blog.

Taint Tracking helps increase security by preventing injection vulnerabilities. Earlier, in order to find injection vulnerabilities, you had to write complex rules such as this. With improved taint-tracking, you can find injection vulnerabilities and minimize false positives using sanitizers. Read the blog to learn more about taint-tracking.

Language Support

We now support more commonly used languages. Since November, we've promoted 7 languages to new maturity levels:

This makes our total 24+ languages! See the full list.

Conclusion

The best way to learn about these features is to experiment with them. Please check out the Semgrep Playground or sign up to use Semgrep App in production! Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help!