April 2021
Version 0.49.0
Additions
- Support for matching multiple arguments with a metavariable (#3009). This is done with a "spread metavariable" operator that looks like $...ARGS. This used to be available only for JavaScript and TypeScript, and is now available for the other languages (Python, Java, Go, C, Ruby, PHP, and OCaml).
- A new --optimizations [STR] command-line flag to turn on or off some optimizations. Use "none" to turn off everything and "all" to turn on everything. Just using
--optimizationsis equivalent to--optimizationsall, and not using--optimizationsis equivalent to--optimizationsnone. - JavaScript/TypeScript: Support
...inside JSX text to match any text, as in<a href="foo">...</a>. (#2963) - JavaScript/TypeScript: Support metavariables for JSX attribute values, as in
<a href=$X>some text</a>. (#2964)
Fixes
- Python: correctly parsing fstring with multiple colons
- Ruby: better matching for interpolated strings (#2826 and#2949)
- Ruby: correctly matching numbers
Changes
- Add required executionSuccessful attribute to SARIF output (#2983). Thanks toSimon Engledew!
- Remove jsx and tsx from languages, instead just use javascript or typescript (#3000)
- Add limit max characters in the output line (#2958) and add a flag to control maximum characters (defaults to 160). Thanks toAnkush Menat!
Version 0.48.0
Additions
- Taint mode: Basic cross-function analysis (#2913)
- Support for the new Java record extension and Java symbols with accented characters (#2704)
Fixes
- Capturing functions when used as both expressions and statements in JavaScript (#1007)
- Literal for ocaml tree sitter (#2885)
Changes
- The extra lines data is now consistent across scan types (e.g., semgrep-core, spacegrep, pattern-regex)
Version 0.47.0
Additions
- Java: support of for(...)
- Rust: Semgrep patterns now support top-level statements (#2910)
- Support for UTF-8 code with non-ASCII chars (#2944)
Fixes
- Single field pattern in JSON, allowing $FLD: { ... } pattern
- Config detection in files with many suffix delimiters, like this.that.check.yaml. More concretely: configs end with .yaml, YAML language tests end with .test.yaml, and everything else is handled by its respective language extension (e.g., .py).
- Single array field in YAML in a pattern is parsed as a field, not a one element array
Version 0.46.0
Additions
- YAML language support to --test
Fixes
- SARIF output now nests invocations inside runs
- Go backslashed carets in regexes can be parsed
Changes
- Deep expression matches (<... foo ...>) now match within the bodies of anonymous functions (a.k.a. lambda-expressions) and arbitrary language-specific statements (e.g., the Golang go statement)
Version 0.45.0
Additions
- --experimental flag for passing rules directly to semgrep-core (#2836)
Fixes
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.