April 2021

Version 0.49.0

Additions

  • Support for matching multiple arguments with a metavariable (#3009). This is done with a "spread metavariable" operator that looks like $...ARGS. This used to be available only for JavaScript and TypeScript, and is now available for the other languages (Python, Java, Go, C, Ruby, PHP, and OCaml).
  • A new --optimizations [STR] command-line flag to turn on or off some optimizations. Use "none" to turn off everything and "all" to turn on everything. Just using --optimizations is equivalent to --optimizations all, and not using --optimizations is equivalent to --optimizations none.
  • JavaScript/TypeScript: Support ... inside JSX text to match any text, as in <a href="foo">...</a>. (#2963)
  • JavaScript/TypeScript: Support metavariables for JSX attribute values, as in <a href=$X>some text</a>. (#2964)
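As an added illustration of the spread metavariable described above (example rule written for this page, not part of the release notes), a Semgrep rule that binds every argument of a call with $...ARGS so the autofix can carry them over unchanged; the rule id and message are made up here:

```yaml
rules:
  - id: insecure-hash-md5
    languages: [python]
    severity: WARNING
    message: MD5 is not collision resistant; use SHA-256 where integrity matters
    # $...ARGS matches zero or more arguments, so this single pattern covers
    # hashlib.md5(), hashlib.md5(data) and hashlib.md5(data, usedforsecurity=True).
    # Unlike a bare "...", the spread metavariable keeps what it matched, which
    # lets the fix below reproduce the original argument list verbatim.
    pattern: hashlib.md5($...ARGS)
    fix: hashlib.sha256($...ARGS)
```

Saved as insecure-hash-md5.yaml, the rule runs with semgrep --config insecure-hash-md5.yaml and the constructed file above as the target, and --autofix applies the rewrite in place.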

Fixes

  • Python: correctly parse f-strings with multiple colons
  • Ruby: better matching for interpolated strings (#2826 and #2949)
  • Ruby: correctly matching numbers

Changes

  • Add required executionSuccessful attribute to SARIF output (#2983). Thanks to Simon Engledew!
  • Remove jsx and tsx from languages, instead just use javascript or typescript (#3000)
  • Limit the maximum number of characters in an output line (#2958) and add a flag to control that maximum (defaults to 160). Thanks to Ankush Menat!

Version 0.48.0

Additions

  • Taint mode: Basic cross-function analysis (#2913)
  • Support for the new Java record extension and Java symbols with accented characters (#2704)

Fixes

  • Capturing functions when used as both expressions and statements in JavaScript (#1007)
  • Literals for the OCaml tree-sitter parser (#2885)

Changes

  • The extra lines data is now consistent across scan types (e.g., semgrep-core, spacegrep, pattern-regex)

Version 0.47.0

Additions

  • Java: support for for(...)
  • Rust: Semgrep patterns now support top-level statements (#2910)
  • Support for UTF-8 code with non-ASCII chars (#2944)

Fixes

  • Single-field patterns in JSON, allowing a $FLD: { ... } pattern
  • Config detection in files with many suffix delimiters, like this.that.check.yaml. More concretely: configs end with .yaml, YAML language tests end with .test.yaml, and everything else is handled by its respective language extension (e.g., .py).
  • A single array field in a YAML pattern is now parsed as a field, not as a one-element array

Version 0.46.0

Additions

  • YAML language support to --test

Fixes

  • SARIF output now nests invocations inside runs
  • Go: backslash-escaped carets in regexes are now parsed correctly

Changes

  • Deep expression matches (<... foo ...>) now match within the bodies of anonymous functions (a.k.a. lambda-expressions) and arbitrary language-specific statements (e.g., the Golang go statement)

Version 0.45.0

Additions

  • --experimental flag for passing rules directly to semgrep-core (#2836)

Fixes

  • Ellipses in template strings no longer match string literals (#2780)
  • Go: correctly parse select/switch clauses like in tree-sitter (#2847)
  • Go: correctly parse the 'for ...' header in Go patterns (#2838)