April 2023
Semgrep OSS Engine
This section of release notes includes upgrades of Semgrep OSS Engine for versions ranging between 1.17.0 and 1.20.0.
Added
- Java support: With this update, private static variables that are defined just once in a static block are now considered as
final
by Constant propagation, even if they are not explicitly declared. - Metavariable comparison: You can now use the exponentiation operator
**
in your expressions when comparing metavariables. - Kotlin language support: With this update, Semgrep evaluates class fields with the correct types and can detect these fields accurately with typed metavariables. For example, a class such as the following:
class Foo {
var x: Int
} - Scala language support improvements:
-
Semgrep can now parse indented matches, such as the following:
e match
case foo => "foo"
case bar => "bar" -
Semgrep now provides improved parsing functionality for arguments with
using
keyword and splatted arguments. With this update, Semgrep can now correctly parse Scala code with constructs such as:foo(using bar)
foo(1, 2, bar*) -
Improved parsing functionality for indented
for
expressions in Scala. With this update, Semgrep can now correctly parsefor
expressions that are indented, such as:for
_ <- 5
yield ... -
Some additional Scala updates that Semgrep now supports:
enum
constructsgiven
definitionsexport
keyword- Top-level definitions
- Added proper parsing for Scala 3 style imports.
-
Changed
- Semgrep no longer reports partially analyzed files as skipped when using
--verbose
flag. If Semgrep lacks information about what lines have been skipped, it no longer reports that all lines have been skipped. For example, an error while evaluating ametavariable-pattern
operator in one rule may cause a finding to be missed and report the file as partially analyzed. However, that error did not affect any other rules, and even the affected rule can produce some findings. - Enhancement to the
--verbose
flag output. When you use the--verbose
flag in the command line, the different lists of skipped files are now sorted alphabetically. This makes it easier todiff
the outputs of two runs and quickly identify any differences in skipped files. - Taint analysis:
- Added option
taint_assume_safe_comparisons
, disabled by default, that prevents comparison operators to propagate taint, so for exampletainted != "something"
is not considered tainted. Note that this a syntactic check, if the operator is overloaded to perform a different operation this will not be detected. - Semgrep OSS Engine taint analysis now includes option
taint_assume_safe_comparisons
that prevents comparison operators to propagate taint. For example,tainted != "something"
is not considered tainted. Thetaint_assume_safe_comparisons
is disabled by default. Note that this a syntactic check, if the operator is overloaded to perform a different operation Semgrep does not detect this code.
- Added option
Semgrep Code
Changed
- Improvements to Slack notifications for Semgrep Code scans. See Semgrep Cloud Platform.
- Many Semgrep Pro rules now have rewritten messages. These new rule messages help you to better understand the detected vulnerabilities and enable you to mitigate them with ease. Updates cover all rules associated with the following Common Weakness Enumerations (CWE):
- CWE-22 - Path traversal
- CWE-78 - Command injection
- CWE-89 - SQL Injection
- CWE-94 - Code injection
- CWE-287 - Improper authentication
- CWE-798 - Hardcoded secrets
- CWE-918 - Server-Side Request Forgery (SSRF)
Semgrep Pro Engine
Added
-
Taint analysis: Semgrep Pro Engine now supports simple cases of cross-function (interprocedural) taint labels.
-
Java language support: With this update, Semgrep Pro Engine can track the propagation of taint from the arguments of a method to the called object. For example:
public void foo(int x) {
this.x = x;
}When called with a tainted argument:
o.foo(tainted);
Semgrep can track and report that the field
x
ofo
has been tainted.
Changed
- Previously, the
semgrep --pro
command required a directory as its single target. With this update,semgrep --pro
command is still limited to a single target, but in addition to a whole directory, it can now target files also.
Semgrep Supply Chain
Additions
- Semgrep Supply Chain Dependency search is now in beta. Dependency search displays all your direct and transitive dependencies on the Supply Chain > Dependencies page. You can search for any dependency in all of your repositories in the Semgrep Cloud Platform, provided that their language is supported by Semgrep Supply Chain.
- Semgrep Supply Chain now supports
package-lock.json
version 3.
Changes
- Improvements to Slack notifications for Semgrep Supply Chain scans. See Semgrep Cloud Platform.
- Semgrep Supply now parses
go.mod
for a list of dependencies. - Semgrep Supply Chain no longer parses
go.sum
for a list of dependencies. - The title of Supply Chain findings in the CLI now consists of the package name and CVE, instead of just the rule's UUID.
Semgrep Cloud Platform
Additions
- You can now add repositories from Azure Repos into the Semgrep Cloud Platform.
- Bitbucket PR comments are now available for Bitbucket Cloud users. See the Enabling Bitbucket pull request comments to enable PR comments in your repositories.
Changes
- The Semgrep Slack app has been improved. Create customized subscriptions to Semgrep findings based on Rule board policy (Monitor, Comment, or Block) and other filters for your specific Slack channels. By creating your customized subscriptions, Semgrep only sends notifications about repositories and findings relevant to developers. Security engineers can still receive notifications of all issues across the entire organization’s repositories. See Receiving Slack notifications.
- Updated the Settings > SSO page. The page now displays your current SSO settings, if any.
- Previously, Semgrep automatically associated organization accounts with their corresponding GitHub Cloud or GitLab SaaS organizations. Now, users can choose to connect their Semgrep organization accounts with their repository provider. To associate your Semgrep organization with your repository provider, sign in to Semgrep Cloud Platform, then go to Settings > Source code > then select your repository provider.
- Various improvements to UI consistency and improved layout for wide monitors.
- Fixed various bugs within the Editor and Playground.
Documentation updates
Added
- New section Semgrep add-on reconciliation of licenses and Example of license reconciliation.
- New section Updating existing open-source rules in Semgrep Registry.
- Added section Creating rules that analyze across files and Types of Semgrep Pro Engine analysis.
- Added Appendix: Token scopes.
Changed
- Notification documentation has been separated into guides for each notification channel, such as Slack or webhooks.
- Fixed embedded examples in Semgrep Pro Engine examples document.
- Our Cheat sheets now suggest the default ruleset instead of specific rules for you to scan your code.
- Updated CLI reference.
- Clarified sections Disable rules and Removing rulesets.
- Known limitations of Semgrep Pro Engine section have been expanded and moved to the Known limitations of cross-file analysis document.
- Fixed various broken links.
- Fixed various spelling issues.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.