
April 2023

Semgrep OSS Engine

This section of release notes includes upgrades of Semgrep OSS Engine for versions ranging between 1.17.0 and 1.20.0.

Added

  • Java support: With this update, private static variables that are defined only once in a static block are now treated as final by constant propagation, even if they are not explicitly declared final.
  • Metavariable comparison: You can now use the exponentiation operator ** in your expressions when comparing metavariables.
  • Kotlin language support: With this update, Semgrep evaluates class fields with the correct types and can detect these fields accurately with typed metavariables. For example, a class such as the following:
    class Foo {
        var x: Int
    }

  • Scala language support improvements:
    • Semgrep can now parse indented matches, such as the following:
      e match
        case foo => "foo"
        case bar => "bar"
    • Semgrep now provides improved parsing for arguments with the using keyword and for splatted arguments. With this update, Semgrep can correctly parse Scala code with constructs such as:
      foo(using bar)
      foo(1, 2, bar*)
    • Improved parsing for indented for expressions in Scala. With this update, Semgrep can correctly parse for expressions that are indented, such as:
      for
        _ <- 5
      yield ...
    • Some additional Scala updates that Semgrep now supports:
      • enum constructs
      • given definitions
      • export keyword
      • Top-level definitions
      • Added proper parsing for Scala 3 style imports.

Changed

  • Semgrep no longer reports partially analyzed files as skipped when using the --verbose flag. If Semgrep lacks information about which lines were skipped, it no longer reports that all lines were skipped. For example, an error while evaluating a metavariable-pattern operator in one rule may cause a finding to be missed and the file to be reported as partially analyzed; however, that error does not affect any other rules, and even the affected rule can still produce some findings.
  • Enhancement to the --verbose flag output: when you use the --verbose flag on the command line, the different lists of skipped files are now sorted alphabetically. This makes it easier to diff the outputs of two runs and quickly identify any differences in skipped files.
  • Taint analysis:
    • Semgrep OSS Engine taint analysis now includes the option taint_assume_safe_comparisons, which prevents comparison operators from propagating taint. For example, tainted != "something" is not considered tainted. The option is disabled by default. Note that this is a syntactic check: if the operator is overloaded to perform a different operation, Semgrep does not detect this.
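To show how the option changes a taint rule's behaviour, here is an added example rule (it is not from the release notes or the Semgrep project); the source and sink patterns and the commented Java target are constructed assumptions.

```yaml
rules:
  - id: tainted-value-reaches-sink
    mode: taint
    languages: [java]
    severity: WARNING
    message: User-controlled value flows into sink()
    options:
      # Default is false, in which case the result of "s != \"something\""
      # is itself considered tainted. Set to true to treat comparison
      # operators as safe (a purely syntactic check).
      taint_assume_safe_comparisons: true
    pattern-sources:
      # Hypothetical source: a servlet-style request parameter.
      - pattern: request.getParameter(...)
    pattern-sinks:
      # Hypothetical sink function.
      - pattern: sink(...)

# Constructed Java target showing the option's effect (comments only,
# not part of the rule):
#   String s = request.getParameter("q");   // source
#   boolean differs = s != "something";     // comparison operator
#   sink(s);        // reported: s is tainted
#   sink(differs);  // not reported with the option on;
#                   // reported when the option is left at its default (false)
```

Because the check is syntactic, it covers only the comparison operators themselves; a method call such as s.equals("something") is not a comparison operator, so its result still propagates taint under Semgrep's default assumption that calls on tainted data return tainted data.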

Semgrep Code

Changed

  • Improvements to Slack notifications for Semgrep Code scans. See Semgrep Cloud Platform.
  • Many Semgrep Pro rules now have rewritten messages. These new rule messages help you to better understand the detected vulnerabilities and enable you to mitigate them with ease. Updates cover all rules associated with the following Common Weakness Enumerations (CWE):
    • CWE-22 - Path traversal
    • CWE-78 - Command injection
    • CWE-89 - SQL Injection
    • CWE-94 - Code injection
    • CWE-287 - Improper authentication
    • CWE-798 - Hardcoded secrets
    • CWE-918 - Server-Side Request Forgery (SSRF)

Semgrep Pro Engine

Added

  • Taint analysis: Semgrep Pro Engine now supports simple cases of cross-function (interprocedural) taint labels.
  • Java language support: With this update, Semgrep Pro Engine can track the propagation of taint from the arguments of a method to the called object. For example:
    public void foo(int x) {
        this.x = x;
    }
    When called with a tainted argument:
    o.foo(tainted);
    Semgrep can track and report that the field x of o has been tainted.

Changed

  • Previously, the semgrep --pro command required a directory as its single target. With this update, the semgrep --pro command is still limited to a single target, but in addition to a whole directory, it can now also target a single file.

Semgrep Supply Chain

Additions

  • Semgrep Supply Chain Dependency search is now in beta. Dependency search displays all your direct and transitive dependencies on the Supply Chain > Dependencies page. You can search for any dependency in all of your repositories in the Semgrep Cloud Platform, provided that their language is supported by Semgrep Supply Chain.
  • Semgrep Supply Chain now supports package-lock.json version 3.

Changes

  • Improvements to Slack notifications for Semgrep Supply Chain scans. See Semgrep Cloud Platform.
  • Semgrep Supply Chain now parses go.mod for a list of dependencies.
  • Semgrep Supply Chain no longer parses go.sum for a list of dependencies.
  • The title of Supply Chain findings in the CLI now consists of the package name and CVE, instead of just the rule's UUID.

Semgrep Cloud Platform

Additions

  • You can now add repositories from Azure Repos into the Semgrep Cloud Platform.
  • Bitbucket PR comments are now available for Bitbucket Cloud users. See Enabling Bitbucket pull request comments to enable PR comments in your repositories.

Changes

  • The Semgrep Slack app has been improved. Create customized subscriptions to Semgrep findings based on Rule board policy (Monitor, Comment, or Block) and other filters for your specific Slack channels. By creating your customized subscriptions, Semgrep only sends notifications about repositories and findings relevant to developers. Security engineers can still receive notifications of all issues across the entire organization’s repositories. See Receiving Slack notifications.
  • Updated the Settings > SSO page. The page now displays your current SSO settings, if any.
  • Previously, Semgrep automatically associated organization accounts with their corresponding GitHub Cloud or GitLab SaaS organizations. Now, users can choose to connect their Semgrep organization accounts with their repository provider. To associate your Semgrep organization with your repository provider, sign in to Semgrep Cloud Platform, then go to Settings > Source code > then select your repository provider.
  • Various improvements to UI consistency and improved layout for wide monitors.
  • Fixed various bugs within the Editor and Playground.

Documentation updates

Added

Changed