Skip to main content

    January 2023

    Semgrep Supply Chain

    Additions

    • Added a new Exposure category called Not analyzed within Semgrep App > Vulnerabilities page. Users who have enabled Historical coverage rules now see vulnerabilities detected from those rules under Not analyzed. This is because Historical coverage rules do not have reachability patterns, therefore it is not known if their findings are reachable or unreachable.
    • The Semgrep App > Advisories page displays a new tag, Reachability: review manually for rules where the reachability of a finding depends on infrastructure usage patterns, instead of code patterns. Findings that appear from these rules appear under Exposure > Reachable within Semgrep App > Vulnerabilities, and include a short hint on how to determine if your infrastructure is vulnerable. Semgrep App Advisories, Reachability review manually
    • You can now give feedback for Supply Chain rules. In the Semgrep App > Advisories page, click on an advisory to expand on it and click on the Leave feedback for this rule button. Give rule feedback menu
    • Added exposure property to SARIF output for Semgrep Supply Chain findings.

    Changes

    • The Semgrep App > Vulnerabilities now lets you filter by whether a vulnerability is from a direct or a transitive dependency. You can find these options under the Transitivity filter in the Semgrep App > Vulnerabilities page. All options are selected by default.
    • Lockfile parsers have been rewritten to be able to provide with improved error messages upon parse errors. This affects all supported ecosystems except Rust.
    • Removed support for reading dependencies from pom.xml files. Instead, Semgrep Supply Chain reads dependencies from maven_dep_tree.txt files, which can be generated using the following command: mvn dependency:tree -DoutputFile=maven_dep_tree.txt
      • You must generate a maven_dep_tree.txt for every pom.xml in your repository.

    Semgrep App

    Additions

    • Display findings grouped together by rules that detected them! Group by rule view helps you to identify patterns in your code and to triage findings easily. Findings grouped by rule are sorted by count from high to low. This enables you to know which rules have fired the most. In comparison, regularly grouped findings are sorted by their recency (most recent findings are at the top of the Findings page). Group by rule option on Findings page
    • Semgrep API now allows you to add or remove tags to a project. See Tagging projects documentation.

    Changes

    • The findings detail page has received a facelift. This update is preparing the ground for future updates and features. The following list provides an overview of the implemented improvements:
      • New read-only rule preview component at the bottom of the page to view the rule and test cases.
      • The interface is now standardized with the rest of the Findings page, showing information about the location of the finding under the heading.
      • New rule information card component that displays information about the rule. This information includes any references and information about the rule severity and confidence. Semgrep App finding details page
    • Previously, new users who logged into Semgrep App using GitLab landed on a GitLab Groups page. Users then had to enable the GitLab groups they wanted to onboard, then users had to log out of Semgrep App and then log back in to complete the onboarding process. Now, new users are immediately logged in to Semgrep App.
      • In order to associate their Semgrep account with their GitLab Groups, users need to use the GitLab “Add Org” workflow, which brings them to the GitLab Groups page. This change also addresses a bug when enabling a GitLab Group that would cause the app to crash.

    Semgrep CLI

    These release notes include upgrades for versions ranging between 1.3.0 and 1.6.0.

    Additions

    • Semgrep now provides experimental support for XML, Clojure, Lisp, Scheme, Dart, and Jsonnet languages.
    • Rust language support is now improved from Experimental to Beta!
    • Python: Constant propagation now recognizes the idiom cond and X or Y, as well as True and X and False or X. For example, cond and "a" or "b" is identified as constant string. (Issue #6079)

    Changes

    • Tests: Allow -test to process entire file trees rather than single files. See more information about the semgrep --test in the Testing rules documentation. (Issue #5487)
    • metavariable-pattern: For performance reasons the generic mode ignores target files that are machine-generated. However, this change prevented the use of the metavariable-pattern operator on the text that seemed or was machine-generated, such as an RSA key contained in a file. This issue has been fixed. Now, when the analysis is requested within a metavariable-pattern operator, the generic mode always matches any text even if it seems to be machine-generated.

    Semgrep Registry

    Changes

    • Semgrep Registry now displays gem icons on Team tier rules, and rulesets that contain Team tier rules.

    Documentation updates

    Additions

    Changes


    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.