Semgrep release notes for January 2024
OSS Engine
- The following versions of the OSS Engine were released in January 2024:
Cloud Platform
Added
- Semgrep's Visual Studio Code extension now runs natively on Windows machines.
- Added the ability for organizations to test connections to GitHub and GitLab by going to Settings > Source Code Managers.
- Projects are now moved from the Scanning to Not scanning tab when the corresponding GitHub repository is archived.
- CLI tool:
  - Added color-coded severity icons, such as `❯❯❱`, to the CLI output for findings of known severity.
  - Metrics sent from the CLI and collected by Semgrep now include a breakdown of the number of findings per product.
  - Rules stored under a hidden directory, such as `dir/.hidden/myrule.yml`, are now processed when scanning with the `--config` flag.
Changed
- Renamed the Upgrade page to Usage & billing.
- Redesigned the Settings > Source Code Managers page; changes include:
  - Renamed the Remove SCM config button to Disconnect.
  - Set the Remove app button to only show up for registered GitHub apps.
- Improved the page load times for the Settings > Source Code Managers page, especially for organizations with many source code managers connected.
- Updated de-duplication logic for users with multiple source code managers.
Fixed
- Fixed an issue where paid subscribers couldn't submit support cases through the Help page.
- CLI tool:
  - Fixed an issue where multi-line comments in Dockerfiles weren't parsed correctly.
  - Fixed an issue where Semgrep used `/tmp` instead of the path set in the `TMPDIR` environment variable for the Semgrep cache.
  - Fixed an issue where Semgrep would error on reading a `nosemgrep` comment with multiple rule IDs.
Code
Added
- Swift: Now supports typed metavariables, such as `($X : ty)`.
- Java: You can now use metavariable ellipses properly in function arguments, as statements, and as expressions. For instance, you may write the pattern:
  `public $F($...ARGS) { ... }`
- C++ with Semgrep Pro Engine: Improved translation of delete expressions to the dataflow so that recently added at-exit sinks work on them. Previously, delete expressions at "exit" positions were not being properly recognized as such.
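As an added illustration (not a rule from the Semgrep registry or from these release notes), the following rule uses the Java pattern quoted above inside `pattern-inside` so that the `$...ARGS` metavariable ellipsis captures whatever parameter list a public method declares, and then looks for an OS command execution inside that method. The rule ID, message, and `Runtime.getRuntime().exec(...)` target are assumptions chosen for the example; the `public $F($...ARGS) { ... }` pattern itself is the one the note above describes.

```yaml
rules:
  - id: exec-inside-public-method   # example ID, not a registry rule
    languages: [java]
    severity: WARNING
    message: >-
      Runtime.exec is called inside public method $F($...ARGS).
      Review whether callers can influence the command string.
    patterns:
      # $...ARGS matches zero or more parameters; $F binds the method name
      # so both can be reported in the message above.
      - pattern-inside: |
          public $F($...ARGS) { ... }
      # The sink being audited within the enclosing public method.
      - pattern: Runtime.getRuntime().exec(...)
    metadata:
      category: security
```

Save it as a local file and run it with `semgrep --config <path-to-rule.yml> <source-dir>`; a finding is reported once per `exec` call that sits inside a public method, and the message shows the bound method name and its full parameter list.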
Changed
- Improved loading times for Dashboard and Findings pages.
- Redesigned the Findings page to display issues present on multiple branches, regardless of which branch is used as a filter.
Fixed
- Editor: Fixed a bug where the editor could crash due to rules having more than one metadata subcategory.
- Fixed a bug in which open findings were counted differently between the Code and Dashboard pages in Semgrep Cloud Platform. The counts now match.
- Findings page:
  - Fixed a bug in which leaving a note automatically triaged a finding. Now, the state of the finding does not change when a user leaves a note.
  - Fixed a bug in which fixed findings were triagable through the rule group checkbox despite their already fixed state. Now these findings are not triagable.
- Fixed an issue where hovering over the Assistant's Analyze button caused the window to jitter.
Supply Chain
Added
- Added the ability to manually create custom dependency exceptions under Supply Chain > Settings. This helps prevent blocking a pull request or merge request due to licensing issues. For example, if `bitwarden/cli@2023.9.0`, which has a GPL-3.0 license, is on the allowlist, setting a custom dependency exception means that the exclusion won't fail when upgrading to `bitwarden/cli@2023.9.1`.
Changed
- Vulnerabilities page: Improved filtering performance.
- Software bill of materials (SBOM) generation is now generally available (GA).
- The Dependencies tab is now GA.
Fixed
- Fixed an issue where Semgrep couldn't parse a Pipfile correctly if it had a `[dev-packages]` section.
- Fixed a bug where `Gemfile.lock` files with multiple `GEM` sections weren't parsed correctly.
Secrets (beta)
Fixed
- Fixed a bug with custom secrets rules in which rule visibility could be set to `unlisted`. Now, to protect the privacy of secrets rules, users cannot set Secrets rules to any visibility other than private.
Documentation and knowledge base
Added
- Added legal information about Semgrep Assistant.
- Added documentation about Semgrep Assistant's Component and Recommendation filters.
- Knowledge base articles:
  - Added guidance on running Semgrep Supply Chain scans in the CLI.
Changed
- Updated the Semgrep Supply Chain languages table to clarify that lockfile-only languages do not have reachable rules.
- Updated documentation on event triggers for diff-aware and full scans.
- Updated Licensing documentation for Semgrep Supply Chain and Semgrep Secrets.
- Updated the Findings documentation page.