Semgrep release notes for October 2024
Semgrep AppSec Platform
Added
- Added a Scan details page and pane for all completed scans. Use this to troubleshoot or view information about individual scans.
  Figure: Scan details pane with the permalink icon indicated in a box.
- The Dashboard now provides a Teams filter, enabling you to create views based on a selection of Teams you are a part of. Click Dashboard > Filters to access the filter.
- By default, the Dashboard now displays findings from teams you are a part of. Your finding count may differ from your colleagues based on your Teams.
- Added a Jira API endpoint to create Jira tickets, either by passing a list of issue_ids or filter query parameters to select findings. Refer to the Jira API documentation.
- Semgrep now supports Move on Sui, thanks to the contributions of the Sui team.
Changed
- Various UI improvements to the Settings > SCM tab.
  Figure: Previous and current SCM card UI.
- Semgrep Managed Scans: scans now follow fail-open behavior, consistent with how Semgrep in CI behaves. Failing open means that Semgrep scans with internal errors do not result in a failed job.
- The Project details page's See findings button is now a drop-down box, enabling you to select which product you want to view findings for.
Fixed
- When a scan runs into an exception, Semgrep AppSec Platform displays information about the failure. Previously, within the AppSec Platform UI, it would appear to the user that the scan was still in progress.
- Fixed a bug where Semgrep would crash if --trace was passed.
Semgrep Code
Added
- Updated the C# parser to support all versions of the language up to 13.0 (.NET 9).
- Developers can now triage findings by replying to a GitHub PR comment from Semgrep, without the need to log in to Semgrep Cloud Platform. See Triage findings through comments for more information.
- Added an API endpoint you can use to triage findings in bulk, either by passing a list of issue_ids or filter query parameters to select findings. Refer to the Bulk triage API documentation.
- Taint analysis now supports tracking sinks through callbacks for all applicable Semgrep-supported languages. For example:
function unsafe_callback(x) {
  sink(x); // Semgrep detects a finding here now!
}

function withCallback(val, callback) {
  callback(val);
}

withCallback(taint, unsafe_callback); // taint flows through the callback parameter into sink()
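As an added illustration that is not part of the release notes, here is a minimal Semgrep taint-mode rule that flags the snippet above. It assumes the rule is saved as callback-taint.yaml and the snippet as target.js, and it reuses the example's own names: the identifier `taint` is treated as the source and any `sink(...)` call as the sink. Both of those choices are assumptions made for the example; a production rule would name a real untrusted input (such as a request parameter) and a real dangerous function.

```yaml
rules:
  - id: taint-reaches-sink-through-callback
    mode: taint
    languages: [javascript]
    severity: WARNING
    message: >-
      Tainted data reaches sink(). The flow may pass through a callback
      parameter, which taint mode follows across the callback boundary.
    # Source: the identifier `taint` from the example above (assumed for the
    # example; a real rule would match an untrusted input expression).
    pattern-sources:
      - pattern: taint
    # Sink: any call to sink(); a finding is reported when tainted data
    # reaches any argument of the call.
    pattern-sinks:
      - pattern: sink(...)
```

Run it with `semgrep --config callback-taint.yaml target.js`. The finding is reported on the `sink(x)` line inside `unsafe_callback`, even though that function never touches `taint` directly: the value enters `withCallback` as `val`, is passed to the `callback` parameter, and arrives in `unsafe_callback` as `x`. That indirection through a function value is exactly the case this release's callback tracking covers.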
Removed
- Removed support for Vue. The tree-sitter grammar has not been updated in 3 years and no community rules have been added. In theory, extract mode could be a good substitute to parse Vue files.
Semgrep Supply Chain
Added
- Supply Chain now provides reachability analysis for Kotlin, including support for Gradle and Maven.
- Improved support and flexibility for Python dependency parsing (public beta):
  - Semgrep now finds non-standard requirements.txt names and parses them for dependencies.
  - Semgrep parses lockfiles in a /requirements folder.
- The cargo.lock parser can now associate dependencies with lockfile line numbers.
Changed
- Improvements to the Advisories page UI.
- Dependency search: the Ecosystem filter has been replaced by a Language filter. Several languages can share the same ecosystem, such as Java and Kotlin both using Maven. For accurate filtering, the Dependencies page now uses a Language filter so that you can view that language's packages from any ecosystem supported by Semgrep for that language.
Fixed
- Advisories page: improved speed when fetching advisories.
Semgrep Assistant
Added
- Users can now use Semgrep Assistant with their own OpenAI API key.
- Enterprise users can also use the following API providers:
  - Azure OpenAI
  - AWS Bedrock
  - Google Gemini
  See the AI provider documentation for more details.
- PR comments made by Semgrep Assistant now reference the Git commits that it used to generate the fix.
  Figure: Semgrep Assistant referencing multiple commits.
Semgrep Secrets
- semgrep ci output now includes a list of all Secrets rules which generated at least one blocking finding. This behavior is consistent with that of Semgrep Code.
Documentation and knowledge base
Added
- Documented new triage workflows.
- Improvements to the Network broker documentation.
- Updated Supported languages with new languages and features.
- Added new sections in Semgrep AppSec Platform vs Semgrep OSS.
- Added a new knowledge base article: FedRAMP Authorization Guidance
Changed
- Reorganized and clarified the following:
- Semgrep Supply Chain documentation
- How Semgrep's Block mode works
- GitLab SCM connections and MR comments
- Broadened language around Semgrep Assistant AI now that Assistant supports various LLMs.
Fixed
- Various fixes to mobile UI.
OSS Engine
- The following versions of the OSS Engine were released in October 2024: