Semgrep release notes for November 2024
Semgrep AppSec Platform
Added
- Added the ability to filter all findings by Last fixed and Last triaged dates in Semgrep AppSec Platform. (Figure: Time period and status filters.)
- Dashboard:
  - You can now view trends, comparing the previous time period to the current one, in the following charts:
    - Production backlog
    - Secure guardrails
    - Median open finding age
  - You can now export the Dashboard as a PDF. Sign in to Semgrep AppSec Platform, then click Dashboard > Download > Download as PDF (report).
Changed
- API: The `GET /deployments/DEPLOYMENT_ID/policies` endpoint now displays all policies for a given deployment for all Semgrep products.
- Teams: You can now change roles in bulk:
  1. Click Settings > Teams, then the name of the team you want to edit.
  2. Select the target users, then click Bulk Edit.
  3. In the drop-down box, select the new role for those users.
Fixed
- Various improvements and fixes to Semgrep Managed Scans (SMS).
Semgrep Code
Added
- C: Semgrep cross-file analysis now handles duplicate function names properly. When Semgrep finds duplicate functions, it assumes that any of them could be called. For example, if the function `foo` is defined in two files, Semgrep reports taint errors for both instances:

  ```c
  // "a/test.h"
  void foo(int x) {
    //deepruleid: dup-symbols
    sink(x);
  }

  // "b/test.h"
  void foo(int x) {
    //deepruleid: dup-symbols
    sink(x);
  }

  // "main.c"
  #ifdef HEADER_A
  #include "a/test.h"
  #else
  #include "b/test.h"
  #endif

  int main() {
    int x = source();
    foo(x);
  }
  ```

- JavaScript and TypeScript:
  - Added Pro rules for JavaScript and TypeScript, including:
    - Code injection rules for the `vm`, `vm2`, and `puppeteer` libraries
    - NoSQL injection rules for the `mongodb` and `mongoose` libraries
    - SQL injection rules for the `knex`, `mysql`, `pg`, `sequelize`, and `sqlite` libraries
    - Path traversal rules for `fs` and `fs-extra`
  - Improved existing rules to have more precise sources and sinks.
  - Improved JavaScript and TypeScript imports resolution.
  - Added support for JavaScript callbacks.
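The C item above shows two definitions of `foo` that are both annotated as `dup-symbols` findings, but the release notes do not show the rule behind that annotation. The following cross-file taint rule is added here as an illustration; it is not taken from the Semgrep rule set or from the release notes, and its sources, sinks and `interfile` option are an assumption about how a test rule for that snippet would be written. It treats `source()` as the taint source and any argument of `sink()` as the sink, so the taint introduced in `main.c` is reported at whichever `foo` definition the analysis considers reachable, which after this change is both of them.

```yaml
# Illustrative cross-file taint rule (added example, not from the Semgrep rule set).
# The rule id matches the `deepruleid: dup-symbols` annotations in the C snippet.
rules:
  - id: dup-symbols
    languages: [c]
    severity: ERROR
    message: Value returned by source() flows into sink() through foo()
    mode: taint
    options:
      # Assumed option: enables cross-file (interfile) tracking so the flow
      # from main.c into the two header definitions of foo is followed.
      interfile: true
    pattern-sources:
      - pattern: source()
    pattern-sinks:
      - pattern: sink(...)
```

Because the analysis no longer picks a single definition of a duplicated symbol, a practitioner reviewing results should expect one finding per duplicate definition and triage them together; the `#ifdef HEADER_A` selection in `main.c` is not evaluated by the taint engine, so neither copy is excluded.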
Changed
- The Findings page's Projects and branches filter now pins selected options to the top of the list for easy reference.
- Cross-file analysis now resolves method invocations on abstract classes, enhancing dataflow tracking accuracy for dynamic method invocations.
- Improved memory usage and time for scans with many findings, due to reduced memory allocations by Semgrep while processing `nosemgrep` comments.
- TypeScript: Improved logic for interfile analysis for projects using project references.
Fixed
- Cross-file taint analysis has been optimized to scale better when there are many matched sources, propagators, sanitizers, and sinks within a function.
- Semgrep now scans files containing special characters, as determined by Git, correctly instead of ignoring them.
- Semgrep no longer freezes when running on a machine with a low memory limit with tracking enabled.
- Fixed an issue with regex parsing during ReDoS analysis when Semgrep encountered a character class starting with `[:`, such as `[:a-z]`.
- Fixed an issue with `semgrep scan` where anchored `.semgrepignore` patterns for folders such as `/tests` weren't honored. Previously, these patterns didn't affect target file filtering.
- Fixed an issue where exceptions thrown during target processing caused the scan to fail. The scan now returns exit code `0` instead of `2`, unless the scan was invoked with the `--strict` flag.
- Fixed an issue where input containing multiple unclosed braces on the same line resulted in exponential parsing time, causing the scan to time out.
- Improved error handling for networking errors.
- Fixed an issue where autofix and `nosemgrep` didn't work in Semgrep Editor.
- Swift: Ellipses and metavariable ellipses can now be used as function parameters in patterns.
Semgrep Supply Chain
Added
- Supply Chain now provides reachability analysis for Scala and Swift.
Changed
- Parsers for `poetry.lock` and `pyproject.toml` now handle multi-line strings.
Fixed
- Fixed an issue where the Gradle parser failed to parse the lockfile if it didn't start with a specific block comment. Semgrep now ignores the comment, allowing any or no comment to exist.
Semgrep Assistant
Added
- Added Assistant-generated component tags for Semgrep Supply Chain and Semgrep Secrets findings.
- Added support for Google Gemini.
Semgrep Secrets
Added
- Added the ability to validate temporary AWS tokens.
Documentation and knowledge base
Added
- Added the following new documents, articles, and sections:
  - A section about time period filters, which you can apply to narrow down findings in the Code, Supply Chain, and Secrets pages.
  - How to exclude a Semgrep Supply Chain rule
  - How to set up SMS with GitLab
  - Why do new rules keep appearing in Comment or Block mode?
- Added the following sections in the docs homepage:
  - A summary of the latest release notes
  - A summary of supported languages for all Semgrep products
Changed
- Updated the following documents and sections:
  - Clarified default behavior and options for how Semgrep handles exit codes.
  - Clarified the relationship between ingress and egress IP addresses and the Semgrep Network Broker.
  - Updated the wording in Semgrep Assistant > Privacy and legal considerations to include other large language models (LLMs).
Fixed
- Improved site readability on mobile devices.
Removed
- Removed the `pattern-not` versus `pattern-not-inside` video.
OSS Engine