Skip to main content

Semgrep release notes for March 2024

๐Ÿ”ง OSS Engineโ€‹

๐ŸŒ Cloud Platformโ€‹

Addedโ€‹

  • The Add to policy button in the Playground can now differentiate between custom Code and Secrets rules. When you click Add to policy, it detects which type of rule you have written and adds the rule to the corresponding policy board.

Fixedโ€‹

  • Fixed a bug in which users couldn't claim a license if they only had one organization.
  • Visual Studio Code extension: fixed an issue where rules weren't downloaded to the user's machine, which resulted in no findings detected.
  • Minor UI and in-app copy fixes in the following:
    • Editor
    • Settings page
    • Tutorial page
    • Onboarding process
  • Fixed a bug in which users were sometimes unable to delete their SSO configuration.

๐Ÿ’ป Codeโ€‹

Addedโ€‹

  • Added support for Python's yield keyword, enabling the detection of taint findings from taint sources returned by yield.
  • Added ability for users to copy file paths displayed in Semgrep Cloud Platform's Findings page if they aren't links.
  • Added the ability for users to see if there's a version of a rule they're currently using that supports interfile analysis.
  • Added Clear filters button when no findings appear in the Findings page after the user has set some filters.
  • API: added ability to get rules metadata from the API.

Changedโ€‹

  • Code analysis started by logged-in users running semgrep ci now includes cross-function (intrafile) analysis by default. This change affects CI jobs and CLI scans.
  • .phtml files are now processed as PHP files and analyzed using PHP rules.
  • Updated PR comments to include links to specific findings in Semgrep Cloud Platform.
  • Users can see all projects, even if they don't have any identified findings, in the Most findings list on Semgrep Cloud Platform's Dashboard page.
  • Semgrep Code now distinguishes between findings resolved by rule changes and findings resolved due to code modifications. This change applies only to new findings.
    • Only findings fixed due to code modifications are marked as fixed.
      • The fix rate calculated by Semgrep Code now includes only such findings.
    • Findings fixed due to rule changes are marked as resolved.
  • CLI: Semgrep clones the repository into the current working directory instead of a tmp folder when using the --remote flag.

Fixedโ€‹

  • Kotlin: Fixed a parsing error when a newline appears between the class name and the primary constructor.
  • Fixed an issue where autofix on variable definitions could not handle semicolons for Java, C++, C#, Rust, Cairo, Solidity, and Dart.
  • Fixed an issue with autofix application on lines with multi-byte characters.
  • Fixed issue where credentials were inadvertently included in a project URL when publishing a custom rule using semgrep publish. Running semgrep publish generates a rule-origin-note, which includes the project URL in the metadata. When this process occurs in a GitLab CI job, GitLab includes the CI job tokens in the project URL. Semgrep now removes the credential from the metadata.
  • Fixed an issue where reachability rules were deleted from Semgrep Registry.
  • Fixed an issue where the timestamp on the findings didn't correspond to the timestamp used by the filter; now, both use the relevant_since filter, which provides information about when findings were last reopened.

โ›“๏ธ Supply Chainโ€‹

Addedโ€‹

Changedโ€‹

  • Findings with a critical severity now display in Semgrep Cloud Platform with a darker red color to help distinguish them from high-severity findings.
  • Findings are now displayed in Semgrep Cloud Platform with readable names, such as git-url-parse: Inefficient Regular Expression Complexity instead of lodash.defaultsdeep: Improper Input Validation.

Fixedโ€‹

  • Fixed an issue where bulk triage didn't work in Semgrep Cloud Platform for Supply Chain findings.
  • Fixed an issue where Supply Chain rules and findings erroneously display a confidence label.

๐Ÿค– Assistantโ€‹

Semgrep Assistant is now generally available (GA). Read the docs and the blog post.

Addedโ€‹

  • Added the Agree and Ignore buttons to the No grouping view in the Semgrep Cloud Platform > Code page.
  • Added the AI component tags in the Finding details page and No grouping view.
  • Added the ability to use AI to generate Semgrep rules (beta). To try this feature:
    1. Navigate to the Editor and click on the black square with white circle plus sign.
    2. Select ...with Semgrep Assistant (beta) from the drop-down box. Generate rule with Semgrep Assistant form

Changedโ€‹

  • Improvements to in-app copy and UI.

๐Ÿ” Secretsโ€‹

Addedโ€‹

  • Historical scanning is now available as a public beta feature. Historical scanning allows users to find valid secrets in their Git commit history. To enable this feature:
    1. Log in to Semgrep Cloud Platform.
    2. Navigate to Settings > Deployments.
    3. Under Secrets, toggle on Historical scanning. Users can also include the --historical-secrets flag when running semgrep ci in the CLI.
  • Added the ability to view a Secrets rule if there's one that supersedes a Semgrep Code rule with similar functionality. These notifications are available in Semgrep Cloud Platform on:
    • The Findings and Finding Details pages
    • The Policies page In addition to the affected findings labeled with Secrets version available, users can look for findings using the Available rule upgrades filter.

Changedโ€‹

  • Moved the Settings page for Secrets from its Findings page to Settings > Deployment.

Fixedโ€‹

  • Fixed an issue where some Secrets findings were labeled as Code findings.
  • CLI: Fixed an issue where there were no warnings if Secrets is enabled, but users have no Secrets rules configured.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

Changedโ€‹


Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.