Skip to main content

    May 2021

    Version 0.52.0

    This version also includes release notes for Semgrep version 0.53.0.

    Additions

    • Alpha support for C#
    • Metavariables match both a constant variable occurrence and that same constant value (#3058)

    Fixes

    • OCaml: fix useless-else false positives by generating appropriate AST for if without an else.
    • JavaScript/TypeScript: Propagate constant definitions without declaration

    Version 0.51.0

    Additions

    • Keep track of and report rule parse time in addition to file parse time
    • v0 of opt-in, anonymous aggregate metrics

    Fixes

    • JavaScript/TypeScript: allow the deep expression operator <... ...> in expression statement position, for example:

    ARG = [$V];

    ...

    <... $O[$ARG] ...>; // this works now

    • PHP arrays with dots inside parse
    • Propagate constants in nested lvalues such as y in x[y]
    • Experimental support for C#

    Changes

    • Show log messages from semgrep-core when running semgrep with --debug
    • By default, targets larger than 1 MB are now excluded from Semgrep scans. The new option --max-target-bytes 0 restores the previous behavior.
    • Report relative path instead of absolute when using --time

    Version 0.50.1

    Additions

    • JS/TS: Infer global constants even if the const qualifier is missing (#2978)
    • PHP: Resolve names and infer global constants in the same way as for Python

    Fixes

    • Empty yaml files do not crash
    • Autofix does not insert newline characters for patterns from semgrep.live (#3045)
    • Autofix printout is grouped with its own finding rather than the one below it (#3046)
    • Do not assign constant values to assigned variables (#2805)
    • A --time flag instead of --json-time which shows a summary of the timing information when invoked with normal output and adds a time field to the json output when --json is also present

    Changes

    • Moved some debug logging to verbose logging
    • $...ARGS can now match an empty list of arguments, just like ... (#3177)
    • JSON and SARIF outputs sort keys for predictable results
    • .git/ directories are ignored when scanning
    • External Python API (semgrep_main.invoke_semgrep) now takes an optional OutputSettings argument for controlling output
    • json_time has moved to OutputSettings.output_time, this and many other OutputSettings arguments have been made optional

    Removed

    • --json-time flag in favor of --json + --time

    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.