May 2021

Version 0.52.0

This version also includes release notes for Semgrep version 0.53.0.

Alpha support for C#
Metavariables match both a constant variable occurrence and that same constant value (#3058)

OCaml: fix useless-else false positives by generating appropriate AST for if without an else.
JavaScript/TypeScript: Propagate constant definitions without declaration

JavaScript/TypeScript: allow the deep expression operator <... ...> in expression statement position, for example:

ARG = [$V];

...

<... $O[$ARG] ...>; // this works now

Show log messages from semgrep-core when running semgrep with --debug
By default, targets larger than 1 MB are now excluded from Semgrep scans. The new option --max-target-bytes 0 restores the previous behavior.
Report relative path instead of absolute when using --time

Empty yaml files do not crash
Autofix does not insert newline characters for patterns from semgrep.live (#3045)
Autofix printout is grouped with its own finding rather than the one below it (#3046)
Do not assign constant values to assigned variables (#2805)
A --time flag instead of --json-time which shows a summary of the timing information when invoked with normal output and adds a time field to the json output when --json is also present

Moved some debug logging to verbose logging
$...ARGS can now match an empty list of arguments, just like ... (#3177)
JSON and SARIF outputs sort keys for predictable results
.git/ directories are ignored when scanning
External Python API (semgrep_main.invoke_semgrep) now takes an optional OutputSettings argument for controlling output
json_time has moved to OutputSettings.output_time, this and many other OutputSettings arguments have been made optional