
Semgrep release notes for November 2024

๐ŸŒ Semgrep AppSec Platformโ€‹

Addedโ€‹

  • Added the ability to filter all findings by Last fixed and Last triaged dates in Semgrep AppSec Platform. Figure: Time period and status filters.
  • Dashboard:
    • You can now view trends, comparing the previous time period to the current one, in the following charts:
      • Production backlog
      • Secure guardrails
      • Median open finding age
    • You can now export the Dashboard as a PDF. Sign in to Semgrep AppSec Platform, then click Dashboard > Download > Download as PDF (report).

Changed

  • API: The GET /deployments/DEPLOYMENT_ID/policies endpoint now displays all policies for a given deployment for all Semgrep products.
  • Teams: You can now change roles in bulk:
    1. Click Settings > Teams, then the name of the team you want to edit.
    2. Select the target users, then click Bulk Edit.
    3. In the drop-down box, select the new role for those users.

Fixed

  • Various improvements and fixes to Semgrep Managed Scans (SMS).

💻 Semgrep Code

Added

  • C: Semgrep cross-file analysis now handles duplicate function names properly. When Semgrep finds duplicate functions, it assumes that any of them could be called. For example, if the function foo is defined in two files, Semgrep reports taint errors for both instances:
    // "a/test.h"
    void sink(int x);            // taint sink; assumed to be defined elsewhere
    void foo(int x) {
        //deepruleid: dup-symbols
        sink(x);
    }

    // "b/test.h"
    void sink(int x);            // same sink, second definition of foo
    void foo(int x) {
        //deepruleid: dup-symbols
        sink(x);
    }

    // "main.c"
    #ifdef HEADER_A
    #include "a/test.h"
    #else
    #include "b/test.h"
    #endif

    int source(void);            // taint source; assumed to be defined elsewhere

    int main(void) {
        int x = source();        // tainted value
        foo(x);                  // reaches sink() in whichever foo is compiled in
        return 0;
    }
  • JavaScript and TypeScript:
    • Added Pro rules for JavaScript and TypeScript, including:
      • Code injection rules for the vm, vm2, and puppeteer libraries
      • NoSQL injection rules for mongodb and mongoose libraries
      • SQL injection rules for the knex, mysql, pg, sequelize, and sqlite libraries
      • Path traversal rules for fs and fs-extra
    • Improved existing rules to have more precise sources and sinks.
    • Improved JavaScript and TypeScript imports resolution.
    • Added support for JavaScript callbacks.

Changed

  • The Findings page's Projects and branches filter now pins selected options to the top of the list for easy reference.
  • Cross-file analysis now resolves method invocations on abstract classes, enhancing dataflow tracking accuracy for dynamic method invocations.
  • Reduced memory usage and scan time for scans with many findings by cutting the number of allocations Semgrep makes while processing nosemgrep comments.
  • TypeScript: improved logic for interfile analysis for projects using project references.

Fixed

  • Cross-file taint analysis has been optimized to scale better when there are many matched sources, propagators, sanitizers, and sinks within a function.
  • Semgrep now correctly scans files whose names contain special characters (as determined by Git) instead of ignoring them.
  • Semgrep no longer freezes when running with tracking enabled on a machine with a low memory limit.
  • Fixed an issue with regex parsing during ReDoS analysis when Semgrep encountered a character class starting with [:, such as [:a-z].
  • Fixed an issue with semgrep scan where anchored semgrepignore patterns for folders such as /tests weren't honored. Previously, these patterns didn't affect target file filtering.
  • Fixed an issue where exceptions thrown during target processing caused the scan to fail. The scan now returns exit code 0 instead of 2, unless the scan was invoked with the --strict flag.
  • Fixed an issue where input containing multiple unclosed braces on the same line resulted in exponential parsing time, causing the scan to time out.
  • Improved error handling for networking errors.
  • Fixed an issue where autofix and nosemgrep didn't work in Semgrep Editor.
  • Swift: Ellipses and metavariable ellipses can now be used as function parameters in patterns.
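The ReDoS fix above concerns a regex parser that saw `[:` and mis-read it as the opening of a POSIX named class. The parser below is an added example, not Semgrep's own code: it reads one bracket expression and treats `[:a-z]` as a class containing a literal colon and the range a-z, while still recognising a named class such as `[[:alpha:]]` when it appears inside a bracket expression. The supported syntax (negation, ranges, backslash escapes, nested POSIX classes) is an assumption made for this example.

```python
"""Added example (not Semgrep's own parser): parse regex bracket expressions,
distinguishing a class that merely begins with ':' ("[:a-z]") from a POSIX
named class ("[[:alpha:]]"). Syntax handled, by assumption: '^' negation,
'a-z' ranges, backslash escapes, ']' as a literal in first position, and
"[:name:]" only when nested inside a bracket expression."""

from typing import List, Tuple, Union

Item = Union[str, Tuple[str, str]]  # literal char, ("lo", "hi") range, or "[:name:]" token


def parse_char_class(regex: str, start: int = 0) -> Tuple[bool, List[Item], int]:
    """Parse the bracket expression whose '[' is at regex[start].

    Returns (negated, items, index just past the closing ']')."""
    n = len(regex)
    if start >= n or regex[start] != "[":
        raise ValueError(f"expected '[' at index {start}")
    i = start + 1
    negated = False
    if i < n and regex[i] == "^":
        negated = True
        i += 1
    items: List[Item] = []

    def read_atom(j: int) -> Tuple[str, int]:
        """Read one literal character at j, honouring a backslash escape."""
        if regex[j] == "\\":
            if j + 1 >= n:
                raise ValueError("dangling backslash in character class")
            return regex[j + 1], j + 2
        return regex[j], j + 1

    first = True
    while i < n:
        c = regex[i]
        if c == "]" and not first:
            return negated, items, i + 1
        first = False
        if c == "[" and regex.startswith("[:", i):
            # A POSIX class is "[:name:]" *inside* a bracket expression. The ':' right
            # after the opening '[' of the class itself (as in "[:a-z]") never reaches
            # this branch, because that ':' is read as an ordinary literal below.
            end = regex.find(":]", i + 2)
            name = regex[i + 2:end] if end != -1 else ""
            if name.isalpha():
                items.append(regex[i:end + 2])  # e.g. "[:alpha:]"
                i = end + 2
                continue
            # Not a POSIX class after all: '[' is just a literal, handled below.
        lo, i = read_atom(i)
        if i + 1 < n and regex[i] == "-" and regex[i + 1] != "]":
            hi, i = read_atom(i + 1)
            if hi < lo:
                raise ValueError(f"bad range {lo}-{hi}")
            items.append((lo, hi))
        else:
            items.append(lo)
    raise ValueError("unterminated character class")


def char_classes(regex: str) -> List[Tuple[bool, List[Item]]]:
    """Return every bracket expression in `regex`, skipping escaped brackets."""
    out: List[Tuple[bool, List[Item]]] = []
    i = 0
    while i < len(regex):
        c = regex[i]
        if c == "\\":
            i += 2  # an escaped character is never the start of a class
        elif c == "[":
            negated, items, i = parse_char_class(regex, i)
            out.append((negated, items))
        else:
            i += 1
    return out


if __name__ == "__main__":
    # Constructed sample: a colon-first class and a nested POSIX class in one pattern.
    for negated, items in char_classes(r"^[:a-z]+\[[[:digit:]]$"):
        print("negated" if negated else "plain", items)
```

`char_classes` is the entry point to run over a rule's `pattern-regex`; `parse_char_class` can be called directly with an index when you already know where a class starts.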
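The semgrepignore fix above is about anchored patterns: `/tests` should exclude only the top-level tests directory, while `tests` excludes a directory of that name anywhere in the tree. Getting this wrong in either direction either leaves files unscanned or silently drops the exclusion, so the distinction is worth seeing in code. The matcher below is an added example, not Semgrep's own implementation; it follows the gitignore conventions Semgrep's ignore files are modelled on (leading `/` or an interior `/` anchors the pattern, a trailing `/` matches directories only, `*` is a per-segment wildcard), and the `.semgrepignore` contents and target list are constructed for the example.

```python
"""Added example (not Semgrep's own code): gitignore-style filtering of scan
targets that honours anchored patterns such as "/tests". Subset of the
grammar supported, by assumption: leading '/' or an interior '/' anchors the
pattern at the repository root, trailing '/' restricts it to directories,
'*' and '?' wildcards apply within one path segment, '#' starts a comment."""

import fnmatch
from typing import Iterable, List


def _segments(path: str) -> List[str]:
    return [s for s in path.strip("/").split("/") if s]


def pattern_matches(pattern: str, path: str) -> bool:
    """Return True if `pattern` ignores `path` (a file path relative to the repo root)."""
    pattern = pattern.strip()
    if not pattern or pattern.startswith("#"):
        return False
    # gitignore semantics: a slash anywhere except the very end anchors the pattern.
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    dir_only = pattern.endswith("/")
    pat_segs = _segments(pattern)
    path_segs = _segments(path)
    if not pat_segs:
        return False
    n = len(pat_segs)
    # A directory pattern must match a strict prefix of the path (the file lives
    # below it); a file pattern may also match the final segment itself.
    last_start = len(path_segs) - n - (1 if dir_only else 0)
    if last_start < 0:
        return False
    starts: Iterable[int] = [0] if anchored else range(last_start + 1)
    for s in starts:
        window = path_segs[s:s + n]
        if all(fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(window, pat_segs)):
            return True
    return False


def filter_targets(targets: Iterable[str], ignore_patterns: Iterable[str]) -> List[str]:
    """Keep only the targets that no ignore pattern matches."""
    patterns = list(ignore_patterns)
    return [t for t in targets if not any(pattern_matches(p, t) for p in patterns)]


# Constructed .semgrepignore for this example.
SEMGREPIGNORE = """
# anchored: only the tests directory at the repository root
/tests
# directories named build, anywhere
build/
*.min.js
# an interior slash anchors too
docs/drafts
"""

# Constructed target list; comments state the expected decision.
TARGETS = [
    "src/app.py",               # kept
    "tests/test_app.py",        # ignored by the anchored /tests
    "src/tests/helpers.py",     # kept: /tests does not reach nested tests directories
    "build/out.o",              # ignored by build/
    "build",                    # kept: a *file* named build is not matched by build/
    "dist/app.min.js",          # ignored by *.min.js
    "docs/drafts/todo.md",      # ignored by docs/drafts
    "vendor/docs/drafts/x.md",  # kept: docs/drafts is anchored at the root
]


def scan_targets() -> List[str]:
    return filter_targets(TARGETS, SEMGREPIGNORE.splitlines())


if __name__ == "__main__":
    for t in scan_targets():
        print("scan:", t)
```

The point of the test cases is the pair `tests/test_app.py` versus `src/tests/helpers.py`: a matcher that strips the leading slash and treats `/tests` like `tests` would exclude both, and one that skips anchored patterns entirely would scan both.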

โ›“๏ธ Semgrep Supply Chainโ€‹

Addedโ€‹

  • Supply Chain now provides reachability analysis for Scala and Swift.

Changed

  • Parsers for poetry.lock and pyproject.toml now handle multi-line strings.
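Why multi-line strings matter for a lockfile parser: a line-oriented reader that does not track triple-quoted values will interpret anything inside a multi-line `description` as structure, and can invent or mislabel packages. The parser below is an added example, not Semgrep's Supply Chain parser; the poetry.lock content is constructed for the example, and the TOML subset handled (`[[package]]` arrays, `[x.y]` tables, quoted scalars, booleans, `"""` and `'''` strings, comments) is an assumption about what such a lockfile needs.

```python
"""Added example (not Semgrep's own parser): read (name, version) pairs from a
poetry.lock while tracking TOML multi-line strings, so that lines inside a
triple-quoted value are never mistaken for a [[package]] header or a key.
The lock file below is constructed. TOML subset handled, by assumption:
[[package]] arrays, [x.y] tables, "string" scalars, booleans, triple-quoted
multi-line strings and '#' comments; arrays are kept verbatim."""

import re
from typing import Dict, List, Optional, Tuple

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*)$")
TRIPLE = ('"""', "'''")


def _scalar(raw: str):
    """Decode a single-line TOML value as far as a lock file needs."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return raw  # arrays / inline tables: not needed here, kept as text


def parse_poetry_lock(text: str) -> List[Dict[str, object]]:
    packages: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None  # the [[package]] being filled
    in_package_table = False                      # True only directly under [[package]]
    ml_delim: Optional[str] = None                # open triple-quote delimiter, if any
    ml_key, ml_lines = "", []                     # key and collected lines of that value

    for line in text.splitlines():
        if ml_delim is not None:
            # Inside a multi-line string: everything is data until the closing delimiter.
            if ml_delim in line:
                ml_lines.append(line[: line.index(ml_delim)])
                current[ml_key] = "\n".join(ml_lines).strip("\n")
                ml_delim = None
            else:
                ml_lines.append(line)
            continue

        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "[[package]]":
            current = {}
            packages.append(current)
            in_package_table = True
            continue
        if stripped.startswith("["):
            in_package_table = False  # e.g. [package.dependencies], [metadata]
            continue

        m = KEY_RE.match(line)
        if not m or current is None or not in_package_table:
            continue
        key, raw = m.group(1), m.group(2).strip()
        delim = next((d for d in TRIPLE if raw.startswith(d)), None)
        if delim is None:
            current[key] = _scalar(raw)
        elif delim in raw[3:]:
            current[key] = raw[3:raw.index(delim, 3)]  # opened and closed on one line
        else:
            ml_delim, ml_key, ml_lines = delim, key, [raw[3:]]

    if ml_delim is not None:
        raise ValueError("unterminated multi-line string")
    return packages


def locked_versions(text: str) -> List[Tuple[str, str]]:
    return [(str(p["name"]), str(p["version"])) for p in parse_poetry_lock(text)]


def naive_locked_versions(text: str) -> List[Tuple[str, str]]:
    """Contrast: a reader with no notion of multi-line strings. It treats the
    [[package]] / name / version lines inside a description as real entries."""
    out: List[Tuple[str, str]] = []
    name = version = None
    for line in text.splitlines():
        s = line.strip()
        if s == "[[package]]":
            if name and version:
                out.append((name, version))
            name = version = None
        elif s.startswith("name = "):
            name = _scalar(s[len("name = "):])
        elif s.startswith("version = "):
            version = _scalar(s[len("version = "):])
    if name and version:
        out.append((name, version))
    return out


# Constructed poetry.lock: the first description is a multi-line string whose
# body deliberately looks like another package entry.
LOCK = '''# This file is automatically @generated by Poetry and should not be changed by hand.

[[package]]
name = "requests"
version = "2.31.0"
description = """
HTTP library.
[[package]]
name = "not-a-package"
version = "0.0.0"
"""
optional = false
python-versions = ">=3.7"

[package.dependencies]
urllib3 = ">=1.21.1,<3"

[[package]]
name = "urllib3"
version = "2.2.1"
description = "HTTP library with thread-safe connection pooling."
optional = false
python-versions = ">=3.8"

[metadata]
lock-version = "2.0"
'''

if __name__ == "__main__":
    print("multi-line aware:", locked_versions(LOCK))
    print("naive:           ", naive_locked_versions(LOCK))
```

The naive reader reports a phantom `not-a-package` entry, which in a reachability or vulnerability lookup would be matched against advisories that do not apply to the project; the state-tracking reader returns only the two real packages.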

Fixed

  • Fixed an issue where the Gradle parser failed to parse the lockfile if it didn't start with a specific block comment. Semgrep now ignores the comment, allowing any or no comment to exist.

🤖 Semgrep Assistant

Added

  • Added Assistant-generated component tags for Semgrep Supply Chain and Semgrep Secrets findings.
  • Added support for Google Gemini.

๐Ÿ” Semgrep Secretsโ€‹

Addedโ€‹

  • Added the ability to validate temporary AWS tokens.

๐Ÿ“ Documentation and knowledge baseโ€‹

Addedโ€‹

Changedโ€‹

Fixedโ€‹

  • Improved site readability in mobile devices.

Removed

  • Removed pattern-not versus pattern-not-inside video.

๐Ÿ”ง OSS Engineโ€‹

  • The following versions of the OSS Engine were released in November 2024:
