
    Rule updates

    Welcome to the monthly rule updates. This document lists selected new rules and rule updates that remove or reduce false positives (FP) and false negatives (FN). These rules and their updates are contributed by the Semgrep community and Semgrep, Inc.

    February 2023

    Community rules

    Thanks to Sjord, @artem-fedorov and @gabriellesc for their contributions!

    New rules from Semgrep community and Semgrep, Inc

    Updated Community rules

    Pro rules

    New Pro rules

    • Improved coverage for:
      • Deserialization issues in Java
      • Deserialization issues in Python
      • Weak hash algorithms in JavaScript
      • NoSQL injection in Java
      • NoSQL injection in JavaScript
      • ReDOS in JavaScript

    January 2023

    Community rules

    New rules from Semgrep community and Semgrep, Inc

    Updated Community rules

    Pro rules

    The Pro rules are created by Semgrep, Inc and targeted at security and software engineers who need accurate findings. These rules were previously marked as Team tier rules (see the updates below). As of this update, these rules are called the Pro rules and are available with the Team or higher tier.

    New Pro rules

    • New rules for hardcoded secrets:
      • Database libraries for Java
      • Database libraries for Ruby
    • New rules for JavaScript:
      • Weak symmetric cryptography
      • RegExp ReDos
      • XSS
      • Open Redirect
    • New rules for Java:
      • SSRF in Java Servlets and Spring Framework

    Updated Pro rules

    • FP reduction with improved pattern for taint mode:
      • Command Injection in Java Servlets and Spring Framework
      • XSS in Java Spring Framework
      • XXE in Java

    December 2022

    Community tier

    New rules from Semgrep community and Semgrep, Inc

    Updated community tier rules

    Team tier

    New and updated team tier rules

    • New rules for hardcoded secrets:
      • Network libraries for Python and Java
      • Database libraries for Python
      • Generic secrets in JavaScript
    • New rules for Angular
    • New rules for SSRF in JavaScript
    • New rules for Open Redirect in JavaScript
    • Improve existing rules for React to cover more use cases
    • Improve existing rules for hardcoded secrets to cover more use cases
    • Improve existing rules for command injection in JavaScript to cover more use cases
    • FP reduction for existing rules for SQLi in JavaScript
    • FP reduction for existing rules for hardcoded secrets in Python

    November 2022

    Community tier

    New rules from Semgrep community and Semgrep, Inc

    Updated community tier rules

    Metadata required by security category

    All security rules now adopt an improved set of metadata fields. These fields are required when you contribute rules in the security category to the Semgrep Registry. For more details, see the Including fields required by security category section.

    Team tier

    New and updated team tier rules

    • New rules for hardcoded secrets:
      • Database libraries for Python
      • Database libraries for JavaScript and TypeScript
    • Improve existing rules for hardcoded secrets to cover more use cases
    • FP reduction for existing rules for hardcoded secrets
    • FP reduction for Go net/http rules

    October 2022

    Community tier

    New rules from Semgrep community and Semgrep, Inc

    Updated community tier rules

    Team tier

    New team rules

    New rules for the Laravel PHP framework covering the following vulnerability classes:

    • Code injection
    • Command injection
    • SQL injection
    • Path traversal
    • CSRF
    • Cookie security
    • XSS
    • SSRF

    New rules for Go net/http package covering the following vulnerability classes:

    • SQL injection
    • Command injection

    September 2022

    Community tier

    New rules from Semgrep community and Semgrep, Inc

    Changed community tier rules

    New metadata keys

    Semgrep, Inc is adding new metadata fields to better communicate the intent and importance of findings that a rule generates. The following list provides details about new metadata fields:

    • Likelihood: How likely is the impact highlighted by this finding to occur? Examples:
      • Web application user input: HIGH
      • OS environment: MEDIUM
    • Impact: How much damage can this issue cause? Examples:
      • SQL Injection: HIGH
      • Information disclosure: LOW
    • Confidence: How confident is the author that this finding is exploitable? Examples:
      • User input + formatted SQL string + SQL sink + no intermediate function calls: HIGH
      • User input + SQL sink: MEDIUM
      • Formatted SQL string: LOW
    • Subcategory: A list of subcategories that allows the author to specify the intent of the rule. Current values are:
      • Audit: This rule indicates the possible presence of a vulnerability, provided other conditions are present
      • Vuln: This rule is specifically looking for an exploitable vulnerability
    • Additionally, language rulesets (such as p/javascript) have been altered to include only rules that match the following conditions:
      • Subcategory: Vuln
      • Impact: HIGH
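    The metadata fields listed above are what the "Metadata required by security category" note in the November 2022 section refers to. The following added example (written for this page, not code from the Semgrep project) checks a few constructed rules against those requirements and then applies the language-ruleset filter described in the last bullet. The field names `category`, `subcategory`, `likelihood`, `impact` and `confidence` are those used in Semgrep rule metadata; the rules themselves are constructed Python dicts shaped like the parsed `rules:` list of a Semgrep YAML file, with placeholder patterns, and the lowercase `vuln`/`audit` spelling of the subcategory values is assumed.

```python
"""Check Semgrep security-rule metadata (likelihood, impact, confidence,
subcategory) and reproduce the language-ruleset filter: keep only rules
whose subcategory includes vuln and whose impact is HIGH.
Added example; the sample rules below are constructed, not registry rules."""

from typing import Any, Dict, List

LEVELS = {"LOW", "MEDIUM", "HIGH"}          # allowed likelihood/impact/confidence values
SUBCATEGORIES = {"audit", "vuln"}           # current subcategory values (assumed lowercase)
REQUIRED_FIELDS = ("likelihood", "impact", "confidence", "subcategory")

# Constructed rules shaped like a parsed Semgrep rules file. Patterns are
# placeholders because only the metadata matters for these checks.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {
        "id": "example.python.sqli-formatted-string",  # constructed id
        "languages": ["python"], "severity": "ERROR", "pattern": "...",
        "message": "User input reaches a SQL sink through a formatted string.",
        "metadata": {"category": "security", "subcategory": ["vuln"],
                     "likelihood": "HIGH", "impact": "HIGH", "confidence": "HIGH"},
    },
    {
        "id": "example.python.audit.dangerous-subprocess",  # constructed id
        "languages": ["python"], "severity": "WARNING", "pattern": "...",
        "message": "subprocess call; review whether its arguments are attacker controlled.",
        "metadata": {"category": "security", "subcategory": ["audit"],
                     "likelihood": "LOW", "impact": "HIGH", "confidence": "LOW"},
    },
    {
        "id": "example.python.server-header-disclosure",  # constructed id
        "languages": ["python"], "severity": "INFO", "pattern": "...",
        "message": "Response discloses server version information.",
        "metadata": {"category": "security", "subcategory": ["vuln"],
                     "likelihood": "MEDIUM", "impact": "LOW", "confidence": "MEDIUM"},
    },
    {
        "id": "example.python.incomplete-metadata",  # constructed id
        "languages": ["python"], "severity": "ERROR", "pattern": "...",
        "message": "A rule that would be rejected by the contribution checks.",
        "metadata": {"category": "security", "impact": "critical"},
    },
]


def _as_list(value: Any) -> List[Any]:
    """Subcategory is documented as a list; tolerate a bare scalar as well."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_security_metadata(rule: Dict[str, Any]) -> List[str]:
    """Return the metadata problems of one rule; an empty list means it passes.
    Rules outside the security category are not subject to these requirements."""
    md = rule.get("metadata") or {}
    rule_id = rule.get("id", "<no id>")
    if md.get("category") != "security":
        return []
    problems: List[str] = []
    for field in REQUIRED_FIELDS:
        if field not in md:
            problems.append(f"{rule_id}: missing metadata.{field}")
    for field in ("likelihood", "impact", "confidence"):
        if field in md and str(md[field]).upper() not in LEVELS:
            problems.append(f"{rule_id}: metadata.{field} must be LOW, MEDIUM or HIGH, got {md[field]!r}")
    unknown = [v for v in _as_list(md.get("subcategory")) if str(v).lower() not in SUBCATEGORIES]
    if unknown:
        problems.append(f"{rule_id}: unknown subcategory values {unknown}")
    return problems


def validate_rules(rules: List[Dict[str, Any]]) -> List[str]:
    """Flatten the problems of every rule in a rules list."""
    return [p for rule in rules for p in validate_security_metadata(rule)]


def has_subcategory(rule: Dict[str, Any], name: str) -> bool:
    subs = _as_list((rule.get("metadata") or {}).get("subcategory"))
    return any(str(v).lower() == name for v in subs)


def select_language_ruleset(rules: List[Dict[str, Any]]) -> List[str]:
    """Ids a language ruleset such as p/python would keep: subcategory vuln and impact HIGH.
    Audit rules and low-impact rules stay in the registry but drop out of the ruleset."""
    kept = []
    for rule in rules:
        impact = str((rule.get("metadata") or {}).get("impact", "")).upper()
        if has_subcategory(rule, "vuln") and impact == "HIGH":
            kept.append(rule["id"])
    return kept


if __name__ == "__main__":
    for problem in validate_rules(SAMPLE_RULES):
        print("metadata problem:", problem)
    print("language ruleset:", select_language_ruleset(SAMPLE_RULES))
```

    Run as-is it reports four problems for the incomplete rule (three missing fields and an impact value outside LOW/MEDIUM/HIGH) and keeps only the SQL injection rule in the language ruleset: the subprocess rule is excluded because it is an audit rule, and the header-disclosure rule because its impact is LOW, even though both are valid security rules.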

    Updated community tier rules

    Deprecated community tier rules

    These rules no longer produce findings:

    August 2022

    Community tier

    New rules from Semgrep community and Semgrep, Inc

    Updated community tier rules

    Deprecated community tier rules

    Semgrep no longer matches anything with the following rules:

    Team tier

    New Team tier rules

    Updated Team tier rules

    Added more sinks for the following rules:

    July 2022

    New rules from Semgrep community and Semgrep, Inc

    New rules from Semgrep community:

    New rules have been added with taint sources:

    There are now 80 Team tier-only rules covering Java, PHP, JavaScript, and TypeScript available in the Semgrep Registry. These rules are designed to have higher precision and lower false positive rates.

    Rule changes and updates

    Reduced severity to INFO:

    Limit sources to specific properties of Request object rather than all properties:

    The python.lang.security.audit.dangerous rules have been reworked. All Python -dangerous- rules have had their confidence level changed to LOW. Renamed rules:

    Added to p/default (p/default is the ruleset that runs with semgrep --config p/default):

    Removed from p/default in Semgrep Registry:


    Other:
