Skip to main content

    September 2022

    Semgrep App

    Changes

    • The Findings page has been updated with UX/UI improvements to its filtering and triage functions.
    • The Dashboard page has been updated with UI improvements.

    Bug fixes

    • Previously, users could not receive merge request (MR) comments within GitLab repositories. This issue has been fixed. Users can now receive MR comments in GitLab from Semgrep App.
    • Update git URL parser to support optional organization after the hostname. For example https://some.enterprise.scm/myorg/owner/repo.
    • Various fixes and improvements to speed.

    Semgrep CLI

    These release notes include upgrades for versions ranging between 0.112.0 and 0.115.0.

    Additions

    • Exclude rules by ID using CLI flag --exclude-rule. To exclude a specific rule, use for example semgrep --config=auto --exclude RULE_ID. (Issue 2530, PR 5974)

    • You can now have multiple metavariables under focus-metavariable, which allows. Semgrep to highlight the values matched by multiple metavariables more easily in certain circumstances. For more information, see Using multiple focus metavariables documentation. (Issue 5686)

    • You can add tags for specific projects in the Semgrep App on the configuration page of a project. With this update, you can create .semgrepconfig.yml file in the root directory of your repository and add tags in this file also. See Tagging projects.

    • The Semgrep CLI output now displays non-blocking and blocking findings separately. CLI output also provides a list of the blocking rules that matched the code.

    • taint-mode: Experimental support for basic field-sensitive taint tracking. Semgrep can now track x.a and x.b separately, so that for example: x.a can be tainted at the same time as x.b is clean, hence sink(x.a) can produce a finding but sink(x.b) does not. It is also possible for x to be tainted while x.a is clean. As a result, the number of false positives that Semgrep reports is reduced.

    Changes

    • generic mode: Allow text input up to 500 bytes without human-readable indentation. This value is subject to change. This relaxation is intended to facilitate testing a long line without a trailing newline. Semgrep users should not expect files that are not human-readable to be processed by Semgrep's generic mode, or in any mode. (Issues 6071, 6162)

    • Changed behavior for renamed files in diff-aware scans. Semgrep no longer displays old issues to developers when they rename a file. As a result, findings in renamed files are displayed for security engineers but do not block or spam developers. (Issue 6157)

    Additional information

    Minor bug fixes are not included in the release notes unless they are potentially breaking your workflow. To see the complete change notes for Semgrep CLI and CI that include fixes, visit the Semgrep changelog.

    Documentation updates


    Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.