
Releases: semgrep/semgrep

Release v1.100.0

13 Dec 00:51

1.100.0 - 2024-12-12

Added

  • Pro engine now correctly distinguishes overloaded Scala methods based on their
    arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)

Changed

  • The minimum Python version for semgrep is now 3.9.
    We are dropping support for Python 3.8 (python)

Fixed

  • pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
    false negatives when a function updated an arbitrary index, e.g.:

    var x = {};
    
    function foo(k) {
        x[k] = source();
    }
    
    function test(k) {
        foo(k);
        sink(x); // finding here!
    }

    (CODE-7838)
    
  • Fixed bug affecting taint tracking through static fields when mixing accesses
    using the class name and using an instance object, e.g.:

    class C {
        static String s;
    }
    
    ...
    
            C o = new C();
            C.s = taint;
            sink(o.s); // finding!

    (CODE-7871)
    
  • No more RPC error when using --sarif with some join-mode rules.
    Moreover, regular rules without the 'languages:' field will be skipped
    instead of aborting the whole scan. (gh-10723)

Release v1.99.0

05 Dec 22:14

1.99.0 - 2024-12-05

Fixed

  • Fixed the date format used by the --gitlab-sast option so that it matches
    the spec instead of using RFC 3339.
    Thanks to Elias Haeussler for the fix. (saf-1755)

Release v1.97.0

20 Nov 04:17

1.97.0 - 2024-11-19

Added

  • Improved logic for interfile analysis in TypeScript projects using
    project references. (code-7677)
  • Semgrep Pro engine now resolves method invocations on abstract classes. In
    addition to the existing resolution for interface method invocations, this
    change further enhances dataflow tracking accuracy for dynamic method
    invocations. (code-7750)
  • Added the ability to validate temporary AWS tokens in the secrets product. (gh-2554)
  • Poetry.lock & Pyproject.toml parsers can now handle multiline strings. (ssc-1942)

Fixed

  • Improved error handling for some networking errors (e.g., premature server
    disconnection). In some cases these would previously cause a fatal error;
    Semgrep can now recover in most instances. (code-7715)
  • Target file selection in git projects: files containing special characters
    (according to git) are now scanned correctly instead of being ignored. (saf-1687)
  • Swift: Ellipses and metavariable ellipses can now be used as function parameters in patterns. (saf-1721)
  • Semgrep will no longer freeze when tracing is enabled and it has a low memory limit (saf-1722)
  • osemgrep-pro: Autofix and nosemgrep now work properly (saf-1724)

Release v1.96.0

07 Nov 21:24

1.96.0 - 2024-11-07

Added

  • The pro engine now handles duplicate function names in C. When duplicate
    functions are found, we assume that any of the duplicated functions could be
    called. For example, if the function foo is defined in two different files,
    taint errors will be reported for both instances:

    // "a/test.h"
    void foo(int x) {
        //deepruleid: dup-symbols
        sink(x);
    }
    
    // "b/test.h"
    void foo(int x) {
        //deepruleid: dup-symbols
        sink(x);
    }
    
    // "main.c"
    #ifdef HEADER_A
        #include "a/test.h"
    #else
        #include "b/test.h"
    #endif
    
    int main() {
        int x = source();
        foo(x);
    }
    (code-7654)

Changed

  • Reduced memory allocations while processing nosemgrep comments, improving memory use and time for scans with a large number of findings. (nosem-mem)

Fixed

  • Optimized taint-mode (only in Pro) to scale better when there is a large number
    of matches of sources/propagators/sanitizers/sinks within a function. (flow-83)
  • Fixed a bug in the supply chain scanner's gradle lockfile parser. Previously, semgrep would fail to parse
    any gradle lockfile which did not start with a specific block comment. Now, semgrep will parse gradle
    lockfiles correctly by ignoring the comment (allowing any or no comment at all to exist). (gh-10508)
  • Exceptions thrown during the processing of a target should not fail
    the whole scan anymore (regression introduced in 1.94.0). The scan will
    have an exit code of 0 instead of 2 (unless the user passed --strict in which
    case it will exit with code 2). (incid-110)
  • Fix exponential parsing time with generic mode on input containing many
    unclosed braces on the same line. (saf-1667)
  • Fix regexp parsing error occurring during ReDoS analysis when encountering
    a character class starting with [: such as [:a-z]. (saf-1693)
  • Fix in semgrep scan: anchored semgrepignore patterns for folders such
    as /tests are now honored properly. Such patterns previously had no
    effect on target file filtering. (semgrepignore-anchored-dirs)
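
The gradle lockfile fix above (gh-10508) comes down to not depending on a particular header comment. The following Python sketch is an added example, not Semgrep's own parser; the names parse_gradle_lockfile and LockedDep and the com.example coordinates are hypothetical, and it assumes the usual group:name:version=configurations line format with a trailing empty= line.

```python
from typing import List, NamedTuple, Tuple


class LockedDep(NamedTuple):
    group: str
    name: str
    version: str
    configurations: Tuple[str, ...]
    line: int  # 1-based line in the lockfile, useful when reporting findings


def parse_gradle_lockfile(text: str) -> List[LockedDep]:
    """Parse gradle.lockfile text without assuming any particular header."""
    deps = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Comments are optional and may say anything; blank lines are skipped too.
        if not line or line.startswith("#"):
            continue
        coords, sep, configs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: missing '=' in {raw!r}")
        if coords == "empty":
            # 'empty=' names configurations that have no locked dependencies.
            continue
        parts = coords.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected group:name:version, got {coords!r}")
        used_by = tuple(c for c in configs.split(",") if c)
        deps.append(LockedDep(parts[0], parts[1], parts[2], used_by, lineno))
    return deps


# Constructed sample lockfiles: Gradle's usual header, a custom comment, no comment.
STANDARD = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.example:lib-a:1.2.3=compileClasspath,runtimeClasspath
com.example:lib-b:4.5.6=runtimeClasspath
empty=annotationProcessor
"""
CUSTOM_COMMENT = "# regenerated by CI\ncom.example:lib-a:1.2.3=compileClasspath\nempty=\n"
NO_COMMENT = "com.example:lib-a:1.2.3=compileClasspath\nempty=\n"

if __name__ == "__main__":
    for sample in (STANDARD, CUSTOM_COMMENT, NO_COMMENT):
        print([(d.name, d.version, d.line) for d in parse_gradle_lockfile(sample)])
```

Malformed entries raise ValueError with the line number rather than being dropped silently, so a dependency cannot vanish from the inventory unnoticed.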

Release v1.95.0

31 Oct 22:28

1.95.0 - 2024-10-31

Changed

  • Removed the deprecated --enable-experimental-requirements flag. The functionality
    has always been enabled since Semgrep 1.93.0. (ssc-1903)

Fixed

  • osemgrep: Running osemgrep with the Pro Engine now correctly runs rules with proprietary languages (saf-1686)
  • Fixed bug where semgrep would crash if --trace was passed (saf-tracing)

Release v1.94.0

31 Oct 01:00

1.94.0 - 2024-10-30

Fixed

  • pro: taint-mode: Semgrep should no longer confuse a return in a lambda with
    a return in its enclosing function.

    E.g., in the example below, the return value of foo is NOT tainted:

    function foo() {
        bar(() => taint);
        return ok;
    }

    (code-7657)
    
  • OCaml: matching now recognizes "local open", so that a pattern like
    Foo.bar ... will now correctly match code such as let open Foo in bar 1
    or Foo.(bar 1) in addition to the classic Foo.bar 1. (local_open)

  • Project files lacking sufficient read permissions are now skipped gracefully
    by semgrep. (saf-1598)

  • Semgrep will now print stderr and additional debugging info when semgrep-core
    exits with a fatal error code but still returns a JSON response (finishes
    scanning). (saf-1672)

  • semgrep ci should now correctly parse git logs to compute the set of contributors
    even if some authors have special characters in their names. (saf-1681)

Release v1.93.0

23 Oct 17:27

1.93.0 - 2024-10-23

Added

  • Improved naming for CommonJS module imports (require) in arbitrary
    expression contexts. Notably, in-line use of require should now be linked to
    the correct module. For instance, the pattern foo.bar should now match
    against require('foo').bar, and taint is likewise tracked. (code-7485)
  • Secrets: semgrep ci output now includes a list of all secrets rules which
    generated at least one blocking finding (similar to Code) (code-7663)
  • Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
  • Expanded support for pip requirement lockfiles is now available by default. Semgrep will now
    find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt).
    The existing experimental flag --enable-experimental-requirements is now deprecated and
    will be removed in a future release. (gh-2441)

Changed

  • Removed support for Vue. The tree-sitter grammar has not been updated in 3 years,
    no community rules were added, and semgrep-vue causes linking conflicts
    when compiling semgrep under Windows, so it is simpler to remove support for Vue.
    In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

  • semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

Release v1.92.0

17 Oct 11:45

1.92.0 - 2024-10-17

Added

  • Pro: taint-mode: Semgrep now has basic support for tracking taint through
    callbacks when they lead to a sink, e.g.:

    function unsafe_callback(x) {
      sink(x); // finding here now !
    }
    
    function withCallback(val, callback) {
      callback(val);
    }
    
    withCallback(taint, unsafe_callback);

    (code-7476)
    
  • New subcommand dump-cst for tree-sitter languages available via semgrep show. This shows the concrete syntax tree for a given file. (code-7653)

  • Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)

  • Added support for the Move-on-sui language! (sui)

  • Pro-only: semgrep test now supports the --pro flag to not only use pro languages
    but also run the tests with the --pro-intrafile engine flag. If a finding
    is detected only by the pro engine, please use proruleid: instead of ruleid:
    and if an OSS finding is actually a false positive for the pro engine, please
    add the prook: to your test annotation. (test_pro)

Fixed

  • pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
    in the correct dependency order, potentially leading to FNs. (code-7649)

  • Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
    is not enabled. (grow-422)

  • semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)

  • Previously, semgrep failed when --trace-endpoint was specified but --trace was not.

    Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

Release v1.91.0

11 Oct 04:15

1.91.0 - 2024-10-10

Added

  • Type inference in the Pro engine has been improved for class fields in
    TypeScript that are assigned a new instance but lack an explicit type
    definition. When no explicit type is provided for a class field, its type is
    inferred from the type of the expression assigned to it. For example, in the
    class definition class Foo { private readonly bar = new Bar(); }, the type of
    bar is inferred to be Bar. (code-7635)
  • Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)

Fixed

  • Address python rich.errors.LiveError where attempting to display multiple progress bars
    raises an exception as flagged in #10562. (grow-414)
  • C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
  • When a scan runs into an exception, the app is appropriately notified
    about the failure. Previously, in the app, it would seem to the user
    that the scan is still in progress. (sms-502)

Release v1.90.0

26 Sep 01:40

1.90.0 - 2024-09-25

Added

  • Expanded support for requirement lockfiles. Semgrep will now find any *requirement*.txt
    file and lockfiles in a requirements folder (**/requirements/*.txt). This functionality
    will be gated behind the --enable-experimental-requirements CLI flag. (sc-1752)

Changed

  • Security update for code snippet storage & access methods. (gh-2038)

Fixed

  • Errors that occur in semgrep scans with jobs > 1 will now have more detail (SAF-1628)
  • Dockerfile matching: CMD $...ARGS now behaves like CMD ... and matches
    any CMD instruction that uses the array syntax such as CMD ["ls"]. This
    fix also applies to the other command-like instructions RUN
    and ENTRYPOINT. (gh-9726)
  • Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like
    Foo() will now be inferred properly to be of type Foo. (saf-1537)