Release v1.95.0

1.95.0 - 2024-10-31

Changed

• Remove deprecated --enable-experimental-requirements flag. Functionality has
  been always enabled since Semgrep 1.93.0. (ssc-1903)

Fixed

• osemgrep: Running osemgrep with the Pro Engine now correctly runs rules with proprietary languages (saf-1686)
• Fixed bug where semgrep would crash if --trace was passed (saf-tracing)

Release v1.94.0

1.94.0 - 2024-10-30

Fixed

• pro: taint-mode: Semgrep should no longer confuse a return in a lambda with
  a return in its enclosing function.

  E.g. In the example below the return value of foo is NOT tainted:

  function foo() {
      bar(() => taint);
      return ok;
  } (code-7657)
  

• OCaml: matching will now recognized "local open" so that a pattern like
  Foo.bar ... will now correctly match code such as let open Foo in bar 1
  or Foo.(bar 1) in addition to the classic Foo.bar 1. (local_open)

• Project files lacking sufficient read permissions are now skipped gracefully
  by semgrep. (saf-1598)

• Semgrep will now print stderr and additional debugging info when semgrep-core
  exits with a fatal error code but still returns a json repsonse (finishes
  scanning) (saf-1672)

• semgrep ci should parse correctly git logs to compute the set of contributors
  even if some authors have special characters in their names. (saf-1681)

Release v1.93.0

1.93.0 - 2024-10-23

Added

• Improved naming for Common JS module imports (require) in arbitrary
  expression contexts. Notably, in-line use of require should now be linked to
  the correct module. For instance, the pattern foo.bar should now match
  against require('foo').bar and taint is likewise similarily tracked. (code-7485)
• Secrets: semgrep ci output now includes a list of all secrets rules which
  generated at least one blocking finding (similar to Code) (code-7663)
• Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
• Expanded support for pip requirement lockfiles is now available by default. Semgrep will now
  find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt).
  The existing experimental flag --enable-experimental-requirements is now deprecated and
  will be removed in a future release. (gh-2441)

Changed

• Removed support for Vue. The tree-sitter grammar has not been updated in 3 years,
  there was no community rules added and semgrep-vue is causing linking conflicts
  when compiling semgrep under Windows so just simpler to remove support for Vue.
  In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

• semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

Release v1.92.0

1.92.0 - 2024-10-17

Added

• Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
  when they lead to a sink, e.g.:

  function unsafe_callback(x) {
    sink(x); // finding here now !
  }
  
  function withCallback(val, callback) {
    callback(val);
  }
  
  withCallback(taint, unsafe_callback); (code-7476)
  

• New subcommand dump-cst for tree-sitter languages available via semgrep show. This shows the concrete syntax tree for a given file. (code-7653)

• Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)

• Added support for the Move-on-sui language! (sui)

• Pro-only: semgrep test now supports the --pro flag to not only use pro languages
  but also run the tests with the --pro-intrafile engine flag. If a finding
  is detected only by the pro engine, please use proruleid: instead of ruleid:
  and if an OSS finding is actually a false positive for the pro engine, please
  add the prook: to your test annotation. (test_pro)

Fixed

• pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
  in the correct dependency order, potentially leading to FNs. (code-7649)

• Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
  is not enabled. (grow-422)

• semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)

• Previously, semgrep fails when --trace-endpoint is specified, but --trace is not.

  Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

Release v1.91.0

1.91.0 - 2024-10-10

Added

• Type inference in the Pro engine has been improved for class fields in
  TypeScript that are assigned a new instance but lack an explicit type
  definition. When no explicit type is provided for a class field, its type is
  inferred from the type of the expression assigned to it. For example, in the
  class definition class Foo { private readonly bar = new Bar(); }, the type of
  bar is inferred to be Bar. (code-7635)
• Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)

Fixed

• Address python rich.errors.LiveError where attempting to display multiple progress bars
  raises an exception as flagged in #10562. (grow-414)
• C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
• When a scan runs into an exception, the app is appropriately notified
  about the failure. Previously, in the app, it would seem to the user
  that the scan is still in progress. (sms-502)

Release v1.90.0

1.90.0 - 2024-09-25

Added

• Expanded support for requirement lockfiles. Semgrep will now find any *requirement*.txt
  file and lockfiles in a requirements folder (**/requirements/*.txt). This functionality
  will be gated behind the --enable-experimental-requirements CLI flag. (sc-1752)

Changed

• Security update for code snippet storage & access methods. (gh-2038)

Fixed

• Errors that occur in semgrep scans with jobs > 1 will now have more detail (SAF-1628)
• Dockerfile matching: CMD $...ARGS now behaves like CMD ... and matches
  any CMD instruction that uses the array syntax such as CMD ["ls"]. This
  fix also applies to the other command-like instructions RUN
  and ENTRYPOINT. (gh-9726)
• Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like
  Foo() will now be inferred properly to be of type Foo. (saf-1537)

Release v1.89.0

1.89.0 - 2024-09-19

Fixed

• Fix crash on certain SCA parse errors caused by an access to an unbound variable. (gh-2259)

Release v1.88.0

1.88.0 - 2024-09-18

Added

• The dataflow analysis in the Pro engine can now track method invocations on
  variables of an interface type, safely assuming that any implementation of the
  method can be called. For example, tainted input vulnerabilities in both
  implementation classes can now be detected in the following code:

  public interface MovieService {
    String vulnerableInjection(String input);
  }
  
  public class SimpleImpl implements MovieService {
    @Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  public class MoreImpl implements MovieService {
    @Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  public class AppController {
    private MovieService movieService;
  
    public String pwnTest(String taintedInput) {
      return movieService.vulnerableInjection(taintedInput);
    }
  }
  ``` (code-7435)

• Type inference for constructor parameter properties in TypeScript is now
  supported in the Pro engine. For example, the taint analysis can recognize that
  sampleFunction is defined in AbstractedService class in the following code:

  export class AppController {
      constructor(private readonly abstractedService: AbstractedService) {}
  
      async taintTest() {
          const src = source();
          await this.abstractedService.sampleFunction(src);
      }
  }
  ``` (code-7597)
  
  
  

Changed

• include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. (gh-2033)

Release v1.87.0

1.87.0 - 2024-09-13

Added

• Semgrep now infers more accurate type information for class fields in
  TypeScript. This improves taint tracking for dependency injection in
  TypeScript, such as in the following example:

  export class AppController {
      private readonly abstractedService: AbstractedService;
  
      constructor(abstractedService: AbstractedService) {
          this.abstractedService = abstractedService;
      }
  
      async taintTest() {
          const src = taintedSource();
          await this.abstractedService.sinkInHere(src);
      }
  }
  ``` (code-7591)
  

• Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)

• Added support for comparing Golang pre-release versions. With this, strict
  core versions, pseudo-versions and pre-release versions can all be
  compared to each other. (sc-1739)

Changed

• If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
  now try to recover from it and continue the interfile analysis without falling back
  immediately to intrafile analysis. This allows using --max-memory with --pro in
  a more effective way. (flow-81)
• Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)

Fixed

• pro: taint-mode: Restore missing taint findings after having improved index-
  sensitivity:

  def foo(t):
      x = third_party_func(t)
      return x
  
  def test1():
      t = ("ok", taint)
      y = foo(t)
      sink(y) # now it's found! (code-7486)
  

• The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)

Release v1.86.0

1.86.0 - 2024-09-04

Added

• The taint analysis can now track method invocations on variables of an
  interface type, when there is a single implementation. For example, the tainted
  input vulnerability can now be detected in the following code:

  public interface MovieService {
    String vulnerableInjection(String input);
  }
  
  @Service
  public class MovieServiceImpl implements MovieService {
    @Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  @RestController("/")
  public class SpringController {
  
    @Autowired
    private MovieService movieService;
  
    @GetMapping("/pwn")
    public String pwnTest(@RequestParam("input") String taintedInput) {
      return movieService.vulnerableInjection(taintedInput);
    }
  }

  When there are multiple implementations, the taint analysis will not follow any
  of them. We will add handling of cases with multiple implementations in
  upcoming updates. (code-7434)

• Uses of values imported via ECMAScript default imports (e.g., import example from 'mod';) can now be matched by qualified name patterns (e.g.,
  mod.default). (code-7463)

• Pro: taint-mode: Allow (experimental) control taint to propagate through returns.

  Now this taint rule:

  pattern-sources:
  - control: true
    pattern: taint()
  pattern-sinks:
  - pattern: sink()
  

  It is able to find this:

  def foo():
    taint()
  
  def test():
    foo()
    sink() # now it is found! (code-7490)
  

• A new flag --max-log-list-entries allows to control the
  maximum number of entries that will be shown in the log (e.g.,
  list of rule ids, list of skipped files).
  A zero or negative value disables this filter.
  The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)

Changed

• Semgrep will now log memory-related warnings/errors when run in --debug mode,
  without the need to set SEMGREP_LOG_SRCS=process_limits. (logging)

Fixed

• Fixed inter-file constant propagation to prevent some definitions from being
  incorrectly identified as constant, when they are modified in other parts of
  the codebase. (code-6793)

• pro: taint-mode: Fixed bug in taint signature instantiation that could cause an
  update to a field in a nested object to not be tracked.

  For example, in the code below, Semgrep knew that Nested.update updates the
  fld attribute of a Nested object. But due to this bug, Semgrep would not know that Wrapper.updateupdated thefldattribute of thenestedobject attribute in aWrapper` object.

  public class Nested {
  
      private String fld;
  
      public void update(String str) {
          fld = str;
      }
  
      // ...
  }
  
  public class Wrapper {
  
      private Nested nested;
  
      public void update(String str) {
          this.nested.update(str);
      }
  
  // ...
  } (code-7499)
  

• Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)

• Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)

• Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)

• Fixed regex-fix numbered capture groups, where it used to be the case that
  a replacement: regex with numbered capture groups like \1\2\3 would effectivly
  be the same as \1\1\1.

  After the fix:

  # src.py
  12345

  pattern: $X
  fix-regex:
        regex: (1)(2)(3)(4)(5)
        replacement: \5\4\3\2\1

  actually results in the fix

  54321
  ``` (saf-1497)