Releases: semgrep/semgrep
Release v1.112.0
1.112.0 - 2025-03-13
Added
- TypeScript parser now allows ellipses in class bodies. For example, you can
  now write a pattern like:
  ```
  class $C { ... $FUNC() { ... } ... }
  ```
  (code-8242)
- Semgrep now presents more detailed information when a scan completes, such as the percentage of lines that were scanned. The summary is also formatted in a new manner. (saf-details)
- Verbose output now prints additional information about parsing and internal Semgrep errors, such as the percentage of lines that were skipped and the lines on which the errors occurred. (saf-verbose)
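As an added example (not from the Semgrep changelog), the rule below uses the class-body ellipsis pattern from the first item above to flag TypeScript class methods that hand a non-literal argument to `eval()`, wherever the method sits among the class's other members. The rule id and message are assumptions, as is `$FUNC(...)` accepting any parameter list the way it does for ordinary function patterns.

```yaml
rules:
  - id: ts-class-method-calls-eval   # hypothetical rule id
    languages: [typescript]
    severity: WARNING
    message: >-
      Method $FUNC of class $C passes $X to eval(); evaluating non-literal
      input is a code-injection risk, so parse or validate it instead.
    patterns:
      # Ellipses in the class body (allowed since 1.112.0) let the pattern
      # match the method regardless of which members come before or after it;
      # the inner ellipses match any statements around the eval() call.
      - pattern: |
          class $C {
            ...
            $FUNC(...) {
              ...
              eval($X);
              ...
            }
            ...
          }
      # Skip plain string literals, which cannot carry attacker-controlled input.
      - metavariable-pattern:
          metavariable: $X
          patterns:
            - pattern: $ANY
            - pattern-not: '"..."'
```

Run it as `semgrep --config rule.yaml target.ts`; a method such as `run(cmd: string) { eval(cmd); }` is reported, while `eval("1+1")` is not.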
Fixed
- pro: Fixed bug in (experimental) "at-exit" sinks feature that would prevent
  the identification of a statement like `return foo()` as one such sink. (code-8199)
- FIX: `--gitlab-secrets` output has been updated to conform to the GitLab JSON
  schema. (scrt-849)
- The behavior of `--semgrepignore-v2` changed to be closer to the legacy
  Semgrepignore v1. `.gitignore` files are no longer loaded automatically
  as part of the Semgrepignore v2 exclusion mechanism. Loading a `.gitignore`
  file must be done by placing `:include .gitignore` in the `.semgrepignore` file,
  as was the case with Semgrepignore v1. (semgrepignore-v1-compat)
Release v1.111.0
1.111.0 - 2025-03-04
Changed
- Removed `.semgrepignore` file lookup using the
  `SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE` environment variable. This was
  used by semgrep-action, which has been deprecated. (semgrep-action)
Fixed
- pro: Fixed bug that could prevent taint tracking from following a virtual call
  in JS/TS. (code-8065)
- PRO: Restricted heuristic search of the Python module path to paths only under
  the project root to reduce inaccuracies in module resolution. This change
  mitigates the risk of resolving module specifiers to incorrect paths,
  particularly in cases involving common library names (e.g., `django`). (code-8146)
- Fix the incorrect schema and analysis type in the JSON output of the secret
  findings when using the `--gitlab-secrets` flag. (scrt-833)
Release v1.110.0
1.110.0 - 2025-02-26
Added
- pro: Inter-file analysis will now process JavaScript and TypeScript files
  together, so that taint can be tracked across both languages. (code-8076)
- Pro: new `metavariable-name` operator which allows for expressing a constraint
  against the fully qualified name or nearest equivalent of a metavariable
  (useful mainly in JavaScript and TypeScript, where there is no first-class
  syntax for this, or where such names or pseudo-names contain symbols which
  cannot appear in identifiers). Requires pro naming passes and works best with
  interfile naming. Additional documentation forthcoming. (code-8121)
Changed
- Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our PyPI and Homebrew distributions. Our Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. (ocaml5)
Fixed
- Fixed a regression in pro interfile mode where type inference for the `var`
  keyword in Java was not functioning correctly. (code-7991)
- PRO: Fix the `range not found` error when using a metavariable pattern match on
  a typed metavariable. For example, the following metavariable pattern rule will
  no longer trigger the error:
  ```yaml
  patterns:
    - pattern: ($FOO $VAR).bar()
    - metavariable-pattern:
        metavariable: $FOO
        pattern-either:
          - pattern: org.foo.Foo
  ```
  (code-8007)
- lsp will no longer send diagnostics where the message is `MarkupContent`, since
  our current implementation does not discriminate on the client capability for
  receiving such diagnostics (to be added in 3.18). (code-8120)
- Yarn.lock parser now correctly denotes NPM organization scope. (sc-2107)
- Packages in `Package.resolved` without a version are now ignored. (sc-2116)
- Updated `Package.swift` parser to support:
  - The url value in a .package entry doesn't have to end with .git
  - You can have an exact field that looks like `exact: "1.0.0"` instead of `.exact("1.0.0")`
  - The exact version can be an object like `Version(1,2,3)` instead of a string
  - You can have .package values with no url, like this: `.package(name: "package", path: "foo/bar")`
  (sc-2117)
Release v1.109.0
1.109.0 - 2025-02-19
Changed
- Pyproject.toml files are now parsed using a toml parser (tomli). (sc-2054)
Fixed
- pro: taint-mode: Fixed limitation in custom taint propagators.
  See https://semgrep.dev/playground/s/ReJQO (code-7967)
- taint-mode: Disable symbolic-propagation when matching taint propagators
  to prevent unintended interactions. See https://semgrep.dev/playground/s/7KE0k. (code-8054)
- Fixed pattern match deduplication to avoid an O(n^2) worst-case complexity, and
  optimized the matching of ordered `..., PAT, ...` patterns. (saf-682)
Release v1.108.0
1.108.0 - 2025-02-12
Added
- pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)
Changed
- Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
- The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and
  "semgrep.policy:" are now filtered from the JSON output unless you
  are logged in with the Semgrep appsec platform.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
- The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)
Fixed
- Failures in `git worktree remove` are now handled more gracefully.
  Instead of erroring, we continue to scan so that the user can still get results, but
  log the error. This change also adds a guard so that this failure is less likely to happen
  and will include more debugging information when it does. (sms-521)
Release v1.107.0
1.107.0 - 2025-02-04
Added
- More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
- Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)
Fixed
- The pro engine now respects the correct order of field resolution in Scala's
  multiple inheritance. The type that appears later takes precedence when
  resolving fields. For example, in `class A extends B with C with D`, the order
  of precedence is D, C, B, and A. (code-7891)
- pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
- pro: python: Fixed resolution of calls to the implementation of abstract methods.
  See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
- Fixed `semgrep ci --help` to not include experimental options
  like `--semgrep-branch`. (saf-1746)
- Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
- Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)
Infra/Release Changes
- Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)
Release v1.106.0
1.106.0 - 2025-01-29
See 1.105.0 Changelog:
1.105.0 - 2025-01-29
Added
- Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)
Changed
- Added extra defensive try/catch around lockfile parsing (parsing)
Fixed
- LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
- Some bug fixes to pnpm lockfile parsing. (gh-2955)
- Fix npm aliasing bug in yarn parser. (sc-2052)
- Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)
Release v1.104.0
1.104.0 - 2025-01-22
Changed
- Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)
Fixed
- pro: Fixed bug in inter-file matching of subtypes. When looking to match some
  type `A`, Semgrep will match any type `B` that is a subtype of `A`, but in certain
  situations this did not work. (code-7963)
- taint-mode: Make traces record assignments that transfer taint via shapes.
  For example, in code like:
  ```java
  B b = new B(taint);
  B b1 = b;
  sink(b1.getTaintedData());
  ```
  The assignment `b1 = b` should be recorded in the trace but previously it was not. (code-7966)
- Python: Parser updated to the most recent tree-sitter grammar.
  Parse rate from 99.8% -> 99.998%. (saf-1810)
Release v1.103.0
1.103.0 - 2025-01-15
Added
- pro: taint: Support for lambdas as callbacks.
  ```javascript
  var tainted = source();
  function withCallback1(val, callback) {
    if (val) {
      callback(val);
    }
  }
  withCallback1(tainted, function (val) {
    sink(val); // finding !
  });
  ```
  (code-7626)
- pro: python: Semgrep will now consider top-level lambdas like `x` below for
  inter-procedural analysis:
  ```python
  x = lambda s: sink(s)  # now we get a finding !
  x(taint)
  ```
  (gh-10731)
Changed
- Removed `pip` from the Semgrep Docker image. If you need it, you may install it
  by running `apk add py3-pip`. (saf-1774)
Fixed
- Python: Now correctly parsing files with parenthesized `with`s, like this:
  ```python
  with (
      f() as a,
      g() as b,
  ):
      pass
  ```
  (saf-1802)
- Semgrep will now truncate error messages that are produced when they are very long (saf-333)
Release v1.102.0
1.102.0 - 2025-01-08
Added
- Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
- Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
- The poetry.lock parser can now parse dependency relationships (ssc-1970)
- The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)
Fixed
- The `semgrep test` and `semgrep validate` commands have been
  correctly documented as EXPERIMENTAL (in `semgrep --help`).
  Those commands are not GA yet and people should still
  use the `semgrep scan --test` and `semgrep scan --validate` (or
  the variants without the implicit "scan") commands (unless
  they want to experiment with getting results faster and are ok
  with incomplete coverage of the legacy `semgrep --test`
  and `semgrep --validate`). (experimental)
- Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
- Fix the behavior of semgrep when running into broken symlinks.
  If such a path is passed explicitly as a scanning root on the
  command line, it results in an error. Otherwise, if it's a file discovered
  while scanning the file system, it's a warning. (saf-1776)
- Fixed another crash due to an exception in lines_of_file. The code
  should now be more robust and not abort the whole scan when
  an out-of-bound line access happens during the nosemgrep analysis
  or when outputting the lines of a match. (saf-1778)
- Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)