Releases: semgrep/semgrep-interfaces
Release v1.86.0
1.86.0 - 2024-09-04
Added
-
The taint analysis can now track method invocations on variables of an
interface type, when there is a single implementation. For example, the tainted
input vulnerability can now be detected in the following code:public interface MovieService { String vulnerableInjection(String input); } @Service public class MovieServiceImpl implements MovieService { @Override public String vulnerableInjection(String input) { return sink(input); } } @RestController("/") public class SpringController { @Autowired private MovieService movieService; @GetMapping("/pwn") public String pwnTest(@RequestParam("input") String taintedInput) { return movieService.vulnerableInjection(taintedInput); } }
When there are multiple implementations, the taint analysis will not follow any
of them. We will add handling of cases with multiple implementations in
upcoming updates. (code-7434) -
Uses of values imported via ECMAScript
defaultimports (e.g.,import example from 'mod';) can now be matched by qualified name patterns (e.g.,
mod.default). (code-7463) -
Pro: taint-mode: Allow (experimental) control taint to propagate through
returns.Now this taint rule:
pattern-sources: - control: true pattern: taint() pattern-sinks: - pattern: sink()It is able to find this:
def foo(): taint() def test(): foo() sink() # now it is found! (code-7490) -
A new flag --max-log-list-entries allows to control the
maximum number of entries that will be shown in the log (e.g.,
list of rule ids, list of skipped files).
A zero or negative value disables this filter.
The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)
Changed
- Semgrep will now log memory-related warnings/errors when run in
--debugmode,
without the need to setSEMGREP_LOG_SRCS=process_limits. (logging)
Fixed
-
Fixed inter-file constant propagation to prevent some definitions from being
incorrectly identified as constant, when they are modified in other parts of
the codebase. (code-6793) -
pro: taint-mode: Fixed bug in taint signature instantiation that could cause an
update to a field in a nested object to not be tracked.For example, in the code below, Semgrep knew that
Nested.updateupdates the
fldattribute of aNestedobject. But due to this bug, Semgrep would not know thatWrapper.updateupdated thefldattribute of thenestedobject attribute in aWrapper` object.public class Nested { private String fld; public void update(String str) { fld = str; } // ... } public class Wrapper { private Nested nested; public void update(String str) { this.nested.update(str); } // ... } (code-7499) -
Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)
-
Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)
-
Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)
-
Fixed regex-fix numbered capture groups, where it used to be the case that
areplacement:regex with numbered capture groups like\1\2\3would effectivly
be the same as\1\1\1.After the fix:
# src.py 12345
pattern: $X fix-regex: regex: (1)(2)(3)(4)(5) replacement: \5\4\3\2\1
actually results in the fix
54321 ``` (saf-1497)
Release v1.85.0
1.85.0 - 2024-08-15
Added
- Semgrep now recognizes files ending with the extention
.tfvarsas terraform files (saf-1481)
Changed
- The use of --debug will not generate anymore profiling information.
Use --time instead. (debug) - Updated link to the Supply Chain findings page on Semgrep AppSec Platform to filter to the specific repository and ref the findings are detected on. (secw-2395)
Fixed
-
Fixed an error with julia list comprehentions where the pattern:
[$A for $B in $C]would match
[x for y in z]
However we would only get one binding [$A/x]
Behavior after fix: we get three bindings [$A/x,$B/y,$C/z] (saf-1480)
Release v1.84.1
1.84.1 - 2024-08-07
No significant changes.
Release v1.84.0
1.84.0 - 2024-08-06
Changed
- We switch from magenta to yellow when highlighting matches
with the medium or warning severity. We now use magenta for
cricical severity to be consistent with other tools such
as npm. (color)
Fixed
- Workaround deadlock when interfile is run with j>1 and tracing is enabled. (saf-1157)
- Fixed file count to report the accurate number of files scanned by generic & regex
so that no double counting occurs. (saf-507)
Release v1.83.0
1.83.0 - 2024-08-02
Added
- Dockerfile: Allow Semgrep Ellipsis (...) in patterns for HEALTHCHECK commands. (saf-1441)
Fixed
- The use of --debug should generate now far less log entries.
Moreover, when the number of ignored files, or rules, or
other entities exceed a big number, we instead replace them
with a in the output to keep the output of semgrep
small. (debuglogs) - Fixed a bug introduced in 1.81.0 which caused files ignored for the Code
product but not the Secrets product to fail to be scanned for secrets.
Files that were not ignored for either product were not affected. (saf-1459)
Release v1.82.0
1.82.0 - 2024-07-30
Added
- Added
testsuite/as a filepath to the default value for.semgrepignore. (gh-1876)
Changed
- Update the library definitions for Java for the latest version of the JDK. (java-library-definitions)
Fixed
-
Fixed metavariable comparison in step mode.
Used to be that the rule:
steps: - languages: [python] patterns: - pattern: x = f($VAR); - languages: [generic] patterns: - pattern-either: - patterns: - pattern: HI $VAR
Wouldn't match, as one is an identifier, and the other an expression that has a
string literal. The fix was chainging the equality used. (saf-1061)
Release v1.81.0
1.81.0 - 2024-07-24
Changed
- The --debug option will now display logging information from the semgrep-core
binary directly, without waiting that the semgrep-core program finish. (incremental_debug)
Fixed
-
C++: Scanning a project with header files (.h) now no longer causes a
spurious warnings that the file is being skipped, or not analyzed. (code-6899) -
Semgrep will now be more strict (as it should be) when unifying identifiers.
Patterns like the one below may not longer work, particularly in Semgrep Pro:
patterns: - pattern-inside: | class A: ... def $F(...): ... ... ... - pattern-inside: | class B: ... def $F(...): ... ... ...Even if two classes
AandBmay both have a method namedfoo, these methods
are not the same, and their ids are not unifiable via$F. The right way of doing
this in Semgrep is the following:patterns: - pattern-inside: | class A: ... def $F1(...): ... ... ... - pattern-inside: | class B: ... def $F2(...): ... ... ... - metavariable-comparison: comparison: str($F1) == str($F2)We use a different metavariable to match each method, then we check whether they
have the same name (i.e., same string). (code-7336) -
In the app, you can configure Secrets ignores separately from Code/SSC ignores. However, the
files that were ignored by Code/SSC and not Secrets were still being scanned during the
preprocessing stage for interfile analysis. This caused significantly longer scan times than
expected for some users, since those ignored files can ignore library code. This PR fixes that
behavior and makes Code/SSC ignores apply as expected. (saf-1087) -
Fixed typo that prevented users from using "--junit-xml-output" flag and added a tests that invokes the flag. (saf-1437)
Release v1.80.0
1.80.0 - 2024-07-18
Added
-
OSemgrep now can take
--exclude-minified-filesto skip minified files. Additionally--no-exclude-minified-fileswill disable this option. It is off by default. (cdx-460) -
Users are now required to login before using semgrep scan --pro.
Previously, semgrep will tell the users to log in, but the scan will still continue.
With this change, semgrep will tell the users to log in and stop the scan. (saf-1137)
Fixed
-
The language server no longer scans large or minified files (cdx-460)
-
Pro: Improved module resolution for Python. Imports like
from a.b import cwhere
cis a module will now be resolved by Semgrep. And, if a module cannot be found
in the search path, Semgrep will try to heuristically resolve the module by matching
the module specifier against the files that are being scanned. (code-7069) -
A scan can occasionally freeze when using tracing with multiprocesses.
This change disables tracing when scanning each target file unless the scan runs in a single process. (saf-1143)
-
Improved error handling for rules with invalid patterns. Now, scans will still complete and findings from other rules will be reported. (saf-789)
-
The "package-lock.json" parser incorrectly assumed that all paths in the "packages" component of "package-lock.json" started with "node_modules/".
In reality, a dependency can be installed anywhere, so the parser was made more flexible to recognize alternative locations ("node_modules", "lib", etc). (sc-1576)
Release v1.79.0
1.79.0 - 2024-07-10
Added
- Preliminary support for the Move on Aptos language
(see https://aptos.dev/move/move-on-aptos for more info on this language).
Thanks a lot to Zhiping Liao (ArArgon) and Andrea Cappa for their contributions! (move_on_aptos) - The language server now reports number of autofixes and ignores triggered throught IDE integrations when metrics are enabled (pdx-autofix-ignore)
- Added support for comparing Golang Pseudo-versions. After replacing calls to the
packaging module with some custom logic, Pseudo-versions can now be compared against
strict core versions and other pseudo versions accurately. (sc-1601) - We now perform a git gc as a side-effect of historical scans. (scrt-630)
Fixed
-
tainting: Fixed bug in
--pro-intrafilethat caused Semgrep to confuse a parameter
with a top-level function with no arguments that happened to have the same name:def foo taint end def bar(foo) sink(foo) # no more FP here end (code-6923) -
Fixed fatal errors on files containing nosemgrep annotation without
any rule ID after. (nosemgrep_exn) -
Matching explanations: Focus nodes now appear after filter nodes, which is
the correct order of execution of pattern nodes. Filter nodes are now
unreversed. (saf-1127) -
Autofix: Previews in the textual CLI output will now join differing lines
with a space, rather than joining with no whitespace whatsoever. (saf-1135) -
Secrets: resolved some rare instances where historical scans would skip blobs
depending on the structure of the local copy of the repository (i.e., blobs
were only skipped if the specific copy of the git store had a certain
structure). (scrt-630)
Release v1.78.0
1.78.0 - 2024-06-27
Added
-
Matching of fully qualified type names in the metavariable-type operator has
been improved. For example:from a.b import C x = C()The type of
xwill match botha.b.CandC.- pattern: $X = $Y() - metavariable-type: metavariable: $X types: - a.b.C # or C ``` (code-7269)
Fixed
-
Symbolic propagation now works on decorator functions, for example:
x = foo @x() # this is now matched by pattern `@foo()` def test(): pass (code-6634) -
Fixed an issue where Python functions with annotations ending in
endpoint,
route,get,patch,post,put,delete,before_requestor
after_request(i.e., ones we associate with Flask) were incorrectly analyzed
with the Code product in addition to the Secrets product when present in a file
being ignored for Code analysis but included for Secrets. (scrt-609)