Release v1.108.0

1.108.0 - 2025-02-12

Added

• pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)

Changed

• Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
• The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and
  "semgrep.policy:" are now filtered from the JSON output unless you
  are logged in with the Semgrep appsec platform.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
• The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)

Fixed

• This PR changes the way we handle failures in git worktree remove more gracefully.
  Instead of erroring, we continue to scan so that the user can still get results, but
  log the error. It also adds a guard so that this failure is less likely to happen
  and will include more debugging information when it does. (sms-521)

Release v1.107.0

1.107.0 - 2025-02-04

Added

• More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
• Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)

Fixed

• The pro engine now respects the correct order of field resolution in Scala's
  multiple inheritance. The type that appears later takes precedence when
  resolving fields. For example, in class A extends B with C with D, the order
  of precedence is D, C, B, and A. (code-7891)
• pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
• pro: python: Fixed resolution of calls to the implementation of abstract methods.
  See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
• Fixed the semgrep ci --help to not include experimental options
  like --semgrep-branch (saf-1746)
• Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
• Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)

Infra/Release Changes

• Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

Release v1.106.0

1.106.0 - 2025-01-29

See 1.105.0 Changelog:

1.105.0 - 2025-01-29

Added

• Semgrep can dynamically resolve dependencies for C# Solutions denoted by *.csproj (sc-2015)

Changed

• Added extra defensive try/catch around lockfile parsing (parsing)

Fixed

• LSP shortlinks in diagnostics should no longer drop anchors or query parameters in URIs. (gh-10687)
• Some bug fixes to pnpm lockfile parsing. (gh-2955)
• Fix npm aliasing bug in yarn parser. (sc-2052)
• Fixed bug where supply chain diff scans of package-lock.json v2 projects incorrectly produced non-new findings (sc-2060)

Release v1.104.0

1.104.0 - 2025-01-22

Changed

• Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)

Fixed

• pro: Fixed bug in inter-file matching of subtypes. When looking to match some
  type A, Semgrep will match any type B that is a subtype of A, but in certain
  situations this did not work. (code-7963)

• taint-mode: Make traces record assignments that transfer taint via shapes.

  For example, in code like:

  B b = new B(taint);
  B b1 = b;
  sink(b1.getTaintedData());
  

  The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

• Python: Parser updated to the most recent tree-sitter grammar.
  Parse rate from 99.8% -> 99.998%. (saf-1810)

Release v1.103.0

1.103.0 - 2025-01-15

Added

• pro: taint: Support for lambdas as callbacks.

  var tainted = source();
  
  function withCallback1(val, callback) {
      if (val) {
          callback(val);
      }
  }
  
  withCallback1(tainted, function (val) {
      sink(val); // finding !
  }); (code-7626)
  

• pro: python: Semgrep will now consider top-level lambdas like x below for
  inter-procedural analysis:

  x = lambda s: sink(s) # now we get a finding !
  
  x(taint) (gh-10731)
  

Changed

• Removed pip from the Semgrep Docker image. If you need it, you may install it by running apk add py3-pip. (saf-1774)

Fixed

• Python: Now correctly parsing files with parenthesized withs, like this:

  with (
    f() as a,
    g() as b,
  ):
    pass
  ``` (saf-1802)
  

• Semgrep will now truncate error messages that are produced when they are very long (saf-333)

Release v1.102.0

1.102.0 - 2025-01-08

Added

• Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
• Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
• The poetry.lock parser can now parse dependency relationships (ssc-1970)
• The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)

Fixed

• The semgrep test and semgrep validate commands have been
  correctly documented as EXPERIMENTAL (in semgrep --help).
  Those commands are not GA yet and people should still
  use the semgrep scan --test and semgrep scan --validate (or
  the variants without the implicit "scan") commands (unless
  they want to experiment with getting results faster and are ok
  with incomplete coverage of the legacy semgrep --test
  and semgrep --validate). (experimental)
• Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
• Fix the behavior of semgrep when running into broken symlinks.
  If such a path is passed explicitly as a scanning root on the
  command line, it results in an error. Otherwise if it's a file discovered
  while scanning the file system, it's a warning. (saf-1776)
• Fixed another crash due to exception in lines_of_file. The code
  should now be more robust and not abort the whole scan when
  an out of bound line access happens during the nosemgrep analysis
  or when outputing the lines of a match. (saf-1778)
• Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

Release v1.101.0

1.101.0 - 2024-12-18

Added

• Improved pnpm-lock.yaml parsing. (gh-2663)

Changed

• Re-ordered some terminal output of semgrep ci to allow semgrep-app to block scans based on specific findings (SECW-2740)
• A few fields in the JSON output (e.g., "fingerprint", "metavars") require now
  the user to be logged in to see them.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json
  for more information. (json)
• We're renaming semgrep OSS to Semgrep Community Edition.
  See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/
  for more information. (rename)
• A few fields in the SARIF output (e.g., "fingerprints") require now
  the user to be logged in to see them.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif
  for more information. (sarif)

Fixed

• pro: Improved inter-file tracking of tainted global variables. (code-7054)

• Python (pro-only): Taint now correctly tracks through calls to class methods
  within a class, via the cls parameter.

  So for instance, we would be able to determine a source-to-sink
  vulnerability in the following code snippet:

  class A:
    def foo(self, x):
      sink(x)
  
    @classmethod
    def bar(cls):
      cls.foo(source)
  ``` (saf-1765)
  

• pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)

• Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

Release v1.100.0

1.100.0 - 2024-12-12

Added

• Pro engine now correctly distinguishes overloaded Scala methods based on their
  arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)

Changed

• The minimum Python version for semgrep is now 3.9.
  We are dropping support for Python 3.8 (python)

Fixed

• pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
  false negatives when a function updated an arbitrary index, e.g.:

  var x = {};
  
  function foo(k) {
      x[k] = source();
  }
  
  function test(k) {
      foo(k);
      sink(x); // finding here!
  } (CODE-7838)
  

• Fixed bug affecting taint tracking through static fields when mixing accesses
  using the class name and using an instance object, e.g.:

  class C {
      static String s;
  }
  
  ...
  
          C o = new C();
          C.s = taint;
          sink(o.s); // finding ! (CODE-7871)
  

• No more RPC error when using --sarif with some join-mode rules.
  Moreover, regular rules without the 'languages:' field will be skipped
  instead of aborting the whole scan. (gh-10723)

Release v1.99.0

1.99.0 - 2024-12-05

Fixed

• Fix the date format used in --gitlab-sast option to match
  the spec and not use the RFC 3339.
  Thanks to Elias Haeussler for the fix. (saf-1755)

Release v1.98.0

1.98.0 - 2024-12-04

Added

• taint-mode: Semgrep will now track invididual fields/keys in record/dict
  expressions.

  For example, in Semgrep Pro:

  def foo():
      return { 0: "safe", 1: taint }
  
  def test():
      t = foo()
      sink(t[0]) # safe thus NO finding
      sink(t[1]) # finding (code-7781)
  

• The TypeScript parser now supports ellipses in function parameters. For
  example, the following code is TypeScript (as opposed to pure JavaScript)
  because it uses decorators on function parameters:

  foo(x, @Bar() y, z): string { return ''; }
  

  You can match this method using the following pattern:

  function $FN(..., @Bar(...) $X, ...) { ... }
  ``` (code-7800)
  

• [Pro only] Patterns such as new $T(...) will now match C# target-typed new expressions such as new (). (csharp-new)

• Symbolic propagation will now propagate record expressions. (flow-86)

• Adds support for SwiftPM Package.resolved version 3 to Supply Chain (sc-1964)

Changed

• Optimize matching performance of dot access ellipsis (x. ... .foo) on very long strings of dot accesses in source files. (match-perf)
• Renames the flag to enable experimental lockfileless scanning from --allow-dynamic-dependency-resolution to --allow-local-builds to reflect the security risk that enabling the feature introduces. Also removes the opt-out flag, since we do not plan to make the feature enabled by default. (sc-2006)

Fixed

• taint-mode: Fixed what is considered a sink when a sink formula matches a
  lambda expression: it is the lambda itself that is the sink, not the
  individual statements in the lambda.

  Example:

  function test() {
    // no longer generates finding
    // note that `log(taint)` is *not* a sink
    sink(() => { log(taint); return "ok" });
  } (code-7758)
  

• taint-mode: Semgrep will no longer report an unexpected finding in cases like:

  var x = [taint];
  x = ["ok"];
  sink(x); // no finding, x is ok
  

  Variable x will be correctly cleaned after x = ["ok"]. (flow-87)

• Removed the experimental --use-osemgrep-sarif flag. (saf-1703)

• A single carriage return (CR) is not recognized anymore as a
  newline. This avoids out of bound error when reporting findings
  on old windows files using this old format. (saf-1743)