Create summary table of all languages for Code and Supply Chain (#1918)
* begin adding summary table
* update supported languages product summary table
* move some sections down
* begin making more in depth changes
* arranged tables
* separate out code vs ce table, shorten page
* add cleanup
* add the semgrep CE languages to sidebars
* create separate doc for CE languages
* finish up supported languages in semgrep ce
* remove manifest in cell
* update tables
* reachability def
* update with definitions
* remove callout
* Update docs/supported-languages.md
Co-authored-by: Katie Horne <[email protected]>
* try to simplify table
* address review notes
* update header
* clarify the blank values under reachability
---------
Co-authored-by: Katie Horne <[email protected]>
Semgrep CE supports more than two dozen languages. Learn about the language support differences between Semgrep CE and Semgrep Code.
7
+
tags:
8
+
- Semgrep CE
9
+
- Semgrep Code
10
+
---
11
+
12
+
import SupportedLanguagesCe from '/src/components/reference/_supported-languages-ce.md'
13
+
import LanguageMaturityCode from '/src/components/reference/_language-maturity-code.md'
14
+
15
+
# Supported languages for Semgrep CE
16
+
17
+
This document provides information about supported languages for Semgrep Community Edition (Semgrep CE) and Semgrep Code.
18
+
19
+
## Semgrep Code and Community Edition
20
+
21
+
Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. These languages are supported by the Semgrep community, at best effort.
22
+
23
+
Semgrep Code is a static application security testing (SAST) solution designed to detect complex security vulnerabilities. It makes use of proprietary Semgrep analyses, such as cross-file (interfile) dataflow analysis and framework specific analyses, in addition to Semgrep CE. This results in a [**higher true positive rate than Semgrep CE**](/semgrep-pro-vs-oss). Semgrep Code provides the highest quality support by the Semgrep team: reported issues are resolved promptly.
24
+
25
+
Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.
26
+
27
+
<SupportedLanguagesCe />
28
+
29
+
## Language maturity definitions
30
+
31
+
Semgrep Code languages can be classified into four maturity levels:
32
+
33
+
* Generally available (GA)
34
+
* Beta
35
+
* Experimental
36
+
* Community supported\*
37
+
38
+
\*Community supported languages meet the parse rate and syntax requirements of **Experimental** languages. Users can still access community rules or write their own rules.
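Review bot: `LanguageMaturityCode` is imported at the top of this new file, but nothing in the hunk renders `<LanguageMaturityCode />`; either render it under "Language maturity definitions" or drop the import. That section also opens with "Semgrep Code languages can be classified into four maturity levels", repeated verbatim from the Semgrep Code page, on a page titled "Supported languages for Semgrep CE"; state whether the four levels apply to CE as well, or keep only the "Community supported" tier that the CE table actually uses. Minor: "framework specific analyses" should read "framework-specific analyses".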
docs/semgrep-supply-chain/glossary.md
+3-3
@@ -8,6 +8,8 @@ title: Supply Chain glossary
8
8
hide_title: true
9
9
---
10
10
11
+
import DefReachability from "/src/components/concept/_def-reachability.md"
12
+
11
13
# Semgrep Supply Chain glossary
12
14
13
15
The terms and definitions provided here are specific to Semgrep Supply Chain.
@@ -60,9 +62,7 @@ See also [Reachability](#reachability).
60
62
61
63
## Reachability
62
64
63
-
Reachability refers to whether or not a vulnerable piece of code from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.
64
-
65
-
See [Overview of Semgrep Supply Chain](/semgrep-supply-chain/overview) to learn how Semgrep leverages its code-scanning and rule syntax capabilities to provide high-signal rules that determine a finding's reachability. This assists security engineers in remediation and triage processes.
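Review bot: this hunk deletes the Reachability definition paragraph and the "See [Overview of Semgrep Supply Chain]..." sentence, and the header counts one added line (`-60,9 +62,7`) that does not appear in the rendered diff; confirm that `<DefReachability />`, imported in the previous hunk, is rendered under `## Reachability`, otherwise the glossary entry is left empty and the import is unused. Also check that the shared `_def-reachability.md` component still points readers to the overview page, since that cross-reference (and its note on helping remediation and triage) is otherwise lost from the glossary.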
docs/supported-languages.md
+97-87
@@ -12,98 +12,60 @@ title: Supported languages
12
12
13
13
import SupportedLanguagesTable from '/src/components/reference/_supported-languages-table.mdx'
14
14
import SscIntro from "/src/components/concept/_ssc-intro.md"
15
-
15
+
import LanguageMaturityCode from '/src/components/reference/_language-maturity-code.md'
16
16
import SemgrepProEngineIntroduction from "/src/components/concept/_semgrep-pro-engine-introduction.mdx"
17
+
import DefCrossFile from "/src/components/concept/_def-cross-file.mdx"
18
+
import DefCrossFunction from "/src/components/concept/_def-cross-function.mdx"
19
+
import DefReachability from "/src/components/concept/_def-reachability.md"
17
20
18
21
# Supported languages
19
22
20
23
This document provides information about supported languages and language maturity definitions for the following products:
21
24
22
-
* Semgrep Code
23
-
* Semgrep Community Edition (CE)
24
-
* Semgrep Supply Chain
25
-
26
-
## Semgrep Code and Community Edition
25
+
***Semgrep Code (SAST)** - a static application security testing (SAST) solution designed to detect complex security vulnerabilities.
26
+
***Semgrep Supply Chain (SCA)** - a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.
27
27
28
-
Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine. These languages are supported by the Semgrep community, at best effort.
28
+
Semgrep Code and Semgrep Supply Chain are free for [small teams](https://semgrep.dev/pricing).
29
29
30
-
Semgrep Code is a static application security testing (SAST) solution designed to detect complex security vulnerabilities. It makes use of proprietary Semgrep analyses, such as cross-file (interfile) dataflow analysis and framework specific analyses, in addition to Semgrep CE. This results in a [**higher true positive rate than Semgrep CE**](/semgrep-pro-vs-oss). Semgrep Code provides the highest quality support by the Semgrep team: reported issues are resolved promptly.
30
+
## Language maturity summary
31
31
32
-
Use either tool to scan local code or integrate it into your CI/CD pipeline to automate the continuous scanning of your repositories.
32
+
The following table lists all **Generally available (GA)** and **Beta** languages for Semgrep Code and Semgrep Supply Chain.
33
33
34
-
### Language support
35
-
36
-
Semgrep Code supports over 35 languages.
34
+
Languages are arranged by feature completeness from most to least. **Cross-file (interfile)** analysis for Semgrep Code and **reachability** analysis for Semgrep Supply Chain are the most advanced analyses that Semgrep provides; see [Feature definitions](#feature-definitions) for more details.
37
35
38
36
<SupportedLanguagesTable />
39
37
40
-
### Language maturity levels
38
+
### Feature definitions
41
39
42
-
Semgrep Code languages can be classified into four maturity levels:
40
+
<details>
41
+
<summary>Cross-file dataflow analysis</summary>
43
42
44
-
* Generally available (GA)
45
-
* Beta
46
-
* Experimental
47
-
* Community supported\*
43
+
<DefCrossFile />
48
44
49
-
\*Community supported languages meet the parse rate and syntax requirements of **Experimental** languages. Users can still access community rules or write their own rules.
45
+
Languages with cross-file support also include cross-function support.
50
46
51
-
Their differences are outlined in the following table:
47
+
</details>
52
48
53
-
<table>
54
-
<thead><tr>
55
-
<td><strong>Feature</strong></td>
56
-
<td><strong>GA</strong></td>
57
-
<td><strong>Beta</strong></td>
58
-
<td><strong>Experimental</strong></td>
59
-
<td><strong>Community supported</strong></td>
60
-
</tr></thead>
61
-
<tbody>
62
-
<tr>
63
-
<td>Support</td>
64
-
<td>Highest quality support by the Semgrep team. Reported issues are resolved promptly.</td>
65
-
<td>Supported by the Semgrep team. Reported issues are fixed after GA languages.</td>
66
-
<td>There are limitations to this language's functionality. Reported issues are tracked and prioritized with best effort.</td>
67
-
<td>These languages are supported by the Semgrep community. While Semgrep may develop rules or engine updates for these languages, they are not prioritized.</td>
68
-
</tr>
69
-
<tr>
70
-
<td>Parse Rate</td>
71
-
<td>99%+</td>
72
-
<td>95%+</td>
73
-
<td colspan="2">90%+</td>
74
-
</tr>
75
-
<tr>
76
-
<td>Number of Pro rules</td>
77
-
<td>10+</td>
78
-
<td>5+</td>
79
-
<td colspan="2">0+. Query the <a href="https://semgrep.dev/r">Registry</a> to see if any rules exist for your language.</td>
80
-
</tr>
81
-
<tr>
82
-
<td>Semgrep syntax</td>
83
-
<td>Regex, equivalence, deep expression operators, types and typing. All features supported in Beta.</td>
84
-
<td>Complete metavariable support, metavariable equality. All features supported in Experimental.</td>
*[`semgrep-core` test files](https://github.com/semgrep/semgrep/tree/develop/tests)
54
+
<details>
55
+
<summary>Reachability analysis</summary>
56
+
<DefReachability />
94
57
95
-
Visit the Semgrep public language dashboard to see the parse rates for each language
96
-
* See [Parse rates by language](https://dashboard.semgrep.dev/).
58
+
</details>
97
59
98
-
<!-- coupling: If you modify the features in the levels below, change also
99
-
/semgrep/blob/develop/tests/Test.ml and its maturity level regression testing code.
100
-
-->
60
+
:::tip
61
+
See [Language maturity levels](#language-maturity-levels) to learn which features define GA or beta language support.
62
+
:::
101
63
102
-
## Semgrep Supply Chain
64
+
## Semgrep Supply Chain feature maturity
103
65
104
66
<SscIntro/>
105
67
106
-
For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. Some languages, such as Java, have several supported lockfiles, depending on your repository's package manager. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
68
+
For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
107
69
108
70
For some languages, such as JavaScript and Python, a lockfile or manifest file is parsed to determine [transitivity](/docs/semgrep-supply-chain/glossary/#transitive-or-indirect-dependency). For more information on transitivity, see [Transitive dependencies and reachability analysis](/docs/semgrep-supply-chain/overview/#transitive-dependencies-and-reachability-analysis).
109
71
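Review bot: `DefCrossFunction` is imported alongside `DefCrossFile` and `DefReachability`, but only `<DefCrossFile />` and `<DefReachability />` are rendered in the new "Feature definitions" section; cross-function analysis gets a single sentence ("Languages with cross-file support also include cross-function support"), so either render `<DefCrossFunction />` in its own `<details>` block or remove the import. Two further checks: the `:::tip` links to `#language-maturity-levels` while this hunk removes the old `### Language maturity levels` heading, so the anchor now depends on the heading added further down the file; and the two product bullets start with `***Semgrep Code (SAST)**` and `***Semgrep Supply Chain (SCA)**`, which need a space between the list marker `*` and the bold `**` to render as a list rather than unbalanced emphasis. Removing "Semgrep Code supports over 35 languages" and the Java multiple-lockfiles sentence looks intentional, but the product list no longer mentions Semgrep CE; a pointer to the new CE page would keep that information reachable from here.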
@@ -118,7 +80,7 @@ Additionally, Semgrep offers beta support for the scanning of Java projects **wi
@@ -186,7 +152,8 @@ Additionally, Semgrep offers beta support for the scanning of Java projects **wi
186
152
<td>pip</td>
187
153
<tdrowspan="2">Any of the following: <ul><li>`*requirement*.txt` or `*requirement*.pip`</li><li>Any manifest file in a requirements folder, such as `**/requirements/*.txt` or `**/requirements/*.pip`</li></ul> The file must be generated automatically and have values set to exact versions (pinned dependencies).</td>
@@ -208,63 +175,97 @@ Additionally, Semgrep offers beta support for the scanning of Java projects **wi
208
175
<td><code>Gemfile.lock</code></td>
209
176
<tdstyle={{"text-align":"center"}}>GA</td>
210
177
<td>✅</td>
178
+
<tdstyle={{"text-align":"center"}}>GA</td>
211
179
</tr>
212
180
<tr>
213
181
<td>Scala</td>
214
182
<td>Maven</td>
215
183
<td>Maven-generated dependency tree (See <ahref="/docs/semgrep-supply-chain/setup-maven/">Setting up SSC scans for Apache Maven</a> for instructions.)</td>
216
184
<tdstyle={{"text-align":"center"}}>GA</td>
217
185
<td>✅</td>
186
+
<tdstyle={{"text-align":"center"}}>GA</td>
218
187
</tr>
219
188
<tr>
220
189
<td>Swift</td>
221
190
<td>SwiftPM</td>
222
191
<td><code>Package.swift</code> file and Swift-generated <code>Package.resolved</code> file. (See <ahref="https://www.swift.org/documentation/package-manager/">Swift documentation </a> for instructions.)</td>
223
192
<tdstyle={{"text-align":"center"}}>GA</td>
224
-
<td>✅ (License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans.)</td>
193
+
<td>✅<strong>†</strong></td>
194
+
<tdstyle={{"text-align":"center"}}>GA</td>
225
195
</tr>
226
196
<tr>
227
197
<td>Rust</td>
228
198
<td>Cargo*</td>
229
199
<td><code>cargo.lock</code></td>
230
-
<tdstyle={{"text-align":"center"}}>--</td>
200
+
<tdrowspan="4">No reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities.</td>
231
201
<td>✅</td>
232
-
<tdrowspan="5">Not applicable due to reachability support level</td>
202
+
<tdrowspan="4">Not applicable due to reachability support level.</td>
233
203
</tr>
234
204
<tr>
235
205
<td>Dart</td>
236
206
<td>Pub</td>
237
207
<td><code>pubspec.lock</code></td>
238
208
<tdstyle={{"text-align":"center"}}>--</td>
239
-
<td>--</td>
240
209
</tr>
241
210
<tr>
242
211
<td>Elixir</td>
243
212
<td>Hex</td>
244
213
<td><code>mix.lock</code></td>
245
214
<tdstyle={{"text-align":"center"}}>--</td>
246
-
<td>--</td>
247
215
</tr>
248
216
<tr>
249
217
<td>PHP</td>
250
218
<td>Composer</td>
251
219
<td><code>composer.lock</code></td>
252
220
<tdstyle={{"text-align":"center"}}>--</td>
253
-
<td>--</td>
254
221
</tr>
255
222
</tbody>
256
223
</table>
257
224
</div>
258
-
_*Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as **No Reachability Analysis.**_
225
+
_<strong>*</strong>Supply Chain does not analyze the transitivity of packages for these language and manifest file or lockfile combinations. All dependencies are listed as **No Reachability Analysis.**_<br />
226
+
_<strong>†</strong>License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans._
227
+
228
+
#### Reachability support level
229
+
230
+
GA coverage means that Semgrep provides full reachability analysis for that language.
231
+
232
+
#### Rule coverage support level
233
+
234
+
**GA** coverage means that Semgrep provides coverage and rules for the following:
259
235
260
-
### Maturity levels
236
+
- 80% of all **critical** severity CVEs since **2017**
237
+
- 100% of **critical** and **high** severity CVEs since **May 2022**
261
238
262
-
Semgrep Supply Chain has two maturity levels:
239
+
## Language maturity levels
240
+
241
+
### Semgrep Code
242
+
243
+
Semgrep Code languages can be classified into four maturity levels:
244
+
245
+
* Generally available (GA)
246
+
* Beta
247
+
* Experimental
248
+
* Community supported\*
249
+
250
+
\*Community supported languages meet the parse rate and syntax requirements of **Experimental** languages. Users can still access community rules or write their own rules.
251
+
252
+
<details>
253
+
<summary>Click to view table of definitions.</summary>
254
+
255
+
<LanguageMaturityCode />
256
+
257
+
</details>
258
+
259
+
### Semgrep Supply Chain
260
+
261
+
Semgrep Supply Chain has two language maturity levels:
263
262
264
263
* Generally available
265
264
* Beta
266
265
267
-
Their differences are outlined in the following table:
266
+
267
+
<details>
268
+
<summary>Click to view table of definitions.</summary>
268
269
269
270
<table>
270
271
<tr>
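Review bot: the new "Reachability support level" subsection defines only GA ("full reachability analysis"), while the Supply Chain maturity list below has both GA and Beta; add what Beta means for this column, or point to the maturity table, so the `GA` and `--` values in the lockfile table are fully specified. On the table: the Rust row now carries `rowspan="4"` cells for both the reachability column and the "Not applicable" column, while the Dart, Elixir and PHP rows keep their centered `--` cell and lose only the plain `<td>--</td>`; the surviving cell slides into the license column, which renders correctly but leaves a `text-align: center` cell in a column whose other entries are not centered, so deleting the centered cell instead would keep the markup consistent. `rowspan="5"` becoming `4` matches the four rows visible here (Rust, Dart, Elixir, PHP); confirm no fifth row was meant to stay covered. Finally, the four-level Semgrep Code list and the "\*Community supported..." footnote are now duplicated verbatim in the new CE page while only the table is shared via `<LanguageMaturityCode />`; moving the list into that component would avoid drift.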
@@ -275,7 +276,7 @@ Their differences are outlined in the following table:
275
276
<tr>
276
277
<td>Number of reachability rules</td>
277
278
<td>10+</td>
278
-
<td>1+</td>
279
+
<td>No required number</td>
279
280
</tr>
280
281
<tr>
281
282
<td>Semgrep, Inc. rule-writing support</td>
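Review bot: "No required number" for Beta reachability rules reads clearly, but the Semgrep Code maturity table removed earlier in this PR used "0+" for the same idea; if the shared `<LanguageMaturityCode />` component keeps the "0+" convention, consider aligning the two tables so readers compare like with like.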
@@ -289,11 +290,20 @@ Their differences are outlined in the following table:
289
290
</tr>
290
291
</table>
291
292
292
-
:::info Feature and product maturity levels
293
-
* The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
294
-
* Semgrep features and products documented as experimental, beta, or GA generally follow the definitions in a [Software release life cycle](https://en.wikipedia.org/wiki/Software_release_life_cycle).
295
-
:::
293
+
</details>
296
294
297
-
#### Reachability support level
295
+
### Feature and product maturity levels
296
+
297
+
The detailed specifications previously provided apply only to language support. Language maturity levels differ from feature and product maturity levels.
298
+
299
+
## More information
300
+
301
+
Visit the cheat sheet generation script and associated semgrep-core test files to learn more about each feature:
*[`semgrep-core` test files](https://github.com/semgrep/semgrep/tree/develop/tests)
304
+
305
+
To see the **parse rates** for each language, visit the Semgrep [public language dashboard](https://dashboard.semgrep.dev/).
298
306
299
-
Reachability support level refers to the level of support for reachability analysis for the language. At the minimum, Semgrep Supply Chain compares a package's version against a list of versions with known vulnerabilities
307
+
<!-- coupling: If you modify the features in the levels below, change also
308
+
/semgrep/blob/develop/tests/Test.ml and its maturity level regression testing code.
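Review bot: the `<!-- coupling: ... -->` comment is moved to the end of the file but still says "the levels below", and nothing follows it; reword to "the levels above" or move it back above `## Language maturity levels` so the note sits next to the text it guards. The replacement `### Feature and product maturity levels` section keeps only the first bullet of the removed `:::info` admonition and drops the second (that experimental, beta and GA features and products follow the standard Software release life cycle definitions, with its link); restore that sentence unless the omission is deliberate. Under `## More information`, the intro promises both the cheat sheet generation script and the semgrep-core test files, but only the test-files link appears in this hunk; confirm the script link is present on the lines not shown.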