|
| 1 | +--- |
| 2 | +slug: february-2025 |
| 3 | +title: February 2025 |
| 4 | +hide_title: true |
| 5 | +description: >- |
| 6 | + Release notes include the changes, fixes, and additions in specific versions of Semgrep. |
| 7 | +tags: |
| 8 | + - Release notes |
| 9 | +--- |
| 10 | + |
| 11 | +# Semgrep release notes for February 2025 |
| 12 | + |
| 13 | +## 🌐 Semgrep AppSec Platform |
| 14 | + |
| 15 | +### Added |
| 16 | + |
| 17 | +- Semgrep Managed Scans for repositories hosted by **Bitbucket Cloud** is now in public beta. |
| 18 | +- You can now manage your projects' enrollment in Semgrep Managed Scans through the Semgrep API's `/project` and `/project/managed-scan` endpoints. |
| 19 | +- A new **My teams ** view for managers is now in private beta. To join this beta, reach out to [< i class= "fa-regular fa-envelope"></ i> [email protected]](mailto:[email protected]). This view enables managers to view all the teams they are a manager of. |
| 20 | + |
| 21 | +### Changed |
| 22 | + |
| 23 | +- The Semgrep AppSec Platform-specific metadata fields `semgrep.dev:` and `semgrep.policy:` are now filtered from the JSON output if you aren't signed into your Semgrep account. See [Semgrep JSON and SARIF fields](https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json) for more information. |
| 24 | +- The Semgrep Docker image has been updated to use Python 3.12 and OCaml 5.2.1. |
| 25 | +- **CLI**: The output generated from running `semgrep ci --help` no longer includes information about experimental features and flags. |
| 26 | +- **Jira**: Jira tickets for Supply Chain findings now display recommended versions of packages in the description. |
| 27 | + |
| 28 | +### Fixed |
| 29 | + |
| 30 | +- Fixed an issue in Semgrep Editor's Structure Mode where some of the larger language icons overlapped due to limited space. |
| 31 | +- Fixed an issue where the instruction links for adding a CI job all lead to GitHub-specific instructions. |
| 32 | +- Fixed an issue where the Median Open Age chart didn't display all relevant findings. |
| 33 | +- Fixed an issue where Semgrep scans did not complete if there were failures involving `git worktree remove`; instead of erring out, Semgrep completes the scan but logs the error. |
| 34 | + |
| 35 | +## 💻 Semgrep Code |
| 36 | + |
| 37 | +### Added |
| 38 | + |
| 39 | +- Added support for **Critical** severity level to denote the highest severity level for a Code finding. You can now filter by Critical severity level in Semgrep AppSec Platform, and you can filter for and identify rules that generate critical severity findings in the Semgrep Registry. <!-- Copied this over from Secrets since these two notes are almost identical. --> |
| 40 | + - Semgrep Pro rules, which are included in `p/default`, have been updated to use this new severity level. |
| 41 | +- New rules for JavaScript and TypeScript have been added to Semgrep's default ruleset, `p/default`. The new rules cover the OWASP Top 10 and the most popular server-side frameworks, like Express, NestJS, Hapi, and Koa. |
| 42 | +- Cross-file (interfile) analysis now processes JavaScript and TypeScript files together, so that dataflow can be tracked across both languages. |
| 43 | + |
| 44 | +### Changed |
| 45 | + |
| 46 | +- Improved detection for JavaScript and TypeScript dependency injection, import resolution, and dataflow through callbacks. |
| 47 | +- Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for Semgrep PyPI and Homebrew distributions. Note that Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. |
| 48 | + |
| 49 | + |
| 50 | +## ⛓️ Semgrep Supply Chain |
| 51 | + |
| 52 | +### Added |
| 53 | + |
| 54 | +- You can now [configure policies](/semgrep-supply-chain/policies) for Supply Chain findings. These policies let you set certain conditions by which developers are notified of findings through a PR or MR comment, or potentially blocked from merging a PR or MR. |
| 55 | + - For example, you can create a policy to block a PR or MR from merging when a reachable finding with an available fix (upgrade) is detected. |
| 56 | + - Policies can have different scopes, which are the projects or project tags the policies are applied to. |
| 57 | +- Updated `Package.swift` parser to support the following: |
| 58 | + - The URL value in a `.package` entry doesn't have to end with `.git` |
| 59 | + - You can have an exact field that looks like `exact: "1.0.0"` instead of `.exact("1.0.0")` |
| 60 | + - The exact version can be an object like `Version(1,2,3)` instead of a string |
| 61 | + - You can have `.package` values with no URL, like this: `.package(name: "package", path: "foo/bar")` |
| 62 | +- Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. |
| 63 | +- Various parser updates for SwiftPM and Yarn. |
| 64 | + |
| 65 | +## 🤖 Semgrep Assistant |
| 66 | + |
| 67 | +### Added |
| 68 | + |
| 69 | +- Semgrep Assistant is now available for users with repositories hosted by Bitbucket Cloud and Azure DevOps. |
| 70 | + |
| 71 | +### Changed |
| 72 | + |
| 73 | +- Extended the amount of time you see the error message shown if Assistant can't parse or save a memory you provide. This error message includes a link to edit the memory. |
| 74 | + |
| 75 | +### Fixed |
| 76 | + |
| 77 | +- Fixed an issue with the Assistant Analyze button on Semgrep Code's Findings page hiding after analysis. |
| 78 | +- Fixed an issue where remediation guidance included secret key values if present in the source code. |
| 79 | + |
| 80 | +## 🔐 Semgrep Secrets |
| 81 | + |
| 82 | +### Added |
| 83 | + |
| 84 | +- Added support for **Critical** severity level to denote the highest severity level for a Secrets finding. You can now filter by Critical severity level in Semgrep AppSec Platform, and you can filter for and identify rules that generate critical severity findings in the Semgrep Registry. |
| 85 | + |
| 86 | +## 📝 Documentation and knowledge base |
| 87 | + |
| 88 | +### Added |
| 89 | + |
| 90 | +- Added the following new documents, articles, and sections: |
| 91 | + - [View Semgrep findings in Wiz's Security Graph](/semgrep-appsec-platform/wiz). |
| 92 | + - [JavaScript frameworks and analyses](/languages/javascript). |
| 93 | + - [Triage findings through PR comments with repositories hosted by Azure DevOps and Bitbucket Cloud](/semgrep-code/triage-remediation#triage-findings-through-pr-and-mr-comments). |
| 94 | + |
| 95 | +### Changed |
| 96 | + |
| 97 | +- Major updates to the following documents and sections: |
| 98 | + - [Add support for a new language](/contributing/adding-a-language). |
| 99 | + - [Semgrep Registry](/semgrep-code/glossary#registry-semgrep-registry) and [Semgrep FAQ](/faq/overview). |
| 100 | + - [Semgrep Supply Chain Policies](/semgrep-supply-chain/policies). |
| 101 | +- Minor clarifications involving: |
| 102 | + - Network Broker usage. |
| 103 | + - Required scopes for Managed Scans of Azure DevOps repositories. |
| 104 | + - Semgrep's Jira integration. |
| 105 | + - Supported languages. |
| 106 | +- Reorganization of Semgrep Assistant documentation. |
| 107 | + |
| 108 | +## 🔧 OSS Engine |
| 109 | + |
| 110 | +* The following versions of the OSS Engine were released in February 2025: |
| 111 | + * [<i class="fas fa-external-link fa-xs"></i>v1.107.0](https://github.com/semgrep/semgrep/releases/tag/v1.107.0) |
| 112 | + * [<i class="fas fa-external-link fa-xs"></i>v1.108.0](https://github.com/semgrep/semgrep/releases/tag/v1.108.0) |
| 113 | + * [<i class="fas fa-external-link fa-xs"></i>v1.109.0](https://github.com/semgrep/semgrep/releases/tag/v1.109.0) |
| 114 | + * [<i class="fas fa-external-link fa-xs"></i>v1.110.0](https://github.com/semgrep/semgrep/releases/tag/v1.110.0) |
0 commit comments