January 2025 release notes (#1937)

Author: s-santillan

docs/index.md

@@ -119,17 +119,18 @@ See the [Supported languages](/supported-languages#semgrep-code-and-oss) documen
 </div>
 -->
 
-<h3>December 2024 release notes summary</h3>
+<h3>January 2025 release notes summary</h3>
 <!-- 5-7 bullets across the product suite -->
-- The Semgrep CLI tool requires a minimum version of **Python 3.9** as of Semgrep 1.100.0.
-- Semgrep OSS is now **Semgrep Community Edition (CE)**. Read the [Semgrep CE section](/release-notes/december-2024#-semgrep-community-edition-ce) for more details.
-- You can now export your findings in CSV format. Semgrep can export up to 10,000 most recent findings. For findings greater than 10,000, use the [<i class="fas fa-external-link fa-xs"></i> API](https://semgrep.dev/api/v1/docs/). See [Export findings](/semgrep-code/findings#export-findings) for more information.
-- Added new **Pro rules**:
-  - 4 new rules for **Express.js** that cover SQL injection, object injection, and misconfiguration vulnerabilities.
-  - 13 new rules for **NestJS** framework vulnerabilities that cover code injection, SQL injection, path traversal, log injection, XML external entity, and cross site scripting.
-- **Dependency Path**, which displays how transitive dependencies are imported into your code, is now in public beta for Java Gradle and Maven package managers.
-  - Dependency Path for Kotlin is in private beta.
-  - To join this beta, contact [<i class="fa-regular fa-envelope"></i> [email protected]](mailto:[email protected]).
-- Semgrep can now scan your Java Gradle and Maven codebases without the need for a lockfile. This feature is in public beta for Java and private beta for Kotlin Gradle and Maven. See also [Scan a project without lockfiles](/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta).
+- The [Policy Management API](https://semgrep.dev/api/v1/docs/#tag/PoliciesService) is now generally available. The Policy Management API allows you to automate tasks such as:
+  - Add, update, and disable rules across multiple policies.
+  - Apply rules in different modes, such as monitor, comment, block, or disable, to align with security workflows.
+  - Integrate policy management into CI/CD pipelines to ensure consistent enforcement during software development.
+- [Semgrep Managed Scans](/deployment/managed-scanning/azure) for repositories hosted by **Azure DevOps** is now in public beta.
+- [Dependency Paths](/semgrep-supply-chain/dependency-search#view-the-dependency-path) are now available for the following languages and package managers:
+  - **JavaScript**: all package managers are supported by Semgrep.
+  - **Python**: Only Poetry is supported.
+- Semgrep now ingests CVE information from [<i class="fas fa-external-link fa-xs"></i> Electron release notes](https://releases.electronjs.org/releases/stable). This information is used to generate rules that can detect if you're affected by CVEs from this source.
+- [Noise filtering](/semgrep-assistant/overview#noise-filtering-beta) is now in public beta. With Noise Filtering, Assistant evaluates each Semgrep Code finding to determine if it's a true positive using additional context and prevents a PR comment from being posted in the developer workflow if it's not.
+- [Auto-triage Memories](/semgrep-assistant/getting-started#add-memory-during-triage) is now in public beta. With this feature, you can identify findings that are safe to ignore and write triage notes indicating why this is so. Assistant then stores this information as a memory and uses it to assess whether similar findings are shown to developers in the future. Assistant also takes that memory, reanalyzes similar findings in your backlog, and suggests issues that may be safe to close.
 
 [See the latest release notes <i class="fa-solid fa-arrow-right"></i>](/release-notes/latest)

docs/release-notes/january-2025.md

@@ -0,0 +1,130 @@
+---
+slug: january-2025
+title: January 2025
+hide_title: true
+description: >-
+ Release notes include the changes, fixes, and additions in specific versions of Semgrep.
+tags:
+ - Release notes
+---
+
+# Semgrep release notes for January 2025
+
+## 🌐 Semgrep AppSec Platform
+
+- The **Policy Management API** is now generally available. The Policy Management API allows you to automate tasks such as:
+  - Add, update, and disable rules across multiple policies.
+  - Apply rules in different modes, such as monitor, comment, block, or disable, to align with security workflows.
+  - Integrate policy management into CI/CD pipelines to ensure consistent enforcement during software development.
+- **Semgrep Managed Scans:**
+  - Managed scans for repositories hosted by **Azure DevOps** is now in public beta.
+  - GitHub users can turn on or off full scans and diff-aware scans for individual projects scanned by Semgrep Managed Scans.
+- **Jira:** added the ability to map the **Team** information back to Semgrep.  
+- Org admins can now invite new users to Semgrep by email. Invited users receive an email with instructions on how to join the organization's Semgrep account.
+- Added pagination to the **Settings > Access > Members** page, as well as the ability to search for members.
+
+## Changed
+
+- The **search bar** in the **Projects** page now loads faster.  <!-- 18697 -->
+- Links to the **Project Settings** and **Scans** pages now use project IDs instead of project names. Existing links using project names continue to function normally.
+
+## Fixed
+
+- Fixed an issue where commands not prefixed with `/semgrep` or `/` weren't correctly handled.
+- Fixed an issue where reports generated by Semgrep AppSec Platform weren't correctly displaying the age of findings.
+- Fixed an issue where the first page of Bitbucket Data Center repositories wasn't displayed.
+- Fixed the formatting of Bitbucket Cloud PR comments.
+
+## 💻 Semgrep Code
+
+### Added
+
+- Added support for lambdas (anonymous functions) as callbacks. This is supported for all languages that have lambdas.
+  ```javascript
+    var tainted = source();
+
+    function withCallback1(val, callback) {
+        if (val) {
+            callback(val);
+      }
+    }
+
+    withCallback1(tainted, function (val) {
+        sink(val); // finding !
+    });
+  ```
+
+### Changed
+
+- Removed **pip** from the Semgrep Docker image. If necessary, you can install it by running `apk add py3-pip`.
+
+### Fixed
+
+- The `semgrep test` and `semgrep validate` commands have been correctly documented as **EXPERIMENTAL** in `semgrep --help`.
+  - Those commands are not GA. It is recommended to use the `semgrep scan --test` and `semgrep scan --validate`.
+- Improve error handling for capabilities ancillary to a scan, such as looking for `nosemgrep` comments and rendering autofixes, to reduce the likelihood of an unexpected error in such a component causing the scan to error.
+- Fix the behavior of Semgrep when running into broken symlinks. If such a path is passed explicitly as a scanning root on the command line, it results in an error. Otherwise, if it's a file discovered while scanning the file system, it's a warning.
+- Fixed an issue with crashes due to an exception in `lines_of_file`. The code should now be more robust and not stop the whole scan when an out-of-bound line access happens during `nosemgrep` analysis or when displaying the lines of a match.
+
+## ⛓️ Semgrep Supply Chain
+
+### Added
+
+<!-- Dependency graphs? -->
+- [Dependency Paths](/semgrep-supply-chain/dependency-search#view-the-dependency-path) are now available for the following languages and package managers:
+  - **JavaScript**: all package managers are supported by Semgrep.
+  - **Python**: Only Poetry is supported.
+- **C#**: Semgrep can now scan NuGet codebases without the need for a lockfile. This feature is in **private beta**. See also [Scan a project without lockfiles](/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). Reach out to [<i class="fa-regular fa-envelope"></i> [email protected]](mailto:[email protected]) to join the beta program.
+- Semgrep now ingests CVE information from [<i class="fas fa-external-link fa-xs"></i> Electron release notes](https://releases.electronjs.org/releases/stable). This information is used to generate rules that can detect if you're affected by CVEs from this source.
+
+### Changed
+
+- Semgrep Supply Chain [Policies](/semgrep-supply-chain/policies) are now in public beta. Creating a policy enables you to:
+  - Customize when Semgrep sends a finding as a PR or MR comment or fails the CI job.
+  - Customize the projects and conditions that send a comment or fail a CI job.
+
+### Fixed
+
+- Fixed bug where Supply Chain diff-aware scans of `package-lock.json` v2 projects incorrectly produced non-new findings.
+
+## 🤖 Semgrep Assistant 
+
+### Added
+
+- **Noise filtering** is now in public beta. With Noise Filtering, Assistant evaluates each Semgrep Code finding to determine if it's a true positive using additional context and prevents a PR comment from being posted in the developer workflow if it's not.
+- **Auto-triage Memories** is now in public beta. With this feature, you can identify findings that are safe to ignore and write triage notes indicating why this is so. Assistant then stores this information as a memory and uses it to assess whether similar findings are shown to developers in the future. Assistant also takes that memory, reanalyzes similar findings in your backlog, and suggests issues that may be safe to close.
+
+## 📝 Documentation and knowledge base
+
+### Added 
+- Added the following new documents, articles, and sections:
+  - Set up [Semgrep Managed Scans with Azure DevOps](/deployment/managed-scanning/azure).
+  - [Semgrep for developers](/for-developers/overview), a new series of documents that aims to:
+    - Help AppSec engineers educate developers about Semgrep and secure coding.
+    - Inform developers of how to resolve Semgrep findings in various environments, such as their pull requests or merge requests.
+  - [Semgrep Assistant metrics](/semgrep-assistant/metrics), which explains how Assistant's metrics and benchmarks are analyzed.
+  - [SAML single-sign on with Google Workspace](/kb/semgrep-appsec-platform/saml-google-workspace).
+  - [Reference for Semgrepignore v2](/semgrepignore-v2-reference).
+  - [Customize semgrep in `pre-commit`](/kb/integrations/customize-semgrep-precommit).
+- Minor additions and updates:
+  - Added instructions to remove projects scanned with Semgrep Managed Scans.
+- Major updates have been made to the following documentation:
+  - [Supported languages](/supported-languages) now provides a summary table for both Code and Supply Chain features for each language.
+- Thanks to [savq](https://github.com/savq) for their improvements to Semgrep's contributing documentation.
+
+### Changed
+
+- Clarified language around manifest files and lockfiles.
+- Updated Semgrep rules licensing documentation.
+
+### Removed
+
+- Removed references to the asdf-semgrep plugin.
+
+## 🔧 Semgrep Community Edition (CE)
+
+* The following versions of Semgrep CE were released in January 2025:
+
+  - [<i class="fas fa-external-link fa-xs"></i> 1.102.0](https://github.com/semgrep/semgrep/releases/tag/v1.102.0) 
+  - [<i class="fas fa-external-link fa-xs"></i> 1.103.0](https://github.com/semgrep/semgrep/releases/tag/v1.103.0)
+  - [<i class="fas fa-external-link fa-xs"></i> 1.104.0](https://github.com/semgrep/semgrep/releases/tag/v1.104.0)