Skip to content

Release v1.59.0
Compare
Choose a tag to compare
@semgrep-ci semgrep-ci released this 30 Jan 12:47
· 106 commits to main since this release
v1.59.0
32488fd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

1.59.0 - 2024-01-30

Added

  • Swift: Now supports typed metavariables, such as ($X : ty). (pa-3370)

Changed

  • Add Elixir to Pro languages list in help information. (gh-9609)

  • Removed sg alias to avoid naming conflicts
    with the shadow-utils sg command for Linux systems. (gh-9642)

  • Prevent unnecessary computation when running scans without verbose logging enabled (gh-9661)

  • Deprecated option taint_match_on introduced in 1.51.0, it is being renamed
    to taint_focus_on. Note that taint_match_on was experimental, and
    taint_focus_on is experimental too. Option taint_match_on will continue
    to work but it will be completely removed at some point after 1.63.0. (pa-3272)

  • Added information on product-related flags to help output, especially for Semgrep Secrets. (pa-3383)

  • taint-mode: Improve inference of best matches for exact-sources, exact-sanitizers,
    and sinks. Now we also avoid FPs in cases such as:

    dangerouslySetInnerHTML = {
  // ok:
  {__html: props ? DOMPurify.sanitize(props.text) : ''} // no more FPs!
}

    where props is tainted and the sink specification is:

    patterns:
  - pattern: |
     dangerouslySetInnerHTML={{__html: $X}}
  - focus-metavariable: $X

    Previously Semgrep wrongly considered the individual subexpressions of the
    conditional as sinks, including the props in props ? ..., thus producing a
    false positive. Now it will only consider the conditional expression as a whole
    as the sink. (rules-6457)

  • Removed an internal legacy syntax for secrets rules (mode: semgrep_internal_postprocessor). (scrt-320)

Fixed

  • Autofix: Fixes that span multiple lines will now try to align
    inserted fixed lines with each other. (gh-3070)

  • Matching: Try blocks with catch clauses can now match try blocks that have
    extraneous catch clauses, as long as it matches a subset. For instance,
    the pattern

    try:
  ...
catch A:
  ...

    can now match

    try:
  ...
catch A:
  ...
catch B:
  ...
``` (gh-3362)

  • Previously, some people got the error:

    Encountered error when running rules: Other syntax error at line NO FILE INFO YET:-1:
Invalid_argument: String.sub / Bytes.sub

    Semgrep should now report this error properly with a file name and line number and
    handle it gracefully. (gh-9628)

  • Fixed Dockerfile parsing bug where multiline comments were parsed incorrectly. (gh-9628-2)

  • The language server will now properly respect findings that have been ignored via the app (lsp-fingerprints)

  • taint-mode: Pro: Semgrep will now propagate taint via instance variables when
    calling methods within the same class, making this example work:

    class Test {

  private String str;

  public setStr() {
    this.str = "tainted";
  }

  public useStr() {
    //ruleid: test
    sink(this.str);
  }

  public test() {
    setStr();
    useStr();
  }

}
``` (pa-3372)

  • taint-mode: Pro: Taint traces will now reflect when taint is propagated via
    class fields, such as in this example:

    class Test {

  private String str;

  public setStr() {
    this.str = "tainted";
  }

  public useStr() {
    //ruleid: test
    sink(this.str);
  }

  public test() {
    setStr();
    useStr();
  }

}

    Previously Semgrep will report that taint originated at this.str = "tainted",
    but it would not tell you how the control flow got there. Now the taint trace
    will indicate that we get there by calling setStr() inside test(). (pa-3373)

  • Addressed an issue related to matching top-level identifiers with meta-variable
    qualified patterns in C++, such as matching ::foo with ::$A::$B. This problem
    was specific to Pro Engine-enabled scans. (pa-3375)

Assets 3
Loading