October 2022
Semgrep Supply Chain
Semgrep, Inc now offers a new product: Semgrep Supply Chain. Semgrep Supply Chain is a high-signal dependency scanner that detects reachable vulnerabilities in open source, third-party libraries in your code. Learn more about Semgrep Supply Chain.
Semgrep App
Additions
-
New demo project allows you to try out Semgrep App workflows. If your organization in Semgrep App does not have any projects assigned in the Projects page, you can add the new demo project by clicking Explore a demo project.
-
You can now triage through PR comments, for more information see Ignoring findings through comments documentation.
-
Semgrep Playground now displays its version number. To see the exact version that Semgrep Playground uses, click the three-dot button, and then see the version number after the icon.
Changes
- Previously, when you removed a rule you had to rescan the code to remove findings associated with the rule. With this change, findings made by the removed rule are now automatically removed without rescanning. If you add a removed rule back, then you need to rescan your code to get the findings from the previously removed rule again. For more information, see Triaging findings.
- New Findings page styling. See Managing findings in Semgrep App documentation for additional information.
- Semgrep App experience is generally improved due to a significant number of fixed bugs.
Semgrep CLI
These release notes include upgrades for versions ranging between 0.116.0 and 0.118.0.
Additions
Taint mode
- Taint mode now tracks taint coming from the default values of function parameters. For example, given
def test(url = "http://example.com"):
, if"http://example.com"
is a taint source (as a consequence of not using TLS protocol), thenurl
is marked as tainted. (Issue #6298) - Two new rule options that help to minimize false positives:
- The
taint_assume_safe_indexes
, which makes Semgrep assume that an array-access expression is safe even if the index expression is tainted. Otherwise Semgrep assumes that for example:a[i]
is tainted ifi
is tainted, even ifa
is not. Enabling this option is recommended for high-signal rules, whereas disabling is preferred for audit rules. Currently, it is disabled by default to attain backwards compatibility, but this can change in the near future after some evaluation. To enable this option, include thetaint_assume_safe_indexes: true
under theoptions
key. For more information, see Rule syntax documentation. (PR #6327) - The
taint_assume_safe_functions
, makes Semgrep assume that function calls do not propagate taint from their arguments to their output. Otherwise, Semgrep always assumes that functions may propagate taint. This is intended to replace not-conflicting sanitizers (added in v0.69.0, for more information, see Minimizing false positives via sanitizers) in the future. This option is still experimental and needs to be complemented by other changes in future releases. To enable this option, include thetaint_assume_safe_functions: true
under theoptions
key. For more information, see Rule syntax documentation. (PR #6327)
- The
- It is now possible to use
pattern-propagators
to propagate taint through higher-order iterators such asforEach
in Java. For example:(Issue #5971)pattern-propagators:
- pattern: $X.forEach(($Y) -> ...)
from: $X
to: $Y - The following update is only relevant for users of DeepSemgrep: Added support for named arguments in taint mode.
Changes
- Disabled Bloom filter optimization by default, due to undesired interactions with constant and symbolic propagation, while it appears to not provide a net major performance benefit. If you do notice a significant drop in performance after this change, please let us know.
Taint mode
- Removed basic experimental support for wrapper functions around taint sources. This was an early experiment to make Semgrep inter-procedural, but it was abandoned in favor of DeepSemgrep.
Previously, if Semgrep found a definition such as
wrapper() { return taint_source; }
, it recognized thatwrapper
was propagating taint fromtaint_source
. If the code included something assink(wrapper())
, Semgrep flagged it. However, for Semgrep to match such code, awrapper
had to be defined earlier in the source file before its use. DeepSemgrep is able to handle this case and many more. If you relied on this feature, it can generally be worked around using for example:pattern-sources:
- patterns:
- pattern-inside: |
$FUNC(...) {
...
return tainted_source;
}
...
- pattern: $FUNC(...)
Semgrep in CI
Changes
-
Previously, Semgrep overrode user-defined environment variables with values it detected from the CI provider. Now, user-defined environment variables take precedence (override) Semgrep's detected values. By enabling you to override CI variables, you are able to troubleshoot issues such as hyperlinks to code in the Findings page and receiving comments in pull or merge requests.
- This change affects the following CI providers:
- Azure Pipelines
- BitBucket Pipelines
- Jenkins
- Travis CI
- This change affects the following variables:
SEMGREP_REPO_NAME
SEMGREP_REPO_URL
SEMGREP_BRANCH
SEMGREP_JOB_URL
SEMGREP_COMMIT
SEMGREP_PR_ID
- This change affects the following CI providers:
-
The
--scan-unknown-extensions
option is now set to false by default. This means that from now on--skip-unknown-extensions
is the default. This is an important change that prevents many errors when using Semgrep in a pre-commit context or in CI.
Documentation updates
Additions
Semgrep Supply Chain
The following guides are now available for Semgrep Supply Chain:
- Scanning open source dependencies - Walks the user through setting up Semgrep Supply Chain scans and how Semgrep performs reachability analysis.
- Triaging and remediating dependency findings - Provides workflows for triaging dependency findings.
- Ignoring lockfiles and dependencies - Provides commands to fine-tune what files should not be scanned.
The following references are available for Semgrep Supply Chain:
- Supported languages - All languages supported by Semgrep Supply Chain and their maturity levels.
- Glossary - A list of terms related to software composition analysis and how Semgrep Supply Chain relates to those terms
Semgrep App
- Ignoring findings through comments section documents how to triage findings through GitHub comments.
Semgrep CLI
- New section Connecting to Semgrep Registry through a proxy.
Changes
- CI configuration reference now includes all environment variables for CI, their uses, and how to set them.
- Getting started with Semgrep App now includes information about the last 10 supported versions of the Semgrep CLI.
- Running Semgrep in continuous integration (CI) with Semgrep App now includes a new video Scanning code with Semgrep using GitHub Actions.
- Updated a document and section that provides information on how to add multiple focus metavariables in:
- Removing rules from a rule board now removes all associated findings. This change is reflected in the following documents:
- Adjustments to the structure of the documentation in our left sidebar. Many iterative changes, improvements, and fixes to improve your docs reading experience.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.