semgrep

semgrep - Release full source with submodules

Published by aryx over 1 year ago

semgrep - v0.4.9

Published by brendongo over 4 years ago

Changed

Only print out number of configs and rules when running with verbose flag
Match let and const to var in javascript:
```
var $F = "hello"
```
will now match any of the following expressions:
```
var foo = "hello";
let bar = "hello";
const baz = "hello";
```

Added

Print out --dump-ast
Print out version with --version
Allow ... in arrays
```
[..., 1]
```
will now match
```
[3, 2, 1]
```
Support Metavariable match on keyword arguments in python:
```
foo(..., $K=$B, ...)
```
will now match
```
foo(1, 2, bar=baz, 3)
```

Support constant propogation in f-strings in python:

$M = "..."
...
$Q = f"...{$M}..."

will now match

foo = "bar"
baz = f"qux {foo}"

Constant propogation in javascript:

api("literal");

will now match with any of the following:

api("literal");
const LITERAL = "literal";
api(LITERAL);
const LIT = "lit";
api(LIT + "eral");
const LIT = "lit";
api(`${LIT}eral`);

Deep statement matching:
Elipsis operator (...) will also include going deeper in scope (i.e. if-else, try-catch, loop, etc.)
```
foo()
...
bar()
```
will now match
```
foo()
if baz():
    try:
        bar()
    except Exception:
        pass
```

Unified import resolution in python:

import foo.bar.baz

will now match any of the following statements:

import foo.bar.baz
import foo.bar.baz.qux
import foo.bar.baz as flob
import foo.bar.baz.qux as flob
from foo.bar import baz
from foo.bar.baz import qux
from foo.bar import baz as flob
from foo.bar.bax import qux as flob

Support for anonymous functions in javascript:

function() {
    ...
}

will now match

var bar = foo(
    //matches the following line
    function () { console.log("baz"); }
);

Support arrow function in javascript

(a) => { ... }

will now match:

foo( (a) => { console.log("foo"); });
foo( a => console.log("foo"));
// arrows are normalized in regular Lambda, so an arrow pattern
// will match also old-style anynonous function.
foo(function (a) { console.log("foo"); });

Python implicit string concatenation

$X = "..."

will now match

# python implicitly concatenates strings
foo = "bar"       "baz"              "qux"

Resolve alias in attributes and decorators in python

@foo.bar.baz
def $X(...):
    ...

will now match

from foo.bar import baz
@baz
def qux():
    print("hello")

Fixed

Handle misordered multiple object destructuring assignments in javascript:
```
var {foo, bar} = qux;
```
will now match
```
var {bar, baz, foo} = qux;
```

Defining properties/functions in different order:

var $F = {
    two: 2,
    one: 1
};

will now match both

var foo = {
  two: 2,
  one: 1
};
var bar = {
    one: 1,
    two: 2
};

Metavariables were not matching due to go parser adding empty statements in golang

semgrep - 0.4.8

Published by ievans over 4 years ago

Main features:

Constant propagation for some langauges. Golang example:

pattern: dangerous1("...") 
will match:

const Bar = "password"
func foo() {
     dangerous1(Bar);
}

Import matching equivalences

pattern: import foo.bar.a2
matches code: from foo.bar import a1, a2

Deep expression matching - see (#264)

pattern: bar();
matches code: print(bar())

Full changelog:

Add sgrep.live to readme
refactor sgrep py (#221)
cleanup imports, move config resolution to separate file (#222)
add extra paths to check and also don't break just print out a helpful warning message
improve parsing error for invalid types in valid yaml
Update sgrep_lint/evaluation.py
remove -r2c from ocaml sgrep core
- lib/generic_vs_generic.ml: collateral evolutions after the Name to Id vs IdQualified split in pfff/.../ast_generic.ml
Basic constant propagation for constants!
Add less_inheritance test for java, js, go (#237)
Add less_inheritance test for java, js, go
move tests to .TODO
change the shape of evaluate expression to take a single expression (#233)
use ellipsis in class body
build sgrep lint separately (#254)
Ie/bugfix evaluation (#257)
eagerly intersect ranges for ANDed children (fixes bugs with where-python)
move test.py into sgrep lint (#256)
Add ellipsis into java class/enum/interface body
Test examples showing name resolution for locals is now working for Go (#253)
Feature/generic import matching (#249)

With returntocorp/pfff#44, adds support for the following:

code: from foo.bar import a1, a2
pattern: import foo.bar.a2

We use the conversion to generic_ast to normalize code: from foo.bar import a1, a2 into:

from foo.bar import a1
from foo.bar import a2

add golang multivar test (#224)
Deep expression matching (#264)
make docker builds work (#265)
remove -r2c and update paths in pre-commit

semgrep - 0.4.7

Published by ievans over 4 years ago

Breaking change: Python is no longer the default language when using -e EXPR.
Other changes: colored output, better config search, improvements to Golang, Javascript, and Java support.

Changelog:

Add many new tests for ... in more places for Go, Js, and Java. (#170)
lib/generic_vs_generic.ml: CEs latest changes in pfff on AST generic (#181)
ignore hidden files not just hidden dirs
tests/go/dots_params.go: support!
tests/go/misc_import.go: test file for issue #185
tests/python/misc_dots_stmts.py: test files for issue #186
tests/go/equivalence_naming_import.go: test file! (#190)
search full path not just directories
add a command to fail on code parse errors (#194)
add a command to fail on code parse errors
add config=r2c-develop
highlight and color output matched range (#203)
colorama output
pattern-where-python (#198)
flags.dangerously_allow_arbitrary_code_execution_from_rules
remove python as default language for patterns (#204)
remove python as default
sgrep main change default to unset
make readme explicit about language python

semgrep - 0.4.6