semgrep

1.28.0 - 2023-06-21

Added

• Added lone decorators as a valid Python semgrep pattern, so for example $NAME($X) will
  generate two seperate findings here:

  @hello("world")
  @hi("semgrep!")
  def shift():
    return "left!"
  ``` (gh-4722)
  

• Add tags to the python wheel for 3.10 and 3.11 (gh-8040)

• JS/TS: Patterns for class properties can now have the static
  and async modifiers.

  For instance:

  @Foo(...)
  async bar(...) {
    ...
  }
  

  or

  @Foo(...)
  static bar(...) {
    ...
  }
  ``` (pa-2675)
  

• Semgrep Language Server now supports multi-folder workspaces (pa-2772)

• New pre-commit hook semgrep-ci to use CI rules in pre-commit, which will pull from the rule board + block those in the block column (pa-2795)

• Added support for date comparison and functionality to get current date.
  Currently this requires date strings to be in the format "yyyy-mm-dd" next step is to support other formats. (pa-7992)

Changed

• The output of --debug will be much less verbose by default, it will only show
  internal warning and error messages. (debug-1)
• Updated the maximum number of cores autodetected to 16 to prevent overloading on large machines when users do not specify number of jobs themselves (pa-2807)

Fixed

• taint analysis: Improve handling of dataflow for tainted value propagation in class field definitions

  This change resolves an issue where dataflow was not correctly accounted for
  when tainted values flowed through field definitions in class/object
  definitions. For instance, in Kotlin or Scala, singleton objects are commonly
  used to encapsulate executable logic, where each field definition behaves like
  a statement during object initialization. In order to handle this scenario, we
  have introduced an additional step to analyze a sequence of field definitions
  as a sequence of statements for taint analysis. This enhancement allows us to
  accurately track tainted values during object initialization. (gh-7742)

• Allow any characters in file paths used to create dotted rule IDs. File path
  characters that aren't allowed in rule IDs are simply removed. For example, a
  rule whose ID is my-rule found in the file hello/@world/rules.yaml
  becomes hello.world.my-rule. (gh-8057)

• Diff aware scans now work when git state isn't clean (pa-2795)

1.27.0 - 2023-06-13

Added

• PHP: Added composer ecosystem parser (gh-7734)
• Pro: taint-mode: Java: Semgrep can now relate Java properties and their corresponding
  getters/setters even when these are autogenerated (so the actual getters/setters are
  not declared in the sources). (pa-2833)

Fixed

• semgrep-core now validates rule IDs. This should not affect users since rule
  ID validation is done by the Python wrapper. (gh-8026)

1.26.0 - 2023-06-09

Added

• In Java, Semgrep can now track taint through more getters and setters. It could already relate setters to getters (e.g. o.setX(taint); o.getX() but now it can relate setters and getters to properties (e.g. o.setX(taint); o.x). (getters)
• taint-mode: Added experimental options taint_assume_safe_booleans and
  taint_assume_safe_numbers to avoid propagating taint coming from expressions
  with Boolean or number (integer, float) types. (pa-2777)

Fixed

• swift: Support if let shorthand for shadowing an existing optional variable. (gh-7583)
• Elixir: fix the string extraction used for -filter_irrelevant_rules (gh-7855)
• Fixed comparison of taint information that was causing duplicate taints to be tracked.
  Interfile analysis on large repos will see a small speedup. (misc-1)
• taint-mode: Fixed performance regression in 1.24.0 that affected taint rules. (pa-2777-1)
• Fix a recent regression that caused failures to match in certain cases that combined metavariable-regex and typed metavariables which themselves contain metavariables (e.g. in Go ($X: $T) with a metavariable-regex operating on $T). (pa-2822)
• Gomod comments: fix parsing comments that end in ')' (sc-716)

1.25.0 - 2023-06-06

Added

• aliengrep: new option 'generic_caseless' to achieve case-insensitive matching (gh-7883)
• Semgrep now includes heuristics based on the Java standard library and common naming patterns. These allow Semgrep to determine the types of more expressions in Java, for use with typed metavariables (https://semgrep.dev/docs/writing-rules/pattern-syntax/#typed-metavariables). (heuristics)
• Language server now supports search (and replace) with semgrep patterns through semgrep/search (ls-search)
• Language Server will now notify users of errors, and reason for crash (pa-2791)

Fixed

• Pro (taint analysis): Check function calls without parameters or parenthesis in Ruby (gh-7787)
• Aliengrep: ellipsis patterns that would be useless because of being placed
  at the extremity of a pattern (always) or a line (in single-mode) are now
  anchored to the beginning/end of input/line. For example, ... in multiline
  mode matches the whole input rather than matching nothing many times. (gh-7881)
• Fixed bug in constant propagation that made Semgrep fail to compute the value of
  an integer constant when this was obtained via the multiplication of two other
  constants. (gh-7893)
• Fix regexps potentially vulnerable to ReDoS attacks in Python code for parsing
  git URLs. Sets maximum length of git URLs to 1024 characters since parsing is
  still perceptibly slow on 5000-byte input. Reported by Sebastian Chnelik,
  PyUp.io. (gh-7943)

1.24.1 - 2023-06-01

Fixed

• Yarn v1: fix parsing for package headers without version constraints (sc-749)

1.24.0 - 2023-05-31

Added

• New experimental aliengrep engine that can be used as an alternative to the
  default spacegrep engine with options.generic_engine: aliengrep. (aliengrep)

• Pro: Taint labels now mostly work interprocedurally, except for labeled propagators.
  Note that taint labels are experimental! (pa-2507)

• Pro: Taint-mode now supports inter-procedural field-sensitivity for JS/TS.

  For example, given this class:

  class Obj {
    constructor(x, y) {
      this.x = x;
      this.y = y;
    }
  }
  

  Semgrep knows that an object constructed by new Obj("tainted", "safe") has its
  x attribute tainted, whereas its y attribute is safe. (pa-2570)

Changed

• Set limits to the amount of taint that is tracked by Semgrep to prevent perf
  issues. (pa-2570)

Fixed

• Allow symbolic propagation for rvals in lhs of assignments. (gh-6780)
• XML: you can now use metavariable-comparison on XML attributes or XML text body (gh-7709)
• Java: support for record patterns (gh-7911)
• C#: support ellipsis in enum declarations (gh-7914)
• Fixed a recent regression which caused typed metavariables to fail to match when
  the type itself also contained a metavariable, and the target was a builtin
  type. For example, the pattern (List<$T> $X) would fail to match a value of
  type List<String>. (typed-mvar)

1.23.0 - 2023-05-24

Added

• On scan complete during logged in semgrep ci scans, check returned exit code to
  see if should block scans. This is to support incoming features that requires
  information from semgrep.dev (complete)

• Extract mode: users can now choose to include or exclude rules to run on, similar to paths:. For example,
  to only run on the rules example-1 and example-2, you would write

  rules:
     - id: test-rule
       mode: extract
       rules:
          include:
          - example-1
          - example-2
  

  To run on everything except example-1 and example-2, you would write

  rules:
     - id: test-rule
       mode: extract
       rules:
          exclude:
          - example-1
          - example-2
  ``` (gh-7858)
  

• Kotlin: Added literal metavariables, from patterns like "$FOO".
  You can still match strings that only contain a single interpolated
  ident by using the brace notation, e.g. "${FOO}". (pa-2755)

• Increase timeout of semgrep ci upload findings network calls
  and make said timeout configurable with env var SEMGREP_UPLOAD_FINDINGS_TIMEOUT (timeout)

Changed

• Relaxed restrictions on symbolic propagation so that symbolic values survive
  branching statements. Now (with symbolic-propagation enabled) foo(bar()) will
  match match the following code:

  def test():
    x = bar()
    if cond:
      exit()
    foo(x)
  

  Previously any symbolically propagated value was lost after any kind of branching
  statement. (pa-2739)

Fixed

• swift: support ellipsis metavariable (gh-7666)
• Scala: You can now put an ellipsis inside of a catch, to
  write a pattern like:
  try {
  ...
  } catch {
  ...
  }
  which will match every kind of try-catch. (gh-7807)
• When scanning with -l dockerfile, files named dockerfile as well as Dockerfile will be scanned. (gh-7824)
• Fix for very long runtimes that could happen due to one of our optimizations. We now detect when that might
  happen and skip the optimization. (gh-7839)
• Improve type inference for some simple arithmetic expressions (inference)
• Fixed bug introduced in 1.19.0 that was causing some stack overflows. (pa-2740)

1.22.0 - 2023-05-15

Added

• Add support for language Cairo 1.0 (develop). Thanks to Frostweeds (Romain Jufer) for his contribution! (gh-7757)
• On logged in semgrep ci scans, report lockfile parse errors to display in webUI (lockfileparse)
• Pro: Java: Taint-mode can now do field-sensitive analysis of class constructors.
  For example, if the default constructor of a class C sets its field x to a
  tainted value, given o = new C(), Semgrep will know that o.getX() is tainted. (pa-2570)
• Kotlin: Added named ellipses, like $...X (pa-2710)
• Kotlin: Interpolated identifiers in strings, such as "$foo", are now properly
  able to match explicitly interpolated expressions, like "${...}". (pa-2711)

Changed

• Cleanup: Removed Bloom filter optimization. This optimization had been turned off by
  default since September 2022 (release 0.116.0) without any noticeable effect. It had
  its role in the past when it was first introduced, but now it's time for it to go! (cleanup-1)
• engine: The use of a matching cache for statements is now disabled by default,
  please let us know if you notice any performance degradation. We plan to remove
  this optimization in a few weeks. (cleanup-2)

Fixed

• Enable automatic removal of matched codes by allowing an empty string in the fix field. (gh-6318)
• Updated SARIF to use nested levels, added confidence to tags and included references with markdown links. (gh-7317)
• taint-mode: Fixed bug in taint labels that was causing some fatal errors:

  Failure "Call AST_utils.with_xxx_equal to avoid this error." (gh-7694)

1.21.0 - 2023-05-04

Added

• Scala: Most Scala 3 features can now be parsed (pa-2748)

Fixed

• Fixed an issue where parentheses were incorrectly removed when autofixing JS/TS code. (gh-6233)
• Fixed issue where the semgrep language server would crash with "No such file or directory: 'semgrep-core'" (pa-2745)

1.20.0 - 2023-04-28

Added

• Pro: Taint: Added support for simple cases of interprocedural taint labels (pa-2708)
• Language Server has been moved to OCaml core, with major speed improvements (pa-lsp)

Changed

• Pro: semgrep --pro still requires a single target, but this target no longer
  needs to be a directory, it can be an individual file too. (misc-1)
• Partially analyzed files are no longer reported as skipped by --verbose. And if we
  lack info about what lines have been skipped we no longer report that all lines have
  been skipped. That was not accurate. For example, an error while evaluating a
  metavariable-pattern operator in one rule may cause a finding to be missed, and
  the file being reported as partially analyzed. However, that error did not affect
  any other rules, and even the affected rule may be able to produce some findings. (pa-2683)

Fixed

• CLI: Fixed a bug where Git projects with URLs with subgroups would not parse correctly,
  and produce non-clickable links in Semgrep App. These are such as:
  https://gitlab.com/example/group2/group3/test-case.git (pa-2669)
• Taint: Fixed a bug where the new labeled propagators would sometimes not behave properly (pa-2682)
• Swift: Made it so that taint correctly propagates into
  the bodies of lambdas (pa-2718)
• Pro Engine: Fixed a bug where dataflow analysis would sometimes
  loop when analyzing interprocedural get<name> methods in a
  loop. (pro-56)
• The scan progress bar no longer gets stuck displaying 0% (zero-progress)

1.19.0 - 2023-04-21

Added

• Java: Private static variables that are defined just once in a static block,
  even if they are not declared final, will be considered as final by
  constant-propagation. (pa-2228)

• Scala: Can now parse indented matches, like:

  e match
  case foo => "foo"
  case bar => "bar" (pa-2687)

• Scala: Can now parse arguments with using, as well as splatted arguments.

  E.g. foo(using bar) and foo(1, 2, bar*) (pa-2688)

• Scala: Added parsing of enum constructs. (pa-2691)

• Scala: Can now parse given definitions (pa-2692)

• Scala: Can now parse exports (pa-2693)

• Scala: Can now parse top-level definitions (as added in Scala 3) (pa-2694)

• Scala: Can now parse indented for expression, such as

  for
  _ <- 5
  yield
  ... (pa-2695)

• The title of Supply Chain findings will now consist of the package name and CVE,
  instead of just the rule's UUID. (sc-580)

Changed

• The different lists of skipped files output by Semgrep when given --verbose will
  now be sorted, to make it easier to diff the outputs of two runs. (pa-2700)

Fixed

• CLI: Setting Semgrep-specific environment variables for metadata (like
  SEMGREP_REPO_NAME, SEMGREP_REPO_URL, SEMGREP_PR_ID, and friends) now
  properly works on GitHub and GitLab CI scans.

  If not set, functionality is same as before. (pa-2644)

• CLI: Fixed a bug where repositories with a dot in the name would cause
  semgrep ci scans to crash (pa-2655)

1.18.0 - 2023-04-14

Added

• Metavariable comparison: Added support for **, the exponentiation operator. (gh-7474)

• Pro: Java: Semgrep is now able to track the propagation of taint from the
  arguments of a method, to the object being called. So e.g. given a method

  public void foo(int x) {
      this.x = x;
  }
  

  and a call o.foo(tainted), Semgrep will be able to track that the field
  x of o has been tainted. (pa-2570)

• Kotlin: Class fields will now receive the correct types, and be
  found by typed metavariables correctly

  This applies to examples such as:
  class Foo {
  var x : int
  }
  for the variable x (pa-2684)

• Supply Chain support for package-lock.json version 3 (sc-586)

Fixed

• metavariable-pattern: When used with the nested language key, if there was an
  error parsing the metavariable's content, that error could abort the analysis
  of the current file. If there were other rules that were going to produce findings
  on that file, those findings were not being reported. (gh-7271)

• Matching: Fixed a bug where explicit casts of expressions would produce two matches to
  other explicit casts.

  So for instance, a pattern (int $X) in Java would match twice to (int) 5. (gh-7403)

• taint-mode: Given x = tainted, then x.a = safe, then x.a.b = tainted, Semgrep
  did not report sink(x.a.b). Because x.a was clean, that made Semgrep disregard
  the tainting of any field of x.a such as x.a.b. This now works as expected. (pa-2486)

• When using metavariable-pattern to match embedded PHP code, Semgrep was
  unconditionally adding the <?php opening to the embedded code. When
  <?php was already present, this caused parsing errors. (pa-2696)

• Lockfile-only supply chain findings correctly include line numbers in their match data, improving the appearence of CLI output (sc-658)

• Increase timeout for semgrep install-semgrep-pro to avoid failures when the download is slow. (timeout)

• Fixed the range reported by findings for YAML files that include an anchor, so that the match does not include the original location of the snippet bound to the anchor. (yaml-alias)

1.17.1 - 2023-04-05

Fixed

• Fix an issue that could lead to a crash when printing findings that contain snippets that look like markup to the Rich Python library (rich-markup-crash)

1.17.0 - 2023-04-04

Added

• Scala: Added proper parsing for Scala 3 style imports (pa-2678)

Changed

• taint-mode: Added option taint_assume_safe_comparisons, disabled by default, that
  prevents comparison operators to propagate taint, so e.g. tainted != "something"
  will not be considered tainted. Note that this a syntactic check, if the operator
  is overloaded to perform a different operation this will not be detected. (pa-2645)

Fixed

• Fixed an issue where incorrect ranges for expressions containing parentheses could lead Semgrep to generate invalid autofixes in Python. (gh-2902)
• In rare cases, Semgrep could generate invalid autofixes where Python keyword arguments were placed before positional arguments. When using AST-based autofix, it no longer makes that error. (keywordarg-autofix)

1.16.0 - 2023-03-30

Added

• Kotlin: Added support for typed metavariables. You can write a pattern like:
  ($X : String)
  to find all instances of expressions with type String. (pa-2648)
• Scala: Semgrep can now parse programs that contain quoted expressions, context
  parameter clauses using using, and soft modifiers like inline and open. (pa-2672)
• Scala: Can now parse programs containing matches on types, such as:
  type t = K match {
  case Int => String
  } (pa-2673)
• Parsing rules can take multiple seconds at the start of a scan.
  When running in an interactive terminal with more than 500 rules,
  Semgrep will show a progress bar for this step. (rule-progress)

Changed

• Supply Chain scans will now understand maven_dep_tree.txt files
  that are made of multiple smaller maven_dep_tree.txt files concatenated with cat. (maven-dep-forest)
• Findings of a scan are now printed with section headers per group for the following categories:
  Code Blocking, Code Non-blocking, Supply Chain Reachable, Supply Chain Unreachable findings. (results-headings)
• Switched to using go.mod files to read go dependencies for Semgrep Supply Chain, instead of go.sum files (sc-gomod)

Fixed

• Clojure: parse 'foo/bar' as two separate tokens, so one can use
  metavariable in it and get '$X/bar' to match 'foo/bar' (gh-7311)
• HTML/XML: support attribute as pattern (e.g., foo="true") (gh-7344)
• Improved significantly the time to parse big rulesets such as p/default
  from 20s to a few seconds by parsing patterns lazily and by
  not using /tmp to parse those patterns. (pa-2597)
• Pipfiles with a line comment or inline comment will now parse correctly. (sc-664)

1.15.0 - 2023-03-15

Added

• On full sca scans with dep search feature on, send dependency data for dep search (depsearch)

• metavariable-comparison: Added support for bitwise operators ~, &, | and ^. (gh-7284)

• Taint: pattern-propagators now have optional fields requires and label,
  which are used identically to their counterparts in pattern-sources and pattern-sinks, for the experimental taint labels feature.

  For instance, we can define:

  pattern-propagators:
    - pattern: |
        $TO.foo($FROM)
      from: $FROM
      to: $TO
      requires: A
      replace-labels: [A, C]
      label: B
  

  to denote a propagator which only propagates from $FROM to $TO if $FROM has
  taint label A. In addition, it converts any taints from $TO with labels
  A or C to have label B.

  If label is not specified, the to is tainted with the same label of taint
  that $FROM has. If requires is not specified, it does not require $FROM to
  have a particular label of taint.

  Additionally, replace-labels only restricts the label being propagated if
  the output label is specified. (pa-1633)

• taint-mode: Java: Support for basic field sensitivity via getters and setters.
  Given obj.setX(tainted), Semgrep will identify that a subsequent obj.getX()
  carries the same taint as tainted. It will also differentiate between
  obj.getX() and obj.getY(). Note that Semgrep does not examine the definitions
  for the getter or setter methods, and it does not know whether e.g. some other
  method obj.clearX() clears the taint that obj.setX(tainted) adds. (pa-2585)

• Pro Engine: Semgrep CLI will now download a version of Semgrep Pro Engine
  compatible with the current version of Semgrep CLI, as opposed to the most
  recently released version.

  This behavior is only supported for Semgrep 1.12.1 and later. Previous
  versions will still download the most recently released version, as before. (pa-2595)

Changed

• Pro: semgrep ci will run intrafile interprocedural taint analysis by default
  in differential scans (aka PR scans). (Note that interfile analysis is not run
  in differential scans for performance reasons.) (pa-2565)

• Remove custom entrypoint for returntocorp/semgrep Docker images, now you must
  explicitly call semgrep.

  This won't work now: docker run -v $(pwd):/src returntocorp/semgrep scan ...
  Must do this instead: docker run -v $(pwd):/src returntocorp/semgrep semgrep scan ... (pa-2642)

• Changed Maven version comparison to more closely reflect usage, so versions with more than 3 increments will not be treated as plain strings (sc-656)

Fixed

• The AST dump produced by semgrep-core is now usable from Python
  with the provided ATD interface and the Python code derived from it with
  atdpy. (gh-7296)

• Terraform: Nested blocks can now be used as sources and sinks for taint.
  For instance, the block x in

  resource $A $B {
  x {
  ...
  }
  } (pa-2475)

• CLI: The scan progress bar now shows progress with higher granularity, and has fewer big jumps when using the Pro Engine.

  The abstract unit of 'tasks' has been removed, and now only a percentage number will be displayed. (pa-2526)

• Fix an error with rule targeting for extract mode. Previously, if a ruleset had
  two rules, the first being the extract rule, the second being the rule to run,
  no rules would run on the extracted targets. Additionally, with multiple rules
  the wrong rule might be run on the extracted target, causing errors. Now, in
  extract mode all the rules for the destination language will be run. (pa-2591)

• Metrics: logged in semgrep ci scans now send metrics, as our Privacy.md indicates
  (previously they incorrectly did not, which made it harder for us to track failure events) (pa-2592)

• Rust: Basic let-statement bindings (such as let x = tainted) now properly
  carry taint. (pa-2605)

• Improved error reporting for rule parsing by correctly reporting parse errors
  instead of engine errors in certain cases. (pa-2610)

• Taint: Fixed an issue where an error could be thrown if semgrep-core's output
  contained a dataflow trace without a sink. (pa-2625)

• Julia: Properly allow string literal metavariables like "$A" to be patterns. (pa-2630)

1.14.0 - 2023-03-01

Added

• Add new hashes of a match (finding) to send to the app:
  • code_hash
  • pattern_hash
  • start_line_hash
  • end-line_hash (gh-7218)

Changed

• taint-mode: Historically, the matching of taint sinks has been somewhat imprecise.
  For example, sink(ok if tainted else ok) was flagged. Recently, we made sink-
  matching more precise for sinks like sink(...) declaring that any argument of
  a given function is a sink. Now we make it more precise when specific arguments of
  a function are sinks, like:

  pattern-sinks:
  - patterns:
    - pattern: sink($X, ...)
    - focus-metavariable: $X
  

  So sink(ok1 if tainted else ok2), sink(not_a_propagator(tainted)), and
  sink(some_array[tainted]), will not be reported as findings. (pa-2477)

• The --gitlab-sast and --gitlab-secrets output formats have been upgraded.
  The output is now valid with the GitLab v15 schema,
  while staying valid with the GitLab v14 schema as well.
  Code findings now include the confidence of the rule.
  Supply Chain findings now include the exposure type. (sc-635)

Fixed

• Fix: Semgrep Pro previously reported a crash for user errors such as
  invalid patterns. It will now give a good error message. (gh-7028)
• Dataflow: Fixed incorrect translation of side-effects inside Boolean expressions,
  this was (for example) causing if (cond && x = 42) S1; S2 to be interpreted as
  x = 42; if (cond && x) S1; S2, thus incorrectly flagging x as a constant
  inside S2. (gh-7199)
• Solidity: support enum and event patterns (gh-7230)
• Kotlin: allow to match extended class in any order
  (e.g., the pattern class $X : Foo will also match class Stuff : Bar, Foo). (gh-7248)
• taint-mode: Code such as sink(sanitizer(source) if source else ok) will not be
  incorrectly reported as a tainted sink. This follows a previous attempt at fixing
  these issues in version 1.1.0. (pa-2509)
• metavariable-pattern: Fixed regression introduced in version 1.9.0 that broke
  the use of pattern-not within metavariable-pattern in some cases. (pa-2510)
• Make Semgrep parse HTML-style comments in JavaScript code. (pa-2560)
• Reduced peak memory usage during inter-file analysis (pa-2563)
• Supply Chain scans on a project using Pipenv
  will now detect transitivity from the committed Pipfile,
  instead of printing an error while trying to parse it. (pa-2577)
• --oss-only previously required --oss-only true to be passed. This PR fixes
  it so that --oss-only will invoke the oss engine. Note that --oss-only true
  will no longer be supported (pa-2587)

1.13.0 - 2023-02-24

Added

• Detect BITBUCKET_TOKEN from environment to authenticate with the Bitbucket API. (app-3691)
• taint-mode: Taint propagators can now specify by-side-effect, just like sources and
  sanitizers. However, the default value of by-side-effect for propagators is true
  (unlike for sources or sanitizers). When using rule option
  taint_assume_safe_functions: true, this allows to specify functions that must
  propagate taint, for example:

      pattern-propagators:
        - by-side-effect: false
          patterns:
            - pattern-inside: $F(..., $X, ...)
            - focus-metavariable: $F
            - pattern-either:
                - pattern: unsafe_function
          from: $X
          to: $F
  

  Without by-side-effect: true, unsafe_function itself would be tainted by side-
  effect, and subsequent invokations of this function, even if the arguments were safe,
  would be tainted. (pa-2400)
• CLI: SARIF output now includes a tag pertaining to which card of the Rule Board a rule originated from.
  This can be "rule-board-block", "rule-board-audit", or "rule-board-pr-comments". (pa-2519)

Fixed

• Fixed a couple of typos in help/usage. (gh-7184)
• Matching: Fixed a bug where expressions would not match to explicit type casts of matching expressions (pa-1133)
• Golang: Fixed a bug where metavariable ellipses as parameters to functions were not working properly (pa-2545)
• Apex: Fix name resolution of class attributes. Among other things, this will allow
  Semgrep to perform constant propagation of final class attributes.
  See https://semgrep.dev/s/DG6v. (pa-2551)
• Go: Fixed a bug where function arguments in a group that share the same type,
  such as "func foo(x, y, z int)", would parse all arguments after the first as
  having the name ",". For instance, "y" and "z" here would not have the correct
  names. (pa-2558)
• Fixed bug in comparison of Maven versions where multi digit versions would cause a default to raw string comparison (sc-maven-cmp-bug)

1.12.1 - 2023-02-17

Fixed

• Fix local scan hyperlinks by asking git for remote.origin.url if repo_url not provided (gh-7144)
• Improve error messages displayed with --verbose when the contents of a metavariable fails to parse. (pa-2537)
• Fixed parsing bug maven_dep_tree.txt files where dependency specs with 6 fields, or suffixed with (optional) would fail to parse (sc-622)
• Supply Chain rules now correctly understand Maven version strings, as described in https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN8855 (sc-maven-versions)
• package-lock.json files which contain "resolved": false as a result of a bug in NPM will now parse (sc-npm-bug)