semgrep

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

LGPL-2.1 License

Stars
9.7K
Committers
170


semgrep - Release v0.117.0

Published by github-actions[bot] about 2 years ago

0.117.0 - 2022-10-12

Added

  • taint-mode: It is now possible to use pattern-propagators to propagate taint
    through higher-order iterators such as forEach in Java. For example:
      pattern-propagators:
        - pattern: $X.forEach(($Y) -> ...)
          from: $X
          to: $Y
    (gh-5971)
    
    
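A complete rule built around that propagator, added here as an illustration and not taken from the release notes or the Semgrep project itself. The source and sink patterns (Servlet `getParameter`, JDBC `executeQuery`) and the Java target in the trailing comment are constructed for this example:

```yaml
# Added example (not from the Semgrep release notes): a taint rule that uses
# the forEach pattern-propagator from 0.117.0. Source and sink patterns are
# illustrative choices, not rules shipped with Semgrep.
rules:
  - id: request-param-reaches-sql-via-foreach
    mode: taint
    languages: [java]
    severity: ERROR
    message: >-
      A request parameter reaches executeQuery through a forEach lambda.
      Bind the value with a PreparedStatement instead of concatenating it.
    pattern-sources:
      - pattern: $REQ.getParameter(...)
    pattern-propagators:
      # Without this propagator the lambda parameter $Y is a fresh binding and
      # taint carried by the collection $X is lost inside the lambda body.
      - pattern: $X.forEach(($Y) -> ...)
        from: $X
        to: $Y
    pattern-sinks:
      - pattern: $STMT.executeQuery(...)

# Constructed Java target for the rule above (save as Demo.java and run
# `semgrep --config rule.yaml Demo.java`):
#
#   List<String> ids = List.of(request.getParameter("id")); // source: ids is tainted
#   ids.forEach((id) -> {                                    // propagator: ids -> id
#       stmt.executeQuery("SELECT * FROM t WHERE id = " + id); // finding
#   });
#   List<String> fixed = List.of("1", "2");
#   fixed.forEach((id) -> stmt.executeQuery("... " + id));  // no finding: fixed is clean
```

The `from`/`to` pair is what makes the lambda parameter inherit the collection's taint; the second `forEach` call in the target shows that the propagator only carries taint that was already present on `$X`, so a clean collection does not produce a finding.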

Changed

  • Change default behavior of Travis CI configurations. If a user manually sets their environment variables (i.e. SEMGREP_REPO_NAME, SEMGREP_REPO_URL, SEMGREP_BRANCH, SEMGREP_JOB_URL, SEMGREP_COMMIT, SEMGREP_PR_ID), use it before falling back on autodetection.

Fixed

  • Scala: Fixed a bug where generators would not parse if newlines were present, in certain cases (pa-1902)
  • Fixed bug where nested dependencies in package-lock.json files were not detected (sc-247)
  • Removed Gradle as a separate supply chain ecosystem. Maven rules now work on Gradle projects (sc-256)
  • Lockfiles are no longer subject to size filtering during file targeting, so very large lockfiles can now generate unreachable findings (sc-293)
semgrep - Release v0.116.0

Published by github-actions[bot] about 2 years ago

0.116.0 - 2022-10-06

Added

  • Added support for named arguments in taint tracking. This is only relevant for DeepSemgrep users. (pa-1886)

Changed

  • Change default behavior of Jenkins CI configurations. If a user manually sets their environment variables (i.e. SEMGREP_BRANCH, SEMGREP_JOB_URL, SEMGREP_COMMIT), use it before falling back on autodetection. (app-2432)
  • Change default behavior of Azure Pipelines configurations. If a user manually sets their environment variables (i.e. SEMGREP_REPO_NAME, SEMGREP_REPO_URL, SEMGREP_BRANCH, SEMGREP_JOB_URL, SEMGREP_COMMIT), use it before falling back on autodetection. (app-2433)
  • taint-mode: Removed experimental poor-man's support for wrapper functions around
    taint sources. This was an early experiment to make Semgrep inter-procedural, but
    it was later abandoned in favor of DeepSemgrep. (pa-1838)
  • Disabled Bloom filter optimization by default, due to undesired interactions with
    constant and symbolic propagation, while it appears to not provide a net major
    performance benefit (nowadays). If you do notice a significant drop in performance
    after this change, please let us know. (pa-1927)
  • Semgrep-core will no longer accept a rule file containing only one rule object;
    rules must be given in an array under the rules: key. This change does not
    affect Semgrep CLI, which never accepted that relaxed format. (pa-1931)
  • Changed command line flag for supply chain scans from --sca to --supply-chain.
    Correspondingly changed --config sca to --config supply-chain (sca-ssc)

Fixed

  • Change default behavior of Jenkins CI configurations. If the SEMGREP_REPO_URL is set, use it. Otherwise, default to autodetection. (app-2406)
  • fix: Ensure the docker image uses the latest base packages (docker)
  • Fixed symbolic propagation of the new operator, that had been broken since
    version 0.98.0. You can again e.g. use the pattern new A().foo() to match
    a.foo(), with a = new A(). (gh-6161)
  • Some crypto code like hashing algorithms can lead to a very large amount of
    symbolically propagated values, which previously caused Semgrep's Bloom filter
    to hang. (pa-1920)
  • taint-mode: It is now possible for this or this.x to be a source of taint. (pa-1929)
  • taint-mode: Fixed a bug that made Semgrep miss taint findings when the sink was
    located inside an if condition or a throw (aka raise) expression/statement. (pa-1933)
semgrep - Release v0.115.0

Published by github-actions[bot] about 2 years ago

0.115.0 - 2022-09-27

Added

  • Adds support for a .semgrepconfig file. Users can add metadata (such as a list of tags) to the .semgrepconfig YAML file which will automatically be assigned to the project. (app-2112)
  • Modify the CLI output to separate non-blocking and blocking findings and show a list of the blocking rules that fired. (app-2306)

Changed

  • generic mode: allow text input without human-readable indentation up to 500
    bytes. This value is subject to change. This relaxation is intended to
    facilitate testing where someone might copy-paste a long line without a
    trailing newline. Semgrep users should not expect files that are not
    human-readable to be processed in semgrep's generic mode, or in any mode for
    that matter. (gh-6071)
  • Changed behavior for renamed files on diff scans (scans in which a baseline ref is provided).
    Semgrep will not show old issues to developers when they rename a file now. (gh-6157)

Fixed

  • Fixed nondeterministic failure of test_api test due to invalid settings file by
    configuring home directory to temporary directory. (app-2166)
  • Change default behavior of Jenkins CI configurations. If the SEMGREP_REPO_NAME environment variable is set, use it. Otherwise, default autodetection. (app-2331)
  • Dockerfile mode: Fix failure to match where image name and image alias should
    be the same. The problem was due to some names and identifiers being
    fragmented due to parsing rules and not pieced back together. (gh-5229)
  • Scala: add support for ellipsis in match body (e.g., $X match { ... }) (gh-6131)
  • Added a fix for a bug involving parsing of TS imports, where they were not allowed to appear as patterns to a rule. (pa-1910)
semgrep - Release v0.114.0

Published by github-actions[bot] about 2 years ago

0.114.0 - 2022-09-19

Added

  • Add functionality to exclude rules by id passing it by cli flag --exclude-rule (cli-2530)
  • Fixes https://github.com/returntocorp/semgrep/issues/5686.
    You can now have multiple metavariables under focus-metavariable, which allows Semgrep to highlight the
    values matched by multiple metavariables more easily in certain circumstances.
    See the gist in the description of the original issue for an example. (gh-5686)

Fixed

  • C++: support ellipsis in right-hand-side of an assignment (gh-1923)
  • Rust: support ellipsis in struct declarations (gh-3759)
  • Fixed incorrect stripping of '$' (literal dollar sign) in regexps used in the
    context of metavariable-regex. (gh-5987)
  • Solidity: support constructor and modifier patterns (gh-6053)
  • C#: support for metavariable ellipsis (e.g., $...ARGS) in arguments (gh-6065)
  • Rust: support ellipsis inside module body (gh-6066)
  • Hold references to NamedTemporaryFile objects while their corresponding
    temporary files are still in use by the core runner. Failure to explicitly hold
    references to these objects on some Python implementations, such as PyPy,
    results in them sometimes being garbage-collected during processing. This,
    in turn, triggers removal of the temp files while they are still in use by
    the core runner or the worker subprocesses, resulting in various crashes and
    processing failures. (gh-6100)
  • Swift: Fix parsing of statement ellipsis without a preceding semicolon (pa-1809)
semgrep - Release v0.113.0

Published by github-actions[bot] about 2 years ago

0.113.0 - 2022-09-15

Added

  • Adds backwards-compatibility with older versions of semgrep-app. Only relevant for customers with on-prem versions of the app. (gh-6098)
  • taint-mode: Experimental support for basic field-sensitive taint tracking.
    Semgrep can now track x.a and x.b separately, so that e.g. x.a can be
    tainted at the same time as x.b is clean, hence sink(x.a) would produce
    a finding but sink(x.b) would not. It is also possible for x to be tainted
    while x.a is clean. We expect this to have a net positive effect by reducing
    false positives. (pa-1278)
  • Update the supply chain API to include information about the transitivity of matched dependencies (sca-199)

Fixed

  • Resolve imported classes when there are multiple chained classes.
    For example, if you import world.Hello, and create a
    new Hello.internal_class(), you can match that with
    new world.Hello.internal_class(). (gh-6001)
  • Java: Correctly parse ellipsis in the body of top-level constructor patterns with privacy modifiers (e.g. public Foo() { ... }) (gh-6051)
  • semgrep --test now fails when encountering a parsing error in target code. (gh-6068)
  • Allowed metavariable-comparison to make use of the not in operator. (gh-6072)
  • Fixed parsing of Rust impl definitions (gh-6078)
  • Fixed a TypeError: unbound method set.intersection() needs an argument crash
    that occurred when all of a scan's rules were multilang (regex or generic). (gh-6093)
semgrep - Release v0.112.1

Published by github-actions[bot] about 2 years ago

0.112.1 - 2022-09-08

Fixed

  • Fixed a regression introduced with the previous release, involving a bug with pattern-inside. (gh-6059)
semgrep - Release v0.112.0

Published by github-actions[bot] about 2 years ago

0.112.0 - 2022-09-07

Added

  • JS/TS: Allow standalone switch cases as patterns (e.g. case 5: ...) (pa-1788)
  • Symbolic propagation: Added propagation of all variables which are assigned to a single time. This will affect global variables and class attributes, in particular. (pa-1821)

Changed

  • Use new semgrep-app endpoint that combines the two POST requests to upload findings and ignored findings into one POST request. (app-1446)

Fixed

  • Update git url parser to support optional "org" after hostname. Example: https://some.enterprise.scm/myorg/owner/repo. (app-2202)
  • Fix an incorrect autofix application when the fix includes Python f strings (gh-2995)
  • Fix matching and autofix with bare tuples in Python array accesses (e.g. x[1, 2]) (gh-3387)
  • Ruby: A pattern of the form /.../ can now match any regexp, including regexp templates such as /hello #{name}/. (gh-5147)
  • Fix parsing of Java constructors with privacy modifiers as patterns, e.g. the pattern public Foo() { } (gh-5558)
  • Java: correctly parse class literal patterns (gh-6002)
  • Solidity: correctly parse try statements (gh-6031)
  • Python: Now support match statements (pa-1739)
  • Fixed bug in constant propagation that caused incorrect constants to be inferred
    in the presence of subtraction. (pa-1846)
semgrep - Release v0.111.1

Published by github-actions[bot] about 2 years ago

0.111.1 - 2022-08-23

Changed

  • Previously, the following error message appears when metrics are not uploaded within the set timeout timeframe:

    Error in send: HTTPSConnectionPool(host='metrics.semgrep.dev', port=443): Read timed out. (read timeout=3)

    As this causes confusion for users running the CLI, the log level of the message is reduced so that it appears only for development and debugging purposes. Note that metrics are still successfully uploaded, but the success status is not received within the current timeout. (app-1398)

Fixed

  • taint-mode: Fixed the translation from Generic to IL for expressions like
    "some string".concat(x). Previously, when x was tainted, the concat
    expression was not recognized as tainted and this caused false negatives. (pa-1787)
semgrep - Release v0.111.0

Published by github-actions[bot] about 2 years ago

0.111.0 - 2022-08-22

Added

  • Introduced experimental support for Swift (gh-2232)
  • Add configuration options for using a tree-sitter library installed anywhere
    on the system. (gh-5944)
  • Updated the supply chain finding API:
    • The API is now typed and defined entirely in semgrep_output_v0.atd
    • Supply chain findings now have only one dependency match, not a list, and only one resolved url
    • Supply chain findings now have a field called reachable and reachability_rule,
      which indicate if the finding is reachable, and whether or not it was generated
      by a reachability rule (rule that had a semgrep pattern)
    • Supply chain findings now include a schema version
    • The complete finding information sent to semgrep app now includes a mapping from lockfile
      paths to the number of dependencies that were present in that lockfile (sca-197)

Fixed

  • When a YAML rule file had a string that contained an ISO timestamp, that would be parsed as a datetime object, which would then be rejected by Semgrep's rule schema validator. This is now fixed by keeping strings that contain an ISO timestamp as strings. (app-2157)

  • When parsing PHP with tree-sitter, parse $this similar to pfff, as an IdSpecial. This makes it possible to match $this when the pattern is parsed with pfff and the program with tree-sitter. (gh-5594)

  • Parse die() as exit() in tree-sitter PHP. This makes pfff and tree-sitter parse die() in the same way. (gh-5880)

  • All: Applied a fix so that qualified identifiers can unify with metavariables. Notably, this
    affected Python decorators, among others. (pa-1700)

  • Fixed a regression in DeepSemgrep after the experimental taint labels feature
    was introduced in 0.106.0. This prevented DeepSemgrep from reporting taint
    findings when e.g. the sink was wrapped by another function. (pa-1750)

  • Fixed metavariable unification in JSON when one of the patterns is a single field. (pa-1763)

  • Changed symbolic propagation such that "redundant" matches are no
    longer reported as findings. For instance:

    def foo():
      x = g(5)
      f(x)
    

    If we are looking for the pattern g(5), we should not match on line 3,
    since we will match on line 2 anyways, and this is just repeating information that
    we already know.

    This patch changes it so that we do not match on line 3 anymore. (pa-1772)

  • Semgrep now passes -j to DeepSemgrep engine so --deep became noticeably faster. (pa-1776)

  • taint-mode: Due to a mistake in the instantiation of a visitor, named function
    definitions were being analyzed twice! This is now fixed and you may observe
    significant speed ups in some cases. (pa-1778)

  • Extract mode: fixed a possible exception in normal usage introduced due to
    changes in handling of search/taint rules. (pa-1786)

  • Changed the fail-open message body (pm-194)

Infra/Release Changes

  • GHA Runner macos-12 is unreliable and has begun failing without
    a clear explanation as to why: this downgrades to macos-11,
    since 10.15 is to be deprecated ~10 from now. (devop-609)
  • Keep the tree-sitter library inside a local folder rather than requiring
    a global installation. (gh-2956)
semgrep - Release v0.110.0

Published by github-actions[bot] about 2 years ago

0.110.0 - 2022-08-15

Changed

  • Parse several built-in PHP functions in the same way in pfff and tree-sitter. This makes it possible to match exit, eval, empty and isset, even if the pattern is parsed with pfff and the PHP file with tree-sitter. (gh-5382)

Fixed

  • Skip fail-open for exit code 1 (app-2073)
semgrep - Release v0.109.0

Published by github-actions[bot] about 2 years ago

0.109.0 - 2022-08-11

Changed

  • semgrep ci now defaults to fail open and will always exit with exit code 0, which is equivalent to passing --suppress-errors.
    To disable this behavior, you can pass --no-suppress-errors and semgrep will behave as it did previously, surfacing any exit codes that may result. (app-1951)

Fixed

  • taint-mode: Taint traces (--dataflow-traces) should no longer report "strange"
    intermediate variables when there are record accesses involved. This happened e.g.
    if foo was a tainted record and the code accessed some of its fields as in
    foo.bar.baz. This was related to the use of auxiliary variables in the Dataflow IL.
    These variables got tainted, but they had real tokens attached corresponding to the
    dot . operator. Now we do not include these variables in the taint trace. (pa-1672)

Infra/Release Changes

  • GHA runner-image macos-10.15 is deprecated and will be unsupported by 30AUG2022. We've tested and can upgrade to macos-12 to avoid issues with brownouts or end of support. (devop-586)
semgrep - Release v0.108.0

Published by github-actions[bot] about 2 years ago

0.108.0 - 2022-08-03

Added

  • Metrics now include language-aggregated parse rates (files, bytes). The purpose
    of this is to help drive parsing improvements more intelligently. See
    PRIVACY.md for more details. (pa-1678)

Changed

  • Updated SCA finding generation so that the following hold:
    • One SCA finding per vulnerable dependency. If one rule matches multiple dependencies in one lockfile,
      that will produce multiple findings. This still needs to be codified in the typed interface
    • No findings in files that were not targeted. If foo.py depends on Pipfile.lock,
      and foo.py is targeted but Pipfile.lock is not, then we can produce reachable findings
      in foo.py but not non-reachable findings in Pipfile.lock. If Pipfile.lock is included in
      our targets then we can produce non-reachable findings inside of it
    • No massive single scan for lockfiles. (sca-127)

Fixed

  • Fixed issue when scan fails due to pending changes in submodule. (cli-272)

  • Semgrep CI now accepts more formats of git url for metadata provided to semgrep.dev and lets the user provide a fallback for repo name (SEMGREP_REPO_NAME) and repo url (SEMGREP_REPO_URL) if they are undefined by CI. (cli-280)

  • Fixed a crash that occurred when reporting results when join mode and taint mode were used together (gh-5839)

  • JS: Allowed decorators to appear in Semgrep patterns for class methods and fields. (pa-1677)

  • Quick fix for a regression introduced in 0.107.0 (presumably by taint labels)
    that could cause some taint rules to crash Semgrep with:

    Invalid_argument "output_value: abstract value (Custom)" (pa-1724)
    
  • Increase timeout for network calls to semgrep.dev from 30s to 60s (timeout-1)

semgrep - Release v0.107.0

Published by github-actions[bot] about 2 years ago

0.107.0 - 2022-07-29

Added

  • Added metadata in App-connected scans to report extensions of files that do not match the language of any enabled rules in order to enable more effective language prioritization while developing new rules. (app-1354)
  • Support fail-open in CI: adds --suppress-errors/--no-suppress-errors (defaults to --no-suppress-errors) (cli-254)
  • New language Elixir with experimental support. (gh-3698)
  • Kotlin: support for ellipsis in field access (e.g., obj. ... .bar()) (gh-5819)
  • Changed semgrep-core so that it can now be run with -rules on .yaml files which do not have a top-level rules: ... key. This means you can now copy paste from the playground editor directly into a .yaml file for use with semgrep-core. (implicit-rules-sc-core)
  • Add experimental support for taint labels, that is the ability to attach labels to
    different kinds of taint. Both sources and sinks can restrict what labels are present
    in the data that passes through them in order to apply. This allows writing more
    complex taint rules that previously required ugly workarounds. Taint labels are also
    useful for writing certain classes of typestate analyses (e.g., check that a file
    descriptor is not used after being closed). (pa-1362)
  • Introduced the --dataflow-traces flag, which directs the Semgrep CLI to explain how non-local values lead to a finding. Currently, this only applies to taint mode findings and it will trace the path from the taint source to the taint sink. (pa-1599)
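A worked rule showing the label mechanics described above, added here as an illustration and not taken from the release notes or the Semgrep project. It chains two labels so that only an ObjectInputStream built from request data is reported when it is deserialized; the Java source/sink patterns and the target in the trailing comment are constructed for this example:

```yaml
# Added example (not from the Semgrep release notes): taint labels from
# 0.107.0 used to chain two conditions. Patterns are illustrative choices.
rules:
  - id: deserialize-request-controlled-stream
    mode: taint
    languages: [java]
    severity: ERROR
    message: >-
      ObjectInputStream built from request data is deserialized; untrusted
      readObject() enables deserialization attacks.
    pattern-sources:
      # Raw request data carries only the USER label.
      - pattern: $REQ.getInputStream()
        label: USER
      # A source with `requires` fires only on data that already carries the
      # required label, so wrapping USER data yields the STREAM label.
      - pattern: new ObjectInputStream($IN)
        requires: USER
        label: STREAM
    pattern-sinks:
      # Only STREAM-labelled taint reaching the receiver $S is reported;
      # plain USER data passed elsewhere does not trip this sink.
      - pattern: $S.readObject()
        requires: STREAM

# Constructed Java target for the rule above:
#
#   InputStream in = request.getInputStream();          // USER
#   ObjectInputStream ois = new ObjectInputStream(in);  // STREAM (requires USER)
#   Object o = ois.readObject();                        // finding
#
#   ObjectInputStream t = new ObjectInputStream(new FileInputStream("trusted.bin"));
#   t.readObject();                                     // no finding: no USER taint
```

The `requires` keys accept boolean combinations of labels (for example `USER and not SANITIZED`), which is how the "ugly workarounds" of duplicating a rule per combination are avoided.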

Changed

  • Made breaking changes to the dataflow_trace JSON output to make it more easily consumable by the App. Added content for taint_source and intermediate_vars, and collapsed the multiple taint_source locations into one. (dataflow-trace-json)
  • Removed the unique_id field from the semgrep (and semgrep-core) JSON output
    for metavariables. (unique-id-json)

Fixed

  • Fixed format of repository urls so links to findings can be properly displayed on semgrep.dev (cli-278)
  • Scala: Allow metavariables in import patterns (gh-5219)
  • Rules reported for LSP metrics now are hashed before sending (lsp-metrixs)
  • -filter_irrelevant_rules was incorrectly skipping files when the PCRE engine threw
    an error, while trying to match a regex that determines whether a rule is relevant
    for a file. This has been fixed so that, in case of a PCRE error, we assume that the
    rule could be relevant and we do run it on the file. (pa-1635)
semgrep - Release v0.106.0

Published by github-actions[bot] about 2 years ago

0.106.0 - 2022-07-21

Changed

  • metavariable-comparison: The metavariable field is now optional, except
    if strip: true. When strip: false (the default) the metavariable field
    has no use, so it was pointless to require it. (metavariable-comparison-metavariable)

  • metavariable-comparison now also works on metavariables that cannot be evaluated
    to simple literals. In such cases, we take the string representation of the code
    bound by the metavariable. The way to access this string representation is via
    str($MVAR). For example:

    - metavariable-comparison:
        metavariable: $X
        comparison: str($X) == str($Y)
    

    Here $X and $Y may bind to two different code variables, and we check whether
    these two code variables have the same name (e.g. two different variables but both
    named x). (pa-1659)

  • When running an SCA scan with semgrep ci --sca,
    SCA findings will no longer be considered blocking if they are unreachable. (sca-128)

Fixed

  • Fixed a regression in name resolution that occurred with metavariable patterns (gh-5690)

  • Rust: Fixed a bug with matching for scoped identifiers

    Basically, scoped identifiers were only looking at the last identifier. So something like A::B::C would result in something like C. (gh-5717)

semgrep - Release v0.105.0

Published by github-actions[bot] about 2 years ago

0.105.0 - 2022-07-20

Added

  • Experimental LSP support for: metavariable inlay hints, hot reloading, App integration, scan commands, and much much more (cli-235)
  • Added a concatenation reduction for extract mode, so that disjoint snippets
    within a file can be treated as one unified file. (extract-reductions)
  • Extract mode: taint trace positions are now updated to correspond to the source
    file. (extract-taint-traces)
  • Extract mode: generic is now permitted as a languages value (pa-1648)
  • Added handling for EXPERIMENT severity to allow the ability to test rules as experiments. (rules-680)

Changed

  • Do not store time or skipped targets output unless requested. This reduces memory consumption significantly in large repos (pa-1618)
  • Reduce memory consumption of semgrep by passing the targets in a more condensed
    structure. Previously, we told semgrep which rules to run on which target by
    listing out all the rule_ids each target should run. Now, we have a separate
    rule_id list and for each target we only list the rule_id indices. On large
    repos, particularly when run with multiple processes, this has a significant
    impact. (pa-1618-2)

Fixed

  • C#: Improved error message when function parameters are declared with var (gh-5068)

  • Scala/others: Added a fix allowing percolation of name information from class parameters

    For example, classes which take in arguments like the following in Scala:

    class ExampleClass(val x: TypeName) {
    }
    

    do not properly enter the context. So in our analysis, we would not know that the identifier
    x has type TypeName, within the body of ExampleClass. (gh-5506)

  • Fixed the logged message describing the endpoint where rules are fetched from when SEMGREP_URL is set (gh-5753)

  • Fixed what data was used for indexing match results to used match based id data (index)

semgrep - Release v0.104.0

Published by github-actions[bot] over 2 years ago

0.104.0 - 2022-07-13

Added

  • semgrep ci will now not block builds on triage ignored issues (cli-162)
  • Add support to cli/scripts/compare.py for podman environments (compare-script-podman)
  • A new experimental 'extract' mode. This mode runs a Semgrep rule on a codebase
    and "extracts" code from matches, treating it as a different language. This
    allows users to supplement an existing set of rules, e.g., for JavaScript, by
    writing additional rules to find JavaScript in non-JavaScript files, e.g.,
    JavaScript contained in HTML or template files. While this is somewhat possible
    with metavariable-pattern, this reduces the work from an M * N problem to an M + N one. (gh-4478)
  • Added taint traces as part of Semgrep's JSON output. This helps explain how the sink became tainted. (pa-1271)
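An extract-mode rule of the kind described above, added here as an illustration and not taken from the release notes or the Semgrep project. It lifts inline `<script>` bodies out of HTML so that an ordinary JavaScript rule set can scan them; that `$...JS` matches the raw script text in Semgrep's HTML grammar is an assumption of this example:

```yaml
# Added example (not from the Semgrep release notes): an extract-mode rule
# (experimental in 0.104.0) that hands inline JavaScript in HTML files to
# the JavaScript rules. `reduce: concat` (0.105.0) joins every snippet from
# one HTML file into a single JavaScript target, so cross-snippet dataflow
# is preserved. The pattern matching raw script text is an assumption.
rules:
  - id: extract-inline-script
    mode: extract
    languages: [html]
    pattern: <script>$...JS</script>
    extract: $...JS
    dest-language: javascript
    reduce: concat
```

Extract rules are run in the same invocation as the rules that should see the extracted code, for example `semgrep --config extract.yaml --config js-rules.yaml site/` (the file names here are placeholders); the JavaScript rules then report findings with positions mapped back to the original HTML file, which is what the 0.105.0 note about taint trace positions refers to.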

Changed

  • Metavariable-pattern now uses the same metavariable context as its parent. This will potentially
    cause breaking changes for rules that reuse metavariables in the pattern. For example, consider
    the following formula:

    - patterns:
       - pattern-either:
           - pattern-inside: $OBJ.output($RESP)
       - pattern: $RESP
       - metavariable-pattern:
           metavariable: $RESP
           pattern: `...{ $OBJ }...`
    

    Previously, the $OBJ in the metavariable-pattern would be a new metavariable. The formula would
    behave the same if that $OBJ was $A instead. Now, $OBJ will try to unify with the value bound
    by $OBJ in the pattern-inside. (gh-5060)

  • The semgrep test output used to produce expected lines and reported lines which is difficult to read and interpret. This change introduces missed lines and incorrect lines to make it easier for the users to pinpoint the differences in output. (gh-5600)

  • Separator lines are no longer drawn between findings that have no source code snippet. (sca-ui)

  • Using ellipses in XML/HTML elements is now more permissive of whitespace.
    Previously, in order to have an element with an ellipsis no leading/trailing
    whitespace was permitted in the element contents, i.e., <tag>...</tag> was
    the only permitted form. Now, leading or trailing whitespace is ignored when
    the substantive content of the element is only an ellipsis. (xml-permissive-ellipsis)

Fixed

  • Semgrep App's links to repositories, code snippets, and pull requests are no longer broken for projects that run Semgrep in Circle CI, Bitbucket, and Buildkite. (cli-267)
  • When running Semgrep via Docker for Mac,
    all volume-mounted files were considered executable and thus a candidate for scanning Bash code,
    making target collection take longer, and sometimes targeting more files than intended.
    This was fixed by using os.stat instead of os.access to determine if a file is executable. (gh-5560)
  • Semgrep used to crash when trying to print findings that match only whitespace, such as when a rule disallows two newlines at the end of a file. This crash is now fixed. (gh-5633)
  • Memory usage improvement: don't save skipped targets when --debug isn't passed
    since it isn't read unless --debug is used (pa-1618)

Infra/Release Changes

  • Updated the GH Release creation to publish the release instead of drafting one - this avoids a failure of validation jobs on release. (cli-243)
  • Using some building blocks from release, set up a workflow to test semgrep ci e2e. (cli-253)
  • Updated our changelog management system to towncrier to avoid merge conflicts in changelog on release (cli-77)
  • The opening of PRs in other repos is automated with semgrep release - there is still a manual review required to build confidence. (cli-84)
semgrep - Release v0.103.0

Published by github-actions[bot] over 2 years ago

0.103.0 - 2022-07-05

Added

  • Expression statement patterns (e.g. foo();) used to also match when
    they were a bit deeper in the expression (e.g., x = foo();).
    This can now be disabled via rule options:
    with implicit_deep_exprstmt: false (#5472)
  • The timeout for git commands Semgrep runs is now configurable by setting the
    SEMGREP_GIT_COMMAND_TIMEOUT environment variable.
    The unit used is seconds. The default value is 300.

Fixed

  • Error messages in JSON output used to contain ANSI color codes,
    this was fixed so they are now uncolored (and readable!) plain text.
semgrep - Release v0.102.0

Published by github-actions[bot] over 2 years ago

Added

  • Scala: ellipsis are now allowed in for loop headers, so you can write patterns
    like for (...; $X <- $Y if $COND; ...) { ... } to match nested for loops. (#5650)

Fixed

  • taint-mode: In some scenarios some statements were not being included in the
    CFG used by taint tracking, and as a result some expected findings were not being
    reported (i.e. false negatives). This affected mainly languages like Scala where
    traditional control-flow constructs are expressions rather than statements (or,
    seen in a different way, every statement returns a value). (#5652)

Changed

  • --verbose no longer toggles the display of timing information, use
    --verbose --time to display this information.
semgrep - Release v0.101.1

Published by github-actions[bot] over 2 years ago

0.101.1 - 2022-06-28

Fixed

  • semgrep ci: CI runs in GitHub Actions failed to checkout the commit associated with the head branch, and is fixed here.
semgrep - Release v0.101.0

Published by github-actions[bot] over 2 years ago

0.101.0 - 2022-06-27

Added

  • Bash: Support for subshell syntax i.e. commands in parentheses (#5629)

Fixed

  • semgrep ci: CI runs were failing to checkout the PR head in GitHub Actions, which is
    corrected here.
  • TS: fixed the parsing of type predicates and typeof queries
  • Deep expression matching now works on HTML in JavaScript
  • taint-mode: Taint propagation via pattern-propagators now works correctly when the
    from or to metavariables match a function call. For example, given
    sqlBuilder.append(page.getOrderBy()), we can now propagate taint from
    page.getOrderBy() to sqlBuilder.
  • Will no longer print "files were not tracked by git" if not in a git repo
  • Will no longer print "Some files were skipped" if no files were skipped
  • Fixed bug where semgrep would crash in nonexistent directory (#4785)
  • taint-mode: Correctly propagate taint in for-each loops with typed iteration
    variables (as in Java or C#). If the iterator object is tainted, that taint will
    now be propagated to the iteration variable. This should fix some false negatives
    (i.e., findings not being reported) in the presence of for-each loops. (#5590)