- A `metavariable-comparison` operator for evaluating numeric comparisons on metavariable values, such as `comparison: $KEY_SIZE < 2048`. This is a safe alternative to `pattern-where-python` snippets. Check the full documentation of this feature!
- Matching 1-to-N attributes with a `...` wildcard in JSX tags' attribute lists, such as `<$TAG attr="1" ... />`.
- Matching only the function signature without the function body, such as `function foo(...)`. This is useful for cleaner match output when the body content doesn't matter in a rule. This currently works on JavaScript, TypeScript, and Java code.
- SARIF output now includes the exact CWE and OWASP categories as tags. Thanks @hunt3rkillerz!
- Matching of annotation patterns for Java (like `@SomeAnnot(...)`) in any context.
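As an added example (not part of these release notes), a rule that uses the new `metavariable-comparison` operator to flag RSA keys generated with fewer than 2048 bits. The rule id, the `rsa.generate_private_key` call being matched and the test input are assumptions:

```yaml
rules:
  - id: weak-rsa-key-size   # assumed rule id
    languages: [python]
    severity: WARNING
    message: >-
      RSA key generated with $KEY_SIZE bits; keys shorter than 2048 bits
      are considered weak. Use 2048 bits or more.
    patterns:
      # Capture the requested key size; `...` absorbs any other arguments.
      - pattern: rsa.generate_private_key(..., key_size=$KEY_SIZE, ...)
      # Numeric comparison on the captured value, no pattern-where-python needed.
      - metavariable-comparison:
          metavariable: $KEY_SIZE
          comparison: $KEY_SIZE < 2048

# Constructed test input (weak_rsa.py), using Semgrep's `# ruleid:` / `# ok:`
# test-annotation convention:
#   from cryptography.hazmat.primitives.asymmetric import rsa
#   # ruleid: weak-rsa-key-size
#   key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
#   # ok: weak-rsa-key-size
#   key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
```

Run it with `semgrep --config weak-rsa-key-size.yaml weak_rsa.py`; only the 1024-bit call should be reported, and the message should interpolate the captured `$KEY_SIZE`.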
Fixed
- PHP superglobals such as `$_GET`, which start with a dollar sign just like Semgrep metavariables, are now correctly interpreted as PHP code instead of Semgrep pattern code.
- Calls to `isset(...)` in PHP look like function calls, but technically are not function calls. Now you can match them anyway!
- It's now possible to write unit tests for OCaml rules.
- JavaScript's special identifiers, such as `this`, can now be captured into a metavariable.
- A Java pattern for `implements B` will now also match code that does `implements A, B, C`.
- Addressed off-by-one errors when applying autofixes.
- Fixed missing characters in metavariable interpolation in messages.