From e0372bc910720c73123f16d9023c9bda56ebbe33 Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Thu, 8 Feb 2024 13:55:02 -0600 Subject: [PATCH] January 2024 release notes (#1342) --- docs/release-notes/january-2024.md | 137 +++++++++++++++++++++ docs/release-notes/latest.md | 183 ++++++++++++++--------------- sidebars.js | 12 ++ 3 files changed, 237 insertions(+), 95 deletions(-) create mode 100644 docs/release-notes/january-2024.md diff --git a/docs/release-notes/january-2024.md b/docs/release-notes/january-2024.md new file mode 100644 index 000000000..45bfe3975 --- /dev/null +++ b/docs/release-notes/january-2024.md 
@@ -0,0 +1,137 @@ +--- +slug: january-2024 +hide_title: true +description: >- + Release notes include the changes, fixes, and additions in specific versions of Semgrep. +toc_max_heading_level: 3 +title: January 2024 +tags: + - Release notes +--- + +# Semgrep release notes for January 2024 + +## 🔧 OSS Engine + +* The following versions of the OSS Engine were released in January 2024: + * [1.55.1](https://github.com/semgrep/semgrep/releases/tag/v1.55.1) + * [1.55.2](https://github.com/semgrep/semgrep/releases/tag/v1.55.2) + * [1.56.0](https://github.com/semgrep/semgrep/releases/tag/v1.56.0) + * [1.57.0](https://github.com/semgrep/semgrep/releases/tag/v1.57.0) + * [1.58.0](https://github.com/semgrep/semgrep/releases/tag/v1.58.0) + * [1.59.0](https://github.com/semgrep/semgrep/releases/tag/v1.59.0) + +## 🌐 Cloud Platform + +### Added + +* Semgrep's Visual Studio Code extension now runs natively on Windows machines. +* Added ability for organizations to test connections to GitHub and GitLab by going to + **Settings** > **Source Code Managers**. +* Projects are now moved from the **Scanning** to **Not scanning** tab when the + corresponding GitHub repository is archived. +* **CLI tool**: + * Added color-coded severity icons, such as `❯❯❱`, to the CLI + output for findings of known severity. + * Metrics sent from the CLI and collected by Semgrep now include a breakdown of the number + of findings per product. + * Rules stored under a hidden directory, such as + `dir/.hidden/myrule.yml`, are now processed when scanning with the `--config` + flag. + +### Changed + +* Renamed the **Upgrade** page to **Usage & billing**. +* Redesigned the **Settings** > **Source Code Managers** page; changes include: + * Renamed the **Remove SCM config** button to **Disconnect**. + * Set the **Remove app** button to only show up for registered GitHub apps. 
+* Improved the page load times for the **Settings** > **Source Code Managers** + page, especially for organizations with many source code managers connected. +* Updated de-duplication logic for users with multiple source code managers. + +### Fixed + +* Fixed an issue where paid subscribers couldn't submit support cases through + the **Help** page. +* **CLI tool**: + * Fixed an issue where multi-line comments in Dockerfiles weren't + parsed correctly. + * Fixed an issue where Semgrep used `/tmp` instead of the path set + in the `TMPDIR` environment variable for the Semgrep cache. + * Fixed an issue where Semgrep would error on reading a + `nosemgrep` comment with multiple rule IDs. + +## 💻 Code + +### Added + +- **Swift**: Now supports typed metavariables, such as `($X : ty)`. +- **Java**: You can now use metavariable ellipses properly in function arguments, as statements, and as expressions. For instance, you may write the pattern: + ``` + public $F($...ARGS) { ... } + ``` +- **C++ with Semgrep Pro Engine**: Improved translation of delete expressions to the dataflow so that +recently added at-exit sinks work on them. Previously, delete expression at "exit" positions were not being properly recognized as such. + +### Changed + +- Improved loading times for **Dashboard** and **Findings** pages. +- Redesigned the **Findings** page to display issues present on multiple branches, + regardless of which branch is used as a filter. + +### Fixed + +- **Editor**: Fixed a bug where the editor could crash due to rules having more than one metadata subcategory. +- Fixed a bug in which **open** findings were counted differently between the **Code** and **Dashboard** pages in Semgrep Cloud Platform. The counts now match. +- **Findings** page: + - Fixed a bug in which leaving a note automatically triaged a finding. Now, the state of the finding does not change when a user leaves a note. 
+ - Fixed a bug in which **fixed** findings were triagable despite their already fixed state through the rule group checkbox. Now these findings are not triagable. + - Fixed an issue where hovering over the Assistant's **Analyze** button caused the window to jitter. + +## ⛓️ Supply Chain + +### Added + +* Added ability to manually create custom dependency exceptions under **Supply + Chain** > **Settings**. This helps prevent blocking a pull request or merge + request due to licensing issues. For example, if `bitwarden/cli@2023.9.0`, + which has a GPL-3.0 license, is on the allowlist, setting a custom dependency + exception means that the exclusion won't fail when upgrading to + `bitwarden/cli@2023.9.1`. + +### Changed + +- **Vulnerabilities page**: Improved filtering performance. +- Software bill of materials (SBOM) generation is now generally available (GA). +- The **Dependencies** tab is now GA. + +### Fixed + +* Fixed an issue where Semgrep couldn't parse a Pipfile correctly if it had a + `[dev-packages]` section. +* Fixed a bug where `Gemfile.lock` files with multiple `GEM` sections weren't parsed correctly. + +## 🔐 Secrets (beta) + +### Fixed + +- Fixed a bug with custom secrets rules in which rule visibility could be set to `unlisted`. Now, to protect the privacy of secrets rules, users cannot set Secrets rules to any other visibility except for **private**. + +## 📝 Documentation and knowledge base + +### Added + +- Added [legal information](/semgrep-code/semgrep-assistant-code/#privacy-and-legal-considerations) about Semgrep Assistant. +- Added documentation about Semgrep Assistant's Component and Recommendation filters. 
+- Knowledge base articles: + - Troubleshoot why [SAML stops working](/kb/semgrep-cloud-platform/saml-stops-working/) + - [Troubleshooting "You are seeing this because the engine was killed" on monorepos](/kb/semgrep-code/scan-engine-kill/) +- Added guidance on running Semgrep Supply Chain scans [in the CLI](/semgrep-supply-chain/getting-started/#run-a-scan-using-the-cli ). + +### Changed + + +- Updated the Semgrep Supply Chain [languages table](/supported-languages/#semgrep-supply-chain) to clarify that **lockfile-only** languages do not have reachable rules. +- Updated documentation on event triggers for diff-aware and full scans. +- Updated [Licensing](/licensing) documentation for Semgrep Supply Chain and Semgrep Secrets. +- Updated the [Findings](/docs/semgrep-code/findings/) documentation page. diff --git a/docs/release-notes/latest.md b/docs/release-notes/latest.md index d85f1ccfe..46a79372c 100644 --- a/docs/release-notes/latest.md +++ b/docs/release-notes/latest.md 
@@ -9,136 +9,129 @@ tags: - Release notes --- -# Semgrep release notes for December 2023 +# Semgrep release notes for January 2024 ## 🔧 OSS Engine -* The following versions of the OSS Engine were released in December 2023: - - * [ - 1.52.0](https://github.com/returntocorp/semgrep/releases/tag/v1.52.0) - * [ - 1.53.0](https://github.com/returntocorp/semgrep/releases/tag/v1.53.0) - * [ - 1.54.0](https://github.com/returntocorp/semgrep/releases/tag/v1.54.0) - * [ - 1.54.1](https://github.com/returntocorp/semgrep/releases/tag/v1.54.1) +* The following versions of the OSS Engine were released in January 2024: + * [1.55.1](https://github.com/semgrep/semgrep/releases/tag/v1.55.1) + * [1.55.2](https://github.com/semgrep/semgrep/releases/tag/v1.55.2) + * [1.56.0](https://github.com/semgrep/semgrep/releases/tag/v1.56.0) + * [1.57.0](https://github.com/semgrep/semgrep/releases/tag/v1.57.0) + * [1.58.0](https://github.com/semgrep/semgrep/releases/tag/v1.58.0) + * [1.59.0](https://github.com/semgrep/semgrep/releases/tag/v1.59.0) ## 🌐 Cloud Platform ### Added -* Semgrep IDE integrations now cache information about the current repository so - that it doesn't traverse the entire repository on every scan to determine if - the files are valid targets for scanning; this improves scan times. -* Users can now ignore findings locally in Semgrep IDE extensions. The changes -persist between restarts, though they're not reported back to Semgrep Cloud -Platform and don't affect the remote repository or other users. Note that these findings -are still detected when Semgrep scans your code, typically when opening a pull -request or merge request. -* The metrics collected now include more granular information to help -differentiate scans using different engine capabilities, such as intraprocedural -scans without secrets validation versus intraprocedural scans *with* secrets -validation. -* **CLI tool**: Added new `semgrep test` subcommand, which is an alias for -`semgrep scan --test`. 
**Note**: If the **name** of the directory you are -scanning is `test`, use `semgrep scan test` to avoid confusion with the new -`semgrep test` subcommand. +* Semgrep's Visual Studio Code extension now runs natively on Windows machines. +* Added ability for organizations to test connections to GitHub and GitLab by going to + **Settings** > **Source Code Managers**. +* Projects are now moved from the **Scanning** to **Not scanning** tab when the + corresponding GitHub repository is archived. +* **CLI tool**: + * Added color-coded severity icons, such as `❯❯❱`, to the CLI + output for findings of known severity. + * Metrics sent from the CLI and collected by Semgrep now include a breakdown of the number + of findings per product. + * Rules stored under a hidden directory, such as + `dir/.hidden/myrule.yml`, are now processed when scanning with the `--config` + flag. ### Changed -* **OCaml**: Switched to a tree-sitter-based parser instead of the Menhir - parser. -* **Rust**: Updated the parser used for Rust. +* Renamed the **Upgrade** page to **Usage & billing**. +* Redesigned the **Settings** > **Source Code Managers** page; changes include: + * Renamed the **Remove SCM config** button to **Disconnect**. + * Set the **Remove app** button to only show up for registered GitHub apps. +* Improved the page load times for the **Settings** > **Source Code Managers** + page, especially for organizations with many source code managers connected. +* Updated de-duplication logic for users with multiple source code managers. ### Fixed -* Fixed an issue where webhooks stopped working. -* Fixed an issue so that clicking **Start Tour** now restarts the Getting Started - tutorial. -* Fixed an issue where the **Members** page doesn't display a user's new role until - the page reloads. -* Fixed an issue where users switching organizations would result in a 404. 
- -* Fixed the **Connect to** button under **Settings** > **Source Code Managers** - so that it displays correctly based on whether the user can connect to a - source code manager. -* **CLI tool**: Updated CLI error message to clarify that users should log in - before running either: - * `semgrep ci` - * `semgrep scan --config` - -## 💻 Code +* Fixed an issue where paid subscribers couldn't submit support cases through + the **Help** page. +* **CLI tool**: + * Fixed an issue where multi-line comments in Dockerfiles weren't + parsed correctly. + * Fixed an issue where Semgrep used `/tmp` instead of the path set + in the `TMPDIR` environment variable for the Semgrep cache. + * Fixed an issue where Semgrep would error on reading a + `nosemgrep` comment with multiple rule IDs. -### Fixed +## 💻 Code -* Fixed an issue where Semgrep Code findings marked as **fixed** can be triaged through - the rule group. Once a finding is fixed, its triage status can't be changed back - to **ignored**. - -* Fixed an issue where the rule information card and the rule preview are missing - for older findings; all findings now display this information. - -* Fixed an issue where the finding's severity displayed doesn't match the rule's - severity once the rule has been updated. +### Added -## ⛓️ Semgrep Supply Chain +- **Swift**: Now supports typed metavariables, such as `($X : ty)`. +- **Java**: You can now use metavariable ellipses properly in function arguments, as statements, and as expressions. For instance, you may write the pattern: + ``` + public $F($...ARGS) { ... } + ``` +- **C++ with Semgrep Pro Engine**: Improved translation of delete expressions to the dataflow so that +recently added at-exit sinks work on them. Previously, delete expression at "exit" positions were not being properly recognized as such. ### Changed -* Fixed an issue where empty tables in `pyproject.toml` files would fail to parse. +- Improved loading times for **Dashboard** and **Findings** pages. 
+- Redesigned the **Findings** page to display issues present on multiple branches, + regardless of which branch is used as a filter. -## 🤖 Assistant (beta) +### Fixed + +- **Editor**: Fixed a bug where the editor could crash due to rules having more than one metadata subcategory. +- Fixed a bug in which **open** findings were counted differently between the **Code** and **Dashboard** pages in Semgrep Cloud Platform. The counts now match. +- **Findings** page: + - Fixed a bug in which leaving a note automatically triaged a finding. Now, the state of the finding does not change when a user leaves a note. + - Fixed a bug in which **fixed** findings were triagable despite their already fixed state through the rule group checkbox. Now these findings are not triagable. + - Fixed an issue where hovering over the Assistant's **Analyze** button caused the window to jitter. + +## ⛓️ Supply Chain ### Added -* Added the **Analyze** button to Semgrep Cloud Platform's **Code** page, which -triggers all Assistant functions on selected findings, including autofix, autotriage, and component -tagging. After Assistant performs these functions, users -can see their results if they filter for findings based on **Recommendation** or -by **Component**. Additionally, users who choose **No Grouping** instead of -**Group by Rule** see false positive and true positive recommendations when -viewing their finding details pages. +* Added ability to manually create custom dependency exceptions under **Supply + Chain** > **Settings**. This helps prevent blocking a pull request or merge + request due to licensing issues. For example, if `bitwarden/cli@2023.9.0`, + which has a GPL-3.0 license, is on the allowlist, setting a custom dependency + exception means that the exclusion won't fail when upgrading to + `bitwarden/cli@2023.9.1`. -## 🔐 Secrets (beta) +### Changed -### Added +- **Vulnerabilities page**: Improved filtering performance. 
+- Software bill of materials (SBOM) generation is now generally available (GA). +- The **Dependencies** tab is now GA. + +### Fixed + +* Fixed an issue where Semgrep couldn't parse a Pipfile correctly if it had a + `[dev-packages]` section. +* Fixed a bug where `Gemfile.lock` files with multiple `GEM` sections weren't parsed correctly. -* Added support for custom validator rules, which can be written using Semgrep's - Rules Editor and run using `semgrep ci --allow-untrusted-validators`. Note - that custom validator rules are private and can't be shared to Semgrep - Registry. +## 🔐 Secrets (beta) ### Fixed -* Fixed an issue where the **Ignore** button doesn't work when triaging Secrets. - +- Fixed a bug with custom secrets rules in which rule visibility could be set to `unlisted`. Now, to protect the privacy of secrets rules, users cannot set Secrets rules to any other visibility except for **private**. ## 📝 Documentation and knowledge base ### Added -* Added [Quickstart](/docs/getting-started/quickstart/). -* Added [Privacy and legal considerations](/docs/semgrep-code/semgrep-assistant-code#privacy-and-legal-considerations) information for Semgrep Assistant. -* New knowledge base articles: - * [Fix pattern parse errors when running rules](/docs/kb/rules/pattern-parse-error) - * [How to scan a large monorepo](/docs/kb/semgrep-code/scanning-large-monorepo) - * [Scanning a monorepo in parts](/kb/semgrep-ci/scan-monorepo-in-parts) - * [SSO Error: Signature validation failed. SAML Response rejected](/docs/kb/semgrep-cloud-platform/saml-bad-signature) - * [Troubleshooting "You are seeing this because the engine was killed" on monorepos](/docs/kb/semgrep-code/scan-engine-kill) +- Added [legal information](/semgrep-code/semgrep-assistant-code/#privacy-and-legal-considerations) about Semgrep Assistant. +- Added documentation about Semgrep Assistant's Component and Recommendation filters. 
+- Knowledge base articles: + - Troubleshoot why [SAML stops working](/kb/semgrep-cloud-platform/saml-stops-working/) + - [Troubleshooting "You are seeing this because the engine was killed" on monorepos](/kb/semgrep-code/scan-engine-kill/) +- Added guidance on running Semgrep Supply Chain scans [in the CLI](/semgrep-supply-chain/getting-started/#run-a-scan-using-the-cli ). ### Changed -* Updated overview articles for [Semgrep Code](/semgrep-code/overview/) and - [Semgrep Supply Chain](/docs/semgrep-supply-chain/overview/). -* Updated documentation on setting up pull request or merge request comments for - [GitHub](/docs/semgrep-cloud-platform/github-pr-comments/), - [GitLab](/docs/semgrep-cloud-platform/gitlab-mr-comments/), and - [Bitbucket](/docs/semgrep-cloud-platform/bitbucket-pr-comments/) users. -* General improvements to API docs, including clarification of usage - instructions for Supply Chain and Secrets endpoints. - -### Fixed - -* Minor corrections and updates to various articles. + +- Updated the Semgrep Supply Chain [languages table](/supported-languages/#semgrep-supply-chain) to clarify that **lockfile-only** languages do not have reachable rules. +- Updated documentation on event triggers for diff-aware and full scans. +- Updated [Licensing](/licensing) documentation for Semgrep Supply Chain and Semgrep Secrets. +- Updated the [Findings](/docs/semgrep-code/findings/) documentation page. diff --git a/sidebars.js b/sidebars.js index 6cb30d18b..a18394b88 100644 --- a/sidebars.js +++ b/sidebars.js @@ -508,6 +508,18 @@ module.exports = { link: {type: 'doc', id: 'release-notes/introduction'}, items: [ 'release-notes/latest', + { + type: 'category', + label: '2024', + collapsible: true, + link: { + type: 'generated-index', + title: '2024 Release notes' + }, + items: [ + 'release-notes/january-2024' + ] + }, { type: 'category', label: '2023',
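Review bot: in the `january-2024.md` hunk, the Supply Chain link `[in the CLI](/semgrep-supply-chain/getting-started/#run-a-scan-using-the-cli )` has a trailing space before the closing parenthesis, which Markdown renderers either reject or encode into the URL; drop the space. Link paths in the same file are mixed, `/docs/semgrep-code/findings/` carries a `/docs` prefix while `/semgrep-code/semgrep-assistant-code/#privacy-and-legal-considerations`, the `/kb/...` links and `/licensing` do not, so pick one form. On content: the Secrets fix says custom Secrets rules can no longer be set to `unlisted`, but does not say whether rules already saved as `unlisted` were moved back to private, which is the detail a team auditing exposure of its secret-detection rules needs. The Code fix for **fixed** findings being triagable through the rule group checkbox restates what the December notes removed in `latest.md` already recorded as fixed; if this is a regression fix, say so. The `--config` change that now loads rules under hidden directories such as `dir/.hidden/myrule.yml` is filed under Added but is a behaviour change in rule discovery: pointing `--config` at a directory will now run rule files the user may not have intended to include, so it deserves a one-line caveat. Minor: "triagable" should be "triageable", the Supply Chain example's "the exclusion won't fail" reads as if the exception fails rather than the scan, the Documentation **Changed** heading is followed by two blank lines, and list markers alternate between `*` and `-` across sections.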
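Review bot: the `latest.md` hunk turns the file body into a copy of `january-2024.md`, trailing space in the `#run-a-scan-using-the-cli ` link included, so every future correction has to land in two places; consider having `latest.md` include or redirect to the current month's page instead of duplicating it. Also, the December 2023 notes removed here, including the `semgrep test` subcommand note and the `--allow-untrusted-validators` custom validator note, are not added anywhere in this patch (the stat lists only the three files shown), so confirm a December 2023 page already carries them before this merges.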
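Review bot: in the `sidebars.js` hunk, the new `2024` category is inserted directly after `release-notes/latest`, which after this patch holds the same January 2024 content as `release-notes/january-2024`, so the sidebar will list the January notes twice; if that is intended for a "latest" shortcut, fine, otherwise point `latest` at the generated index rather than a duplicate page.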