Introducing Semgrep Fix Rate
A major new Semgrep App release adds fix rate: it measures whether developers actually fix the issues Semgrep reports. Log in to see what your fix rate looks like, and read our co-founder Luke’s blog post on whether it’s a good idea to ban random(). We’ve also added a setup button that makes it much faster to add Semgrep to many projects.
⬆️ Upgrade to Semgrep v0.39.1
New in Semgrep CLI:
- Homebrew: $ brew upgrade semgrep
- PyPI: $ python -m pip install --upgrade semgrep
- Docker: $ docker pull returntocorp/semgrep:latest
Note: please update your CLI to v0.39.1 to get the latest and greatest! You can watch for releases here.
- TypeScript and Ruby moved from beta to full (GA) support!
- Improved intraprocedural dataflow: see a live example
- pattern-not-regex to filter findings using a regular expression
- Typed metavariables can now match field access when Semgrep can propagate a field’s type
- Constant propagation for Java final fields (using this.field syntax)
- Experimental Semgrep rule (meta)linter
🧰 Executable XSS cheat sheets
Run these to check for code patterns of potential XSS (cross-site scripting) in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in these cheat sheets (for Django, Flask, Java/JSP, and Ruby on Rails) give developers a safe path that reduces the possibility of XSS in your code.
Get the cheat sheets →
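As an added example (not taken from the cheat sheets or the release notes above), here is a hypothetical rule that ties the Flask cheat sheet to the new pattern-not-regex operator: it flags flask.Markup() called on anything other than a string literal, and uses pattern-not-regex to drop matches whose text already runs the value through an escape() call. The rule id, message, and the escape() naming convention are assumptions.

```yaml
rules:
  - id: flask-markup-on-untrusted-input   # hypothetical rule id
    languages: [python]
    severity: WARNING
    message: >-
      Markup() marks its argument as safe HTML and bypasses Jinja2
      autoescaping. Escape untrusted data first, e.g. Markup(escape(value)).
    patterns:
      # Match Markup(...) whether it is imported from flask or markupsafe.
      - pattern-either:
          - pattern: flask.Markup($X)
          - pattern: markupsafe.Markup($X)
      # A constant string written by the developer is not attacker-controlled.
      - pattern-not: flask.Markup("...")
      - pattern-not: markupsafe.Markup("...")
      # New in v0.39.1: filter out matches whose source text contains an
      # escape( call, e.g. Markup(escape(name)) or Markup(Markup.escape(name)).
      # The regex is applied to the text of the match, not the whole file.
      - pattern-not-regex: 'escape\('
```

Save it as a rule file and run `semgrep --config <rule file> <path>` against a Flask project; `Markup(request.args["q"])` is reported, while `Markup("<b>static</b>")` and `Markup(escape(user_input))` are not.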
🛡 Appsec Development: Keeping it together at scale
Clint Gibler (r2c) and Jacob Salassi (Snowflake) share tons of details, actionable insights, and a few spot-on memes in this article on threat modeling.
Read the post →
🧯 A short lesson from Huawei’s source code
If developers don’t believe in code hardening ideas, things can go wrong in amusing ways. Isaac Evans, r2c’s CEO, illustrates this through the lens of a review of Huawei source code.
Read the post →
Got a question? Want to chat about Semgrep patterns, writing rules, or how to enforce code standards in your organization? Join the r2c Community Slack to say “hi” or ask questions — there’s a friendly and active community ready to help 🤗!
The r2c team