🫶 🫡 🫡 🫡 see you in the arena: https://lnkd.in/dJeszvVf
Opengrep
Software Development
The open-source code security engine. Make secure software development a shared standard for all.
About us
- Website: https://opengrep.dev/
- Industry: Software Development
- Company size: 1 employee
- Type: Nonprofit
Updates
Opengrep reposted this
There are 2 new Opengrep releases this week, full of improvements as well as some annoying bug fixes. Highlights below 👇
• support for PHP lambdas (arrow functions)
• improvements in PHP parsing
• better parsing of template strings in Kotlin
• fix for a concurrency 🐞 bug that caused deadlocks, and could be responsible for some reports of "forever" scans
• faster scanning when logs are on; some are on by default, so performance should be improved for all users ⚡ ⚡ ⚡
• 🐞 bug fix for Windows: in some cases .semgrepignore was ignored, and a lot of files in normally excluded directories like vendor/ were scanned, leading to big slowdowns 😅
We ship every week, try out the engine, submit a PR, you know the drill: https://lnkd.in/dBu8YJ6A
2 new releases this week ⚡ Here's what shipped in Opengrep 1.1.3 & 1.1.4:
• better parsing of template strings in Kotlin
• improvements in PHP parsing
• support for PHP lambdas (arrow functions)
• faster scanning when logs are on; some are on by default, so performance should be improved for all users
And some 🐞 fixes:
• fix for a concurrency bug that caused deadlocks, and could be responsible for some reports of "forever" scans
• bug fix for Windows: in some cases .semgrepignore was ignored, and a lot of files in normally excluded directories like vendor/ were scanned, leading to big slowdowns
See you next week 🫡
openMITRE 👀
Is this the time for an openMITRE? The CWE and CVE databases are cornerstones of the AppSec world. It's what allows companies like ours, practitioners and researchers to have a common way of dealing with threats. With the unconfirmed news that support for MITRE might be ending, we as a security community need to come together on this. Who's in?
Say "tree-sitter context" 5 times fast
Aside from restored #elixir support in Opengrep, this is our favorite new feature released this week: Opengrep added a new flag `--output-enclosing-context` that can be added to the `scan` command, which adds information about the surrounding context of the matched fragments of code, such as the enclosing function and/or class in which the match occurs.
This is useful for many reasons. One such unobvious case is fingerprinting, which can be challenging. As code changes can happen in arbitrary ways, being able to relate fingerprints on changing code is hard... While not directly relevant, this can help the fingerprinting challenge: as it exposes the surrounding context in findings, you can see that a finding is in the same context irrespective of location.
Try it out: `opengrep scan --experimental --output-enclosing-context --json -c <rules> <code>`
Since our first official release, v1.0.0, we made a number of improvements, incl. restoring functionality & introducing brand new features. Highlights:
✅ We brought back Elixir support 🔥 (restored feature), with some improvements when parsing ellipsis
✅ We now publish ARM binaries for Linux (new feature)
✅ We improved the parsing of verbatim strings and raw string literals in C#
✅ We added a new flag `--output-enclosing-context` that can be added to the `scan` command, which adds information about the surrounding context of the matched fragments of code, such as the enclosing function and/or class in which the match occurs, irrespective of location! (new feature)
Try it out: `opengrep scan --experimental --output-enclosing-context --json -c <rules> <code>`
We ship every week. Stay tuned for more updates. In the meantime, open an issue on /opengrep or submit a PR – we review asap and merge on merit. See you next week 🫡
#cybersecurity #devsecops #opengrep #sast
Opengrep reposted this
In open source #SAST news: Opengrep has restored fingerprint and metavariable support in JSON and SARIF outputs, addressing a major gap in Semgrep CE for CI/CD security workflows. https://lnkd.in/eQFG8NdW
Semgrep CE removed fingerprinting – we restored it. Fingerprint & metavariable fields are now back in Opengrep, in JSON & SARIF outputs.
• For security scanning, CI/CD workflows, and automation, these fields help prioritize, track, and understand issues more effectively.
• Semgrep CE still has SARIF – that "works" but lacks issue tracking, deduplication, and detailed context, making security scanning less efficient.
Next: Code changes can happen in arbitrary ways, so being able to relate fingerprints on changing code is hard. We are now preparing to release a new feature (#103), to expose the surrounding context in findings, for example which class or module contains each finding. This will improve fingerprint tracking significantly. Stay tuned 👍
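The two posts above (the `--output-enclosing-context` flag, and fingerprint tracking across code changes) describe the same problem: a finding keyed on rule + file + line "disappears" and "reappears" whenever code moves. The script below is an added example, not Opengrep project code, showing how to build a location-independent fingerprint from the metavariable bindings and the enclosing-context data in JSON output. The two result documents are constructed to look like `opengrep scan --json` output; the `enclosing_context` field name and its `kind`/`name` item shape are an assumption about what the flag emits, not the real schema, so adapt `enclosing_names()` to the fields you actually see.

```python
import hashlib
import json

# Constructed sample output shaped like `opengrep scan --json` (only the fields
# used below are included). The `enclosing_context` list and its item shape
# are an ASSUMPTION about what --output-enclosing-context emits; change
# enclosing_names() if the real field differs.
BEFORE = json.loads(r'''
{"results": [
  {"check_id": "php.lang.security.eval-use", "path": "src/Handler.php",
   "start": {"line": 12, "col": 9}, "end": {"line": 12, "col": 21},
   "extra": {"lines": "        eval($code);",
             "metavars": {"$CODE": {"abstract_content": "$code"}},
             "enclosing_context": [{"kind": "class", "name": "Handler"},
                                   {"kind": "method", "name": "run"}]}}
]}
''')

# Same file after a refactor: 20 lines of imports and helpers were inserted
# above Handler::run, so the old match moved from line 12 to line 32, and a
# genuinely new eval() appeared in a free function render().
AFTER = json.loads(r'''
{"results": [
  {"check_id": "php.lang.security.eval-use", "path": "src/Handler.php",
   "start": {"line": 32, "col": 9}, "end": {"line": 32, "col": 21},
   "extra": {"lines": "        eval($code);",
             "metavars": {"$CODE": {"abstract_content": "$code"}},
             "enclosing_context": [{"kind": "class", "name": "Handler"},
                                   {"kind": "method", "name": "run"}]}},
  {"check_id": "php.lang.security.eval-use", "path": "src/Handler.php",
   "start": {"line": 41, "col": 5}, "end": {"line": 41, "col": 20},
   "extra": {"lines": "    eval($payload);",
             "metavars": {"$CODE": {"abstract_content": "$payload"}},
             "enclosing_context": [{"kind": "function", "name": "render"}]}}
]}
''')


def enclosing_names(result):
    """Scope chain of a finding as 'kind:name' strings, outermost first."""
    ctx = result["extra"].get("enclosing_context", [])
    return tuple(f'{c["kind"]}:{c["name"]}' for c in ctx)


def stable_fingerprint(result):
    """Hash of what the finding *is* (rule, file, scope chain, matched code,
    metavariable bindings) with no line or column in it, so it survives code
    moving within the file. Whitespace is collapsed so re-indentation does
    not change the hash either."""
    parts = [
        result["check_id"],
        result["path"],
        "/".join(enclosing_names(result)),
        " ".join(result["extra"]["lines"].split()),
    ]
    for name, mv in sorted(result["extra"].get("metavars", {}).items()):
        parts.append(f"{name}={mv['abstract_content']}")
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


def location_key(result):
    """The naive identity: rule + file + start line. Breaks as soon as code moves."""
    return f'{result["check_id"]}|{result["path"]}|{result["start"]["line"]}'


def triage(before, after, key):
    """Classify findings in `after` against `before`, using `key` as identity."""
    old = {key(r) for r in before["results"]}
    new = {key(r) for r in after["results"]}
    return {
        "persisted": len(old & new),
        "new": len(new - old),
        "resolved": len(old - new),
    }


if __name__ == "__main__":
    for label, key in (("by location", location_key),
                       ("by stable fingerprint", stable_fingerprint)):
        print(f"{label:>22}: {triage(BEFORE, AFTER, key)}")
```

Keyed by location, the refactor looks like one finding resolved and two new ones, which is exactly the churn that makes a CI baseline useless; keyed by the stable fingerprint, the moved `eval($code)` is recognised as the same finding and only the new `eval($payload)` in `render()` is reported as new. In a real pipeline you would store the stable fingerprint alongside the line so that the scan still points at the current location while the identity stays put.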
FYI: We ship every week. Follow along the public roadmap: /opengrep/issues
We weighed requests from community & orgs; most are aligned. Everyone wants an OSS engine that has:
- cross-function analysis
- inter-file analysis
- more & better language support
- advanced features
So that's what we're building. What's shipped so far:
✅ windows compatibility (beta)
✅ fingerprints & metavariables restored (SARIF & JSON)
✅ desktop app for rule crafting
⏭️ elixir support
⏭️ cross-function analysis
⌛ Inter-file (language by language)...
Link to the public roadmap session below. Everything is open on GitHub issues.