TL;DR
- Significant performance gains for Semgrep Pro interfile taint analysis (20-40%).
- Parallel processing for taint configs, speeding up interfile scans.
- Updated system requirements for Linux binaries (glibc >=2.35).
Key Changes
Semgrep v1.158.0 introduces notable updates focusing on performance, system compatibility, and bug fixes.
New Features & Performance:
The release significantly boosts performance for interfile scans. Taint config computation, a major part of semgrep-core time, now runs in parallel, improving efficiency. Semgrep Pro users will see a redesigned interfile engine, offering an estimated 20-40% performance improvement in taint analysis. This redesign might subtly change how findings are generated, potentially yielding more true positives or fewer false positives. A new supply chain hook is also available for the Semgrep Plugin.
System Compatibility Updates:
semgrep-core binaries for macOS, manylinux, and musllinux are now dynamically linked. For the manylinux binaries this introduces a minimum glibc requirement of 2.35, which rules out distributions such as Ubuntu <22.04 and Debian <12. Users on those older Linux distributions will need to upgrade their OS to meet the new dependency. The corresponding PyPI wheels are now tagged to reflect these glibc and musl libc requirements.
Fixes:
Several issues have been addressed, including IDE login problems where network errors incorrectly cleared saved tokens. SARIF taint trace output is improved, now using correct file URIs and including full taint sink call traces. The --x-mem-policy flag now correctly propagates to RPC subprocesses, resolving memory tuning issues for dependency resolution.
For full details, refer to the official changelog.
Impact for QA Teams
QA teams can expect faster security scan feedback, especially when using Semgrep Pro in CI/CD pipelines, enabling quicker identification of potential vulnerabilities. The redesigned taint analysis may provide more accurate findings, reducing time spent on false positives. However, Linux users should verify their OS glibc version to avoid compatibility issues with new binaries.
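The glibc check that the compatibility section and the QA note above call for, as an added example that is not Semgrep's own tooling: the 2.35 threshold is the one stated on this page, and the script assumes the standard output formats of `getconf GNU_LIBC_VERSION` and `ldd --version`.

```shell
#!/bin/sh
# Added example, not Semgrep's own tooling: verify that a glibc-based Linux
# host satisfies the glibc >= 2.35 minimum that the manylinux semgrep-core
# binaries in v1.158.0 require, before installing or upgrading Semgrep.
MIN_GLIBC="2.35"

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# Only major.minor are compared, which is all glibc versioning uses.
version_ge() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
  [ "$a_major" -gt "$b_major" ] && return 0
  [ "$a_major" -lt "$b_major" ] && return 1
  [ "$a_minor" -ge "$b_minor" ]
}

# check_glibc RAW: RAW is the output of `getconf GNU_LIBC_VERSION` ("glibc 2.35")
# or of `ldd --version` ("ldd (GNU libc) 2.35"); in both forms the version is
# the last field of the first line. Exit 0 if supported, 1 if too old, 2 if no
# version could be parsed (e.g. a musl host, which uses the separate musllinux
# build and is not covered by this check).
check_glibc() {
  ver=$(printf '%s\n' "$1" | head -n 1 | awk '{print $NF}')
  case "$ver" in
    [0-9]*.[0-9]*) ;;
    *) echo "could not parse a glibc version from: $1" >&2; return 2 ;;
  esac
  if version_ge "$ver" "$MIN_GLIBC"; then
    echo "glibc $ver >= $MIN_GLIBC: manylinux semgrep-core binary is supported"
  else
    echo "glibc $ver < $MIN_GLIBC: upgrade the OS before installing Semgrep v1.158.0" >&2
    return 1
  fi
}

# Run against this host: sh check_glibc.sh --run
if [ "${1:-}" = "--run" ]; then
  check_glibc "$(getconf GNU_LIBC_VERSION 2>/dev/null || ldd --version 2>/dev/null)"
fi
```

Drop it into the CI job that installs Semgrep so an unsupported runner fails fast with a clear message instead of a loader error from the binary.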
