January 2025 release notes

docs/release-notes/january-2025.md

@@ -0,0 +1,134 @@
+---
+slug: january-2025
+title: January 2025
+hide_title: true
+description: >-
+ Release notes include the changes, fixes, and additions in specific versions of Semgrep.
+tags:
+ - Release notes
+---
+
+# Semgrep release notes for January 2025
+
+<!-- Remember to update latest endpoint -->
+<!-- Remember to update index page -->
+
+
+## 🌐 Semgrep AppSec Platform
+
+- The **Policy Management API** is now generally available. The Policy Management API allows you to automate tasks such as:
+  - Add, update, and disable rules across multiple policies.
+  - Apply rules in different modes, such as monitor, comment, block, or disable, to align with security workflows.
+  - Integrate policy management into CI/CD pipelines to ensure consistent enforcement during software development.
+- **Semgrep Managed Scans:**
+  - Managed scans for repositories hosted by **Azure DevOps** is now in public beta.
+  - GitHub users can turn on or off full scans and diff-aware scans for individual projects scanned by Semgrep Managed Scans.
+- **Jira:** added the ability to map the **Team** information back to Semgrep.  
+- Org admins can now invite new users to Semgrep by email. Invited users receive an email with instructions on how to join the organization's Semgrep account.
+- Added pagination to the **Settings > Access > Members** page, as well as the ability to search for members.
+
+## Changed
+
+- The **search bar** in the **Projects** page now loads faster.  <!-- 18697 -->
+- Links to the **Project Settings** and **Scans** pages now use project IDs instead of project names. Existing links using project names continue to function normally.
+
+## Fixed
+
+- Fixed an issue where commands not prefixed with `/semgrep` or `/` weren't correctly handled.
+- Fixed an issue where reports generated by Semgrep AppSec Platform weren't correctly displaying the age of findings.
+- Fixed an issue where the first page of Bitbucket Data Center repositories wasn't displayed.
+- Fixed the formatting of Bitbucket Cloud PR comments.
+
+## 💻 Semgrep Code
+
+### Added
+
+- Added support for lambdas (anonymous functions) as callbacks. This is supported for all languages that have lambdas.
+  ```javascript
+    var tainted = source();
+
+    function withCallback1(val, callback) {
+        if (val) {
+            callback(val);
+      }
+    }
+
+    withCallback1(tainted, function (val) {
+        sink(val); // finding !
+    });
+  ```
+
+### Changed
+
+- Removed **pip** from the Semgrep Docker image. If necessary, you can install it by running `apk add py3-pip`.
+
+### Fixed
+
+- The `semgrep test` and `semgrep validate` commands have been correctly documented as **EXPERIMENTAL** in `semgrep --help`.
+  - Those commands are not GA. It is recommended to use the `semgrep scan --test` and `semgrep scan --validate`.
+- Improve error handling for capabilities ancillary to a scan, such as looking for `nosemgrep` comments and rendering autofixes, to reduce the likelihood of an unexpected error in such a component causing the scan to error.
+- Fix the behavior of Semgrep when running into broken symlinks. If such a path is passed explicitly as a scanning root on the command line, it results in an error. Otherwise, if it's a file discovered while scanning the file system, it's a warning.
+- Fixed an issue with crashes due to an exception in `lines_of_file`. The code should now be more robust and not stop the whole scan when an out-of-bound line access happens during `nosemgrep` analysis or when displaying the lines of a match.
+
+## ⛓️ Semgrep Supply Chain
+
+### Added
+
+<!-- Dependency graphs? -->
+- [Dependency Paths](/semgrep-supply-chain/dependency-search#view-the-dependency-path) are now available for the following languages and package managers:
+  - **JavaScript**: all package managers are supported by Semgrep.
+  - **Python**: Only Poetry is supported.
+- **C#**: Semgrep can now scan NuGet codebases without the need for a lockfile. This feature is in **private beta**. See also [Scan a project without lockfiles](/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta). Reach out to [<i class="fa-regular fa-envelope"></i> [email protected]](mailto:[email protected]) to join the beta program.
+- Semgrep now ingests CVE information from [<i class="fas fa-external-link fa-xs"></i> Electron release notes](https://releases.electronjs.org/releases/stable). This information is used to generate rules that can detect if you're affected by CVEs from this source.
+
+### Changed
+
+- Semgrep Supply Chain [Policies](/semgrep-supply-chain/policies) are now in public beta. Creating a policy enables you to:
+  - Customize when Semgrep sends a finding as a PR or MR comment or fails the CI job.
+  - Customize the projects and conditions that send a comment or fail a CI job.
+
+### Fixed
+
+- Fixed bug where Supply Chain diff-aware scans of `package-lock.json` v2 projects incorrectly produced non-new findings.
+
+## 🤖 Semgrep Assistant 
+
+### Added
+
+- **Noise filtering** is now in public beta. With Noise Filtering, Assistant evaluates each Semgrep Code finding to determine if it's a true positive using additional context and prevents a PR comment from being posted in the developer workflow if it's not.
+- **Auto-triage Memories** is now in public beta. With this feature, you can identify findings that are safe to ignore and write triage notes indicating why this is so. Assistant then stores this information as a memory and uses it to assess whether similar findings are shown to developers in the future. Assistant also takes that memory, reanalyzes similar findings in your backlog, and suggests issues that may be safe to close.
+
+## 📝 Documentation and knowledge base
+
+### Added 
+- Added the following new documents, articles, and sections:
+  - Set up [Semgrep Managed Scans with Azure DevOps](/deployment/managed-scanning/azure).
+  - [Semgrep for developers](/for-developers/overview), a new series of documents that aims to:
+    - Help AppSec engineers educate developers about Semgrep and secure coding.
+    - Inform developers of how to resolve Semgrep findings in various environments, such as their pull requests or merge requests.
+  - [Semgrep Assistant metrics](/semgrep-assistant/metrics), which explains how Assistant's metrics and benchmarks are analyzed.
+  - [SAML single-sign on with Google Workspace](/kb/semgrep-appsec-platform/saml-google-workspace).
+  - [Reference for Semgrepignore v2](/semgrepignore-v2-reference).
+  - [Customize semgrep in `pre-commit`](/kb/integrations/customize-semgrep-precommit).
+- Minor additions and updates:
+  - Added instructions to remove projects scanned with Semgrep Managed Scans.
+- Major updates have been made to the following documentation:
+  - [Supported languages](/supported-languages) now provides a summary table for both Code and Supply Chain features for each language.
+- Thanks to [savq](https://github.com/savq) for their improvements to Semgrep's contributing documentation.
+
+### Changed
+
+- Clarified language around manifest files and lockfiles.
+- Updated Semgrep rules licensing documentation.
+
+### Removed
+
+- Removed references to the asdf-semgrep plugin.
+
+## 🔧 Semgrep Community Edition (CE)
+
+* The following versions of Semgrep CE were released in January 2025:
+
+  - [<i class="fas fa-external-link fa-xs"></i> 1.102.0](https://github.com/semgrep/semgrep/releases/tag/v1.102.0) 
+  - [<i class="fas fa-external-link fa-xs"></i> 1.103.0](https://github.com/semgrep/semgrep/releases/tag/v1.103.0)
+  - [<i class="fas fa-external-link fa-xs"></i> 1.104.0](https://github.com/semgrep/semgrep/releases/tag/v1.104.0)

docs/semgrep-supply-chain/dependency-search.md

@@ -105,12 +105,12 @@ Semgrep generates dependency paths for JavaScript projects that utilize `pnpm` a
 
 Semgrep generates dependency paths for Python projects that utilize `poetry` and include a `poetry.lock` file whenever you invoke a scan using `semgrep ci`.
 
-### View the dependency graph
+### View the dependency path
 
-Once the scan completes, view the dependency graph in Semgrep AppSec Platform on:
+Once the scan completes, view the dependency path in Semgrep AppSec Platform on:
 
 - The **Finding Details** page for a transitive finding
-- The **Supply Chain > Dependencies** tab when you view a transitive dependency; click **Transitive** to launch the dependency graph
+- The **Supply Chain > Dependencies** tab when you view a transitive dependency; click **Transitive** to launch the dependency path
 
 ![Supply Chain dependency graph](/img/ssc-dependency-graph.png#md-width)
 _**Figure**. Supply Chain findings with a dependency graph shown._

docs/semgrep-supply-chain/policies.md

@@ -24,7 +24,7 @@ You can create as many policies as you need.
 
 ## Feature maturity
 
-The Supply Chain policies feature is in **private beta**. To apply to this beta, reach out to [<i class="fa-regular fa-envelope"></i> [email protected]](mailto:[email protected]).
+The Supply Chain policies feature is in **public beta**. To apply to this beta, reach out to [<i class="fa-regular fa-envelope"></i> [email protected]](mailto:[email protected]).
 
 ## Prerequisites
 

sidebars.js

@@ -669,6 +669,18 @@ module.exports = {
         link: {type: 'doc', id: 'release-notes/introduction'},
         items: [
             'release-notes/latest',
+            {
+              type: 'category',
+              label: '2025',
+              collapsible: true,
+                link: {
+                    type: 'generated-index',
+                    title: '2024 Release notes'
+                },
+                items: [
+                  'release-notes/january-2025',
+                ],
+            },
             {
               type: 'category',
               label: '2024',