[TEC-515] Supported languages

docs/cheat-sheets/overview.md

@@ -17,7 +17,7 @@ import CardImage from '@site/src/components/Card/CardImage'
 
 Semgrep **cheat sheets** serve as security reference guides with programming language–specific examples. They are designed to help you mitigate common risks in popular libraries and frameworks while ensuring secure practices in your source code.
 
-See [Supported Languages](/docs/supported-languages) for the complete set of languages and [package managers](/docs/supported-languages#package-manager-support) supported by Semgrep.
+See [Supported Languages](/docs/supported-languages) for the complete set of languages and [package managers](/semgrep-supply-chain/sca-package-manager-support) supported by Semgrep.
 
 <div class = "col-1-fixed">
   <Card className={'card-50'} link='/docs/category/go'>

docs/learn/security-foundations/supply-chain-security.md

@@ -68,7 +68,7 @@ Even if your dependencies are safe, if you fetch them over insecure channels, or
 - PyPi for Python
 - RubyGems for Ruby
 - Packagist for PHP
-- and [many more](/docs/supported-languages#package-manager-support)
+- and [many more](/semgrep-supply-chain/sca-package-manager-support)
 
 ## Detect and prioritize supply chain issues
 

docs/references/feature-definitions.md

@@ -0,0 +1,31 @@
+---
+slug: feature-definitions
+append_help_link: true
+title: Feature definitions
+hide_title: true
+description: Definitions for Semgrep Code and Supply Chain analysis features.
+tags:
+  - Reference
+---
+
+import DefCrossFile from "/src/components/concept/_def-cross-file.mdx"
+import DefCrossFunction from "/src/components/concept/_def-cross-function.mdx"
+import DefReachability from "/src/components/concept/_def-reachability.md"
+
+# Feature definitions
+
+Use these definitions to understand the analysis features referenced in the [Supported languages](/docs/supported-languages) page.
+
+## Cross-file dataflow analysis
+
+<DefCrossFile />
+
+Languages with cross-file support also include cross-function support.
+
+## Cross-function dataflow analysis
+
+<DefCrossFunction />
+
+## Reachability analysis
+
+<DefReachability />

docs/references/language-maturity-levels.md

@@ -0,0 +1,60 @@
+---
+slug: language-maturity-levels
+append_help_link: true
+title: Language maturity levels
+hide_title: true
+description: Definitions for language maturity levels across Semgrep products.
+tags:
+  - Reference
+---
+
+import LanguageMaturityCode from '/src/components/reference/_language-maturity-code.md'
+
+# Language maturity levels
+
+Use these definitions to understand the maturity levels shown on the [Supported languages](/docs/supported-languages) page.
+
+## Semgrep Code
+
+Semgrep Code languages can be classified into four maturity levels:
+
+- Generally available (GA)
+- Beta
+- Experimental
+- Community supported\*
+
+\*Community supported languages meet the parse rate and syntax requirements of
+**Experimental** languages. Users can still access community rules or write their
+own rules.
+
+<LanguageMaturityCode />
+
+## Semgrep Supply Chain
+
+Semgrep Supply Chain has two language maturity levels:
+
+- Generally available
+- Beta
+
+<table>
+  <tr>
+    <td><strong>Feature</strong></td>
+    <td><strong>Generally available</strong></td>
+    <td><strong>Beta</strong></td>
+  </tr>
+  <tr>
+    <td>Number of reachability rules</td>
+    <td>As defined by <a href="/semgrep-supply-chain/sca-feature-support#cve-coverage">CVE coverage</a>.</td>
+    <td>All critical severity CVEs from <a href="/semgrep-supply-chain/sca-feature-support#supported-sources">supported sources</a> starting 2022 onwards, for packages used by customers with an active, paid subscription.</td>
+  </tr>
+  <tr>
+    <td>Semgrep, Inc. rule-writing support</td>
+    <td>Quickly support CVE coverage with reachability analysis for all critical and high vulnerabilities based on the latest <a href="https://nvd.nist.gov/vuln">security advisories</a>.</td>
+    <td>Coverage for CVEs but without reachability analysis.</td>
+  </tr>
+  <tr>
+    <td>Semgrep Community Edition (CE) <a href='/supported-languages#semgrep-oss-language-support'>language support</a></td>
+    <td>Semgrep CE support is GA.</td>
+    <td>Semgrep CE support is at least Beta.</td>
+  </tr>
+</table>

docs/semgrep-code/overview.md

@@ -11,6 +11,7 @@ tags:
 
 
 import SemgrepScan from "/src/components/concept/_semgrep-scan.mdx"
+import SupportedLanguagesTable from '/src/components/reference/_supported-languages-table.mdx'
 
 # Semgrep Code overview
 
@@ -35,6 +36,17 @@ Semgrep AppSec Platform displays Semgrep Code's findings. Additionally, the plat
 * Customize how Semgrep Code scans your repositories
 * Manage your users and facilitate team collaboration in remediating security issues
 
+## Language support and integrations
+
+Semgrep Code supports a broad set of programming languages, with varying levels of analysis capabilities and language maturity. 
+
+* See the full list of [supported programming languages](/docs/supported-languages)
+* For definitions of language maturity levels, visit the [Language maturity levels](/references/language-maturity-levels) page.
+* For analysis terminology, see [Feature definitions](/references/feature-definitions).
+* For a list of supported source code managers (SCM), visit [Supported source code managers](/getting-started/scm-support) or learn how to [Connect a source code manager](/deployment/connect-scm).
+
+
+
 ## Semgrep Community Edition (CE) versus Semgrep Code analysis
 
 By default, Semgrep Code can analyze interactions beyond a single function but within a single file, a process known as **cross-function or interprocedural analysis**. This smaller scope of analysis makes it faster and easier to integrate into developer workflows.

docs/semgrep-supply-chain/feature-support.md

@@ -0,0 +1,155 @@
+---
+slug: sca-feature-support
+append_help_link: true
+title: Feature support
+hide_title: true
+description: Feature coverage for Semgrep Supply Chain across supported languages.
+tags:
+  - Semgrep Supply Chain
+---
+
+import SscIntro from "/src/components/concept/_ssc-intro.md"
+
+# Supply Chain feature support
+
+<SscIntro/>
+For projects with lockfiles, Semgrep parses lockfiles for dependencies, then scans your codebase for reachable findings based on the lockfiles. For a lockfile to be scanned by Semgrep Supply Chain, it must have one of the supported lockfile names.
+
+For some languages, a lockfile or manifest file is parsed to determine [transitivity](/semgrep-supply-chain/glossary/#transitive-or-indirect-dependency). See [Transitive dependencies and reachability analysis](/semgrep-supply-chain/overview/#transitive-dependencies-and-reachability-analysis) for more information.
+
+Additionally, Semgrep offers beta support for the scanning of projects written in the following languages **without lockfiles**:
+
+- C#
+- Java
+- Kotlin
+- Python
+- Ruby
+
+## Supply Chain features for each language
+<!-- *************************************************************************
+ARE YOU EDITING THE SUPPORTED LANGUAGES IN ANY WAY? ADDING A FEATURE? ETC?
+
+Don't forget to update:
+- table at Semgrep CE vs Semgrep
+- the individual language's page
+- and most importantly, the index!!
+*************************************************************************** -->
+
+The following table lists all Supply Chain features for each language. Languages with **reachability** support are listed first.
+
+<table>
+<thead>
+<tr>
+<th>Language</th>
+<th align="center">Reachability<br />(see <a href="#cve-coverage">CVE coverage</a>)</th>
+<th><a href="/docs/semgrep-supply-chain/getting-started#scan-a-project-without-lockfiles-beta">Scan without lockfiles (beta)</a></th>
+<th>License detection</th>
+<th>Malicious dependency<br />detection</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>C#</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+</tr>
+<tr>
+<td>Go</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+</tr>
+<tr>
+<td>Java</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+</tr>
+<tr>
+<td>JavaScript or TypeScript</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+</tr>
+<tr>
+<td>Kotlin</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+</tr>
+<tr>
+<td>Python</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+<td align="center">✅<br /> For PyPi only</td>
+<td align="center">✅</td>
+</tr>
+<tr>
+<td>Ruby</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+</tr>
+<tr>
+<td>Scala</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+</tr>
+<tr>
+<td>Swift</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+<td align="center">✅†</td>
+<td align="center">--</td>
+</tr>
+<tr>
+<td>PHP</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+<td align="center">✅</td>
+<td align="center">--</td>
+</tr>
+<tr>
+<td>Rust</td>
+<td align="center" width="180px" rowspan="3">No reachability analysis. However, Semgrep can compare a package's version against a list of versions with known vulnerabilities.</td>
+<td align="center">--</td>
+<td align="center">✅</td>
+<td align="center">✅</td>
+</tr>
+<tr>
+<td>Dart</td>
+<td align="center">--</td>
+<td align="center">--</td>
+<td align="center">--</td>
+</tr>
+<tr>
+<td>Elixir</td>
+<td align="center">--</td>
+<td align="center">--</td>
+<td align="center">--</td>
+</tr>
+</tbody>
+</table>
+
+
+_<strong>†</strong>License detection for new packages is asynchronous and processed after the initial scan. Policies aren't applied on first detection, but are enforced in subsequent scans._
+
+## CVE coverage
+
+For customers with an active paid subscription, Semgrep’s reachability analysis
+covers all **critical and high severity** CVEs from [supported sources](#supported-sources)
+starting in 2017 across all supported languages.
+
+### Supported sources
+
+- [<i class="fas fa-external-link fa-xs" /> Reviewed GitHub Security Advisories](https://github.com/advisories?query=type%3Areviewed)
+- [<i class="fas fa-external-link fa-xs" /> Electron release notes](https://releases.electronjs.org/releases/stable)

docs/semgrep-supply-chain/overview.md

@@ -53,6 +53,18 @@ However, some dependencies are vulnerable simply through their inclusion in a co
 
 Some package ecosystems allow the use of a transitive dependency as if it were a direct dependency. Though this feature is uncommon, Semgrep Supply Chain can scan for such usages and flag vulnerabilities in transitive dependencies as unreachable if not used directly.
 
+## Language support and integrations
+
+Semgrep Supply Chain supports a broad set of languages with varying feature coverage. 
+
+* See the full list of [supported programming languages](/supported-languages)
+* For a list of Semgrep-supported package managers for each language, see [Package manager support](/semgrep-supply-chain/sca-package-manager-support).
+* For feature support by language, see [Supply Chain feature support](/semgrep-supply-chain/sca-feature-support).
+* For definitions of language maturity levels, visit the [Language maturity levels](/docs/references/language-maturity-levels#semgrep-supply-chain) page.
+* For analysis terminology, see [Feature definitions](/docs/references/feature-definitions).
+* For a list of supported source code managers (SCM), visit [Supported source code managers](/getting-started/scm-support) or learn how to [Connect a source code manager](/docs/deployment/connect-scm).
+
+
 ## Software bill of materials
 
 Semgrep Supply Chain can [generate a software bill of materials (SBOM)](/semgrep-supply-chain/sbom), a complete inventory of your third-party or open source components, to assist you with your auditing procedures.