
chore(deps): update dependency semgrep to v1.94.0 #81

Merged: 1 commit merged into master from renovate/semgrep-1.x-lockfile on Oct 31, 2024

Conversation

renovate[bot] (Contributor) commented Sep 13, 2024

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| semgrep | 1.86.0 -> 1.94.0 | (badge) | (badge) | (badge) | (badge) |

Release Notes

returntocorp/semgrep (semgrep)

v1.94.0


Fixed
  • pro: taint-mode: Semgrep should no longer confuse a return in a lambda with
    a return in its enclosing function.

    E.g. In the example below the return value of foo is NOT tainted:

    function foo() {
        bar(() => taint);
        return ok;
    }

    (code-7657)
    
  • OCaml: matching will now recognize "local open" so that a pattern like
    Foo.bar ... will now correctly match code such as let open Foo in bar 1
    or Foo.(bar 1) in addition to the classic Foo.bar 1. (local_open)

  • Project files lacking sufficient read permissions are now skipped gracefully
    by semgrep. (saf-1598)

  • Semgrep will now print stderr and additional debugging info when semgrep-core
    exits with a fatal error code but still returns a json response (finishes
    scanning) (saf-1672)

  • semgrep ci should now correctly parse git logs to compute the set of contributors
    even if some authors have special characters in their names. (saf-1681)

v1.93.0


Added
  • Improved naming for Common JS module imports (require) in arbitrary
    expression contexts. Notably, in-line use of require should now be linked to
    the correct module. For instance, the pattern foo.bar should now match
    against require('foo').bar and taint is likewise similarly tracked. (code-7485)
  • Secrets: semgrep ci output now includes a list of all secrets rules which
    generated at least one blocking finding (similar to Code) (code-7663)
  • Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
  • Expanded support for pip requirement lockfiles is now available by default. Semgrep will now
    find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt).
    The existing experimental flag --enable-experimental-requirements is now deprecated and
    will be removed in a future release. (gh-2441)
Changed
  • Removed support for Vue. The tree-sitter grammar has not been updated in 3 years,
    no community rules were added, and semgrep-vue was causing linking conflicts
    when compiling semgrep under Windows, so it is simpler to remove support for Vue.
    In theory, extract mode could be a good substitute to parse Vue files. (vue)
Fixed
  • semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

v1.92.0


Added
  • Pro: taint-mode: Semgrep now has basic support to track taint through callbacks,
    when they lead to a sink, e.g.:

    function unsafe_callback(x) {
      sink(x); // finding here now !
    }
    
    function withCallback(val, callback) {
      callback(val);
    }
    
    withCallback(taint, unsafe_callback);

    (code-7476)
    
  • New subcommand dump-cst for tree-sitter languages available via semgrep show. This shows the concrete syntax tree for a given file. (code-7653)

  • Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)

  • Added support for the Move-on-sui language! (sui)

  • Pro-only: semgrep test now supports the --pro flag to not only use pro languages
    but also run the tests with the --pro-intrafile engine flag. If a finding
    is detected only by the pro engine, please use proruleid: instead of ruleid:
    and if an OSS finding is actually a false positive for the pro engine, please
    add the prook: to your test annotation. (test_pro)

Fixed
  • pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
    in the correct dependency order, potentially leading to FNs. (code-7649)

  • Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
    is not enabled. (grow-422)

  • semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)

  • Previously, semgrep failed when --trace-endpoint was specified but --trace was not.

    Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

v1.91.0


Added
  • Type inference in the Pro engine has been improved for class fields in
    TypeScript that are assigned a new instance but lack an explicit type
    definition. When no explicit type is provided for a class field, its type is
    inferred from the type of the expression assigned to it. For example, in the
    class definition class Foo { private readonly bar = new Bar(); }, the type of
    bar is inferred to be Bar. (code-7635)
  • Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)
Fixed
  • Address python rich.errors.LiveError where attempting to display multiple progress bars
    raises an exception as flagged in #10562. (grow-414)
  • C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
  • When a scan runs into an exception, the app is appropriately notified
    about the failure. Previously, in the app, it would seem to the user
    that the scan is still in progress. (sms-502)

v1.90.0


Added
  • Expanded support for requirement lockfiles. Semgrep will now find any *requirement*.txt
    file and lockfiles in a requirements folder (**/requirements/*.txt). This functionality
    will be gated behind the --enable-experimental-requirements CLI flag. (sc-1752)
Changed
  • Security update for code snippet storage & access methods. (gh-2038)
Fixed
  • Errors that occur in semgrep scans with jobs > 1 will now have more detail (SAF-1628)
  • Dockerfile matching: CMD $...ARGS now behaves like CMD ... and matches
    any CMD instruction that uses the array syntax such as CMD ["ls"]. This
    fix also applies to the other command-like instructions RUN
    and ENTRYPOINT. (gh-9726)
  • Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like
    Foo() will now be inferred properly to be of type Foo. (saf-1537)

v1.89.0


Fixed
  • Fix crash on certain SCA parse errors caused by an access to an unbound variable. (gh-2259)

v1.88.0


Added
  • The dataflow analysis in the Pro engine can now track method invocations on
    variables of an interface type, safely assuming that any implementation of the
    method can be called. For example, tainted input vulnerabilities in both
    implementation classes can now be detected in the following code:

    public interface MovieService {
      String vulnerableInjection(String input);
    }
    
    public class SimpleImpl implements MovieService {
      @Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }
    
    public class MoreImpl implements MovieService {
      @Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }
    
    public class AppController {
      private MovieService movieService;
    
      public String pwnTest(String taintedInput) {
        return movieService.vulnerableInjection(taintedInput);
      }
    }
    (code-7435)
  • Type inference for constructor parameter properties in TypeScript is now
    supported in the Pro engine. For example, the taint analysis can recognize that
    sampleFunction is defined in AbstractedService class in the following code:

    export class AppController {
        constructor(private readonly abstractedService: AbstractedService) {}
    
        async taintTest() {
            const src = source();
            await this.abstractedService.sampleFunction(src);
        }
    }
    (code-7597)
    
Changed
  • Include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. (gh-2033)

v1.87.0


Added
  • Semgrep now infers more accurate type information for class fields in
    TypeScript. This improves taint tracking for dependency injection in
    TypeScript, such as in the following example:

    export class AppController {
        private readonly abstractedService: AbstractedService;
    
        constructor(abstractedService: AbstractedService) {
            this.abstractedService = abstractedService;
        }
    
        async taintTest() {
            const src = taintedSource();
            await this.abstractedService.sinkInHere(src);
        }
    }
    (code-7591)
    
  • Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)

  • Added support for comparing Golang pre-release versions. With this, strict
    core versions, pseudo-versions and pre-release versions can all be
    compared to each other. (sc-1739)

Changed
  • If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
    now try to recover from it and continue the interfile analysis without falling back
    immediately to intrafile analysis. This allows using --max-memory with --pro in
    a more effective way. (flow-81)
  • Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)
Fixed
  • pro: taint-mode: Restore missing taint findings after having improved index-sensitivity:

    def foo(t):
        x = third_party_func(t)
        return x
    
    def test1():
        t = ("ok", taint)
        y = foo(t)
        sink(y) # now it's found!

    (code-7486)
    
  • The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
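The release notes above describe three things a team upgrading to 1.94.0 would want to verify in its own rule set: taint now flows through callbacks (v1.92.0), a return inside a lambda no longer taints the enclosing function (v1.94.0), and `semgrep test --pro` accepts `proruleid:` / `prook:` annotations for Pro-only behaviour (v1.92.0). The script below is an added example, not code from the PR or from the semgrep project. It writes a minimal taint rule and an annotated JavaScript fixture covering both behaviours, then runs them with `semgrep test --pro`. The file names and rule id are constructed, and the exact `semgrep test --config RULE TARGET` invocation is assumed from the subcommand named in the notes.

```shell
#!/bin/sh
# Added example (not from the PR or the semgrep project). Writes a taint rule and a
# JavaScript fixture annotated for `semgrep test --pro`, then runs them if semgrep
# is installed. File names, rule id and the test invocation are assumptions.
set -eu

# write_fixture DIR: create the rule file and the annotated test file under DIR
write_fixture() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/callback-taint.yaml" <<'EOF'
rules:
  - id: callback-taint
    mode: taint
    languages: [javascript]
    severity: ERROR
    message: Tainted value reaches sink()
    pattern-sources:
      - pattern: taint
    pattern-sinks:
      - pattern: sink(...)
EOF
  cat > "$dir/callback-taint.js" <<'EOF'
// Taint reaches sink() only via the callback, which the OSS engine does not
// follow, so the expected finding is marked proruleid rather than ruleid.
function unsafe_callback(x) {
  // proruleid: callback-taint
  sink(x);
}

function withCallback(val, callback) {
  callback(val);
}

withCallback(taint, unsafe_callback);

// The lambda's return must not be mistaken for foo's return (v1.94.0 fix),
// so foo() is clean and the sink call below must produce no finding.
function foo() {
  bar(() => taint);
  return ok;
}

// ok: callback-taint
sink(foo());
EOF
}

# fixture_has_annotation DIR KIND: succeeds if the JS fixture carries "// KIND: callback-taint"
fixture_has_annotation() {
  grep -q "// $2: callback-taint" "$1/callback-taint.js"
}

# run_fixture_tests DIR: run the annotated tests with the Pro engine when semgrep is on PATH
run_fixture_tests() {
  dir="$1"
  if command -v semgrep >/dev/null 2>&1; then
    semgrep test --pro --config "$dir/callback-taint.yaml" "$dir/callback-taint.js"
  else
    echo "semgrep not installed; fixture left in $dir" >&2
  fi
}

# Usage: write the fixture into a scratch directory and run the tests.
if [ "${1:-}" = "run" ]; then
  scratch=$(mktemp -d)
  write_fixture "$scratch"
  run_fixture_tests "$scratch"
fi
```

Keeping the Pro-only expectation as `proruleid:` rather than `ruleid:` means the same fixture passes under the OSS engine (where the callback flow is not reported) and under `--pro` (where it is), so the test does not break depending on which engine a CI job happens to use.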

@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from 8f94027 to 8a19ded Compare September 19, 2024 04:39
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.87.0 chore(deps): update dependency semgrep to v1.88.0 Sep 19, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from 8a19ded to 33f91fb Compare September 20, 2024 04:12
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.88.0 chore(deps): update dependency semgrep to v1.89.0 Sep 20, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from 33f91fb to d1cf0b6 Compare September 26, 2024 02:17
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.89.0 chore(deps): update dependency semgrep to v1.90.0 Sep 26, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from d1cf0b6 to 351e50e Compare October 11, 2024 08:07
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.90.0 chore(deps): update dependency semgrep to v1.91.0 Oct 11, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from 351e50e to ec5159c Compare October 17, 2024 15:00
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.91.0 chore(deps): update dependency semgrep to v1.92.0 Oct 17, 2024
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.92.0 chore(deps): update dependency semgrep to v1.93.0 Oct 23, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from ec5159c to 42b3080 Compare October 23, 2024 18:15
@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from 42b3080 to 58cdbe8 Compare October 31, 2024 02:26
@renovate renovate bot changed the title chore(deps): update dependency semgrep to v1.93.0 chore(deps): update dependency semgrep to v1.94.0 Oct 31, 2024
@Zebradil Zebradil merged commit 3e5466e into master Oct 31, 2024
6 checks passed
@Zebradil Zebradil deleted the renovate/semgrep-1.x-lockfile branch October 31, 2024 10:07