chore(deps): update dependency semgrep to v1.94.0 #81
This PR contains the following updates:
semgrep: `1.86.0` -> `1.94.0`
Release Notes
returntocorp/semgrep (semgrep)
v1.94.0

Fixed

- pro: taint-mode: Semgrep should no longer confuse a `return` in a lambda with a `return` in its enclosing function. E.g. in the example below the return value of `foo` is NOT tainted:
- OCaml: matching will now recognize "local open", so that a pattern like `Foo.bar ...` will now correctly match code such as `let open Foo in bar 1` or `Foo.(bar 1)` in addition to the classic `Foo.bar 1`. (local_open)
- Project files lacking sufficient read permissions are now skipped gracefully by semgrep. (saf-1598)
- Semgrep will now print stderr and additional debugging info when semgrep-core exits with a fatal error code but still returns a JSON response (finishes scanning). (saf-1672)
- `semgrep ci` should now parse git logs correctly to compute the set of contributors even if some authors have special characters in their names. (saf-1681)
v1.93.0

Added

- `require`) in arbitrary expression contexts. Notably, in-line use of `require` should now be linked to the correct module. For instance, the pattern `foo.bar` should now match against `require('foo').bar`, and taint is likewise tracked. (code-7485)
- `semgrep ci` output now includes a list of all secrets rules which generated at least one blocking finding (similar to Code). (code-7663)
- `--allow-dynamic-dependency-resolution` for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
- find any requirement.txt file and lockfiles in a requirements folder (`**/requirements/*.txt`). The existing experimental flag `--enable-experimental-requirements` is now deprecated and will be removed in a future release. (gh-2441)

Changed

- there were no community rules added and semgrep-vue is causing linking conflicts when compiling semgrep under Windows, so it is simpler to just remove support for Vue. In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed
v1.92.0

Added

- Pro: taint-mode: Semgrep now has basic support to track taint through callbacks, when they lead to a sink, e.g.:
- New subcommand `dump-cst` for tree-sitter languages, available via `semgrep show`. This shows the concrete syntax tree for a given file. (code-7653)
- Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9). (saf-1610)
- Added support for the Move-on-sui language! (sui)
- Pro-only: `semgrep test` now supports the `--pro` flag to not only use pro languages but also run the tests with the `--pro-intrafile` engine flag. If a finding is detected only by the pro engine, please use `proruleid:` instead of `ruleid:`, and if an OSS finding is actually a false positive for the pro engine, please add `prook:` to your test annotation. (test_pro)

Fixed

- pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed in the correct dependency order, potentially leading to FNs (false negatives). (code-7649)
- Display an ✘ instead of a ✔ in the scan status printout when scanning with Semgrep OSS code is not enabled. (grow-422)
- semgrep will no longer randomly segfault when `--trace` is on with `-j > 2`. (saf-1590)
- Previously, semgrep failed when `--trace-endpoint` was specified but `--trace` was not. This requirement is now relaxed: in that case, tracing is disabled, a warning is printed, and the scan continues. (sms-550)
v1.91.0

Added

- TypeScript that are assigned a new instance but lack an explicit type definition. When no explicit type is provided for a class field, its type is inferred from the type of the expression assigned to it. For example, in the class definition `class Foo { private readonly bar = new Bar(); }`, the type of `bar` is inferred to be `Bar`. (code-7635)

Fixed

- `rich.errors.LiveError` where attempting to display multiple progress bars raises an exception, as flagged in #10562. (grow-414)
- `-n` to sometimes not match code `-n`. (saf-1592)
- about the failure. Previously, in the app, it would seem to the user that the scan was still in progress. (sms-502)
v1.90.0

Added

- `*requirement*.txt` file and lockfiles in a requirements folder (`**/requirements/*.txt`). This functionality will be gated behind the `--enable-experimental-requirements` CLI flag. (sc-1752)

Changed

Fixed

- `CMD $...ARGS` now behaves like `CMD ...` and matches any CMD instruction that uses the array syntax, such as `CMD ["ls"]`. This fix also applies to the other command-like instructions RUN and ENTRYPOINT. (gh-9726)
- `Foo()` will now be inferred properly to be of type `Foo`. (saf-1537)

v1.89.0

Fixed
v1.88.0

Added

- The dataflow analysis in the Pro engine can now track method invocations on variables of an interface type, safely assuming that any implementation of the method can be called. For example, tainted input vulnerabilities in both implementation classes can now be detected in the following code:
- Type inference for constructor parameter properties in TypeScript is now supported in the Pro engine. For example, the taint analysis can recognize that `sampleFunction` is defined in the `AbstractedService` class in the following code:

Changed
v1.87.0

Added

- Semgrep now infers more accurate type information for class fields in TypeScript. This improves taint tracking for dependency injection in TypeScript, such as in the following example:
- Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)
- Added support for comparing Golang pre-release versions. With this, strict core versions, pseudo-versions and pre-release versions can all be compared to each other. (sc-1739)

Changed

- `--pro`) Semgrep will now try to recover from it and continue the interfile analysis without falling back immediately to intrafile analysis. This allows using `--max-memory` with `--pro` in a more effective way. (flow-81)

Fixed

- pro: taint-mode: Restore missing taint findings after having improved index-sensitivity:
- The Semgrep proprietary engine added a new entropy analyzer `entropy_v2` that supports strictness options. (gh-1641)

Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.