Update dependency semgrep to v1.100.0 #15
This PR contains the following updates:
semgrep: ==1.85.0 -> ==1.100.0
Release Notes
returntocorp/semgrep (semgrep)
v1.100.0
Compare Source
Added
arity and parameter types, e.g., `foo(x: Int, y: String)` vs. `foo(x: String, y: Int)`. (code-7870)
Changed
We are dropping support for Python 3.8 (python)
Fixed
pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
false negatives when a function updated an arbitrary index, e.g.:
Fixed bug affecting taint tracking through static fields when mixing accesses
using the class name and using an instance object, e.g.:
No more RPC error when using --sarif with some join-mode rules.
Moreover, regular rules without the 'languages:' field will be skipped
instead of aborting the whole scan. (gh-10723)
v1.99.0
Compare Source
Fixed
the spec and not use the RFC 3339.
Thanks to Elias Haeussler for the fix. (saf-1755)
v1.97.0
Compare Source
Added
project references. (code-7677)
addition to the existing resolution for interface method invocations, this
change further enhances dataflow tracking accuracy for dynamic method
invocations. (code-7750)
Fixed
disconnection). In some cases this would previously cause a fatal error, but we
should instead be able to recover in most instances (and now can). (code-7715)
(according to git) are now scanned correctly instead of being ignored. (saf-1687)
v1.96.0
Compare Source
Added
The pro engine now handles duplicate function names in C. When duplicate
functions are found, we assume that any of the duplicated functions could be
called. For example, if the function `foo` is defined in two different files, taint errors will be reported for both instances:
Changed
Fixed
of matches of sources/propagators/sanitizers/sinks within a function. (flow-83)
any gradle lockfile which did not start with a specific block comment. Now, semgrep will parse gradle
lockfiles correctly by ignoring the comment (allowing any or no comment at all to exist). (gh-10508)
the whole scan anymore (regression introduced in 1.94.0). The scan will
have an exit code of 0 instead of 2 (unless the user passed --strict in which
case it will exit with code 2). (incid-110)
unclosed braces on the same line. (saf-1667)
a character class starting with `[:` such as `[:a-z]`. (saf-1693)
semgrep scan: anchored semgrepignore patterns for folders such as `/tests` are now honored properly. Such patterns previously had no effect on target file filtering. (semgrepignore-anchored-dirs)
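The anchored-pattern fix above matters for scan coverage: an ignore pattern that is silently dropped means files are scanned that the team expected to skip, and the reverse bug would mean blind spots. The following is an added example, not code from Semgrep or from this PR, that models gitignore-style anchoring (a leading `/`, or a `/` inside the pattern, pins the pattern to the project root; negation and `**` are not modelled) and shows the difference between honoring and ignoring anchored patterns. The `.semgrepignore` content and the target paths are constructed for the example.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed .semgrepignore for this example (not taken from the page).
SEMGREPIGNORE = """
# anchored: only the top-level tests directory is excluded
/tests
# unanchored: a directory named build at any depth is excluded
build
# unanchored file glob
*.min.js
"""

# Constructed list of candidate target files, relative to the project root.
TARGETS = [
    "src/app.py",
    "tests/test_app.py",
    "src/tests/helper.py",
    "build/out.py",
    "src/build/gen.py",
    "static/app.min.js",
]


def parse_semgrepignore(text):
    """Return (anchored, pattern) pairs. Assumed gitignore-like semantics:
    a leading '/' (or a '/' inside the pattern) anchors it to the project
    root; negation and '**' are deliberately not modelled here."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body = line.strip("/")
        anchored = line.startswith("/") or "/" in body
        patterns.append((anchored, body))
    return patterns


def matches(path, anchored, pattern):
    """True if the pattern matches some path-segment window of `path`.
    Anchored patterns may only match starting at the first segment, so
    'tests' anchored hits 'tests/x.py' but not 'src/tests/x.py'."""
    parts = PurePosixPath(path).parts
    pat_parts = pattern.split("/")
    n = len(pat_parts)
    starts = [0] if anchored else range(len(parts) - n + 1)
    for i in starts:
        window = parts[i:i + n]
        if len(window) == n and all(
            fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(window, pat_parts)
        ):
            return True
    return False


def filter_targets(paths, patterns, honor_anchored=True):
    """Return the paths that survive the ignore list. honor_anchored=False
    reproduces the pre-1.96.0 behaviour described in the changelog, where
    anchored directory patterns had no effect on target filtering."""
    active = [(a, pat) for a, pat in patterns if honor_anchored or not a]
    return [path for path in paths
            if not any(matches(path, a, pat) for a, pat in active)]


if __name__ == "__main__":
    pats = parse_semgrepignore(SEMGREPIGNORE)
    print("fixed  :", filter_targets(TARGETS, pats))
    print("legacy :", filter_targets(TARGETS, pats, honor_anchored=False))
```

With the fix, `tests/test_app.py` is skipped while `src/tests/helper.py` is still scanned; in the legacy mode the anchored `/tests` entry is dropped entirely, so the top-level test file is scanned as well. Unanchored entries behave the same in both modes.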
v1.95.0
Compare Source
Changed
`--enable-experimental-requirements` flag. Functionality has always been enabled since Semgrep 1.93.0. (ssc-1903)
Fixed
osemgrep with the Pro Engine now correctly runs rules with proprietary languages. (saf-1686)
v1.94.0
Compare Source
Fixed
pro: taint-mode: Semgrep should no longer confuse a `return` in a lambda with a `return` in its enclosing function. E.g., in the example below the return value of `foo` is NOT tainted:
OCaml: matching will now recognize "local open", so that a pattern like `Foo.bar ...` will now correctly match code such as `let open Foo in bar 1` or `Foo.(bar 1)` in addition to the classic `Foo.bar 1`. (local_open)
Project files lacking sufficient read permissions are now skipped gracefully by semgrep. (saf-1598)
Semgrep will now print stderr and additional debugging info when semgrep-core exits with a fatal error code but still returns a JSON response (finishes scanning). (saf-1672)
semgrep ci should now correctly parse git logs to compute the set of contributors even if some authors have special characters in their names. (saf-1681)
v1.93.0
Compare Source
Added
`require`) in arbitrary expression contexts. Notably, in-line use of `require` should now be linked to the correct module. For instance, the pattern `foo.bar` should now match against `require('foo').bar`, and taint is likewise similarly tracked. (code-7485)
semgrep ci output now includes a list of all secrets rules which generated at least one blocking finding (similar to Code). (code-7663)
`--allow-dynamic-dependency-resolution` for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
find any requirement.txt file and lockfiles in a requirements folder (`**/requirements/*.txt`). The existing experimental flag `--enable-experimental-requirements` is now deprecated and will be removed in a future release. (gh-2441)
Changed
there were no community rules added and semgrep-vue was causing linking conflicts when compiling semgrep under Windows, so it is simpler to remove support for Vue. In theory, extract mode could be a good substitute to parse Vue files. (vue)
Fixed
v1.92.0
Compare Source
Added
Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
when they lead to a sink, e.g.:
New subcommand `dump-cst` for tree-sitter languages, available via `semgrep show`. This shows the concrete syntax tree for a given file. (code-7653)
Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9). (saf-1610)
Added support for the Move-on-sui language! (sui)
Pro-only: `semgrep test` now supports the `--pro` flag to not only use pro languages but also run the tests with the `--pro-intrafile` engine flag. If a finding is detected only by the pro engine, please use `proruleid:` instead of `ruleid:`, and if an OSS finding is actually a false positive for the pro engine, please add the `prook:` to your test annotation. (test_pro)
Fixed
pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
in the correct dependency order, potentially leading to FNs. (code-7649)
Display an ✘ instead of a ✔ in the scan status printout when scanning with Semgrep OSS and Code is not enabled. (grow-422)
semgrep will no longer randomly segfault when --trace is on with -j > 2. (saf-1590)
Previously, semgrep failed when --trace-endpoint was specified but --trace was not. Now we relax this requirement a bit: in this case, we disable tracing, print a warning, and continue to scan. (sms-550)
v1.91.0
Compare Source
Added
TypeScript that are assigned a new instance but lack an explicit type definition. When no explicit type is provided for a class field, its type is inferred from the type of the expression assigned to it. For example, in the class definition `class Foo { private readonly bar = new Bar(); }`, the type of `bar` is inferred to be `Bar`. (code-7635)
Fixed
`rich.errors.LiveError` where attempting to display multiple progress bars raises an exception, as flagged in #10562. (grow-414)
`-n` to sometimes not match code `-n`. (saf-1592)
about the failure. Previously, in the app, it would seem to the user that the scan is still in progress. (sms-502)
v1.90.0
Compare Source
Added
`*requirement*.txt` file and lockfiles in a requirements folder (`**/requirements/*.txt`). This functionality will be gated behind the `--enable-experimental-requirements` CLI flag. (sc-1752)
Changed
Fixed
`CMD $...ARGS` now behaves like `CMD ...` and matches any CMD instruction that uses the array syntax, such as `CMD ["ls"]`. This fix also applies to the other command-like instructions RUN and ENTRYPOINT. (gh-9726)
`Foo()` will now be inferred properly to be of type `Foo`. (saf-1537)
v1.89.0
Compare Source
Fixed
v1.88.0
Compare Source
Added
The dataflow analysis in the Pro engine can now track method invocations on
variables of an interface type, safely assuming that any implementation of the
method can be called. For example, tainted input vulnerabilities in both
implementation classes can now be detected in the following code:
Type inference for constructor parameter properties in TypeScript is now
supported in the Pro engine. For example, the taint analysis can recognize that
`sampleFunction` is defined in the `AbstractedService` class in the following code:
Changed
v1.87.0
Compare Source
Added
Semgrep now infers more accurate type information for class fields in
TypeScript. This improves taint tracking for dependency injection in
TypeScript, such as in the following example:
Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)
Added support for comparing Golang pre-release versions. With this, strict
core versions, pseudo-versions and pre-release versions can all be
compared to each other. (sc-1739)
Changed
`--pro`) Semgrep will now try to recover from it and continue the interfile analysis without falling back immediately to intrafile analysis. This allows using `--max-memory` with `--pro` in a more effective way. (flow-81)
Fixed
pro: taint-mode: Restore missing taint findings after having improved index-sensitivity:
The Semgrep proprietary engine added a new entropy analyzer `entropy_v2` that supports strictness options. (gh-1641)
v1.86.0
Compare Source
Added
The taint analysis can now track method invocations on variables of an
interface type, when there is a single implementation. For example, the tainted
input vulnerability can now be detected in the following code:
When there are multiple implementations, the taint analysis will not follow any
of them. We will add handling of cases with multiple implementations in
upcoming updates. (code-7434)
Uses of values imported via ECMAScript `default` imports (e.g., `import example from 'mod';`) can now be matched by qualified name patterns (e.g., `mod.default`). (code-7463)
Pro: taint-mode: Allow (experimental) control taint to propagate through `return`s. Now this taint rule:
It is able to find this:
A new flag --max-log-list-entries allows controlling the maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. The previous hardcoded limit was 100 (and now becomes the default value). (max_log_list_entries)
Changed
`--debug` mode, without the need to set `SEMGREP_LOG_SRCS=process_limits`. (logging)
Fixed
Fixed inter-file constant propagation to prevent some definitions from being
incorrectly identified as constant, when they are modified in other parts of
the codebase. (code-6793)
pro: taint-mode: Fixed bug in taint signature instantiation that could cause an update to a field in a nested object to not be tracked. For example, in the code below, Semgrep knew that `Nested.update` updates the `fld` attribute of a `Nested` object. But due to this bug, Semgrep would not know that `Wrapper.update` updated the `fld` attribute of the `nested` object attribute in a `Wrapper` object.
Fixed incorrect range matching parametrized type expressions in Julia. (gh-10467)
Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)
Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)
Fixed regex-fix numbered capture groups, where it used to be the case that a `replacement:` regex with numbered capture groups like `\1\2\3` would effectively be the same as `\1\1\1`. After the fix:
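The capture-group bug above is worth understanding before trusting autofixes from a pinned version: if `\2` and `\3` silently resolve to group 1, an applied fix can rewrite code into something different from what the rule author intended. The block below is an added example, not code from Semgrep or from this PR. It uses a constructed three-group regex fix (the rule shape with `regex:` and `replacement:` keys is assumed), shows the correct expansion next to an emulation of the defect described in the changelog, and includes a small probe that distinguishes the two behaviours.

```python
import re

# Constructed example of a regex-based autofix (not a rule from the page).
# Assumed rule shape: a fix-regex with a `regex:` that captures three
# groups and a `replacement:` that uses \1, \2 and \3.
REGEX = r"^(\w+)\s*=\s*(\w+)\((\w+)\)$"
REPLACEMENT = r"\1 = safe_\2(\3)"
SAMPLE = "out = render(user_input)"  # constructed input line


def expand_correct(regex, replacement, text):
    """Correct semantics: \\N in the replacement refers to capture group N.
    Python's re.sub already implements this, so it is the reference."""
    return re.sub(regex, replacement, text)


def expand_buggy(regex, replacement, text):
    """Emulates the defect described in the changelog: every numbered
    back-reference resolves to group 1, so \\1\\2\\3 behaves like \\1\\1\\1."""
    m = re.match(regex, text)
    if m is None:
        return text
    # A callable replacement is inserted literally, so no escape processing.
    return re.sub(r"\\(\d+)", lambda _: m.group(1), replacement)


def backrefs_resolve_distinctly(expand):
    """Regression probe: with three distinct groups, \\3\\2\\1 must reverse
    them. Returns True for a correct expander, False for the buggy one."""
    return expand(r"^(a)(b)(c)$", r"\3\2\1", "abc") == "cba"


if __name__ == "__main__":
    print("correct:", expand_correct(REGEX, REPLACEMENT, SAMPLE))
    print("buggy  :", expand_buggy(REGEX, REPLACEMENT, SAMPLE))
    print("probe  :", backrefs_resolve_distinctly(expand_correct),
          backrefs_resolve_distinctly(expand_buggy))
```

The correct expansion yields `out = safe_render(user_input)`; the buggy emulation yields `out = safe_out(out)`, which is the kind of corrupted autofix a pre-1.86.0 engine could have produced. The probe is the check to keep in a rule test suite: one `ruleid:` case whose expected fix output depends on groups 2 and 3 being distinct from group 1.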
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.