chore(deps-dev): bump semgrep from 1.99.0 to 1.100.0 (#12)
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.99.0 to 1.100.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/returntocorp/semgrep/releases">semgrep's releases</a>.</em></p>
<blockquote>
<h2>Release v1.100.0</h2>
<h2><a href="https://github.com/semgrep/semgrep/releases/tag/v1.100.0">1.100.0</a> - 2024-12-12</h2>
<h3>Added</h3>
<ul>
<li>Pro engine now correctly distinguishes overloaded Scala methods based on their
arity and parameter types, e.g., <code>foo(x: Int, y: String)</code> vs. <code>foo(x: String, y: Int)</code>. (code-7870)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>The minimum Python version for semgrep is now 3.9.
We are dropping support for Python 3.8 (python)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>
<p>pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
false negatives when a function updated an arbitrary index, e.g.:</p>
<pre><code>var x = {};

function foo(k) {
  x[k] = source();
}

function test(k) {
  foo(k);
  sink(x); // finding here!
}
</code></pre>
<p>(CODE-7838)</p>
</li>
<li>
<p>Fixed bug affecting taint tracking through static fields when mixing accesses
using the class name and using an instance object, e.g.:</p>
<pre><code>class C {
    static String s;
}

...

    C o = new C();
    C.s = taint;
    sink(o.s); // finding !
</code></pre>
<p>(CODE-7871)</p>
</li>
<li>
<p>No more RPC error when using --sarif with some join-mode rules.
Moreover, regular rules without the 'languages:' field will be skipped
instead of aborting the whole scan. (<a href="https://redirect.github.com/returntocorp/semgrep/issues/10723">gh-10723</a>)</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md">semgrep's changelog</a>.</em></p>
<blockquote>
<h2><a href="https://github.com/semgrep/semgrep/releases/tag/v1.100.0">1.100.0</a> - 2024-12-12</h2>
<h3>Added</h3>
<ul>
<li>Pro engine now correctly distinguishes overloaded Scala methods based on their
arity and parameter types, e.g., <code>foo(x: Int, y: String)</code> vs. <code>foo(x: String, y: Int)</code>. (code-7870)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>The minimum Python version for semgrep is now 3.9.
We are dropping support for Python 3.8 (python)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>
<p>pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
false negatives when a function updated an arbitrary index, e.g.:</p>
<pre><code>var x = {};

function foo(k) {
  x[k] = source();
}

function test(k) {
  foo(k);
  sink(x); // finding here!
}
</code></pre>
<p>(CODE-7838)</p>
</li>
<li>
<p>Fixed bug affecting taint tracking through static fields when mixing accesses
using the class name and using an instance object, e.g.:</p>
<pre><code>class C {
    static String s;
}

...

    C o = new C();
    C.s = taint;
    sink(o.s); // finding !
</code></pre>
<p>(CODE-7871)</p>
</li>
<li>
<p>No more RPC error when using --sarif with some join-mode rules.
Moreover, regular rules without the 'languages:' field will be skipped
instead of aborting the whole scan. (<a href="https://redirect.github.com/returntocorp/semgrep/issues/10723">gh-10723</a>)</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/semgrep/semgrep/commit/2a5266de179ef4928bf8f67d0aebf39d0a3e0822"><code>2a5266d</code></a> chore: release version 1.100.0</li>
<li><a href="https://github.com/semgrep/semgrep/commit/f598c5d55b334a8aaaa3ac081eaa83413ea5bbe9"><code>f598c5d</code></a> <code>semgrep/semgrep-proprietary#2786</code></li>
<li><a href="https://github.com/semgrep/semgrep/commit/e8219f99a0b32a24aef48faba10c37e2ea5bb4aa"><code>e8219f9</code></a> chore: Remove check-builtin-literals pre-commit from OSS (semgrep/semgrep-pro...</li>
<li><a href="https://github.com/semgrep/semgrep/commit/28b6672f36e2780304ef30bc6c1f3c712f2c6392"><code>28b6672</code></a> <code>semgrep/semgrep-proprietary#2773</code></li>
<li><a href="https://github.com/semgrep/semgrep/commit/8da1b56a8a60661965b19b53e63f8137d5649ed1"><code>8da1b56</code></a> <code>semgrep/semgrep-proprietary#2778</code></li>
<li><a href="https://github.com/semgrep/semgrep/commit/77cd7a6a757dab2ad503a4a994957a3c155d51b8"><code>77cd7a6</code></a> Fix osemgrep target selection bugs for reg file and symlinks on the command l...</li>
<li><a href="https://github.com/semgrep/semgrep/commit/0dc95189024af096e2865b87dfe09660a36cf350"><code>0dc9518</code></a> Add format_context to SARIF RPC and gate some fields (semgrep/semgrep-proprie...</li>
<li><a href="https://github.com/semgrep/semgrep/commit/75361cb3d627f4184e85e988ff20e296da870557"><code>75361cb</code></a> <code>semgrep/semgrep-proprietary#2605</code></li>
<li><a href="https://github.com/semgrep/semgrep/commit/dd81e79121318910a4e8d28227e6ccf431c211ec"><code>dd81e79</code></a> <code>semgrep/semgrep-proprietary#2763</code></li>
<li><a href="https://github.com/semgrep/semgrep/commit/47faae913ac69def687c1aece7a01522f85271c7"><code>47faae9</code></a> <code>semgrep/semgrep-proprietary#2762</code></li>
<li>Additional commits viewable in <a href="https://github.com/returntocorp/semgrep/compare/v1.99.0...v1.100.0">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=semgrep&package-manager=pip&previous-version=1.99.0&new-version=1.100.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
dependabot[bot] authored Dec 13, 2024
1 parent 33e4f7f commit d5e8f14
Showing 1 changed file with 17 additions and 12 deletions.
29 changes: 17 additions & 12 deletions poetry.lock
0 comments on commit d5e8f14