Skip to content

Update dependency semgrep to >=1.103,<1.104#954

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/semgrep-1.x
Closed

Update dependency semgrep to >=1.103,<1.104#954
renovate[bot] wants to merge 1 commit intomainfrom
renovate/semgrep-1.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 13, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semgrep >=1.99,<1.100 -> >=1.103,<1.104 age adoption passing confidence

Release Notes

returntocorp/semgrep (semgrep)

v1.103.0

Compare Source

Added

  • pro: taint: Support for lambdas as callbacks.

    var tainted = source();

function withCallback1(val, callback) {
    if (val) {
        callback(val);
    }
}

withCallback1(tainted, function (val) {
    sink(val); // finding !
}); (code-7626)

  • pro: python: Semgrep will now consider top-level lambdas like x below for
    inter-procedural analysis:

    x = lambda s: sink(s) # now we get a finding !

x(taint) (gh-10731)
Changed
  • Removed pip from the Semgrep Docker image. If you need it, you may install it by running apk add py3-pip. (saf-1774)
Fixed
  • Python: Now correctly parsing files with parenthesized withs, like this:
    with (
    f() as a,
    g() as b,
    ):
    pass
    ``` (saf-1802)
  • Semgrep will now truncate error messages that are produced when they are very long (saf-333)

v1.102.0

Compare Source

Added
  • Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
  • Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
  • The poetry.lock parser can now parse dependency relationships (ssc-1970)
  • The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)
Fixed
  • The semgrep test and semgrep validate commands have been
    correctly documented as EXPERIMENTAL (in semgrep --help).
    Those commands are not GA yet and people should still
    use the semgrep scan --test and semgrep scan --validate (or
    the variants without the implicit "scan") commands (unless
    they want to experiment with getting results faster and are ok
    with incomplete coverage of the legacy semgrep --test
    and semgrep --validate). (experimental)
  • Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
  • Fix the behavior of semgrep when running into broken symlinks.
    If such a path is passed explicitly as a scanning root on the
    command line, it results in an error. Otherwise if it's a file discovered
    while scanning the file system, it's a warning. (saf-1776)
  • Fixed another crash due to exception in lines_of_file. The code
    should now be more robust and not abort the whole scan when
    an out of bound line access happens during the nosemgrep analysis
    or when outputing the lines of a match. (saf-1778)
  • Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

v1.101.0

Compare Source

Added
  • Improved pnpm-lock.yaml parsing. (gh-2663)
Changed
Fixed

  • pro: Improved inter-file tracking of tainted global variables. (code-7054)

  • Python (pro-only): Taint now correctly tracks through calls to class methods
    within a class, via the cls parameter.

    So for instance, we would be able to determine a source-to-sink
    vulnerability in the following code snippet:

    class A:
  def foo(self, x):
    sink(x)

  @&#8203;classmethod
  def bar(cls):
    cls.foo(source)
``` (saf-1765)

  • pro: Fixed bug when generating inter-procedural taint traces, that it could
    cause a call-step to be missing in the trace. (saf-1783)

  • Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

v1.100.0

Compare Source

Added
  • Pro engine now correctly distinguishes overloaded Scala methods based on their
    arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)
Changed
  • The minimum Python version for semgrep is now 3.9.
    We are dropping support for Python 3.8 (python)
Fixed

  • pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
    false negatives when a function updated an arbitrary index, e.g.:

    var x = {};

function foo(k) {
    x[k] = source();
}

function test(k) {
    foo(k);
    sink(x); // finding here!
} (CODE-7838)

  • Fixed bug affecting taint tracking through static fields when mixing accesses
    using the class name and using an instance object, e.g.:

    class C {
    static String s;
}

...

        C o = new C();
        C.s = taint;
        sink(o.s); // finding ! (CODE-7871)

  • No more RPC error when using --sarif with some join-mode rules.
    Moreover, regular rules without the 'languages:' field will be skipped
    instead of aborting the whole scan. (gh-10723)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency semgrep to >=1.100,<1.101 Update dependency semgrep to >=1.101,<1.102 Dec 18, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch 3 times, most recently from dd4a77e to 03847df Compare December 20, 2024 20:00
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch 3 times, most recently from d4aee6f to 7aa7b55 Compare January 8, 2025 22:49
@renovate renovate bot changed the title Update dependency semgrep to >=1.101,<1.102 Update dependency semgrep to >=1.102,<1.103 Jan 8, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch 2 times, most recently from 13beab9 to b8e61ee Compare January 9, 2025 14:33
@renovate renovate bot changed the title Update dependency semgrep to >=1.102,<1.103 Update dependency semgrep to >=1.103,<1.104 Jan 16, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from b8e61ee to 021f76d Compare January 16, 2025 01:00
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 16, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate
Copy link
Contributor Author

renovate bot commented Jan 16, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (>=1.103,<1.104). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/semgrep-1.x branch January 16, 2025 11:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drdavella drdavella Awaiting requested review from drdavella drdavella is a code owner

@andrecsilva andrecsilva Awaiting requested review from andrecsilva andrecsilva is a code owner

@clavedeluna clavedeluna Awaiting requested review from clavedeluna clavedeluna is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@clavedeluna