Update dependency semgrep to v1.103.0 #15
Open
renovate wants to merge 1 commit into main from renovate/semgrep-1.x
Conversation
renovate bot force-pushed the renovate/semgrep-1.x branch from bbdf4f3 to 6c833fb (September 14, 2024 02:53)
renovate bot changed the title from "Update dependency semgrep to v1.86.0" to "Update dependency semgrep to v1.87.0" (Sep 14, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 6c833fb to 2d38809 (September 20, 2024 05:52)
renovate bot changed the title from "Update dependency semgrep to v1.87.0" to "Update dependency semgrep to v1.89.0" (Sep 20, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 2d38809 to d7bbee7 (September 26, 2024 02:41)
renovate bot changed the title from "Update dependency semgrep to v1.89.0" to "Update dependency semgrep to v1.90.0" (Sep 26, 2024)
renovate bot changed the title from "Update dependency semgrep to v1.90.0" to "Update dependency semgrep to v1.91.0" (Oct 11, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from d7bbee7 to 14d1834 (October 11, 2024 08:52)
renovate bot force-pushed the renovate/semgrep-1.x branch from 14d1834 to 6e7e0a4 (October 18, 2024 23:48)
renovate bot changed the title from "Update dependency semgrep to v1.91.0" to "Update dependency semgrep to v1.92.0" (Oct 18, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 6e7e0a4 to 34d4cd4 (October 23, 2024 23:43)
renovate bot changed the title from "Update dependency semgrep to v1.92.0" to "Update dependency semgrep to v1.93.0" (Oct 23, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 34d4cd4 to 0910328 (October 31, 2024 23:55)
renovate bot changed the title from "Update dependency semgrep to v1.93.0" to "Update dependency semgrep to v1.95.0" (Oct 31, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 0910328 to 94793e1 (November 8, 2024 08:56)
renovate bot changed the title from "Update dependency semgrep to v1.95.0" to "Update dependency semgrep to v1.96.0" (Nov 8, 2024)
renovate bot changed the title from "Update dependency semgrep to v1.96.0" to "Update dependency semgrep to v1.97.0" (Nov 20, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 94793e1 to 7fb5f0d (November 20, 2024 05:48)
renovate bot force-pushed the renovate/semgrep-1.x branch from 7fb5f0d to c5cb7e1 (December 6, 2024 23:39)
renovate bot changed the title from "Update dependency semgrep to v1.97.0" to "Update dependency semgrep to v1.99.0" (Dec 6, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from c5cb7e1 to 9b5ca2e (December 14, 2024 01:55)
renovate bot changed the title from "Update dependency semgrep to v1.99.0" to "Update dependency semgrep to v1.100.0" (Dec 14, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from 9b5ca2e to aef73a5 (December 21, 2024 14:57)
renovate bot changed the title from "Update dependency semgrep to v1.100.0" to "Update dependency semgrep to v1.101.0" (Dec 21, 2024)
renovate bot force-pushed the renovate/semgrep-1.x branch from aef73a5 to f511860 (January 10, 2025 03:14)
renovate bot changed the title from "Update dependency semgrep to v1.101.0" to "Update dependency semgrep to v1.102.0" (Jan 10, 2025)
renovate bot force-pushed the renovate/semgrep-1.x branch from f511860 to 9b9a358 (January 15, 2025 23:35)
renovate bot changed the title from "Update dependency semgrep to v1.102.0" to "Update dependency semgrep to v1.103.0" (Jan 15, 2025)
This PR contains the following updates:

semgrep: `==1.85.0` -> `==1.103.0`

Release Notes

returntocorp/semgrep (semgrep)

v1.103.0

Added
- pro: taint: Support for lambdas as callbacks.
- pro: python: Semgrep will now consider top-level lambdas like `x` below for inter-procedural analysis:

Changed
- `pip` from the Semgrep Docker image. If you need it, you may install it by running `apk add py3-pip`. (saf-1774)

Fixed
- `with`s, like this:

```python
with (
    f() as a,
    g() as b,
):
    pass
```
(saf-1802)

v1.102.0

Added

Fixed
- `semgrep test` and `semgrep validate` commands have been correctly documented as EXPERIMENTAL (in semgrep --help). Those commands are not GA yet and people should still use the `semgrep scan --test` and `semgrep scan --validate` (or the variants without the implicit "scan") commands (unless they want to experiment with getting results faster and are ok with incomplete coverage of the legacy `semgrep --test` and `semgrep --validate`). (experimental)
- If such a path is passed explicitly as a scanning root on the command line, it results in an error. Otherwise if it's a file discovered while scanning the file system, it's a warning. (saf-1776)
- should now be more robust and not abort the whole scan when an out of bound line access happens during the nosemgrep analysis or when outputting the lines of a match. (saf-1778)

v1.101.0

Added

Changed
- `semgrep ci` to allow semgrep-app to block scans based on specific findings (SECW-2740)
- the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (json)
- See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/ for more information. (rename)
- the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif for more information. (sarif)

Fixed
- pro: Improved inter-file tracking of tainted global variables. (code-7054)
- Python (pro-only): Taint now correctly tracks through calls to class methods within a class, via the `cls` parameter. So for instance, we would be able to determine a source-to-sink vulnerability in the following code snippet:
- pro: Fixed bug when generating inter-procedural taint traces, that it could cause a call-step to be missing in the trace. (saf-1783)
- Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

v1.100.0

Added
- arity and parameter types, e.g., `foo(x: Int, y: String)` vs. `foo(x: String, y: Int)`. (code-7870)

Changed
- We are dropping support for Python 3.8 (python)

Fixed
- pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused false negatives when a function updated an arbitrary index, e.g.:
- Fixed bug affecting taint tracking through static fields when mixing accesses using the class name and using an instance object, e.g.:
- No more RPC error when using --sarif with some join-mode rules. Moreover, regular rules without the 'languages:' field will be skipped instead of aborting the whole scan. (gh-10723)

v1.99.0

Fixed
- the spec and not use the RFC 3339. Thanks to Elias Haeussler for the fix. (saf-1755)

v1.97.0

Added
- project references. (code-7677)
- addition to the existing resolution for interface method invocations, this change further enhances dataflow tracking accuracy for dynamic method invocations. (code-7750)

Fixed
- disconnection). In some cases this would previously cause a fatal error, but we should instead be able to recover in most instances (and now can). (code-7715)
- (according to git) are now scanned correctly instead of being ignored. (saf-1687)

v1.96.0

Added
- The pro engine now handles duplicate function names in C. When duplicate functions are found, we assume that any of the duplicated functions could be called. For example, if the function `foo` is defined in two different files, taint errors will be reported for both instances:

Changed

Fixed
- of matches of sources/propagators/sanitizers/sinks within a function. (flow-83)
- any gradle lockfile which did not start with a specific block comment. Now, semgrep will parse gradle lockfiles correctly by ignoring the comment (allowing any or no comment at all to exist). (gh-10508)
- the whole scan anymore (regression introduced in 1.94.0). The scan will have an exit code of 0 instead of 2 (unless the user passed --strict in which case it will exit with code 2). (incid-110)
- unclosed braces on the same line. (saf-1667)
- a character class starting with `[:` such as `[:a-z]`. (saf-1693)
- `semgrep scan`: anchored semgrepignore patterns for folders such as `/tests` are now honored properly. Such patterns previously had no effect on target file filtering. (semgrepignore-anchored-dirs)

v1.95.0

Changed
- `--enable-experimental-requirements` flag. Functionality has always been enabled since Semgrep 1.93.0. (ssc-1903)

Fixed
- `osemgrep` with the Pro Engine now correctly runs rules with proprietary languages (saf-1686)

v1.94.0

Fixed
- pro: taint-mode: Semgrep should no longer confuse a `return` in a lambda with a `return` in its enclosing function. E.g. in the example below the return value of `foo` is NOT tainted:
- OCaml: matching will now recognize "local open" so that a pattern like `Foo.bar ...` will now correctly match code such as `let open Foo in bar 1` or `Foo.(bar 1)` in addition to the classic `Foo.bar 1`. (local_open)
- Project files lacking sufficient read permissions are now skipped gracefully by semgrep. (saf-1598)
- Semgrep will now print stderr and additional debugging info when semgrep-core exits with a fatal error code but still returns a json response (finishes scanning) (saf-1672)
- semgrep ci should parse correctly git logs to compute the set of contributors even if some authors have special characters in their names. (saf-1681)

v1.93.0

Added
- `require`) in arbitrary expression contexts. Notably, in-line use of `require` should now be linked to the correct module. For instance, the pattern `foo.bar` should now match against `require('foo').bar` and taint is likewise similarly tracked. (code-7485)
- `semgrep ci` output now includes a list of all secrets rules which generated at least one blocking finding (similar to Code) (code-7663)
- `--allow-dynamic-dependency-resolution` for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
- find any requirement.txt file and lockfiles in a requirements folder (`**/requirements/*.txt`). The existing experimental flag `--enable-experimental-requirements` is now deprecated and will be removed in a future release. (gh-2441)

Changed
- there were no community rules added and semgrep-vue is causing linking conflicts when compiling semgrep under Windows so it is just simpler to remove support for Vue. In theory, extract mode could be a good substitute to parse Vue files. (vue)

Fixed

v1.92.0

Added
- Pro: taint-mode: Semgrep has now basic support to track taint through callbacks, when they lead to a sink, e.g.:
- New subcommand `dump-cst` for tree-sitter languages available via `semgrep show`. This shows the concrete syntax tree for a given file. (code-7653)
- Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)
- Added support for the Move-on-sui language! (sui)
- Pro-only: semgrep test now supports the --pro flag to not only use pro languages but also run the tests with the --pro-intrafile engine flag. If a finding is detected only by the pro engine, please use `proruleid:` instead of `ruleid:`, and if an OSS finding is actually a false positive for the pro engine, please add the `prook:` to your test annotation. (test_pro)

Fixed
- pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed in the correct dependency order, potentially leading to FNs. (code-7649)
- Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code is not enabled. (grow-422)
- semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)
- Previously, semgrep fails when --trace-endpoint is specified, but --trace is not. Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

v1.91.0

Added
- TypeScript that are assigned a new instance but lack an explicit type definition. When no explicit type is provided for a class field, its type is inferred from the type of the expression assigned to it. For example, in the class definition `class Foo { private readonly bar = new Bar(); }`, the type of `bar` is inferred to be `Bar`. (code-7635)

Fixed
- `rich.errors.LiveError` where attempting to display multiple progress bars raises an exception as flagged in #10562. (grow-414)
- `-n` to sometimes not match code `-n`. (saf-1592)
- about the failure. Previously, in the app, it would seem to the user that the scan is still in progress. (sms-502)

v1.90.0

Added
- `*requirement*.txt` file and lockfiles in a requirements folder (`**/requirements/*.txt`). This functionality will be gated behind the `--enable-experimental-requirements` CLI flag. (sc-1752)

Changed

Fixed
- `CMD $...ARGS` now behaves like `CMD ...` and matches any CMD instruction that uses the array syntax such as `CMD ["ls"]`. This fix also applies to the other command-like instructions RUN and ENTRYPOINT. (gh-9726)
- `Foo()` will now be inferred properly to be of type `Foo`. (saf-1537)

v1.89.0

Fixed

v1.88.0

Added
- The dataflow analysis in the Pro engine can now track method invocations on variables of an interface type, safely assuming that any implementation of the method can be called. For example, tainted input vulnerabilities in both implementation classes can now be detected in the following code:
- Type inference for constructor parameter properties in TypeScript is now supported in the Pro engine. For example, the taint analysis can recognize that `sampleFunction` is defined in the `AbstractedService` class in the following code:

Changed

v1.87.0

Added
- Semgrep now infers more accurate type information for class fields in TypeScript. This improves taint tracking for dependency injection in TypeScript, such as in the following example:
- Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)
- Added support for comparing Golang pre-release versions. With this, strict core versions, pseudo-versions and pre-release versions can all be compared to each other. (sc-1739)

Changed
- `--pro`) Semgrep will now try to recover from it and continue the interfile analysis without falling back immediately to intrafile analysis. This allows using `--max-memory` with `--pro` in a more effective way. (flow-81)

Fixed
- pro: taint-mode: Restore missing taint findings after having improved index-sensitivity:
- The Semgrep proprietary engine added a new entropy analyzer `entropy_v2` that supports strictness options. (gh-1641)

v1.86.0

Added
- The taint analysis can now track method invocations on variables of an interface type, when there is a single implementation. For example, the tainted input vulnerability can now be detected in the following code:
  When there are multiple implementations, the taint analysis will not follow any of them. We will add handling of cases with multiple implementations in upcoming updates. (code-7434)
- Uses of values imported via ECMAScript `default` imports (e.g., `import example from 'mod';`) can now be matched by qualified name patterns (e.g., `mod.default`). (code-7463)
- Pro: taint-mode: Allow (experimental) control taint to propagate through `return`s. Now this taint rule:
  It is able to find this:
- A new flag --max-log-list-entries allows controlling the maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)

Changed
- `--debug` mode, without the need to set `SEMGREP_LOG_SRCS=process_limits`. (logging)

Fixed
- Fixed inter-file constant propagation to prevent some definitions from being incorrectly identified as constant, when they are modified in other parts of the codebase. (code-6793)
- pro: taint-mode: Fixed bug in taint signature instantiation that could cause an update to a field in a nested object to not be tracked. For example, in the code below, Semgrep knew that `Nested.update` updates the `fld` attribute of a `Nested` object. But due to this bug, Semgrep would not know that `Wrapper.update` updated the `fld` attribute of the `nested` object attribute in a `Wrapper` object.
- Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)
- Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)
- Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)
- Fixed regex-fix numbered capture groups, where it used to be the case that a `replacement:` regex with numbered capture groups like `\1\2\3` would effectively be the same as `\1\1\1`. After the fix:
Configuration

- Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
- Automerge: Disabled by config. Please merge this manually once you are satisfied.
- Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.