Update dependency semgrep to v1.90.0 #15
Open
This PR contains the following updates:
semgrep: `==1.85.0` -> `==1.90.0`
Release Notes
returntocorp/semgrep (semgrep)
v1.90.0
Compare Source
Added
- `*requirement*.txt` file and lockfiles in a requirements folder (`**/requirements/*.txt`). This functionality will be gated behind the `--enable-experimental-requirements` CLI flag. (sc-1752)
Changed
Fixed
- `CMD $...ARGS` now behaves like `CMD ...` and matches any CMD instruction that uses the array syntax, such as `CMD ["ls"]`. This fix also applies to the other command-like instructions RUN and ENTRYPOINT. (gh-9726)
- `Foo()` will now be inferred properly to be of type `Foo`. (saf-1537)
v1.89.0
Compare Source
Fixed
v1.88.0
Compare Source
Added
- The dataflow analysis in the Pro engine can now track method invocations on variables of an interface type, safely assuming that any implementation of the method can be called. For example, tainted input vulnerabilities in both implementation classes can now be detected in the following code:
- Type inference for constructor parameter properties in TypeScript is now supported in the Pro engine. For example, the taint analysis can recognize that `sampleFunction` is defined in the `AbstractedService` class in the following code:
Changed
v1.87.0
Compare Source
Added
- Semgrep now infers more accurate type information for class fields in TypeScript. This improves taint tracking for dependency injection in TypeScript, such as in the following example:
- Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)
- Added support for comparing Golang pre-release versions. With this, strict core versions, pseudo-versions and pre-release versions can all be compared to each other. (sc-1739)
Changed
- `--pro`) Semgrep will now try to recover from it and continue the interfile analysis without falling back immediately to intrafile analysis. This allows using `--max-memory` with `--pro` in a more effective way. (flow-81)
Fixed
- pro: taint-mode: Restore missing taint findings after having improved index-sensitivity:
- The Semgrep proprietary engine added a new entropy analyzer `entropy_v2` that supports strictness options. (gh-1641)
v1.86.0
Compare Source
Added
- The taint analysis can now track method invocations on variables of an interface type, when there is a single implementation. For example, the tainted input vulnerability can now be detected in the following code:
  When there are multiple implementations, the taint analysis will not follow any of them. We will add handling of cases with multiple implementations in upcoming updates. (code-7434)
- Uses of values imported via ECMAScript `default` imports (e.g., `import example from 'mod';`) can now be matched by qualified name patterns (e.g., `mod.default`). (code-7463)
- Pro: taint-mode: Allow (experimental) control taint to propagate through `return`s. Now this taint rule:
  It is able to find this:
- A new flag `--max-log-list-entries` allows to control the maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)
Changed
- `--debug` mode, without the need to set `SEMGREP_LOG_SRCS=process_limits`. (logging)
Fixed
- Fixed inter-file constant propagation to prevent some definitions from being incorrectly identified as constant, when they are modified in other parts of the codebase. (code-6793)
- pro: taint-mode: Fixed bug in taint signature instantiation that could cause an update to a field in a nested object to not be tracked. For example, in the code below, Semgrep knew that `Nested.update` updates the `fld` attribute of a `Nested` object. But due to this bug, Semgrep would not know that `Wrapper.update` updated the `fld` attribute of the `nested` object attribute in a `Wrapper` object.
- Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)
- Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)
- Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)
- Fixed regex-fix numbered capture groups, where it used to be the case that a `replacement:` regex with numbered capture groups like `\1\2\3` would effectively be the same as `\1\1\1`. After the fix:
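As an added illustration of the capture-group defect described in the last item (this is not Semgrep's own code), the Python below contrasts a backreference expander that resolves every `\N` with the index of the first backreference, so `\1 \2 \3` acts like `\1 \1 \1`, against a correct one. The pattern, replacement string and sample input are constructed for the example.

```python
import re

# Constructed sample: a pattern capturing three fields of a "key=value:port"
# token and a replacement that should emit all three fields, space-separated.
PATTERN = r"(\w+)=(\w+):(\w+)"
REPLACEMENT = r"\1 \2 \3"
SAMPLE = "host=db:5432"

# A numbered backreference inside a replacement string: a backslash then a digit.
BACKREF = re.compile(r"\\(\d)")


def expand_buggy(match: re.Match, replacement: str) -> str:
    """Defective expansion: the group number of the *first* backreference is
    reused for every backreference, so "\1 \2 \3" behaves like "\1 \1 \1"
    (the symptom the release note describes)."""
    refs = BACKREF.findall(replacement)
    first = int(refs[0]) if refs else None
    return BACKREF.sub(lambda _m: match.group(first) or "", replacement)


def expand_fixed(match: re.Match, replacement: str) -> str:
    """Correct expansion: each backreference resolves its own group number.
    A group that did not participate in the match expands to the empty string."""
    return BACKREF.sub(lambda m: match.group(int(m.group(1))) or "", replacement)


def apply_fix(text: str, pattern: str, replacement: str, expand) -> str:
    """Apply a regex 'fix' to text, expanding backreferences with the chosen
    expander for every match of the pattern."""
    return re.sub(pattern, lambda m: expand(m, replacement), text)


if __name__ == "__main__":
    print("buggy:", apply_fix(SAMPLE, PATTERN, REPLACEMENT, expand_buggy))  # host host host
    print("fixed:", apply_fix(SAMPLE, PATTERN, REPLACEMENT, expand_fixed))  # host db 5432
```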
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.