Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency semgrep to v1.112.0 #15

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 5, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semgrep ==1.85.0 -> ==1.112.0 age adoption passing confidence

Release Notes

returntocorp/semgrep (semgrep)

v1.112.0

Compare Source

Added
  • TypeScript parser now allows ellipses in class bodies. For example, you can
    write the pattern like:
    class $C {
    ...
    $FUNC() { ... }
    ...
    }
    ``` (code-8242)
  • Semgrep will now present more detailed info when a scan is complete, such as what percent of lines were scanned. It is also formatted in a new manner (saf-details)
  • Verbose output will now print additional info about parsing and internal semgrep errors, such as what % of lines were skipped, and the lines they occured on (saf-verbose)
Fixed
  • pro: Fixed bug in (experimental) "at-exit" sinks feature that would prevent
    the identification of a statement like return foo() as one such sink. (code-8199)
  • FIX: --gitlab-secrets output has been updated to conform to GitLab JSON schema (scrt-849)
  • The behavior of --semgrepignore-v2 changed to be closer to the legacy
    Semgrepignore v1. .gitignore files are no longer loaded automatically
    as part of the Semgrepignore v2 exclusion mechanism.
    Loading a .gitignore file must be done
    by placing :include .gitignore in the .semgrepignore file
    as was the case with Semgrepignore v1. (semgrepignore-v1-compat)

v1.111.0

Compare Source

Changed
  • Removed .semgrepignore file lookup using the SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE environment variable. This was used by semgrep-action which
    has been deprecated. (semgrep-action)
Fixed
  • pro: Fixed bug that could prevent taint tracking from following a virtual call
    in JS/TS. (code-8065)
  • PRO: Restricted heuristic search of the Python module path to paths only under
    the project root to reduce inaccuracies in module resolution. This change
    mitigates the risk of resolving module specifiers to incorrect paths,
    particularly in cases involving common library names (e.g., django). (code-8146)
  • Fix the incorrect schema and analysis type in the JSON output of the secret
    findings when using the --gitlab-secrets flag. (scrt-833)

v1.110.0

Compare Source

Added
  • pro: Inter-file analysis will now process Javascript and Typescript files
    together, so that taint can be tracked across both languages. (code-8076)

  • Pro: new metavariable-name operator which allows for expressing a constraint
    against the fully qualified name or nearest equivalent of a metavariable
    (useful mainly in JavaScript and TypeScript, where there is no first-class
    syntax for this, or where such names or pseudo-names containt symbols which
    cannot appear in identifiers). Requires pro naming passes and works best with
    interfile naming.

    Additional documentation forthcoming. (code-8121)

Changed
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our PyPI and Homebrew distributions. Our Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. (ocaml5)
Fixed
  • Fixed a regression in pro interfile mode where type inference for the var
    keyword in Java was not functioning correctly. (code-7991)

  • PRO: Fix the range not found error when using a metavariable pattern match on
    a typed metavariable. For example, the following metavariable pattern rule will
    no longer trigger the error:

    patterns:
      - pattern: ($FOO $VAR).bar()
      - metavariable-pattern:
          metavariable: $FOO
          pattern-either:
            - pattern: org.foo.Foo
    ``` (code-8007)
    
  • lsp will no longer send diagnostics where the message is MarkupContent since
    our current implementation does not discriminate on the client capability for
    recieiving such diagnostics (to-be-added in 3.18). (code-8120)

  • Yarn.lock parser now correctly denotes NPM organization scope. (sc-2107)

  • Packages in Package.resolved without a version are now ignored. (sc-2116)

  • Updated Package.swift parser to support:

    • The url value in a .package entry doesn't have to end with .git
    • You can have an exact field that looks like exact: "1.0.0" instead of .exact("1.0.0")
    • The exact version can be an object like Version(1,2,3) instead of a string
    • You can have .package values with no url, like this: .package(name: "package", path: "foo/bar") (sc-2117)

v1.109.0

Compare Source

Changed
  • Pyproject.toml files are now parsed using a toml parser (tomli). (sc-2054)
Fixed
  • pro: taint-mode: Fixed limitation in custom taint propagators.
    See https://semgrep.dev/playground/s/ReJQO (code-7967)
  • taint-mode: Disable symbolic-propagation when matching taint propagators
    to prevent unintended interactions. See https://semgrep.dev/playground/s/7KE0k. (code-8054)
  • Fixed pattern match deduplication to avoid an O(n^2) worst-case complexity, and
    optimized the matching of ordered ..., PAT, ... patterns. (saf-682)

v1.108.0

Compare Source

Added
  • pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)
Changed
  • Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
  • The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and
    "semgrep.policy:" are now filtered from the JSON output unless you
    are logged in with the Semgrep appsec platform.
    See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
  • The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)
Fixed
  • This PR changes the way we handle failures in git worktree remove more gracefully.
    Instead of erroring, we continue to scan so that the user can still get results, but
    log the error. It also adds a guard so that this failure is less likely to happen
    and will include more debugging information when it does. (sms-521)

v1.107.0

Compare Source

Added
  • More testing of pnpm-lock.yaml dependency parsing. (gh-2999)
  • Added a progress indicator during dependency resolution for supply chain scans. (sc-2045)
Fixed
  • The pro engine now respects the correct order of field resolution in Scala's
    multiple inheritance. The type that appears later takes precedence when
    resolving fields. For example, in class A extends B with C with D, the order
    of precedence is D, C, B, and A. (code-7891)
  • pro: taint: Fixed bug in callback support, see https://semgrep.dev/playground/s/oqobX (code-7976)
  • pro: python: Fixed resolution of calls to the implementation of abstract methods.
    See https://semgrep.dev/playground/s/X5kZ4. (code-7987)
  • Fixed the semgrep ci --help to not include experimental options
    like --semgrep-branch (saf-1746)
  • Peer dependency relationships in package-lock.json files are tracked when parsing a dependency graph (sc-2032)
  • Peer dependency relationships in pnpm-lock.yaml files are tracked when parsing a dependency graph (sc-2033)
Infra/Release Changes
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our Docker images (ocaml5-docker)

v1.106.0

Compare Source

No significant changes.

v1.104.0

Compare Source

Changed
  • Supply chain diff scans now skip resolving dependencies for subprojects without changes. (SC-2026)
Fixed
  • pro: Fixed bug in inter-file matching of subtypes. When looking to match some
    type A, Semgrep will match any type B that is a subtype of A, but in certain
    situations this did not work. (code-7963)

  • taint-mode: Make traces record assignments that transfer taint via shapes.

    For example, in code like:

    B b = new B(taint);
    B b1 = b;
    sink(b1.getTaintedData());
    

    The assignment b1 = b should be recorded in the trace but previously it was not. (code-7966)

  • Python: Parser updated to the most recent tree-sitter grammar.
    Parse rate from 99.8% -> 99.998%. (saf-1810)

v1.103.0

Compare Source

Added
  • pro: taint: Support for lambdas as callbacks.

    var tainted = source();
    
    function withCallback1(val, callback) {
        if (val) {
            callback(val);
        }
    }
    
    withCallback1(tainted, function (val) {
        sink(val); // finding !
    }); (code-7626)
    
  • pro: python: Semgrep will now consider top-level lambdas like x below for
    inter-procedural analysis:

    x = lambda s: sink(s) # now we get a finding !
    
    x(taint) (gh-10731)
    
Changed
  • Removed pip from the Semgrep Docker image. If you need it, you may install it by running apk add py3-pip. (saf-1774)
Fixed
  • Python: Now correctly parsing files with parenthesized withs, like this:
    with (
    f() as a,
    g() as b,
    ):
    pass
    ``` (saf-1802)
  • Semgrep will now truncate error messages that are produced when they are very long (saf-333)

v1.102.0

Compare Source

Added
  • Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
  • Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
  • The poetry.lock parser can now parse dependency relationships (ssc-1970)
  • The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)
Fixed
  • The semgrep test and semgrep validate commands have been
    correctly documented as EXPERIMENTAL (in semgrep --help).
    Those commands are not GA yet and people should still
    use the semgrep scan --test and semgrep scan --validate (or
    the variants without the implicit "scan") commands (unless
    they want to experiment with getting results faster and are ok
    with incomplete coverage of the legacy semgrep --test
    and semgrep --validate). (experimental)
  • Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
  • Fix the behavior of semgrep when running into broken symlinks.
    If such a path is passed explicitly as a scanning root on the
    command line, it results in an error. Otherwise if it's a file discovered
    while scanning the file system, it's a warning. (saf-1776)
  • Fixed another crash due to exception in lines_of_file. The code
    should now be more robust and not abort the whole scan when
    an out of bound line access happens during the nosemgrep analysis
    or when outputing the lines of a match. (saf-1778)
  • Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

v1.101.0

Compare Source

Added
  • Improved pnpm-lock.yaml parsing. (gh-2663)
Changed
Fixed
  • pro: Improved inter-file tracking of tainted global variables. (code-7054)

  • Python (pro-only): Taint now correctly tracks through calls to class methods
    within a class, via the cls parameter.

    So for instance, we would be able to determine a source-to-sink
    vulnerability in the following code snippet:

    class A:
      def foo(self, x):
        sink(x)
    
      @​classmethod
      def bar(cls):
        cls.foo(source)
    ``` (saf-1765)
    
  • pro: Fixed bug when generating inter-procedural taint traces, that it could
    cause a call-step to be missing in the trace. (saf-1783)

  • Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

v1.100.0

Compare Source

Added
  • Pro engine now correctly distinguishes overloaded Scala methods based on their
    arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)
Changed
  • The minimum Python version for semgrep is now 3.9.
    We are dropping support for Python 3.8 (python)
Fixed
  • pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
    false negatives when a function updated an arbitrary index, e.g.:

    var x = {};
    
    function foo(k) {
        x[k] = source();
    }
    
    function test(k) {
        foo(k);
        sink(x); // finding here!
    } (CODE-7838)
    
  • Fixed bug affecting taint tracking through static fields when mixing accesses
    using the class name and using an instance object, e.g.:

    class C {
        static String s;
    }
    
    ...
    
            C o = new C();
            C.s = taint;
            sink(o.s); // finding ! (CODE-7871)
    
  • No more RPC error when using --sarif with some join-mode rules.
    Moreover, regular rules without the 'languages:' field will be skipped
    instead of aborting the whole scan. (gh-10723)

v1.99.0

Compare Source

Fixed
  • Fix the date format used in --gitlab-sast option to match
    the spec and not use the RFC 3339.
    Thanks to Elias Haeussler for the fix. (saf-1755)

v1.97.0

Compare Source

Added
  • Improved logic for interfile analysis in TypeScript projects using
    project references. (code-7677)
  • Semgrep Pro engine now resolves method invocations on abstract classes. In
    addition to the existing resolution for interface method invocations, this
    change further enhances dataflow tracking accuracy for dynamic method
    invocations. (code-7750)
  • Added the ability to validate temporary AWS tokens in the secrets product. (gh-2554)
  • Poetry.lock & Pyproject.toml parsers can now handle multiline strings. (ssc-1942)
Fixed
  • Improved error handling for some networking errors (e.g., premature server
    disconnection). In some cases this would previously cause a fatal error, but we
    should instead be able to recover in most instances (and now can). (code-7715)
  • Target file selection in git projects: files containing special characters
    (according to git) are now scanned correctly instead of being ignored. (saf-1687)
  • Swift: Ellipses and metavariable ellipses can now be used as function parameters in patterns. (saf-1721)
  • Semgrep will no longer freeze when tracing is enabled and it has a low memory limit (saf-1722)
  • osemgrep-pro: Autofix and nosemgrep now work properly (saf-1724)

v1.96.0

Compare Source

Added
  • The pro engine now handles duplicate function names in C. When duplicate
    functions are found, we assume that any of the duplicated functions could be
    called. For example, if the function foo is defined in two different files,
    taint errors will be reported for both instances:

    // "a/test.h"
    void foo(int x) {
        //deepruleid: dup-symbols
        sink(x);
    }
    
    // "b/test.h"
    void foo(int x) {
        //deepruleid: dup-symbols
        sink(x);
    }
    
    // "main.c"
    #ifdef HEADER_A
        #include "a/test.h"
    #else
        #include "b/test.h"
    #endif
    
    int main() {
        int x = source();
        foo(x);
    }
    ``` (code-7654)
    
Changed
  • Reduced memory allocations while processing nosemgrep comments, improving memory use and time for scans with a large number of findings. (nosem-mem)
Fixed
  • Optimized taint-mode (only in Pro) to scale better when there is a large number
    of matches of sources/propagators/sanitizers/sinks within a function. (flow-83)
  • Fixed a bug in the supply chain scanner's gradle lockfile parser. Previously, semgrep would fail to parse
    any gradle lockfile which did not start with a specific block comment. Now, semgrep will parse gradle
    lockfiles correctly by ignoring the comment (allowing any or no comment at all to exist). (gh-10508)
  • Exceptions thrown during the processing of a target should not fail
    the whole scan anymore (regression introduced in 1.94.0). The scan will
    have an exit code of 0 instead of 2 (unless the user passed --strict in which
    case it will exit with code 2). (incid-110)
  • Fix exponential parsing time with generic mode on input containing many
    unclosed braces on the same line. (saf-1667)
  • Fix regexp parsing error occurring during ReDoS analysis when encountering
    a character class starting with [: such as [:a-z]. (saf-1693)
  • Fix in semgrep scan: anchored semgrepignore patterns for folders such
    as /tests are now honored properly. Such patterns had previously no
    effect of target file filtering. (semgrepignore-anchored-dirs)

v1.95.0

Compare Source

Changed
  • Remove deprecated --enable-experimental-requirements flag. Functionality has
    been always enabled since Semgrep 1.93.0. (ssc-1903)
Fixed
  • osemgrep: Running osemgrep with the Pro Engine now correctly runs rules with proprietary languages (saf-1686)
  • Fixed bug where semgrep would crash if --trace was passed (saf-tracing)

v1.94.0

Compare Source

Fixed
  • pro: taint-mode: Semgrep should no longer confuse a return in a lambda with
    a return in its enclosing function.

    E.g. In the example below the return value of foo is NOT tainted:

    function foo() {
        bar(() => taint);
        return ok;
    } (code-7657)
    
  • OCaml: matching will now recognized "local open" so that a pattern like
    Foo.bar ... will now correctly match code such as let open Foo in bar 1
    or Foo.(bar 1) in addition to the classic Foo.bar 1. (local_open)

  • Project files lacking sufficient read permissions are now skipped gracefully
    by semgrep. (saf-1598)

  • Semgrep will now print stderr and additional debugging info when semgrep-core
    exits with a fatal error code but still returns a json repsonse (finishes
    scanning) (saf-1672)

  • semgrep ci should parse correctly git logs to compute the set of contributors
    even if some authors have special characters in their names. (saf-1681)

v1.93.0

Compare Source

Added
  • Improved naming for Common JS module imports (require) in arbitrary
    expression contexts. Notably, in-line use of require should now be linked to
    the correct module. For instance, the pattern foo.bar should now match
    against require('foo').bar and taint is likewise similarily tracked. (code-7485)
  • Secrets: semgrep ci output now includes a list of all secrets rules which
    generated at least one blocking finding (similar to Code) (code-7663)
  • Added experimental support via --allow-dynamic-dependency-resolution for dynamic resolution of Maven and Gradle dependencies for projects that do not have lockfiles (in Semgrep Pro only). (gh-2389)
  • Expanded support for pip requirement lockfiles is now available by default. Semgrep will now
    find any requirement.txt file and lockfiles in a requirements folder (**/requirements/*.txt).
    The existing experimental flag --enable-experimental-requirements is now deprecated and
    will be removed in a future release. (gh-2441)
Changed
  • Removed support for Vue. The tree-sitter grammar has not been updated in 3 years,
    there was no community rules added and semgrep-vue is causing linking conflicts
    when compiling semgrep under Windows so just simpler to remove support for Vue.
    In theory, extract mode could be a good substitute to parse Vue files. (vue)
Fixed
  • semgrep will now print exit codes if a segfault/OOM/other terminating signal happens in semgrep-core, or any of semgrep-core's child processes (saf-1646)

v1.92.0

Compare Source

Added
  • Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
    when they lead to a sink, e.g.:

    function unsafe_callback(x) {
      sink(x); // finding here now !
    }
    
    function withCallback(val, callback) {
      callback(val);
    }
    
    withCallback(taint, unsafe_callback); (code-7476)
    
  • New subcommand dump-cst for tree-sitter languages available via semgrep show. This shows the concrete syntax tree for a given file. (code-7653)

  • Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)

  • Added support for the Move-on-sui language! (sui)

  • Pro-only: semgrep test now supports the --pro flag to not only use pro languages
    but also run the tests with the --pro-intrafile engine flag. If a finding
    is detected only by the pro engine, please use proruleid: instead of ruleid:
    and if an OSS finding is actually a false positive for the pro engine, please
    add the prook: to your test annotation. (test_pro)

Fixed
  • pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
    in the correct dependency order, potentially leading to FNs. (code-7649)

  • Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
    is not enabled. (grow-422)

  • semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)

  • Previously, semgrep fails when --trace-endpoint is specified, but --trace is not.

    Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

v1.91.0

Compare Source

Added
  • Type inference in the Pro engine has been improved for class fields in
    TypeScript that are assigned a new instance but lack an explicit type
    definition. When no explicit type is provided for a class field, its type is
    inferred from the type of the expression assigned to it. For example, in the
    class definition class Foo { private readonly bar = new Bar(); }, the type of
    bar is inferred to be Bar. (code-7635)
  • Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)
Fixed
  • Address python rich.errors.LiveError where attempting to display multiple progress bars
    raises an exception as flagged in #​10562. (grow-414)
  • C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
  • When a scan runs into an exception, the app is appropriately notified
    about the failure. Previously, in the app, it would seem to the user
    that the scan is still in progress. (sms-502)

v1.90.0

Compare Source

Added
  • Expanded support for requirement lockfiles. Semgrep will now find any *requirement*.txt
    file and lockfiles in a requirements folder (**/requirements/*.txt). This functionality
    will be gated behind the --enable-experimental-requirements CLI flag. (sc-1752)
Changed
  • Security update for code snippet storage & access methods. (gh-2038)
Fixed
  • Errors that occur in semgrep scans with jobs > 1 will now have more detail (SAF-1628)
  • Dockerfile matching: CMD $...ARGS now behaves like CMD ... and matches
    any CMD instruction that uses the array syntax such as CMD ["ls"]. This
    fix also applies to the other command-like instructions RUN
    and ENTRYPOINT. (gh-9726)
  • Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like
    Foo() will now be inferred properly to be of type Foo. (saf-1537)

v1.89.0

Compare Source

Fixed
  • Fix crash on certain SCA parse errors caused by an access to an unbound variable. (gh-2259)

v1.88.0

Compare Source

Added
  • The dataflow analysis in the Pro engine can now track method invocations on
    variables of an interface type, safely assuming that any implementation of the
    method can be called. For example, tainted input vulnerabilities in both
    implementation classes can now be detected in the following code:

    public interface MovieService {
      String vulnerableInjection(String input);
    }
    
    public class SimpleImpl implements MovieService {
      @​Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }
    
    public class MoreImpl implements MovieService {
      @​Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }
    
    public class AppController {
      private MovieService movieService;
    
      public String pwnTest(String taintedInput) {
        return movieService.vulnerableInjection(taintedInput);
      }
    }
    ``` (code-7435)
  • Type inference for constructor parameter properties in TypeScript is now
    supported in the Pro engine. For example, the taint analysis can recognize that
    sampleFunction is defined in AbstractedService class in the following code:

    export class AppController {
        constructor(private readonly abstractedService: AbstractedService) {}
    
        async taintTest() {
            const src = source();
            await this.abstractedService.sampleFunction(src);
        }
    }
    ``` (code-7597)
    
Changed
  • include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. (gh-2033)

v1.87.0

Compare Source

Added
  • Semgrep now infers more accurate type information for class fields in
    TypeScript. This improves taint tracking for dependency injection in
    TypeScript, such as in the following example:

    export class AppController {
        private readonly abstractedService: AbstractedService;
    
        constructor(abstractedService: AbstractedService) {
            this.abstractedService = abstractedService;
        }
    
        async taintTest() {
            const src = taintedSource();
            await this.abstractedService.sinkInHere(src);
        }
    }
    ``` (code-7591)
    
  • Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)

  • Added support for comparing Golang pre-release versions. With this, strict
    core versions, pseudo-versions and pre-release versions can all be
    compared to each other. (sc-1739)

Changed
  • If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
    now try to recover from it and continue the interfile analysis without falling back
    immediately to intrafile analysis. This allows using --max-memory with --pro in
    a more effective way. (flow-81)
  • Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)
Fixed
  • pro: taint-mode: Restore missing taint findings after having improved index-
    sensitivity:

    def foo(t):
        x = third_party_func(t)
        return x
    
    def test1():
        t = ("ok", taint)
        y = foo(t)
        sink(y) # now it's found! (code-7486)
    
  • The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)

v1.86.0

Compare Source

Added
  • The taint analysis can now track method invocations on variables of an
    interface type, when there is a single implementation. For example, the tainted
    input vulnerability can now be detected in the following code:

    public interface MovieService {
      String vulnerableInjection(String input);
    }
    
    @​Service
    public class MovieServiceImpl implements MovieService {
      @​Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }
    
    @​RestController("/")
    public class SpringController {
    
      @​Autowired
      private MovieService movieService;
    
      @​GetMapping("/pwn")
      public String pwnTest(@​RequestParam("input") String taintedInput) {
        return movieService.vulnerableInjection(taintedInput);
      }
    }

    When there are multiple implementations, the taint analysis will not follow any
    of them. We will add handling of cases with multiple implementations in
    upcoming updates. (code-7434)

  • Uses of values imported via ECMAScript default imports (e.g., import example from 'mod';) can now be matched by qualified name patterns (e.g.,
    mod.default). (code-7463)

  • Pro: taint-mode: Allow (experimental) control taint to propagate through returns.

    Now this taint rule:

    pattern-sources:
    - control: true
      pattern: taint()
    pattern-sinks:
    - pattern: sink()
    

    It is able to find this:

    def foo():
      taint()
    
    def test():
      foo()
      sink() # now it is found! (code-7490)
    
  • A new flag --max-log-list-entries allows to control the
    maximum number of entries that will be shown in the log (e.g.,
    list of rule ids, list of skipped files).
    A zero or negative value disables this filter.
    The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)

Changed
  • Semgrep will now log memory-related warnings/errors when run in --debug mode,
    without the need to set SEMGREP_LOG_SRCS=process_limits. (logging)
Fixed
  • Fixed inter-file constant propagation to prevent some definitions from being
    incorrectly identified as constant, when they are modified in other parts of
    the codebase. (code-6793)

  • pro: taint-mode: Fixed bug in taint signature instantiation that could cause an
    update to a field in a nested object to not be tracked.

    For example, in the code below, Semgrep knew that Nested.update updates the
    fld attribute of a Nested object. But due to this bug, Semgrep would not know that Wrapper.updateupdated thefldattribute of thenestedobject attribute in aWrapper` object.

    public class Nested {
    
        private String fld;
    
        public void update(String str) {
            fld = str;
        }
    
        // ...
    }
    
    public class Wrapper {
    
        private Nested nested;
    
        public void update(String str) {
            this.nested.update(str);
        }
    
    // ...
    } (code-7499)
    
  • Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)

  • Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)

  • Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)

  • Fixed regex-fix numbered capture groups, where it used to be the case that
    a replacement: regex with numbered capture groups like \1\2\3 would effectivly
    be the same as \1\1\1.

    After the fix:


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from bbdf4f3 to 6c833fb Compare September 14, 2024 02:53
@renovate renovate bot changed the title Update dependency semgrep to v1.86.0 Update dependency semgrep to v1.87.0 Sep 14, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 6c833fb to 2d38809 Compare September 20, 2024 05:52
@renovate renovate bot changed the title Update dependency semgrep to v1.87.0 Update dependency semgrep to v1.89.0 Sep 20, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 2d38809 to d7bbee7 Compare September 26, 2024 02:41
@renovate renovate bot changed the title Update dependency semgrep to v1.89.0 Update dependency semgrep to v1.90.0 Sep 26, 2024
@renovate renovate bot changed the title Update dependency semgrep to v1.90.0 Update dependency semgrep to v1.91.0 Oct 11, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from d7bbee7 to 14d1834 Compare October 11, 2024 08:52
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 14d1834 to 6e7e0a4 Compare October 18, 2024 23:48
@renovate renovate bot changed the title Update dependency semgrep to v1.91.0 Update dependency semgrep to v1.92.0 Oct 18, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 6e7e0a4 to 34d4cd4 Compare October 23, 2024 23:43
@renovate renovate bot changed the title Update dependency semgrep to v1.92.0 Update dependency semgrep to v1.93.0 Oct 23, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 34d4cd4 to 0910328 Compare October 31, 2024 23:55
@renovate renovate bot changed the title Update dependency semgrep to v1.93.0 Update dependency semgrep to v1.95.0 Oct 31, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 0910328 to 94793e1 Compare November 8, 2024 08:56
@renovate renovate bot changed the title Update dependency semgrep to v1.95.0 Update dependency semgrep to v1.96.0 Nov 8, 2024
@renovate renovate bot changed the title Update dependency semgrep to v1.96.0 Update dependency semgrep to v1.97.0 Nov 20, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 94793e1 to 7fb5f0d Compare November 20, 2024 05:48
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 7fb5f0d to c5cb7e1 Compare December 6, 2024 23:39
@renovate renovate bot changed the title Update dependency semgrep to v1.97.0 Update dependency semgrep to v1.99.0 Dec 6, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from c5cb7e1 to 9b5ca2e Compare December 14, 2024 01:55
@renovate renovate bot changed the title Update dependency semgrep to v1.99.0 Update dependency semgrep to v1.100.0 Dec 14, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 9b5ca2e to aef73a5 Compare December 21, 2024 14:57
@renovate renovate bot changed the title Update dependency semgrep to v1.100.0 Update dependency semgrep to v1.101.0 Dec 21, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from aef73a5 to f511860 Compare January 10, 2025 03:14
@renovate renovate bot changed the title Update dependency semgrep to v1.101.0 Update dependency semgrep to v1.102.0 Jan 10, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from f511860 to 9b9a358 Compare January 15, 2025 23:35
@renovate renovate bot changed the title Update dependency semgrep to v1.102.0 Update dependency semgrep to v1.103.0 Jan 15, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 9b9a358 to 105594a Compare January 23, 2025 04:18
@renovate renovate bot changed the title Update dependency semgrep to v1.103.0 Update dependency semgrep to v1.104.0 Jan 23, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 105594a to 5ce0d0a Compare January 31, 2025 16:10
@renovate renovate bot changed the title Update dependency semgrep to v1.104.0 Update dependency semgrep to v1.106.0 Jan 31, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 5ce0d0a to 0a2dce7 Compare February 6, 2025 04:04
@renovate renovate bot changed the title Update dependency semgrep to v1.106.0 Update dependency semgrep to v1.107.0 Feb 6, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 0a2dce7 to 7c8552c Compare February 15, 2025 07:31
@renovate renovate bot changed the title Update dependency semgrep to v1.107.0 Update dependency semgrep to v1.108.0 Feb 15, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 7c8552c to b9b43d2 Compare February 20, 2025 08:02
@renovate renovate bot changed the title Update dependency semgrep to v1.108.0 Update dependency semgrep to v1.109.0 Feb 20, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from b9b43d2 to 453a9c1 Compare February 27, 2025 20:12
@renovate renovate bot changed the title Update dependency semgrep to v1.109.0 Update dependency semgrep to v1.110.0 Feb 27, 2025
@renovate renovate bot changed the title Update dependency semgrep to v1.110.0 Update dependency semgrep to v1.111.0 Mar 6, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 453a9c1 to f7da948 Compare March 6, 2025 07:36
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from f7da948 to 2a5707a Compare March 15, 2025 03:49
@renovate renovate bot changed the title Update dependency semgrep to v1.111.0 Update dependency semgrep to v1.112.0 Mar 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants