Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency semgrep to >=1.87,<1.88 #834

Merged
merged 1 commit into from
Sep 18, 2024
Merged

Update dependency semgrep to >=1.87,<1.88 #834

merged 1 commit into from
Sep 18, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 13, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semgrep >=1.85,<1.87 -> >=1.87,<1.88 age adoption passing confidence

Release Notes

returntocorp/semgrep (semgrep)

v1.87.0

Compare Source

Added

  • Semgrep now infers more accurate type information for class fields in
    TypeScript. This improves taint tracking for dependency injection in
    TypeScript, such as in the following example:

    export class AppController {
    private readonly abstractedService: AbstractedService;

    constructor(abstractedService: AbstractedService) {
        this.abstractedService = abstractedService;
    }

    async taintTest() {
        const src = taintedSource();
        await this.abstractedService.sinkInHere(src);
    }
}
``` (code-7591)

  • Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)

  • Added support for comparing Golang pre-release versions. With this, strict
    core versions, pseudo-versions and pre-release versions can all be
    compared to each other. (sc-1739)

Changed
  • If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
    now try to recover from it and continue the interfile analysis without falling back
    immediately to intrafile analysis. This allows using --max-memory with --pro in
    a more effective way. (flow-81)
  • Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)
Fixed

  • pro: taint-mode: Restore missing taint findings after having improved index-
    sensitivity:

    def foo(t):
    x = third_party_func(t)
    return x

def test1():
    t = ("ok", taint)
    y = foo(t)
    sink(y) # now it's found! (code-7486)

  • The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@clavedeluna clavedeluna added this pull request to the merge queue Sep 16, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Sep 16, 2024
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch 2 times, most recently from 5cc2f77 to 1738508 Compare September 17, 2024 12:00
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Sep 18, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@clavedeluna clavedeluna added this pull request to the merge queue Sep 18, 2024
Merged via the queue into main with commit affc539 Sep 18, 2024
13 checks passed
@clavedeluna clavedeluna deleted the renovate/semgrep-1.x branch September 18, 2024 11:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clavedeluna clavedeluna clavedeluna approved these changes

@drdavella drdavella Awaiting requested review from drdavella drdavella is a code owner

@andrecsilva andrecsilva Awaiting requested review from andrecsilva andrecsilva is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@clavedeluna