Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency semgrep to v1.111.0 #257

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Update dependency semgrep to v1.111.0 #257

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 19, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semgrep ==1.108.0 -> ==1.111.0 age adoption passing confidence

Release Notes

returntocorp/semgrep (semgrep)

v1.111.0

Compare Source

Changed
  • Removed .semgrepignore file lookup using the SEMGREP_R2C_INTERNAL_EXPLICIT_SEMGREPIGNORE environment variable. This was used by semgrep-action which
    has been deprecated. (semgrep-action)
Fixed
  • pro: Fixed bug that could prevent taint tracking from following a virtual call
    in JS/TS. (code-8065)
  • PRO: Restricted heuristic search of the Python module path to paths only under
    the project root to reduce inaccuracies in module resolution. This change
    mitigates the risk of resolving module specifiers to incorrect paths,
    particularly in cases involving common library names (e.g., django). (code-8146)
  • Fix the incorrect schema and analysis type in the JSON output of the secret
    findings when using the --gitlab-secrets flag. (scrt-833)

v1.110.0

Compare Source

Added

  • pro: Inter-file analysis will now process Javascript and Typescript files
    together, so that taint can be tracked across both languages. (code-8076)

  • Pro: new metavariable-name operator which allows for expressing a constraint
    against the fully qualified name or nearest equivalent of a metavariable
    (useful mainly in JavaScript and TypeScript, where there is no first-class
    syntax for this, or where such names or pseudo-names containt symbols which
    cannot appear in identifiers). Requires pro naming passes and works best with
    interfile naming.

    Additional documentation forthcoming. (code-8121)

Changed
  • Upgrade from OCaml 4.14.0 to OCaml 5.2.1 for our PyPI and Homebrew distributions. Our Docker images have been built with OCaml 5.2.1 since Semgrep 1.107.0. (ocaml5)
Fixed

  • Fixed a regression in pro interfile mode where type inference for the var
    keyword in Java was not functioning correctly. (code-7991)

  • PRO: Fix the range not found error when using a metavariable pattern match on
    a typed metavariable. For example, the following metavariable pattern rule will
    no longer trigger the error:

    patterns:
  - pattern: ($FOO $VAR).bar()
  - metavariable-pattern:
      metavariable: $FOO
      pattern-either:
        - pattern: org.foo.Foo
``` (code-8007)

  • lsp will no longer send diagnostics where the message is MarkupContent since
    our current implementation does not discriminate on the client capability for
    recieiving such diagnostics (to-be-added in 3.18). (code-8120)

  • Yarn.lock parser now correctly denotes NPM organization scope. (sc-2107)

  • Packages in Package.resolved without a version are now ignored. (sc-2116)

  • Updated Package.swift parser to support:

    • The url value in a .package entry doesn't have to end with .git
    • You can have an exact field that looks like exact: "1.0.0" instead of .exact("1.0.0")
    • The exact version can be an object like Version(1,2,3) instead of a string
    • You can have .package values with no url, like this: .package(name: "package", path: "foo/bar") (sc-2117)

v1.109.0

Compare Source

Changed
  • Pyproject.toml files are now parsed using a toml parser (tomli). (sc-2054)
Fixed
  • pro: taint-mode: Fixed limitation in custom taint propagators.
    See https://semgrep.dev/playground/s/ReJQO (code-7967)
  • taint-mode: Disable symbolic-propagation when matching taint propagators
    to prevent unintended interactions. See https://semgrep.dev/playground/s/7KE0k. (code-8054)
  • Fixed pattern match deduplication to avoid an O(n^2) worst-case complexity, and
    optimized the matching of ordered ..., PAT, ... patterns. (saf-682)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency semgrep to v1.109.0 Update dependency semgrep to v1.110.0 Feb 27, 2025
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from ca8cc72 to 5e8f961 Compare February 27, 2025 03:12
@renovate renovate bot force-pushed the renovate/semgrep-1.x branch from 5e8f961 to 395e8b9 Compare March 5, 2025 03:08
@renovate renovate bot changed the title Update dependency semgrep to v1.110.0 Update dependency semgrep to v1.111.0 Mar 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants