Skip to content

Bump semgrep from 1.99.0 to 1.100.0#126

Merged
asullivan-blze merged 1 commit intomainfrom
dependabot/pip/semgrep-1.100.0
Dec 19, 2024
Merged

Bump semgrep from 1.99.0 to 1.100.0#126
asullivan-blze merged 1 commit intomainfrom
dependabot/pip/semgrep-1.100.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 16, 2024

Bumps semgrep from 1.99.0 to 1.100.0.

Release notes

Sourced from semgrep's releases.

Release v1.100.0

1.100.0 - 2024-12-12

Added

  • Pro engine now correctly distinguishes overloaded Scala methods based on their arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)

Changed

  • The minimum Python version for semgrep is now 3.9. We are dropping support for Python 3.8 (python)

Fixed

  • pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused false negatives when a function updated an arbitrary index, e.g.:

    var x = {};

    function foo(k) {
x[k] = source();
}
    

    function test(k) {
foo(k);
sink(x); // finding here!
} (CODE-7838)

  • Fixed bug affecting taint tracking through static fields when mixing accesses using the class name and using an instance object, e.g.:

    class C {
    static String s;
}

    ...
    

        C o = new C();
    C.s = taint;
    sink(o.s); // finding ! (CODE-7871)

  • No more RPC error when using --sarif with some join-mode rules. Moreover, regular rules without the 'languages:' field will be skipped instead of aborting the whole scan. (gh-10723)

Changelog

Sourced from semgrep's changelog.

1.100.0 - 2024-12-12

Added

  • Pro engine now correctly distinguishes overloaded Scala methods based on their arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)

Changed

  • The minimum Python version for semgrep is now 3.9. We are dropping support for Python 3.8 (python)

Fixed

  • pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused false negatives when a function updated an arbitrary index, e.g.:

    var x = {};

    function foo(k) {
x[k] = source();
}
    

    function test(k) {
foo(k);
sink(x); // finding here!
} (CODE-7838)

  • Fixed bug affecting taint tracking through static fields when mixing accesses using the class name and using an instance object, e.g.:

    class C {
    static String s;
}

    ...
    

        C o = new C();
    C.s = taint;
    sink(o.s); // finding ! (CODE-7871)

  • No more RPC error when using --sarif with some join-mode rules. Moreover, regular rules without the 'languages:' field will be skipped instead of aborting the whole scan. (gh-10723)

Commits
  • 2a5266d chore: release version 1.100.0
  • f598c5dsemgrep/semgrep-proprietary#2786
  • e8219f9 chore: Remove check-builtin-literals pre-commit from OSS (semgrep/semgrep-pro...
  • 28b6672semgrep/semgrep-proprietary#2773
  • 8da1b56semgrep/semgrep-proprietary#2778
  • 77cd7a6 Fix osemgrep target selection bugs for reg file and symlinks on the command l...
  • 0dc9518 Add format_context to SARIF RPC and gate some fields (semgrep/semgrep-proprie...
  • 75361cbsemgrep/semgrep-proprietary#2605
  • dd81e79semgrep/semgrep-proprietary#2763
  • 47faae9semgrep/semgrep-proprietary#2762
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump semgrep from 1.99.0 to 1.100.0
fcc1ba9 
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.99.0 to 1.100.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.99.0...v1.100.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Dec 16, 2024
@asullivan-blze asullivan-blze merged commit fcc7c65 into main Dec 19, 2024
@asullivan-blze asullivan-blze deleted the dependabot/pip/semgrep-1.100.0 branch December 19, 2024 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asullivan-blze asullivan-blze asullivan-blze approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@asullivan-blze