
build(deps): bump semgrep from 1.9.0 to 1.10.0 #53

Merged
merged 1 commit into from
Feb 9, 2023

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Feb 9, 2023

Bumps semgrep from 1.9.0 to 1.10.0.

Release notes

Sourced from semgrep's releases.

Release v1.10.0

1.10.0 - 2023-02-08

Added

  • Experimental support for XML (gh-5939)
  • Rust: Beta support for Rust. (gh-6545)
  • Rule syntax: Metavariable bindings bound within metavariable-pattern now persist to outside of the metavariable-pattern (pa-2490)
  • Updated all lockfile parsers (except Cargo.lock) to produce better error messages, at the cost of a couple seconds of slowdown on large (>10k lines) lockfiles (sc-better-parsers)

Changed

  • Pro: --pro will now enable all Pro features, including Apex, inter-procedural taint analysis, and also inter-file analysis for supported languages. For Apex support only (and more languages in the future) now use --pro-languages. For intra-file analysis only now use --pro-intrafile. Flags --interproc and --interfile are now deprecated. (pa-2488)
  • The output formatting of semgrep ci is getting revamped in the coming weeks. This release includes the first couple changes to the output. (sc-590)
  • Packages from the maven ecosystem are now parsed to include their org slug. This means a log4j rule must now use org.apache.logging.log4j:log4j-core instead of just log4j-core. This change is backwards incompatible, in that any Java Supply Chain rules not taking this into account will stop producing any findings, since the packages parsed from lockfiles will include the org, but the old rules will not. (sc-maven-org)

Fixed

  • Rust: correctly parse the last expression in blocks (gh-7071)
  • Dataflow traces: Findings now always display the separating line with --dataflow-traces in the CLI, to reduce confusion over where the findings fall between the dataflow traces. (pa-2471)
  • CLI: Added install-semgrep-pro to the list of commands in the semgrep --help help text. (pa-2505)
  • Fixed bug where gradle.lockfile files would fail to parse if they contained a trailing newline, and bug where an error on a trailing newline would cause our lockfile parse error pretty printing to fail (sc-trailing-newline)

Changelog

Sourced from semgrep's changelog.

1.10.0 - 2023-02-08

Added

  • Experimental support for XML (gh-5939)
  • Rust: Beta support for Rust. (gh-6545)
  • Rule syntax: Metavariable bindings bound within metavariable-pattern now persist to outside of the metavariable-pattern (pa-2490)
  • Updated all lockfile parsers (except Cargo.lock) to produce better error messages, at the cost of a couple seconds of slowdown on large (>10k lines) lockfiles (sc-better-parsers)

Changed

  • Pro: --pro will now enable all Pro features, including Apex, inter-procedural taint analysis, and also inter-file analysis for supported languages. For Apex support only (and more languages in the future) now use --pro-languages. For intra-file analysis only now use --pro-intrafile. Flags --interproc and --interfile are now deprecated. (pa-2488)
  • The output formatting of semgrep ci is getting revamped in the coming weeks. This release includes the first couple changes to the output. (sc-590)
  • Packages from the maven ecosystem are now parsed to include their org slug. This means a log4j rule must now use org.apache.logging.log4j:log4j-core instead of just log4j-core. This change is backwards incompatible, in that any Java Supply Chain rules not taking this into account will stop producing any findings, since the packages parsed from lockfiles will include the org, but the old rules will not. (sc-maven-org)

Fixed

  • Rust: correctly parse the last expression in blocks (gh-7071)
  • Dataflow traces: Findings now always display the separating line with --dataflow-traces in the CLI, to reduce confusion over where the findings fall between the dataflow traces. (pa-2471)
  • CLI: Added install-semgrep-pro to the list of commands in the semgrep --help help text. (pa-2505)
  • Fixed bug where gradle.lockfile files would fail to parse if they contained a trailing newline, and bug where an error on a trailing newline would cause our lockfile parse error pretty printing to fail (sc-trailing-newline)

Commits

  • 5e380e3 chore: Bump version to 1.10.0
  • 385fcff Mask the whitespace after the python version (#7110)
  • 19133ad feat(ci): allow users to run an individual repo in CI with a different engine...
  • 4e2d2ff fix(SSC): Include org name when parsing Maven packages (#7091)
  • 4376fc7 chore(SSC): Lots of new lockfile parsing tests, plus parsing fixes (#7094)
  • 3f02156 Update heading styles and debug info (#7103)
  • 45b19ec Python: convert "self" to IdSpecial Self in python_to_generic (#7101)
  • 1ae673b tech debt: get rid of resolved_name in AST_Python (#7100)
  • c94ee4d fix snapshots (#7097)
  • 3f0ab47 chore: handle unparsable URLs (#7081)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/returntocorp/semgrep/blob/v1.10.0/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 9, 2023
@dependabot dependabot bot requested a review from chyccs February 9, 2023 05:48
@codeclimate

codeclimate bot commented Feb 9, 2023

Code Climate has analyzed commit c907d4b and detected 0 issues on this pull request.

View more on Code Climate.

@github-actions github-actions bot changed the title build(deps): bump semgrep from 1.9.0 to 1.10.0 build(deps): bump semgrep from 1.9.0 to 1.10.0 Feb 9, 2023
@chyccs
Owner

chyccs commented Feb 9, 2023

@dependabot squash and merge

@dependabot dependabot bot merged commit 69dd15e into master Feb 9, 2023
@dependabot dependabot bot deleted the dependabot/pip/semgrep-1.10.0 branch February 9, 2023 05:50