Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump semgrep from 1.13.0 to 1.14.0 #71

Merged
merged 1 commit into from
Mar 2, 2023
Merged

build(deps): bump semgrep from 1.13.0 to 1.14.0 #71

merged 1 commit into from
Mar 2, 2023

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 2, 2023

Bumps semgrep from 1.13.0 to 1.14.0.

Release notes

Sourced from semgrep's releases.

Release v1.14.0

1.14.0 - 2023-03-01

Added

  • Add new hashes of a match (finding) to send to the app:
    • code_hash
    • pattern_hash
    • start_line_hash
    • end-line_hash (gh-7218)

Changed

  • taint-mode: Historically, the matching of taint sinks has been somewhat imprecise. For example, sink(ok if tainted else ok) was flagged. Recently, we made sink- matching more precise for sinks like sink(...) declaring that any argument of a given function is a sink. Now we make it more precise when specific arguments of a function are sinks, like:

    pattern-sinks:
- patterns:
  - pattern: sink($X, ...)
  - focus-metavariable: $X

    So sink(ok1 if tainted else ok2), sink(not_a_propagator(tainted)), and sink(some_array[tainted]), will not be reported as findings. (pa-2477)

  • The --gitlab-sast and --gitlab-secrets output formats have been upgraded. The output is now valid with the GitLab v15 schema, while staying valid with the GitLab v14 schema as well. Code findings now include the confidence of the rule. Supply Chain findings now include the exposure type. (sc-635)

Fixed

  • Fix: Semgrep Pro previously reported a crash for user errors such as invalid patterns. It will now give a good error message. (gh-7028)
  • Dataflow: Fixed incorrect translation of side-effects inside Boolean expressions, this was (for example) causing if (cond && x = 42) S1; S2 to be interpreted as x = 42; if (cond && x) S1; S2, thus incorrectly flagging x as a constant inside S2. (gh-7199)
  • Solidity: support enum and event patterns (gh-7230)
  • Kotlin: allow to match extended class in any order

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.14.0 - 2023-03-01

Added

  • Add new hashes of a match (finding) to send to the app:
    • code_hash
    • pattern_hash
    • start_line_hash
    • end-line_hash (gh-7218)

Changed

  • taint-mode: Historically, the matching of taint sinks has been somewhat imprecise. For example, sink(ok if tainted else ok) was flagged. Recently, we made sink- matching more precise for sinks like sink(...) declaring that any argument of a given function is a sink. Now we make it more precise when specific arguments of a function are sinks, like:

    pattern-sinks:
  - patterns:
      - pattern: sink($X, ...)
      - focus-metavariable: $X

    So sink(ok1 if tainted else ok2), sink(not_a_propagator(tainted)), and sink(some_array[tainted]), will not be reported as findings. (pa-2477)

  • The --gitlab-sast and --gitlab-secrets output formats have been upgraded. The output is now valid with the GitLab v15 schema, while staying valid with the GitLab v14 schema as well. Code findings now include the confidence of the rule. Supply Chain findings now include the exposure type. (sc-635)

Fixed

  • Fix: Semgrep Pro previously reported a crash for user errors such as invalid patterns. It will now give a good error message. (gh-7028)
  • Dataflow: Fixed incorrect translation of side-effects inside Boolean expressions, this was (for example) causing if (cond && x = 42) S1; S2 to be interpreted as x = 42; if (cond && x) S1; S2, thus incorrectly flagging x as a constant inside S2. (gh-7199)
  • Solidity: support enum and event patterns (gh-7230)
  • Kotlin: allow to match extended class in any order (e.g., the pattern class $X : Foo will also match class Stuff : Bar, Foo). (gh-7248)
  • taint-mode: Code such as sink(sanitizer(source) if source else ok) will not be incorrectly reported as a tainted sink. This follows a previous attempt at fixing these issues in version 1.1.0. (pa-2509)
  • metavariable-pattern: Fixed regression introduced in version 1.9.0 that broke the use of pattern-not within metavariable-pattern in some cases. (pa-2510)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump semgrep from 1.13.0 to 1.14.0
1179c9b 
Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.13.0 to 1.14.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/returntocorp/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.13.0...v1.14.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 2, 2023
@dependabot dependabot bot requested a review from chyccs March 2, 2023 01:20
@github-actions github-actions bot changed the title build(deps): bump semgrep from 1.13.0 to 1.14.0 build(deps): bump semgrep from 1.13.0 to 1.14.0 Mar 2, 2023
@codeclimate
Copy link

codeclimate bot commented Mar 2, 2023

Code Climate has analyzed commit 1179c9b and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 65.3% (0.0% change).

View more on Code Climate.

@chyccs chyccs merged commit 7a071e4 into master Mar 2, 2023
@chyccs chyccs deleted the dependabot/pip/semgrep-1.14.0 branch March 2, 2023 05:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chyccs chyccs Awaiting requested review from chyccs

Assignees

@chyccs chyccs

Labels
dependencies Pull requests that update a dependency file pipfile size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@chyccs