chore(deps): update pre-commit hook returntocorp/semgrep to v1.92.0

[alma-renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
returntocorp/semgrep	repository	minor	v1.27.0 -> v1.92.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

returntocorp/semgrep (returntocorp/semgrep)

v1.92.0

Compare Source

1.92.0 - 2024-10-17

Added

• Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
  when they lead to a sink, e.g.:

  function unsafe_callback(x) {
    sink(x); // finding here now !
  }
  
  function withCallback(val, callback) {
    callback(val);
  }
  
  withCallback(taint, unsafe_callback); (code-7476)
  

• New subcommand dump-cst for tree-sitter languages available via semgrep show. This shows the concrete syntax tree for a given file. (code-7653)

• Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)

• Added support for the Move-on-sui language! (sui)

• Pro-only: semgrep test now supports the --pro flag to not only use pro languages
  but also run the tests with the --pro-intrafile engine flag. If a finding
  is detected only by the pro engine, please use proruleid: instead of ruleid:
  and if an OSS finding is actually a false positive for the pro engine, please
  add the prook: to your test annotation. (test_pro)

Fixed

• pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
  in the correct dependency order, potentially leading to FNs. (code-7649)

• Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
  is not enabled. (grow-422)

• semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)

• Previously, semgrep fails when --trace-endpoint is specified, but --trace is not.

  Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)

v1.91.0

Compare Source

1.91.0 - 2024-10-10

Added

• Type inference in the Pro engine has been improved for class fields in
  TypeScript that are assigned a new instance but lack an explicit type
  definition. When no explicit type is provided for a class field, its type is
  inferred from the type of the expression assigned to it. For example, in the
  class definition class Foo { private readonly bar = new Bar(); }, the type of
  bar is inferred to be Bar. (code-7635)
• Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)

Fixed

• Address python rich.errors.LiveError where attempting to display multiple progress bars
  raises an exception as flagged in #​10562. (grow-414)
• C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
• When a scan runs into an exception, the app is appropriately notified
  about the failure. Previously, in the app, it would seem to the user
  that the scan is still in progress. (sms-502)

v1.90.0

Compare Source

1.90.0 - 2024-09-25

Added

• Expanded support for requirement lockfiles. Semgrep will now find any *requirement*.txt
  file and lockfiles in a requirements folder (**/requirements/*.txt). This functionality
  will be gated behind the --enable-experimental-requirements CLI flag. (sc-1752)

Changed

• Security update for code snippet storage & access methods. (gh-2038)

Fixed

• Errors that occur in semgrep scans with jobs > 1 will now have more detail (SAF-1628)
• Dockerfile matching: CMD $...ARGS now behaves like CMD ... and matches
  any CMD instruction that uses the array syntax such as CMD ["ls"]. This
  fix also applies to the other command-like instructions RUN
  and ENTRYPOINT. (gh-9726)
• Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like
  Foo() will now be inferred properly to be of type Foo. (saf-1537)

v1.89.0

Compare Source

1.89.0 - 2024-09-19

Fixed

• Fix crash on certain SCA parse errors caused by an access to an unbound variable. (gh-2259)

v1.88.0

Compare Source

1.88.0 - 2024-09-18

Added

• The dataflow analysis in the Pro engine can now track method invocations on
  variables of an interface type, safely assuming that any implementation of the
  method can be called. For example, tainted input vulnerabilities in both
  implementation classes can now be detected in the following code:

  public interface MovieService {
    String vulnerableInjection(String input);
  }
  
  public class SimpleImpl implements MovieService {
    @​Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  public class MoreImpl implements MovieService {
    @​Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  public class AppController {
    private MovieService movieService;
  
    public String pwnTest(String taintedInput) {
      return movieService.vulnerableInjection(taintedInput);
    }
  }
  ``` (code-7435)

• Type inference for constructor parameter properties in TypeScript is now
  supported in the Pro engine. For example, the taint analysis can recognize that
  sampleFunction is defined in AbstractedService class in the following code:

  export class AppController {
      constructor(private readonly abstractedService: AbstractedService) {}
  
      async taintTest() {
          const src = source();
          await this.abstractedService.sampleFunction(src);
      }
  }
  ``` (code-7597)
  

Changed

• include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. (gh-2033)

v1.87.0

Compare Source

1.87.0 - 2024-09-13

Added

• Semgrep now infers more accurate type information for class fields in
  TypeScript. This improves taint tracking for dependency injection in
  TypeScript, such as in the following example:

  export class AppController {
      private readonly abstractedService: AbstractedService;
  
      constructor(abstractedService: AbstractedService) {
          this.abstractedService = abstractedService;
      }
  
      async taintTest() {
          const src = taintedSource();
          await this.abstractedService.sinkInHere(src);
      }
  }
  ``` (code-7591)
  

• Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)

• Added support for comparing Golang pre-release versions. With this, strict
  core versions, pseudo-versions and pre-release versions can all be
  compared to each other. (sc-1739)

Changed

• If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
  now try to recover from it and continue the interfile analysis without falling back
  immediately to intrafile analysis. This allows using --max-memory with --pro in
  a more effective way. (flow-81)
• Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)

Fixed

• pro: taint-mode: Restore missing taint findings after having improved index-
  sensitivity:

  def foo(t):
      x = third_party_func(t)
      return x
  
  def test1():
      t = ("ok", taint)
      y = foo(t)
      sink(y) # now it's found! (code-7486)
  

• The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)

v1.86.0

Compare Source

1.86.0 - 2024-09-04

Added

• The taint analysis can now track method invocations on variables of an
  interface type, when there is a single implementation. For example, the tainted
  input vulnerability can now be detected in the following code:

  public interface MovieService {
    String vulnerableInjection(String input);
  }
  
  @​Service
  public class MovieServiceImpl implements MovieService {
    @​Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  @​RestController("/")
  public class SpringController {
  
    @​Autowired
    private MovieService movieService;
  
    @​GetMapping("/pwn")
    public String pwnTest(@​RequestParam("input") String taintedInput) {
      return movieService.vulnerableInjection(taintedInput);
    }
  }

  When there are multiple implementations, the taint analysis will not follow any
  of them. We will add handling of cases with multiple implementations in
  upcoming updates. (code-7434)

• Uses of values imported via ECMAScript default imports (e.g., import example from 'mod';) can now be matched by qualified name patterns (e.g.,
  mod.default). (code-7463)

• Pro: taint-mode: Allow (experimental) control taint to propagate through returns.

  Now this taint rule:

  pattern-sources:
  - control: true
    pattern: taint()
  pattern-sinks:
  - pattern: sink()
  

  It is able to find this:

  def foo():
    taint()
  
  def test():
    foo()
    sink() # now it is found! (code-7490)
  

• A new flag --max-log-list-entries allows to control the
  maximum number of entries that will be shown in the log (e.g.,
  list of rule ids, list of skipped files).
  A zero or negative value disables this filter.
  The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)

Changed

• Semgrep will now log memory-related warnings/errors when run in --debug mode,
  without the need to set SEMGREP_LOG_SRCS=process_limits. (logging)

Fixed

• Fixed inter-file constant propagation to prevent some definitions from being
  incorrectly identified as constant, when they are modified in other parts of
  the codebase. (code-6793)

• pro: taint-mode: Fixed bug in taint signature instantiation that could cause an
  update to a field in a nested object to not be tracked.

  For example, in the code below, Semgrep knew that Nested.update updates the
  fld attribute of a Nested object. But due to this bug, Semgrep would not know that Wrapper.updateupdated thefldattribute of thenestedobject attribute in aWrapper` object.

  public class Nested {
  
      private String fld;
  
      public void update(String str) {
          fld = str;
      }
  
      // ...
  }
  
  public class Wrapper {
  
      private Nested nested;
  
      public void update(String str) {
          this.nested.update(str);
      }
  
  // ...
  } (code-7499)
  

• Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)

• Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)

• Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)

• Fixed regex-fix numbered capture groups, where it used to be the case that
  a replacement: regex with numbered capture groups like \1\2\3 would effectivly
  be the same as \1\1\1.

  After the fix:

src.py

12345

```yaml
pattern: $X
fix-regex:
      regex: (1)(2)(3)(4)(5)
      replacement: \5\4\3\2\1

actually results in the fix

54321
``` (saf-1497)

v1.85.0

Compare Source

1.85.0 - 2024-08-15

Added

• Semgrep now recognizes files ending with the extention .tfvars as terraform files (saf-1481)

Changed

• The use of --debug will not generate anymore profiling information.
  Use --time instead. (debug)
• Updated link to the Supply Chain findings page on Semgrep AppSec Platform to filter to the specific repository and ref the findings are detected on. (secw-2395)

Fixed

• Fixed an error with julia list comprehentions where the pattern:

  [$A for $B in $C]
  

  would match

  [x for y in z]

  However we would only get one binding [$A/x]

  Behavior after fix: we get three bindings [$A/x,$B/y,$C/z] (saf-1480)

v1.84.1

Compare Source

1.84.1 - 2024-08-07

No significant changes.

v1.84.0

Compare Source

1.84.0 - 2024-08-06

Changed

• We switch from magenta to yellow when highlighting matches
  with the medium or warning severity. We now use magenta for
  cricical severity to be consistent with other tools such
  as npm. (color)

Fixed

• Workaround deadlock when interfile is run with j>1 and tracing is enabled. (saf-1157)
• Fixed file count to report the accurate number of files scanned by generic & regex
  so that no double counting occurs. (saf-507)

v1.83.0

Compare Source

1.83.0 - 2024-08-02

Added

• Dockerfile: Allow Semgrep Ellipsis (...) in patterns for HEALTHCHECK commands. (saf-1441)

Fixed

• The use of --debug should generate now far less log entries.
  Moreover, when the number of ignored files, or rules, or
  other entities exceed a big number, we instead replace them
  with a in the output to keep the output of semgrep
  small. (debuglogs)
• Fixed a bug introduced in 1.81.0 which caused files ignored for the Code
  product but not the Secrets product to fail to be scanned for secrets.
  Files that were not ignored for either product were not affected. (saf-1459)

v1.82.0

Compare Source

1.82.0 - 2024-07-30

Added

• Added testsuite/ as a filepath to the default value for .semgrepignore. (gh-1876)

Changed

• Update the library definitions for Java for the latest version of the JDK. (java-library-definitions)

Fixed

• Fixed metavariable comparison in step mode.

  Used to be that the rule:

      steps:
          - languages: [python]
            patterns:
              - pattern: x = f($VAR);
          - languages: [generic]
            patterns:
              - pattern-either:
                 - patterns:
                  - pattern: HI $VAR

  Wouldn't match, as one is an identifier, and the other an expression that has a
  string literal. The fix was chainging the equality used. (saf-1061)

v1.81.0

Compare Source

1.81.0 - 2024-07-24

Changed

• The --debug option will now display logging information from the semgrep-core
  binary directly, without waiting that the semgrep-core program finish. (incremental_debug)

Fixed

• C++: Scanning a project with header files (.h) now no longer causes a
  spurious warnings that the file is being skipped, or not analyzed. (code-6899)

• Semgrep will now be more strict (as it should be) when unifying identifiers.

  Patterns like the one below may not longer work, particularly in Semgrep Pro:

  patterns:
    - pattern-inside: |
        class A:
          ...
          def $F(...):
            ...
          ...
        ...
    - pattern-inside: |
        class B:
          ...
          def $F(...):
            ...
          ...
        ...
  

  Even if two classes A and B may both have a method named foo, these methods
  are not the same, and their ids are not unifiable via $F. The right way of doing
  this in Semgrep is the following:

  patterns:
    - pattern-inside: |
        class A:
          ...
          def $F1(...):
            ...
          ...
        ...
    - pattern-inside: |
        class B:
          ...
          def $F2(...):
            ...
          ...
        ...
    - metavariable-comparison:
        comparison: str($F1) == str($F2)
  

  We use a different metavariable to match each method, then we check whether they
  have the same name (i.e., same string). (code-7336)

• In the app, you can configure Secrets ignores separately from Code/SSC ignores. However, the
  files that were ignored by Code/SSC and not Secrets were still being scanned during the
  preprocessing stage for interfile analysis. This caused significantly longer scan times than
  expected for some users, since those ignored files can ignore library code. This PR fixes that
  behavior and makes Code/SSC ignores apply as expected. (saf-1087)

• Fixed typo that prevented users from using "--junit-xml-output" flag and added a tests that invokes the flag. (saf-1437)

v1.80.0

Compare Source

1.80.0 - 2024-07-18

Added

• OSemgrep now can take --exclude-minified-files to skip minified files. Additionally --no-exclude-minified-files will disable this option. It is off by default. (cdx-460)

• Users are now required to login before using semgrep scan --pro.

  Previously, semgrep will tell the users to log in, but the scan will still continue.

  With this change, semgrep will tell the users to log in and stop the scan. (saf-1137)

Fixed

• The language server no longer scans large or minified files (cdx-460)

• Pro: Improved module resolution for Python. Imports like from a.b import c where
  c is a module will now be resolved by Semgrep. And, if a module cannot be found
  in the search path, Semgrep will try to heuristically resolve the module by matching
  the module specifier against the files that are being scanned. (code-7069)

• A scan can occasionally freeze when using tracing with multiprocesses.

  This change disables tracing when scanning each target file unless the scan runs in a single process. (saf-1143)

• Improved error handling for rules with invalid patterns. Now, scans will still complete and findings from other rules will be reported. (saf-789)

• The "package-lock.json" parser incorrectly assumed that all paths in the "packages" component of "package-lock.json" started with "node_modules/".

  In reality, a dependency can be installed anywhere, so the parser was made more flexible to recognize alternative locations ("node_modules", "lib", etc). (sc-1576)

v1.79.0

Compare Source

1.79.0 - 2024-07-10

Added

• Preliminary support for the Move on Aptos language
  (see https://aptos.dev/move/move-on-aptos for more info on this language).
  Thanks a lot to Zhiping Liao (ArArgon) and Andrea Cappa for their contributions! (move_on_aptos)
• The language server now reports number of autofixes and ignores triggered throught IDE integrations when metrics are enabled (pdx-autofix-ignore)
• Added support for comparing Golang Pseudo-versions. After replacing calls to the
  packaging module with some custom logic, Pseudo-versions can now be compared against
  strict core versions and other pseudo versions accurately. (sc-1601)
• We now perform a git gc as a side-effect of historical scans. (scrt-630)

Fixed

• tainting: Fixed bug in --pro-intrafile that caused Semgrep to confuse a parameter
  with a top-level function with no arguments that happened to have the same name:

  def foo
    taint
  end
  
  def bar(foo)
    sink(foo) # no more FP here
  end (code-6923)
  

• Fixed fatal errors on files containing nosemgrep annotation without
  any rule ID after. (nosemgrep_exn)

• Matching explanations: Focus nodes now appear after filter nodes, which is
  the correct order of execution of pattern nodes. Filter nodes are now
  unreversed. (saf-1127)

• Autofix: Previews in the textual CLI output will now join differing lines
  with a space, rather than joining with no whitespace whatsoever. (saf-1135)

• Secrets: resolved some rare instances where historical scans would skip blobs
  depending on the structure of the local copy of the repository (i.e., blobs
  were only skipped if the specific copy of the git store had a certain
  structure). (scrt-630)

v1.78.0

Compare Source

1.78.0 - 2024-06-27

Added

• Matching of fully qualified type names in the metavariable-type operator has
  been improved. For example:

  from a.b import C
  
  x = C()
  

  The type of x will match both a.b.C and C.

    - pattern: $X = $Y()
    - metavariable-type:
        metavariable: $X
        types:
          - a.b.C  # or C
  ``` (code-7269)
  

Fixed

• Symbolic propagation now works on decorator functions, for example:

  x = foo
  @​x() # this is now matched by pattern `@foo()`
  def test():
    pass (code-6634)
  

• Fixed an issue where Python functions with annotations ending in endpoint,
  route, get, patch, post, put, delete, before_request or
  after_request (i.e., ones we associate with Flask) were incorrectly analyzed
  with the Code product in addition to the Secrets product when present in a file
  being ignored for Code analysis but included for Secrets. (scrt-609)

v1.77.0

Compare Source

1.77.0 - 2024-06-24

Added

• Semgrep will now report the id of the organization associated with logged in users when reporting metrics in the language server (cdx-508)

• Pro: taint-mode: Improved index-sensitive taint tracking for tuple/list (un)packing.

  Example 1:

   def foo():
       return ("ok", taint)
  
   def test():
        x, y = foo()
        sink(x)  # nothing, no FP
        sink(y)  # finding
  

  Example 2:

   def foo(t):
        (x, y) = t
        sink(x)  # nothing, no FP
        sink(y)  # finding
  
   def test():
        foo(("ok", taint)) (code-6935)
  

• Adds traces to help debug the performance of tainting. To send the traces added in the PR, pass
  --trace and also set the environment variable SEMGREP_TRACE_LEVEL=trace. To send them to a
  local endpoint instead of our default endpoint, use --trace-endpoint. (saf-1100)

Fixed

• Fixed a bug in the generation of the control-flow graph for try statements that
  could e.g. cause taint to report false positives:

  def test():
      data = taint
      try:
  

Semgrep assumes that clean could raise an exception, but

even if it does, the tainted data will never reach the sink !

          data = clean(data)
      except Exception:
          raise Exception()

data must be clean here

      sink(data) # no more FP (flow-78)

• The language server (and semgrep --experimental) should not report anymore errors from
  the metrics.semgrep.dev server such as "cannot read property 'map' of undefined". (metrics_error)
• Fixed a bug in the gemfile.lock parser which causes Semgrep to miss direct
  dependencies whose package name does not end in a version constraint. (sc-1568)

v1.76.0

Compare Source

1.76.0 - 2024-06-17

Added

• Added type inference support for basic operators in the Pro engine, including
  +, -, *, /, >, >=, <=, <, ==, !=, and not. For numeric
  computation operators such as + and -, if the left-hand side and right-hand
  side types are equal, the return type is assumed to be the same. Additionally,
  comparison operators like > and ==, as well as the negation operator not,
  are assumed to return a boolean type. (code-6940)

• Added guidance for resolving token issues for install-semgrep-pro in non-interactive environments. (gh-1668)

• Adds support for a new flag, --subdir <path>, for semgrep ci, which allows users to pass a
  subdirectory to scan instead of the entire directory. The path should be a relative path, and
  the directory where semgrep ci is run should be the root of the repository being scanned.
  Unless SEMGREP_REPO_DISPLAY_NAME is explicitly set, passing the subdirectory
  will cause the results to go to a project specific to that subdirectory.

  The intended use case for semgrep ci --subdir path/to/dir is to help users with very large
  repos scan the repo in parts. (saf-1056)

Fixed

• Language Server will now send error messages properly, and error handling is greatly improved (cdx-502)

• Pro: Calling a safe method on a tainted object should no longer propagate taint.

  Example:

  class A {
      String foo(String str) {
          return "ok";
      }
  }
  
  class Test {
      public static void test() {
          A a;
          String s;
          a = taint();
          // Despite `a` is tainted, `a.foo()` is entirely safe !!!
          s = a.foo("bar");
          sink(s); // No more FP here
      }
  } (code-6935)
  

• Fixing errors in matching identifiers from wildcard imports. For example, this
  update addresses the issue where the following top-level assignment:
  from pony.orm import *
  db = Database()
  is not matched with the following pattern:
  $DB = pony.orm.Database(...)
  ``` (code-7045)

• [Pro Interfile JS/TS] Improve taint propagation through callbacks passed to $X.map functions and similar. Previously, such callbacks needed to have a return value for taint to be properly tracked. After this fix, they do not. (js-taint)

• Rust: Constructors will now properly match to only other constructors with
  the same names, in patterns. (saf-1099)

v1.75.0

Compare Source

1.75.0 - 2024-06-03

Added

• Pro: Semgrep can now track taint through tuple/list (un)packing intra-procedurally
  (i.e., within a single function). For example:

  t = ["ok", "taint"]
  x, y = t
  sink(x) # OK, no finding
  sink(y) # tainted, finding
  ``` (code-6935)

• Optional type matching is supported in the Pro engine for Python. For example,
  in Python, Optional[str], str | None, and Union[str, None] represent the
  same type but in different type expressions. The optional type match support
  enables matching between these expressions, allowing any optional type
  expression to match any other optional type expression when used with
  metavariable-type filtering. It's important to note that syntactic pattern
  matching still distinguishes between these types. (code-6939)

• Add support for pnpm v9 (pnpm)

• Added a new rule option decorators_order_matters, which allows users to make decorators/ non-keyword attributes matching stricter. The default matching for attributes is order-agnostic, but if this rule option is set to true, non-keyword attributes (e.g. decorators in Python) will be matched in order, while keyword attributes (e.g. static, inline, etc) are not affected.

  An example usage will be a rule to detect any decorator that is outside of the route() decorator in Flask, since any decorator outside of the route() decorator takes no effect.

bad: another.func() takes no effect

@​another.func("func")
@​app.route("route")
def f():
pass

ok: route() is the outermost decorator

@​app.route("route")
@​another.func("func")
def f():
pass (saf-435)

Fixed

• Pro: taint-mode: Fixed issue causing findings to be missed (false negatives)
  when a global or class field was tainted, and then used in a sink after two
  or more function calls.

  For example:

  class Test {
      string bad;
  
      void test() {
          bad = "taint";
          foo();
      }
  
      void foo() {
          bar();
      }
  
      void bar() {
          sink(bad); // finding no longer missed
      }
  } (saf-1059)
  

• [Mostly applicable to Pro Engine] Typed metavariables will now match against the inferred type of a binding even if a constant is propagated for that binding, if we are unable to infer a type from the constant. Previously, we would simply fail to match in this case. (saf-1060)

• Removed the URLs at the end of the log when semgrep ci --dryrun is ran because dry run doesn't interact with the app so the URLs don't make sense. (saf-924)

v1.74.0

Compare Source

1.74.0 - 2024-05-23

Fixed

• One part of interfile tainting was missing a constant propagation phase, which causes semgrep to miss some true positives in some cases during interfile analysis.

  This fix adds the missing constant propagation. (saf-1032)

• Semgrep now matches YAML tags (e.g. !number in !number 42) correctly rather
  than ignoring them. (saf-1046)

• Upgraded Semgrep's Dockerfile parser. This brings in various
  fixes from
  tree-sitter-dockerfile
  including minimal support for heredoc templates, support for variables in keys
  of LABEL instructions, support for multiple parameters for ADD and COPY
  instructions, tolerance for blanks after the backslash of a line continuation.
  As a result of supporting variables in LABEL keys, the multiple key/value
  pairs found in LABEL instructions are now treated as if they each had they own
  LABEL instruction. It allows a pattern LABEL a=b to match LABEL a=b c=d
  without the need for an ellipsis (LABEL a=b ...). Another consequence is
  that the pattern LABEL a=b c=d can no longer match LABEL c=d a=b but it
  will match a LABEL a=b instruction immediately followed by a separate
  LABEL c=d. (upgrade-dockerfile-parser)

v1.73.0

Compare Source

1.73.0 - 2024-05-16

Added

• Added new AWS validator syntax for Secrets (scrt-278)

Fixed

• Fix couldn't find metavar $MT in the match results error, which may occur
  when we capture FQN with the metavariable and use metavariable-type filter on
  it. (code-7042)
• Fixes the crash (during scan) caused by improper handling of unicode characters present in the source code. (gh-8421)
• [Pro Engine Only] Tainted values are now tracked through instantiation of React functional components via JSX. (jsx-taint)

v1.72.0

Compare Source

1.72.0 - 2024-05-08

Fixed

• Dockerfile support: Avoid a silent parsing error that was possibly accompanied
  with a segfault when parsing Dockerfiles that lack a trailing newline
  character. (gh-10084)

• Fixed bug that was preventing the use of metavariable-pattern with
  the aliengrep engine of the generic mode. (gh-10222)

• Added support for function declarations on object literals in the dataflow analysis.

  For example, previously taint rules would not have matched the
  following javascript code but now would.

  let tainted = source()
  let o = {
      someFuncDecl(x) {
          sink(tainted)
      }
  }
  ``` (saf-1001)
  

• Osemgrep only:

  When rules have metavariable-type, they don't show up in the SARIF output. This change fixes that.

  Also right now dataflow traces are always shown in SARIF even when --dataflow-traces is not passed. This change also fixes that. (saf-1020)

• Fixed bug in rule parsing preventing patternless SCA rules from being validated. (saf-1030)

v1.71.0

Compare Source

1.71.0 - 2024-05-03

Added

• Pro: const-prop: Previously inter-procedural const-prop could only infer whether
  a function returned an arbitrary string constant. Now it will be able to infer
  whether a function returns a concrete constant value, e.g.:

  def bar():
    return "bar"
  
  def test():
    x = bar()
    foo(x) # now also matches pattern `foo("bar")`, previously only `foo("...")`
  ``` (flow-61)

• Python: const-prop: Semgrep will now recognize "..." * N expression as arbitrary
  constant string literals (thus matching the pattern "..."). (flow-75)

Changed

• The --beta-testing-secrets-enabled option, deprecated for several months, is now removed. Use --secrets as its replacement. (gh-9987)

Fixed

• When using semgrep --test --json, we now report in the
  config_missing_fixtests field in the JSON output not just rule files
  containing a fix: without a corresponding ".fixed" test file; we now also
  report rule files using a fix-regex: but without a corresponding a
  .fixed test file, and the fix: or fix-regex: can be in
  any rule in the file (not just the first rule). (fixtest)

• Fixes matching for go struct field tags metadata.

  For example given the program:

  type Rectangle struct {
      Top    int `json:"top"`
      Left   int `json:"left"`
      Width  int `json:"width"`
      Height int `json:"height"`
  }
  

  The pattern,

  type Rectangle struct {
      ...
      $NAME $TYPE $TAGS
      ...
  }
  

  will now match each field and the $TAGS metavariable will be
  bound when used in susequent patterns. (saf-949)

• Matching: Patterns of statements ending in ellipsis metavariables, such as
  x = 1
  $...STMTS
  will now properly extend the match range to accommodate whatever is captured by
  the ellipsis metavariable ($...STMTS). (saf-961)

• The SARIF output format should have the tag "security" when the "cwe"
  section is present in the rule. Moreover, duplicate tags should be
  de-duped.

  Osemgrep wasn't doing this before, but with this fix, now it does. (saf-991)

• Fixed bug in mix.lock parser where it was possible to fail on a python None error. Added handler for arbitrary exceptions during lockfile parsing. (sc-1466)

• Moved --historical-secrets to the "Pro Engine" option group, instead of
  "Output formats", where it was previously (in error). (scrt-570)

v1.70.0

Compare Source

1.70.0 - 2024-04-24

Added

• Added guidance for resolving API token issues in CI environments. (gh-10133)

• The osemgrep show command supports 2 new options: dump-ast dump-pattern.
  See osemgrep show --help for more information. (osemgrep_show)

• Added additional output flags which allow you to write output to multiple files in multiple formats.

  For example, the comand semgrep ci --text --json-output=result.json --sarif-output=result.sarif.json
  Displays text output on stdout, writes the output that would be generated by passing the --json flag
  to result.json, and writes the output that would be generated by passing the --sarif to result.sarif.json. (saf-341)

• Added an experimental feature for users to use osemgrep to format
  SARIF output.

  When both the flags --sarif and --use-osemgrep-sarif are specified,
  semgrep will use the ocaml implementation to format SARIF.

  This flag is experimental and can be removed any time. Users must not
  rely on it being available. (saf-978)

Changed

• The main regex engine is now PCRE2 (was PCRE). While the syntax is mostly
  compatible, there are some minor instances where updates to rules may be
  needed, since PCRE2 is slightly more strict in some cases. For example, while
  we previously accepted [\w-.], such a pattern would now need to be written
  [\w.-] or [\w\-.] since PCRE2 rejects the first as having an invalid range. (scrt-467)

Fixed

• Semgrep LS now waits longer for users to login (gh-10109)

• When semgrep ci finishes scanning and uploads findings, it tells the
  app to mark the scan as completed.

  For large findings, this may take a while and marking the scan as
  completed may timeout. When a scan is not marked as completed, the app
  may show that the repo is still processing, and confuses the user.

  This change increases the timeout (previously 20 minutes) to 30
  minutes. (saf-980)

• Fix semgrep ci --oss-only when secrets product is enabled. (scrt-223)

v1.69.0

Compare Source

1.69.0 - 2024-04-16

Added

• Tracing: remove support for SEMGREP_OTEL_ENDPOINT and replace with --trace-endpoint <url>.
  This change is for an internal feature for debugging performance. (saf-885)

Changed

• Passing --debug to Semgrep will not print much, unless a set of tags is specified
  via LOG_TAGS. You can get all debug logs with LOG_TAGS=everything. We do not
  want --debug's output to be enourmous, as it tends not to be useful and yet cause
  some problems. Note that --debug is mainly intended for Semgrep developers, please
  ask for help if needed. (gh-10044)
• • The environment variables used to select the debug-level log messages
    are now prefixed with SEMGREP_ (or PYTEST_SEMGREP_) to avoid namespace
    pollution and undesired cross-application side effects.
    The supported environment variables are now SEMGREP_LOG_TAGS
    and PYTEST_SEMGREP_LOG_TAGS. (gh-10087)
• The implicit tag to show all debug-level log messages changes from
  everything to all. All debug-level messages shown by default are
  now tagged and selectable with a default tag. (gh-10089)

Fixed

• In generic mode (default, spacegrep engine), matching a pattern that
  ends with an ellipsis now favors the longest match rather than the shortest
  match when multiple matches are possible. For example, for a given target
  program a a b, the pattern a ... b will match a b as before but
  the pattern a ... will now match the longer a a b rather than a b. (gh-10039)
• Fixed the inter-file diff scan issue where the removal of pre-existing findings
  didn't work properly when adding a new file or renaming an existing file. (saf-897)

v1.68.0

Compare Source

1.68.0 - 2024-04-08

Added

• Scan un-changed lockfiles in diff-aware scans (gh-9899)
• Languages: Added the QL language (used by CodeQL) to Semgrep (saf-947)
• SwiftPM parser will now report package url and reference. (sc-1218)
• Add support for Elixir (Mix) SCA parsing for pro engine users. (sc-1303)

Fixed

• Output for sarif format includes dataflow traces. (gh-10004)
• The environment variable LOG_LEVEL (as well as PYTEST_LOG_LEVEL) is
  no longer consulted by Semgrep to determine the log level. Only
  SEMGREP_LOG_LEVEL is consulted. PYTEST_SEMGREP_LOG_LEVEL is also
  consulted in the current implementation but should not be used outside of
  Semgrep's Pytest tests. This is to avoid accidentally affecting Semgrep
  when inheriting the LOG_LEVEL destined to another application. (gh-10044)
• Fixed swiftpm parser to no longer limit the amount of found packages in manifest file. (sc-1364)
• Fixed incorrect ecosystem being used for Elixir. Hex should be used instead of Mix. (sc-elixir)
• Fixed the match_based_ids of lockfile-only findings to differentiate between findings in cases where one rule produces multiple findings in one lockfile (sca-mid)
• Secrets historical scans: fixed a bug where historical scans could run on differential scans. (scrt-545)

v1.67.0

Compare Source

1.67.0 - 2024-03-28

Added

• --historical-secrets flag for running Semgrep Secrets regex rules on git
  history (requires Semgrep Secrets). This flag is not yet implemented for
  --experimental. (scrt-531)

Changed

• Files with the .phtml extension are now treated as PHP files. (gh-10009)

• [IMPORTANT] Logged in users running semgrep ci will now run the pro engine by default! All semgrep ci scans will run with our proprietary languages (Apex and Elixir), as well as cross-function taint within a single file, and other single file pro optimizations we have developed. This is equivalent to semgrep ci --pro-intrafile. Users will likely see improved results if they are running semgrep ci and did not already have additional configuration to enable pro analysis.

  The current default engine does not include cross-file analysis. To scan with cross-file analysis, turn on the app toggle or pass in the flag --pro. We recommend this unless you have very large repos (talk to our support to get help enabling cross-file analysis on monorepos!)

  To revert back to our OSS analysis, pass the flag --oss-only (or use --pro-languages to continue to receive our proprietary languages).

  Reminder: because we release first to our canary image, this change will only immediately affect you if you are using semgrep/semgrep:canary. If you are using semgrep/semgrep:latest, it will affect you when we bump canary to latest. (saf-845)

Fixed

• Fixed a parsing error in Kotlin when there's a newline between the class name and the primary constructor.

  This could not parse before

  class C
  constructor(arg:Int){}
  

  because of the newline between the class name and the constructor.

  Now it's fixed. (saf-899)

v1.66.2

Compare Source

1.66.2 - 2024-03-26

Added

• osemgrep now respects HTTP_PROXY and HTTPS_PROXY when making network requests (cdx-253)

Changed

• [IMPORTANT] The public rollout of inter-file differential scanning has been
  temporarily reverted for further polishing of the feature. We will reintroduce
  it in a later version. (saf-268)

Fixed

• Autofix on variable definitions should now handle the semicolon
  in Java, C++, and C#. (saf-928)

v1.66.1

Compare Source

1.66.1 - 2024-03-25

Fixed

• Autofix on variable definitions should now handle the semicolon
  in Rust, Cairo, Solidity, Dart. (autofix_vardef)
• [IMPORTANT] we restored bash, jq, and curl in our semgrep docker image as some
  users were relying on it. We might remove them in the futur but in the
  mean time we restored the packages and if we remove them we will announce
  it more loudly. We also created a new page giving more information
  about our policy for our docker images:
  https://semgrep.dev/docs/semgrep-ci/packages-in-semgrep-docker/ (docker_bash)
• Fixed autofix application on lines containing multi-byte characters. (multibyte)

v1.66.0

Compare Source

1.66.0 - 2024-03-19

Added

• Added information about interfile pre-processing to --max-memory help. (gh-9932)
• We've implemented basic support for the yield keyword in Python. The Pro
  engine now detects taint findings from taint sources returned by the yield
  keyword. (saf-281)

Changed

• osemgrep --remote will no longer clone into a tmp folder, but instead the CWD (cdx-remote)

• [IMPORTANT] Inter-file differential scanning is now enabled for all Pro users.

  Inter-file differential scanning is now enabled for all Pro users. While it may
  take longer than intra-file differential scanning, which is the current default
  for pro users, it offers deeper analysis of dataflow paths compared to
  intra-file differential scanning. Additionally, it is significantly faster
  than non-differential inter-file scanning, with scan times reduced to
  approximately 1/10 of the non-differential inter-file scan. Users who
  enable the pro engine and engage in differential PR scans on GitHub or
  GitLab may experience the impact of this update. If needed, users can
  revert to the previous intra-file differential scan behavior by configuring
  the --no-interfile-diff-scan command-line option. (saf-268)

Fixed

• The official semgrep docker image does not contain anymore the
  bash, jq, and curl utilities, to reduce its attack surface. (saf-861)

v1.65.0

Compare Source

1.65.0 - 2024-03-11

Changed

• Removed the extract-mode rules experimental feature. (extract_mode)

v1.64.0

Compare Source

1.64.0 - 2024-03-07

Changed

• Removed the AST caching experimental feature (--experimental --ast-caching
  in osemgrep and -parsing_cache_dir in semgrep-core). (ast_caching)
• Removed the Registry caching experimental feature (--experimental --registry-caching)
  in osemgrep. (registry_caching)

Fixed

• Clean any credentials from project URL before using it, to prevent leakage. (saf-876)
• ci: Updated logic for informational message printed when no rules are sent to
  correctly display when secrets is enabled (in additional to
  when code is). (scrt-455)

v1.63.0

Compare Source

1.63.0 - 2024-02-27

Added

• Dataflow: Added support for nested record patterns such as { body: { param } }
  in the LHS of an assignment. Now given { body: { param } } = tainted Semgrep
  will correctly mark param as tainted. (flow-68)
• Matching: metavariable-regex can now match on metavariables of interpolated
  strings which use variables that have known values. (saf-865)
• Add support for parsing Swift Package Manager manifest and lockfiles (sc-1217)

Fixed

• fix: taint signatures do not capture changes to parameters' fields (flow-70)
• Scan summary links printed after semgrep ci scans now reflect a custom SEMGREP_APP_URL, if one is set. (saf-353)

v1.62.0

Compare Source

1.62.0 - 2024-02-22

Added

• Pro: Adds support for python constructors to taint analysis.

  If interfile naming resolves that a python constructor is called taint
  will now track these objects with less heuristics. Without interfile
  analysis these changes have no effect on the behavior of tainting.
  The overall result is that in the following program the oss analysis
  would match both calls to sink while the interfile analysis would only
  match the second call to sink.

  class A:
      untainted = "not"
      tainted = "not"
      def __init__(self, x):
      	self.tainted = x
  
  a = A("tainted")
  

OK:

sink(a.untainted)

MATCH:

sink(a.tainted)

- Pro: taint-mode: Added basic support for "index sensitivity", that is,
Semgrep will track taint on individual indexes of a data structure when
these are constant values (integers or strings), and the code uses the
built-in syntax for array indexing in the corresponding language
(typically `E[i]`). For example, in the Python code below Semgrep Pro
will _not_ report a finding on `sink(x)` or `sink(x[1])` because it will
know that only `x[42]` is tainted:

```python
x[1] = safe
x[42] = source()
sink(x) // no more finding
sink(x[1]) // no more finding
sink(x[42]) // finding
sink(x[i]) // finding

There is still a finding for sink(x[i]) when i is not constant. (flow-7)

Changed

• taint-mode: Added exact: false sinks so that one can specify that anything
  inside a code region is a sink, e.g. if (...) { ... }. This used to be the
  semantics of sink specifications until Semgrep 1.1.0, when we made sink matching
  more precise by default. Now we allow reverting to the old semantics.

  In addition, when exact: true (the default), we simplified the heuristic used
  to support traditional sink(...)-like specs together with the option
  taint_assume_safe_functions: true, now we will consider that if the spec
  formula is not a patterns with a focus-metavarible, then we must look for
  taint in the arguments of a function call. (flow-1)

• The project name for repos scanned locally will now be local_scan/<repo_name> instead
  of simply <repo_name>. This will clarify the origin of those findings. Also, the
  "View Results" URL displayed for findings now includes the repository and branch names. (saf-856)

Fixed

• taint-mode: experimental: For now Semgrep CLI taint traces are not adapted to
  support multiple labels, so Semgrep picks one arbitrary label to report, which
  sometimes it's not the desired one. As a temporary workaround, Semgrep will
  look at the requires of the sink, and if it has the shape A and ..., then
  it will pick A as the preferred label and report its trace. (flow-65)
• Fixed trailing newline parsing in pyproject.toml and poetry.lock files. (gh-9777)
• Fixed an issue that led to incorrect autofix application in certain cases where multiple fixes were applied to the same line. (saf-863)
• The tokens for type parameters brackets are now stored in the generic AST allowing
  to correctly autofix those constructs. (tparams)

v1.61.1

Compare Source

1.61.1 - 2024-02-14

Added

• Added performance metrics using OpenTelemetry for better visualization.
  Users wishing to understand the performance of their Semgrep scans or
  to help optimize Semgrep can configure the backend collector created in
  libs/tracing/unix/Tracing.ml.

  This is experimental and both the implementation and flags are likely to

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud