- Bash: Support for subshell syntax, i.e. commands in parentheses (#5629)
Changed
Fixed
- semgrep ci: CI runs were failing to checkout the PR head in GitHub Actions, which is corrected here.
- TS: fixed the parsing of type predicates and typeof queries
- Deep expression matching now works on HTML in JavaScript
- taint-mode: Taint propagation via pattern-propagators now works correctly when the from or to metavariables match a function call. For example, given `sqlBuilder.append(page.getOrderBy())`, we can now propagate taint from `page.getOrderBy()` to `sqlBuilder`.
- Will no longer print "files were not tracked by git" if not in a git repo
- Will no longer print "Some files were skipped" if no files were skipped
- Fixed bug where semgrep would crash in nonexistent directory (#4785)
- taint-mode: Correctly propagate taint in for-each loops with typed iteration variables (as in Java or C#). If the iterator object is tainted, that taint will now be propagated to the iteration variable. This should fix some false negatives (i.e., findings not being reported) in the presence of for-each loops. (#5590)
- taint-mode: New experimental pattern-propagators feature that allows you to specify arbitrary patterns for the propagation of taint by side-effect. In particular, this allows you to specify how taint propagates through side-effectful function calls. For example, you can specify that when tainted data is added to an array then the array itself becomes tainted. (#4509)
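The two taint-mode entries above (side-effect propagation through `pattern-propagators`, and the fix for a `from`/`to` metavariable that matches a function call) are easiest to see in a complete rule. The rule below is an added example written for this page; it is not a rule from the Semgrep project or from this PR. The `sqlBuilder.append(page.getOrderBy())` shape comes from the changelog text, while the rule id, the `executeQuery()` sink, and the Java target in the comments are assumptions made for the example.

```yaml
# Java target this rule is meant to flag (constructed for the example):
#
#   StringBuilder sqlBuilder = new StringBuilder("SELECT * FROM items ORDER BY ");
#   sqlBuilder.append(page.getOrderBy());        // propagator: builder becomes tainted
#   ResultSet rs = stmt.executeQuery(sqlBuilder.toString());   // sink
#
# Without the propagator, taint stops at the append() call because append()
# mutates sqlBuilder by side effect and its return value is never used.
rules:
  - id: example-taint-through-stringbuilder-append
    mode: taint
    languages: [java]
    severity: WARNING
    message: >-
      Caller-controlled text from getOrderBy() reaches a SQL query through a
      StringBuilder filled via append(). Map the requested column to an
      allow-list of known column names instead of splicing the text in.
    pattern-sources:
      # Source assumed for this example: the getOrderBy() helper named in
      # the changelog entry. The receiver is left as a metavariable.
      - pattern: $PAGE.getOrderBy()
    pattern-propagators:
      # Side-effect propagator: when tainted $DATA is appended, the receiver
      # object $BUILDER is marked tainted from this point on. $DATA here is
      # a method call, which is the case fixed in this release.
      - pattern: $BUILDER.append($DATA)
        from: $DATA
        to: $BUILDER
    pattern-sinks:
      # Sink assumed for this example: only the query argument is the sink,
      # so a tainted statement object alone does not produce a finding.
      - patterns:
          - pattern: $STMT.executeQuery($QUERY)
          - focus-metavariable: $QUERY
```

Run it with `semgrep --config example-rule.yaml path/to/java/` (file name assumed). The `toString()` call on the tainted builder is covered by taint mode's default assumption that a call on tainted input returns tainted output, so no second propagator is needed for it; the `focus-metavariable` on the sink keeps the finding tied to the query text rather than to every expression in the call.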
Changed
- `--config auto` no longer sends the name of the repository being scanned to the Semgrep Registry. As of June 21st, this data is not recorded by the Semgrep Registry backend, even if an old Semgrep version sends it. Also as of June 21st, none of the previously collected repository names are retained by the Semgrep team; any historical data has been wiped.
- Gitlab SAST output is now v14.1.2 compliant
- Removed the following deprecated `semgrep scan` options: `--json-stats`, `--json-time`, `--debugging-json`, `--save-test-output-tar`, `--synthesize-patterns`, `--generate-config`/`-g`, `--dangerously-allow-arbitrary-code-execution-from-rules`, and `--apply` (which was an easter egg for job applications, not the same as `--autofix`)
- PHP: switch to GA maturity! Thanks a lot to Sjoerd Langkemper for most of the heavy work
Fixed
- Inline join mode rules can now run taint-mode rules
- Python: correctly handle `with` context expressions where the value is not bound (#5513)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.101.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
- d02e285 chore: Bump version to 0.101.0
- ee31c3e Fix changelog (#5639)
- 730a09f chore: remove confusingly named, unneeded workflow (#5637)
- 7f300f1 C++: use latest ocaml-tree-sitter-core (#5636)
- 0add15b Bash: add support for subshells (#5629)
- c2eff2b tainting: Fix function calls as from/to in taint propagators (#5628)
- 4df4833 Resurrect job to run a nightly homebrew test (#5619)
- c8126a3 docs(privacy): Make explicit that IP addresses are collected
- ec5e501 Enable deep expression matching on HTML in JS (#5616)
- 0431add TS: use latest tree-sitter-typescript parsing complex types (#5626)