Release notes and changelog excerpt (sourced from semgrep's releases and changelog; truncated):

- taint-mode: Correctly propagate taint in for-each loops with typed iteration variables (as in Java or C#). If the iterator object is tainted, that taint will now be propagated to the iteration variable. This should fix some false negatives (i.e., findings not being reported) in the presence of for-each loops. (#5590)
- Scala: ellipsis are now allowed in for loop headers, so you can write patterns like `for (...; $X <- $Y if $COND; ...) { ... }` to match nested for loops. (#5650)
- The SEMGREP_GHA_MIN_FETCH_DEPTH environment variable, which lets you set how many commits semgrep ci fetches from the remote at the minimum when calculating the merge-base in GitHub Actions. Having more commits available helps Semgrep determine what changes came from the current pull request, fixing issues where Semgrep would report findings that weren't touched in a given pull request. This value is set to 0 by default. (#5664)

Fixed
- taint-mode: In some scenarios some statements were not being included in the CFG used by taint tracking, and as a result some expected findings were not being reported (i.e. false negatives). This affected mainly languages like Scala where traditional control-flow constructs are expressions rather than statements (or, seen in a different way, every statement returns a value). (#5652)
- Yaml: location information is fixed for unicode characters (#5660)

Changed
- --verbose no longer toggles the display of timing information; use --verbose --time to display this information.
- Change timeout for git operations from 100s to 500s
- Bash: Support for subshell syntax, i.e. commands in parentheses (#5629)

Changed

Fixed
- semgrep ci: CI runs were failing to checkout the PR head in GitHub Actions, which is corrected here.
- TS: fixed the parsing of type predicates and typeof queries
- Deep expression matching now works on HTML in JavaScript
- taint-mode: Taint propagation via pattern-propagators now works correctly when the from or to metavariables match a function call. For example, given `sqlBuilder.append(page.getOrderBy())`, we can now propagate taint from `page.getOrderBy()` to `sqlBuilder`.
- Will no longer print "files were not tracked by git" if not in a git repo
- Will no longer print "Some files were skipped" if no files were skipped
- Fixed bug where semgrep would crash in nonexistent directory (#4785)
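Two of the changelog items above (taint propagation through pattern-propagators when the `from` metavariable is a function call, and ellipsis in Scala for-loop headers) are easiest to see as rules. The following rule file is an added example written for this page; it is not from the PR, from Dependabot, or from semgrep's own documentation. The rule ids, the choice of `$PAGE.getOrderBy()` as a source and `executeQuery` as a sink, and the target snippets in the comments are assumptions made for the illustration.

```yaml
# Added example (not from the PR or from semgrep's own docs): two rules that
# exercise the changelog items above. Rule ids, the source/sink choices and the
# target snippets in the comments are assumptions.
rules:
  # 1. pattern-propagators where the `from` metavariable matches a function
  #    call, the case the changelog fixes (sqlBuilder.append(page.getOrderBy())).
  - id: example-taint-through-stringbuilder-append
    languages: [java]
    severity: ERROR
    mode: taint
    message: >-
      Request-controlled ORDER BY fragment reaches executeQuery through a
      StringBuilder; allow-list the column name instead of concatenating it.
    pattern-sources:
      # Assumption: the paging object is populated from request parameters.
      - pattern: $PAGE.getOrderBy()
    pattern-propagators:
      # Taint flows from the appended argument into the builder object,
      # including when $ARG is itself a call such as page.getOrderBy().
      - pattern: $SB.append($ARG)
        from: $ARG
        to: $SB
    pattern-sinks:
      - pattern: $STMT.executeQuery(...)
    # Constructed Java target this rule is meant to flag:
    #   StringBuilder sqlBuilder = new StringBuilder("SELECT id FROM orders ORDER BY ");
    #   sqlBuilder.append(page.getOrderBy());                     // taint enters the builder
    #   ResultSet rs = stmt.executeQuery(sqlBuilder.toString());  // finding reported here
    # Before the fix listed above, the propagator did not fire when $ARG matched
    # a call, so the executeQuery line produced no finding (a false negative).

  # 2. Ellipsis in Scala for-comprehension headers: the generator carrying the
  #    guard may sit at any position, so nested loops match as well.
  - id: example-scala-guarded-generator
    languages: [scala]
    severity: INFO
    message: for-comprehension generator with an inline guard on $Y
    pattern: |
      for (...; $X <- $Y if $COND; ...) { ... }
    # Matches both of these constructed Scala snippets:
    #   for (row <- rows if row.isActive) { process(row) }
    #   for (a <- as; b <- bs if b.ownerId == a.id; c <- cs) { audit(a, b, c) }
```

Run it as `semgrep --config rules.yml path/to/sources` (hypothetical file name). The useful check after upgrading is a regression test: keep the Java snippet in the comment as a fixture and confirm the `executeQuery` line is reported, since under the older propagator behaviour the same rule silently missed it.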
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.102.0.
Release notes and changelog: sourced from semgrep's releases and changelog (truncated; the excerpt appears above).
Commits
- a8fb411 chore: Bump version to 0.102.0
- b0634fa Fix changelog (#5667)
- 6fcc672 feat: Expose taint traces in semgrep-core text output (#5662)
- 6368cff Scala: allow ellipsis in for loop headers (#5661)
- 175e6d7 AST_to_IL: Make sure any StmtExpr is in the final IL (#5658)
- 4fb6976 feat: log stderr on git failures (#5649)
- cef7738 Plumb spans for partial parsing errors (#5655)
- 2234ae8 semgrep-core: just display a WARNING for partial parsing errors (#5656)
- f155804 fix(deep): Store alternate names in ResolvedName (#5654)
- 2bb5a83 infra: ensure release scripts update versions (#5653)