- `semgrep ci` now defaults to fail open and will always exit with exit code 0, which is equivalent to passing `--suppress-errors`. To disable this behavior, you can pass `--no-suppress-errors` and semgrep will behave as it did previously, surfacing any exit codes that may result. (app-1951)
Fixed
- taint-mode: Taint traces (`--dataflow-traces`) should no longer report "strange" intermediate variables when there are record accesses involved. This happened e.g. if `foo` was a tainted record and the code accessed some of its fields as in `foo.bar.baz`. This was related to the use of auxiliary variables in the Dataflow IL. These variables got tainted, but they had real tokens attached corresponding to the dot (`.`) operator. Now we do not include these variables in the taint trace. (pa-1672)
Infra/Release Changes
- GHA runner-image macos-10.15 is deprecated and will be unsupported by 30AUG2022. We've tested and can upgrade to macos-12 to avoid issues with brownouts or end of support. (devop-586)
- Updated SCA finding generation so that the following hold:
  - One SCA finding per vulnerable dependency. If one rule matches multiple dependencies in one lockfile, that will produce multiple findings. This still needs to be codified in the typed interface.
  - No findings in files that were not targeted. If `foo.py` depends on `Pipfile.lock`, and `foo.py` is targeted but `Pipfile.lock` is not, then we can produce reachable findings in `foo.py` but not non-reachable findings in `Pipfile.lock`. If `Pipfile.lock` is included in our targets then we can produce non-reachable findings inside of it.
  - No massive single scan for lockfiles. (sca-127)
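The first two SCA rules above (one finding per vulnerable dependency, and findings only in targeted files) are easier to reason about when run against concrete inputs. The following is an added Python model written for this page, not semgrep's own implementation: the lockfile contents, source files, package names, versions and rule ids are all constructed, and the model simplifies to at most one finding per (rule, dependency) pair, attached to the first targeted source file that uses the package, or else to the lockfile when the lockfile itself is a target.

```python
"""Model of the SCA finding-generation rules listed above (illustration only;
not semgrep's own code). All inputs below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    package: str
    version: str
    lockfile: str
    reported_in: str   # file the finding is attached to (a source file or the lockfile)
    reachable: bool    # True when a targeted source file actually uses the package


def parse_version(v: str) -> tuple:
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed sample data: hypothetical lockfile, source files and rules.
LOCKFILES = {
    "Pipfile.lock": {"requests": "2.19.0", "urllib3": "1.24", "pyyaml": "3.12", "jinja2": "3.1.2"},
}
SOURCE_TO_LOCKFILE = {"foo.py": "Pipfile.lock"}   # lockfile each source file resolves against
SOURCE_USES = {"foo.py": {"requests"}}             # packages each source file imports (pretend analysis)
# rule id -> {package: first fixed version}; any version below the fixed one is vulnerable
RULES = {
    "rule-A": {"requests": "2.20.0", "urllib3": "1.25"},
    "rule-B": {"pyyaml": "5.1", "jinja2": "2.11.3"},
}


def generate_findings(targets, lockfiles=LOCKFILES, source_to_lockfile=SOURCE_TO_LOCKFILE,
                      source_uses=SOURCE_USES, rules=RULES):
    """Produce findings for the given set of targeted file paths."""
    targets = set(targets)
    findings = []
    for rule_id, affected in rules.items():
        for lockfile, deps in lockfiles.items():
            for pkg, version in deps.items():
                first_fixed = affected.get(pkg)
                if first_fixed is None or parse_version(version) >= parse_version(first_fixed):
                    continue  # package not covered by this rule, or already patched
                # One finding per vulnerable dependency: a rule hitting several packages
                # in the same lockfile yields one finding for each of them.
                users = sorted(src for src in targets
                               if source_to_lockfile.get(src) == lockfile
                               and pkg in source_uses.get(src, ()))
                if users:
                    # Reachable: a targeted source file uses the vulnerable package.
                    findings.append(Finding(rule_id, pkg, version, lockfile, users[0], True))
                elif lockfile in targets:
                    # Non-reachable findings live in the lockfile, so only when it is a target.
                    findings.append(Finding(rule_id, pkg, version, lockfile, lockfile, False))
                # Otherwise nothing is reported: findings never land in untargeted files.
    return findings


def summarize(findings):
    """Compact, deterministic view of findings for display and assertions."""
    return sorted((f.rule_id, f.package, f.reported_in, f.reachable) for f in findings)


if __name__ == "__main__":
    for targets in ({"foo.py"}, {"foo.py", "Pipfile.lock"}, {"Pipfile.lock"}):
        print("targets:", sorted(targets))
        for row in summarize(generate_findings(targets)):
            print("   ", row)
```

Running the three target sets shows the behaviour the changelog describes: with only `foo.py` targeted, the vulnerable `requests` pin produces a reachable finding in `foo.py` while the unused `urllib3` and `pyyaml` pins produce nothing, because their non-reachable findings would have to land in the untargeted `Pipfile.lock`; adding `Pipfile.lock` to the targets makes those two non-reachable findings appear, and `rule-A` then yields two findings from one lockfile.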
Fixed
- Fixed an issue where a scan fails due to pending changes in a submodule. (cli-272)
- Semgrep CI now accepts more formats of git URL for metadata provided to semgrep.dev and lets the user provide a fallback for repo name (`SEMGREP_REPO_NAME`) and repo URL (`SEMGREP_REPO_URL`) if they are undefined by CI. (cli-280)
- Fixed a crash that occurred when reporting results when join mode and taint mode were used together. (gh-5839)
- JS: Allowed decorators to appear in Semgrep patterns for class methods and fields. (pa-1677)
- Quick fix for a regression introduced in 0.107.0 (presumably by taint labels) that could cause some taint rules to crash Semgrep with: `Invalid_argument "output_value: abstract value (Custom)"` (pa-1724)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.109.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
- bc9f795 chore: Bump version to 0.109.0
- b16964c update fail-open ci to include a header for log filtering (#5906)
- 89d3003 Default to Fail Open (#5886)
- 934bc90 AST_to_IL: Require fresh variables to have fake tokens (#5883)
- 70fbdab update macos gha env (#5902)
- 761791d Update dead link to contributing guides (#5894)
- 6dee799 Update language to shouldafound so its explicit about sensitive information (...
- cbdeb3f make slack message PR links clickable (#5882)
- 0ec2ea9 Merge pull request #5875 from returntocorp/release-0.108.0
- e8a46f4 feat(swift): added swift labeled statements for parsing (#5864)