- Previously, the following error message appeared when metrics were not uploaded within the set timeout timeframe:
  `Error in send: HTTPSConnectionPool(host='metrics.semgrep.dev', port=443): Read timed out. (read timeout=3)`
  As this caused confusion for users running the CLI, the log level of the message is reduced so that it appears for development and debugging purposes only. Note that metrics are still successfully uploaded, but the success status is not sent in time for the current timeout set. (app-1398)

Fixed

- taint-mode: Fixed the translation from Generic to IL for expressions like `"some string".concat(x)`. Previously, when `x` was tainted, the concat expression was not recognized as tainted and this caused false negatives. (pa-1787)
- Introduced experimental support for Swift. (gh-2232)
- Add configuration options for using a tree-sitter library installed anywhere on the system. (gh-5944)
- Updated the supply chain finding API:
  - The API is now typed and defined entirely in `semgrep_output_v0.atd`.
  - Supply chain findings now have only one dependency match, not a list, and only one resolved URL.
  - Supply chain findings now have fields called `reachable` and `reachability_rule`, which indicate whether the finding is reachable and whether it was generated by a reachability rule (a rule that had a semgrep pattern).
  - Supply chain findings now include a schema version.
  - The complete finding information sent to semgrep app now includes a mapping from lockfile paths to the number of dependencies that were present in that lockfile. (sca-197)

Fixed

- When a YAML rule file had a string that contained an ISO timestamp, that string would be parsed as a datetime object, which would then be rejected by Semgrep's rule schema validator. This is now fixed by keeping strings that contain an ISO timestamp as strings. (app-2157)
- When parsing PHP with tree-sitter, parse `$this` similar to pfff, as an `IdSpecial`. This makes it possible to match `$this` when the pattern is parsed with pfff and the program with tree-sitter. (gh-5594)
- Parse `die()` as `exit()` in tree-sitter PHP. This makes pfff and tree-sitter parse `die()` in the same way. (gh-5880)
- All: Applied a fix so that qualified identifiers can unify with metavariables. Notably, this affected Python decorators, among others. (pa-1700)
- Fixed a regression in DeepSemgrep after the experimental taint labels feature was introduced in 0.106.0. This prevented DeepSemgrep from reporting taint findings when e.g. the sink was wrapped by another function. (pa-1750)
- Fixed metavariable unification in JSON when one of the patterns is a single field. (pa-1763)
- Changed symbolic propagation such that "redundant" matches are no longer reported as findings. For instance:
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.111.1.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
- d3a6dc7 chore: Bump version to 0.111.1
- 35d5e78 fix: Mark all unreachable supply chain findings as non-blocking (#5967)
- 0e70333 AST_to_IL: Fix translation of "some string".concat(E) exprs (#5964)
- 257a5c9 Add a 'homebrew-setup' target to the main makefile (#5955)
- 12be215 add an e2e test case for blocking findings (#5954)
- 025ac12 chore: reduce log level of metrics failure message (#5961)
- a08b161 Merge pull request #5959 from returntocorp/release-0.111.0
- a6617c9 chore: Bump version to 0.111.0
- 3ad675e fix: Cast YAML timestamp to string (#5957)
- a1a3a05 update m1 osx script (#5956)
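The app-2157 entry above (an unquoted ISO timestamp in a rule file parsed as a datetime and then rejected by the rule schema validator) can be reproduced without Semgrep; this added Python example is not Semgrep's code and stands in for the "Cast YAML timestamp to string" fix listed in the commits. It assumes a constructed rule dict shaped like what a YAML 1.1 loader returns, and a minimal stand-in schema check that only accepts plain scalars.

```python
"""Illustration of the app-2157 failure mode: a YAML 1.1 loader turns an
unquoted ISO timestamp inside a rule into a datetime, which a schema that
expects strings then rejects. Casting such values back to strings before
validation is the approach shown here (example code, not Semgrep's)."""
from datetime import date, datetime, timezone
from typing import Any, List

# Constructed sample: what a YAML loader typically produces for a rule whose
# `metadata.published` was written unquoted as 2022-08-01T10:00:00Z.
LOADED_RULE: dict = {
    "id": "example-rule",
    "message": "example finding",
    "metadata": {"published": datetime(2022, 8, 1, 10, 0, tzinfo=timezone.utc)},
}

def find_non_strings(obj: Any, path: str = "") -> List[str]:
    """Minimal stand-in for a schema check: report scalar values that are not
    str/int/float/bool/None (e.g. datetime) together with their path."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in find_non_strings(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in find_non_strings(v, f"{path}[{i}]")]
    if obj is None or isinstance(obj, (str, int, float, bool)):
        return []
    return [f"{path}: {type(obj).__name__}"]

def cast_timestamps_to_str(obj: Any) -> Any:
    """Recursively replace datetime/date values with ISO-8601 strings.
    Note: the original spelling is lost once parsed (a 'Z' suffix comes back
    as '+00:00'), so quoting the value in the rule file is still the more
    faithful fix."""
    if isinstance(obj, dict):
        return {k: cast_timestamps_to_str(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [cast_timestamps_to_str(v) for v in obj]
    if isinstance(obj, (datetime, date)):
        return obj.isoformat()
    return obj

def validate_rule(rule: dict) -> bool:
    """True when the rule contains only schema-friendly scalars."""
    return not find_non_strings(rule)

if __name__ == "__main__":
    print(find_non_strings(LOADED_RULE))        # ['.metadata.published: datetime']
    fixed = cast_timestamps_to_str(LOADED_RULE)
    print(fixed["metadata"]["published"])       # 2022-08-01T10:00:00+00:00
    print(validate_rule(LOADED_RULE), validate_rule(fixed))  # False True
```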