GSSTRhythmGame2021 / DataAcquisition

Bump semgrep from 0.76.2 to 0.84.0 #56

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps semgrep from 0.76.2 to 0.84.0.

Release notes

Sourced from semgrep's releases.

Release v0.84.0

Added

  • new --show-supported-languages CLI flag to display the list of languages supported by semgrep. Thanks to John Wu for his contribution! (#4754)
  • --validate will check that metavariable-x doesn't use an invalid metavariable
  • Add r2c-internal-project-depends on support for Java, Go, Ruby, and Rust
  • PHP: .tpl files are now considered PHP files (#4763)
  • Scala: Support for custom string interpolators (#4655)
  • Scala: Support parsing Scala scripts that contain plain definitions outside an Object or Class
  • JSX: JSX singleton elements (a.k.a XML elements), e.g., <foo /> used to match also more complex JSX elements, e.g., <foo >some child</foo>. This can now be disabled via rule options: with xml_singleton_loose_matching: false (#4730)
  • JSX: new matching option xml_attrs_implicit_ellipsis that allows disabling the implicit ... that was added to JSX attributes patterns.
  • new focus-metavariable: experimental operator (#4735) (the syntax may change in the near future)

Fixed

  • Report parse errors even when invoked with --strict
  • Show correct findings count when using --config auto (#4674)
  • Kotlin: store trailing lambdas in the AST (#4741)
  • Autofix: Semgrep no longer errors during --dry-runs where one fix changes the line numbers in a file that also has a second autofix.
  • Performance regression when running with --debug (#4761)
  • Allow metrics flag and metrics env var at the same time if both are set to the same value (#4703)
  • Scan yarn.lock dependencies that do not specify a hash
  • Run project-depends-on rules with only pattern-inside at their leaves
  • Dockerfile patterns no longer need a trailing newline (#4773)

Release v0.83.0

Added

  • semgrep saves logs of last run to ~/.semgrep/last.log
  • A new recursive operator, -->, for join mode rules for recursively chaining together Semgrep rules based on metavariable contents.
  • Semgrep now lists the scanned paths in its JSON output under the paths.scanned key.
  • When using --verbose, the skipped paths are also listed under the paths.skipped key.
  • C#: added support for typed metavariables (#4657)
  • Undocumented, experimental metavariable-analysis feature supporting two kinds of analyses: prediction of regular expression denial-of-service vulnerabilities (ReDoS, redos analyzer, #4700) and high-entropy string detection (entropy analyzer, #4672).
  • A new subcommand semgrep publish allows users to upload private, unlisted, or public rules to the Semgrep Registry

... (truncated)

Changelog

Sourced from semgrep's changelog.

0.84.0 - 2022-03-09

Added

  • new --show-supported-languages CLI flag to display the list of languages supported by semgrep. Thanks to John Wu for his contribution! (#4754)
  • --validate will check that metavariable-x doesn't use an invalid metavariable
  • Add r2c-internal-project-depends on support for Java, Go, Ruby, and Rust
  • PHP: .tpl files are now considered PHP files (#4763)
  • Scala: Support for custom string interpolators (#4655)
  • Scala: Support parsing Scala scripts that contain plain definitions outside an Object or Class
  • JSX: JSX singleton elements (a.k.a XML elements), e.g., <foo /> used to match also more complex JSX elements, e.g., <foo >some child</foo>. This can now be disabled via rule options: with xml_singleton_loose_matching: false (#4730)
  • JSX: new matching option xml_attrs_implicit_ellipsis that allows disabling the implicit ... that was added to JSX attributes patterns.
  • new focus-metavariable: experimental operator (#4735) (the syntax may change in the near future)

Fixed

  • Report parse errors even when invoked with --strict
  • Show correct findings count when using --config auto (#4674)
  • Kotlin: store trailing lambdas in the AST (#4741)
  • Autofix: Semgrep no longer errors during --dry-runs where one fix changes the line numbers in a file that also has a second autofix.
  • Performance regression when running with --debug (#4761)
  • SARIF output formatter not handling lists of OWASP or CWE metadata (#4673)
  • Allow metrics flag and metrics env var at the same time if both are set to the same value (#4703)
  • Scan yarn.lock dependencies that do not specify a hash
  • Run project-depends-on rules with only pattern-inside at their leaves
  • Dockerfile patterns no longer need a trailing newline (#4773)

0.83.0 - 2022-02-24

Added

  • semgrep saves logs of last run to ~/.semgrep/last.log
  • A new recursive operator, -->, for join mode rules for recursively chaining together Semgrep rules based on metavariable contents.
  • Semgrep now lists the scanned paths in its JSON output under the paths.scanned key.
  • When using --verbose, the skipped paths are also listed under the paths.skipped key.
  • C#: added support for typed metavariables (#4657)
  • Undocumented, experimental metavariable-analysis feature supporting two kinds of analyses: prediction of regular expression

... (truncated)

Commits
  • 8b5e886 Release 0.84.0
  • 4ea97d7 [JSX] new option: xml_singleton_loose_matching (#4774)
  • 1102792 Allow dockerfile patterns without a trailing newline (#4773)
  • 9698023 Parse Scala files that contain plain blocks (#4769)
  • 842c986 project-depends-on: scan yarn.lock dependencies without hashes, and run rules...
  • a9a3537 get rid of bad log4j version (#4768)
  • 59e4523 Support custom string interpolators (#4767)
  • 169f0a0 fix(metrics): dont raise if both metrics value are the same (#4703)
  • dc1ade9 Support Java, Go, Ruby, and Rust in project-depends-on patterns (#4699)
  • 03940f0 chore(docker): pin primary build by sha hash (#4750)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] commented 2 years ago

Superseded by #60.