GSSTRhythmGame2021 / DataAcquisition

Bump semgrep from 0.76.2 to 0.86.5 #68

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps semgrep from 0.76.2 to 0.86.5.

Release notes

Sourced from semgrep's releases.

Release v0.86.5

Changed

  • pin urllib3 to ~=1.26

Release v0.86.4

0.86.0 - 2022-03-24

Added

  • Semgrep can now output findings in GitLab's SAST report and secret scanning report formats with --gitlab-sast and --gitlab-secrets.
  • JSON output now includes a fingerprint of each finding. This fingerprint remains consistent when matching code is just moved around or reindented.
  • Go: use latest tree-sitter-go with support for Go 1.18 generics (#4823)
  • Terraform: basic support for constant propagation of locals (#1147) and variables (#4816)
  • HTML: you can now use metavariable ellipsis inside (#4841) (e.g., <script>$...JS</script>)
  • A semgrep ci subcommand that auto-detects settings from your CI environment and can upload findings to Semgrep App when logged in.

Changed

  • SARIF output will include matching code snippet (#4812)
  • semgrep-core should now be more tolerant to rules using future extensions by skipping those rules instead of just crashing (#4835)
  • Removed tests from published python wheel
  • Findings are now considered identical between baseline and current scans based on the same logic as Semgrep CI uses, which means:
    • Two findings are now identical after whitespace changes such as re-indentation
    • Two findings are now identical after a nosemgrep comment is added
    • Findings are now different if the same code triggered them on different lines
  • Docker image now runs as root to allow the docker image to be used in CI/CD pipelines
  • Support XDG Base directory specification (#4818)

Fixed

  • Entropy analysis: strings made of repeated characters such as 'xxxxxxxxxxxxxx' are no longer reported as having high entropy (#4833)
  • Symlinks found in directories are skipped from being scanned again. This is a fix for a regression introduced in 0.85.0.
  • HTML: multiline raw text tokens now contain the newline characters (#4855)
  • Go: fix unicode parsing bugs (#4725) by switching to latest tree-sitter-go
  • Constant propagation: A conditional expression where both alternatives are constant will also be considered constant (#4301)
  • Constant propagation now recognizes operators ++ and -- as side-effectful (#4667)

0.86.1…0.86.4 - 2022-03-25

... (truncated)

Changelog

Sourced from semgrep's changelog.

0.86.5 - 2022-03-28

Changed

  • Set minimum urllib3 version

0.86.4 - 2022-03-25

Changed

  • Increase rule fetch timeout from 20s to 30s

0.86.3 - 2022-03-25

Fixed

  • Network timeouts during rule download are now less likely.

0.86.2 - 2022-03-24

Fixed

  • Some finding fingerprints were not matching what semgrep-agent would return.

0.86.1 - 2022-03-24

Fixed

  • The fingerprint of findings ignored with # nosemgrep is supposed to be the same as if the ignore comment wasn't there. This has previously only worked for single-line findings, including in semgrep-agent. Now the fingerprint is consistent as expected for multiline findings as well.

Changed

  • --timeout-threshold default set to 3 instead of 0

0.86.0 - 2022-03-24

Added

  • Semgrep can now output findings in GitLab's SAST report and secret scanning report formats with --gitlab-sast and --gitlab-secrets.
  • JSON output now includes a fingerprint of each finding. This fingerprint remains consistent when matching code is just moved around or reindented.
  • Go: use latest tree-sitter-go with support for Go 1.18 generics (#4823)
  • Terraform: basic support for constant propagation of locals (#1147) and variables (#4816)
  • HTML: you can now use metavariable ellipsis inside (#4841)

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 2 years ago

Superseded by #77.