- Files where only some part of the code had to be skipped due to a parse failure will now be listed as "partially scanned" in the end-of-scan skip report.
- Licensing: The ocaml-tree-sitter-core component is now distributed under the terms of the LGPL 2.1, rather than previously GPL 3.
- A new field was added to metrics collection: isAuthenticated. This is a boolean flag which is true if you ran semgrep login.
Fixed
- semgrep ci used to incorrectly report the base branch as a CI job's branch when running on a pull_request_target event in GitHub Actions. By fixing this, Semgrep App can now track issue status history with on: pull_request_target jobs.
- Metrics events were missing timestamps even though PRIVACY.md had already documented a timestamp field.
Release v0.92.1
Added
- Dataflow: The dataflow engine now handles if-then-else expressions as in OCaml, Ruby, etc. Previously it only handled if-then-else statements. (#4965)
Fixed
- Kotlin: support for ellipsis in class parameters, e.g. class Foo(...) {} (#5180)
- fixed_lines is once again included in JSON output when running with --autofix --dryrun
Release v0.92.0
Added
- The JSON output of semgrep scan is now fully specified using ATD (https://atd.readthedocs.io/) and jsonschema (https://json-schema.org/). See the semgrep-interfaces submodule under interfaces/ (e.g., interfaces/semgrep-interfaces/Semgrep_output_v0.atd for the ATD spec).
- The JSON output of semgrep scan now contains a "version": field with the version of Semgrep used to generate the match results.
- taint-mode: Previously, to declare a function parameter as a taint source, we had to rely on a trick that declared that any occurrence of the parameter was a taint source. If the parameter was overwritten with safe data, this was not recognized by the taint engine. Now, focus-metavariable can be used to precisely specify that a function parameter is a source of taint, and the taint engine will handle this as expected.
- taint-mode: Add basic support for object destructuring in languages such as JavaScript. For example, given let {x} = E, Semgrep will now infer that x is tainted if E is tainted.
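As an added illustration of the two taint-mode entries above (an example rule written for this page, not taken from the Semgrep changelog or the Semgrep project), the rule below uses focus-metavariable inside a taint source so that only the function parameter itself is the source: a later reassignment with a safe literal is no longer reported, while a value pulled out of the parameter by object destructuring is. The rule id, the message, and the runQuery()/escape() function names are assumptions chosen for the example; the target snippet in the trailing comment is constructed.

```yaml
# Added example rule (not from the Semgrep changelog): mark a function
# parameter as the taint source via focus-metavariable. The rule id, message
# and the sink/sanitizer names are assumptions made for this illustration.
rules:
  - id: parameter-flows-to-query
    mode: taint
    languages: [javascript]
    severity: WARNING
    message: >-
      A function parameter reaches runQuery() without passing through escape()
    pattern-sources:
      # Only the parameter binding is the source, not every later occurrence of
      # the same name. Reassigning it with untainted data therefore clears taint.
      - patterns:
          - pattern-inside: |
              function $F(..., $P, ...) { ... }
          - focus-metavariable: $P
    pattern-sanitizers:
      # Assumed sanitizer: anything that went through escape() is clean.
      - pattern: escape(...)
    pattern-sinks:
      # Assumed sink: any argument of runQuery() that is still tainted.
      - pattern: runQuery(...)

# Constructed JavaScript target this rule is meant to be run against:
#
#   function handler(req) {
#     runQuery(req);              // finding: req is a parameter, so tainted
#     const { name } = req;       // destructuring: name inherits req's taint
#     runQuery(name);             // finding
#     runQuery(escape(name));     // no finding: sanitized
#     req = "SELECT 1";           // parameter overwritten with a safe literal
#     runQuery(req);              // no finding: the source was the parameter
#   }                             // binding, not every occurrence of `req`
```

Run it as `semgrep --config rule.yaml target.js`; with the older "any occurrence of the parameter" trick the last runQuery(req) call would still have been reported, which is the behaviour the v0.92.0 entry describes as fixed.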
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.93.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
- 6c6abbd chore: Bump version to 0.93.0
- fde6398 fix(ci): Report correct ref for pull_request_target events (#5245)
- 437b523 fix(user_agent): Remove double parentheses (#5246)
- 4c7cd49 chore(metrics): Add isAuthenticated flag (#5225)
- 6a6a93e Update pytest snapshots (#5242)
- 05b5811 Add info to version.py (#5233)
- 7f14d41 chore: Bump version to 0.92.1 (#5218)
- a9b7b94 [JS/TS] allow ellipsis in import (#5237)
- 5d6c4c9 [JS] allow '...' in binding_pattern (#5236)
- 4165b42 feat(swift): Handle most class declarations (#5226)