metavariable-regex now supports an optional constant-propagation key.
When this is set to true, information learned from constant propagation
will be used when matching the metavariable against the regex. By default
it is set to false.
Dockerfile: constant propagation now works on variables declared with ENV
shouldafound - False Negative reporting via the CLI
Changed
taint-mode: Let's say that e.g. taint(x) makes x tainted by side-effect.
Previously, we had to rely on a trick that declared that any occurrence of
x inside taint(x); ... was a taint source. If x was overwritten with
safe data, this was not recognized by the taint engine. Also, if taint(x)
occurred inside e.g. an if block, any occurrence of x outside that block
was not considered tainted. Now, if you specify that the code variable itself
is a taint source (using focus-metavariable), the taint engine will handle
this as expected, and it will not suffer from the aforementioned limitations.
We believe that this change should not break existing taint rules, but please
report any regressions that you may find.
taint-mode: Let's say that e.g. sanitize(x) sanitizes x by side-effect.
Previously, we had to rely on a trick that declared that any occurrence of
x inside sanitize(x); ... was sanitized. If x was later overwritten with
tainted data, the taint engine would still regard x as safe. Now, if you
specify that the code variable itself is sanitized (using focus-metavariable),
the taint engine will handle this as expected and it will not suffer from such
limitation. We believe that this change should not break existing taint rules,
but please report any regressions that you may find.
The dot access ellipsis now matches field accesses in addition to method
calls.
Made error message for resource exhaustion (exit code -11/-9) more actionable
Made error message for rules with patterns missing positive terms
more actionable (#5234)
In this version, we have made several performance improvements
to the code that surrounds our source parsing and matching core.
This includes file targeting, rule fetching, and similar parts of the codebase.
Running semgrep scan --config auto on the semgrep repo itself
went from 50-54 seconds to 28-30 seconds.
As part of these changes, we removed :include .gitignore and .git/
from the default .semgrepignore patterns.
This should not cause any difference in which files are targeted
as other parts of Semgrep ignore these files already.
A full breakdown of our performance updates,
including some upcoming ones,
can be found here: returntocorp/semgrep#5257
If a metrics event request times out, we no longer retry the request.
This avoids Semgrep waiting 10-20 seconds before exiting if these requests are slow.
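To make two of the rule-syntax changes in the changelog concrete (the constant-propagation key on metavariable-regex, and declaring a variable itself as a by-side-effect taint source or sanitizer with focus-metavariable), here is an added example rule file. It is not part of the Semgrep changelog or of the project's own test suite; the rule ids are placeholders, the function names taint, sanitize and sink are the placeholder names the changelog uses, and the target code in the comments is constructed for illustration.

```yaml
rules:
  # Rule 1: metavariable-regex with constant propagation.
  # Constructed target code:
  #
  #   algo = "md5"
  #   hashlib.new(algo, data)
  #
  # Without `constant-propagation: true` the regex is checked against the
  # token bound to $ALG (the identifier "algo") and nothing is reported.
  # With it, the value learned by constant propagation ("md5") is used,
  # so the weak digest is flagged. The optional quotes in the regex keep
  # the rule working whether the bound text carries string delimiters.
  - id: hashlib-weak-algorithm-constant-propagated   # placeholder id
    languages: [python]
    severity: WARNING
    message: hashlib.new() called with a weak digest algorithm
    patterns:
      - pattern: hashlib.new($ALG, ...)
      - metavariable-regex:
          metavariable: $ALG
          regex: (?i)^"?(md5|sha1)"?$
          constant-propagation: true

  # Rule 2: taint mode with a by-side-effect source and sanitizer.
  # Constructed target code, with the expected outcome per line:
  #
  #   taint(x)      # x becomes tainted by side-effect
  #   sink(x)       # finding
  #   x = "safe"    # overwritten with safe data: x is no longer tainted
  #   sink(x)       # no finding (the old "taint(x); ..." trick still flagged this)
  #   taint(x)
  #   sanitize(x)   # x is sanitized by side-effect
  #   sink(x)       # no finding
  #
  # `focus-metavariable: $X` says that the variable $X itself, not the
  # call expression taint($X) / sanitize($X), is the source (or sanitizer),
  # which is the mechanism the changelog entries describe.
  - id: side-effect-taint-example   # placeholder id
    mode: taint
    languages: [python]
    severity: ERROR
    message: tainted value reaches sink()
    pattern-sources:
      - patterns:
          - pattern: taint($X)
          - focus-metavariable: $X
    pattern-sanitizers:
      - patterns:
          - pattern: sanitize($X)
          - focus-metavariable: $X
    pattern-sinks:
      - pattern: sink(...)
```

Save the file as a rule and run it with `semgrep --config <file> <target>` against a file containing the commented target code; the first rule should produce one finding, the second exactly one (the first sink(x) call).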
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.94.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
0d23dc2 chore: Bump version to 0.94.0
b5c4f92 perf: Pass rules to core as JSON (#5272)
2200357 Add semgrep shouldafound support (#5291)
64f4bc5 Add constant propagation to Dockerfile, support constant propagation for meta...
547bc59 fix Circle CI parsing-stats job (#5303)
94d72fd fix: Attempt a match between Id and IdQualified (#5297)
fbb69b6 fix(parsing,py): Allows parentheses around context expressions (with ) (#5299)
a623afc Set up GitHub codespaces (#5131)
51be0fc perf: Reduce time taken by metrics collection (#5288)
c10e54e report # of tests passed and failed in --test output (#5161)