GSSTRhythmGame2021 / DataAcquisition


Bump semgrep from 0.76.2 to 0.95.0 #92

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps semgrep from 0.76.2 to 0.95.0.

Release notes

Sourced from semgrep's releases.

Release v0.95.0

0.95.0 - 2022-06-02

Added

  • Sarif output format now includes fixes section
  • Rust: added support for method chaining patterns.
  • r2c-internal-project-depends-on: support for poetry and gradle lockfiles
  • M1 Mac support added to PyPi
  • Accept SEMGREP_BASELINE_REF as alias for SEMGREP_BASELINE_COMMIT
  • r2c-internal-project-depends-on:
    • pretty printing for SCA results
    • support for poetry and gradle lockfiles
  • taint-mode: Taint tracking will now analyze lambdas in their surrounding context. Previously, if a variable became tainted outside a lambda, and this variable was used inside the lambda causing the taint to reach a sink, this was not being detected because any nested lambdas were "opaque" to the analysis. (Taint tracking looked at lambdas but as isolated functions.) Now lambdas are simply analyzed as if they were statement blocks. However, taint tracking still does not follow the flow of taint through the lambda's arguments!
  • Metrics now include an anonymous Event ID. This is an ID generated at send-time and will be used to de-duplicate events that potentially get duplicated during transmission.
  • Metrics now include an anonymous User ID. This ID is stored in the ~/.semgrep/settings.yml file. If the ID disappears, the next run will generate a new one randomly. See the Anonymous User ID in PRIVACY.md for more details.

Changed

  • The ci CLI command will now include ignored matches in output formats that dictate they should always be included
  • Previously, you could use $X in a message to interpolate the variable captured by a metavariable named $X, but there was no way to access the underlying value. However, sometimes that value is more important than the captured variable. Now you can use the syntax value($X) to interpolate the underlying propagated value if it exists (if not, it will just use the variable name). Example: Take a target file that looks like
    x = 42
    log(x)
    
    Now take a rule to find that log command:
    - id: example_log
      message: Logged $SECRET: value($SECRET)
      pattern: log(42)
      languages: [python]
    
    Before, this would have given you the message Logged x: value(x). Now, it will give the message Logged x: 42.
  • A parameter pattern without a default value can now match a parameter with a default value (#5021)

... (truncated)

Changelog

Sourced from semgrep's changelog.

0.95.0 - 2022-06-02

Added

  • Sarif output format now includes fixes section
  • Rust: added support for method chaining patterns.
  • r2c-internal-project-depends-on: support for poetry and gradle lockfiles
  • M1 Mac support added to PyPi
  • Accept SEMGREP_BASELINE_REF as alias for SEMGREP_BASELINE_COMMIT
  • r2c-internal-project-depends-on:
    • pretty printing for SCA results
    • support for poetry and gradle lockfiles
  • taint-mode: Taint tracking will now analyze lambdas in their surrounding context. Previously, if a variable became tainted outside a lambda, and this variable was used inside the lambda causing the taint to reach a sink, this was not being detected because any nested lambdas were "opaque" to the analysis. (Taint tracking looked at lambdas but as isolated functions.) Now lambdas are simply analyzed as if they were statement blocks. However, taint tracking still does not follow the flow of taint through the lambda's arguments!
  • Metrics now include an anonymous Event ID. This is an ID generated at send-time and will be used to de-duplicate events that potentially get duplicated during transmission.
  • Metrics now include an anonymous User ID. This ID is stored in the ~/.semgrep/settings.yml file. If the ID disappears, the next run will generate a new one randomly. See the Anonymous User ID in PRIVACY.md for more details.

Changed

  • The ci CLI command will now include ignored matches in output formats that dictate they should always be included

  • Previously, you could use $X in a message to interpolate the variable captured by a metavariable named $X, but there was no way to access the underlying value. However, sometimes that value is more important than the captured variable. Now you can use the syntax value($X) to interpolate the underlying propagated value if it exists (if not, it will just use the variable name).

    Example:

    Take a target file that looks like

    x = 42
    log(x)
    

    Now take a rule to find that log command:

    - id: example_log
      message: Logged $SECRET: value($SECRET)
      pattern: log(42)
      languages: [python]
    

... (truncated)

Commits
  • 4c79d73 chore: Bump version to 0.95.0
  • d007f82 feat: Use value($X) to interpolate the value of a metavar (#5370)
  • be98d59 chore(tests): fix tests to include shouldafound output (#5412)
  • 2c2ea7c add(ci): M1 Mac Support (#5373)
  • bbe9ef5 include sca output in app findings (#5385)
  • 58bca12 Merge pull request #5386 from returntocorp/bence/anonid
  • 8a8371b feat(metrics): Add anonymous_user_id
  • c09fdce refactor: Move env vars onto SemgrepState
  • eab7046 refactor: Move settings onto SemgrepState
  • 8271b14 feat(metrics): Add event_id
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] commented 2 years ago

Superseded by #93.