- Generic mode: new option generic_ellipsis_max_span for controlling how many lines an ellipsis can match (#5211)
- Generic mode: new option generic_comment_style for ignoring comments that follow the specified syntax (C style, C++ style, or Shell style) (#3428)
- Metrics now include a list of features used during an execution. Examples of such features are: languages scanned, CLI options passed, keys used in rules, or certain code paths reached, such as using an :include instruction in a .semgrepignore file. These strings will NOT include user data or specific settings. As an example, with semgrep scan --output=secret.txt we might send "option/output" but will NOT send "option/output=secret.txt".
Changed
- The output summarizing a scan's results has been simplified.
- r2c-internal-project-depends-on: support for poetry and gradle lockfiles
- M1 Mac support added to PyPi
- Accept SEMGREP_BASELINE_REF as alias for SEMGREP_BASELINE_COMMIT
- r2c-internal-project-depends-on:
  - pretty printing for SCA results
  - support for poetry and gradle lockfiles
- taint-mode: Taint tracking will now analyze lambdas in their surrounding context. Previously, if a variable became tainted outside a lambda, and this variable was used inside the lambda causing the taint to reach a sink, this was not being detected because any nested lambdas were "opaque" to the analysis. (Taint tracking looked at lambdas but as isolated functions.) Now lambdas are simply analyzed as if they were statement blocks. However, taint tracking still does not follow the flow of taint through the lambda's arguments!
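To make the three situations in that entry concrete (tainted variable captured by a lambda body, taint handed in through a lambda's argument, and a variable overwritten with clean data before the lambda is written), here is an added toy illustration in Python. It is not semgrep's engine and works nothing like it: it walks a single function with the standard `ast` module, uses the constructed names `source()` and `sink()` as the taint source and sink, and can be run with lambdas either opaque (the old behaviour) or inlined as statement blocks (the new one). Lambda parameters are never marked tainted, so the "through the arguments" case is missed in both modes, as the changelog says.

```python
import ast

SOURCES = {"source"}   # constructed name: a function returning untrusted data
SINKS = {"sink"}       # constructed name: a function that must not receive it

# Constructed sample target; line numbers in the results refer to this string.
SAMPLE = '''
def handler(request):
    x = source(request)
    run = lambda: sink(x)          # tainted x captured by the lambda body
    run()
    (lambda y: sink(y))(x)         # taint enters only through the lambda's argument
    x = "safe"
    cleanup = lambda: sink(x)      # x was overwritten with clean data first
'''


def _name_of(call):
    return call.func.id if isinstance(call.func, ast.Name) else None


def _is_tainted(expr, tainted):
    """True if expr mentions a tainted variable or calls a source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _name_of(sub) in SOURCES:
            return True
    return False


def _calls(expr, opaque_lambdas):
    """Yield every Call node in expr. With opaque_lambdas=True the body of any
    lambda is never entered, which models the pre-0.96 behaviour."""
    stack = [expr]
    while stack:
        node = stack.pop()
        if opaque_lambdas and isinstance(node, ast.Lambda):
            continue
        if isinstance(node, ast.Call):
            yield node
        stack.extend(ast.iter_child_nodes(node))


def find_leaks(src, opaque_lambdas):
    """Return the line numbers of sink calls that receive tainted data in the
    first function of src, processing its body statement by statement. A lambda
    body is checked against the variables tainted at the point the lambda is
    written (as if inlined); a lambda's own parameters are never tainted."""
    func = ast.parse(src).body[0]
    tainted, leaks = set(), []
    for stmt in func.body:
        if not isinstance(stmt, (ast.Assign, ast.Expr)):
            continue  # toy: other statement kinds are not modelled
        for call in _calls(stmt.value, opaque_lambdas):
            if _name_of(call) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                leaks.append(call.lineno)
        if isinstance(stmt, ast.Assign):
            # Propagate taint through plain assignments; assigning a lambda or a
            # clean value to a name clears it.
            value_tainted = _is_tainted(stmt.value, tainted) and not isinstance(stmt.value, ast.Lambda)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    (tainted.add if value_tainted else tainted.discard)(target.id)
    return leaks


if __name__ == "__main__":
    print("opaque lambdas (old):", find_leaks(SAMPLE, opaque_lambdas=True))   # []
    print("inlined lambdas (new):", find_leaks(SAMPLE, opaque_lambdas=False))  # [4]
```

Only the capture on line 4 of the sample is reported, and only when lambdas are inlined; the call on line 6 stays invisible in both modes because nothing ties the parameter `y` to the tainted argument `x`.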
- Metrics now include an anonymous Event ID. This is an ID generated at send-time and will be used to de-duplicate events that potentially get duplicated during transmission.
- Metrics now include an anonymous User ID. This ID is stored in the ~/.semgrep/settings.yml file. If the ID disappears, the next run will generate a new one randomly. See the Anonymous User ID in PRIVACY.md for more details.
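The three metrics entries (feature names without values, a per-send Event ID for de-duplication, and a random User ID persisted in a settings file that is regenerated if it disappears) together describe a data-minimization design for telemetry. The following is an added Python sketch of that design, not semgrep's own metrics code; it assumes a JSON settings file in place of settings.yml so it stays standard-library only, and the option names and language list are constructed.

```python
import json
import tempfile
import uuid
from pathlib import Path


def features_from_argv(argv, languages=()):
    """Map a CLI invocation to feature strings that name WHICH options were used
    but never their values: '--output=secret.txt' becomes 'option/output'.
    Positional arguments and option values are dropped entirely."""
    features = set()
    for arg in argv:
        if arg.startswith("-") and arg != "-":
            name = arg.lstrip("-").split("=", 1)[0]
            if name:
                features.add(f"option/{name}")
    for lang in languages:
        features.add(f"language/{lang}")
    return sorted(features)


def anonymous_user_id(settings_path):
    """Load the per-install anonymous User ID, creating a fresh random one when the
    settings file or the key is missing (assumption: JSON file, not settings.yml)."""
    settings_path = Path(settings_path)
    settings = {}
    if settings_path.exists():
        settings = json.loads(settings_path.read_text() or "{}")
    if "anonymous_user_id" not in settings:
        settings["anonymous_user_id"] = str(uuid.uuid4())
        settings_path.write_text(json.dumps(settings))
    return settings["anonymous_user_id"]


def build_event(argv, languages, settings_path):
    """One metrics event: a fresh Event ID generated at send time, the stable
    User ID, and the masked feature list. No argv value is ever copied in."""
    return {
        "event_id": str(uuid.uuid4()),
        "anonymous_user_id": anonymous_user_id(settings_path),
        "features": features_from_argv(argv, languages),
    }


def dedupe_events(events):
    """Receiver side: a retried transmission re-sends the same event_id, so keep
    only the first copy of each."""
    seen, kept = set(), []
    for event in events:
        if event["event_id"] not in seen:
            seen.add(event["event_id"])
            kept.append(event)
    return kept


def demo():
    """Exercise the pieces end to end in a temp dir and return checkable facts."""
    with tempfile.TemporaryDirectory() as tmp:
        settings = Path(tmp) / "settings.json"
        argv = ["scan", "--output=secret.txt", "--config", "p/ci", "-v"]  # constructed
        first = build_event(argv, ["python", "go"], settings)
        second = build_event(argv, ["python", "go"], settings)
        received = dedupe_events([first, first, second])  # first event duplicated on the wire
        settings.unlink()  # the stored ID disappeared: next run must mint a new one
        third = build_event(argv, [], settings)
        payload = json.dumps(first)
        return {
            "features": first["features"],
            "leaks_value": "secret.txt" in payload or "p/ci" in payload,
            "user_id_stable": first["anonymous_user_id"] == second["anonymous_user_id"],
            "user_id_rotated": third["anonymous_user_id"] != first["anonymous_user_id"],
            "event_ids_differ": first["event_id"] != second["event_id"],
            "received": len(received),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check worth keeping from this is the `leaks_value` one: serialize the whole event and grep it for every value that was on the command line before it leaves the machine.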
Fixed
- M1 Mac installed via pip now links tree-sitter properly
- Restore --sca
Changed
- The ci CLI command will now include ignored matches in output formats that dictate they should always be included
- Previously, you could use $X in a message to interpolate the variable captured
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps semgrep from 0.76.2 to 0.96.0.
Release notes
Sourced from semgrep's releases.
... (truncated)
Changelog
Sourced from semgrep's changelog.
... (truncated)
Commits
- 470575b Update changelog
- 33f326b chore: Bump version to 0.96.0
- c7ef807 feat(metrics): Mask details of reported registry queries (#5426)
- 179e0da Merge pull request #5414 from returntocorp/release-0.95.0
- 69869a7 pre-commit
- 97805fa Merge branch 'develop' into release-0.95.0
- b4a4480 Update build script (#5427)
- 221dfab Revert "include sca output in app findings (#5385)" (#5428)
- aa25a08 Upgrade release-docker workflow (#5417)
- 906e364 style: Remove "internal rules" from ci output (#5323)