search

HackUCF / OnboardLite

MIT License
0 stars 2 forks source link

Update dependency semgrep to v1.90.0 #205

Open renovate[bot] opened 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semgrep ==1.85.0 -> ==1.90.0 age adoption passing confidence

Release Notes

returntocorp/semgrep (semgrep) ### [`v1.90.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1900---2024-09-25) [Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.89.0...v1.90.0) ##### Added - Expanded support for requirement lockfiles. Semgrep will now find any `*requirement*.txt` file and lockfiles in a requirements folder (`**/requirements/*.txt`). This functionality will be gated behind the `--enable-experimental-requirements` CLI flag. (sc-1752) ##### Changed - Security update for code snippet storage & access methods. ([gh-2038](https://redirect.github.com/returntocorp/semgrep/issues/2038)) ##### Fixed - Errors that occur in semgrep scans with jobs > 1 will now have more detail (SAF-1628) - Dockerfile matching: `CMD $...ARGS` now behaves like `CMD ...` and matches any CMD instruction that uses the array syntax such as `CMD ["ls"]`. This fix also applies to the other command-like instructions RUN and ENTRYPOINT. ([gh-9726](https://redirect.github.com/returntocorp/semgrep/issues/9726)) - Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like `Foo()` will now be inferred properly to be of type `Foo`. (saf-1537) ### [`v1.89.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1890---2024-09-19) [Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.88.0...v1.89.0) ##### Fixed - Fix crash on certain SCA parse errors caused by an access to an unbound variable. ([gh-2259](https://redirect.github.com/returntocorp/semgrep/issues/2259)) ### [`v1.88.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1880---2024-09-18) [Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.87.0...v1.88.0) ##### Added - The dataflow analysis in the Pro engine can now track method invocations on variables of an interface type, safely assuming that any implementation of the method can be called. For example, tainted input vulnerabilities in both implementation classes can now be detected in the following code: ````java public interface MovieService { String vulnerableInjection(String input); } public class SimpleImpl implements MovieService { @​Override public String vulnerableInjection(String input) { return sink(input); } } public class MoreImpl implements MovieService { @​Override public String vulnerableInjection(String input) { return sink(input); } } public class AppController { private MovieService movieService; public String pwnTest(String taintedInput) { return movieService.vulnerableInjection(taintedInput); } } ``` (code-7435) ```` - Type inference for constructor parameter properties in TypeScript is now supported in the Pro engine. For example, the taint analysis can recognize that `sampleFunction` is defined in `AbstractedService` class in the following code: export class AppController { constructor(private readonly abstractedService: AbstractedService) {} async taintTest() { const src = source(); await this.abstractedService.sampleFunction(src); } } ``` (code-7597) ##### Changed - include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. ([gh-2033](https://redirect.github.com/returntocorp/semgrep/issues/2033)) ### [`v1.87.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1870---2024-09-13) [Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.86.0...v1.87.0) ##### Added - Semgrep now infers more accurate type information for class fields in TypeScript. This improves taint tracking for dependency injection in TypeScript, such as in the following example: export class AppController { private readonly abstractedService: AbstractedService; constructor(abstractedService: AbstractedService) { this.abstractedService = abstractedService; } async taintTest() { const src = taintedSource(); await this.abstractedService.sinkInHere(src); } } ``` (code-7591) - Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs) - Added support for comparing Golang pre-release versions. With this, strict core versions, pseudo-versions and pre-release versions can all be compared to each other. (sc-1739) ##### Changed - If there is an OOM error during interfile dataflow analysis (`--pro`) Semgrep will now try to recover from it and continue the interfile analysis without falling back immediately to intrafile analysis. This allows using `--max-memory` with `--pro` in a more effective way. (flow-81) - Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. ([gh-2051](https://redirect.github.com/returntocorp/semgrep/issues/2051)) ##### Fixed - pro: taint-mode: Restore missing taint findings after having improved index- sensitivity: def foo(t): x = third_party_func(t) return x def test1(): t = ("ok", taint) y = foo(t) sink(y) # now it's found! (code-7486) - The Semgrep proprietary engine added a new entropy analyzer `entropy_v2` that supports strictness options. ([gh-1641](https://redirect.github.com/returntocorp/semgrep/issues/1641)) ### [`v1.86.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1860---2024-09-04) [Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.85.0...v1.86.0) ##### Added - The taint analysis can now track method invocations on variables of an interface type, when there is a single implementation. For example, the tainted input vulnerability can now be detected in the following code: ```java public interface MovieService { String vulnerableInjection(String input); } @​Service public class MovieServiceImpl implements MovieService { @​Override public String vulnerableInjection(String input) { return sink(input); } } @​RestController("/") public class SpringController { @​Autowired private MovieService movieService; @​GetMapping("/pwn") public String pwnTest(@​RequestParam("input") String taintedInput) { return movieService.vulnerableInjection(taintedInput); } } ``` When there are multiple implementations, the taint analysis will not follow any of them. We will add handling of cases with multiple implementations in upcoming updates. (code-7434) - Uses of values imported via ECMAScript `default` imports (e.g., `import example from 'mod';`) can now be matched by qualified name patterns (e.g., `mod.default`). (code-7463) - Pro: taint-mode: Allow (experimental) control taint to propagate through `return`s. Now this taint rule: pattern-sources: - control: true pattern: taint() pattern-sinks: - pattern: sink() It is able to find this: def foo(): taint() def test(): foo() sink() # now it is found! (code-7490) - A new flag --max-log-list-entries allows to control the maximum number of entries that will be shown in the log (e.g., list of rule ids, list of skipped files). A zero or negative value disables this filter. The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries) ##### Changed - Semgrep will now log memory-related warnings/errors when run in `--debug` mode, without the need to set `SEMGREP_LOG_SRCS=process_limits`. (logging) ##### Fixed - Fixed inter-file constant propagation to prevent some definitions from being incorrectly identified as constant, when they are modified in other parts of the codebase. (code-6793) - pro: taint-mode: Fixed bug in taint signature instantiation that could cause an update to a field in a nested object to not be tracked. For example, in the code below, Semgrep knew that `Nested.update` updates the `fld` attribute of a `Nested` object` . But due to this bug, Semgrep would not know that `Wrapper.update`updated the`fld`attribute of the`nested`object attribute in a`Wrapper\` object. public class Nested { private String fld; public void update(String str) { fld = str; } // ... } public class Wrapper { private Nested nested; public void update(String str) { this.nested.update(str); } // ... } (code-7499) - Fixed incorrect range matching parametrized type expressions in Julia ([gh-10467](https://redirect.github.com/returntocorp/semgrep/issues/10467)) - Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports) - Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465) - Fixed regex-fix numbered capture groups, where it used to be the case that a `replacement:` regex with numbered capture groups like `\1\2\3` would effectivly be the same as `\1\1\1`. After the fix: ```python ```

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.