brave / security-action

Composite GitHub CI Action containing the minimal viable security lint for brave repositories
Mozilla Public License 2.0
17 stars 6 forks

chore(deps): update dependency semgrep to ~=1.87.0 #676

Closed renovate[bot] closed 2 months ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

Package | Change                | Age | Adoption | Passing | Confidence
semgrep | ~=1.86.0 -> ~=1.87.0  | age | adoption | passing | confidence

Release Notes

returntocorp/semgrep (semgrep)

### [`v1.87.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1870---2024-09-13)

[Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.86.0...v1.87.0)

##### Added

- Semgrep now infers more accurate type information for class fields in TypeScript. This improves taint tracking for dependency injection in TypeScript, such as in the following example:

  ```typescript
  // taintedSource(), sinkInHere() and AbstractedService are the placeholder
  // names used by this changelog example; the point is that the field type
  // of this.abstractedService is now inferred from its declaration.
  export class AppController {
    private readonly abstractedService: AbstractedService;

    constructor(abstractedService: AbstractedService) {
      this.abstractedService = abstractedService;
    }

    async taintTest() {
      const src = taintedSource();
      await this.abstractedService.sinkInHere(src);
    }
  }
  ```

  (code-7591)
- Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)
- Added support for comparing Golang pre-release versions. With this, strict core versions, pseudo-versions and pre-release versions can all be compared to each other. (sc-1739)

##### Changed

- If there is an OOM error during interfile dataflow analysis (`--pro`) Semgrep will now try to recover from it and continue the interfile analysis without falling back immediately to intrafile analysis. This allows using `--max-memory` with `--pro` in a more effective way. (flow-81)
- Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. ([gh-2051](https://redirect.github.com/returntocorp/semgrep/issues/2051))

##### Fixed

- pro: taint-mode: Restore missing taint findings after having improved index-sensitivity:

  ```python
  # taint, sink and third_party_func are the placeholder source/sink names
  # of this changelog example; the tuple element at index 1 carries the taint.
  def foo(t):
      x = third_party_func(t)
      return x

  def test1():
      t = ("ok", taint)
      y = foo(t)
      sink(y)  # now it's found!
  ```

  (code-7486)
- The Semgrep proprietary engine added a new entropy analyzer `entropy_v2` that supports strictness options. ([gh-1641](https://redirect.github.com/returntocorp/semgrep/issues/1641))

Configuration

📅 Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
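The TypeScript item in the release notes above says the better class-field type inference improves taint tracking for dependency injection. The following taint-mode rule is an added example (it is not from the semgrep changelog, nor from the brave/security-action repository) that reports the flow shown there: a value returned by `taintedSource()` reaching `this.abstractedService.sinkInHere()`. The rule id, message, severity and the `sanitize(...)` sanitizer are assumptions chosen for this example; `taintedSource` and `sinkInHere` are the placeholder names from the release note.

```yaml
# Added example, not semgrep's own or brave/security-action's code.
# Taint rule for the v1.87.0 changelog snippet: taintedSource() is the
# source, the argument of any *.sinkInHere(...) call is the sink, and a
# hypothetical sanitize(...) call breaks the flow.
rules:
  - id: tainted-source-reaches-injected-sink
    mode: taint
    languages: [typescript]
    severity: WARNING
    message: >-
      A value returned by taintedSource() reaches sinkInHere() without
      passing through sanitize().
    pattern-sources:
      - pattern: taintedSource()
    pattern-sinks:
      - patterns:
          # Match the call on any receiver, including an injected class
          # field such as this.abstractedService, and mark only the
          # argument as the sink so the finding points at the tainted value.
          - pattern: $SVC.sinkInHere($ARG)
          - focus-metavariable: $ARG
    pattern-sanitizers:
      - pattern: sanitize(...)
```

Save the rule as `rule.yaml`, put the `AppController` class from the release note in `app.ts`, and run `semgrep --config rule.yaml app.ts`; the expected result is one finding on the `sinkInHere(src)` line. `semgrep --validate --config rule.yaml` checks the rule's syntax before it is wired into CI.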

github-actions[bot] commented 2 months ago

[puLL-Merge] - returntocorp/semgrep@v1.86.0..v1.87.0

Description

This PR implements several changes to the semgrep codebase, primarily focusing on refactoring the taint analysis and rule validation logic. Key changes include:

  1. Restructuring the taint shape and signature handling in the Taint_sig module.
  2. Updating the rule validation process to use an RPC-based approach.
  3. Refactoring the test subcommand to improve handling of dependencies and rule testing.
  4. Various updates to CLI commands and output formats.
Changes

  1. `src/tainting/Taint_sig.ml` and `src/tainting/Taint_sig.mli`:
     - Introduced new types for taint shapes and cells.
     - Implemented functions for shape manipulation and taint propagation.
  2. `src/rule/Rule.ml`:
     - Added `entropy_analysis_mode` to `metavar_analysis_kind`.
  3. `src/parsing/Parse_rule_formula.ml`:
     - Updated parsing logic for analyzer options.
  4. `cli/src/semgrep/rule_lang.py`:
     - Introduced RPC-based validation for rules.
  5. `cli/src/semgrep/core_runner.py`:
     - Updated `plan_core_run` to handle SCA subprojects.
  6. `cli/src/semgrep/cli_test/Test_subcommand.ml`:
     - Refactored test running logic to improve dependency handling.
  7. Various updates to CLI output formatting and error handling across multiple files.
  8. Removed `cli/src/semgrep/rule_model.py`, replacing Pydantic-based validation with RPC-based validation.
  9. Updated version numbers and changelog entries.

Possible Issues

  1. The removal of Pydantic-based validation might affect existing workflows that depend on this validation method.
  2. The changes to taint analysis might require updates to existing rules or custom analyzers.

Security Hotspots

  1. The introduction of RPC-based rule validation (validate function in RPC_return.ml) should be carefully reviewed to ensure it doesn't introduce new security vulnerabilities.
  2. Changes to taint propagation logic in Taint_sig.ml should be thoroughly tested to ensure no regressions in security analysis capabilities.