brave / security-action

Composite GitHub CI Action containing the minimal viable security lint for brave repositories
Mozilla Public License 2.0

chore(deps): update dependency semgrep to ~=1.90.0 #678

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| semgrep | `~=1.87.0` -> `~=1.90.0` | age | adoption | passing | confidence |

Release Notes

returntocorp/semgrep (semgrep)

### [`v1.90.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1900---2024-09-25)

[Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.89.0...v1.90.0)

##### Added

- Expanded support for requirement lockfiles. Semgrep will now find any `*requirement*.txt` file and lockfiles in a requirements folder (`**/requirements/*.txt`). This functionality will be gated behind the `--enable-experimental-requirements` CLI flag. (sc-1752)

##### Changed

- Security update for code snippet storage & access methods. ([gh-2038](https://redirect.github.com/returntocorp/semgrep/issues/2038))

##### Fixed

- Errors that occur in semgrep scans with jobs > 1 will now have more detail. (SAF-1628)
- Dockerfile matching: `CMD $...ARGS` now behaves like `CMD ...` and matches any CMD instruction that uses the array syntax such as `CMD ["ls"]`. This fix also applies to the other command-like instructions RUN and ENTRYPOINT. ([gh-9726](https://redirect.github.com/returntocorp/semgrep/issues/9726))
- Pro Engine: There is now improved type inference in Kotlin and Scala. Constructor invocations like `Foo()` will now be inferred properly to be of type `Foo`. (saf-1537)

### [`v1.89.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1890---2024-09-19)

[Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.88.0...v1.89.0)

##### Fixed

- Fix crash on certain SCA parse errors caused by an access to an unbound variable. ([gh-2259](https://redirect.github.com/returntocorp/semgrep/issues/2259))

### [`v1.88.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1880---2024-09-18)

[Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.87.0...v1.88.0)

##### Added

- The dataflow analysis in the Pro engine can now track method invocations on variables of an interface type, safely assuming that any implementation of the method can be called. For example, tainted input vulnerabilities in both implementation classes can now be detected in the following code:

  ```java
  public interface MovieService {
      String vulnerableInjection(String input);
  }

  public class SimpleImpl implements MovieService {
      @Override
      public String vulnerableInjection(String input) {
          return sink(input);
      }
  }

  public class MoreImpl implements MovieService {
      @Override
      public String vulnerableInjection(String input) {
          return sink(input);
      }
  }

  public class AppController {
      private MovieService movieService;

      public String pwnTest(String taintedInput) {
          return movieService.vulnerableInjection(taintedInput);
      }
  }
  ```

  (code-7435)

- Type inference for constructor parameter properties in TypeScript is now supported in the Pro engine. For example, the taint analysis can recognize that `sampleFunction` is defined in the `AbstractedService` class in the following code:

  ```typescript
  export class AppController {
    constructor(private readonly abstractedService: AbstractedService) {}

    async taintTest() {
      const src = source();
      await this.abstractedService.sampleFunction(src);
    }
  }
  ```

  (code-7597)

##### Changed

- Include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. ([gh-2033](https://redirect.github.com/returntocorp/semgrep/issues/2033))

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.