brave / security-action

Composite GitHub CI Action containing the minimal viable security lint for brave repositories
Mozilla Public License 2.0
17 stars, 6 forks

chore(deps): update dependency semgrep to ~=1.91.0 #688

Status: closed. renovate[bot] closed this 1 month ago.

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change |
| --- | --- |
| semgrep | `~=1.90.0` -> `~=1.91.0` |

Release Notes

**returntocorp/semgrep (semgrep)**

### [`v1.91.0`](https://redirect.github.com/returntocorp/semgrep/blob/HEAD/CHANGELOG.md#1910---2024-10-10)

[Compare Source](https://redirect.github.com/returntocorp/semgrep/compare/v1.90.0...v1.91.0)

##### Added

- Type inference in the Pro engine has been improved for class fields in TypeScript that are assigned a new instance but lack an explicit type definition. When no explicit type is provided for a class field, its type is inferred from the type of the expression assigned to it. For example, in the class definition `class Foo { private readonly bar = new Bar(); }`, the type of `bar` is inferred to be `Bar`. (code-7635)
- Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)

##### Fixed

- Address python `rich.errors.LiveError` where attempting to display multiple progress bars raises an exception as flagged in [#10562](https://redirect.github.com/returntocorp/semgrep/issues/10562). (grow-414)
- C: Fix a regression causing pattern `-n` to sometimes not match code `-n`. (saf-1592)
- When a scan runs into an exception, the app is appropriately notified about the failure. Previously, in the app, it would seem to the user that the scan is still in progress. (sms-502)

Configuration

📅 Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.

github-actions[bot] commented 1 month ago

[puLL-Merge] - returntocorp/semgrep@v1.90.0..v1.91.0

### Description

This PR introduces several changes to the Semgrep codebase, including improvements to type inference, support for new languages, bug fixes, and various code refactorings. The changes span across multiple components of the system, including the core engine, CLI, and language-specific parsers.

### Possible Issues

  1. The addition of new languages and features may introduce unexpected behavior or compatibility issues with existing rules or workflows.
  2. The refactoring of taint analysis and signature instantiation logic could potentially impact the accuracy or performance of security checks.

### Security Hotspots

  1. Changes to the taint analysis logic in Match_taint_spec.ml and Dataflow_tainting.ml should be carefully reviewed to ensure they don't introduce new vulnerabilities or miss existing ones.
  2. The addition of support for new languages (e.g., Move on Sui) should be thoroughly tested to ensure proper handling of language-specific security patterns.

### Changes

1. `CHANGELOG.md`:
   - Added entries for version 1.91.0, including improvements to type inference and Cargo.lock parsing.
2. `Dockerfile`:
   - Added `opam update` command to ensure up-to-date packages.
3. `Makefile`:
   - Modified the `REQUIRED_DEPS` variable to include additional opam files for building semgrep as part of a larger project.
4. `cli/setup.py` and `cli/src/semgrep/__init__.py`:
   - Updated version number to 1.91.0.
5. `cli/src/semdep/lockfile.py`:
   - Refactored lockfile parsing logic, including support for new lockfile formats and improved error handling.
6. `cli/src/semgrep/app/scans.py`:
   - Modified timeout logic to use `datetime.now()` instead of `datetime.utcnow()`.
7. `cli/src/semgrep/commands/ci.py`:
   - Added support for rule partitioning with a new `--x-dump-rule-partitions` flag.
8. `cli/src/semgrep/git.py`:
   - Improved error messaging for git-related issues.
9. `cli/tests/default/e2e-other/test_ci.py`:
   - Added tests for new failure reporting functionality.
10. `src/analyzing/AST_to_IL.ml`, `src/core/Version.ml`, `src/engine/Formula_cache.ml`:
    - Added new modules for formula caching and version updates.
11. `src/engine/Match_taint_spec.ml`, `src/engine/Match_tainting_mode.ml`:
    - Refactored taint analysis logic and introduced new data structures for handling taint specifications.
12. `src/osemgrep/cli/Help.ml`:
    - Updated CLI documentation URL.
13. `src/parsing/Parsing_plugin.ml`:
    - Added support for new languages and improved plugin management.
14. `src/tainting/Dataflow_tainting.ml`, `src/tainting/Sig_inst.ml`:
    - Refactored taint analysis and signature instantiation logic.
15. Various test files:
    - Added new test cases and moved existing tests to different directories.

These changes represent a significant update to the Semgrep codebase, improving its capabilities and maintainability. The security-related changes, particularly in taint analysis, should be carefully reviewed and tested to ensure they maintain or improve the system's ability to detect vulnerabilities.