chore(deps): update dependency semgrep to ~=1.87.0 #676

Merged: 1 commit, Sep 18, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 18, 2024

This PR contains the following updates:

Package   Change
semgrep   ~=1.86.0 -> ~=1.87.0

Release Notes

returntocorp/semgrep (semgrep)

v1.87.0

Added
  • Semgrep now infers more accurate type information for class fields in
    TypeScript. This improves taint tracking for dependency injection in
    TypeScript, such as in the following example:

    ```typescript
    // Ambient declarations added so the snippet type-checks on its own; the
    // release note itself only shows the AppController class below.
    declare class AbstractedService {
        sinkInHere(data: string): Promise<void>;
    }
    declare function taintedSource(): string;

    export class AppController {
        // The field's declared type is what Semgrep now picks up ...
        private readonly abstractedService: AbstractedService;

        constructor(abstractedService: AbstractedService) {
            this.abstractedService = abstractedService;
        }

        async taintTest() {
            const src = taintedSource();
            // ... so this call is recognised as a call on an AbstractedService
            // and the taint from taintedSource() is tracked into the sink.
            await this.abstractedService.sinkInHere(src);
        }
    }
    ```
    (code-7591)

  • Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)

  • Added support for comparing Golang pre-release versions. With this, strict
    core versions, pseudo-versions and pre-release versions can all be
    compared to each other. (sc-1739)
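    A taint rule that exercises the TypeScript example above, added here as an illustration and not taken from the release notes or the Semgrep project. The typed-metavariable sink `(AbstractedService $S).sinkInHere($X)` is the part that depends on the improved class-field type inference; the rule id and message are constructed, and the rule assumes typed metavariables are accepted for TypeScript.

    ```yaml
    rules:
      - id: example-di-taint-to-abstracted-service   # constructed id
        languages: [typescript]
        severity: ERROR
        mode: taint
        message: >-
          Tainted value from taintedSource() reaches AbstractedService.sinkInHere()
          through an injected class field
        pattern-sources:
          - pattern: taintedSource()
        pattern-sinks:
          - patterns:
              # Typed metavariable: the receiver must be known to be an
              # AbstractedService. Without the field type being inferred for
              # `this.abstractedService`, this sink would not match.
              - pattern: (AbstractedService $S).sinkInHere($X)
              - focus-metavariable: $X
    ```

    Run as `semgrep --config <rule file> <file>`; the expected finding is the `sinkInHere(src)` call inside `taintTest()`.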

Changed
  • If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
    now try to recover from it and continue the interfile analysis without falling back
    immediately to intrafile analysis. This allows using --max-memory with --pro in
    a more effective way. (flow-81)
  • Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)
Fixed
  • pro: taint-mode: Restore missing taint findings after having improved
    index-sensitivity:

    ```python
    # Semgrep taint test: `taint` stands for the rule's source, `sink` for
    # its sink and `third_party_func` for an unmodelled callee.
    def foo(t):
        # t is a tuple whose second element is tainted; index-sensitive
        # tracking has to carry that taint through the call and the return.
        x = third_party_func(t)
        return x

    def test1():
        t = ("ok", taint)
        y = foo(t)
        sink(y)  # now it's found!
    ```
    (code-7486)

  • The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.

@renovate renovate bot requested a review from thypon as a code owner September 18, 2024 01:46

[puLL-Merge] - returntocorp/[email protected]

Description

This PR implements several changes to the semgrep codebase, primarily focusing on refactoring the taint analysis and rule validation logic. Key changes include:

  1. Restructuring the taint shape and signature handling in the Taint_sig module.
  2. Updating the rule validation process to use an RPC-based approach.
  3. Refactoring the test subcommand to improve handling of dependencies and rule testing.
  4. Various updates to CLI commands and output formats.
Changes

  1. src/tainting/Taint_sig.ml and src/tainting/Taint_sig.mli:
    • Introduced new types for taint shapes and cells.
    • Implemented functions for shape manipulation and taint propagation.
  2. src/rule/Rule.ml:
    • Added entropy_analysis_mode to metavar_analysis_kind.
  3. src/parsing/Parse_rule_formula.ml:
    • Updated parsing logic for analyzer options.
  4. cli/src/semgrep/rule_lang.py:
    • Introduced RPC-based validation for rules.
  5. cli/src/semgrep/core_runner.py:
    • Updated plan_core_run to handle SCA subprojects.
  6. cli/src/semgrep/cli_test/Test_subcommand.ml:
    • Refactored test running logic to improve dependency handling.
  7. Various updates to CLI output formatting and error handling across multiple files.
  8. Removed cli/src/semgrep/rule_model.py, replacing Pydantic-based validation with RPC-based validation.
  9. Updated version numbers and changelog entries.

Possible Issues

  1. The removal of Pydantic-based validation might affect existing workflows that depend on this validation method.
  2. The changes to taint analysis might require updates to existing rules or custom analyzers.

Security Hotspots

  1. The introduction of RPC-based rule validation (validate function in RPC_return.ml) should be carefully reviewed to ensure it doesn't introduce new security vulnerabilities.
  2. Changes to taint propagation logic in Taint_sig.ml should be thoroughly tested to ensure no regressions in security analysis capabilities.

@thypon thypon merged commit 56a5100 into main Sep 18, 2024
8 checks passed
@thypon thypon deleted the renovate/semgrep-1.x branch September 18, 2024 14:59