
Update dependency semgrep to >=1.103,<1.104 #954

Closed. Wants to merge 1 commit.

Conversation

renovate[bot] (Contributor) commented Dec 13, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| semgrep | `>=1.99,<1.100` -> `>=1.103,<1.104` |

Release Notes

returntocorp/semgrep (semgrep)

v1.103.0


Added
  • pro: taint: Support for lambdas as callbacks. (code-7626)

    ```javascript
    var tainted = source();

    function withCallback1(val, callback) {
        if (val) {
            callback(val);
        }
    }

    withCallback1(tainted, function (val) {
        sink(val); // finding !
    });
    ```

  • pro: python: Semgrep will now consider top-level lambdas like x below for
    inter-procedural analysis: (gh-10731)

    ```python
    x = lambda s: sink(s) # now we get a finding !

    x(taint)
    ```

Changed
  • Removed pip from the Semgrep Docker image. If you need it, you may install it by running apk add py3-pip. (saf-1774)
Fixed
  • Python: Now correctly parsing files with parenthesized withs, like this: (saf-1802)

    ```python
    with (
        f() as a,
        g() as b,
    ):
        pass
    ```

  • Semgrep will now truncate error messages that are produced when they are very long (saf-333)

v1.102.0


Added
  • Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
  • Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
  • The poetry.lock parser can now parse dependency relationships (ssc-1970)
  • The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)
Fixed
  • The semgrep test and semgrep validate commands have been
    correctly documented as EXPERIMENTAL (in semgrep --help).
    Those commands are not GA yet and people should still
    use the semgrep scan --test and semgrep scan --validate (or
    the variants without the implicit "scan") commands (unless
    they want to experiment with getting results faster and are ok
    with incomplete coverage of the legacy semgrep --test
    and semgrep --validate). (experimental)
  • Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
  • Fix the behavior of semgrep when running into broken symlinks.
    If such a path is passed explicitly as a scanning root on the
    command line, it results in an error. Otherwise if it's a file discovered
    while scanning the file system, it's a warning. (saf-1776)
  • Fixed another crash due to exception in lines_of_file. The code
    should now be more robust and not abort the whole scan when
    an out of bound line access happens during the nosemgrep analysis
    or when outputing the lines of a match. (saf-1778)
  • Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

v1.101.0


Added
  • Improved pnpm-lock.yaml parsing. (gh-2663)
Changed
Fixed
  • pro: Improved inter-file tracking of tainted global variables. (code-7054)

  • Python (pro-only): Taint now correctly tracks through calls to class methods
    within a class, via the cls parameter.

    So for instance, we would be able to determine a source-to-sink
    vulnerability in the following code snippet: (saf-1765)

    ```python
    class A:
      def foo(self, x):
        sink(x)

      @classmethod
      def bar(cls):
        cls.foo(source)
    ```

    
  • pro: Fixed bug when generating inter-procedural taint traces, that it could
    cause a call-step to be missing in the trace. (saf-1783)

  • Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

v1.100.0


Added
  • Pro engine now correctly distinguishes overloaded Scala methods based on their
    arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)
Changed
  • The minimum Python version for semgrep is now 3.9.
    We are dropping support for Python 3.8 (python)
Fixed
  • pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
    false negatives when a function updated an arbitrary index, e.g.: (CODE-7838)

    ```javascript
    var x = {};

    function foo(k) {
        x[k] = source();
    }

    function test(k) {
        foo(k);
        sink(x); // finding here!
    }
    ```

  • Fixed bug affecting taint tracking through static fields when mixing accesses
    using the class name and using an instance object, e.g.: (CODE-7871)

    ```java
    class C {
        static String s;
    }

    ...

            C o = new C();
            C.s = taint;
            sink(o.s); // finding !
    ```

    
  • No more RPC error when using --sarif with some join-mode rules.
    Moreover, regular rules without the 'languages:' field will be skipped
    instead of aborting the whole scan. (gh-10723)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
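As an added regression check for this bump (example configuration written for this page, not part of the Renovate comment or of semgrep's shipped rules), the taint rule below can be exercised with the `semgrep scan --test` command the v1.102.0 notes recommend: save it as `taint-source-to-sink.yaml` next to a `taint-source-to-sink.py` that contains the two Python snippets from the v1.103.0 and v1.101.0 notes, put a `# ruleid: taint-source-to-sink` comment on the line above each `sink(...)` call, and the test run reports whether the pinned version actually produces the findings those notes describe. Both of those cases are listed as pro-only, so they should only be expected with the pro engine (`semgrep install-semgrep-pro`, then `--pro`). The rule id, the file names, and the use of the bare identifiers `source` and `taint` as taint origins are assumptions chosen to match the snippets exactly as they appear in the notes.

```yaml
# Added example, not from the Renovate comment or semgrep's own rule set.
# Rule id and file name (taint-source-to-sink.yaml) are assumptions.
rules:
  - id: taint-source-to-sink
    message: Tainted value reaches sink()
    severity: ERROR
    languages: [python]
    mode: taint
    pattern-sources:
      # The changelog snippets use a source() call in some places and the
      # bare identifiers `source` / `taint` in others; treat all three as
      # taint origins so every snippet is covered by one rule.
      - pattern: source(...)
      - pattern: source
      - pattern: taint
    pattern-sinks:
      # Report only when the tainted value is the argument of sink(),
      # not merely when sink() appears somewhere in the expression.
      - patterns:
          - pattern: sink($X)
          - focus-metavariable: $X
```

Run `semgrep scan --test --pro <dir>` on the directory holding both files; a passing run means every `# ruleid:` line was matched, and a reported miss on the lambda or `cls.foo(source)` line is the signal that the pinned engine does not yet carry the change. If this check runs inside the `semgrep` Docker image, note the v1.103.0 change above: pip is no longer in the image, so any extra Python tooling the job installs now needs `apk add py3-pip` first.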

renovate[bot] changed the title from "Update dependency semgrep to >=1.100,<1.101" to "Update dependency semgrep to >=1.101,<1.102" on Dec 18, 2024
renovate[bot] force-pushed the renovate/semgrep-1.x branch 3 times, most recently from dd4a77e to 03847df on December 20, 2024 20:00
renovate[bot] force-pushed the renovate/semgrep-1.x branch 3 times, most recently from d4aee6f to 7aa7b55 on January 8, 2025 22:49
renovate[bot] changed the title from "Update dependency semgrep to >=1.101,<1.102" to "Update dependency semgrep to >=1.102,<1.103" on Jan 8, 2025
renovate[bot] force-pushed the renovate/semgrep-1.x branch 2 times, most recently from 13beab9 to b8e61ee on January 9, 2025 14:33
renovate[bot] changed the title from "Update dependency semgrep to >=1.102,<1.103" to "Update dependency semgrep to >=1.103,<1.104" on Jan 16, 2025
renovate[bot] force-pushed the renovate/semgrep-1.x branch from b8e61ee to 021f76d on January 16, 2025 01:00
renovate[bot] (Contributor, Author) commented Jan 16, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (>=1.103,<1.104). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate[bot] deleted the renovate/semgrep-1.x branch on January 16, 2025 11:14
1 participant