Bump semgrep from 1.86.0 to 1.87.0

[dependabot]

Bumps semgrep from 1.86.0 to 1.87.0.

Release notes

Sourced from semgrep's releases.

Release v1.87.0

1.87.0 - 2024-09-13

Added

• Semgrep now infers more accurate type information for class fields in TypeScript. This improves taint tracking for dependency injection in TypeScript, such as in the following example:

  export class AppController {
      private readonly abstractedService: AbstractedService;
  constructor(abstractedService: AbstractedService) {
      this.abstractedService = abstractedService;
  }
  async taintTest() {
  
  const src = taintedSource();
  
  await this.abstractedService.sinkInHere(src);
  
  }
  
  
  }
  </code></pre>
  </li>
  <li>
  <p>Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)</p>
  </li>
  <li>
  <p>Added support for comparing Golang pre-release versions. With this, strict
  core versions, pseudo-versions and pre-release versions can all be
  compared to each other. (sc-1739)</p>
  </li>
  </ul>
  <h3>Changed</h3>
  <ul>
  <li>If there is an OOM error during interfile dataflow analysis (<code>--pro</code>) Semgrep will
  now try to recover from it and continue the interfile analysis without falling back
  immediately to intrafile analysis. This allows using <code>--max-memory</code> with <code>--pro</code> in
  a more effective way. (flow-81)</li>
  <li>Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (<a href="https://redirect.github.com/returntocorp/semgrep/issues/2051">gh-2051</a>)</li>
  </ul>
  <h3>Fixed</h3>
  <ul>
  <li>
  <p>pro: taint-mode: Restore missing taint findings after having improved index-
  sensitivity:</p>
  <pre><code>def foo(t):
      x = third_party_func(t)
      return x
  </code></pre>
  </li>
  </ul>
  <!-- raw HTML omitted -->
  </blockquote>
  <p>... (truncated)</p>
  </details>
  <details>
  <summary>Changelog</summary>
  <p><em>Sourced from <a href="https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md&quot;&gt;semgrep's changelog</a>.</em></p>
  
  <blockquote>
  
  <h2><a href="https://github.com/returntocorp/semgrep/releases/tag/v1.87.0&quot;&gt;1.87.0&lt;/a> - 2024-09-13</h2>
  
  <h3>Added</h3>
  
  <ul>
  
  <li>
  
  <p>Semgrep now infers more accurate type information for class fields in
  
  TypeScript. This improves taint tracking for dependency injection in
  
  TypeScript, such as in the following example:</p>
  
  <pre><code>export class AppController {
  
  private readonly abstractedService: AbstractedService;
  constructor(abstractedService: AbstractedService) {
      this.abstractedService = abstractedService;
  }
  
  async taintTest() {
      const src = taintedSource();
      await this.abstractedService.sinkInHere(src);
  }
  
  }
  &lt;/code&gt;&lt;/pre&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;Added support for comparing Golang pre-release versions. With this, strict
  core versions, pseudo-versions and pre-release versions can all be
  compared to each other. (sc-1739)&lt;/p&gt;
  &lt;/li&gt;
  &lt;/ul&gt;
  &lt;h3&gt;Changed&lt;/h3&gt;
  &lt;ul&gt;
  &lt;li&gt;If there is an OOM error during interfile dataflow analysis (&lt;code&gt;--pro&lt;/code&gt;) Semgrep will
  now try to recover from it and continue the interfile analysis without falling back
  immediately to intrafile analysis. This allows using &lt;code&gt;--max-memory&lt;/code&gt; with &lt;code&gt;--pro&lt;/code&gt; in
  a more effective way. (flow-81)&lt;/li&gt;
  &lt;li&gt;Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (&lt;a href=&quot;https://redirect.github.com/returntocorp/semgrep/issues/2051&quot;&gt;gh-2051&lt;/a&gt;)&lt;/li&gt;
  &lt;/ul&gt;
  &lt;h3&gt;Fixed&lt;/h3&gt;
  &lt;ul&gt;
  &lt;li&gt;
  &lt;p&gt;pro: taint-mode: Restore missing taint findings after having improved index-
  sensitivity:&lt;/p&gt;
  &lt;pre&gt;&lt;code&gt;def foo(t):
      x = third_party_func(t)
      return x
  &lt;/code&gt;&lt;/pre&gt;
  &lt;/li&gt;
  &lt;/ul&gt;
  &lt;!-- raw HTML omitted --&gt;
  &lt;/blockquote&gt;
  &lt;p&gt;... (truncated)&lt;/p&gt;
  &lt;/details&gt;
  &lt;details&gt;
  &lt;summary&gt;Commits&lt;/summary&gt;
  
  &lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/63ab4b3a150070583632e08505e455017db547a1&quot;&gt;&lt;code&gt;63ab4b3&lt;/code&gt;&lt;/a&gt; chore: release version 1.87.0&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/f064d2830c637370791e862bf3b12d3a0fef3418&quot;&gt;&lt;code&gt;f064d28&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2243&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/bdff35f11949d4be1160b7de6327c0c1e1a15dc3&quot;&gt;&lt;code&gt;bdff35f&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2239&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/a582679cfa94267af8363bb32305470b1abcf289&quot;&gt;&lt;code&gt;a582679&lt;/code&gt;&lt;/a&gt; Do not create an implicit field when an explicit field exists in Typescript (...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/e955747f6d3fc57b9da5fb7cfda220e41aa617d8&quot;&gt;&lt;code&gt;e955747&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2236&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/ecf25a37d0fe13e4f0731ecfc51f0629642e7e7f&quot;&gt;&lt;code&gt;ecf25a3&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2218&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/f1481ad3e8d21c792a305fec3288413bf00414f4&quot;&gt;&lt;code&gt;f1481ad&lt;/code&gt;&lt;/a&gt; chore: fixes another incompatibility between pre-commit for Pro and OSS (semg...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/b05e67416e966cf234f2423ddee74f279703297a&quot;&gt;&lt;code&gt;b05e674&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2225&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/3c640c39c6f642de6c6b25e10b827ffd3907cf35&quot;&gt;&lt;code&gt;3c640c3&lt;/code&gt;&lt;/a&gt; Remove the lsif_fn closure, store the graph instead (semgrep/semgrep-propriet...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/daef82e089bb406ce31445e053b70530cae10c48&quot;&gt;&lt;code&gt;daef82e&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2223&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Additional commits viewable in &lt;a href=&quot;https://github.com/returntocorp/semgrep/compare/v1.86.0...v1.87.0&quot;&gt;compare view&lt;/a&gt;&lt;/li&gt;
  &lt;/ul&gt;
  &lt;/details&gt;
  
  &lt;br /&gt;
  </code></pre>
  
  
  [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=semgrep&package-manager=pip&previous-version=1.86.0&new-version=1.87.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
  
  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
  
  [//]: # (dependabot-automerge-start)
  [//]: # (dependabot-automerge-end)
  
  ---
  
  <details>
  <summary>Dependabot commands and options</summary>
  <br />
  
  You can trigger Dependabot actions by commenting on this PR:
  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot merge` will merge this PR after your CI passes on it
  - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  - `@dependabot reopen` will reopen this PR if it is closed
  - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  
  
  </details>
  

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.