Bump semgrep from 1.75.0 to 1.76.0

[dependabot]

Bumps semgrep from 1.75.0 to 1.76.0.

Release notes

Sourced from semgrep's releases.

Release v1.76.0

1.76.0 - 2024-06-17

Added

• Added type inference support for basic operators in the Pro engine, including +, -, *, /, >, >=, <=, <, ==, !=, and not. For numeric computation operators such as + and -, if the left-hand side and right-hand side types are equal, the return type is assumed to be the same. Additionally, comparison operators like > and ==, as well as the negation operator not, are assumed to return a boolean type. (code-6940)

• Added guidance for resolving token issues for install-semgrep-pro in non-interactive environments. (gh-1668)

• Adds support for a new flag, --subdir <path>, for semgrep ci, which allows users to pass a subdirectory to scan instead of the entire directory. The path should be a relative path, and the directory where semgrep ci is run should be the root of the repository being scanned. Unless SEMGREP_REPO_DISPLAY_NAME is explicitly set, passing the subdirectory will cause the results to go to a project specific to that subdirectory.

  The intended use case for semgrep ci --subdir path/to/dir is to help users with very large repos scan the repo in parts. (saf-1056)

Fixed

• Language Server will now send error messages properly, and error handling is greatly improved (cdx-502)

• Pro: Calling a safe method on a tainted object should no longer propagate taint.

  Example:

  class A {
      String foo(String str) {
          return "ok";
      }
  }
  class Test {
  public static void test() {
  A a;
  String s;
  a = taint();
  // Despite a is tainted, a.foo() is entirely safe !!!
  s = a.foo("bar");
  sink(s); // No more FP here
  }
  } (code-6935)
  

• Fixing errors in matching identifiers from wildcard imports. For example, this update addresses the issue where the following top-level assignment:

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.76.0 - 2024-06-17

Added

• Added type inference support for basic operators in the Pro engine, including +, -, *, /, >, >=, <=, <, ==, !=, and not. For numeric computation operators such as + and -, if the left-hand side and right-hand side types are equal, the return type is assumed to be the same. Additionally, comparison operators like > and ==, as well as the negation operator not, are assumed to return a boolean type. (code-6940)

• Added guidance for resolving token issues for install-semgrep-pro in non-interactive environments. (gh-1668)

• Adds support for a new flag, --subdir <path>, for semgrep ci, which allows users to pass a subdirectory to scan instead of the entire directory. The path should be a relative path, and the directory where semgrep ci is run should be the root of the repository being scanned. Unless SEMGREP_REPO_DISPLAY_NAME is explicitly set, passing the subdirectory will cause the results to go to a project specific to that subdirectory.

  The intended use case for semgrep ci --subdir path/to/dir is to help users with very large repos scan the repo in parts. (saf-1056)

Fixed

• Language Server will now send error messages properly, and error handling is greatly improved (cdx-502)

• Pro: Calling a safe method on a tainted object should no longer propagate taint.

  Example:

  class A {
      String foo(String str) {
          return "ok";
      }
  }
  class Test {
  public static void test() {
  A a;
  String s;
  a = taint();
  // Despite a is tainted, a.foo() is entirely safe !!!
  s = a.foo("bar");
  sink(s); // No more FP here
  }
  } (code-6935)
  

• Fixing errors in matching identifiers from wildcard imports. For example, this update addresses the issue where the following top-level assignment:

... (truncated)

Commits

• f64f936 chore: Bump version to 1.76.0
• 0d3b36a fix OSS CI: remove dropbox/firebase-dropbox-oauth repo (semgrep/semgrep-propr...
• f8debefsemgrep/semgrep-proprietary#1697
• 848e012 fix: Fix traces ppx on functions with multiple parameters (semgrep/semgrep-pr...
• 5b61bd7semgrep/semgrep-proprietary#1690
• 654f05fsemgrep/semgrep-proprietary#1689
• 1cfa86a chore: some more LS error handling improvements (semgrep/semgrep-proprietary#...
• 43e9378semgrep/semgrep-proprietary#1679
• 0ca4be7semgrep/semgrep-proprietary#1658
• 6762354semgrep/semgrep-proprietary#1683
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #23.