
bump(semgrep): update to v1.88.0 #7266

Merged
merged 1 commit into from
Sep 19, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 19, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| semgrep | 1.87.0 -> 1.88.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

returntocorp/semgrep (semgrep)

v1.88.0

Compare Source

Added
  • The dataflow analysis in the Pro engine can now track method invocations on
    variables of an interface type, safely assuming that any implementation of the
    method can be called. For example, tainted input vulnerabilities in both
    implementation classes can now be detected in the following code:

    ```java
    public interface MovieService {
      String vulnerableInjection(String input);
    }

    public class SimpleImpl implements MovieService {
      @Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }

    public class MoreImpl implements MovieService {
      @Override
      public String vulnerableInjection(String input) {
        return sink(input);
      }
    }

    public class AppController {
      private MovieService movieService;

      public String pwnTest(String taintedInput) {
        return movieService.vulnerableInjection(taintedInput);
      }
    }
    ```
    (code-7435)
  • Type inference for constructor parameter properties in TypeScript is now
    supported in the Pro engine. For example, the taint analysis can recognize that
    sampleFunction is defined in AbstractedService class in the following code:

    ```typescript
    export class AppController {
        constructor(private readonly abstractedService: AbstractedService) {}

        async taintTest() {
            const src = source();
            await this.abstractedService.sampleFunction(src);
        }
    }
    ```
    (code-7597)
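The two release-note items above describe what the Pro engine's taint tracking can now follow (calls through an interface-typed field, and calls through a TypeScript constructor parameter property), but they do not show the rule that would exercise it. The following taint rule file is an added example written for this page; it is not part of the Semgrep project or of the release notes. The rule ids, the file name `taint-rules.yaml`, and the use of `sink(...)` as the dangerous call in the TypeScript case (the note never shows the body of `AbstractedService.sampleFunction`) are assumptions. `source()` and `sink()` in the Java rule are the names used in the note's own snippets.

```yaml
rules:
  # Rule 1 (Java). The parameter of AppController.pwnTest is the taint
  # source and sink(...) is the sink, exactly as in the release-note snippet.
  # With the Pro engine, the 1.88.0 change lets taint follow
  # movieService.vulnerableInjection(taintedInput) into every class that
  # implements MovieService, so both SimpleImpl and MoreImpl are reported.
  - id: interface-dispatch-taint-java        # assumed rule id
    languages: [java]
    severity: ERROR
    message: Parameter of pwnTest reaches sink() through an interface method call
    mode: taint
    pattern-sources:
      - patterns:
          # treat the String parameter of pwnTest as attacker-controlled
          - pattern-inside: |
              public String pwnTest(String $INPUT) { ... }
          - focus-metavariable: $INPUT
    pattern-sinks:
      - patterns:
          - pattern: sink($ARG)
          - focus-metavariable: $ARG

  # Rule 2 (TypeScript). source() is the taint source from the note's snippet.
  # sink(...) is an ASSUMED dangerous call inside
  # AbstractedService.sampleFunction, which the note does not show. The
  # constructor parameter property `private readonly abstractedService:
  # AbstractedService` is what the Pro engine can now resolve to its class,
  # so the flow src -> sampleFunction(src) -> sink(...) is followed.
  - id: constructor-property-taint-ts        # assumed rule id
    languages: [typescript]
    severity: ERROR
    message: Value returned by source() reaches sink() via an injected service
    mode: taint
    pattern-sources:
      - pattern: source()
    pattern-sinks:
      - patterns:
          - pattern: sink($ARG)
          - focus-metavariable: $ARG
```

Run it with `semgrep scan --config taint-rules.yaml --pro <dir>` against files containing the two snippets. The `--pro` flag matters for what these notes describe: the OSS engine's taint analysis stays inside a single function, so it would not follow the call into the interface implementations or into `sampleFunction`; the cross-function and cross-implementation tracking is the Pro-engine behaviour these entries add.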
    
Changed
  • Include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. (gh-2033)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) September 19, 2024 06:47
@renovate renovate bot merged commit 1c4176d into main Sep 19, 2024
18 checks passed
@renovate renovate bot deleted the renovate/semgrep-1.x branch September 19, 2024 06:50