Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency semgrep to >=1.88,<1.89 #842

Merged
merged 1 commit into from
Sep 19, 2024
Merged

Update dependency semgrep to >=1.88,<1.89 #842

merged 1 commit into from
Sep 19, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 19, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
semgrep >=1.87,<1.88 -> >=1.88,<1.89 age adoption passing confidence

Release Notes

returntocorp/semgrep (semgrep)

v1.88.0

Compare Source

Added

  • The dataflow analysis in the Pro engine can now track method invocations on
    variables of an interface type, safely assuming that any implementation of the
    method can be called. For example, tainted input vulnerabilities in both
    implementation classes can now be detected in the following code:

    public interface MovieService {
  String vulnerableInjection(String input);
}

public class SimpleImpl implements MovieService {
  @&#8203;Override
  public String vulnerableInjection(String input) {
    return sink(input);
  }
}

public class MoreImpl implements MovieService {
  @&#8203;Override
  public String vulnerableInjection(String input) {
    return sink(input);
  }
}

public class AppController {
  private MovieService movieService;

  public String pwnTest(String taintedInput) {
    return movieService.vulnerableInjection(taintedInput);
  }
}
``` (code-7435)

  • Type inference for constructor parameter properties in TypeScript is now
    supported in the Pro engine. For example, the taint analysis can recognize that
    sampleFunction is defined in AbstractedService class in the following code:

    export class AppController {
    constructor(private readonly abstractedService: AbstractedService) {}

    async taintTest() {
        const src = source();
        await this.abstractedService.sampleFunction(src);
    }
}
``` (code-7597)
Changed
  • include the exit code that semgrep will emit in the fail-open payload prior to exiting with a failure. (gh-2033)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@clavedeluna clavedeluna added this pull request to the merge queue Sep 19, 2024
Merged via the queue into main with commit 0050b33 Sep 19, 2024
14 checks passed
@clavedeluna clavedeluna deleted the renovate/semgrep-1.x branch September 19, 2024 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clavedeluna clavedeluna clavedeluna approved these changes

@drdavella drdavella Awaiting requested review from drdavella drdavella is a code owner

@andrecsilva andrecsilva Awaiting requested review from andrecsilva andrecsilva is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@clavedeluna