Update dependency semgrep to v1.72.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semgrep	==1.67.0 -> ==1.72.0

---

Release Notes

returntocorp/semgrep (semgrep)

v1.72.0

Compare Source

Fixed

• Dockerfile support: Avoid a silent parsing error that was possibly accompanied
  with a segfault when parsing Dockerfiles that lack a trailing newline
  character. (gh-10084)

• Fixed bug that was preventing the use of metavariable-pattern with
  the aliengrep engine of the generic mode. (gh-10222)

• Added support for function declarations on object literals in the dataflow analysis.

  For example, previously taint rules would not have matched the
  following javascript code but now would.

  let tainted = source()
  let o = {
      someFuncDecl(x) {
          sink(tainted)
      }
  }
  ``` (saf-1001)
  

• Osemgrep only:

  When rules have metavariable-type, they don't show up in the SARIF output. This change fixes that.

  Also right now dataflow traces are always shown in SARIF even when --dataflow-traces is not passed. This change also fixes that. (saf-1020)

• Fixed bug in rule parsing preventing patternless SCA rules from being validated. (saf-1030)

v1.71.0

Compare Source

Added

• Pro: const-prop: Previously inter-procedural const-prop could only infer whether
  a function returned an arbitrary string constant. Now it will be able to infer
  whether a function returns a concrete constant value, e.g.:

  def bar():
    return "bar"
  
  def test():
    x = bar()
    foo(x) # now also matches pattern `foo("bar")`, previously only `foo("...")`
  ``` (flow-61)

• Python: const-prop: Semgrep will now recognize "..." * N expression as arbitrary
  constant string literals (thus matching the pattern "..."). (flow-75)

Changed

• The --beta-testing-secrets-enabled option, deprecated for several months, is now removed. Use --secrets as its replacement. (gh-9987)

Fixed

• When using semgrep --test --json, we now report in the
  config_missing_fixtests field in the JSON output not just rule files
  containing a fix: without a corresponding ".fixed" test file; we now also
  report rule files using a fix-regex: but without a corresponding a
  .fixed test file, and the fix: or fix-regex: can be in
  any rule in the file (not just the first rule). (fixtest)

• Fixes matching for go struct field tags metadata.

  For example given the program:

  type Rectangle struct {
      Top    int `json:"top"`
      Left   int `json:"left"`
      Width  int `json:"width"`
      Height int `json:"height"`
  }
  

  The pattern,

  type Rectangle struct {
      ...
      $NAME $TYPE $TAGS
      ...
  }
  

  will now match each field and the $TAGS metavariable will be
  bound when used in susequent patterns. (saf-949)

• Matching: Patterns of statements ending in ellipsis metavariables, such as
  x = 1
  $...STMTS
  will now properly extend the match range to accommodate whatever is captured by
  the ellipsis metavariable ($...STMTS). (saf-961)

• The SARIF output format should have the tag "security" when the "cwe"
  section is present in the rule. Moreover, duplicate tags should be
  de-duped.

  Osemgrep wasn't doing this before, but with this fix, now it does. (saf-991)

• Fixed bug in mix.lock parser where it was possible to fail on a python None error. Added handler for arbitrary exceptions during lockfile parsing. (sc-1466)

• Moved --historical-secrets to the "Pro Engine" option group, instead of
  "Output formats", where it was previously (in error). (scrt-570)

v1.70.0

Compare Source

Added

• Added guidance for resolving API token issues in CI environments. (gh-10133)

• The osemgrep show command supports 2 new options: dump-ast dump-pattern.
  See osemgrep show --help for more information. (osemgrep_show)

• Added additional output flags which allow you to write output to multiple files in multiple formats.

  For example, the comand semgrep ci --text --json-output=result.json --sarif-output=result.sarif.json
  Displays text output on stdout, writes the output that would be generated by passing the --json flag
  to result.json, and writes the output that would be generated by passing the --sarif to result.sarif.json. (saf-341)

• Added an experimental feature for users to use osemgrep to format
  SARIF output.

  When both the flags --sarif and --use-osemgrep-sarif are specified,
  semgrep will use the ocaml implementation to format SARIF.

  This flag is experimental and can be removed any time. Users must not
  rely on it being available. (saf-978)

Changed

• The main regex engine is now PCRE2 (was PCRE). While the syntax is mostly
  compatible, there are some minor instances where updates to rules may be
  needed, since PCRE2 is slightly more strict in some cases. For example, while
  we previously accepted [\w-.], such a pattern would now need to be written
  [\w.-] or [\w\-.] since PCRE2 rejects the first as having an invalid range. (scrt-467)

Fixed

• Semgrep LS now waits longer for users to login (gh-10109)

• When semgrep ci finishes scanning and uploads findings, it tells the
  app to mark the scan as completed.

  For large findings, this may take a while and marking the scan as
  completed may timeout. When a scan is not marked as completed, the app
  may show that the repo is still processing, and confuses the user.

  This change increases the timeout (previously 20 minutes) to 30
  minutes. (saf-980)

• Fix semgrep ci --oss-only when secrets product is enabled. (scrt-223)

v1.69.0

Compare Source

Added

• Tracing: remove support for SEMGREP_OTEL_ENDPOINT and replace with
  --trace-endpoint <url>.
  This change is for an internal feature for debugging performance. (saf-885)

Changed

• Passing --debug to Semgrep should now print less logs. We do
  not want --debug's output to be enormous, as it tends not to be useful and yet
  cause some problems. Note that --debug is mainly intended for Semgrep developers,
  please ask for help if needed. (gh-10044)

Fixed

• In generic mode (default, spacegrep engine), matching a pattern that
  ends with an ellipsis now favors the longest match rather than the shortest
  match when multiple matches are possible. For example, for a given target
  program a a b, the pattern a ... b will match a b as before but
  the pattern a ... will now match the longer a a b rather than a b. (gh-10039)
• Fixed the inter-file diff scan issue where the removal of pre-existing findings
  didn't work properly when adding a new file or renaming an existing file. (saf-897)

v1.68.0

Compare Source

Added

• Scan un-changed lockfiles in diff-aware scans (gh-9899)
• Languages: Added the QL language (used by CodeQL) to Semgrep (saf-947)
• SwiftPM parser will now report package url and reference. (sc-1218)
• Add support for Elixir (Mix) SCA parsing for pro engine users. (sc-1303)

Fixed

• Output for sarif format includes dataflow traces. (gh-10004)
• The environment variable LOG_LEVEL (as well as PYTEST_LOG_LEVEL) is
  no longer consulted by Semgrep to determine the log level. Only
  SEMGREP_LOG_LEVEL is consulted. PYTEST_SEMGREP_LOG_LEVEL is also
  consulted in the current implementation but should not be used outside of
  Semgrep's Pytest tests. This is to avoid accidentally affecting Semgrep
  when inheriting the LOG_LEVEL destined to another application. (gh-10044)
• Fixed swiftpm parser to no longer limit the amount of found packages in manifest file. (sc-1364)
• Fixed incorrect ecosystem being used for Elixir. Hex should be used instead of Mix. (sc-elixir)
• Fixed the match_based_ids of lockfile-only findings to differentiate between findings in cases where one rule produces multiple findings in one lockfile (sca-mid)
• Secrets historical scans: fixed a bug where historical scans could run on differential scans. (scrt-545)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.