chore(deps): update dependency semgrep to v1.74.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semgrep	==1.69.0 -> ==1.74.0

---

Release Notes

returntocorp/semgrep (semgrep)

v1.74.0

Compare Source

Fixed

• One part of interfile tainting was missing a constant propagation phase, which causes semgrep to miss some true positives in some cases during interfile analysis.

  This fix adds the missing constant propagation. (saf-1032)

• Semgrep now matches YAML tags (e.g. !number in !number 42) correctly rather
  than ignoring them. (saf-1046)

• Upgraded Semgrep's Dockerfile parser. This brings in various
  fixes from
  tree-sitter-dockerfile
  including minimal support for heredoc templates, support for variables in keys
  of LABEL instructions, support for multiple parameters for ADD and COPY
  instructions, tolerance for blanks after the backslash of a line continuation.
  As a result of supporting variables in LABEL keys, the multiple key/value
  pairs found in LABEL instructions are now treated as if they each had they own
  LABEL instruction. It allows a pattern LABEL a=b to match LABEL a=b c=d
  without the need for an ellipsis (LABEL a=b ...). Another consequence is
  that the pattern LABEL a=b c=d can no longer match LABEL c=d a=b but it
  will match a LABEL a=b instruction immediately followed by a separate
  LABEL c=d. (upgrade-dockerfile-parser)

v1.73.0

Compare Source

Added

• Added new AWS validator syntax for Secrets (scrt-278)

Fixed

• Fix couldn't find metavar $MT in the match results error, which may occur
  when we capture FQN with the metavariable and use metavariable-type filter on
  it. (code-7042)
• Fixes the crash (during scan) caused by improper handling of unicode characters present in the source code. (gh-8421)
• [Pro Engine Only] Tainted values are now tracked through instantiation of React functional components via JSX. (jsx-taint)

v1.72.0

Compare Source

Fixed

• Dockerfile support: Avoid a silent parsing error that was possibly accompanied
  with a segfault when parsing Dockerfiles that lack a trailing newline
  character. (gh-10084)

• Fixed bug that was preventing the use of metavariable-pattern with
  the aliengrep engine of the generic mode. (gh-10222)

• Added support for function declarations on object literals in the dataflow analysis.

  For example, previously taint rules would not have matched the
  following javascript code but now would.

  let tainted = source()
  let o = {
      someFuncDecl(x) {
          sink(tainted)
      }
  }
  ``` (saf-1001)
  

• Osemgrep only:

  When rules have metavariable-type, they don't show up in the SARIF output. This change fixes that.

  Also right now dataflow traces are always shown in SARIF even when --dataflow-traces is not passed. This change also fixes that. (saf-1020)

• Fixed bug in rule parsing preventing patternless SCA rules from being validated. (saf-1030)

v1.71.0

Compare Source

Added

• Pro: const-prop: Previously inter-procedural const-prop could only infer whether
  a function returned an arbitrary string constant. Now it will be able to infer
  whether a function returns a concrete constant value, e.g.:

  def bar():
    return "bar"
  
  def test():
    x = bar()
    foo(x) # now also matches pattern `foo("bar")`, previously only `foo("...")`
  ``` (flow-61)

• Python: const-prop: Semgrep will now recognize "..." * N expression as arbitrary
  constant string literals (thus matching the pattern "..."). (flow-75)

Changed

• The --beta-testing-secrets-enabled option, deprecated for several months, is now removed. Use --secrets as its replacement. (gh-9987)

Fixed

• When using semgrep --test --json, we now report in the
  config_missing_fixtests field in the JSON output not just rule files
  containing a fix: without a corresponding ".fixed" test file; we now also
  report rule files using a fix-regex: but without a corresponding a
  .fixed test file, and the fix: or fix-regex: can be in
  any rule in the file (not just the first rule). (fixtest)

• Fixes matching for go struct field tags metadata.

  For example given the program:

  type Rectangle struct {
      Top    int `json:"top"`
      Left   int `json:"left"`
      Width  int `json:"width"`
      Height int `json:"height"`
  }
  

  The pattern,

  type Rectangle struct {
      ...
      $NAME $TYPE $TAGS
      ...
  }
  

  will now match each field and the $TAGS metavariable will be
  bound when used in susequent patterns. (saf-949)

• Matching: Patterns of statements ending in ellipsis metavariables, such as
  x = 1
  $...STMTS
  will now properly extend the match range to accommodate whatever is captured by
  the ellipsis metavariable ($...STMTS). (saf-961)

• The SARIF output format should have the tag "security" when the "cwe"
  section is present in the rule. Moreover, duplicate tags should be
  de-duped.

  Osemgrep wasn't doing this before, but with this fix, now it does. (saf-991)

• Fixed bug in mix.lock parser where it was possible to fail on a python None error. Added handler for arbitrary exceptions during lockfile parsing. (sc-1466)

• Moved --historical-secrets to the "Pro Engine" option group, instead of
  "Output formats", where it was previously (in error). (scrt-570)

v1.70.0

Compare Source

Added

• Added guidance for resolving API token issues in CI environments. (gh-10133)

• The osemgrep show command supports 2 new options: dump-ast dump-pattern.
  See osemgrep show --help for more information. (osemgrep_show)

• Added additional output flags which allow you to write output to multiple files in multiple formats.

  For example, the comand semgrep ci --text --json-output=result.json --sarif-output=result.sarif.json
  Displays text output on stdout, writes the output that would be generated by passing the --json flag
  to result.json, and writes the output that would be generated by passing the --sarif to result.sarif.json. (saf-341)

• Added an experimental feature for users to use osemgrep to format
  SARIF output.

  When both the flags --sarif and --use-osemgrep-sarif are specified,
  semgrep will use the ocaml implementation to format SARIF.

  This flag is experimental and can be removed any time. Users must not
  rely on it being available. (saf-978)

Changed

• The main regex engine is now PCRE2 (was PCRE). While the syntax is mostly
  compatible, there are some minor instances where updates to rules may be
  needed, since PCRE2 is slightly more strict in some cases. For example, while
  we previously accepted [\w-.], such a pattern would now need to be written
  [\w.-] or [\w\-.] since PCRE2 rejects the first as having an invalid range. (scrt-467)

Fixed

• Semgrep LS now waits longer for users to login (gh-10109)

• When semgrep ci finishes scanning and uploads findings, it tells the
  app to mark the scan as completed.

  For large findings, this may take a while and marking the scan as
  completed may timeout. When a scan is not marked as completed, the app
  may show that the repo is still processing, and confuses the user.

  This change increases the timeout (previously 20 minutes) to 30
  minutes. (saf-980)

• Fix semgrep ci --oss-only when secrets product is enabled. (scrt-223)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.