chore(deps): update pre-commit repositories #164

alma-renovate-bot · 2024-07-01T10:17:36Z

This PR contains the following updates:

Package	Type	Update	Change
commitizen-tools/commitizen	repository	minor	`v3.27.0` -> `v3.29.0`
returntocorp/semgrep	repository	minor	`v1.73.0` -> `v1.87.0`

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

Release Notes

commitizen-tools/commitizen (commitizen-tools/commitizen)

`v3.29.0`

Compare Source

Feat

bump: add functionality to write the next version to stdout

`v3.28.0`

Compare Source

Feat

add argument to limit length of commit message in checks

returntocorp/semgrep (returntocorp/semgrep)

`v1.87.0`

Compare Source

1.87.0 - 2024-09-13

Added

Semgrep now infers more accurate type information for class fields in
TypeScript. This improves taint tracking for dependency injection in
TypeScript, such as in the following example:

export class AppController {
    private readonly abstractedService: AbstractedService;

    constructor(abstractedService: AbstractedService) {
        this.abstractedService = abstractedService;
    }

    async taintTest() {
        const src = taintedSource();
        await this.abstractedService.sinkInHere(src);
    }
}
``` (code-7591)

Semgrep's interfile analysis (available with the Pro Engine) now ships with information about Python's standard library, improving its ability to resolve names and types in Python code and therefore its ability to produce findings. (py-libdefs)
Added support for comparing Golang pre-release versions. With this, strict
core versions, pseudo-versions and pre-release versions can all be
compared to each other. (sc-1739)

Changed

If there is an OOM error during interfile dataflow analysis (--pro) Semgrep will
now try to recover from it and continue the interfile analysis without falling back
immediately to intrafile analysis. This allows using --max-memory with --pro in
a more effective way. (flow-81)
Consolidates lockfile parsing logic to happen once, at the beginning of the scan. This consolidated parsing now considers both changed and unchanged lockfiles during all steps of diff scans. (gh-2051)

Fixed

pro: taint-mode: Restore missing taint findings after having improved index-
sensitivity:

def foo(t):
    x = third_party_func(t)
    return x

def test1():
    t = ("ok", taint)
    y = foo(t)
    sink(y) # now it's found! (code-7486)

The Semgrep proprietary engine added a new entropy analyzer entropy_v2 that supports strictness options. (gh-1641)

`v1.86.0`

Compare Source

1.86.0 - 2024-09-04

Added

The taint analysis can now track method invocations on variables of an
interface type, when there is a single implementation. For example, the tainted
input vulnerability can now be detected in the following code:

public interface MovieService {
  String vulnerableInjection(String input);
}

@&#8203;Service
public class MovieServiceImpl implements MovieService {
  @&#8203;Override
  public String vulnerableInjection(String input) {
    return sink(input);
  }
}

@&#8203;RestController("/")
public class SpringController {

  @&#8203;Autowired
  private MovieService movieService;

  @&#8203;GetMapping("/pwn")
  public String pwnTest(@&#8203;RequestParam("input") String taintedInput) {
    return movieService.vulnerableInjection(taintedInput);
  }
}

When there are multiple implementations, the taint analysis will not follow any
of them. We will add handling of cases with multiple implementations in
upcoming updates. (code-7434)

Uses of values imported via ECMAScript default imports (e.g., import example from 'mod';) can now be matched by qualified name patterns (e.g.,
mod.default). (code-7463)

Pro: taint-mode: Allow (experimental) control taint to propagate through returns.

Now this taint rule:

pattern-sources:
- control: true
  pattern: taint()
pattern-sinks:
- pattern: sink()

It is able to find this:

def foo():
  taint()

def test():
  foo()
  sink() # now it is found! (code-7490)

A new flag --max-log-list-entries allows to control the
maximum number of entries that will be shown in the log (e.g.,
list of rule ids, list of skipped files).
A zero or negative value disables this filter.
The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)

Changed

Semgrep will now log memory-related warnings/errors when run in --debug mode,
without the need to set SEMGREP_LOG_SRCS=process_limits. (logging)

Fixed

Fixed inter-file constant propagation to prevent some definitions from being
incorrectly identified as constant, when they are modified in other parts of
the codebase. (code-6793)
pro: taint-mode: Fixed bug in taint signature instantiation that could cause an
update to a field in a nested object to not be tracked.

For example, in the code below, Semgrep knew that Nested.update updates the
fld attribute of a Nested object. But due to this bug, Semgrep would not know that Wrapper.updateupdated thefldattribute of thenestedobject attribute in aWrapper` object.
```
public class Nested {

    private String fld;

    public void update(String str) {
        fld = str;
    }

    // ...
}

public class Wrapper {

    private Nested nested;

    public void update(String str) {
        this.nested.update(str);
    }

// ...
} (code-7499)
```
Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)
Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)
Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)
Fixed regex-fix numbered capture groups, where it used to be the case that
a replacement: regex with numbered capture groups like \1\2\3 would effectivly
be the same as \1\1\1.

After the fix:

src.py

12345

```yaml
pattern: $X
fix-regex:
      regex: (1)(2)(3)(4)(5)
      replacement: \5\4\3\2\1

actually results in the fix

54321
``` (saf-1497)

`v1.85.0`

Compare Source

1.85.0 - 2024-08-15

Added

Semgrep now recognizes files ending with the extention .tfvars as terraform files (saf-1481)

Changed

The use of --debug will not generate anymore profiling information.
Use --time instead. (debug)
Updated link to the Supply Chain findings page on Semgrep AppSec Platform to filter to the specific repository and ref the findings are detected on. (secw-2395)

Fixed

Fixed an error with julia list comprehentions where the pattern:
```
[$A for $B in $C]
```
would match
```
[x for y in z]
```
However we would only get one binding [$A/x]

Behavior after fix: we get three bindings [$A/x,$B/y,$C/z] (saf-1480)

`v1.84.1`

Compare Source

1.84.1 - 2024-08-07

No significant changes.

`v1.84.0`

Compare Source

1.84.0 - 2024-08-06

Changed

We switch from magenta to yellow when highlighting matches
with the medium or warning severity. We now use magenta for
cricical severity to be consistent with other tools such
as npm. (color)

Fixed

Workaround deadlock when interfile is run with j>1 and tracing is enabled. (saf-1157)
Fixed file count to report the accurate number of files scanned by generic & regex
so that no double counting occurs. (saf-507)

`v1.83.0`

Compare Source

1.83.0 - 2024-08-02

Added

Dockerfile: Allow Semgrep Ellipsis (...) in patterns for HEALTHCHECK commands. (saf-1441)

Fixed

The use of --debug should generate now far less log entries.
Moreover, when the number of ignored files, or rules, or
other entities exceed a big number, we instead replace them
with a in the output to keep the output of semgrep
small. (debuglogs)
Fixed a bug introduced in 1.81.0 which caused files ignored for the Code
product but not the Secrets product to fail to be scanned for secrets.
Files that were not ignored for either product were not affected. (saf-1459)

`v1.82.0`

Compare Source

1.82.0 - 2024-07-30

Added

Added testsuite/ as a filepath to the default value for .semgrepignore. (gh-1876)

Changed

Update the library definitions for Java for the latest version of the JDK. (java-library-definitions)

Fixed

Fixed metavariable comparison in step mode.

Used to be that the rule:

    steps:
        - languages: [python]
          patterns:
            - pattern: x = f($VAR);
        - languages: [generic]
          patterns:
            - pattern-either:
               - patterns:
                - pattern: HI $VAR

Wouldn't match, as one is an identifier, and the other an expression that has a
string literal. The fix was chainging the equality used. (saf-1061)

`v1.81.0`

Compare Source

1.81.0 - 2024-07-24

Changed

The --debug option will now display logging information from the semgrep-core
binary directly, without waiting that the semgrep-core program finish. (incremental_debug)

Fixed

C++: Scanning a project with header files (.h) now no longer causes a
spurious warnings that the file is being skipped, or not analyzed. (code-6899)

Semgrep will now be more strict (as it should be) when unifying identifiers.

Patterns like the one below may not longer work, particularly in Semgrep Pro:

patterns:
  - pattern-inside: |
      class A:
        ...
        def $F(...):
          ...
        ...
      ...
  - pattern-inside: |
      class B:
        ...
        def $F(...):
          ...
        ...
      ...

Even if two classes A and B may both have a method named foo, these methods
are not the same, and their ids are not unifiable via $F. The right way of doing
this in Semgrep is the following:

patterns:
  - pattern-inside: |
      class A:
        ...
        def $F1(...):
          ...
        ...
      ...
  - pattern-inside: |
      class B:
        ...
        def $F2(...):
          ...
        ...
      ...
  - metavariable-comparison:
      comparison: str($F1) == str($F2)

We use a different metavariable to match each method, then we check whether they
have the same name (i.e., same string). (code-7336)

In the app, you can configure Secrets ignores separately from Code/SSC ignores. However, the
files that were ignored by Code/SSC and not Secrets were still being scanned during the
preprocessing stage for interfile analysis. This caused significantly longer scan times than
expected for some users, since those ignored files can ignore library code. This PR fixes that
behavior and makes Code/SSC ignores apply as expected. (saf-1087)
Fixed typo that prevented users from using "--junit-xml-output" flag and added a tests that invokes the flag. (saf-1437)

`v1.80.0`

Compare Source

1.80.0 - 2024-07-18

Added

OSemgrep now can take --exclude-minified-files to skip minified files. Additionally --no-exclude-minified-files will disable this option. It is off by default. (cdx-460)
Users are now required to login before using semgrep scan --pro.

Previously, semgrep will tell the users to log in, but the scan will still continue.

With this change, semgrep will tell the users to log in and stop the scan. (saf-1137)

Fixed

The language server no longer scans large or minified files (cdx-460)
Pro: Improved module resolution for Python. Imports like from a.b import c where
c is a module will now be resolved by Semgrep. And, if a module cannot be found
in the search path, Semgrep will try to heuristically resolve the module by matching
the module specifier against the files that are being scanned. (code-7069)
A scan can occasionally freeze when using tracing with multiprocesses.

This change disables tracing when scanning each target file unless the scan runs in a single process. (saf-1143)
Improved error handling for rules with invalid patterns. Now, scans will still complete and findings from other rules will be reported. (saf-789)
The "package-lock.json" parser incorrectly assumed that all paths in the "packages" component of "package-lock.json" started with "node_modules/".

In reality, a dependency can be installed anywhere, so the parser was made more flexible to recognize alternative locations ("node_modules", "lib", etc). (sc-1576)

`v1.79.0`

Compare Source

1.79.0 - 2024-07-10

Added

Preliminary support for the Move on Aptos language
(see https://aptos.dev/move/move-on-aptos for more info on this language).
Thanks a lot to Zhiping Liao (ArArgon) and Andrea Cappa for their contributions! (move_on_aptos)
The language server now reports number of autofixes and ignores triggered throught IDE integrations when metrics are enabled (pdx-autofix-ignore)
Added support for comparing Golang Pseudo-versions. After replacing calls to the
packaging module with some custom logic, Pseudo-versions can now be compared against
strict core versions and other pseudo versions accurately. (sc-1601)
We now perform a git gc as a side-effect of historical scans. (scrt-630)

Fixed

tainting: Fixed bug in --pro-intrafile that caused Semgrep to confuse a parameter
with a top-level function with no arguments that happened to have the same name:
```
def foo
  taint
end

def bar(foo)
  sink(foo) # no more FP here
end (code-6923)
```
Fixed fatal errors on files containing nosemgrep annotation without
any rule ID after. (nosemgrep_exn)
Matching explanations: Focus nodes now appear after filter nodes, which is
the correct order of execution of pattern nodes. Filter nodes are now
unreversed. (saf-1127)
Autofix: Previews in the textual CLI output will now join differing lines
with a space, rather than joining with no whitespace whatsoever. (saf-1135)
Secrets: resolved some rare instances where historical scans would skip blobs
depending on the structure of the local copy of the repository (i.e., blobs
were only skipped if the specific copy of the git store had a certain
structure). (scrt-630)

`v1.78.0`

Compare Source

1.78.0 - 2024-06-27

Added

Matching of fully qualified type names in the metavariable-type operator has
been improved. For example:

from a.b import C

x = C()

The type of x will match both a.b.C and C.

  - pattern: $X = $Y()
  - metavariable-type:
      metavariable: $X
      types:
        - a.b.C  # or C
``` (code-7269)

Fixed

Symbolic propagation now works on decorator functions, for example:

x = foo
@&#8203;x() # this is now matched by pattern `@foo()`
def test():
  pass (code-6634)

Fixed an issue where Python functions with annotations ending in endpoint,
route, get, patch, post, put, delete, before_request or
after_request (i.e., ones we associate with Flask) were incorrectly analyzed
with the Code product in addition to the Secrets product when present in a file
being ignored for Code analysis but included for Secrets. (scrt-609)

`v1.77.0`

Compare Source

1.77.0 - 2024-06-24

Added

Semgrep will now report the id of the organization associated with logged in users when reporting metrics in the language server (cdx-508)

Pro: taint-mode: Improved index-sensitive taint tracking for tuple/list (un)packing.

Example 1:

 def foo():
     return ("ok", taint)

 def test():
      x, y = foo()
      sink(x)  # nothing, no FP
      sink(y)  # finding

Example 2:

 def foo(t):
      (x, y) = t
      sink(x)  # nothing, no FP
      sink(y)  # finding

 def test():
      foo(("ok", taint)) (code-6935)

Adds traces to help debug the performance of tainting. To send the traces added in the PR, pass
--trace and also set the environment variable SEMGREP_TRACE_LEVEL=trace. To send them to a
local endpoint instead of our default endpoint, use --trace-endpoint. (saf-1100)

Fixed

Fixed a bug in the generation of the control-flow graph for try statements that
could e.g. cause taint to report false positives:
```
def test():
    data = taint
    try:
```

Semgrep assumes that `clean` could raise an exception, but

even if it does, the tainted `data` will never reach the sink !

          data = clean(data)
      except Exception:
          raise Exception()

`data` must be clean here

      sink(data) # no more FP (flow-78)

The language server (and semgrep --experimental) should not report anymore errors from
the metrics.semgrep.dev server such as "cannot read property 'map' of undefined". (metrics_error)
Fixed a bug in the gemfile.lock parser which causes Semgrep to miss direct
dependencies whose package name does not end in a version constraint. (sc-1568)

`v1.76.0`

Compare Source

1.76.0 - 2024-06-17

Added

Added type inference support for basic operators in the Pro engine, including
+, -, *, /, >, >=, <=, <, ==, !=, and not. For numeric
computation operators such as + and -, if the left-hand side and right-hand
side types are equal, the return type is assumed to be the same. Additionally,
comparison operators like > and ==, as well as the negation operator not,
are assumed to return a boolean type. (code-6940)
Added guidance for resolving token issues for install-semgrep-pro in non-interactive environments. (gh-1668)
Adds support for a new flag, --subdir <path>, for semgrep ci, which allows users to pass a
subdirectory to scan instead of the entire directory. The path should be a relative path, and
the directory where semgrep ci is run should be the root of the repository being scanned.
Unless SEMGREP_REPO_DISPLAY_NAME is explicitly set, passing the subdirectory
will cause the results to go to a project specific to that subdirectory.

The intended use case for semgrep ci --subdir path/to/dir is to help users with very large
repos scan the repo in parts. (saf-1056)

Fixed

Language Server will now send error messages properly, and error handling is greatly improved (cdx-502)

Pro: Calling a safe method on a tainted object should no longer propagate taint.

Example:

class A {
    String foo(String str) {
        return "ok";
    }
}

class Test {
    public static void test() {
        A a;
        String s;
        a = taint();
        // Despite `a` is tainted, `a.foo()` is entirely safe !!!
        s = a.foo("bar");
        sink(s); // No more FP here
    }
} (code-6935)

Fixing errors in matching identifiers from wildcard imports. For example, this
update addresses the issue where the following top-level assignment:
from pony.orm import *
db = Database()
is not matched with the following pattern:
$DB = pony.orm.Database(...)
``` (code-7045)
[Pro Interfile JS/TS] Improve taint propagation through callbacks passed to $X.map functions and similar. Previously, such callbacks needed to have a return value for taint to be properly tracked. After this fix, they do not. (js-taint)
Rust: Constructors will now properly match to only other constructors with
the same names, in patterns. (saf-1099)

`v1.75.0`

Compare Source

1.75.0 - 2024-06-03

Added

Pro: Semgrep can now track taint through tuple/list (un)packing intra-procedurally
(i.e., within a single function). For example:
```
t = ["ok", "taint"]
x, y = t
sink(x) # OK, no finding
sink(y) # tainted, finding
``` (code-6935)
```
Optional type matching is supported in the Pro engine for Python. For example,
in Python, Optional[str], str | None, and Union[str, None] represent the
same type but in different type expressions. The optional type match support
enables matching between these expressions, allowing any optional type
expression to match any other optional type expression when used with
metavariable-type filtering. It's important to note that syntactic pattern
matching still distinguishes between these types. (code-6939)
Add support for pnpm v9 (pnpm)
Added a new rule option decorators_order_matters, which allows users to make decorators/ non-keyword attributes matching stricter. The default matching for attributes is order-agnostic, but if this rule option is set to true, non-keyword attributes (e.g. decorators in Python) will be matched in order, while keyword attributes (e.g. static, inline, etc) are not affected.

An example usage will be a rule to detect any decorator that is outside of the route() decorator in Flask, since any decorator outside of the route() decorator takes no effect.

bad: another.func() takes no effect

@another.func("func")
@app.route("route")
def f():
pass

ok: route() is the outermost decorator

@app.route("route")
@another.func("func")
def f():
pass (saf-435)

Fixed

Pro: taint-mode: Fixed issue causing findings to be missed (false negatives)
when a global or class field was tainted, and then used in a sink after two
or more function calls.

For example:

class Test {
    string bad;

    void test() {
        bad = "taint";
        foo();
    }

    void foo() {
        bar();
    }

    void bar() {
        sink(bad); // finding no longer missed
    }
} (saf-1059)

[Mostly applicable to Pro Engine] Typed metavariables will now match against the inferred type of a binding even if a constant is propagated for that binding, if we are unable to infer a type from the constant. Previously, we would simply fail to match in this case. (saf-1060)
Removed the URLs at the end of the log when semgrep ci --dryrun is ran because dry run doesn't interact with the app so the URLs don't make sense. (saf-924)

`v1.74.0`

Compare Source

1.74.0 - 2024-05-23

Fixed

One part of interfile tainting was missing a constant propagation phase, which causes semgrep to miss some true positives in some cases during interfile analysis.

This fix adds the missing constant propagation. (saf-1032)
Semgrep now matches YAML tags (e.g. !number in !number 42) correctly rather
than ignoring them. (saf-1046)
Upgraded Semgrep's Dockerfile parser. This brings in various
fixes from
tree-sitter-dockerfile
including minimal support for heredoc templates, support for variables in keys
of LABEL instructions, support for multiple parameters for ADD and COPY
instructions, tolerance for blanks after the backslash of a line continuation.
As a result of supporting variables in LABEL keys, the multiple key/value
pairs found in LABEL instructions are now treated as if they each had they own
LABEL instruction. It allows a pattern LABEL a=b to match LABEL a=b c=d
without the need for an ellipsis (LABEL a=b ...). Another consequence is
that the pattern LABEL a=b c=d can no longer match LABEL c=d a=b but it
will match a LABEL a=b instruction immediately followed by a separate
LABEL c=d. (upgrade-dockerfile-parser)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

sonarqubecloud · 2024-09-16T10:16:57Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

github-actions · 2024-09-16T10:17:07Z

⏳E2E tests are currently running.
➡️ You can follow their progression here.

github-actions · 2024-09-16T11:30:43Z

❌ E2E tests have failed.
➡️ You can find the results here.

alma-renovate-bot bot requested a review from a team as a code owner July 1, 2024 10:17