Upgrade Semgrep past v1.75.0

Problem to solve

Upgrading the GitLab semgrep analyzer to semgrep v1.75.0 or later causes the analyzer to flag vulnerabilities that it previously did not flag.

For example:

As of semgrep v1.75.0, "Improper neutralization of input during web page generation (Cross-site Scripting)" is now reported at rule-express_xss.js#L27.

The rule:

  mode: taint
  pattern-sources:
  - patterns:
    - pattern: $REQ
    - pattern: function ($REQ, $RES, ...) {...}
  - patterns:
    - pattern: $REQ
    - pattern: function $FUNC($REQ, $RES, ...) {...}
  pattern-propagators:
  - pattern: $ARR.push($IN)
    from: $IN
    to: $ARR
  pattern-sanitizers:
  - pattern: "encodeURI(...)"
  - pattern: "encodeURIComponent(...)"
  pattern-sinks:
  - pattern: $RES.send(...)
  - pattern: $RES.write(...)

Code:

router.get('/safe/1', (req, res) => {
    var name = encodeURI(req.query.name);
    // ok: rules_lgpl_javascript_xss_rule-express-xss
    res.send('index', { title: name });
})

Proposal

Research this change and its effect on the rules currently shipped with semgrep.
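One way to carry out that research systematically, as an added example that is not part of the issue or of the analyzer: run the same rules over the same test files with two semgrep releases and list the findings that appear only under one of them. The binary names, rule and test directories are placeholders to be substituted for the actual installations.

```python
"""Compare the findings a set of semgrep rules produces under two semgrep
releases, listing what is newly flagged and what is no longer flagged.

Assumptions (not from the issue): two semgrep binaries on PATH, e.g. from
two virtualenvs with different semgrep versions installed, plus a rules
directory and a test-file directory to run them over.
"""
import json
import subprocess
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, int]  # (check_id, path, start line)


def run_semgrep(binary: str, config: str, target: str) -> dict:
    """Run one semgrep binary with --json and return the parsed report."""
    proc = subprocess.run(
        [binary, "--config", config, "--json", "--quiet", target],
        capture_output=True, text=True, check=False,
    )
    return json.loads(proc.stdout)


def findings(report: dict) -> Set[Finding]:
    """Reduce a semgrep JSON report to a set of (rule, file, line) keys."""
    return {
        (r["check_id"], r["path"], r["start"]["line"])
        for r in report.get("results", [])
    }


def diff_findings(old: dict, new: dict) -> Dict[str, List[Finding]]:
    """Findings present only in the new release, and only in the old one."""
    before, after = findings(old), findings(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    # Placeholder binary names and layout; substitute the real installations.
    OLD, NEW = "semgrep-old", "semgrep-new"
    CONFIG, TARGET = "rules/", "test/"
    delta = diff_findings(run_semgrep(OLD, CONFIG, TARGET),
                          run_semgrep(NEW, CONFIG, TARGET))
    for rule, path, line in delta["added"]:
        print(f"newly flagged:      {rule} {path}:{line}")
    for rule, path, line in delta["removed"]:
        print(f"no longer flagged:  {rule} {path}:{line}")
```

Every line in the "newly flagged" list is a candidate to check by hand against the rule's sanitizer and sink definitions, as with the encodeURI case above.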

Edited by Craig Smith