Update all dependencies

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/stretchr/testify | require | minor | v1.10.0 -> v1.11.1 |
| gitlab.com/gitlab-org/security-products/analyzers/report/v6 | require | patch | v6.2.0 -> v6.2.1 |
| gitlab.com/gitlab-org/security-products/analyzers/ruleset/v3 | require | patch | v3.3.2 -> v3.3.3 |
| go (source) | toolchain | minor | 1.23.1 -> 1.25.1 |
| golang | stage | minor | 1.23.2-alpine -> 1.25.1-alpine |
| python | final | minor | 3.12-alpine -> 3.13-alpine |
| registry.gitlab.com/security-products/post-analyzers/tracking-calculator | stage | minor | 2.6.0 -> 2.8.0 |
| semgrep | | minor | 1.118.0 -> 1.139.0 |

Release Notes

stretchr/testify (github.com/stretchr/testify)

v1.11.1

This release fixes #1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.
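As an added illustration (not code from testify or from this MR) of why a mutating String() method makes argument matching depend on how often the stringer is invoked: the Counter type and the two match functions below are constructed for this example and model the matcher in plain reflect.DeepEqual terms, not testify's actual implementation.

```go
package main

import (
	"fmt"
	"reflect"
)

// Counter is a constructed Stringer whose String method mutates the receiver
// (it counts its own calls), the kind of type the testify v1.11.1 note
// describes. The type and the match functions below are hypothetical.
type Counter struct {
	Name  string
	Calls int
}

// String satisfies fmt.Stringer but also increments Calls, so formatting a
// value changes what a later deep-equality comparison sees.
func (c *Counter) String() string {
	c.Calls++
	return fmt.Sprintf("%s(%d)", c.Name, c.Calls)
}

// matchStringerOneSide models a matcher that formats only the expected value
// before comparing: the mutation is asymmetric, so equal values stop matching.
func matchStringerOneSide(expected, actual *Counter) bool {
	_ = expected.String()
	return reflect.DeepEqual(expected, actual)
}

// matchStringerBothSides models the "stringer is always called" behaviour the
// note says v1.11.1 restores, taken here to mean both values are formatted:
// the mutation is symmetric, so equal values stay equal.
func matchStringerBothSides(expected, actual *Counter) bool {
	_ = expected.String()
	_ = actual.String()
	return reflect.DeepEqual(expected, actual)
}

// pair returns two freshly constructed, equal Counters.
func pair() (*Counter, *Counter) {
	return &Counter{Name: "user"}, &Counter{Name: "user"}
}

func main() {
	a, b := pair()
	fmt.Println(matchStringerOneSide(a, b)) // false: a.Calls is 1, b.Calls is 0
	a, b = pair()
	fmt.Println(matchStringerBothSides(a, b)) // true: both Calls are 1
}
```

The practical takeaway for test code is that a String() method should be a pure formatter; any state it touches becomes part of what equality-based matchers compare.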

What's Changed

Full Changelog: https://github.com/stretchr/testify/compare/v1.11.0...v1.11.1

v1.11.0

What's Changed

Functional Changes

v1.11.0 includes a number of performance improvements.

Full Changelog: https://github.com/stretchr/testify/compare/v1.10.0...v1.11.0

gitlab-org/security-products/analyzers/report (gitlab.com/gitlab-org/security-products/analyzers/report/v6)

v6.2.1

  • Fixed identifier sorting to skip the primary identifier (!126)

gitlab-org/security-products/analyzers/ruleset (gitlab.com/gitlab-org/security-products/analyzers/ruleset/v3)

v3.3.3

Security
  • Upgrade github.com/go-git/go-git/v5 version to v5.16.0 to fix ssh vulnerability (!58)

returntocorp/semgrep (semgrep)

v1.139.0

Added
  • --pro-intrafile scans will now add built-in taint propagators, like --pro does, hence producing extra findings. For example, in Java, list.add(taint) will now make list tainted even if the rule does not explicitly request that. Scan times should not be generally affected in a significant way. (code-9103)
  • Scala: Enable pattern { ... } to match partial functions like { case 1 => "1" }. (code-9106)
  • Associate Containerfiles with the dockerfile language (gh-11091)
Changed
  • Rule parsing now happens solely in OCaml. This should have no change in the behavior of whether a rule successfully parses or not, but will change the parse errors emitted (#4346, #4269, #4379) (gh-4379)
  • MCP: Removed the config parameter from the semgrep_scan tools, to prevent agents from inserting unwanted config files to scan with. (saf-2258)
Fixed
  • scala: Fixed matching of { case ... => ... } patterns. (code-9111)
  • Fixed a bug preventing metavariable-comparisons with more than two subsequent "and" or "or" conditions from producing findings. For example, the condition $X > 1 or $Y > 1 or $Z > 1 would previously always evaluate to false. Now, it will behave as expected. (gh-11209)
  • MCP: Fixed an issue where the semgrep_scan tool, when invoking the RPC-based scanning approach, would return JSON output not consistent with the CLI tool. (saf-2250)
  • MCP: The semgrep_findings tool now gives a suitable error message when erring due to insufficient permissions on standard semgrep login tokens. (saf-2254)
  • MCP: Fixed a bug where if the user is already logged in when running the setup flow, the Semgrep Pro Engine installation step would be ignored. (saf-2259)

v1.138.0

Added
  • pro: scala: Method dispatching through traits (code-9092)
Changed
  • Pro: additionally improved prefiltering for taint rules, especially when using taint labels. This allows for the generation of more specific conditions than the previously released version (v1.133.0). (code-9097)
Fixed
  • pro: python: Fix resolution of implicit namespace modules (code-9008)
  • We now filter SEMGREP_APP_TOKEN from any request made to non semgrep URLs passed to -f/-c/--config during config/rules fetching. (gh-11016)
  • Typescript: Made it so that the pattern var $X = $FUNC($REQ, $RES, ...) {...} no longer fails to parse. (saf-2159)
  • pro: improved performance of tsconfig.json matching for Typescript projects that contain multiple tsconfig.jsons. (saf-2163)
  • Semgrep no longer fails to validate a config when a rule lang is capitalized (Introduced 1.137.0) (saf-2247)

v1.137.0

Added
  • pro: typescript: Improved name resolution for destructuring parameters. (code-9088)
  • Added a new semgrep mcp subcommand, which runs the Semgrep MCP server, which previously used to live at https://github.com/semgrep/mcp. That repository will be deprecated as of this release, and future MCP contributions / issues should go into this repo. (saf-2239)
Changed
  • Update semgrep-interfaces to only accept valid language keys for editor (MR-4600)
  • The minimum Python version for Semgrep is now 3.10. We are dropping support for Python 3.9.
Fixed
  • Fix incorrect interpretation of \# and \ in glob patterns found in Semgrepignore and included Gitignore files. (fix-glob-escape)
  • Removed pkg_resources is deprecated warning by bumping opentelemetry-* packages (gh-11069)
  • Fixes an issue in Dart language processing to return better results (gh-11173)

v1.136.0

No significant changes.

v1.135.0

No significant changes.

v1.134.0

Added
  • pro: First version of inter-file (whole-program) analysis for Scala. (code-9029)

v1.133.0

Added
  • Pro: improved prefiltering for interfile rules. This allows the engine to skip interfile rules earlier in the process when we determine they cannot match in a given scan, which should improve performance. (code-8524)
  • Semgrep will now display emotional support ascii art and a backtrace, with function names and sometimes files/line #s, when it segfaults, or receives other similar critical signals (pretty-segv)
Fixed
  • Pro: Fixed a bug that prevented taint tracking through new in some cases. (code-9047)
  • We now substitute metavariables for their values in a deterministic order to ensure keys for match-based IDs are stable. (gh-4459)
  • Fixed incorrect YAML parsing of strings like nan as well as some more obscure cases that were interpreted as a float instead of a string. This might affect any area of Semgrep that deals with YAML files containing the string nan. (yaml-float-parsing)

v1.132.0

Added
  • PHP: When enabling option taint_assume_safe_booleans the return values of boolval, is_bool, and || will be considered safe. When enabling taint_assume_safe_numbers the return values of intval, floatval, +, -, *, / and % will also be considered safe. (php)
  • When performing secrets validation, the amount of time that the HTTP request took to complete will now be visible in the debug logs. (#2130)
  • Introduces a timeout to internal HTTP requests, to prevent remote endpoints from indefinitely hanging the engine. (#4295)
Changed
  • Pro scans will no longer attempt to parse tsconfig files for non-typescript scans. (gh-4407)
Fixed
  • Language server: Made it so that errors which occur no longer pop up while using the IDE. They still log, but will no longer be displayed via UX. (saf-2193)
  • When validating the results of a secrets scan, do not have more than 256 outstanding validators executing at a given time. (#2130)

v1.131.0

Fixed
  • Semgrep diff scans can now query the app for which merge base to use. This fixes the issue where some diff scans on shallow clones would use the wrong merge base, and do a diff scan on commits not in a MR. (better-merge-base)
  • Fix a possibility that an empty file be created in place of a missing input file. This bug had been introduced with Semgrep 1.115.0. (dont-create-missing-input-files)
  • When processing a target with debug logging enabled, we now only log the target path rather than the entire internal structure representation. This allows for more succinct log files and no longer introduces mid-entry newlines, which can break log-parsing tooling. (gh-4315)
  • Language server: Fixed a bug which broke the Sign in command (saf-2151)
  • CiScanComplete.dependencies is now populated with parsed dependencies (sc-2468)
  • Print error details when a SemgrepError exception is raised and causes semgrep to fail. (silent-semgrep-error)

v1.130.0

Fixed
  • Fix the Python parser to correctly handle and parse valid structural dictionary patterns. (gh-11100)

v1.128.0

Added
  • HTTP{,S}_PROXY=... now accepts URIs without a scheme (e.g. HTTP_PROXY=domain.com:port) (saf-2082)
Fixed
  • Java: Deprecated class $A partial class pattern, in favor of class $A { ... } (safe-2104)

v1.127.0

Fixed
  • pro: typescript: Prevent stack overflows and out-of-memory issues when reading TS configs. (code-8678)

v1.126.0

Fixed
  • Missing version constraints in yarn.lock descriptors no longer raise parsing errors (sc-2293)

v1.125.0

Added
  • Dependency resolution errors that result from local builds are now reported in the scan log by default. (SC-2442)
  • Adds reporting of SSC subproject dependency resolution to the output when using --json. (SC-2458)
  • Semgrep's JSON output now will always include some basic profiling data (WIP). (code-8529)
  • C# Dependency Parsing can now handle dependencies with "Project" & "CentralTransitive" transitivities. (sc-2376)
Fixed
  • Fixed an issue present since v1.117.0 that led .semgrepignore excludes to be applied to Secrets product scans. Now, Semgrep will once again scan files that have been excluded from Code and SSC scans for possible leaked secrets. (SAF-2067)
  • Added support for npm aliasing in package-lock.json, fixing a bug where packages would rarely be misidentified. (SC-2387)
  • Fixed scenario where case statements with ellipsis did not match patterns correctly. (gh-10086)
  • Nosemgrep ignore comments no longer require exactly one space before, allowing for more commenting styles. (gh-11041)
  • Fixed bug where Javascript autofix breaks syntax for if statements by consuming parentheses. (gh-9522)
  • Fix: the Semgrep findings returned by the Semgrep language server (LSP) are now sorted correctly based on their location within files. This benefits all the Semgrep IDE extensions (VSCode, IntelliJ). (ide-findings-order)
  • Fixed an issue where semgrep ci logs in GitLab would return an incorrect URL with the wrong &ref=... argument. (saf-959)

v1.124.0

Added
  • Parallelizes rule validation to improve performance when scanning with many rule files. (SAF-2061)
  • Semgrep should now respect ALL_PROXY, HTTP_PROXY, HTTPS_PROXY, NO_PROXY, PROXY_USERNAME and PROXY_PASSWORD for all networking (including that done via the OCaml components). Moreover, the environment variable OCAML_EXTRA_CA_CERTS should now allow additional CA certs to be used for network operations done by OCaml components. (code-8157)
Fixed
  • Stop attempting to parse build.gradle.kts files as build.gradle. (SC-2209)
  • Taint rules using the experimental feature labels, and specifying sinks with a requires: of the form not A, could produce findings with an empty list of traces, potentially causing a crash. We now recognize the issue and prevent the crash from happening. (code-8531)
  • Fixed inconsistency where the empty Python fstring f"" was not matched by the pattern "...". (gh-10047)
  • Fixed bug where dev dependencies (and their dependencies, and so on) were incorrectly marked as "transitivity: unknown" when parsing package-lock.json projects, specifically v3 lockfiles. (gh-4003)
  • Fixed scenario where a multiplication expression of ints was not considered an int. This will help with metavariable-type. Concretely, "2 * groups" was not considered an int, where groups is an int. Additionally adds type inference for mod, floor division, and pow. (gh-9855)
  • pro: python: Fixed a regression that could (in rare cases) cause naming to take a disproportionate amount of time significantly slowing down scans. (saf-1978)

v1.123.0

Fixed
  • Fixed bug where supply chain reachability rules which match multiple dependencies could produce reachable findings on transitive dependencies even when the actually used direct dependency was not vulnerable. (SC-2088)
  • Fixed documentation to reflect that, for --metrics="auto", pseudoanonymous metrics are sent when the user is logged in. (gh-11028)

v1.122.0

Added
  • Adds support for the UV package manager in Supply Chain scans. (SC-1900)
Fixed
  • pro: Fixed inter-file naming bug affecting Go's struct-methods that could result in false negatives.

    Previously, adding a pattern-inside like

    func ($THING $TYPE) $FUNC(...) $R { ... }

    to a taint rule could cause some findings to incorrectly stop being reported. (code-7767)

  • PRO: Fixed the issue with type matching when a type has a type parameter, e.g., matching the pattern std::vector<$T> with the code std::vector<int> v in C++. (code-8443)

  • Make Nuget dependency child parsing case insensitive (sc-2355)

  • Fixed bug where direct dev dependencies were not marked as direct when parsing package-lock.json projects. (sc-dev)

v1.121.0

Added
  • pro: Improved handling of tsconfig.json in instances where multiple typescript "projects" (i.e., separately rooted source directories with their own configurations not joined by a single tsconfig.json with project references) are being scanned as one project under semgrep. This should result in better name/module resolution in TypeScript. (code-7798)
  • pro: Improved handling of include, exclude and files properties in tsconfig.json. Projects which use more than one tsconfig in a given directory which apply to different sets of files under that directory should see improvements in name/module resolution. (code-7798-a)
  • Improved Supply Chain scan output and logging. (sc-2356)
Changed
  • Upgrade the Julia parser to the tree-sitter-julia 0.22.0 (gh-10820)
Fixed
  • Fixed CI output so it shows per-product links depending on what product is enabled in a scan. (pr-3776)
  • CLI: Fixed a bug where --disable-nosem was not properly causing nosemgrep'd findings to be uploaded to the App. (saf-1982)
  • Exempt large manifests & lockfiles from being ignored by semgrep's file size filtering. This fixes a regression introduced in 1.117.0 (sca-1705). (sc-1705)

v1.120.0

Added
  • Added a few new entries in the .semgrepignore default file (e.g., _cargo, _opam, .svn) (semgrepignore)
  • Add an experimental option --x-semgrepignore-filename to change the name of .semgrepignore files to something else. This can be used to scan a subproject in a separate semgrep invocation as the rest of the containing project. (semgrepignore-filename)
Fixed
  • Fixed bug in pro package-lock.json parsing where dependencies with no specified version would cause an exception (SC-2150)
  • Fixed the default -j setting so as to take into account the cgroup CPU quota on Linux. This will affect Docker and other containerized environments that share resources on the same host. Use the new command semgrep show resources --experimental to show the default setting. (saf-1950)

v1.119.0

Added
  • python: Semgrep will now perform dataflow analysis within and through comprehensions. (saf-1560)
  • A new subcommand semgrep show project-root is now provided to display the project root path associated with a scan root. This is useful for troubleshooting Semgrepignore (v2) issues. (saf-1936)
Fixed
  • tainting: Apply taint_assume_safe_numbers and taint_assume_safe_booleans earlier when considering to track taint through class fields and function parameters. If the field/parameter has a number/Boolean type and the corresponding option is set, it will just not be tracked. In some cases this can help with performance.

    Also added short/Short to the list of integer types recognized by taint_assume_safe_numbers. (code-8345)

  • IDE: The Semgrep VS Code Extension will no longer hang on Getting code actions from Semgrep... on saving a file, when updating rules. (saf-1954)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.

This MR has been generated by Renovate Bot.
