
chore(deps): update dependency semgrep to ~=1.66.0 #560

Merged
merged 1 commit into from
Mar 29, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Mar 27, 2024

Mend Renovate

This PR contains the following updates:

Package   Change
semgrep   ~=1.65.0 -> ~=1.66.0   (age, adoption, passing and confidence badges not reproduced)

Release Notes

returntocorp/semgrep (semgrep)

v1.66.0

Compare Source

Added
  • Added information about interfile pre-processing to --max-memory help. (gh-9932)
  • We've implemented basic support for the yield keyword in Python. The Pro
    engine now detects taint findings from taint sources returned by the yield
    keyword. (saf-281)
Changed
  • osemgrep --remote will no longer clone into a tmp folder, but instead the CWD (cdx-remote)

  • [IMPORTANT] Inter-file differential scanning is now enabled for all Pro users.

    Inter-file differential scanning is now enabled for all Pro users. While it may
    take longer than intra-file differential scanning, which is the current default
    for pro users, it offers deeper analysis of dataflow paths compared to
    intra-file differential scanning. Additionally, it is significantly faster
    than non-differential inter-file scanning, with scan times reduced to
    approximately 1/10 of the non-differential inter-file scan. Users who
    enable the pro engine and engage in differential PR scans on GitHub or
    GitLab may experience the impact of this update. If needed, users can
    revert to the previous intra-file differential scan behavior by configuring
    the --no-interfile-diff-scan command-line option. (saf-268)

Fixed
  • The official semgrep docker image no longer contains the
    bash, jq, and curl utilities, to reduce its attack surface. (saf-861)

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
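The bump above moves the pin from `~=1.65.0` to `~=1.66.0`. Because `~=` is a PEP 440 compatible-release specifier rather than an exact pin, it is worth being precise about which semgrep versions the new constraint will actually let the resolver install. The following is an added example, not code from the Renovate bot, the semgrep project or this repository; it implements the compatible-release rule by hand (`~=X.Y.Z` means `>=X.Y.Z, ==X.Y.*`) for plain numeric versions only, and deliberately ignores pre-release, post-release and dev segments. The version lists are constructed for illustration.

```python
"""Which versions does a PEP 440 '~=' (compatible-release) pin admit?

Added illustration for reasoning about dependency pins such as
'semgrep ~=1.66.0'. Scope assumption: plain dotted numeric versions
(e.g. "1.66.0"); pre/post/dev release segments are not handled.
"""
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "1.66.0" into (1, 66, 0); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def compatible_release_admits(spec: str, candidate: str) -> bool:
    """Return True if `candidate` satisfies a '~=' specifier.

    PEP 440 defines '~=1.66.0' as '>=1.66.0, ==1.66.*': every component
    except the last listed one is fixed, the last one may float upward.
    Consequently '~=1.66' (two components) is the much looser '>=1.66, ==1.*'.
    """
    if not spec.startswith("~="):
        raise ValueError("only '~=' specifiers are handled here")
    floor = parse_version(spec[2:])
    if len(floor) < 2:
        raise ValueError("'~=' requires at least two version components")
    cand = parse_version(candidate)

    # Pad both tuples with zeros so "1.66" and "1.66.0" compare as equal.
    width = max(len(floor), len(cand))

    def pad(v: Tuple[int, ...]) -> Tuple[int, ...]:
        return v + (0,) * (width - len(v))

    if pad(cand) < pad(floor):
        return False  # below the lower bound
    fixed_prefix = floor[:-1]  # all but the last listed component
    return pad(cand)[: len(fixed_prefix)] == fixed_prefix


def admitted_versions(spec: str, candidates: List[str]) -> List[str]:
    """Filter a list of available versions down to those the pin accepts."""
    return [v for v in candidates if compatible_release_admits(spec, v)]


if __name__ == "__main__":
    # Constructed sample of release numbers, not a real PyPI index listing.
    available = ["1.65.0", "1.65.2", "1.66.0", "1.66.1", "1.67.0", "2.0.0"]
    for pin in ("~=1.65.0", "~=1.66.0", "~=1.66"):
        print(f"{pin:<10} admits {admitted_versions(pin, available)}")
```

Running the script shows the practical difference between a three-component pin (`~=1.66.0` admits only the 1.66 patch series) and a two-component pin (`~=1.66` would also accept 1.67.0 and any later 1.x), which is the property a reviewer of an automated dependency bump usually wants to confirm.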

@renovate renovate bot requested a review from a team as a code owner March 27, 2024 04:09

[puLL-Merge] - returntocorp/semgrep@v1.65.0..v1.66.0

Description

This PR introduces changes to the codebase to enable support for partial file exclusion in the analysis, improve GitHub actions configuration, and update several dependencies and library usages. The motivation for these changes is to enhance the functionality and maintain the dependencies up to date.

Changes

.circleci/config.yml

  • Removed the parsing stats section, making the benchmarks the primary focus.
  • Removed related comments and workflows for parsing stats.

.github/workflows/Makefile

  • Added cron-parsing-stats.yml to the list of objects for automation tasks related to parsing statistics.

.github/workflows/build-test-core-x86.jsonnet and related YML files

  • Adjusted the artifact creation and usage, including the renaming of artifact_name from ocaml-build-artifacts-release to semgrep-core-x86-artifact.
  • Made changes to the jobs to use the new artifact naming and handling method.

.github/workflows/check-semgrep-pro.jsonnet and related YML files

  • Adjusted to use the new container setup and made changes related to artifacts handling.
  • Removed previously used setup steps for OCaml and used the preconfigured container directly.

.github/workflows/cron-parsing-stats.jsonnet and related YML files

  • Introduced a new workflow for updating parsing statistics, scheduled daily.

libs/actions.libsonnet and libs/semgrep.libsonnet

  • Added new functions for uploading and downloading artifacts.

libs/testo

  • Updated the submodule libs/testo to include new changes.

Other notable changes

  • Removed unused or old configurations related to parsing stats.
  • Updated the handling of various workflows and artifact usages across multiple GitHub workflows files.
  • Introduced adjustments to the CI configurations, including a new scheduled job for parsing statistics.

Security Hotspots

  • The changes introduced in .circleci/config.yml and GitHub workflow files might impact the CI/CD pipeline's security if not properly configured, especially regarding the handling of access permissions to artifacts and the execution environment for the CI jobs. However, no direct security hotspots related to code execution or sensitive data handling have been detected in the pull request changes.

@thypon thypon merged commit fcb6a63 into main Mar 29, 2024
11 checks passed
@thypon thypon deleted the renovate/semgrep-1.x branch March 29, 2024 10:39