
build(deps-dev): bump semgrep from 1.44.0 to 1.45.0 #402

Closed
wants to merge 1 commit into from

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Oct 18, 2023

Bumps semgrep from 1.44.0 to 1.45.0.

Release notes

Sourced from semgrep's releases.

Release v1.45.0

1.45.0 - 2023-10-18

Changed

  • Previously, to ignore a finding from rule 'foo.bar.my-rule' we only accepted nosemgrep: foo.bar.my-rule; now we also accept nosemgrep: my-rule. (pa-3094)

  • [Breaking Change] Improved Matching of C++ Constructors

    In this update, we've enhanced Semgrep's ability to match C++ constructors more accurately. C++ introduces a syntactic ambiguity between function and variable definitions, particularly with constructors. The C++ compiler determines how to interpret an expression based on contextual information, such as whether the immediate parent scope is a function or a class, and whether the identifiers within the parentheses represent variables or types. Due to this complexity, static analyzers face challenges in precisely parsing these expressions without additional information.

    This commit introduces several workarounds to provide a better solution for handling this ambiguity:

    • By default, when parsing a target file, Semgrep will consider an expression like foo bar(x, y, z); defined within the body of a function as a variable definition with a constructor. This is because variable initialization is a more common use case within the body of a function.

    • Users can specify rule options that annotate, in patterns where the expression can be interpreted in both ways, which interpretation should take precedence. For instance, foo bar(x, y, z); will be parsed as a function definition when the as_fundef option is used and as a variable definition with a constructor when the as_vardef_with_ctor option is applied. It's worth noting that an expression like foo bar(1, y, z); will be parsed as a variable definition without any additional annotation since 1 cannot be a type.

    Here's an example rule and its corresponding target file to illustrate these changes:

    rules:
      - id: cpp-match-func-def
        message: Semgrep found a match
        options:
          cpp_parsing_pref: as_fundef
        languages:
          - cpp
        severity: WARNING
        pattern-either:
    

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.45.0 - 2023-10-18

Changed

  • Previously, to ignore a finding from rule 'foo.bar.my-rule' we only accepted nosemgrep: foo.bar.my-rule; now we also accept nosemgrep: my-rule. (pa-3094)

  • [Breaking Change] Improved Matching of C++ Constructors

    In this update, we've enhanced Semgrep's ability to match C++ constructors more accurately. C++ introduces a syntactic ambiguity between function and variable definitions, particularly with constructors. The C++ compiler determines how to interpret an expression based on contextual information, such as whether the immediate parent scope is a function or a class, and whether the identifiers within the parentheses represent variables or types. Due to this complexity, static analyzers face challenges in precisely parsing these expressions without additional information.

    This commit introduces several workarounds to provide a better solution for handling this ambiguity:

    • By default, when parsing a target file, Semgrep will consider an expression like foo bar(x, y, z); defined within the body of a function as a variable definition with a constructor. This is because variable initialization is a more common use case within the body of a function.

    • Users can specify rule options that annotate, in patterns where the expression can be interpreted in both ways, which interpretation should take precedence. For instance, foo bar(x, y, z); will be parsed as a function definition when the as_fundef option is used and as a variable definition with a constructor when the as_vardef_with_ctor option is applied. It's worth noting that an expression like foo bar(1, y, z); will be parsed as a variable definition without any additional annotation since 1 cannot be a type.

    Here's an example rule and its corresponding target file to illustrate these changes:

    rules:
      - id: cpp-match-func-def
        message: Semgrep found a match
        options:
          cpp_parsing_pref: as_fundef
        languages:
          - cpp
        severity: WARNING
        pattern-either:
          - pattern: foo $X($Y);
          - pattern: foo $X($Y, $Z);
    

... (truncated)

Commits
  • ec48ff2 chore: Bump version to 1.45.0
  • ca89252 use string wrap in semgrep_output_v1.atd part 3, fpath (#9039)
  • c57b8c0 C/C++: tainting: Track this->xyz l-values (#8968)
  • e5da7b1 Use string wrap in semgrep_output_v1.atd part 2 (#9038)
  • 8b9f3d3 Fix the String.rindex_from exn (#9035)
  • 4f3b207 feat!: Improved Matching of C++ Constructors (#9012)
  • fc36315 libs/path: remove Realpath module from paths library (#9037)
  • 7ce0e9e start to use 'string wrap' in semgrep_output_v1.atd (#9031)
  • d044dbe Avoid out-of-bounds crash when invalid byte position is provided (#9011)
  • a2f7b36 js: semgrep js pattern testing (#8902)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.44.0 to 1.45.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/returntocorp/semgrep/blob/v1.45.0/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.44.0...v1.45.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
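The C++ ambiguity that the quoted release notes describe, as a compilable example added here (it is not code from the semgrep project or from this PR). The token sequence `foo bar(x, y, z);` is a function declaration when `x`, `y` and `z` name types and a variable definition with a constructor call when they name variables, which is exactly the context a static analyzer lacks and why Semgrep 1.45.0 defaults to the variable reading inside function bodies and offers `cpp_parsing_pref` to override it in a rule. The names `foo`, `bar`, `x`, `y` and `z` come from the release notes; the `struct foo` body, the type aliases and the functions `variable_reading`, `function_reading` and `literal_reading` are constructed for this example.

```cpp
#include <cstdio>

// Constructed example: one struct so that both readings of
// `foo bar(x, y, z);` type-check in the same translation unit.
struct foo {
    int sum;
    foo(int a, int b, int c) : sum(a + b + c) {}
};

// At namespace scope x, y and z are type names, so the line below
// declares a function `bar` taking three int parameters. This is the
// reading Semgrep selects for a pattern when the rule sets
// `cpp_parsing_pref: as_fundef`.
using x = int;
using y = int;
using z = int;
foo bar(x, y, z);                       // function declaration
foo bar(x a, y b, z c) { return foo(a, b, c); }

// Inside a function body the same text, with x, y and z now naming
// local variables, defines an object `bar` initialised through foo's
// constructor. This is Semgrep's default reading for targets and the
// one selected by `cpp_parsing_pref: as_vardef_with_ctor`.
int variable_reading() {
    int x = 1, y = 2, z = 3;            // hide the type aliases
    foo bar(x, y, z);                   // variable definition + ctor call
    return bar.sum;                     // 1 + 2 + 3
}

// Calls the function declared at namespace scope to show it really
// is a function there.
int function_reading() {
    return bar(10, 20, 30).sum;         // 60
}

// `foo bar(1, y, z);` is never ambiguous: the literal 1 cannot be a
// type, so both the compiler and Semgrep take the variable reading
// without any rule option.
int literal_reading() {
    int y = 2, z = 3;
    foo bar(1, y, z);                   // variable definition + ctor call
    return bar.sum;                     // 1 + 2 + 3
}

int main() {
    std::printf("variable reading: %d\n", variable_reading());
    std::printf("function reading: %d\n", function_reading());
    std::printf("literal reading:  %d\n", literal_reading());
    return 0;
}
```

Running a Semgrep rule with `pattern: foo $X($Y, $Z);` over this file under each `cpp_parsing_pref` value is the quickest way to see which of the two lines the option makes the pattern match; the compiler's own choice is fixed by name lookup, as the three functions demonstrate.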
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Oct 18, 2023
Contributor Author

dependabot bot commented on behalf of github Oct 19, 2023

Looks like semgrep is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Oct 19, 2023
@dependabot dependabot bot deleted the dependabot/pip/semgrep-1.45.0 branch October 19, 2023 13:44