
Update dependency semgrep to v1.43.0 #57

Merged
merged 1 commit into master from renovate/semgrep-1.x-lockfile
Oct 5, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 30, 2023

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---------|--------|
| semgrep | 1.41.0 -> 1.43.0 |

Release Notes

returntocorp/semgrep (semgrep)

v1.43.0

Compare Source

Added
  • Dart: Full Semgrep support for Dart has been added, whereas previously
    most Semgrep constructs (and Semgrep itself) would not work correctly. (pa-2968)
Changed
  • We have reduced the default timeout (per-rule and per-file) to 2s (down from 30s).
    Typically, running a rule on a file should take a fraction of a second. When a rule
    takes more than a couple of seconds, it is often because the rule is not optimally
    written, or because the file is unusually large (a minified file or machine-generated
    code), so waiting 30s for it does not tend to bring any value. Plus, by
    cutting it earlier, we may prevent a potential OOM crash when running the rule is
    very memory intensive. (pa-3155)
Fixed
  • The language server will no longer surface committed findings when a user types but does not save (pdx-ls-git)

v1.42.0

Compare Source

Added
  • Rule-writing: Capture group metavariables used in regexes in a
    metavariable-regex can now introduce their bindings into the
    scope of the pattern, similarly to metavariable-pattern.

    For instance, in the pattern:

    ```yaml
    patterns:
      - pattern: |
          foo($BAR)
      - metavariable-regex:
          metavariable: $BAR
          regex: "(?<X>.*)end"
      - focus-metavariable: $X
    ```

    the rule will match the contents of what is inside of the
    foo to the regex that binds anything before an "end" to
    the metavariable $X. This metavariable can then be focused
    at a later time, or processed somewhere above this pattern. (pa-3011)

  • Try-catch-else-finally is now supported in taint analysis.

    This change also includes some updates to our analysis. Previously we assumed that
    any statement inside the try clause may throw an exception, but now only
    function calls are assumed to possibly throw exceptions.

    Throw statements always throw an exception as it was before.

    This kind of statement is supported in languages including Python, Ruby, and Julia.

    Python example:

    ```python
    def f(tainted_input):
      try:
        a = 0
        b = 0
        c = tainted_input
        d = tainted_input
      except RuntimeError:
        a = tainted_input
        c = sanitize(c)
      else:
        b = tainted_input
      finally:
        d = sanitize(d)

      # a is not tainted because exception wasn't assumed to be thrown
      sink(a)
      # b is tainted through the else clause
      sink(b)
      # c is tainted at the beginning, but it was not sanitized
      # because an exception was not thrown
      sink(c)
      # d is tainted at the beginning, but it was sanitized
      # because the finally clause is always executed
      sink(d)
    ```
  • Pro: Semgrep can now derive facts about constants from equality tests.

    For example, pattern foobar(&nullptr) will not match here:

    ```cpp
    int* ptr = nullptr;

    do_something(ptr);

    if (ptr == nullptr) {
        return;
    }

    foobar(&ptr); // OK
    ```

    But it will match here:

    ```cpp
    if (ptr != nullptr) {
        return;
    }

    foobar(&ptr); // finding
    ```
    (pa-3091)
  • Metavariable-type rule support for C, C++

    Users now can use metavariable-type rules in both C and C++. For instance, the
    provided code snippet:

    ```cpp
    #include <fstream>

    using namespace std;

    void test_001() {
        ifstream in;
        // ruleid: match-simple-metavar-type
        in.get(str, 2);

        mystream my;
        // ok: type mismatch
        my.get(str, 2);
    }
    ```

    can be matched by the following rule:

    ```yaml
    rules:
      - id: match-simple-metavar-type
        patterns:
          - pattern: $X.get($SRC, ...)
          - metavariable-type:
              metavariable: $X
              type: ifstream
        message: Semgrep found a match
        languages:
          - cpp
        severity: WARNING
    ```
    (pa-3106)

  • C/C++: If conditions such as if (int x = f()) are now correctly translated
    into the Dataflow IL, so Semgrep can report a finding in the example below:

    ```cpp
    if (const char *tainted_or_null = source("PATH"))
    {
        // ruleid:
        sink(tainted_or_null);
    }
    ```
    (pa-3107)
Changed
  • The _comment field in the JSON output of semgrep scan has been removed. (_comment)
  • Use config=auto by default for the scan command when other options are not specified (grow-50)
  • Use subprocess.run to get contributions instead of StreamingSemgrepCore so crashes don't affect the actual scan. (os-967)
Fixed
  • The CLI autocompletion code has been removed. It was not currently working
    and nobody reported it, which probably means nobody was using it. (autocomplete)

  • The --core-opts flag has been removed. (core_opts)

  • fix: metavariable-type now correctly matches non-primitive types in php (gh-8781)

  • fixed the regression in --registry-caching and added a better error message
    telling the user that --experimental is also needed. (gh-8828)

  • Support labeled let bindings within Swift case statements

    Correctly parsing labeled let bindings within Swift case statements.
    For instance, the code snippet:

    ```swift
    switch self {
      case .bar(_, _, x: let y):
        return y
    }
    ```

    now successfully matches the pattern:

    ```swift
    switch self {case .$X(..., $Y: $Z): ...}
    ```
    (pa-3120)

  • Add parsing support for various rare Swift constructs (swift-parsing)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
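As an added example (not part of the Renovate PR or of the semgrep changelog quoted above), here is a taint-mode rule that exercises the try/except/else/finally semantics described in the v1.42.0 notes. It assumes the changelog's f() example is saved as taint_try.py and that sanitize() and sink() are the sanitizer and sink names, as in that example.

```yaml
# Added example rule, not from the PR or from semgrep itself.
# Assumes the v1.42.0 changelog's f() example is stored in taint_try.py.
rules:
  - id: taint-through-try-else-finally
    mode: taint
    languages: [python]
    severity: WARNING
    message: >-
      $ARG carries the tainted parameter of f() into sink(); with the
      v1.42.0 try/except/else/finally semantics this fires on sink(b)
      and sink(c) only
    # Source: the parameter of f() (function name taken from the changelog example)
    pattern-sources:
      - patterns:
          - pattern-inside: |
              def f($PARAM):
                ...
          - focus-metavariable: $PARAM
    # Sanitizer: any call to sanitize(...) (assumed helper name)
    pattern-sanitizers:
      - pattern: sanitize(...)
    # Sink: the argument handed to sink(...) (assumed helper name)
    pattern-sinks:
      - patterns:
          - pattern-inside: sink($ARG)
          - pattern: $ARG
```

Running `semgrep --config taint_try.yaml taint_try.py` on semgrep 1.42.0 or later should report sink(b) and sink(c) and stay silent on sink(a) and sink(d), matching the four comments in the changelog example.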

@renovate renovate bot force-pushed the renovate/semgrep-1.x-lockfile branch from 09b3279 to 075d586 Compare October 3, 2023 15:22
@renovate renovate bot changed the title Update dependency semgrep to v1.42.0 Update dependency semgrep to v1.43.0 Oct 3, 2023
@Zebradil Zebradil merged commit c3a132d into master Oct 5, 2023
4 checks passed
@Zebradil Zebradil deleted the renovate/semgrep-1.x-lockfile branch October 5, 2023 23:04