Update semgrep requirement from <1.54,>=1.50 to >=1.50,<1.55

[dependabot]

Updates the requirements on semgrep to permit the latest version.

Release notes

Sourced from semgrep's releases.

Release v1.54.0

1.54.0 - 2023-12-19

Added

• Pro only: taint-mode: In a function/method call, it is now possible to arbitrarily propagate taint between arguments and the callee. For example in C, one can propagate taint from the second argument of strcat to the first, that is, strcat($TO, $FROM). Another example, in C++ one can propagate taint from the left operand of >> to the right one, that is, $FROM >> $TO. (pa-3131)
• Semgrep IDE integrations will now cache workspace targets, so a full traversal of a workspace is no longer needed on every scan (pdx-148)

Changed

• OCaml: switch to using the tree-sitter based parser instead of the menhir parser, which has a more complete AST, especially for objects and classes. (ocaml)

Fixed

• solidity: support ellipsis in for loops header in the init part. (gh-9431)

• taint-mode: Fixed recently added by-side-effect: only option for taint sources, so that it does not incorrectly taint expressions that are not l-values, e.g. given this taint source:

  pattern-sources:
    - by-side-effect: only
      patterns:
        - pattern: delete $VAR;
        - focus-metavariable: $VAR

  The get(*from) expression should not become tainted since it's not an l-value:

  delete get(*from);
  ``` (pa-2980)

• In C++, the string literal now has a type of char *. It won't match with the string type. For instance,

  - metavariable-type:
      metavariable: $EXPR

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.54.0 - 2023-12-19

Added

• Pro only: taint-mode: In a function/method call, it is now possible to arbitrarily propagate taint between arguments and the callee. For example in C, one can propagate taint from the second argument of strcat to the first, that is, strcat($TO, $FROM). Another example, in C++ one can propagate taint from the left operand of >> to the right one, that is, $FROM >> $TO. (pa-3131)
• Semgrep IDE integrations will now cache workspace targets, so a full traversal of a workspace is no longer needed on every scan (pdx-148)

Changed

• OCaml: switch to using the tree-sitter based parser instead of the menhir parser, which has a more complete AST, especially for objects and classes. (ocaml)

Fixed

• solidity: support ellipsis in for loops header in the init part. (gh-9431)

• taint-mode: Fixed recently added by-side-effect: only option for taint sources, so that it does not incorrectly taint expressions that are not l-values, e.g. given this taint source:

  pattern-sources:
    - by-side-effect: only
      patterns:
        - pattern: delete $VAR;
        - focus-metavariable: $VAR

  The get(*from) expression should not become tainted since it's not an l-value:

  delete get(*from);
  ``` (pa-2980)

• In C++, the string literal now has a type of char *. It won't match with the string type. For instance,

  - metavariable-type:
      metavariable: $EXPR
      type: string

... (truncated)

Commits

• 64e6f96 chore: Bump version to 1.54.0
• 084b36d fix(metrics): compact ruleStats (#9479)
• 95b21d2 fix: properly check for release branch build (#9487)
• 5c183e3 feat(LS): cache file targeting (#9447)
• 368a68b chore: Tidy module specification produced by python translation from generic....
• 6d9fb3a tainting: pro: Arbitrary propagation between callee and args (#9482)
• 2d17013 ojsonnet: fix Inf bug and first time std.format works! (#9483)
• 182eb36 ojsonnet: add call trace with --debug (#9481)
• 82d9707 switch to ojsonnet --envir for .github/workflow (#9480)
• 4cba38f fix(metrics): compact ruleHashesWithFindings (#9477)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[sonarqubecloud]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (2e4158f) 96.23% compared to head (202f84d) 96.23%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #185   +/-   ##
=======================================
  Coverage   96.23%   96.23%           
=======================================
  Files          80       80           
  Lines        3772     3772           
=======================================
  Hits         3630     3630           
  Misses        142      142