
Bump semgrep from 1.40.0 to 1.41.0 #732

Merged: 1 commit merged into main from dependabot/pip/semgrep-1.41.0 on Sep 25, 2023

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Sep 25, 2023

Bumps semgrep from 1.40.0 to 1.41.0.

Release notes

Sourced from semgrep's releases.

Release v1.41.0

Changed

  • Rule validation no longer fails if a rule contains additional unknown fields. This makes it so older versions of semgrep do not fail rules that contain extra functionality. When writing a custom rule, the min-version field should be used to identify rules that should not be run, meaning that the additional functionality present in the min-version of Semgrep is necessary in running the rule. (#8712)
  • Limit collection of the contributions from git log to the last 30 days of commits.

Fixed

  • semgrep ci now shows a more specific error message if a scan cannot complete due to a user disabling all rules on semgrep.dev (#8716)
  • Docker: For the nonroot Docker build stage, moved semgrep-core to /home/semgrep/bin and updated $PATH env variable with the new location. This avoids permissions issues when running and installing Pro Engine while using the nonroot Docker image. (#8685)
  • Ruby: Fixed a bug where patterns such as <id> ... do ... end would not match properly. (#8714)
  • Swift: Implemented key path expression parsing in Swift. The following example should now be correctly matched by the $X.isActive pattern:
    employee.filter(\.isActive)
    
    Note that when the implicit type is used, the metavariable $X binds to the backslash character instead of the type name. (#8694)
  • C++: Translate for (T var : E) loops into the Dataflow IL as for-each loops, so that Semgrep reports no finding in the following code:
      for (int *p : set) {
        sink(p); // no finding
        source(p);
      }
    
    Since each p is (in principle) a different object, even if source(p) taints the current p, that should not affect the next one. (#8749)
  • Ruby: Fixed patterns which involve command calls with blocks and Semgrep ellipses, when there are newlines around. For instance, the pattern
    $METHOD ... do
      ...
    end
    
    now parses properly. (#8758)
  • Fixed a bug in which Semgrep miscategorized direct dependencies that were erroneously identified as transitive in Node.js v9, lockfile version 3 and above.
Changelog

Sourced from semgrep's changelog.

1.41.0 - 2023-09-19

Changed

  • Rule validation no longer fails if a rule contains additional unknown fields. This makes it so older versions of semgrep do not fail rules that contain extra functionality. min-version field should be used to identify rules that should not be run (i.e. the additional functionality is necessary in running the rule) (gh-8712)
  • Limit collection of the contributions from git log to the last 30 days of commits. (scp-965)

Fixed

  • Ruby: Fixed a bug where patterns like <id> ... do ... end would not match properly. (gh-8714)

  • Show more specific error message if scan cannot complete because user has disabled all rules on semgrep.dev (gh-8716)

  • For the nonroot Docker build stage, moved semgrep-core to /home/semgrep/bin and updated $PATH env variable with the new location. This avoids permissions issues when running and installing Pro Engine while using the nonroot Docker image. (pa-3026)

  • Implemented key path expression parsing in Swift. The following example should now be correctly matched by the $X.isActive pattern:

    employee.filter(\.isActive)
    

    Note that when the implicit type is used, the metavariable $X will bind to the backslash character instead of the type name. (pa-3070)

  • C++: Translate for (T var : E) loops into the Dataflow IL as for-each loops, so that Semgrep reports no finding in the following code:

      for (int *p : set) {
        sink(p); // no finding
        source(p);
      }
    

    Since each p is (in principle) a different object, even if source(p) taints the current p, that should not affect the next one. (pa-3090)

  • Ruby: Fixed patterns which involve command calls with blocks and Semgrep ellipses, when there are newlines around.

    For instance, the pattern

    $METHOD ... do
      ...
    end
    

... (truncated)

Commits
  • d647638 chore: Bump version to 1.41.0
  • ca2efd0 debug: update formatter and introduce bc test (#8759)
  • 19591a2 fix(ruby): command call blocks with newlines (#8758)
  • 35c59e5 chore: repin benchmarks (#8752)
  • e9238e8 fix: Check if intellij for messages (#8734)
  • 565f5fd Gracefully exit if semgrep scan --pro is called before install (#8746)
  • 899505b cleanup: add IL node for fetch expressions used as statements (#8646)
  • 1425eda Move the pre_post type and functions out of Core_scan.mli (#8750)
  • e4df0c2 Generic-to-IL: Fix translation of C++ "foreach" loops (#8749)
  • d15030e move the semgrep-core cli specific stuff out of core_scan/ (#8748)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [semgrep](https://github.com/returntocorp/semgrep) from 1.40.0 to 1.41.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/returntocorp/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.40.0...v1.41.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
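The release notes above describe two things a rule author can act on: the new tolerance for unknown fields together with the min-version field, and the C++ for-each taint fix. Added here as an illustration, not from semgrep or this PR, is a custom taint rule that exercises both; the rule id and message are invented, and the by-side-effect/focus-metavariable source shape is assumed from Semgrep's taint-mode rule syntax rather than taken from this page.

```yaml
# Added example rule (not part of the semgrep release or this PR).
# Intended input: the release note's C++ snippet
#   for (int *p : set) { sink(p); source(p); }
rules:
  - id: cpp-foreach-side-effect-taint   # hypothetical rule id
    # min-version (from the release notes): Semgrep older than this skips
    # the rule instead of failing validation on keys it does not know.
    min-version: 1.41.0
    languages: [cpp]
    severity: WARNING
    message: >-
      Value tainted by source() reaches sink()
    mode: taint
    pattern-sources:
      # source(p) taints its argument in place, so model it as a source
      # that taints $X by side effect (assumed taint-mode syntax).
      - patterns:
          - pattern: source($X)
          - focus-metavariable: $X
        by-side-effect: true
    pattern-sinks:
      - pattern: sink(...)
```

On 1.41.0 this rule reports nothing for the loop, because each iteration's p is a fresh binding; swapping the two statements so source(p) precedes sink(p) in the same iteration brings the finding back, which is a quick way to confirm the rule itself is live.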
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python labels Sep 25, 2023
@davorrunje davorrunje added this pull request to the merge queue Sep 25, 2023
Merged via the queue into main with commit 4ca5299 Sep 25, 2023
18 checks passed
@davorrunje davorrunje deleted the dependabot/pip/semgrep-1.41.0 branch September 25, 2023 08:43