
chore(deps): update dependency semgrep to ~=1.70.0 #575

Merged (1 commit) on Apr 29, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Apr 24, 2024

Mend Renovate

This PR contains the following updates:

Package: semgrep
Change: ~=1.68.0 -> ~=1.70.0
(Age, adoption, passing and confidence badges were not captured in this export.)

Release Notes

returntocorp/semgrep (semgrep)

v1.70.0

Compare Source

Added
  • Added guidance for resolving API token issues in CI environments. (gh-10133)

  • The osemgrep show command supports 2 new options: dump-ast and dump-pattern.
    See osemgrep show --help for more information. (osemgrep_show)

  • Added additional output flags which allow you to write output to multiple files in multiple formats.

    For example, the command semgrep ci --text --json-output=result.json --sarif-output=result.sarif.json
    displays text output on stdout, writes the output that would be generated by passing the --json flag
    to result.json, and writes the output that would be generated by passing the --sarif flag to result.sarif.json. (saf-341)

  • Added an experimental feature for users to use osemgrep to format
    SARIF output.

    When both the flags --sarif and --use-osemgrep-sarif are specified,
    semgrep will use the ocaml implementation to format SARIF.

    This flag is experimental and can be removed any time. Users must not
    rely on it being available. (saf-978)

Changed
  • The main regex engine is now PCRE2 (was PCRE). While the syntax is mostly
    compatible, there are some minor instances where updates to rules may be
    needed, since PCRE2 is slightly more strict in some cases. For example, while
    we previously accepted [\w-.], such a pattern would now need to be written
    [\w.-] or [\w\-.] since PCRE2 rejects the first as having an invalid range. (scrt-467)
Fixed
  • Semgrep LS now waits longer for users to log in (gh-10109)

  • When semgrep ci finishes scanning and uploads findings, it tells the
    app to mark the scan as completed.

    For large findings, this may take a while and marking the scan as
    completed may time out. When a scan is not marked as completed, the app
    may show that the repo is still processing, which confuses the user.

    This change increases the timeout (previously 20 minutes) to 30
    minutes. (saf-980)

  • Fix semgrep ci --oss-only when secrets product is enabled. (scrt-223)

v1.69.0

Compare Source

Added
  • Tracing: remove support for SEMGREP_OTEL_ENDPOINT and replace with
    --trace-endpoint <url>.
    This change is for an internal feature for debugging performance. (saf-885)
Changed
  • Passing --debug to Semgrep should now print fewer logs. We do
    not want --debug's output to be enormous, as it tends not to be useful and yet
    causes some problems. Note that --debug is mainly intended for Semgrep developers;
    please ask for help if needed. (gh-10044)
Fixed
  • In generic mode (default, spacegrep engine), matching a pattern that
    ends with an ellipsis now favors the longest match rather than the shortest
    match when multiple matches are possible. For example, for a given target
    program a a b, the pattern a ... b will match a b as before but
    the pattern a ... will now match the longer a a b rather than a b. (gh-10039)
  • Fixed the inter-file diff scan issue where the removal of pre-existing findings
    didn't work properly when adding a new file or renaming an existing file. (saf-897)

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
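The PCRE-to-PCRE2 switch in the v1.70.0 notes above is the one item in this bump that can silently break existing rules, so a pre-upgrade check is worth running. The following is an added example, not code from this PR or from Semgrep: a small lint over a rules file that flags character classes with a hyphen directly after a shorthand class (the `[\w-.]` case from the notes) and suggests the `[\w.-]` rewrite. The sample rules file, its rule ids, and the restriction to the `pattern-regex`, `pattern-not-regex` and `regex` keys are my assumptions.

```python
import re

# Inside a character class, PCRE2 rejects a hyphen that sits directly after a
# shorthand class (\w, \d, \s and their negations) and before another literal,
# e.g. [\w-.]; PCRE silently treated that hyphen as a literal '-'.
_CLASS_RE = re.compile(r"(?<!\\)\[(?:\\.|[^\]\\])*\]")
_BAD_RANGE_RE = re.compile(r"\\[wdsWDS]-(?!\])")

# Rule keys whose values Semgrep hands to the regex engine (assumed subset).
_REGEX_KEYS = ("pattern-regex", "pattern-not-regex", "regex")


def find_invalid_ranges(pattern: str) -> list[str]:
    """Return every character class in `pattern` that PCRE2 would reject."""
    return [m.group(0) for m in _CLASS_RE.finditer(pattern)
            if _BAD_RANGE_RE.search(m.group(0))]


def fix_class(char_class: str) -> str:
    r"""Rewrite a flagged class by moving the hyphen to the end: [\w-.] -> [\w.-]."""
    without_hyphen = _BAD_RANGE_RE.sub(lambda m: m.group(0)[:-1], char_class)
    return without_hyphen[:-1] + "-]"


def scan_rule_text(text: str) -> list[tuple[int, str, str]]:
    """Scan a rules file line by line (no YAML parser needed for this check)
    and return (line number, offending class, suggested rewrite) tuples."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key, _, value = line.partition(":")
        if key.strip().lstrip("- ") not in _REGEX_KEYS:
            continue
        for bad in find_invalid_ranges(value.strip()):
            hits.append((lineno, bad, fix_class(bad)))
    return hits


# Constructed sample rules file: one PCRE-only pattern, one already PCRE2-safe.
SAMPLE_RULES = """rules:
  - id: hardcoded-token-name
    pattern-regex: (?i)(api|auth)[\\w-.]*token\\s*=\\s*['"][^'"]+['"]
    message: possible hardcoded token
    languages: [generic]
    severity: WARNING
  - id: contact-address
    pattern-regex: [\\w.-]+@example\\.com
    message: already PCRE2-safe
    languages: [generic]
    severity: INFO
"""
```

It catches only the hyphen-after-shorthand case the release notes describe, so the upgraded semgrep should still be run against the full rule set before merging.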

@renovate renovate bot requested a review from a team as a code owner April 24, 2024 03:32

[puLL-Merge] - returntocorp/[email protected]

Here is my review of the PR diff:

Description

This PR updates Semgrep to version 1.69.0 and makes several changes to improve tracing capabilities, extend the /semgrep/search LSP endpoint, fix some bugs, and adopt Nix for building the project.

The main motivations seem to be:

  1. Adding support for Nix builds to have reproducible development environments
  2. Streaming search results back for the /semgrep/search LSP endpoint
  3. Fixing some small bugs and updating dependencies
Changes

Major changes by file:

.dockerignore, .envrc, .gitignore, .pre-commit-config.yaml

  • Ignore some Nix related files and directories

CHANGELOG.md

  • Add new entry for version 1.69.0 detailing changes

cli/pyproject.toml, cli/setup.py

  • Update Python dependencies
  • Bump version to 1.69.0

cli/src/semgrep/commands/ci.py, scan.py

  • Add new trace_endpoint option for configuring the OpenTelemetry trace endpoint

libs/spacegrep/*

  • Change Makefile to use dune build, symlinks
  • Fix bug with overlapping matches with open end ellipsis favoring longest match now

libs/tracing/Tracing.mli

  • Add trace_endpoint parameter to with_tracing function

src/engine/Match_search_mode.ml

  • Reverse negation explanations when folding to preserve original rule order

src/osemgrep/language_server/custom_requests/Search.ml

  • Implement streaming search for /semgrep/search LSP endpoint, servicing partial results
  • Add support for include/exclude filters

flake.nix, flake.lock

  • Add Nix configuration for reproducible Semgrep builds

Security Hotspots

  • None of the changes appear to introduce new major security risks. The main additions are around tracing and Nix builds.

  • One potential area to verify is the new trace_endpoint configuration and make sure arbitrary endpoints cannot be supplied that may leak sensitive data. It looks like there are some specific allowed values though.

  • As always, dependencies should be checked for any new vulnerabilities, especially in setup.py.

Let me know if you have any other questions!

@renovate renovate bot changed the title chore(deps): update dependency semgrep to ~=1.69.0 chore(deps): update dependency semgrep to ~=1.70.0 Apr 28, 2024
@thypon thypon merged commit 9d91105 into main Apr 29, 2024
8 checks passed
@thypon thypon deleted the renovate/semgrep-1.x branch April 29, 2024 22:23