
chore(deps): update dependency semgrep to ~=1.85.0 #658

Merged
merged 2 commits into from
Aug 28, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jul 31, 2024

Mend Renovate

This PR contains the following updates:

Package | Change
semgrep | ~=1.80.0 -> ~=1.85.0

Release Notes

returntocorp/semgrep (semgrep)

v1.85.0


Added
  • Semgrep now recognizes files ending with the extension .tfvars as terraform files (saf-1481)
Changed
  • The use of --debug will no longer generate profiling information.
    Use --time instead. (debug)
  • Updated link to the Supply Chain findings page on Semgrep AppSec Platform to filter to the specific repository and ref the findings are detected on. (secw-2395)
Fixed
  • Fixed an error with julia list comprehensions where the pattern:

    [$A for $B in $C]
    

    would match

    [x for y in z]

    However, we would only get one binding [$A/x]

    Behavior after fix: we get three bindings [$A/x,$B/y,$C/z] (saf-1480)

v1.84.1


No significant changes.

v1.84.0


Changed
  • We switch from magenta to yellow when highlighting matches
    with the medium or warning severity. We now use magenta for
    critical severity to be consistent with other tools such
    as npm. (color)
Fixed
  • Work around a deadlock when interfile is run with j>1 and tracing is enabled. (saf-1157)
  • Fixed file count to report the accurate number of files scanned by generic & regex
    so that no double counting occurs. (saf-507)

v1.83.0


Added
  • Dockerfile: Allow Semgrep Ellipsis (...) in patterns for HEALTHCHECK commands. (saf-1441)
Fixed
  • The use of --debug should now generate far fewer log entries.
    Moreover, when the number of ignored files, or rules, or
    other entities exceeds a big number, we instead replace them
    with a in the output to keep the output of semgrep
    small. (debuglogs)
  • Fixed a bug introduced in 1.81.0 which caused files ignored for the Code
    product but not the Secrets product to fail to be scanned for secrets.
    Files that were not ignored for either product were not affected. (saf-1459)

v1.82.0


Added
  • Added testsuite/ as a filepath to the default value for .semgrepignore. (gh-1876)
Changed
  • Update the library definitions for Java for the latest version of the JDK. (java-library-definitions)
Fixed
  • Fixed metavariable comparison in step mode.

    Used to be that the rule:

        steps:
            - languages: [python]
              patterns:
                - pattern: x = f($VAR);
            - languages: [generic]
              patterns:
                - pattern-either:
                    - patterns:
                        - pattern: HI $VAR

    Wouldn't match, as one is an identifier, and the other an expression that has a
    string literal. The fix was changing the equality used. (saf-1061)

v1.81.0


Changed
  • The --debug option will now display logging information from the semgrep-core
    binary directly, without waiting for the semgrep-core program to finish. (incremental_debug)
Fixed
  • C++: Scanning a project with header files (.h) no longer causes
    spurious warnings that the file is being skipped or not analyzed. (code-6899)

  • Semgrep will now be more strict (as it should be) when unifying identifiers.

    Patterns like the one below may no longer work, particularly in Semgrep Pro:

    patterns:
      - pattern-inside: |
          class A:
            ...
            def $F(...):
              ...
            ...
          ...
      - pattern-inside: |
          class B:
            ...
            def $F(...):
              ...
            ...
          ...
    

    Even if two classes A and B may both have a method named foo, these methods
    are not the same, and their ids are not unifiable via $F. The right way of doing
    this in Semgrep is the following:

    patterns:
      - pattern-inside: |
          class A:
            ...
            def $F1(...):
              ...
            ...
          ...
      - pattern-inside: |
          class B:
            ...
            def $F2(...):
              ...
            ...
          ...
      - metavariable-comparison:
          comparison: str($F1) == str($F2)
    

    We use a different metavariable to match each method, then we check whether they
    have the same name (i.e., same string). (code-7336)

  • In the app, you can configure Secrets ignores separately from Code/SSC ignores. However, the
    files that were ignored by Code/SSC and not Secrets were still being scanned during the
    preprocessing stage for interfile analysis. This caused significantly longer scan times than
    expected for some users, since those ignored files can ignore library code. This PR fixes that
    behavior and makes Code/SSC ignores apply as expected. (saf-1087)

  • Fixed a typo that prevented users from using the "--junit-xml-output" flag and added a test that invokes the flag. (saf-1437)


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from thypon as a code owner July 31, 2024 01:41

[puLL-Merge] - returntocorp/[email protected]

Description

This pull request refactors the codebase by moving rule-related code from src/core to a new src/rule directory. It also introduces a new Rule_error module to handle rule parsing errors more systematically. The PR also includes some changes to error handling and logging, as well as minor updates to various tests and snapshots.

Changes

  1. src/rule/:

    • New directory created for rule-related code
    • Moved files from src/core/ to src/rule/: Lang.ml, Language.ml, Mini_rule.ml, Pattern.ml, Rule.ml, Rule_ID.ml, Target_selector.ml, Xlang.ml, Xpattern.ml, rule_schema_v2.atd, rule_schema_v2_adapter.ml, semgrep_output_v1.atd
    • Added new files: Mvar.ml, Rule_error.ml, Visit_rule.ml
  2. src/core/:

    • Removed rule-related files that were moved to src/rule/
    • Updated remaining files to use new module paths
  3. src/target/:

    • New directory created for target-related code
    • Moved files from src/core/: Lockfile_kind.ml, Lockfile_xtarget.ml, Manifest_kind.ml, Target.ml, Xtarget.ml
  4. Error handling:

    • Introduced Rule_error module to handle rule parsing errors
    • Updated error handling in various files to use the new Rule_error module
  5. Logging:

    • Updated some logging statements to use debug level instead of warn
    • Added error output logging in some cases
  6. Other changes:

    • Removed C-specific code from various files, now using C++ parser for C
    • Updated dependencies and module references throughout the codebase
    • Made minor adjustments to test files and snapshots

Possible Issues

  1. The removal of C-specific parsing code and reliance on the C++ parser for C files may cause unexpected behavior or performance issues for C-only projects.

  2. The extensive refactoring of rule-related code may introduce regressions or compatibility issues with existing tools or workflows that depended on the previous structure.

Security Hotspots

No significant security hotspots were identified in this change. The refactoring primarily focuses on code organization and error handling improvements.

@renovate renovate bot changed the title chore(deps): update dependency semgrep to ~=1.81.0 chore(deps): update dependency semgrep to ~=1.82.0 Aug 3, 2024
@renovate renovate bot changed the title chore(deps): update dependency semgrep to ~=1.82.0 chore(deps): update dependency semgrep to ~=1.83.0 Aug 6, 2024
@renovate renovate bot changed the title chore(deps): update dependency semgrep to ~=1.83.0 chore(deps): update dependency semgrep to ~=1.84.0 Aug 10, 2024
@renovate renovate bot changed the title chore(deps): update dependency semgrep to ~=1.84.0 chore(deps): update dependency semgrep to ~=1.84.1 Aug 12, 2024
@renovate renovate bot changed the title chore(deps): update dependency semgrep to ~=1.84.1 chore(deps): update dependency semgrep to ~=1.85.0 Aug 19, 2024
@@ -88,7 +88,7 @@ int bad4(char *src, int len)
char dst[256];

// REMOVED, false positive on Chromium: raptor-typos
if (len > 0 && len <= sizeof(dst)); ti
if (len > 0 && len <= sizeof(dst));
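Review bot: the changed line pair only strips the stray `ti` from the end of `if (len > 0 && len <= sizeof(dst)); ti`; the `;` that terminates the `if` stays, so inside bad4 the length check still governs an empty statement and whatever follows it runs for any len, which is exactly what the semgrep typos rule reports further down. If that is deliberate for a `bad4` fixture, record the intent next to the `// REMOVED, false positive on Chromium: raptor-typos` comment (a test `// ruleid:` annotation, or `// nosemgrep` if the finding should be suppressed) so the finding does not resurface on every run; if the rule really has been removed from the ruleset, drop the fixture line together with it.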


reported by reviewdog 🐶
[semgrep] The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. These types of errors are generally the result of a typo. This rule also covers some other common typo patterns. (see $EXPR1)

Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/typos.yaml


Cc @thypon
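The bug class behind the reviewdog finding above, as an added example (not the fixture or the rule from this PR): the length guard written with the stray `;`, beside the corrected guard and a bounded copy that rejects bad lengths up front. `DST_CAP`, `would_copy_typo`, `would_copy_fixed`, `bounded_copy` and `bounded_copy_result` are names assumed here.

```c
#include <stddef.h>
#include <string.h>

#define DST_CAP 256   /* mirrors `char dst[256]` in the bad4 fixture */

/* Constructed example, not the PR's fixture. The guard as the typo writes it:
 * the ';' right after the condition is an empty statement, so the indented
 * line below is NOT governed by the if. Only the decision is recorded here,
 * so an out-of-range len is harmless in this demo; in the real fixture the
 * ungated line is the memcpy into dst, i.e. a stack buffer overflow. */
static int would_copy_typo(int len)
{
    int copied = 0;
    if (len > 0 && len <= DST_CAP);   /* stray ';' -- what the typos rule flags */
        copied = 1;                    /* runs for every len, including 300 and -1 */
    return copied;
}

/* The same guard with the stray ';' removed: the copy is gated as intended. */
static int would_copy_fixed(int len)
{
    int copied = 0;
    if (len > 0 && len <= DST_CAP)
        copied = 1;
    return copied;
}

/* Hardened copy: rejects len <= 0 and len > cap up front and returns -1,
 * otherwise copies and returns the byte count. Casting len to size_t only
 * after the sign check avoids the int-vs-size_t comparison trap where a
 * negative len would silently become a huge unsigned value. */
static int bounded_copy(char *dst, size_t cap, const char *src, int len)
{
    if (len <= 0 || (size_t)len > cap)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Drives bounded_copy with a constructed 512-byte source and a DST_CAP-byte
 * destination, returning its result so the outcome is checkable per len. */
static int bounded_copy_result(int len)
{
    char src[512];
    char dst[DST_CAP];
    memset(src, 'A', sizeof src);
    return bounded_copy(dst, sizeof dst, src, len);
}
```

Compilers flag the first guard too (gcc and clang warn about the empty body and the misleading indentation), so building the fixture with warnings enabled gives a second line of defence besides the semgrep rule.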

@thypon thypon merged commit 31328db into main Aug 28, 2024
7 checks passed
@thypon thypon deleted the renovate/semgrep-1.x branch August 28, 2024 08:51