
chore(deps): update dependency semgrep to ~=1.91.0 #688

Merged 1 commit, Oct 16, 2024

Conversation

renovate[bot] (Contributor) commented Oct 16, 2024

This PR contains the following updates:

Package | Change
semgrep | ~=1.90.0 -> ~=1.91.0

Release Notes

returntocorp/semgrep (semgrep)

v1.91.0

Added
  • Type inference in the Pro engine has been improved for class fields in
    TypeScript that are assigned a new instance but lack an explicit type
    definition. When no explicit type is provided for a class field, its type is
    inferred from the type of the expression assigned to it. For example, in the
    class definition class Foo { private readonly bar = new Bar(); }, the type of
    bar is inferred to be Bar. (code-7635)
  • Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)
Fixed
  • Address python rich.errors.LiveError where attempting to display multiple progress bars
    raises an exception as flagged in #10562. (grow-414)
  • C: Fix a regression causing pattern -n to sometimes not match code -n. (saf-1592)
  • When a scan runs into an exception, the app is appropriately notified
    about the failure. Previously, in the app, it would seem to the user
    that the scan is still in progress. (sms-502)

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.
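The TypeScript type-inference item in the release notes matters for rules that use a typed metavariable: the rule can only match a method call on a field if the engine knows the field's type, and a field written as `private readonly bar = new Bar();` carries no annotation. The rule and target below are an added example, not part of this PR or of the Semgrep project. The rule id `bar-unsafe-call`, the `Bar.unsafe` method and the `Foo` class are constructed; the typed-metavariable syntax `($B: Bar)` is Semgrep's documented form for TypeScript, and the expectation that the second call matches rests on the Pro-engine inference the release note describes (the OSS engine is assumed not to resolve the unannotated field's type).

```yaml
# Added example (not from the PR or the Semgrep project): a rule whose typed
# metavariable depends on the type of a class field that is never annotated.
rules:
  - id: bar-unsafe-call            # constructed rule id
    languages: [typescript]
    severity: WARNING
    message: >-
      Call to Bar.unsafe() on $B; check the argument before it reaches Bar.
    # Typed metavariable: matches only when the receiver's type resolves to Bar.
    pattern: ($B: Bar).unsafe(...)

# Constructed target file, service.ts, run with the Pro engine:
#   semgrep --config rule.yaml --pro service.ts
#
#   class Bar { unsafe(s: string) { /* sink, for illustration */ } }
#
#   class Foo {
#     private readonly typed: Bar = new Bar();   // explicit annotation
#     private readonly bar = new Bar();          // no annotation; type must be inferred
#
#     run(input: string) {
#       // ruleid: bar-unsafe-call   (explicit type; no inference needed)
#       this.typed.unsafe(input);
#       // ruleid: bar-unsafe-call   (inferred type; relies on the 1.91.0 Pro change)
#       this.bar.unsafe(input);
#     }
#   }
```

The `// ruleid:` annotations follow Semgrep's rule-test convention, so `semgrep --test` on a directory holding `rule.yaml` and `service.ts` reports whether each annotated line was found; a miss on the second call is the case the release note says the Pro engine now handles.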

@renovate renovate bot requested a review from thypon as a code owner October 16, 2024 03:33

[puLL-Merge] - returntocorp/semgrep@1.91.0

Description

This PR introduces several changes to the Semgrep codebase, including improvements to type inference, support for new languages, bug fixes, and various code refactorings. The changes span across multiple components of the system, including the core engine, CLI, and language-specific parsers.

Possible Issues

  1. The addition of new languages and features may introduce unexpected behavior or compatibility issues with existing rules or workflows.
  2. The refactoring of taint analysis and signature instantiation logic could potentially impact the accuracy or performance of security checks.

Security Hotspots

  1. Changes to the taint analysis logic in Match_taint_spec.ml and Dataflow_tainting.ml should be carefully reviewed to ensure they don't introduce new vulnerabilities or miss existing ones.
  2. The addition of support for new languages (e.g., Move on Sui) should be thoroughly tested to ensure proper handling of language-specific security patterns.

Changes

  1. CHANGELOG.md: Added entries for version 1.91.0, including improvements to type inference and Cargo.lock parsing.
  2. Dockerfile: Added opam update command to ensure up-to-date packages.
  3. Makefile: Modified the REQUIRED_DEPS variable to include additional opam files for building semgrep as part of a larger project.
  4. cli/setup.py and cli/src/semgrep/__init__.py: Updated version number to 1.91.0.
  5. cli/src/semdep/lockfile.py: Refactored lockfile parsing logic, including support for new lockfile formats and improved error handling.
  6. cli/src/semgrep/app/scans.py: Modified timeout logic to use datetime.now() instead of datetime.utcnow().
  7. cli/src/semgrep/commands/ci.py: Added support for rule partitioning with a new --x-dump-rule-partitions flag.
  8. cli/src/semgrep/git.py: Improved error messaging for git-related issues.
  9. cli/tests/default/e2e-other/test_ci.py: Added tests for new failure reporting functionality.
  10. src/analyzing/AST_to_IL.ml, src/core/Version.ml, src/engine/Formula_cache.ml: Added new modules for formula caching and version updates.
  11. src/engine/Match_taint_spec.ml, src/engine/Match_tainting_mode.ml: Refactored taint analysis logic and introduced new data structures for handling taint specifications.
  12. src/osemgrep/cli/Help.ml: Updated CLI documentation URL.
  13. src/parsing/Parsing_plugin.ml: Added support for new languages and improved plugin management.
  14. src/tainting/Dataflow_tainting.ml, src/tainting/Sig_inst.ml: Refactored taint analysis and signature instantiation logic.
  15. Various test files: Added new test cases and moved existing tests to different directories.

These changes represent a significant update to the Semgrep codebase, improving its capabilities and maintainability. The security-related changes, particularly in taint analysis, should be carefully reviewed and tested to ensure they maintain or improve the system's ability to detect vulnerabilities.

@thypon thypon merged commit 82eec8b into main Oct 16, 2024
8 checks passed
@thypon thypon deleted the renovate/semgrep-1.x branch October 16, 2024 13:40