chore(deps): update pre-commit hook returntocorp/semgrep to v1.86.0

[alma-renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
returntocorp/semgrep	repository	minor	v1.84.1 -> v1.86.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

returntocorp/semgrep (returntocorp/semgrep)

v1.86.0

Compare Source

1.86.0 - 2024-09-04

Added

• The taint analysis can now track method invocations on variables of an
  interface type, when there is a single implementation. For example, the tainted
  input vulnerability can now be detected in the following code:

  public interface MovieService {
    String vulnerableInjection(String input);
  }
  
  @​Service
  public class MovieServiceImpl implements MovieService {
    @​Override
    public String vulnerableInjection(String input) {
      return sink(input);
    }
  }
  
  @​RestController("/")
  public class SpringController {
  
    @​Autowired
    private MovieService movieService;
  
    @​GetMapping("/pwn")
    public String pwnTest(@​RequestParam("input") String taintedInput) {
      return movieService.vulnerableInjection(taintedInput);
    }
  }

  When there are multiple implementations, the taint analysis will not follow any
  of them. We will add handling of cases with multiple implementations in
  upcoming updates. (code-7434)

• Uses of values imported via ECMAScript default imports (e.g., import example from 'mod';) can now be matched by qualified name patterns (e.g.,
  mod.default). (code-7463)

• Pro: taint-mode: Allow (experimental) control taint to propagate through returns.

  Now this taint rule:

  pattern-sources:
  - control: true
    pattern: taint()
  pattern-sinks:
  - pattern: sink()
  

  It is able to find this:

  def foo():
    taint()
  
  def test():
    foo()
    sink() # now it is found! (code-7490)
  

• A new flag --max-log-list-entries allows to control the
  maximum number of entries that will be shown in the log (e.g.,
  list of rule ids, list of skipped files).
  A zero or negative value disables this filter.
  The previous hardcoded limit was at 100 (and now becomes a default value). (max_log_list_entries)

Changed

• Semgrep will now log memory-related warnings/errors when run in --debug mode,
  without the need to set SEMGREP_LOG_SRCS=process_limits. (logging)

Fixed

• Fixed inter-file constant propagation to prevent some definitions from being
  incorrectly identified as constant, when they are modified in other parts of
  the codebase. (code-6793)

• pro: taint-mode: Fixed bug in taint signature instantiation that could cause an
  update to a field in a nested object to not be tracked.

  For example, in the code below, Semgrep knew that Nested.update updates the
  fld attribute of a Nested object. But due to this bug, Semgrep would not know that Wrapper.updateupdated thefldattribute of thenestedobject attribute in aWrapper` object.

  public class Nested {
  
      private String fld;
  
      public void update(String str) {
          fld = str;
      }
  
      // ...
  }
  
  public class Wrapper {
  
      private Nested nested;
  
      public void update(String str) {
          this.nested.update(str);
      }
  
  // ...
  } (code-7499)
  

• Fixed incorrect range matching parametrized type expressions in Julia (gh-10467)

• Fixed an edge case that could lead to a failure to name or type imported Python symbols during interfile analysis. (py-imports)

• Fix overly-aggressive match deduplication that could, under certain circumstances, lead to findings being closed and reopened in the app. (saf-1465)

• Fixed regex-fix numbered capture groups, where it used to be the case that
  a replacement: regex with numbered capture groups like \1\2\3 would effectivly
  be the same as \1\1\1.

  After the fix:

src.py

12345

```yaml
pattern: $X
fix-regex:
      regex: (1)(2)(3)(4)(5)
      replacement: \5\4\3\2\1

actually results in the fix

54321
``` (saf-1497)

v1.85.0

Compare Source

1.85.0 - 2024-08-15

Added

• Semgrep now recognizes files ending with the extention .tfvars as terraform files (saf-1481)

Changed

• The use of --debug will not generate anymore profiling information.
  Use --time instead. (debug)
• Updated link to the Supply Chain findings page on Semgrep AppSec Platform to filter to the specific repository and ref the findings are detected on. (secw-2395)

Fixed

• Fixed an error with julia list comprehentions where the pattern:

  [$A for $B in $C]
  

  would match

  [x for y in z]

  However we would only get one binding [$A/x]

  Behavior after fix: we get three bindings [$A/x,$B/y,$C/z] (saf-1480)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

⏳E2E tests are currently running.
➡️ You can follow their progression here.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[github-actions]

❌ E2E tests have failed.
➡️ You can find the results here.

[github-actions]

❌ E2E tests have failed.
➡️ You can find the results here.