
chore(deps): update returntocorp/semgrep docker tag to v1.47.0 #722

Merged, 1 commit, Nov 2, 2023

Conversation

renovate[bot]

@renovate renovate bot commented Nov 2, 2023

Mend Renovate

This PR contains the following updates:

Package: returntocorp/semgrep
Type: container
Update: minor
Change: 1.46.0 -> 1.47.0

Release Notes

returntocorp/semgrep (returntocorp/semgrep)

v1.47.0

Compare Source

1.47.0 - 2023-11-01

Added
  • taint-mode: Added a Boolean exact option to sources and sanitizers to make
    matching stricter (default is false).

    If you specify a source such as foo(...), and Semgrep encounters foo(x),
    by default foo(x), foo, and x will all be considered tainted. If you add
    exact: true to the source specification, then only foo(x) will be regarded
    as tainted, that is, the "exact" match for the specification. The same applies
    to "exact" sanitizers. (gh-5897)

  • Added sg alias for semgrep binary which is functionally equivalent to

    alias sg="/opt/homebrew/bin/semgrep"

    with one fewer step. (gh-9117)

  • secrets: Added independent targeting from other semgrep products.

    This change allows Secrets to scan all tracked files. In particular, those ignored
    by semgrepignore will now get scanned. There will be additional changes
    in the future to allow configuring the files that are scanned for secrets. (gh-9125)

  • Adds an optional --no-secrets-validation flag to skip secrets validation. (no-secrets-validation)

  • Secrets rules (i.e., with metadata product: secrets) now mask, by replacing
    with *s the ending component of the matched content. (pa-2333)

  • Commutativity Support for Comparison Operators EQ and NOT_EQ

    We've introduced the commutative_compop rule option, enabling commutativity
    for comparison operators EQ and NOT_EQ. With this option, a == b will also
    match b == a, and a != b will also match b != a. (pa-3140)

  • Validation errors are separated from unvalidated findings in the terminal output. (validation-error)

Changed
  • For taint rules using labels (experimental) Semgrep now preferably picks a
    source without requires for the taint trace

    Semgrep now prioritizes taint sources without requires condition when
    choosing a representative taint trace from multiple source traces. This helps
    users to more clearly identify the initial taint source when multiple traces
    are involved. (pa-3122)

  • Unreachable supply chain findings now report only on the line the dependency was found in (no longer incorrectly including the next line).
    This change could affect the syntactic_id generated by said findings. (sc-727)

  • When running semgrep ci --supply-chain, defaults to using OSS engine even if
    PRO engine would otherwise be used (turned on in semgrep.dev, or with --pro flag) (supply-chain-oss)

Fixed
  • Semgrep no longer supports python 3.7 (gh-8698)
  • Semgrep will now refuse to run incompatible versions of the Pro Engine, rather than crashing with a confusing error message. (gh-8873)
  • Fixed an issue that prevented the use of semgrep install-semgrep-pro --custom-binary ... when logged out. (gh-9051)
  • The --severity=XXX scan flag is working again. (gh-9062)
  • The --sarif output no longer crashes when semgrep itself encounters errors
    while processing targets. (gh-9091)
  • Fixed how the end positions assigned to metavariable bindings are computed, in
    order to handle trailing newlines. This affected Semgrep's JSON output. If a
    metavariable $X was bound to a piece of text containing a trailing newline,
    such as "a\n", where the starting position was e.g. at line 1, Semgrep reported
    that the end position was at line 2, when in fact the text is entirely within
    line 1. If the text happened to be at the end of a file, Semgrep could report
    an end position that was outside the bounds of the file. (lang-18)
  • Semgrep Language Server now only scans open files on startup
  • Semgrep Language Server no longer scans with pro engine rules (ls)
  • Rust: unsafe blocks are now translated into the Dataflow IL so e.g. it becomes
    possible for taint analysis to track taint from/to an unsafe block. (pa-3218)
  • Correctly handle parsing toolchain directive in go.mod files (parsegomode)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
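The two rule options introduced in the quoted 1.47.0 notes, the taint-mode `exact` flag (gh-5897) and `commutative_compop` (pa-3140), are easiest to understand from a rule file. The following is an added example written for this page; it is not code from this repository or from the Semgrep project. The rule ids, the hypothetical function names `read_request`, `sanitize` and `run_query`, and the target shapes mentioned in the comments are assumptions chosen to illustrate the options; the option names and their placement follow the release notes.

```yaml
rules:
  # Rule 1: taint rule using the `exact` option on a source and a sanitizer.
  - id: example-exact-taint-source
    mode: taint
    languages: [python]
    severity: WARNING
    message: Untrusted input reaches run_query() without passing through sanitize()
    pattern-sources:
      # Without `exact: true`, matching `read_request(...)` against a target line
      # `data = read_request(req)` taints the call, the name `read_request` and `req`.
      # With `exact: true`, only the call expression `read_request(req)` is tainted.
      - pattern: read_request(...)
        exact: true
    pattern-sanitizers:
      # Only the result of `sanitize(...)` is treated as clean; the argument
      # handed to it remains tainted if it is used elsewhere.
      - pattern: sanitize(...)
        exact: true
    pattern-sinks:
      - pattern: run_query(...)

  # Rule 2: plain search rule using the `commutative_compop` option.
  - id: example-commutative-compare
    languages: [python]
    severity: INFO
    message: Role check written as a comparison against the literal "admin"
    options:
      # With this option, `$ROLE == "admin"` also matches `"admin" == role`.
      commutative_compop: true
    pattern: $ROLE == "admin"
```

On a constructed target such as `role = read_request(req); run_query(role)`, rule 1 reports a finding; `run_query(sanitize(role))` does not, because the exact sanitizer cleans the call result. Rule 2 matches both `if role == "admin":` and `if "admin" == role:` only because `commutative_compop` is set; without it the second spelling is missed, which is the gap the option closes.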

@renovate renovate bot enabled auto-merge November 2, 2023 04:46

github-actions bot commented Nov 2, 2023

Test results

16 tests  ±0 | 16 ✔️ ±0 | 0s ⏱️ ±0s
 2 suites ±0 |  0 💤 ±0
 1 file   ±0 |  0 ±0

Results for commit cedfe51. ± Comparison against base commit 9fa9d15.

♻️ This comment has been updated with latest results.

@renovate renovate bot force-pushed the renovate/returntocorp-semgrep-1.x branch from cf05ba4 to 2662f09 Compare November 2, 2023 05:10

github-actions bot commented Nov 2, 2023

Pull Request Test Coverage Report for Build 6728558351

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 39.314%

Totals (Coverage Status):
Change from base Build 6727062186: 0.0%
Covered Lines: 298
Relevant Lines: 758

💛 - Coveralls

@renovate renovate bot force-pushed the renovate/returntocorp-semgrep-1.x branch 4 times, most recently from 3f508ac to b0014b7 Compare November 2, 2023 20:59
@renovate renovate bot force-pushed the renovate/returntocorp-semgrep-1.x branch from b0014b7 to cedfe51 Compare November 2, 2023 21:04
@renovate renovate bot merged commit 5719036 into main Nov 2, 2023
17 checks passed
@renovate renovate bot deleted the renovate/returntocorp-semgrep-1.x branch November 2, 2023 21:07
@kristof-mattei (Owner)

🎉 This PR is included in version 1.3.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
