Release Version 1.92.0 (semgrep/semgrep-proprietary#2435)

# Release Checklist - [ ] Tests/CI passes on this Pull Request - [x] At least one approval on this PR Don't forget to merge this PR to move on to the next step of the release! Co-authored-by: aryx <aryx@users.noreply.github.com> synced from Pro 840ea1d787a7f2fddd5b7e1ce325109627df4971
semgrep · Oct 17, 2024 · f3693be · f3693be
1 parent 8dac090
commit f3693be
Show file tree

Hide file tree

Showing 16 changed files with 78 additions and 49 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,48 @@
 
 <!-- insertion point -->
 
+## [1.92.0](https://github.com/returntocorp/semgrep/releases/tag/v1.92.0) - 2024-10-17
+
+
+### Added
+
+
+- Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
+  when they lead to a sink, e.g.:
+
+      function unsafe_callback(x) {
+        sink(x); // finding here now !
+      }
+
+      function withCallback(val, callback) {
+        callback(val);
+      }
+
+      withCallback(taint, unsafe_callback); (code-7476)
+- New subcommand `dump-cst` for tree-sitter languages available via `semgrep
+  show`. This shows the concrete syntax tree for a given file. (code-7653)
+- Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)
+- Added support for the Move-on-sui language! (sui)
+- Pro-only: semgrep test now supports the --pro flag to not only use pro languages
+  but also run the tests with the --pro-intrafile engine flag. If a finding
+  is detected only by the pro engine, please use `proruleid:` instead of `ruleid:`
+  and if an OSS finding is actually a false positive for the pro engine, please
+  add the `prook:` to your test annotation. (test_pro)
+
+
+### Fixed
+
+
+- pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
+  in the correct dependency order, potentially leading to FNs. (code-7649)
+- Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
+  is not enabled. (grow-422)
+- semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)
+- Previously, semgrep fails when --trace-endpoint is specified, but --trace is not.
+
+  Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)
+
+
 ## [1.91.0](https://github.com/returntocorp/semgrep/releases/tag/v1.91.0) - 2024-10-10
 
 

diff --git a/changelog.d/code-7476.added b/changelog.d/code-7476.added
diff --git a/changelog.d/code-7649.fixed b/changelog.d/code-7649.fixed
diff --git a/changelog.d/code-7653.added b/changelog.d/code-7653.added
diff --git a/changelog.d/grow-422.fixed b/changelog.d/grow-422.fixed
diff --git a/changelog.d/saf-1590.fixed b/changelog.d/saf-1590.fixed
diff --git a/changelog.d/saf-1610.added b/changelog.d/saf-1610.added
diff --git a/changelog.d/sms-550.fixed b/changelog.d/sms-550.fixed
diff --git a/changelog.d/sui.added b/changelog.d/sui.added
diff --git a/changelog.d/test_pro.added b/changelog.d/test_pro.added
diff --git a/cli/setup.py b/cli/setup.py
@@ -139,7 +139,7 @@ def find_executable(env_name, exec_name):
 
 setuptools.setup(
     name="semgrep",
-    version="1.91.0",
+    version="1.92.0",
     author="Semgrep Inc.",
     author_email="support@semgrep.com",
     description="Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.",

diff --git a/cli/src/semgrep/__init__.py b/cli/src/semgrep/__init__.py
@@ -1 +1 @@
-__VERSION__ = "1.91.0"
+__VERSION__ = "1.92.0"
diff --git a/dune-project b/dune-project
@@ -21,7 +21,7 @@
 (generate_opam_files)
 
 ;; set here so the semgrep package below can use it and we can easily bump it
-(version 1.91.0)
+(version 1.92.0)
 
 ;; Default attributes of opam packages
 (source (github semgrep/semgrep))

diff --git a/release_changes.md b/release_changes.md
@@ -1,24 +1,40 @@
-## [1.91.0](https://github.com/returntocorp/semgrep/releases/tag/v1.91.0) - 2024-10-10
+## [1.92.0](https://github.com/returntocorp/semgrep/releases/tag/v1.92.0) - 2024-10-17
 
 
 ### Added
 
 
-- Type inference in the Pro engine has been improved for class fields in
-  TypeScript that are assigned a new instance but lack an explicit type
-  definition. When no explicit type is provided for a class field, its type is
-  inferred from the type of the expression assigned to it. For example, in the
-  class definition `class Foo { private readonly bar = new Bar(); }`, the type of
-  `bar` is inferred to be `Bar`. (code-7635)
-- Cargo.lock parser can now associate dependencies with lockfile line numbers (sc-1140)
+- Pro: taint-mode: Semgrep has now basic support to track taint through callbacks,
+  when they lead to a sink, e.g.:
+
+      function unsafe_callback(x) {
+        sink(x); // finding here now !
+      }
+
+      function withCallback(val, callback) {
+        callback(val);
+      }
+
+      withCallback(taint, unsafe_callback); (code-7476)
+- New subcommand `dump-cst` for tree-sitter languages available via `semgrep
+  show`. This shows the concrete syntax tree for a given file. (code-7653)
+- Pro only: Updated C# parser supporting all versions of the language up to 13.0 (.NET 9) (saf-1610)
+- Added support for the Move-on-sui language! (sui)
+- Pro-only: semgrep test now supports the --pro flag to not only use pro languages
+  but also run the tests with the --pro-intrafile engine flag. If a finding
+  is detected only by the pro engine, please use `proruleid:` instead of `ruleid:`
+  and if an OSS finding is actually a false positive for the pro engine, please
+  add the `prook:` to your test annotation. (test_pro)
 
 
 ### Fixed
 
 
-- Address python `rich.errors.LiveError` where attempting to display multiple progress bars
-  raises an exception as flagged in #10562. (grow-414)
-- C: Fix a regression causing pattern `-n` to sometimes not match code `-n`. (saf-1592)
-- When a scan runs into an exception, the app is appropriately notified
-  about the failure. Previously, in the app, it would seem to the user
-  that the scan is still in progress. (sms-502)
+- pro: dataflow: Fixed a bug that could cause a class constructor to not be analyzed
+  in the correct dependency order, potentially leading to FNs. (code-7649)
+- Display an ✘ instead of a ✔ in the scan status print out when scanning with Semgrep OSS code
+  is not enabled. (grow-422)
+- semgrep will no longer randomly segfault when --trace is on with -j > 2 (saf-1590)
+- Previously, semgrep fails when --trace-endpoint is specified, but --trace is not.
+
+  Now, we relax this requirement a bit. In this case, we disable tracing, print out a warning, and continue to scan. (sms-550)
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setup(
     name="semgrep_pre_commit_package",
-    version="1.91.0",
-    install_requires=["semgrep==1.91.0"],
+    version="1.92.0",
+    install_requires=["semgrep==1.92.0"],
     packages=[],
 )
diff --git a/src/core/Version.ml b/src/core/Version.ml
@@ -3,4 +3,4 @@
 
   Automatically modified by scripts/release/bump.
 *)
-let version = "1.91.0"
+let version = "1.92.0"