chore: Bump version to 0.118.0

LordCasser · Oct 19, 2022 · 108dfeb · 108dfeb
1 parent 974ee2a
commit 108dfeb
Show file tree

Hide file tree

Showing 11 changed files with 43 additions and 32 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,44 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 
 <!-- insertion point -->
 
+## [0.118.0](https://github.com/returntocorp/semgrep/releases/tag/v0.118.0) - 2022-10-19
+
+### Added
+
+- Taint mode will now track taint coming from the default values of function
+  parameters. For example, given `def test(url = "http://example.com"):`,
+  if `"http://example.com"` is a taint source (due to not using TLS), then
+  `url` will be marked as tainted during the analysis of `test`. (gh-6298)
+- taint-mode: Added two new rule `options` that help minimizing false positives.
+
+  First one is `taint_assume_safe_indexes`, which makes Semgrep assume that an
+  array-access expression is safe even if the index expression is tainted. Otherwise
+  Semgrep assumes that e.g. `a[i]` is tainted if `i` is tainted, even if `a` is not.
+  Enabling this option is recommended for high-signal rules, whereas disabling it
+  may be preferred for audit rules. Currently, it is disabled by default for pure
+  backwards compatibility reasons, but this may change in the near future after some
+  evaluation.
+
+  The other one is `taint_assume_safe_functions`, which makes Semgrep assume that
+  function calls do _NOT_ propagate taint from their arguments to their output.
+  Otherwise, Semgrep always assumes that functions may propagate taint. This is
+  intended to replace _not conflicting_ sanitizers (added in v0.69.0) in the future.
+  This option is still experimental and needs to be complemented by other changes
+  to be made in future releases. (pa-1541)
+
+### Changed
+
+- Ignore the .npm/ directory by default in Semgrep scans (gh-6315)
+- The `--scan-unknown-extensions` option is now set to false by default.
+  This means that from now on `--skip-unknown-extensions` is the default.
+  This is an important change that prevents many errors when using
+  Semgrep in a pre-commit context or in CI. (pa-1932)
+
+### Fixed
+
+- Add autodetection for pull request numbers for Azure Pipelines. If SEMGREP_PR_ID is set, override the autodetection. (app-2083)
+- Fixed an autofix regression that caused Semgrep to fail to replace metavariables in string literals, e.g. `foo("xyz $X")`. (autofix-string-metavar)
+
 ## [0.117.0](https://github.com/returntocorp/semgrep/releases/tag/v0.117.0) - 2022-10-12
 
 ### Added

diff --git a/changelog.d/app-2083.fixed b/changelog.d/app-2083.fixed
diff --git a/changelog.d/autofix-string-metavar.fixed b/changelog.d/autofix-string-metavar.fixed
diff --git a/changelog.d/gh-6298.added b/changelog.d/gh-6298.added
diff --git a/changelog.d/gh-6315.changed b/changelog.d/gh-6315.changed
diff --git a/changelog.d/pa-1541.added b/changelog.d/pa-1541.added
diff --git a/changelog.d/pa-1932.changed b/changelog.d/pa-1932.changed
diff --git a/cli/setup.py b/cli/setup.py
@@ -139,7 +139,7 @@ def find_executable(env_name, exec_name):
 
 setuptools.setup(
     name="semgrep",
-    version="0.117.0",
+    version="0.118.0",
     author="Return To Corporation",
     author_email="support@r2c.dev",
     description="Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.",

diff --git a/cli/src/semgrep/__init__.py b/cli/src/semgrep/__init__.py
@@ -1 +1 @@
-__VERSION__ = "0.117.0"
+__VERSION__ = "0.118.0"
diff --git a/semgrep-core/src/core_cli/version.ml b/semgrep-core/src/core_cli/version.ml
@@ -3,4 +3,4 @@
 
   Automatically modified by scripts/release/bump.
 *)
-let version = "0.117.0"
+let version = "0.118.0"
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setup(
     name="semgrep_pre_commit_package",
-    version="0.117.0",
-    install_requires=["semgrep==0.117.0"],
+    version="0.118.0",
+    install_requires=["semgrep==0.118.0"],
     packages=[],
 )