chore(deps): update dependency semgrep to ~=1.96.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semgrep	~=1.95.0 -> ~=1.96.0

---

Release Notes

returntocorp/semgrep (semgrep)

v1.96.0

Compare Source

Added

• The pro engine now handles duplicate function names in C. When duplicate
  functions are found, we assume that any of the duplicated functions could be
  called. For example, if the function foo is defined in two different files,
  taint errors will be reported for both instances:

  // "a/test.h"
  void foo(int x) {
      //deepruleid: dup-symbols
      sink(x);
  }
  
  // "b/test.h"
  void foo(int x) {
      //deepruleid: dup-symbols
      sink(x);
  }
  
  // "main.c"
  #ifdef HEADER_A
      #include "a/test.h"
  #else
      #include "b/test.h"
  #endif
  
  int main() {
      int x = source();
      foo(x);
  }
  ``` (code-7654)
  

Changed

• Reduced memory allocations while processing nosemgrep comments, improving memory use and time for scans with a large number of findings. (nosem-mem)

Fixed

• Optimized taint-mode (only in Pro) to scale better when there is a large number
  of matches of sources/propagators/sanitizers/sinks within a function. (flow-83)
• Fixed a bug in the supply chain scanner's gradle lockfile parser. Previously, semgrep would fail to parse
  any gradle lockfile which did not start with a specific block comment. Now, semgrep will parse gradle
  lockfiles correctly by ignoring the comment (allowing any or no comment at all to exist). (gh-10508)
• Exceptions thrown during the processing of a target should not fail
  the whole scan anymore (regression introduced in 1.94.0). The scan will
  have an exit code of 0 instead of 2 (unless the user passed --strict in which
  case it will exit with code 2). (incid-110)
• Fix exponential parsing time with generic mode on input containing many
  unclosed braces on the same line. (saf-1667)
• Fix regexp parsing error occurring during ReDoS analysis when encountering
  a character class starting with [: such as [:a-z]. (saf-1693)
• Fix in semgrep scan: anchored semgrepignore patterns for folders such
  as /tests are now honored properly. Such patterns had previously no
  effect of target file filtering. (semgrepignore-anchored-dirs)

---

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

[puLL-Merge] - returntocorp/[email protected]

Description

This PR makes several changes to the Semgrep codebase, including improvements to error handling, performance optimizations, and additions to support distributed scans. It also updates various dependencies and adds new test cases.

Possible Issues

• The changes to error handling in Core_error.ml may potentially change the behavior of error reporting in some cases.
• The modifications to memory and time limit handling could affect performance or resource usage in unexpected ways.

Security Hotspots

No significant security vulnerabilities were identified in this change.

Changes

Changes

1. cli/src/semdep/matchers/base.py:

   • Added new matcher classes for dependency detection.

2. cli/src/semdep/matchers/gradle.py:

   • Implemented a new Gradle matcher for dependency detection.

3. cli/src/semdep/matchers/pip_requirements.py:

   • Added a PipRequirementsMatcher for handling pip requirements files.

4. cli/src/semgrep/__init__.py and cli/setup.py:

   • Updated version to 1.96.0.

5. cli/src/semgrep/app/auth.py:

   • Added is_logged_in_weak() function for a quick check of login status.

6. cli/src/semgrep/commands/ci.py and cli/src/semgrep/commands/scan.py:

   • Updated to use the new is_logged_in_weak() function.

7. cli/src/semgrep/core_runner.py:

   • Removed deprecated external/junit_xml.py and updated related code.

8. cli/src/semgrep/error.py:

   • Added DependencyResolutionError class.

9. cli/src/semgrep/ignore.py:

   • Refactored and optimized file ignoring logic.

10. libs/commons/UCmd.ml:

    • Added string_of_run_with_stderr function.

11. libs/process_limits/Memory_limit.ml and libs/process_limits/Time_limit.ml:

    • Updated to use new capability types.

12. src/core/Core_error.ml:

    • Modified error severity handling.

13. src/core_scan/Core_scan.ml:

    • Updated to use new capability types and improved error handling.

14. Various test files:

    • Added new test cases and updated existing ones.

15. CHANGELOG.md and release_changes.md:

    • Updated with new features and bug fixes for version 1.96.0.

The PR also includes numerous other minor changes and updates across the codebase.