
Bump semgrep from 0.91.0 to 1.52.0 in /dependencies/python #1465

@dependabot dependabot bot commented on behalf of github Dec 11, 2023

Bumps semgrep from 0.91.0 to 1.52.0.

Release notes

Sourced from semgrep's releases.

Release v1.52.0

1.52.0 - 2023-12-05

Added

  • Java: Semgrep will now recognize String.format(...) expressions as constant strings when all their arguments are constant, but it will still not know what exact string it is. For example, code String.format("Abc %s", "123") will match pattern "..." but it will not match pattern "Abc 123". (pa-3284)

Changed

  • Inter-file diff scan will be gradually introduced to a small percentage of users through a slow rollout process. Users who enable the pro engine and engage in differential PR scans on Github or Gitlab may experience the impact of this update. (ea-268)
  • secrets: now performs more aggressive deduplication for instances where an invalid and valid match are reported at the same range. Instead of reporting both, we now report only the valid match when they are otherwise visually identical. (scrt-271)

Fixed

  • In expression-based languages, definitions are also expressions.

    This change allows dataflow to properly handle definition expressions.

    For example, the pattern 0 == 0 will match x == 0 in

    def f(c) do
      x = (y = 0)
      x == 0
    end

    because now dataflow is able to handle the expression y = 0. (pa-3262)

  • In version 1.14.0 (pa-2477) we made sink-matching more precise when the sink specification was like:

    pattern-sinks:
      - patterns:
          - pattern: sink($X, ...)

... (truncated)

Changelog

Sourced from semgrep's changelog.

Fixed

  • In version 1.14.0 (pa-2477) we made sink-matching more precise when the sink specification was like:

    pattern-sinks:
      - patterns:
          - pattern: sink($X, ...)
          - focus-metavariable: $X

    Where the sink specification most likely has the intent to specify the first argument of sink as a sink, and sink(ok1 if tainted else ok2) should NOT produce a finding, because tainted is not really what is being passed to

... (truncated)

Commits
  • d250452 chore: Bump version to 1.52.0
  • c1ce7d4 feat(secrets): Use validation_state for priority, not uniqueness (#9349)
  • da7a02f fix(internal): Unify Local IDs between Scan and Findings (#9383)
  • 9a0bd67 osemgrep: standardize on run_conf and rename to Rule_tests.ml (#9389)
  • 1a789f9 Move few functions from Common to String_ (#9388)
  • 7ce03b1 SPcre.ml -> Pcre_.ml (#9387)
  • dc397cc tainting: Make identification of sinks (even) more precise (#9342)
  • 100a6b0 Small cleanup comments in Common.mli (#9386)
  • cf1fe35 Fix Hannes's Test_subcommand.ml with latest semgrep (#9385)
  • 09d0f12 Add test subcommand to osemgrep (#9247)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [semgrep](https://github.com/returntocorp/semgrep) from 0.91.0 to 1.52.0.
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v0.91.0...v1.52.0)

---
updated-dependencies:
- dependency-name: semgrep
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
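The pattern-sinks fragment quoted in the changelog, written out as a complete taint rule so the effect of focus-metavariable is visible (an added example, not part of the semgrep release notes or of this Dependabot PR); tainted(), sink(), ok1 and ok2 are hypothetical names, and the target file in the trailing comment is constructed.

```yaml
# Added example: a taint rule whose sink is ONLY the first argument of sink().
# Without focus-metavariable, the whole call sink(...) would be the sink and any
# tainted value anywhere in the call would be reported.
rules:
  - id: tainted-first-argument-of-sink
    languages: [python]
    severity: WARNING
    message: Tainted data reaches the first argument of sink()
    mode: taint
    pattern-sources:
      - pattern: tainted()          # hypothetical source function
    pattern-sinks:
      - patterns:
          - pattern: sink($X, ...)  # match the call ...
          - focus-metavariable: $X  # ... but treat only the first argument as the sink

# Expected results on this constructed target file (target.py), using the
# ruleid:/ok: annotation convention of semgrep's rule tests:
#
#   t = tainted()
#   # ruleid: tainted-first-argument-of-sink
#   sink(t, "audit")                 # $X = t, and t carries taint
#   # ok: tainted-first-argument-of-sink
#   sink(ok1 if t else ok2)          # $X is the conditional; t only drives the branch choice
#   # ok: tainted-first-argument-of-sink
#   sink("static", t)                # t is not in the focused argument position
```

Run the rule against the target with `semgrep --config rule.yaml target.py`; the source/sink names are placeholders you would replace with the real APIs of the code base being scanned.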
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Dec 11, 2023

dependabot bot commented on behalf of github Dec 18, 2023

Superseded by #1477.

@dependabot dependabot bot closed this Dec 18, 2023
@dependabot dependabot bot deleted the dependabot/pip/dependencies/python/semgrep-1.52.0 branch December 18, 2023 00:50