Update dependency semgrep to >=1.101,<1.102

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
semgrep	>=1.99,<1.100 -> >=1.101,<1.102

---

Release Notes

returntocorp/semgrep (semgrep)

v1.101.0

Compare Source

Added

• Improved pnpm-lock.yaml parsing. (gh-2663)

Changed

• Re-ordered some terminal output of semgrep ci to allow semgrep-app to block scans based on specific findings (SECW-2740)
• A few fields in the JSON output (e.g., "fingerprint", "metavars") require now
  the user to be logged in to see them.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json
  for more information. (json)
• We're renaming semgrep OSS to Semgrep Community Edition.
  See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/
  for more information. (rename)
• A few fields in the SARIF output (e.g., "fingerprints") require now
  the user to be logged in to see them.
  See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif
  for more information. (sarif)

Fixed

• pro: Improved inter-file tracking of tainted global variables. (code-7054)

• Python (pro-only): Taint now correctly tracks through calls to class methods
  within a class, via the cls parameter.

  So for instance, we would be able to determine a source-to-sink
  vulnerability in the following code snippet:

  class A:
    def foo(self, x):
      sink(x)
  
    @​classmethod
    def bar(cls):
      cls.foo(source)
  ``` (saf-1765)
  

• pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)

• Restored the "rules" field in the SARIF output, even when logged out. (saf-1794)

v1.100.0

Compare Source

Added

• Pro engine now correctly distinguishes overloaded Scala methods based on their
  arity and parameter types, e.g., foo(x: Int, y: String) vs. foo(x: String, y: Int). (code-7870)

Changed

• The minimum Python version for semgrep is now 3.9.
  We are dropping support for Python 3.8 (python)

Fixed

• pro: Fixed a bug in interprocedural index-sensitive taint analysis that caused
  false negatives when a function updated an arbitrary index, e.g.:

  var x = {};
  
  function foo(k) {
      x[k] = source();
  }
  
  function test(k) {
      foo(k);
      sink(x); // finding here!
  } (CODE-7838)
  

• Fixed bug affecting taint tracking through static fields when mixing accesses
  using the class name and using an instance object, e.g.:

  class C {
      static String s;
  }
  
  ...
  
          C o = new C();
          C.s = taint;
          sink(o.s); // finding ! (CODE-7871)
  

• No more RPC error when using --sarif with some join-mode rules.
  Moreover, regular rules without the 'languages:' field will be skipped
  instead of aborting the whole scan. (gh-10723)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud