Incorrect location property set in SAST report when CI_PROJECT_DIR path exists in source code's file hierarchy
Problem
In the Semgrep analyzer, if the source tree contains the same path hierarchy as $CI_PROJECT_DIR, the analyzer sets the location.file property of vulnerabilities found in that matching directory to the path with the $CI_PROJECT_DIR prefix trimmed, instead of retaining the actual path.
Example: suppose $CI_PROJECT_DIR = /builds/app and the source code has the following file hierarchy:
|-- src
|   |-- test.py
|   |-- test_2.py
|-- builds
|   |-- app
|       |-- test_3.py
|-- main.py
|-- requirements.txt
Assuming test_3.py contains vulnerable code, the upstream scanner identifies the vulnerability. However, since test_3.py sits under a path that matches the value of $CI_PROJECT_DIR, the analyzer sets the location.file value to just test_3.py instead of /builds/app/test_3.py.
Further Reasoning
In the Semgrep analyzer, the directory path used for scanning was changed from the absolute path ($CI_PROJECT_DIR) to the project's relative path. However, this change does not correspond with the security-products/report module, which trims the root path (earlier $CI_PROJECT_DIR, now empty) from each vulnerability's file location path while generating the SAST report.