Update eslint scanner rules whitelist with `security/detect-new-buffer`
Problem to solve
When running eslint against a new test project, a number of warnings were raised for an unknown rule `security/detect-new-buffer`. We should investigate whether this error should be reported.
This project is a stock auto-generated Elixir application.
```
~/code/gl/security_products/tests/elixir_phoenix enable-sast*
❯ docker run \
> --interactive --tty --rm \
> --volume "$PWD":/code \
> --volume /var/run/docker.sock:/var/run/docker.sock \
> registry.gitlab.com/gitlab-org/security-products/sast:${VERSION:-latest} /app/bin/run /code
2019/03/26 22:55:14 Copy project directory to containers
2019/03/26 22:55:14 [bandit] Detect project using plugin
2019/03/26 22:55:14 [bandit] Project not compatible
2019/03/26 22:55:14 [brakeman] Detect project using plugin
2019/03/26 22:55:14 [brakeman] Project not compatible
2019/03/26 22:55:14 [eslint] Detect project using plugin
2019/03/26 22:55:14 [eslint] Project is compatible
2019/03/26 22:55:14 [eslint] Starting analyzer...
2: Pulling from gitlab-org/security-products/analyzers/eslint
Digest: sha256:07b2ca52bf2ddd6fbba196cf9e9221b2a027b324054d28c5492f3a43e041045a
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/analyzers/eslint:2
Found project in /tmp/app/assets
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
No description for ESLint rule security/detect-new-buffer. Please open an issue on https://gitlab.com/gitlab-org/gitlab-ee/issues
...
```
Intended users
Further details
Proposal
Update rule descriptions whitelist with `detect-new-buffer`: https://gitlab.com/gitlab-org/security-products/analyzers/eslint/blob/master/convert/convert.go#L78
Permissions and Security
No permission changes
Documentation
What does success look like, and how can we measure that?
This vulnerability class is captured when running the SAST eslint analyzer.
What is the type of buyer?
Links / references
Edited by Lucas Charles