Flawfinder regexp matches c# erroneously
Summary
In the SAST template we have the following regexp to match c/c++ in the project languages: /\b(c\+\+|c)\b/.
However, \b matches at any position between a word character and a non-word character, and # is a non-word character, so "c#" also satisfies \bc\b and flawfinder runs erroneously for c# projects.
Initially reported by customer in ZD (internal only).
Steps to reproduce
irb(main):061:0> var = Gitlab::Ci::Pipeline::Expression::Lexeme::Variable.new("LANG")
irb(main):062:0> patt = Gitlab::Ci::Pipeline::Expression::Lexeme::Pattern.new('/\b(c\+\+|c)\b/')
irb(main):067:0> Gitlab::Ci::Pipeline::Expression::Lexeme::Matches.new(var, patt).evaluate(LANG: "c#")
=> true
Example Project
What is the current bug behavior?
C# projects get matched for flawfinder to run.
What is the expected correct behavior?
C# project should not be matched for flawfinder.
Possible fixes
Possibly update the regexp in the SAST template.
The customer mentioned using this regex: /((^c(\+\+)?,)|,c(\+\+)?,|(c(\+\+)?$))/, or, as a workaround until the regexp is fixed, disabling flawfinder completely unless it is specifically enabled, like:
diff --git a/sast-gitlab-ci.yml b/sast-gitlab-ci.yml
index ab412710f44fda11de0d0e4642739927e99974f9..a763eaa241ddfc074c8e73f131de0fe36c1aa2c8 100644
--- a/sast-gitlab-ci.yml
+++ b/sast-gitlab-ci.yml
@@ -9,6 +9,7 @@ variables:
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
SAST_ANALYZER_IMAGE_TAG: 2
SCAN_KUBERNETES_MANIFESTS: "true"
+ SAST_ENABLE_FLAWFINDER: "false"
.sast-analyzer:
stage: test
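Review bot: the new `SAST_ENABLE_FLAWFINDER: "false"` default switches flawfinder off for every project that includes this template, including the C/C++ projects it scans today, so this hunk is an opt-in workaround rather than a fix for the language regexp; if it is kept, document the variable alongside `SAST_DEFAULT_ANALYZERS` and state the exact value a project must set to re-enable the analyzer.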
@@ -66,7 +67,8 @@ flawfinder-sast:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
- $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/
+ $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/ &&
+ $SAST_ENABLE_FLAWFINDER == 'true'
kubesec-sast:
extends: .sast-analyzer
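Review bot: the `only: variables:` rule still carries `$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/`, so C# projects continue to satisfy the language condition and are kept out only by the appended `$SAST_ENABLE_FLAWFINDER == 'true'` clause; if the intent is the fix rather than the workaround, the regexp line itself should change to a comma-delimited form such as the customer's pattern. Note also that the new clause is a string equality against 'true', so a project setting the variable to "True" or "1" will not enable the analyzer.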
Implementation plan
- backend: update SAST template regexes with proper word-boundary conditions, i.e. distinguishing c from c#
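The following Ruby script is an added example, not code from the issue or from the GitLab template. It runs the template's current pattern, the customer's proposed pattern, and a hypothetical comma-delimited pattern (my assumption, not a GitLab change) over a constructed set of CI_PROJECT_REPOSITORY_LANGUAGES values and reports which values each pattern classifies differently from the intended flawfinder decision. The delimited pattern uses only anchors and alternation, no lookarounds, so it stays within what RE2-style engines such as the one GitLab uses for CI expressions accept. Treating objective-c as "not C" is an assumption made for the table, not something the issue decides.

```ruby
# Added example (not from the issue): compare language-list patterns used to
# decide whether flawfinder should run. All inputs below are constructed.

# Pattern currently in the SAST template, as quoted in the issue.
TEMPLATE_PATTERN = /\b(c\+\+|c)\b/
# Pattern proposed by the customer, as quoted in the issue.
CUSTOMER_PATTERN = /((^c(\+\+)?,)|,c(\+\+)?,|(c(\+\+)?$))/
# Hypothetical corrected pattern (assumption): "c" or "c++" must be a whole
# comma-delimited entry. No lookarounds, so RE2-style engines accept it.
DELIMITED_PATTERN = /(^|,)\s*c(\+\+)?\s*(,|$)/

# True when the language list satisfies the given pattern.
def matches_c?(languages, pattern)
  !!(languages =~ pattern)
end

# Constructed CI_PROJECT_REPOSITORY_LANGUAGES values mapped to the intended
# decision (true = flawfinder should run).
CASES = {
  "c"               => true,
  "c++"             => true,
  "c#"              => false,
  "c#,ruby"         => false,
  "ruby,c"          => true,
  "c,c#"            => true,
  "c#,c++"          => true,
  "objective-c"     => false,   # assumption: not treated as C here
  "ruby,javascript" => false,
}

# Returns the inputs for which the pattern disagrees with the intended decision.
def misclassified(pattern)
  CASES.reject { |langs, expected| matches_c?(langs, pattern) == expected }.keys
end

if __FILE__ == $0
  { "template"  => TEMPLATE_PATTERN,
    "customer"  => CUSTOMER_PATTERN,
    "delimited" => DELIMITED_PATTERN }.each do |name, pattern|
    puts "#{name}: misclassified #{misclassified(pattern).inspect}"
  end
end
```

Running it shows the template pattern accepting "c#" and "c#,ruby" (the bug from this issue), while the customer's pattern fixes those but still matches any list whose final entry merely ends in "c", such as "objective-c", because its last alternative is c(\+\+)?$ with no delimiter check on the left. Anchoring both sides of the entry to a comma or the string boundary removes that false positive.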
Edited by Lucas Charles