SAST findings in generated files are effectively 404 links
Summary
If SAST is run against a project that generates some artifacts as part of its CI pipeline, and a vulnerability is found in one of those generated files, the finding in the UI links to that file. But, because that file doesn't exist in the repository, it's effectively a 404.
Steps to reproduce
- Visit https://gitlab.com/gitlab-org/gitlab-runner/pipelines/123102017/security
- Open the "Generic secret" finding modal
- Click on the link to the file
- Observe the page which says that the file cannot be found
Example Project
https://gitlab.com/gitlab-org/gitlab-runner/pipelines/123102017/security
What is the current bug behavior?
The link it provides is to a file that doesn't exist.
What is the expected correct behavior?
I'm not sure what the correct behaviour is. A few possibilities:
- We don't link to generated files, i.e., that aren't in the repo. This would be weird as well, however, since we're still reporting a finding on it, except we'd not be saying where the file is...
- We don't scan generated files. I imagine this is not desirable, since they can legitimately and meaningfully be scanned.
- We name the file, but don't link to it, perhaps indicating that it's a generated file.
- We link to the generated artifact, rather than the file in the repo.
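One way to tell in advance which findings will hit this (added here as an illustration; not GitLab's code): compare each finding's `location.file` from the SAST report with the files tracked at the scanned commit, and only build a blob link for tracked paths, naming the rest as generated. The report shape, the sample findings, the tracked-file set and the project URL below are constructed.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of a GitLab SAST report (gl-sast-report.json);
# only the fields this check reads are included.
SAST_REPORT = json.loads("""
{
  "vulnerabilities": [
    {"id": "a1", "name": "Generic secret",
     "location": {"file": "out/release.json", "start_line": 12}},
    {"id": "b2", "name": "Hardcoded password",
     "location": {"file": "commands/config.go", "start_line": 40}}
  ]
}
""")

# Constructed stand-in for `git ls-files` output at the scanned commit.
GIT_LS_FILES_OUTPUT = "commands/config.go\nmain.go\nMakefile\n"


def tracked_files(ls_files_output: str) -> Set[str]:
    """Turn `git ls-files` output into a set of repository-relative paths."""
    return {line.strip() for line in ls_files_output.splitlines() if line.strip()}


def classify_findings(report: dict, tracked: Set[str],
                      project_url: str, sha: str) -> List[Dict[str, str]]:
    """For each finding, decide whether the UI can link to the file.

    Tracked paths get a blob URL pinned to the scanned commit; anything else
    is a generated (or otherwise untracked) artifact that would 404 if linked,
    so it is reported by name with render="generated" and no href.
    """
    results = []
    for vuln in report.get("vulnerabilities", []):
        path = vuln["location"]["file"]
        line = vuln["location"].get("start_line")
        entry = {"id": vuln["id"], "name": vuln["name"], "file": path}
        if path in tracked:
            anchor = f"#L{line}" if line else ""
            entry["render"] = "link"
            entry["href"] = f"{project_url}/-/blob/{sha}/{path}{anchor}"
        else:
            entry["render"] = "generated"
            entry["href"] = ""
        results.append(entry)
    return results
```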
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com