Update nodejs-scan sast analyzer to use njsscan v0.1.5
Problem to solve
Our nodejs-scan analyzer only consumes the rules shipped by an external dependency, nodejs-scan. The version we currently pin is v3.7. v4.2 shipped on August 26, 2020 and is a full rewrite of the tool on top of semgrep. We should update the analyzer to wrap the underlying tool itself rather than only reusing its rules.
A note on nodejs-scan: nodejs-scan is a project that includes a web front-end, which we do not need. The nodejs-scan project depends on another project by the same author, njsscan, which is the project the rewritten analyzer should pull from. The latest version of njsscan is v0.14.0.
Proposal
Replace the existing nodejs-scan analyzer with a new analyzer that wraps the underlying OSS project (njsscan) to detect potential vulnerabilities.
Implementation Plan
- Update Dockerfile to pull v0.14.0 of njsscan
- Rewrite the analyzer to wrap around njsscan. While we're at it, rewrite the analyzer to use an `analyze` function rather than `run`.
- Write new unit tests
- Create new QA test projects
- Remove old nodejs-scan QA test projects
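As an added illustration of the `analyze`/`run` split proposed above (example code written for this issue, not the analyzer's or njsscan's own code): `run` only executes the CLI and returns its raw stdout, `parse` turns that output into findings and is what the unit tests exercise, and `analyze` is the single entry point that composes the two. It assumes njsscan is on PATH and that `njsscan --json <path>` prints its report to stdout; the report shape (rule id mapping to matched files plus metadata under `nodejs` and `templates`), the treatment of a non-zero exit as "findings present", and the rule ids and paths in the constructed sample are all assumptions for the example, not the tool's published schema.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"sort"
)

// Assumed shape of `njsscan --json` output for this example: a map of
// rule id -> matched files + rule metadata, under "nodejs" and "templates".
// This is not a schema published by the njsscan project.
type njsscanReport struct {
	Errors    []interface{}          `json:"errors"`
	NodeJS    map[string]njsscanRule `json:"nodejs"`
	Templates map[string]njsscanRule `json:"templates"`
}

type njsscanRule struct {
	Files    []njsscanMatch `json:"files"`
	Metadata struct {
		CWE         string `json:"cwe"`
		Description string `json:"description"`
		Severity    string `json:"severity"`
	} `json:"metadata"`
}

type njsscanMatch struct {
	FilePath    string `json:"file_path"`
	MatchLines  []int  `json:"match_lines"`
	MatchString string `json:"match_string"`
}

// Finding is the analyzer-side result the rest of the pipeline consumes.
type Finding struct {
	RuleID, Path, Severity, CWE, Message string
	StartLine, EndLine                   int
}

// sampleOutput is a constructed report (hypothetical rule ids and paths)
// so the parser can be exercised without the tool installed.
const sampleOutput = `{"errors": [], "nodejs": {"express_xss": {"files": [
 {"file_path": "app/routes.js", "match_lines": [12, 12], "match_string": "res.send(req.query.name)"},
 {"file_path": "app/admin.js",  "match_lines": [30, 32], "match_string": "res.send(body)"}],
 "metadata": {"cwe": "CWE-79", "description": "Untrusted input reflected to the response.", "severity": "ERROR"}}},
 "templates": {"ejs_unescaped": {"files": [
 {"file_path": "views/index.ejs", "match_lines": [4, 4], "match_string": "<%- user %>"}],
 "metadata": {"cwe": "CWE-79", "description": "Unescaped template output.", "severity": "WARNING"}}}}`

// run only executes the tool and returns its raw stdout. Assumptions: njsscan
// is on PATH and prints the JSON report to stdout; a non-zero exit that still
// produced a report is treated as "findings present", not as a failure.
func run(ctx context.Context, target string) ([]byte, error) {
	cmd := exec.CommandContext(ctx, "njsscan", "--json", target)
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil && stdout.Len() == 0 {
		return nil, fmt.Errorf("njsscan failed: %w: %s", err, stderr.String())
	}
	return stdout.Bytes(), nil
}

// parse converts the raw report into findings, independent of how it was
// produced, so it can be unit-tested on captured output. Results are sorted
// because Go map iteration order is random.
func parse(raw []byte) ([]Finding, error) {
	var report njsscanReport
	if err := json.Unmarshal(raw, &report); err != nil {
		return nil, fmt.Errorf("decoding njsscan output: %w", err)
	}
	var findings []Finding
	for _, rules := range []map[string]njsscanRule{report.NodeJS, report.Templates} {
		for id, rule := range rules {
			for _, m := range rule.Files {
				f := Finding{RuleID: id, Path: m.FilePath, Severity: rule.Metadata.Severity,
					CWE: rule.Metadata.CWE, Message: rule.Metadata.Description}
				if n := len(m.MatchLines); n > 0 {
					f.StartLine, f.EndLine = m.MatchLines[0], m.MatchLines[n-1]
				}
				findings = append(findings, f)
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		a, b := findings[i], findings[j]
		if a.RuleID != b.RuleID {
			return a.RuleID < b.RuleID
		}
		if a.Path != b.Path {
			return a.Path < b.Path
		}
		return a.StartLine < b.StartLine
	})
	return findings, nil
}

// analyze is the single entry point: execute, then parse.
func analyze(ctx context.Context, target string) ([]Finding, error) {
	raw, err := run(ctx, target)
	if err != nil {
		return nil, err
	}
	return parse(raw)
}

func main() {
	findings, err := parse([]byte(sampleOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s:%d-%d [%s] %s\n", f.RuleID, f.Path, f.StartLine, f.EndLine, f.Severity, f.Message)
	}
}
```

Keeping `parse` free of any process execution is what makes the "write new unit tests" step cheap: tests feed captured njsscan output into `parse` and assert on the findings, while `run` is only exercised by the QA test projects where the real tool is installed.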
Documentation
- Add new rows to the supported languages for SAST doc section
- Update analyzer data table with new capabilities
Release notes
Release notes MR - gitlab-com/www-gitlab-com!64549 (merged)