Update SAST analyzers to specify analyzerID as report.Analyzer
Summary
Within our Category:SAST analyzers, we should set report.Analyzer to metadata.analyzerID.
Improvements
With #235358 (closed) we updated our analyzers to specify report.Analyzer explicitly, allowing parsing of rulesets based on the analyzer identifier. This introduced a small bug where nodejs-scan was specified as nodejs_scan. We should rely on a single constant instead, i.e. metadata.analyzerID, so the identifier cannot drift between the metadata and the emitted report.
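The pattern the issue describes, as an added Go example that is not the analyzers' own code: a simplified Report and Ruleset, a single AnalyzerID constant standing in for metadata.analyzerID, and a consistency check a maintainer could keep in the test suite. The struct and function names, and the sample ruleset table, are assumptions made for the example; only the "nodejs-scan" vs "nodejs_scan" discrepancy comes from the issue.

```go
package main

import "fmt"

// AnalyzerID stands in for metadata.analyzerID: the single place the
// analyzer's identifier is spelled out (hypothetical name for this example).
const AnalyzerID = "nodejs-scan"

// Report is a simplified stand-in for the security report an analyzer emits.
type Report struct {
	Analyzer string
}

// Ruleset stands in for a custom ruleset keyed by analyzer identifier.
type Ruleset struct {
	AnalyzerID string
	Rules      []string
}

// rulesetsByID is a constructed sample of user-defined rulesets; the key must
// match the identifier in report.Analyzer exactly for the lookup to succeed.
var rulesetsByID = map[string]Ruleset{
	"nodejs-scan": {AnalyzerID: "nodejs-scan", Rules: []string{"hardcoded-secret"}},
}

// newReportBefore reproduces the bug described in the issue: the identifier is
// spelled out as a separate string literal and drifts from the canonical one.
func newReportBefore() Report {
	return Report{Analyzer: "nodejs_scan"} // underscore instead of hyphen
}

// newReportAfter is the refactor: the report reuses the single constant, so
// the value cannot diverge from the analyzer's metadata.
func newReportAfter() Report {
	return Report{Analyzer: AnalyzerID}
}

// LookupRuleset resolves the custom ruleset for the analyzer named in the report.
// With the misspelled identifier the lookup silently finds nothing, which is
// how the bug surfaces to users: their custom rules are never applied.
func LookupRuleset(r Report) (Ruleset, error) {
	rs, ok := rulesetsByID[r.Analyzer]
	if !ok {
		return Ruleset{}, fmt.Errorf("no ruleset for analyzer %q", r.Analyzer)
	}
	return rs, nil
}

// CheckAnalyzerID is the guard a maintainer would add to each analyzer's test
// suite: the emitted report must carry exactly the identifier from metadata.
func CheckAnalyzerID(r Report) error {
	if r.Analyzer != AnalyzerID {
		return fmt.Errorf("report.Analyzer %q does not match metadata.analyzerID %q", r.Analyzer, AnalyzerID)
	}
	return nil
}

func main() {
	for _, r := range []Report{newReportBefore(), newReportAfter()} {
		_, lookupErr := LookupRuleset(r)
		fmt.Printf("analyzer=%q ruleset lookup error=%v consistency check=%v\n",
			r.Analyzer, lookupErr, CheckAnalyzerID(r))
	}
}
```

Running it shows the literal "nodejs_scan" failing both the ruleset lookup and the consistency check, while the constant-based report passes both; the same CheckAnalyzerID-style assertion is what would have caught the discrepancy across all of the listed analyzers during the refactor.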
Risks
It's possible this remapping is more significant than expected if there are more discrepancies. Ideally, this is a single bugfix for nodejs-scan and a refactor for the remainder, but problems may come up.
Involved components
https://gitlab.com/explore/projects?tag[]=GL-Secure+Analyzer&tag[]=Sast
- bandit
- brakeman
- eslint
- flawfinder
- gosec
- kubesec
- mobSF
- nodejs-scan gitlab-org/security-products/analyzers/nodejs-scan!87 (merged)
- phpcs-security-audit
- pmd-apex
- secrets
- security-code-scan
- sobelow
- spotbugs
Edited by Lucas Charles