Update SAST reports to latest schema version (v14.0.0)
Proposal
Our Category:SAST analyzers currently rely on the default version generated by the report module. This is a very old version that predates our security-report-schemas and is largely inaccurate for the data we are returning. We should bump all analyzers to the latest schema version (as of now v14.0.0).
See the secrets analyzer as an example of setting the report version.
Tasks
- Update analyzer Convert functions to set report.Version explicitly
- Validate that the report matches the schema within the qa-** jobs
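The two tasks above, as an added example that is not code from any of the analyzers or from the report module: a hypothetical minimal Report type (the real one has many more fields), a Convert function that pins the version explicitly, and a qa-style check that rejects a report whose version is missing or not on the expected schema major.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SchemaVersion is the security-report-schemas version the analyzers are
// being bumped to. Assumed here to be pinned as a constant in the analyzer.
const SchemaVersion = "14.0.0"

// Report is a hypothetical stand-in for the report module's type, reduced to
// the fields this example needs.
type Report struct {
	Version         string   `json:"version"`
	Vulnerabilities []string `json:"vulnerabilities"`
}

// Convert follows the pattern the tasks ask for: the analyzer sets Version
// explicitly instead of inheriting the report module's legacy default.
func Convert(findings []string) Report {
	return Report{Version: SchemaVersion, Vulnerabilities: findings}
}

// ValidateVersion is the qa-job style check: parse an emitted report and
// require a version field whose major matches SchemaVersion, so a report that
// silently fell back to an old default fails the job instead of shipping.
func ValidateVersion(raw []byte) error {
	var r struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("report is not valid JSON: %w", err)
	}
	if r.Version == "" {
		return fmt.Errorf("report has no version field")
	}
	want := strings.SplitN(SchemaVersion, ".", 2)[0]
	got := strings.SplitN(r.Version, ".", 2)[0]
	if got != want {
		return fmt.Errorf("report version %q is not schema major %s", r.Version, want)
	}
	return nil
}

func main() {
	out, _ := json.Marshal(Convert([]string{"constructed-finding-1"}))
	fmt.Println(string(out), ValidateVersion(out))
	// Constructed sample of a report still on the old default version.
	fmt.Println(ValidateVersion([]byte(`{"version":"2.3.0","vulnerabilities":[]}`)))
}
```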
Assignments
These tasks will need to be executed across all our analyzers. As such, we will be swarming this work at the start of %13.11 and using the same breakdown we do for dependency updates. Assignments are below.

- brakeman | gitlab-org/security-products/analyzers/brakeman!61 (merged)
- phpcs-security-audit | gitlab-org/security-products/analyzers/phpcs-security-audit!52 (merged)
- security-code-scan | gitlab-org/security-products/analyzers/security-code-scan!77 (merged)

- bandit | gitlab-org/security-products/analyzers/bandit!68 (merged)
- eslint | gitlab-org/security-products/analyzers/eslint!74 (merged)
- mobSF | gitlab-org/security-products/analyzers/mobsf!20 (merged)

- flawfinder | gitlab-org/security-products/analyzers/flawfinder!53 (merged)
- gosec | gitlab-org/security-products/analyzers/gosec!92 (merged)
- sobelow | gitlab-org/security-products/analyzers/sobelow!52 (merged)

- kubesec | gitlab-org/security-products/analyzers/kubesec!47 (merged)
- nodejs-scan | gitlab-org/security-products/analyzers/nodejs-scan!95 (merged)
- secrets | gitlab-org/security-products/analyzers/secrets!103 (merged)
Edited by Zach Rice