Flawfinder-sast should ignore invalid csv output when creating reports

Release notes

Flawfinder-sast now ignores invalid CSV output by flawfinder when parsing it to produce gl-sast-report.json.

Problem to solve

Flawfinder emits its own internal error messages, mixed into its CSV output, when it fails to parse code, specifically C/C++ macros.

This non-CSV output is captured in /tmp/flawfinder.csv and causes analyze.go to fail with "record on line 2: wrong number of fields" (the field-count error from Go's encoding/csv) when attempting to convert flawfinder.csv to gl-sast-report.json.

Proposal

Flawfinder-sast should ignore non-CSV output from flawfinder while creating gl-sast-report.json reports, rather than aborting the whole conversion on the first malformed record.
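As an added illustration of the proposal (example code written for this issue, not code from the flawfinder analyzer project), the Go program below reads flawfinder-style CSV one record at a time with encoding/csv and skips any record that fails with csv.ErrFieldCount, the "wrong number of fields" error quoted above, instead of aborting the way csv.ReadAll does on the first malformed record. The five-column layout, the sample findings, the interleaved error line and the function name parseFlawfinderCSV are all constructed for the example; they are not flawfinder's exact CSV schema or its real error text.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Finding is one flawfinder hit. The five columns below are a constructed
// subset for this example, not flawfinder's real CSV schema.
type Finding struct {
	File    string
	Line    int
	Level   int
	Name    string
	Warning string
}

// expectedFields pins the column count of the constructed sample. In a real
// analyzer it would come from flawfinder's documented header.
const expectedFields = 5

// sampleCSV is constructed input: a header, two findings (one with commas
// inside a quoted field) and a made-up stand-in for an internal error
// message that flawfinder printed into the same stream.
const sampleCSV = `File,Line,Level,Name,Warning
src/main.c,12,4,strcpy,"Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy."
Error: cannot parse macro FOO in src/macros.c at line 7
src/util.c,40,2,memcpy,"Does not check for buffer overflows when copying to destination (CWE-120)."
`

// parseFlawfinderCSV reads flawfinder-style CSV record by record and keeps
// going past records that do not have expectedFields columns, which is how a
// stray error line appears to encoding/csv. csv.ReadAll would instead stop at
// the first such record with "record on line N: wrong number of fields".
// Skipped lines are returned separately so the caller can log them.
func parseFlawfinderCSV(in io.Reader) (findings []Finding, skipped []string, err error) {
	r := csv.NewReader(in)
	// A fixed count means an error line that precedes the header cannot
	// redefine the expected width (the default, 0, learns it from record 1).
	r.FieldsPerRecord = expectedFields
	for {
		rec, rerr := r.Read()
		if rerr == io.EOF {
			return findings, skipped, nil
		}
		var pe *csv.ParseError
		if errors.As(rerr, &pe) {
			// Malformed record: csv.ErrFieldCount for the wrong column
			// count, or a quoting error if the message contains a quote.
			skipped = append(skipped, fmt.Sprintf("line %d: %v", pe.Line, pe.Err))
			continue
		}
		if rerr != nil {
			// Anything else is an I/O failure and must not be hidden.
			return nil, skipped, rerr
		}
		if rec[0] == "File" {
			continue // header row
		}
		line, lerr := strconv.Atoi(rec[1])
		level, verr := strconv.Atoi(rec[2])
		if lerr != nil || verr != nil {
			// Right number of commas but not a finding: treat as noise too.
			skipped = append(skipped, fmt.Sprintf("non-numeric line/level: %q", strings.Join(rec, ",")))
			continue
		}
		findings = append(findings, Finding{
			File: rec[0], Line: line, Level: level, Name: rec[3], Warning: rec[4],
		})
	}
}

func main() {
	findings, skipped, err := parseFlawfinderCSV(strings.NewReader(sampleCSV))
	if err != nil {
		fmt.Println("fatal:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s:%d level=%d %s\n", f.File, f.Line, f.Level, f.Name)
	}
	for _, s := range skipped {
		fmt.Println("skipped:", s)
	}
}
```

Keeping the rejected lines separate from the findings lets the analyzer still write gl-sast-report.json while surfacing what flawfinder could not parse, instead of silently dropping it. The one case a field-count check cannot catch is an error message that happens to contain exactly the right number of commas; the numeric check on the Line and Level columns catches most of those.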

Intended users

  • Sam (Security Analyst)

User experience goal

Flawfinder-sast generates gl-sast-report.json regardless of whether flawfinder includes internal error messages in its CSV output.

Further details

  • #327032 (closed)
  • https://github.com/david-a-wheeler/flawfinder/issues/25
  • Support ticket from Ultimate customer (internal only)

Relevant code

  • https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/blob/master/analyze.go#L43
  • https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/blob/master/analyze.go#L18
  • https://github.com/david-a-wheeler/flawfinder/blob/master/flawfinder.py#L514-L590

Availability & Testing

This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier.

What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?

Please list the test areas (unit, integration and end-to-end) that need to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance.

  • Unit test changes
  • Integration test changes
  • End-to-end test changes

See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning

What does success look like, and how can we measure that?

Flawfinder-sast produces a valid JSON report even if flawfinder fails to parse specific lines of code.

Is this a cross-stage feature?

Nope.

CC @twoodham @theoretick @dsearles


Edited Mar 25, 2022 by 🤖 GitLab Bot 🤖