Create sarif to GitLab SAST report tool

Proposal

We do not currently provide a means by which a customer can convert a generic SARIF report into the GitLab SAST report format.

The library we use internally is part of our report Golang library; you can see an example of its usage in our semgrep analyzer.

It is primarily used internally and hence not separately documented. It would be nice to have a self-contained converter, but there isn't one at present. Alternatively, we could explore allowing uploads of SARIF reports directly and handling the conversion within our report parsing functionality.

Tasks

  • Create a transformer binary
  • Documentation

Workaround

Conversion can be performed natively by several of our analyzers which expose the library via subcommands. In the case of semgrep the report can be converted as follows:

docker run --rm --platform linux/amd64 -e SECURE_LOG_LEVEL=error -e SEARCH_MAX_DEPTH=40 -v $PWD:/tmp/app -w /tmp/app registry.gitlab.com/security-products/semgrep:4 /analyzer convert testdata/reports/semgrep.sarif > gl-sast-report.json

This can be performed with a CI job like so, leveraging a previous SARIF-generated artifact:

convert_sarif_to_gitlab_report:
  stage: test
  # needs takes a list; artifacts of the listed job (report.sarif) are downloaded by default
  needs: [sarif_generating_job]
  image:
    # same image as the docker command above; the registry prefix is required to pull it
    name: "registry.gitlab.com/security-products/semgrep:4"
  artifacts:
    reports:
      sast: gl-sast-report.json
  script:
    - /analyzer convert report.sarif > gl-sast-report.json

NOTE: this may lead to unexpected behavior, as report conversion is not a one-to-one mapping between fields.
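To make the "not one-to-one" caveat concrete, here is an added, self-contained Python sketch of the SARIF to GitLab SAST conversion (example code written for this issue, not GitLab's report library or the semgrep analyzer's convert subcommand). The severity table, the identifier type, the schema version and the sample SARIF input are all assumptions constructed for the example; they show where information is lost (four SARIF levels versus six GitLab severities) and where it is duplicated (one SARIF result with several locations becomes several GitLab vulnerabilities).

```python
import json

# Illustrative SARIF "level" -> GitLab severity table (assumption: not GitLab's own mapping).
# SARIF has only four levels, so severities such as Critical can never come from "level"
# alone: one reason the conversion is not one-to-one.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}

# Constructed SARIF 2.1.0 sample: two results, the second spanning two locations.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        {"ruleId": "hardcoded-secret", "level": "error",
         "message": {"text": "Hardcoded credential"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                             "region": {"startLine": 12, "endLine": 12}}}]},
        {"ruleId": "weak-hash", "message": {"text": "Use of MD5"},  # no "level" given
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                             "region": {"startLine": 40}}},
                       {"physicalLocation": {"artifactLocation": {"uri": "app/token.py"},
                                             "region": {"startLine": 7}}}]},
    ]}]})


def sarif_to_gitlab_sast(sarif_text: str) -> dict:
    """Convert a SARIF log into a subset of the GitLab SAST report structure."""
    vulns = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            # SARIF treats a missing "level" as "warning"; anything unknown becomes Unknown.
            severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Unknown")
            rule = result["ruleId"]
            # GitLab needs one vulnerability per location, so one SARIF result fans out.
            for loc in result.get("locations", [{}]):
                phys = loc.get("physicalLocation", {})
                region = phys.get("region", {})
                vulns.append({
                    "category": "sast", "name": rule,
                    "description": result.get("message", {}).get("text", ""),
                    "severity": severity, "scanner": {"id": tool, "name": tool},
                    "location": {"file": phys.get("artifactLocation", {}).get("uri", ""),
                                 "start_line": region.get("startLine", 0),
                                 "end_line": region.get("endLine", region.get("startLine", 0))},
                    "identifiers": [{"type": f"{tool}_rule", "name": rule, "value": rule}],
                })
    return {"version": "15.0.4",  # assumed schema version; adjust to the target GitLab release
            "scan": {"type": "sast", "status": "success"}, "vulnerabilities": vulns}

if __name__ == "__main__":
    print(json.dumps(sarif_to_gitlab_sast(SAMPLE_SARIF), indent=2))
```

Running it on the constructed sample yields three vulnerabilities from two SARIF results, which is exactly the kind of fan-out to check for when a converted report shows more findings than the SARIF file had results.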

Edited by Lucas Charles