Adopt Semgrep for C# and .NET
Proposal
There was a recent announcement of C# in GA for Semgrep. This issue proposes to adopt Semgrep for C#/.NET scanning:
- Consistent with the shift of other language support (python, js, php, go) going to semgrep
- Less complexity compared to security-code-scan:
- No need to build .net application in a mono environment
- Automatic multi-project support with Semgrep
- Support sales motions and less friction in evaluations
C#/.NET Rules - https://semgrep.dev/r?lang=C%23
Questions:
- Should security-code-scan be deprecated in 15.0 in favor of semgrep rules?
- Do the currently implemented rules provide sufficient coverage? Are there gaps we can contribute to?
- What .NET framework/versions are captured in the rule registry?
Additional notes
- #345171 (comment 728751807)
- Parse extension: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/tree/add-csharp
Steps
- Enhancing https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rules-project-scaffolder to support C# project scaffolding. (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rules-project-scaffolder/-/merge_requests/2)
- Integrating a csharp sub-directory into https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules. (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/77)
- Adding a first test case for a random rule. (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/77)
- Adding .cs to the set of supported extensions in semgrep: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/plugin/plugin.go#L15 and generating a semgrep docker image with csharp support (semgrep-csharp) (gitlab-org/security-products/analyzers/semgrep!137 (merged)).
- Creating the import issue: https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/issues/27.
- Integrating the enhanced rules-project-scaffolder + semgrep-csharp into the CI configuration of the rule-testing-framework.
- Integrating security-code-scan into the rule-testing-framework CI configuration (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rule-testing/-/merge_requests/19).
- Integrating a new mappings file for security-code-scan (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/77).
- Translating rules and using the rule-testing-framework as a compass to see whether or not we are on par with security-code-scan. While doing this we will document the gaps in the README.md.
- Once we have completed the translation, we can integrate the security-code-scan ruleset into semgrep and prepare a new release. (MR: gitlab-org/security-products/analyzers/semgrep!137 (merged))
- Adding the .cs extension to the SAST template: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml#L242. (MR: !95802 (merged))
- Modifying the SAST documentation to mention that Semgrep supports C#. (MR: !97616 (merged))
Edited by Zach Rice