Adopt Semgrep for C# and .NET

Proposal

There was a recent announcement of C# in GA for Semgrep. This issue proposes to adopt Semgrep for C#/.NET scanning:

• Consistent with the shift of other language support (python, js, php, go) going to semgrep
• Less complexity compared to security-code-scan:
  • No need to build .net application in a mono environment
  • Automatic multi-project support with Semgrep
• Support sales motions and less friction in evaluations

C#/.NET Rules - https://semgrep.dev/r?lang=C%23

Questions:

1. Should security-code-scan be deprecated in 15.0 in favor of semgrep rules?
2. Are the current rules implemented provide sufficient coverage? Gaps that we can contribute to?
3. What .NET framework/versions are captured in the rule registry?

Additional notes

• #345171 (comment 728751807)
• Parse extension: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/tree/add-csharp

Steps

• Enhancing https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rules-project-scaffolder to support C# project scaffolding. (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rules-project-scaffolder/-/merge_requests/2)
• Integrating csharp sub-directory to https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules. (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/77)
• Adding a first test case for a random rule. (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/77)
• Adding .cs to the set of supported extensions in semgrep: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/plugin/plugin.go#L15 and generate a semgrep docker image with csharp support (semgrep-csharp) (gitlab-org/security-products/analyzers/semgrep!137 (merged)).
• Create Import issue: https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/issues/27.
• Integrating enhanced rules-project-scaffolder + sempgrep-csharp into the CI configuration of the rule-testing-framework.
• Integrating security-code-scan into the rule-testing-framework CI configuration (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rule-testing/-/merge_requests/19).
• Integrating a new mappings file for security-code-scan (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/77).
• Translating rules and using the rule-testing-framework as a compass to see whether or not we are on par. While doing this we will document the gaps in the README.md.
• Once have completed the translation, we can integrate the security-code-scan ruleset into semgrep and prepare a new release. (MR: gitlab-org/security-products/analyzers/semgrep!137 (merged))
• Adding the .cs extension to the SAST template: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml#L242. (MR: !95802 (merged))
• Modify the SAST documentation to mention that Semgrep supports C# (MR: !97616 (merged))