Rulesets for Salesforce-specific JavaScript Frameworks (Aura and Lightning Component Framework)
Release notes
Problem to solve
Salesforce developers typically use Apex (which we support, but which is legacy) and, more recently, the Lightning Component Framework, whose Aura components and Lightning Web Components are both JavaScript codebases with Salesforce-specific markup and syntax layered on top. Although we can already run SAST scans for JavaScript, we should have rulesets specific to the Lightning Component Framework (Aura and Lightning Web Components) that detect weaknesses specific to Salesforce development, which generic JavaScript rules do not know about.
From Brian Williams:
Aura / Lightning Components are a combination of regular JavaScript and some special syntax specific to Salesforce. We can analyze the regular JavaScript (assuming the tools do not throw up when they encounter the special Salesforce syntax), but I do not expect vulnerabilities involving the special Salesforce syntax to be detected. There's a possibility that we can write rules to detect this. There's also a possibility that the existing tooling can give some coverage, but not 100%.
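To make the comment above concrete, here is an added example of the kind of Salesforce-specific rule the proposal is asking for. It is not code from this issue, from the attached rulesets, or from Brian Williams; the two patterns it flags (Aura's `aura:unescapedHtml` tag, and an LWC template that opts out of framework DOM management with `lwc:dom="manual"` while its controller writes `innerHTML`) are my assumption of what a first ruleset would target, chosen because both render raw HTML and neither is visible to a rule written for plain JavaScript. The component sources are constructed for the example.

```javascript
// Added example (not from the GitLab issue or its attached rulesets): a
// minimal rule engine for two Salesforce-specific weakness patterns.
// All file contents below are constructed sample data.

const SAMPLE_FILES = [
  {
    path: 'force-app/main/default/aura/GreetingCard/GreetingCard.cmp',
    content: `<aura:component>
  <aura:attribute name="bio" type="String"/>
  <aura:unescapedHtml value="{!v.bio}"/>
</aura:component>`,
  },
  {
    path: 'force-app/main/default/aura/GreetingCard/GreetingCardController.js',
    content: `({
  init: function(component, event, helper) {
    component.set("v.bio", helper.loadBio(component));
  }
})`,
  },
  {
    // LWC bundle: template opts out of framework DOM management ...
    path: 'force-app/main/default/lwc/richNote/richNote.html',
    content: `<template>
  <div lwc:dom="manual" class="note"></div>
</template>`,
  },
  {
    // ... and the controller writes raw HTML into that node. Note the @api
    // decorator: this is the "special syntax" a plain-ES parser may reject.
    path: 'force-app/main/default/lwc/richNote/richNote.js',
    content: `import { LightningElement, api } from 'lwc';
export default class RichNote extends LightningElement {
  @api noteHtml;
  renderedCallback() {
    this.template.querySelector('.note').innerHTML = this.noteHtml;
  }
}`,
  },
  {
    // Same template pattern, but the controller uses textContent: no finding.
    path: 'force-app/main/default/lwc/safeNote/safeNote.html',
    content: `<template>
  <div lwc:dom="manual" class="note"></div>
</template>`,
  },
  {
    path: 'force-app/main/default/lwc/safeNote/safeNote.js',
    content: `import { LightningElement, api } from 'lwc';
export default class SafeNote extends LightningElement {
  @api noteText;
  renderedCallback() {
    this.template.querySelector('.note').textContent = this.noteText;
  }
}`,
  },
];

// Rule 1: Aura markup that renders an attribute expression as raw HTML.
function findAuraUnescapedHtml(files) {
  const findings = [];
  const tag = /<aura:unescapedHtml\b[^>]*\bvalue="\{!([^}]+)\}"/g;
  for (const f of files) {
    if (!/\.(cmp|app)$/.test(f.path)) continue;
    for (const m of f.content.matchAll(tag)) {
      findings.push({ rule: 'aura-unescaped-html', path: f.path, expr: m[1].trim() });
    }
  }
  return findings;
}

// Rule 2: correlate the two files of one LWC bundle (same lwc/<name>/ directory):
// a template with lwc:dom="manual" plus a controller line assigning innerHTML.
function findLwcManualDomInnerHtml(files) {
  const bundles = new Map();
  for (const f of files) {
    const dir = f.path.slice(0, f.path.lastIndexOf('/'));
    if (!/\/lwc\/[^/]+$/.test(dir)) continue;
    const b = bundles.get(dir) || { manualDom: false, writes: [] };
    if (f.path.endsWith('.html') && /\blwc:dom="manual"/.test(f.content)) b.manualDom = true;
    if (f.path.endsWith('.js')) {
      f.content.split('\n').forEach((line, i) => {
        if (/\.innerHTML\s*=/.test(line)) b.writes.push({ path: f.path, line: i + 1 });
      });
    }
    bundles.set(dir, b);
  }
  const findings = [];
  for (const b of bundles.values()) {
    if (!b.manualDom) continue;
    for (const w of b.writes) findings.push({ rule: 'lwc-manual-dom-innerhtml', ...w });
  }
  return findings;
}

// Run every rule over a file set; returns the combined finding list.
function scan(files) {
  return [...findAuraUnescapedHtml(files), ...findLwcManualDomInnerHtml(files)];
}

for (const hit of scan(SAMPLE_FILES)) console.log(hit);
```

Two things this toy version shows that a real ruleset would need to do properly: the rules operate on the markup files and across the files of a bundle, not on one JavaScript file in isolation, and the JavaScript parser behind the rules must accept LWC's decorator syntax (`@api`, `@wire`) rather than stop at it. The string matching here should be replaced by template and JavaScript AST queries before it is used for anything beyond illustration.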
Intended users
Metrics
User experience goal
When code built for Aura or the Lightning Component Framework is committed, GitLab would recognize the framework and run SAST scans with the Salesforce-specific rulesets, reporting weaknesses alongside the findings from the existing JavaScript analyzers.
Proposal
Further details
Attached are some rulesets that might be a good place to start: Internal Only
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.