Remove high-FP-rate `detect-object-injection` eslint and semgrep rule
Problem to solve
A number of eslint rules, and the matching Semgrep ports of those eslint rules, output a significant number of false positives. The detect-object-injection rule in particular matches on almost every access to an object's properties via `[]` notation, regardless of whether the key is attacker-controlled or validated.
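As an added illustration that is not part of this issue, the JavaScript below shows the bracket-access pattern the rule flags, a guarded lookup that the rule flags just the same, and a Map-based alternative it does not flag; the status table and the three functions are constructed for the example.

```javascript
// Added example (not from the issue): the access pattern detect-object-injection
// flags, beside a guarded lookup that is flagged too, and a Map alternative.

// Constructed sample table: HTTP status codes mapped to reason phrases.
const STATUS_TEXT = Object.freeze({ 200: "OK", 404: "Not Found", 500: "Server Error" });

// Flagged by detect-object-injection because `code` is a variable used as an
// index. The table is frozen and the worst case for an unknown code is
// `undefined`, so this finding is a false positive.
function describeStatus(code) {
  return STATUS_TEXT[code];
}

// The concern behind the rule: a key taken from untrusted input such as a
// query string can name an inherited property ("constructor", "__proto__",
// "hasOwnProperty"), so the lookup returns something from Object.prototype
// instead of a table entry. Restricting the access to own properties removes
// that case. This function still contains `table[key]` and is therefore still
// flagged, which is why the rule cannot separate guarded from unguarded code.
function lookupOwn(table, key) {
  if (!Object.prototype.hasOwnProperty.call(table, key)) {
    return undefined;
  }
  return table[key];
}

// Alternative that avoids bracket access altogether: a Map has no prototype
// keys to collide with, so Map#get only returns values that were inserted.
const STATUS_MAP = new Map(Object.entries(STATUS_TEXT));

function describeStatusMap(code) {
  return STATUS_MAP.get(String(code));
}
```

Running the three lookups with a key such as `"constructor"` shows the difference: the unguarded accessor returns a function from the prototype chain, while the other two return `undefined`.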
Proposal
Remove the detect-object-injection rule from both Semgrep and eslint.
Document how to find and restore the rule if people want it, perhaps as a disabled_rules.yaml file or similar at a documented path. Interested customers could then use the existing rule customization features to add this rule, or similar ones, back if desired.
Timing
It is acceptable to make changes in both eslint and semgrep and assume that users will either:
- update both, and thus receive the update in both analyzers
- update neither, and thus not experience a change in their ruleset
It is also acceptable, if removing the rule from eslint would be too difficult, to leave it in eslint. We expect that removing the rule from Semgrep while leaving it in eslint would:
- keep the finding, if both eslint and Semgrep are running
- keep the finding, if only eslint is still running
- remove the finding, if only Semgrep is running
Then, when analyzer consolidation ships, the finding will no longer be detected. (See SAST Deprecation: Analyzer consolidation and CI... (#352554 - closed)).
What does success look like, and how can we measure that?
Our false-positive rates, or rates of dismissal, decrease for these analyzers.
What is the type of buyer?
GitLab Ultimate buyer, but useful to all users across tiers.