Replace SpotBugs analyzer with semgrep rules (for Java)
Why are we doing this work
Come up with a good-enough Semgrep ruleset covering the SpotBugs rules in order to move Java analysis to Semgrep instead of the current analyzer. In this issue, when we write SpotBugs, we actually mean SpotBugs + FindSecBugs.
Relevant links
Non-functional requirements
Documentation: -
Feature flag: -
Performance: -
Testing:
Implementation plan
- Update the structure of https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules to account for Java
- Identify the rules we have to migrate and find the corresponding test cases in the SpotBugs code repository
- For every rule, search for a corresponding test case in the code repository
- Add a first rule + test case in Java to https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules so that we can try it with the testing framework + SpotBugs|semgrep
- Create a branch of https://gitlab.com/gitlab-org/security-products/analyzers/semgrep with Java support (enabling the file extension .java)
- Hook the (temp) semgrep docker image that has been created in step 5 into the testing framework by setting the corresponding variable (https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rule-testing/-/blob/main/.gitlab-ci.yml#L15)
- Configure https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/rule-testing-framework/rule-testing so that it uses SpotBugs and runs the test case we added in step 2
- Systematically add the remaining rules + test cases (from step 2) in Java to https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules
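To make the "rule + test case" pair in the plan above concrete, here is an added illustrative Semgrep rule for Java, written for this issue and not taken from the sast-rules repository or from SpotBugs/FindSecBugs. It targets weak hash selection (creating a MessageDigest with MD5), a check FindSecBugs also covers; the rule id, message and metadata are assumptions chosen for the example.

```yaml
# Added example rule (not part of the sast-rules project).
# Flags java.security.MessageDigest.getInstance(...) when the algorithm
# argument is the string literal "MD5" (any letter case).
rules:
  - id: java-weak-message-digest-md5
    languages: [java]
    severity: WARNING
    message: >-
      MessageDigest is instantiated with MD5, which is not collision
      resistant. Use SHA-256 or stronger.
    metadata:
      category: security
      cwe: "CWE-328: Use of Weak Hash"
    patterns:
      # Match getInstance with the algorithm as the first argument; "..." also
      # matches the two-argument (algorithm, provider) overloads.
      - pattern: java.security.MessageDigest.getInstance($ALG, ...)
      # $ALG is the matched source text, so the regex includes the quotes.
      - metavariable-regex:
          metavariable: $ALG
          regex: '^"[Mm][Dd]5"$'
```

The matching test case is a Java file placed next to the rule with the same base name (for instance a constructed `java-weak-message-digest-md5.java`): a line containing `MessageDigest.getInstance("MD5")` is preceded by the comment `// ruleid: java-weak-message-digest-md5`, and a line containing `MessageDigest.getInstance("SHA-256")` is preceded by `// ok: java-weak-message-digest-md5`. Running `semgrep --test` over the directory then reports whether the findings line up with those annotations, which is the same pass/fail signal the rule-testing framework needs when comparing against SpotBugs output.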
Rules Completion Status
The rules and their completion status are tracked in this issue.
Reference Links
Edited by Julian Thome