Migrate phpcs-security-audit coverage to Semgrep-based analyzer
The phpcs-security-audit analyzer should have its coverage converted to Semgrep.
Semgrep's PHP support is now GA as of this 2022-06-21 and there are some rules ported from phpcs-security-audit.
@idawson notes that recent Semgrep improvements should help with this conversion.
The phpcs-security-audit analyzer has also suffered a lack of maintenance since about March 2020, per #361157 (closed).d
Implementation Plan
-
Copy rules from https://semgrep.dev/p/phpcs-security-audit to https://gitlab.com/gitlab-org/security-products/sast-rules -
Find out how to adhere to the LGPL common clause license (#364060 (comment 1711983460)) Resolve this before moving forward. -
Ensure rules are in the LGPL directory -
Ensure each rule has the correct LGPL-CC license header example header -
Ensure each rule is tested by adding a test file of the format rule-(RULE_NAME).langext. If a test is not added the build will fail.
-
-
Map and create Primary Identifiers. (The way I've identified primary IDs before is to run the original scanner, in this case PHPCS on a fixture and find the identification tag in the generated report example) -
Add to semgrep -
Add rules to semgrep by copying them over in the Dockerfile -
Add integration spec -
Add a with PHPcontext -
add expected JSON which can be generated using analyzer-refresh-expected-json
-
-
-
Update semgrep-sast job of SAST.gitlab-ci.ymltemplate to include rule for'**/*.php'Add php support for semgrep (!143472 - merged) • Adam Cohen • 16.10
Rules Migrated from phpcs-security-audit to semgrep
As discussed here, we only added 9 rules to GitLab semgrep, however, there are 16 rules in GitLab phpcs-security-audit:
We plan on adding more rules as part of https://gitlab.com/gitlab-org/gitlab/-/issues/457901+s.