Migrate phpcs-security-audit coverage to Semgrep-based analyzer
The phpcs-security-audit analyzer should have its coverage converted to Semgrep.
Semgrep's PHP support is GA as of 2022-06-21, and some rules have already been ported from phpcs-security-audit.
@idawson notes that recent Semgrep improvements should help with this conversion.
The phpcs-security-audit analyzer has also suffered from a lack of maintenance since about March 2020, per #361157 (closed).
Implementation Plan

- Copy rules from https://semgrep.dev/p/phpcs-security-audit to https://gitlab.com/gitlab-org/security-products/sast-rules
  - Find out how to adhere to the LGPL common clause license (#364060 (comment 1711983460)). Resolve this before moving forward.
  - Ensure rules are in the LGPL directory.
  - Ensure each rule has the correct LGPL-CC license header (example header).
  - Ensure each rule is tested by adding a test file of the format rule-(RULE_NAME).langext. If a test is not added, the build will fail.
- Map and create Primary Identifiers. (The way I've identified primary IDs before is to run the original scanner, in this case PHPCS, on a fixture and find the identification tag in the generated report (example).)
- Add to semgrep
  - Add rules to semgrep by copying them over in the Dockerfile.
  - Add integration spec
    - Add a "with PHP" context.
    - Add expected JSON, which can be generated using analyzer-refresh-expected-json.
- Update the semgrep-sast job of the SAST.gitlab-ci.yml template to include a rule for '**/*.php'.
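The "Map and create Primary Identifiers" and "ensure each rule is tested" steps above are the ones most easily got wrong by hand, so here is a small helper for them. This is an added example written for this issue, not code from sast-rules or from the semgrep analyzer. It reads a phpcs `--report=json` report produced from a fixture, pulls out the sniff `source` codes (the "identification tag" mentioned above), builds the metadata block for a ported Semgrep rule, and checks that every rule file in a directory listing has its `rule-<NAME>.php` fixture with Semgrep `ruleid:`/`ok:` annotations. Assumptions: the metadata field names `primary_identifier` / `secondary_identifiers` and the identifier type `phpcs_security_audit_source` follow what I have seen the semgrep analyzer consume in sast-rules and should be verified against the repo; the phpcs report and PHP fixture below are constructed, and the sniff codes in them are illustrative placeholders, so take real ones from a real phpcs run.

```python
"""Helper for porting phpcs-security-audit sniffs to sast-rules (added example).

Assumed, not confirmed against sast-rules: the metadata keys
`primary_identifier` / `secondary_identifiers` and the identifier type
`phpcs_security_audit_source`.
"""
import json
import re
from pathlib import Path

IDENTIFIER_TYPE = "phpcs_security_audit_source"  # assumed identifier type

# Constructed phpcs --report=json output for a tiny fixture. The shape (totals,
# then per-file "messages" carrying a "source" sniff code) follows the real
# phpcs JSON reporter; the sniff codes themselves are illustrative only.
SAMPLE_PHPCS_REPORT = json.dumps({
    "totals": {"errors": 1, "warnings": 1, "fixable": 0},
    "files": {
        "fixture.php": {
            "errors": 1,
            "warnings": 1,
            "messages": [
                {"message": "User input in eval()", "line": 3, "column": 1,
                 "source": "PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals",
                 "severity": 5, "type": "ERROR", "fixable": False},
                {"message": "Crypto function md5 used", "line": 5, "column": 7,
                 "source": "PHPCS_SecurityAudit.BadFunctions.CryptoFunctions.WarnCryptoFunc",
                 "severity": 5, "type": "WARNING", "fixable": False},
            ],
        }
    },
})

# Constructed rule-<NAME>.php fixture using Semgrep's test annotations.
SAMPLE_FIXTURE = """<?php
// ruleid: php-no-eval
eval($_GET['code']);
// ok: php-no-eval
echo "no eval here";
"""


def sniff_sources(report_json):
    """Return {sniff_source: [(file, line), ...]} from a phpcs JSON report."""
    report = json.loads(report_json)
    found = {}
    for path, data in report.get("files", {}).items():
        for msg in data.get("messages", []):
            found.setdefault(msg["source"], []).append((path, msg["line"]))
    return found


def identifier_metadata(source):
    """Metadata carrying the phpcs sniff code as the primary identifier.

    Keeping the identifier stable across the analyzer swap is what lets
    existing vulnerability records match instead of being reported anew.
    """
    return {
        "primary_identifier": source,
        "secondary_identifiers": [
            {"name": source, "type": IDENTIFIER_TYPE, "value": source}
        ],
    }


def rule_skeleton(rule_id, source, pattern, message):
    """Dict form of a one-rule Semgrep file (serialise with your YAML lib)."""
    meta = {"category": "security", "shortDescription": message}
    meta.update(identifier_metadata(source))
    return {"rules": [{
        "id": rule_id,
        "languages": ["php"],
        "severity": "WARNING",
        "message": message,
        "pattern": pattern,
        "metadata": meta,
    }]}


def rules_without_tests(filenames, ext="php"):
    """Rule files (*.yml / *.yaml) in a directory listing that lack the
    required rule-<NAME>.<ext> fixture; the sast-rules build fails on these."""
    names = set(filenames)
    missing = []
    for name in sorted(names):
        stem, dot, suffix = name.rpartition(".")
        if dot and suffix in ("yml", "yaml") and f"rule-{stem}.{ext}" not in names:
            missing.append(name)
    return missing


def fixture_assertions(fixture_text):
    """(kind, rule_id) pairs for every '// ruleid: X' / '// ok: X' line, so a
    fixture that asserts nothing is caught before the build does."""
    return re.findall(r"//\s*(ruleid|ok):\s*([\w.\-]+)", fixture_text)


def scan_rules_dir(directory, ext="php"):
    """Filesystem wrapper around rules_without_tests for a real checkout."""
    return rules_without_tests([p.name for p in Path(directory).iterdir()], ext)


if __name__ == "__main__":
    for source, hits in sniff_sources(SAMPLE_PHPCS_REPORT).items():
        print(source, hits)
    print(json.dumps(rule_skeleton("php-no-eval",
                                   "PHPCS_SecurityAudit.BadFunctions.NoEvals.NoEvals",
                                   "eval(...)", "Use of eval"), indent=2))
    print(fixture_assertions(SAMPLE_FIXTURE))
```

Run it against a real `phpcs --standard=Security --report=json` output on the fixture you intend to ship as `rule-<NAME>.php`, and paste the resulting `metadata` block into the ported rule; `scan_rules_dir` on the rule directory then tells you which rules would fail the build for lack of a test file.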
Linked merge request: Add php support for semgrep (!143472, merged) · Adam Cohen · 16.10