Warn when no files are being scanned by an analyzer
Description
Secure analysers that use the shared command package are hardcoded to log "Found relevant files in project, analyzing entire repository" in most situations. cfg.AnalyzeAll is false by default, but many analysers override this to true as they're designed to scan the entire project:
- https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/c9eb90a6f402ed93cb1b87bc6710415a82f0a0c2/main.go#L20
- https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/blob/master/main.go#L30
- https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/blob/master/main.go#L29
- and so on
This can be misleading if the analyser was in fact configured to exclude all files from being scanned, e.g. via SAST_EXCLUDE_PATHS.
Proposal
Reword the log line so it's more apparent that an internal analyser configuration was set (cfg.AnalyzeAll) rather than expressing that files were found and the entire repository will be scanned.
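To make the mismatch concrete, here is a small Go program (added for illustration; it is not the command package's code and the message wording is constructed, not the text the merged change uses). It applies a constructed SAST_EXCLUDE_PATHS value to a constructed file list and then picks the log line from two inputs: the AnalyzeAll flag and the number of files left after exclusion. When exclusions remove every file, it returns a warning instead of claiming that relevant files were found. Config, ParseExcludePaths, FilterFiles and ScanMessage are hypothetical names.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Config is a hypothetical stand-in for the shared command package's config,
// holding only the two settings this issue is about.
type Config struct {
	AnalyzeAll   bool     // analyzers that scan the whole project set this to true
	ExcludePaths []string // parsed from SAST_EXCLUDE_PATHS
}

// ParseExcludePaths splits a comma-separated SAST_EXCLUDE_PATHS value,
// trimming whitespace, trailing slashes and empty entries.
func ParseExcludePaths(raw string) []string {
	var out []string
	for _, p := range strings.Split(raw, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, strings.TrimSuffix(p, "/"))
		}
	}
	return out
}

// excluded reports whether path equals, lies under, or is glob-matched by any exclude entry.
func excluded(path string, excludes []string) bool {
	for _, ex := range excludes {
		if path == ex || strings.HasPrefix(path, ex+"/") {
			return true
		}
		if ok, err := filepath.Match(ex, path); err == nil && ok {
			return true
		}
	}
	return false
}

// FilterFiles returns the files that survive the exclusion rules.
func FilterFiles(files, excludes []string) []string {
	kept := make([]string, 0, len(files))
	for _, f := range files {
		if !excluded(f, excludes) {
			kept = append(kept, f)
		}
	}
	return kept
}

// ScanMessage picks the log line from the config and the post-exclusion file
// count. The second return value is true when the line is a warning. The
// wording here is constructed for this example.
func ScanMessage(cfg Config, remaining int) (string, bool) {
	switch {
	case remaining == 0:
		return "no files left to analyze after applying SAST_EXCLUDE_PATHS; nothing will be scanned", true
	case cfg.AnalyzeAll:
		return fmt.Sprintf("analyzer is configured to scan the entire project (AnalyzeAll=true); %d files remain after exclusions", remaining), false
	default:
		return fmt.Sprintf("found %d relevant files in project", remaining), false
	}
}

func main() {
	// Constructed repository listing and exclusion settings.
	files := []string{"src/app.go", "src/util.go", "vendor/dep.go", "docs/readme.md"}
	cfg := Config{AnalyzeAll: true, ExcludePaths: ParseExcludePaths("vendor/, docs")}
	msg, warn := ScanMessage(cfg, len(FilterFiles(files, cfg.ExcludePaths)))
	fmt.Printf("warning=%v: %s\n", warn, msg)

	// Exclude everything: a hardcoded "Found relevant files" line would be misleading here.
	cfg.ExcludePaths = ParseExcludePaths("src, vendor, docs")
	msg, warn = ScanMessage(cfg, len(FilterFiles(files, cfg.ExcludePaths)))
	fmt.Printf("warning=%v: %s\n", warn, msg)
}
```

The point of the split in ScanMessage is that the zero-files case is checked before AnalyzeAll is consulted, so an analyzer that always sets AnalyzeAll still surfaces an exclusion that removed every file.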
Tasks
- Update log message in command: gitlab-org/security-products/analyzers/command!33 (merged)
- Bump command version in the following analyzers that support multi-project:
  - spotbugs (https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/releases/v3.2.2)
  - security-code-scan (gitlab-org/security-products/analyzers/security-code-scan!119 (merged))
  - flawfinder gitlab-org/security-products/analyzers/flawfinder!80 (merged)
  - mobsf gitlab-org/security-products/analyzers/mobsf!53 (merged)
  - php-security-audit gitlab-org/security-products/analyzers/phpcs-security-audit!69 (merged)
  - semgrep gitlab-org/security-products/analyzers/semgrep!138 (merged)
  - secrets gitlab-org/security-products/analyzers/secrets!171 (merged)
  - kics gitlab-org/security-products/analyzers/kics!48 (merged)
  - nodejs-scan gitlab-org/security-products/analyzers/nodejs-scan!120 (merged)
  - pmd-apex gitlab-org/security-products/analyzers/pmd-apex!90 (merged)
Edited by Zach Rice