Update converted SAST analyzers with new rules from upstream
Proposal
Conduct a one-time census to identify rules added upstream after we converted open-source analyzers to Semgrep-based scanning. Add rules whenever feasible.
- Bandit
- Gosec
- SpotBugs/find-sec-bugs
- eslint
- security-code-scan
Implementation Plan
Steps
- Pull the newly added rules from the Upstream, excluding the rules which could not be translated due to Semgrep limitations.
- Translate these rules into Semgrep-equivalent rules and add them along with the mapping of native analyzer's IDs into
sast-rulesrepository. - Generate a new ruleset distribution using the instructions described here.
- Copy over the new ruleset distribution into
Semgrep/rulesto reflect rule changes in the Analyzer. NOTE: Follow this step only until gitlab-org/security-products/analyzers/semgrep!147 (closed) is merged.
New Rules from Upstream
There are a few new rules across the above-mentioned upstreams that are as follows:
-
Bandit: 10 new rules | https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/112 -
Gosec: 4 new rules | MR -
SpotBugs/find-sec-bugs: 7 new rules | MR -
ESLint: 2 new rules | MR -
security-code-scan: 1 new rule | NA (Check task for details)
A task is created for each analyzer in this issue to track the progress of the sync process.
Edited by Vishwa Bhat