Semgrep-SAST-analyzer runs for HTML-files but fails analyzing it
Summary
The SAST-Template lists HTML as one of the file-extensions semgrep should be started for (https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml#L231-240). However, HTML is not in the list of supported file extensions in the semgrep-analyzer (https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/plugin/plugin.go#L15), which makes the job fail.
The HTML-extension has been added in !97216 (merged).
Steps to reproduce
- Configure SAST in the UI with default settings (https://docs.gitlab.com/ee/user/application_security/sast/#configure-sast-in-the-ui-with-default-settings)
- Add an html-file
- Run semgrep-job (if not started automatically)
- View semgrep-output
What is the current bug behavior?
Semgrep fails if there are HTML-files in the project (and no other files Semgrep supports).
What is the expected correct behavior?
Semgrep should not be started or Semgrep should analyze HTML-files.
Note: Semgrep has only experimental support for HTML (https://semgrep.dev/docs/supported-languages/)
Relevant logs and/or screenshots
[WARN] [Semgrep] [2022-09-22T13:40:28Z] ▶ No match in /builds/gitlab/main/project
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files. Ensure that the artifact path is relative to the working directory
ERROR: No files to upload
Possible fixes
Removing .html from https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml#L231-240 (has been added in !97216 (merged))
Or
Adding .html to https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/plugin/plugin.go#L15
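The mismatch reported above, as an added example that is not part of the original issue or of GitLab's code: a small Go check that compares the extensions that start the job with the extensions the analyzer matches, and predicts the "No match" outcome for a given file set. The two extension lists and the file names are constructed samples, not the real contents of the template or of plugin.go, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample lists (assumptions, not copied from the GitLab sources).
var templateExts = []string{".py", ".js", ".go", ".html"} // rule that starts the job
var analyzerExts = []string{".py", ".js", ".go"}          // what the analyzer matches

func extSet(exts []string) map[string]bool {
	set := make(map[string]bool, len(exts))
	for _, e := range exts {
		set[strings.ToLower(e)] = true
	}
	return set
}

// drift lists extensions that start the job but that the analyzer never matches.
func drift(trigger, supported []string) []string {
	sup, out := extSet(supported), []string{}
	for _, e := range trigger {
		if !sup[strings.ToLower(e)] {
			out = append(out, e)
		}
	}
	return out
}

// predict reports whether the job starts and whether the analyzer finds a file to scan.
func predict(files, trigger, supported []string) (starts, matches bool) {
	trig, sup := extSet(trigger), extSet(supported)
	for _, f := range files {
		ext := strings.ToLower(filepath.Ext(f))
		starts = starts || trig[ext]
		matches = matches || sup[ext]
	}
	return starts, matches
}

func main() {
	files := []string{"index.html", "docs/about.html", "README.md"} // constructed
	fmt.Println("drift:", drift(templateExts, analyzerExts))
	if s, m := predict(files, templateExts, analyzerExts); s && !m {
		fmt.Println("job starts, analyzer finds no match, no gl-sast-report.json")
	}
}
```

Run against the real lists in a pipeline lint step, a non-empty drift result flags that the template and the analyzer have diverged before a job fails on it.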