Upgrade SAST analyzers to use v15 of the Security Report Schema
Problem to solve
Upgrade groupstatic analysis analyzers to produce reports adhering to version 15 of the Security Report Schema.
Among other improvements, it fully deprecates the cve field which has been troublesome, confusing, and seldom used.
groupstatic analysis analyzers produce the JSON reports with the help of the shared report package. The package is responsible for serialising the findings, along with metadata such as the schema version of the report. For example, this Semgrep report for a Go scan adheres to version 14.0.4 of the SAST report schema.
Proposal
Options:
Modify thereportpackage to be capable of generating reports that are compliant with v14 and v15 of the schema. The type of report to be generated is determined by theCI_SERVER_VERSION_MAJORenv var. Publish a new version ofreportand bump it across all analysers as a minor version bump. Result: folks running an older version of GitLab self-managed can continue to use the latest analysers.- Modify the
reportpackage to only generate v15 compliant reports. Publish a new version ofreportand bump it across all analyzers as a major version bump. Other shared packages likecommandmay also need to be updated with a major version bump ifreportis being pulled as a transitive dependency. Update the SAST, IaC, and SD jobs to pin to the latest major series. Result: folks running an older version of GitLab self-managed can only use older versions of the analysers.
We have decided on Option 2.
Here's a checklist of the analyzers which need updating:
Analyzers
-
https://gitlab.com/gitlab-org/security-products/analyzers/brakeman | gitlab-org/security-products/analyzers/brakeman!120 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan | no longer supported starting in 16.0 so no analyzer update is needed -
https://gitlab.com/gitlab-org/security-products/analyzers/semgrep | gitlab-org/security-products/analyzers/semgrep!239 (merged) -
Remove high-FP conditional filtering and always drop high-FP rule, see discussion
-
-
https://gitlab.com/gitlab-org/security-products/analyzers/mobsf | gitlab-org/security-products/analyzers/mobsf!72 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder | gitlab-org/security-products/analyzers/flawfinder!96 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/kics | gitlab-org/security-products/analyzers/kics!69 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/sobelow | gitlab-org/security-products/analyzers/sobelow!96 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit | gitlab-org/security-products/analyzers/phpcs-security-audit!83 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/secrets | gitlab-org/security-products/analyzers/secrets!214 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/kubesec | gitlab-org/security-products/analyzers/kubesec!84 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan | gitlab-org/security-products/analyzers/nodejs-scan!136 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex | gitlab-org/security-products/analyzers/pmd-apex!105 (merged) -
https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs | gitlab-org/security-products/analyzers/spotbugs!167 (merged)
Templates
-
Open an MR for the SAST and SAST.latest templates bumping the analyzer versions | !118836 (merged) -
Open an MR for the Secret-Detection and Secret-Detection.latest template bumping the analyzer version | Secret Detection: !118833 (merged) and Secret-Detection.latest: -
Open an MR for the SAST-IaC and SAST-IaC.latest template bumping the analyzer version |
Both sets of tasks are ready for development but the template MRs should not be merged until a day or two before 16.0 is completed.