Fix Semgrep rule IDs for Security Code Scan
Summary
C# vulnerabilities detected by the new Semgrep ruleset (#347258 (closed)) are being reported with an incorrect rule ID, so the same finding is also reported by Security Code Scan (SCS) under its own ID, leading to duplicates in the vulnerability report.
Steps to reproduce
- Set up a C# repo with SAST enabled so that both the SCS and Semgrep analyzers execute.
- Observe duplicate findings for the same vulnerability in the vulnerability report.
Example Project
For a live example, search for SCS0005 in the vulnerability report of this test project.
Possible fixes
Modify convert.go to format Security Code Scan rule IDs correctly. The correct form of the ID is SCSxxxx, with no prefix or suffix.
We can do this after gitlab-org/security-products/analyzers/semgrep!147 (closed) is merged, as it changes some of the structure of the conversion functions.
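As an added illustration of the normalization this fix needs (example code written for this issue, not the analyzer's own convert.go), the helper below extracts the bare SCSxxxx identifier from a Semgrep rule ID that carries a namespace prefix or a variant suffix, and shows how unnormalized IDs inflate the distinct-finding count. The prefixed and suffixed input spellings are constructed assumptions, not the actual IDs emitted by the ruleset.

```go
package main

import (
	"fmt"
	"regexp"
)

// scsIDPattern matches a Security Code Scan identifier (SCS followed by four
// digits) as a whole word anywhere inside a longer Semgrep rule ID.
var scsIDPattern = regexp.MustCompile(`\bSCS\d{4}\b`)

// NormalizeSCSRuleID returns the bare SCSxxxx identifier from a rule ID that
// may carry a prefix or suffix. The boolean is false when the input contains
// no SCS identifier, so callers can leave non-SCS rules untouched.
func NormalizeSCSRuleID(ruleID string) (string, bool) {
	m := scsIDPattern.FindString(ruleID)
	if m == "" {
		return ruleID, false
	}
	return m, true
}

// DistinctRuleIDs counts distinct identifiers in a list of reported rule IDs,
// either as given or after normalization. Deduplication in the vulnerability
// report keys on this identifier, so a higher count here means duplicates.
func DistinctRuleIDs(ruleIDs []string, normalize bool) int {
	seen := map[string]struct{}{}
	for _, id := range ruleIDs {
		if normalize {
			id, _ = NormalizeSCSRuleID(id)
		}
		seen[id] = struct{}{}
	}
	return len(seen)
}

func main() {
	// Constructed sample: one SCS0005 finding reported under three spellings
	// (the prefixed and suffixed forms are hypothetical).
	ids := []string{"SCS0005", "security_code_scan.SCS0005", "SCS0005-1"}
	fmt.Println(DistinctRuleIDs(ids, false), DistinctRuleIDs(ids, true)) // 3 1
}
```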
Edited by James Liu