SAST findings can be difficult for people to understand. What should I do about the particular issue I've just been told about? How do I fix it?
Currently we use the description field to describe the problem, but sometimes we don't do a great job of helping people know what to do to fix the problem.
Proposal
Sweep through GitLab-maintained rules and ensure that there is enough information to allow a competent developer (who is not necessarily a security expert) to know what to do next, or at least what research to do.
One of the key asks I get a lot from the field is vulnerability/remediated code examples based on the language.
Just thinking out loud: since we are based on Semgrep, could we perhaps link to the Semgrep registry, e.g., Python SQL injection, as they do provide that information for their rules?
Our rules aren't sourced from the community-maintained rules in the Semgrep registry, so I don't think that's the right solution. (Our rules themselves do show up in the registry though.)
@idawson has been going through the rules improving the text significantly as part of a few related issues. May be able to close this one out as a duplicate of those, in fact.
I won't close this yet as we seem not to have done these yet:
JavaScript (including TS and React)
Scala
Python
But I'm referring to this effort in a %16.1 release post item (gitlab-com/www-gitlab-com!126064 (merged)). It seems worse to promote this to an epic (which would invalidate current links).