Migrate NodeJS scan rules to Semgrep-based analyzer
Proposal
Migrate NodeJS Scan rules to the Semgrep-based analyzer's ruleset (managed by GitLab) and deprecate NodeJS Scan.
Only the active NodeJS Scan rules should be migrated:
Technical discovery for this issue was done in #362849 (closed)
Implementation Plan
-
Update sast-rules so LGPL rules and MIT rules are stored in different directories -
ensure the correct license is stored next to the rules
-
-
Import all njsscan rules to sast-rules - gitlab-org/security-products/sast-rules!204 (merged) -
include rules -
include tests -
add mapping and ensure the IDs are the same as those generated in nodejs scan -
ensure template rules have been added#395487 (comment 1724540054) -
Compare primary IDs to NodeJS Scan Primary IDs -
Ensure long primary IDs don't affect the vulnerability report on Gitlab.com -
The rules directory should be included in ci/testcase_presence_check.rb -
Fix severity
-
-
Update semgrep with the new version of sast-rules -
Update semgrep and release -
Add deprecation notice to nodeJS scan
Edited by Craig Smith