Include security severity levels in semgrep rules
Problem
Currently our semgrep rules only output severities of Info, Medium and Critical. This does not match what our documentation says for severity levels.
Proposed solution
semgrep has a `security-severity` metadata field that we can include in our rules to have it output the correct severity level. I've confirmed locally that this metadata field carries over into the SARIF output.
Example rule:

```yaml
---
rules:
- id: "c/buffer/rule-strcpyA_strcpyW"
  languages:
  - "c"
  message: |
    Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).
  metadata:
    security-severity: "HIGH"
```
//cc @julianthome @theoretick @amarpatel
Implementation Plan
The security-severity field was added to each rule in Add metadata severity to all rules (gitlab-org/security-products/sast-rules!395, merged, Craig Smith, 16.10).

The metadata.security-severity field for each rule must now be updated to match the rule -> severity mapping defined in https://docs.google.com/spreadsheets/d/1TiQn1LIDeYL1LzZx2llL_m8e6ognHRBzQtA60Pkmwww/edit#gid=0

Related comment: gitlab-org/security-products/sast-rules!395 (comment 1773849796)

- Write a script that iterates through the spreadsheet and, for each rule file (listed under the Rule column), sets its metadata.security-severity field to the Actual Severity value, then apply those changes.
- Update the changelog to include the changes made.
- In a subsequent MR, update the changelog to include any rule changes made since the last sast-rules release (@craigmsmith or @bhavyakaushal219-ext can help with this step).
- Release SAST rules.
- Update semgrep with the newly released sast rules.