bug: Autoresolving of SAST findings works via rule deletion, not rule disablement
Summary
Following #368284 (closed) there's a nuance in terms of rule removal that we missed. There are 3 cases in which we auto-resolve:
1. Rule is removed from the default ruleset
2. Rule is overridden via a custom ruleset
3. Rule is disabled via a customized ruleset
Internally, 1 and 2 work via the same mechanism and work as expected. 3 is mechanically distinct: it post-processes the generated report rather than changing which rules run. As such, it is not correctly filtering out the disabled values, so the finding is not auto-resolved. All three cases should behave the same.
Steps to reproduce
- Fork https://gitlab.com/theoretick/insecure-js (note the custom ruleset disablement)
- Run the pipeline
- Note that `scan.primary_identifiers` still contains both identifiers - the rule is not auto-resolved
Example Project
https://gitlab.com/theoretick/insecure-js
What is the current bug behavior?
Custom ruleset disablement does not auto-resolve vulnerabilities, only removal of rule
What is the expected correct behavior?
Custom ruleset disablement should auto-resolve vulnerabilities
Output of checks
This bug happens on GitLab.com
Possible fixes
- Update `report.FilterDisabledRules` to modify `scan.primary_identifiers` (if present)
- Bump `report` and `command` versions to latest within the `semgrep` and `kics` analyzers
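To illustrate the proposed fix, here is an added example (not the analyzers' own `report` package): a filter that removes findings for disabled rules and also prunes those rules from `scan.primary_identifiers`, which is the step currently missing. The struct and field names are a trimmed-down assumption based on the GitLab security report schema, and matching on the first identifier's `value` as the rule id is likewise an assumption.

```go
package main

// Trimmed-down view of the GitLab security report schema; type and field
// names here are this example's own, not the analyzers' report package.
type Identifier struct {
	Type  string `json:"type"`
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Vulnerability struct {
	ID          string       `json:"id"`
	Identifiers []Identifier `json:"identifiers"` // first entry assumed primary
}

type Scan struct {
	PrimaryIdentifiers []Identifier `json:"primary_identifiers,omitempty"`
}

type Report struct {
	Scan            Scan            `json:"scan"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// FilterDisabledRules drops findings whose primary identifier belongs to a
// disabled rule AND prunes that rule from scan.primary_identifiers (when the
// analyzer emitted the list). Skipping the second step is the bug described
// above: the rule still appears to have run, so its findings never resolve.
func FilterDisabledRules(r Report, disabled map[string]bool) Report {
	kept := make([]Vulnerability, 0, len(r.Vulnerabilities))
	for _, v := range r.Vulnerabilities {
		if len(v.Identifiers) > 0 && disabled[v.Identifiers[0].Value] {
			continue
		}
		kept = append(kept, v)
	}
	r.Vulnerabilities = kept
	if r.Scan.PrimaryIdentifiers != nil {
		ids := make([]Identifier, 0, len(r.Scan.PrimaryIdentifiers))
		for _, id := range r.Scan.PrimaryIdentifiers {
			if !disabled[id.Value] {
				ids = append(ids, id)
			}
		}
		r.Scan.PrimaryIdentifiers = ids
	}
	return r
}
```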