Manage release of sast-rules removals
Context
The sast-rules main branch currently includes a number of rule removals that delete rules that are likely to produce false positives. These removals must be released in stages so that when the rules are removed, large numbers of auto resolutions for the removed rules won't be triggered.
To add complexity to this, the current version of sast-rules that has been released in semgrep is 1.3.30+2. This is a patched version of 1.3.30 to fix two critical rule errors.
When releasing the rule removals, these fixes must stay in place.
Proposal
Step 1 - Revert all rule removals from the sast-rules main branch
The main branch of sast-rules can not be released to semgrep as doing so has the potential to cause extra load on the monolith that could cause failure. Reverting the unreleased rule removals from the main branch will allow main to be releasable again.
Create sast-rules 1.3.39 by
-
revert all removals from main - gitlab-org/security-products/sast-rules!214 (merged) -
ensure the fixes in 1.3.30+1 and 1.3.30+2 are included in main - gitlab-org/security-products/sast-rules!214 (merged)
Release this version of sast-rules in semgrep
Step 2 - Create new rule removal MRs but do not merge
Create an MR for each rule removal so that they can be re-merged in stages when we're confident that monolith can handle the load.
Create new MRs for:
-
gitlab-org/security-products/sast-rules!193 (merged) - gitlab-org/security-products/sast-rules!220 (merged) -
gitlab-org/security-products/sast-rules!198 (merged) - gitlab-org/security-products/sast-rules!219 (merged) -
gitlab-org/security-products/sast-rules!199 (merged) - gitlab-org/security-products/sast-rules!218 (merged) -
gitlab-org/security-products/sast-rules!197 (merged) - gitlab-org/security-products/sast-rules!217 (merged) -
gitlab-org/security-products/sast-rules!194 (merged) - gitlab-org/security-products/sast-rules!216 (merged) -
gitlab-org/security-products/sast-rules!188 (merged) - gitlab-org/security-products/sast-rules!215 (merged)
Step 3 - Merge and release rule removals in stages
Merge and release to semgrep each of the new rule removal MRs. When each removal is released, monitor the monolith to ensure the load is not too great.
| Ruleset | Target Release Date | Status | SA Engineer | VR Engineer |
|---|---|---|---|---|
| C | 2023-10-23 | Released - MR | @craigmsmith | @idawson |
| Go | 2023-10-31 | Released - MR | @craigmsmith | @idawson |
| Python | 2023-11-06 | Released - MR | @craigmsmith | @idawson |
| Javascript | 2023-11-13 | Released MR | @craigmsmith | |
| C Sharp | 2023-11-20 | Released MR | @craigmsmith | |
| Java | 2023-11-28 | Released MR | @craigmsmith |
Comms Strategy
-
Notify the following stakeholders that rule removals are coming up, and auto-resolution will happen for those vulns once customers receive the relevant automatic updates: -
Support pod and CS stable counterparts via a Support Readiness issue -
AppSec via Slack -
Threat Insights via Slack - DRI: Development ( @amarpatel)
-
-
Create release post announcing the change - DRI: @sarahwaldner