SAST/SD: Shared remote ruleset configuration is not applied during report generation phase, and disabled rules are not filtered out of the report

Summary

SAST supports a remote custom ruleset file specified via the SAST_RULESET_GIT_REFERENCE variable. However, this file is not consulted during the "Creating report" step after the scan has run. This means that rules disabled in the remote file are not filtered out of the gl-sast-report.json file, and unwanted findings appear in GitLab.

Steps to reproduce

  1. Create a project with a Terraform main.tf file containing a known KICS vulnerability.
  2. Create another project with a custom .gitlab/sast-ruleset.toml file which disables the vulnerability rule.
  3. Run a kics-iac-sast scan against the first project, with SAST_RULESET_GIT_REFERENCE pointing at the ruleset project - the vulnerability is still reported.
  4. Now copy the custom ruleset to the .gitlab folder in the project being scanned.
  5. Repeat the scan against the project - now the vulnerability is not present in the report.

Example Project

https://gitlab.com/jfarmiloe/sast-remote-config-issue

What is the current bug behavior?

The remote configuration is not applied when the report is filtered for disabled rules.

What is the expected correct behavior?

The disabled rules should not create findings in the report.

Relevant logs and/or screenshots

From job log:

The remote config file is retrieved:

[DEBU] [kics] [2023-09-20T01:57:17Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2@v2.0.6/git.go:52] ▶ Copy /tmp/glsastruleset2323527327 to /tmp/glsastrulesetremoteref3713855747

No config file is found during report creation, so ruleset support is disabled:

[INFO] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v2@v2.2.0/run.go:179] ▶ Creating report
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/src/app/convert.go:42] ▶ Converting report with the root path: /builds/jfarmiloe/sast-remote-config-issue
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v4@v4.1.5/report.go:231] ▶ /builds/jfarmiloe/sast-remote-config-issue/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v4@v4.1.5/report.go:284] ▶ Applying report overrides
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v4@v4.1.5/report.go:292] ▶ /builds/jfarmiloe/sast-remote-config-issue/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v2@v2.2.0/jsonout.go:54] ▶ Optimizing JSON Output
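Added example (not code from the issue or from the GitLab analyzers) of the post-scan check this bug calls for: it parses gl-sast-report.json and lists findings whose identifier matches a rule the remote ruleset marks disable = true, which is exactly what leaks through when the report phase ignores the ruleset. The identifier type kics_id, the rule IDs and the sample report are assumed placeholders; with a correctly applied ruleset the function returns nothing.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Identifier matches a finding's "identifiers" entry and [kics.ruleset.identifier].
type Identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// Report is the subset of gl-sast-report.json this check needs.
type Report struct {
	Vulnerabilities []struct {
		Name        string       `json:"name"`
		Identifiers []Identifier `json:"identifiers"`
	} `json:"vulnerabilities"`
}

// DisabledFindings returns the names of findings whose identifier belongs to a
// [[kics.ruleset]] entry with disable = true; any result means the ruleset was not applied.
func DisabledFindings(raw []byte, disabled map[Identifier]bool) ([]string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var leaked []string
	for _, v := range r.Vulnerabilities {
		for _, id := range v.Identifiers {
			if disabled[id] { // one match is enough; report each finding once
				leaked = append(leaked, v.Name)
				break
			}
		}
	}
	return leaked, nil
}

// Constructed sample report: one finding the ruleset disables, one it does not.
const sampleReport = `{"vulnerabilities":[
 {"name":"Disabled rule still reported","identifiers":[{"type":"kics_id","value":"PLACEHOLDER-KICS-ID-1"}]},
 {"name":"Rule that stays enabled","identifiers":[{"type":"kics_id","value":"PLACEHOLDER-KICS-ID-2"}]}]}`

func main() {
	disabled := map[Identifier]bool{{Type: "kics_id", Value: "PLACEHOLDER-KICS-ID-1"}: true}
	leaked, err := DisabledFindings([]byte(sampleReport), disabled)
	fmt.Println(leaked, err) // [Disabled rule still reported] <nil>
}
```

Run it as a job after the SAST job and fail the pipeline when the returned list is non-empty.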

Output of checks

Results of GitLab environment info

Issue currently occurs on gitlab.com.


Possible fixes

Edited by Justin Farmiloe