SAST/SD: Shared remote ruleset configuration is not applied during report generation phase, and disabled rules are not filtered out of the report
Summary
SAST supports the use of a remote custom ruleset file specified via the SAST_RULESET_GIT_REFERENCE variable. However, this file is not used during the "Creating report" step after the scan has run: the analyzer fetches the remote ruleset before scanning, but the report-generation step only looks for a local .gitlab/sast-ruleset.toml. This means that if rules are disabled in the remote file they are not filtered out of the gl-sast-report.json file and unwanted findings appear in GitLab.
Steps to reproduce
- Create a project with a Terraform main.tf file containing a known KICS vulnerability.
- Create another project with a custom .gitlab/sast-ruleset.toml file which disables the vulnerability rule.
- Run a kics-iac-sast scan against the first project with SAST_RULESET_GIT_REFERENCE pointing at the second project - the vulnerability is still reported.
- Now copy the custom ruleset to the .gitlab folder in the project being scanned.
- Repeat the scan against the project - now the vulnerability is not present in the report.
Example Project
https://gitlab.com/jfarmiloe/sast-remote-config-issue
What is the current bug behavior?
The remote configuration is retrieved before the scan but is not applied when the report is filtered for disabled rules; only a local .gitlab/sast-ruleset.toml is consulted at that point.
What is the expected correct behavior?
The disabled rules should not create findings in the report.
Relevant logs and/or screenshots
From job log:
Remote config file is retrieved.
[DEBU] [kics] [2023-09-20T01:57:17Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2@v2.0.6/git.go:52] ▶ Copy /tmp/glsastruleset2323527327 to /tmp/glsastrulesetremoteref3713855747
No config file found during report creation, ruleset support disabled
[INFO] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v2@v2.2.0/run.go:179] ▶ Creating report
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/src/app/convert.go:42] ▶ Converting report with the root path: /builds/jfarmiloe/sast-remote-config-issue
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v4@v4.1.5/report.go:231] ▶ /builds/jfarmiloe/sast-remote-config-issue/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v4@v4.1.5/report.go:284] ▶ Applying report overrides
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/report/v4@v4.1.5/report.go:292] ▶ /builds/jfarmiloe/sast-remote-config-issue/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [kics] [2023-09-20T01:58:28Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v2@v2.2.0/jsonout.go:54] ▶ Optimizing JSON Output
Output of checks
Results of GitLab environment info
Issue currently occurs on gitlab.com.
Possible fixes
Edited by Justin Farmiloe