License notices are incorrectly applied in sast-rules distribution package
Problem to Solve
Some of the rules mapped in mappings/gitlab_java.yml are licensed incorrectly.
rule-JacksonUnsafeDeserialization.yml is licensed under the GitLab EE license and released under the same license, so that rule is both licensed and released correctly.
The following rules are correctly stored under rules/lgpl-cc/ (and carry the LGPL+CC license notice) but are released under GitLab EE when they should be released under LGPL+CC:
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/ac58a76f867687747c33b5b8daa4822495010b34/rules/lgpl-cc/java/ftp/rule-FTPInsecureTransport.yml#L1
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/fd89824d784b3f91758b658f93e7ce404b1c6983/rules/lgpl-cc/java/password/rule-HardcodeKey.yml#L1
- https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/fd89824d784b3f91758b658f93e7ce404b1c6983/rules/lgpl-cc/java/crypto/rule-JwtNoneAlgorithm.yml#L1
Because these mis-licensed rules are released to dist/gitlab/gitlab_java.yml, they have not been included in semgrep and so are not available to customers. Once the rules are properly released, they should also be included in semgrep.
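A consistency check that would have caught the mismatch above, added here as an example and not part of the sast-rules project. It treats a rule as consistent only when three things agree: the license directory it is stored under (rules/<license>/...), the license notice on its first line, and the license directory of the distribution file it is released to (dist/<license>/...). The mapping structure (a dict of dist file to rule paths), the "# license: <id>" header convention, and the storage path and header used for the Jackson rule are assumptions for the example; the real mappings/gitlab_java.yml schema is not described in this issue.

```python
import re
from pathlib import PurePosixPath

# Assumed layout: rules/<license>/<lang>/<category>/rule-X.yml and
# dist/<license>/<name>.yml. The second path component names the license.
def license_from_path(path, root):
    parts = PurePosixPath(path).parts
    if len(parts) < 3 or parts[0] != root:
        raise ValueError(f"{path!r} is not of the form {root}/<license>/...")
    return parts[1]

# Assumed header convention: the first line of a rule reads "# license: <id>".
HEADER_RE = re.compile(r"^#\s*license:\s*(\S+)", re.IGNORECASE)

def license_from_header(text):
    first = text.splitlines()[0] if text else ""
    m = HEADER_RE.match(first)
    return m.group(1).lower() if m else None

def audit(mapping, contents):
    """mapping: {dist_path: [rule_path, ...]} (assumed model of the mapping file).
    contents: {rule_path: file text}.
    Returns (rule_path, stored, declared, released) for every rule where the
    three license sources do not all agree."""
    findings = []
    for dist_path, rule_paths in mapping.items():
        released = license_from_path(dist_path, "dist")
        for rule_path in rule_paths:
            stored = license_from_path(rule_path, "rules")
            declared = license_from_header(contents.get(rule_path, ""))
            if not (stored == declared == released):
                findings.append((rule_path, stored, declared, released))
    return findings

# Constructed sample data mirroring the four rules named in the issue.
JACKSON = "rules/gitlab/java/deserialization/rule-JacksonUnsafeDeserialization.yml"
LGPL_RULES = [
    "rules/lgpl-cc/java/ftp/rule-FTPInsecureTransport.yml",
    "rules/lgpl-cc/java/password/rule-HardcodeKey.yml",
    "rules/lgpl-cc/java/crypto/rule-JwtNoneAlgorithm.yml",
]
CONTENTS = {JACKSON: "# license: gitlab\nrules: []\n"}
CONTENTS.update({p: "# license: lgpl-cc\nrules: []\n" for p in LGPL_RULES})

# The mapping as the issue describes it: all four rules go to the EE dist file.
BROKEN_MAPPING = {"dist/gitlab/gitlab_java.yml": [JACKSON] + LGPL_RULES}

# Corrected mapping: LGPL+CC rules released to an LGPL+CC dist file
# (dist/lgpl-cc/lgpl-cc_java.yml is an assumed name).
FIXED_MAPPING = {
    "dist/gitlab/gitlab_java.yml": [JACKSON],
    "dist/lgpl-cc/lgpl-cc_java.yml": LGPL_RULES,
}

if __name__ == "__main__":
    for rule, stored, declared, released in audit(BROKEN_MAPPING, CONTENTS):
        print(f"{rule}: stored={stored} declared={declared} released={released}")
    print("fixed mapping findings:", audit(FIXED_MAPPING, CONTENTS))
```

Run as a script, the audit reports the three LGPL+CC rules released under gitlab and nothing for the corrected mapping; wired into CI over the real mapping file, it would block a release that puts a rules/lgpl-cc/ file into a dist/gitlab/ output.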
Edited by Craig Smith