Migrate MobSF rules to Semgrep-based analyzer
Proposal
Migrate MobSF rules to the Semgrep-based analyzer's ruleset (managed by GitLab) and deprecate MobSF.
As suggested by #444289 (comment 1800533977)
- do more of a “the old scan results are gone; going forward here is the new scanning” approach
- filter the ruleset at this point based on security value
Technical discovery for this issue was done in #329712 (closed)
This issue is related to #412060 (closed)
Implementation plan
- Import MobSF rules to sast-rules
  - Follow PM's advice, check security value
  - Include rules
  - Include tests
  - Add mapping and ensure the IDs are the same as those generated in MobSF
    - Compare primary IDs to MobSF primary IDs
    - Ensure long primary IDs don't affect the vulnerability report on GitLab.com
  - The rules directory should be included in ci/testcase_presence_check.rb
  - Fix severity
  - Ensure LGPL license compliance
    - Ensure the correct license is stored next to the rules
    - Add comments about LGPL in each migrated rule
- Test 'takeover'
  - Check rule quality, test FP
- Add the glob patterns '**/*.swift' and '**/*.m' to the `rules` section of the `semgrep-sast` job, and deprecate the `mobsf-*` jobs, in the following templates:
  - SAST.latest.gitlab-ci.yml
  - SAST.gitlab-ci.yml
- Update the supportedExt variable in semgrep to include .swift and .m
- Update semgrep with the new version of sast-rules
- Update semgrep and release
- Add deprecation notice to MobSF
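The template change described in the plan, shown as an added illustration rather than a copy of GitLab's SAST templates: it assumes the `semgrep-sast` job selects files through an `exists:` list under `rules`, and the existing extensions listed are placeholders, not the template's actual list. The two new globs are the only lines the plan asks to add.

```yaml
# Illustrative fragment of a semgrep-sast job (not the real SAST.gitlab-ci.yml).
# The job should run when Swift or Objective-C sources exist, so that the
# migrated MobSF rules are exercised once the mobsf-* jobs are deprecated.
semgrep-sast:
  extends: sast
  rules:
    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        # existing extensions (placeholder list, assumed)
        - '**/*.py'
        - '**/*.js'
        # added by this migration so the job triggers on iOS code
        - '**/*.swift'
        - '**/*.m'
```

The `supportedExt` update in the analyzer is the companion change: the template decides whether the job runs at all, while the analyzer's extension list decides which files are actually handed to Semgrep, so both must list `.swift` and `.m` or iOS projects will silently get no findings.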
MR: !518
Edited by Hua Yan