Incorporate Application Context when running SAST scans

Problem to solve

At the moment, our security rules in sast-rules do not take the context of an application into consideration (application context = type of application + operational context). This can cause false positives, and omitting the application context also makes it harder to prioritise findings, i.e. to differentiate more important issues from less important ones.

However, the type of an application as well as its operational context can be important factors to determine the severity of a vulnerability:

  1. Type of an application: For example, if we are looking at a CLI application, there are whole classes of vulnerabilities that can be ranked down. A CLI tool that formats XML files is unlikely to be vulnerable to web-security issues such as XSS, SSRF, CSRF, or session management issues, so we may want to deprioritise such findings.
  2. Operational context: If an application is deployed in the form of a Docker image, we can probably deprioritise findings related to DoS, file-system based attacks, etc.

Proposal

@idawson already implemented a tool called tstackor that can be used to detect the tech stack of an application. This information could be used to create a profile of an application. This profile could include information about the type of the application (CLI, Web, Server, Daemon, UI), which we can infer from files, libraries and API calls, and the operational context (Dockerfile, Terraform, OS package, ...).

This information could be used in different ways. Two possibilities include:

  1. Prioritisation of findings in the Vulnerability Report.
  2. Activation or deactivation of semgrep rules. We could introduce a guard to the semgrep rule syntax that disables or enables a particular rule based on the type of application or operational context. Just to illustrate the idea, in the example below we have a guard not(docker) that deactivates the rule for dockerized applications:
- id: "go_filesystem_rule-tempfiles"
  guards:
  - "not(docker)"
  languages:
  - "go"
  patterns:
  - pattern-either:
    - pattern: |
        os.WriteFile("$ARG", ...)
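To show how such guards could be evaluated end to end, here is an added example (not code from sast-rules, tstackor or semgrep). It assumes a hypothetical `guards` key holding boolean expressions over profile tags (`and`, `or`, `not(...)`, parentheses, all guards in the list must hold), an assumed set of file and import heuristics for inferring the profile, and an assumed table that downranks finding categories per context, following the CLI and Docker examples above. Sample files and rules are constructed for the example.

```python
"""Evaluate proposed rule guards against an inferred application profile.

Added example, not GitLab's, sast-rules' or semgrep's code. The `guards`
syntax, the profile heuristics and the DOWNRANK table are assumptions
built on the issue's illustration, not an implemented feature.
"""
import re

# Constructed sample repository: path -> content snippet, standing in for
# what a tech-stack detector such as tstackor would inspect.
SAMPLE_FILES = {
    "Dockerfile": 'FROM golang:1.22\nCOPY . /app\nENTRYPOINT ["/app/xmlfmt"]\n',
    "main.go": 'package main\n\nimport "github.com/spf13/cobra"\n',
    "internal/format/xml.go": 'package format\n\nimport "encoding/xml"\n',
}

# Constructed rules in the shape of the issue's illustration, already parsed
# from YAML into dicts; `categories` and `severity` are assumed extra metadata.
SAMPLE_RULES = [
    {"id": "go_filesystem_rule-tempfiles", "guards": ["not(docker)"],
     "languages": ["go"], "categories": {"filesystem"}, "severity": "Medium"},
    {"id": "go_web_rule-xss", "guards": ["web", "not(cli)"],
     "languages": ["go"], "categories": {"xss"}, "severity": "High"},
    {"id": "go_crypto_rule-weak-hash", "guards": [],
     "languages": ["go"], "categories": {"crypto"}, "severity": "High"},
]

# Assumed downranking table: profile tag -> finding categories that matter
# less in that context (mirrors the CLI and Docker examples in the issue).
DOWNRANK = {
    "cli": {"xss", "ssrf", "csrf", "session"},
    "docker": {"dos", "filesystem"},
}
SEVERITIES = ["Low", "Medium", "High", "Critical"]


def infer_profile(files):
    """Derive profile tags from file names and imports (assumed heuristics)."""
    tags = set()
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "Dockerfile" or name.endswith(".dockerfile"):
            tags.add("docker")
        if name.endswith(".tf"):
            tags.add("terraform")
        if name.endswith(".go") and '"net/http"' in content:
            tags.add("web")
        if "spf13/cobra" in content or "flag.Parse()" in content:
            tags.add("cli")
    return tags


# Tokens: parentheses, the keywords and/or/not, or a lowercase tag name.
_TOKEN = re.compile(r"\s*(?:(\()|(\))|(and|or|not)\b|([a-z_][a-z0-9_-]*))")


def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad guard syntax near {text[pos:]!r}")
        pos = m.end()
        tokens.append(next(g for g in m.groups() if g is not None))
    return tokens


class _GuardParser:
    """Recursive-descent evaluator: expr := term (or term)*, term := factor
    (and factor)*, factor := not(expr) | (expr) | TAG."""

    def __init__(self, text):
        self.toks, self.i = _tokenize(text), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self, profile):
        value = self._expr(profile)
        if self._peek() is not None:
            raise ValueError(f"unexpected trailing token {self._peek()!r}")
        return value

    def _expr(self, profile):
        value = self._term(profile)
        while self._peek() == "or":
            self._take()
            value = self._term(profile) or value  # always parse both sides
        return value

    def _term(self, profile):
        value = self._factor(profile)
        while self._peek() == "and":
            self._take()
            value = self._factor(profile) and value
        return value

    def _factor(self, profile):
        tok = self._take()
        if tok in (")", "and", "or"):
            raise ValueError(f"unexpected {tok!r}")
        if tok == "not":
            self._take("(")
            value = self._expr(profile)
            self._take(")")
            return not value
        if tok == "(":
            value = self._expr(profile)
            self._take(")")
            return value
        return tok in profile  # a bare tag is true when the profile has it


def evaluate_guard(text, profile):
    return _GuardParser(text).parse(profile)


def rule_active(rule, profile):
    """A rule stays active only if every guard in its list holds (assumed AND)."""
    return all(evaluate_guard(g, profile) for g in rule.get("guards", []))


def active_rule_ids(rules, profile):
    return [r["id"] for r in rules if rule_active(r, profile)]


def adjust_severity(severity, categories, profile):
    """Lower severity one step for each profile tag that downranks a category."""
    idx = SEVERITIES.index(severity)
    for tag in sorted(profile):
        if categories & DOWNRANK.get(tag, set()):
            idx = max(0, idx - 1)
    return SEVERITIES[idx]


if __name__ == "__main__":
    profile = infer_profile(SAMPLE_FILES)
    print("profile:", sorted(profile))
    print("active rules:", active_rule_ids(SAMPLE_RULES, profile))
    for rule in SAMPLE_RULES:
        adjusted = adjust_severity(rule["severity"], rule["categories"], profile)
        print(f'{rule["id"]}: {rule["severity"]} -> {adjusted}')
```

Run stand-alone, the constructed repository is profiled as a dockerized CLI, so the tempfiles rule from the illustration is switched off by its not(docker) guard, the XSS rule is switched off by its guards, and only the unguarded crypto rule remains active; the severity step shows the prioritisation alternative from option 1 applied to the same profile. Treating a guard list as a conjunction and lowering severity by one step per matching tag are design choices of this example, not behaviour defined in the issue.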

Intended users

Personas are described at https://handbook.gitlab.com/handbook/product/personas/

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Julian Thome