Disabling vulnerability from remote ruleset is not working
Summary
When trying to disable a vulnerability from a remote ruleset with passthrough type `url`, the rule is simply ignored and the vulnerability still shows up in the vulnerability report. This happens with Semgrep Analyzer version >= 5.3.3.
Steps to reproduce
- Create a new project and enable SAST.
- Copy the example `.gitlab-ci.yml`, `test.py` and `sast-ruleset.toml` files from the example projects listed below.
- Make sure that the `.gitlab-ci.yml` contains the following section (or a newer image version):

```yaml
semgrep-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: "5.3.3"
```

- Notice that not all the disabled vulnerabilities from the remote ruleset are actually disabled.
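For readers who do not open the linked example projects, the shape of the configuration this issue is about is shown below. This is an added illustration, not the `sast-ruleset.toml` from those projects: the passthrough URL and the rule ID are constructed placeholders, and the field names follow GitLab's documented custom-ruleset format.

```toml
# Added illustration of the configuration the issue describes; not the
# sast-ruleset.toml from the linked example projects. The passthrough URL
# and the rule ID below are constructed placeholders.
[semgrep]
  description = "Remote ruleset plus a disabled rule (illustrative example)"

  # Pull the rules from a remote location (passthrough type "url").
  [[semgrep.passthrough]]
    type = "url"
    value = "https://example.invalid/rules/custom-python-rules.yml"  # placeholder URL
    target = "custom-python-rules.yml"

  # Disable one rule that lives in that remote ruleset. The report in this
  # issue is that this entry is ignored from analyzer 5.3.3 onward, so the
  # finding still appears in the vulnerability report.
  [[semgrep.ruleset]]
    disable = true
    [semgrep.ruleset.identifier]
      type = "semgrep_id"
      value = "custom-python-rules.example-rule-id"  # placeholder rule ID
```

To check whether the disable entry is honoured, compare the pipeline's security report between an analyzer image tag below 5.3.3 and one at or above it with the same `sast-ruleset.toml`; the finding for the disabled rule should be absent in both, and the issue is that it is only absent in the older one.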
Example Project
- Example for version 5.3.2, where this is still working: https://gitlab.com/gitlab-com/support/test-projects/ci-examples/secure/custom-rulesets/python-disable-ruleset/-/pipelines/1368097153/security
- Example for version 5.3.3, where this is no longer working: https://gitlab.com/gitlab-com/support/test-projects/ci-examples/secure/custom-rulesets/python-disable-ruleset/-/pipelines/1368096064/security
- Example for version 5.5.0, where it is still not working as expected: https://gitlab.com/sc-ultimate-group/training/sast/semgrep_test_project/-/pipelines/1373802037/security
What is the current bug behavior?
When trying to disable a vulnerability from a remote ruleset with passthrough type `url`, the rule is simply ignored and the vulnerability shows up in the vulnerability report.
What is the expected correct behavior?
When disabling a vulnerability from a remote ruleset with passthrough type `url`, the rule should be respected and the vulnerability should not show up in the vulnerability report.
Output of checks
This happens on GitLab.com.