Refactor php-related SAST rules
Proposal
I attempted to adjust the SAST rules for PHP to prevent both a semgrep-sast and gitlab-advanced-sast pipeline from running when a PHP file is present; however, there were some issues with the approach, as pointed out by @philipcunningham here:
> if someone sets `GITLAB_ADVANCED_SAST_ENABLED: true` but `FF_GLAS_ENABLE_PHP_SUPPORT: false`, the `gitlab-advanced-sast` job will run but skip PHP files internally, while `semgrep-sast` won't run for PHP files since they've been removed from `.semgrep-with-advanced-sast-exist-rules`. This leaves PHP files with no scanning coverage at all.
After further consideration, I decided against adjusting the SAST rules for now and to create another issue to track a different process instead, which is the purpose of this issue.
Implementation Plan
- Close Adjust SAST exists rule for php (!200262 - merged) • Adam Cohen • 18.4, and create a new MR containing only the new tests that were added in Adjust SAST exists rule for php (!200262 - merged) • Adam Cohen • 18.4. Add tests for php exist pattern in SAST template (!200379 - merged) • Adam Cohen • 18.3
- Remove the additional complexity added in Upgrade to latest rules (components/sast!27 - merged) • Klok so that both the CI component and the SAST.latest.gitlab-ci.yml template contain the same logic. Simplify SAST component to match CI template (components/sast!34 - merged) • Adam Cohen
- Implement [Feature flag] Cleanup FF_GLAS_ENABLE_PHP_SUPPORT (#556849 - closed) • Adam Cohen • 18.4.
- Re-open and merge the code from Adjust SAST exists rule for php (!200262 - merged) • Adam Cohen • 18.4 now that FF_GLAS_ENABLE_PHP_SUPPORT has been removed.