feat: Add support for scope_offset_compressed signature type
What does this MR do and why?
The new scope_offset_compressed algorithm calculates more stable signatures that uniquely identify vulnerabilities as they move around a codebase.
This MR must be merged before we can produce the new signature types within Category:SAST analyzers, otherwise the reports will be rejected.
Relates to [internal only] https://gitlab.com/gitlab-org/gitlab/-/issues/404529+s
How to set up and validate locally
- Update the CI configuration of a project with SAST vulnerabilities to point at the patched semgrep container:

  ```yaml
  semgrep-sast:
    image:
      name: registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:bump-tc
  ```
- Run pipeline
- Ensure report was ingested successfully
- Open rails console
- Check that at least one finding signature with the new algorithm type was stored:

  ```ruby
  Vulnerabilities::FindingSignature.where(algorithm_type: 4).count.positive?
  ```
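To show why the MR is a prerequisite, here is an added example (not GitLab's own ingestion code) that models the allowlist check behind "the reports will be rejected": a report carrying a signature algorithm the instance does not recognise is refused, and once the type is registered the signatures are mapped to rows that the rails-console check above would count. The value 4 for scope_offset_compressed comes from the validation step; the other numeric values, the helper names and the sample report excerpt are assumptions constructed for illustration, following the `tracking.items[].signatures[]` layout of a SAST report.

```ruby
require 'json'

# Assumed enum mapping: only the value 4 for scope_offset_compressed is taken from
# the MR's validation step, the others are illustrative.
ALGORITHM_TYPES_BEFORE = { 'hash' => 1, 'location' => 2, 'scope_offset' => 3 }.freeze
ALGORITHM_TYPES_AFTER  = ALGORITHM_TYPES_BEFORE.merge('scope_offset_compressed' => 4).freeze

# Constructed excerpt of a SAST report, reduced to the fields that carry signatures.
SAMPLE_REPORT = <<~JSON
  {
    "vulnerabilities": [
      {
        "id": "finding-1",
        "tracking": {
          "type": "source",
          "items": [
            {
              "signatures": [
                { "algorithm": "scope_offset", "value": "abc" },
                { "algorithm": "scope_offset_compressed", "value": "def" }
              ]
            }
          ]
        }
      }
    ]
  }
JSON

# Validate every signature algorithm in the report against the allowlist.
# Returns [:rejected, unknown_algorithm_names] when any algorithm is unknown,
# otherwise [:ok, rows] where each row mirrors a FindingSignature record.
def validate_report(json, allowed)
  report = JSON.parse(json)
  signatures = report.fetch('vulnerabilities', []).flat_map do |vuln|
    items = vuln.dig('tracking', 'items') || []
    items.flat_map { |item| item.fetch('signatures', []) }
  end

  unknown = signatures.map { |sig| sig['algorithm'] }.uniq.reject { |name| allowed.key?(name) }
  return [:rejected, unknown] unless unknown.empty?

  rows = signatures.map { |sig| { algorithm_type: allowed[sig['algorithm']], value: sig['value'] } }
  [:ok, rows]
end

# Same question as the rails-console check in the validation steps:
# was at least one scope_offset_compressed signature stored?
def new_signature_present?(rows)
  rows.count { |row| row[:algorithm_type] == 4 }.positive?
end

if __FILE__ == $PROGRAM_NAME
  p validate_report(SAMPLE_REPORT, ALGORITHM_TYPES_BEFORE) # rejected before the MR
  status, rows = validate_report(SAMPLE_REPORT, ALGORITHM_TYPES_AFTER)
  p [status, new_signature_present?(rows)]                   # accepted after the MR
end
```

Running the report through the pre-MR allowlist reproduces the rejection (the unknown name is scope_offset_compressed); with the type registered the same report is accepted and the console-style check returns true.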
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Adam Cohen