
Draft: Specify more SAST analyzers for sort order

rossfuhrman requested to merge rf-order-more-analyzers into master

What does this MR do and why?

These SAST analyzers also have coverage from Semgrep. We need to give them a sort order for deduplication purposes.

Request access to see an example of this bug: https://gitlab.com/rossfuhrman/more-testing/-/security/vulnerability_report

Steps to reproduce current bug:

  1. Merge MR that has Python and Go vulnerabilities and has the bandit and gosec analyzers run, but excludes the semgrep analyzer.
  2. Note that vulnerabilities show for both languages.
  3. Merge MR that turns on semgrep, so that it runs alongside bandit and gosec.
  4. Note that the bandit vulnerabilities are not duplicated, but the gosec vulnerabilities are.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by rossfuhrman
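The deduplication behaviour the description above relies on, as an added illustration that is not GitLab's own code: findings from several analyzers are grouped by a fingerprint (here a hypothetical CWE plus file and line), and within each group the analyzer with the lowest position in a sort-order table wins. An analyzer with no entry in the table is skipped by the pass, so its findings survive alongside the Semgrep copy, which is the duplication the reproduction steps describe for gosec. The table values, the `Finding` struct, the fingerprint rule and the sample findings are all assumptions made for this example.

```ruby
# Added example (not GitLab's code): analyzer sort order driving
# deduplication of SAST findings reported by more than one analyzer.
# The priority values, Finding fields, fingerprint rule and sample
# findings below are hypothetical.

Finding = Struct.new(:analyzer, :cwe, :file, :line, :title, keyword_init: true)

# Lower number wins when two analyzers report the same finding.
# Hypothetical table: semgrep preferred, language-specific tools after it.
ANALYZER_ORDER_BEFORE = { 'semgrep' => 1, 'bandit' => 2 }.freeze
# Same table with gosec added, as the MR sets out to do.
ANALYZER_ORDER_AFTER  = ANALYZER_ORDER_BEFORE.merge('gosec' => 3).freeze

# Two findings are treated as the same vulnerability when they point at the
# same weakness (CWE) at the same location. This rule is an assumption.
def fingerprint(finding)
  [finding.cwe, finding.file, finding.line]
end

# Keep one finding per fingerprint, chosen by analyzer order. Findings from
# an analyzer absent from the order table are passed through untouched,
# which reproduces the duplication observed for gosec.
def deduplicate(findings, order)
  ranked, unranked = findings.partition { |f| order.key?(f.analyzer) }
  kept = ranked.group_by { |f| fingerprint(f) }
               .values
               .map { |group| group.min_by { |f| order.fetch(f.analyzer) } }
  kept + unranked
end

# Constructed sample: one Python and one Go weakness, each seen by two analyzers.
SAMPLE_FINDINGS = [
  Finding.new(analyzer: 'bandit',  cwe: 'CWE-78',  file: 'app/run.py',   line: 12, title: 'subprocess with shell=True'),
  Finding.new(analyzer: 'semgrep', cwe: 'CWE-78',  file: 'app/run.py',   line: 12, title: 'dangerous subprocess use'),
  Finding.new(analyzer: 'gosec',   cwe: 'CWE-338', file: 'pkg/token.go', line: 40, title: 'use of math/rand'),
  Finding.new(analyzer: 'semgrep', cwe: 'CWE-338', file: 'pkg/token.go', line: 40, title: 'math/rand is not crypto-secure'),
].freeze

# Summarise what the report would show for a given order table.
def report(order)
  deduplicate(SAMPLE_FINDINGS, order).map { |f| [f.analyzer, f.cwe] }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts "before (gosec unordered): #{report(ANALYZER_ORDER_BEFORE).inspect}"
  puts "after  (gosec ordered):   #{report(ANALYZER_ORDER_AFTER).inspect}"
end
```

With the first table the bandit finding is folded into its Semgrep twin while both gosec and Semgrep copies of the Go finding remain; once gosec has an entry, only the Semgrep copy of each finding is kept.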
