Map GoSec rules to CWEs to improve SAST for Go
Problem to solve
Our analyzer for Go only provides basic information to users, as shown in https://gitlab.com/gitlab-org/gitlab-ee/issues/14781. In that issue we decided to add a mapping between the rules of this tool (gosec) and CWEs, to improve the user experience and lead developers to easier remediation.
Intended users
Further details
See https://gitlab.com/gitlab-org/gitlab-ee/issues/14781 for details. Our findings on Go are hard to investigate because of the lack of context.
Proposal
Improve gosec by contributing the mapping to the upstream project. If that is not possible, add the rule mapping to our analyzer.
As @dappelt mentioned, having CWEs in findings will also directly allow us to categorize a finding under one of the OWASP Top 10 categories (when the CWE is listed in https://cwe.mitre.org/data/definitions/1026.html), in case some users need this information (cc @andyvolpe @kmann).
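To make the proposal concrete, here is an added example (not code from gosec or from our analyzer) of the enrichment step the mapping would enable: it reads a gosec JSON report, attaches a CWE entry to each finding whose rule is in the table, and then derives an OWASP Top 10 2017 category from the CWE-1026 view. The rule-to-CWE table and the CWE-to-OWASP table are illustrative subsets (assumptions) that follow the rules' own descriptions; both need to be validated against the upstream rule documentation and the CWE-1026 member list before shipping. The sample report is constructed, and the field names follow gosec's JSON output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// CWE is the enrichment this example attaches to a finding.
type CWE struct {
	ID   string `json:"id"`
	Name string `json:"name"`
	URL  string `json:"url"`
}

// Issue carries the gosec JSON fields used here (gosec -fmt=json emits an
// "Issues" array with lowercase keys such as rule_id, details, file, line).
// The cwe and owasp_top10_2017 fields are added by this example, not by gosec.
type Issue struct {
	RuleID  string `json:"rule_id"`
	Details string `json:"details"`
	File    string `json:"file"`
	Line    string `json:"line"`
	CWE     *CWE   `json:"cwe,omitempty"`
	OWASP   string `json:"owasp_top10_2017,omitempty"`
}

// Report is the top-level shape of a gosec JSON report, reduced to Issues.
type Report struct {
	Issues []Issue `json:"Issues"`
}

// ruleToCWE is an illustrative subset (assumption): each entry follows the
// rule's own description, but the full table must be checked against the
// upstream rule documentation before it ships.
var ruleToCWE = map[string]CWE{
	"G101": {ID: "798", Name: "Use of Hard-coded Credentials"},
	"G201": {ID: "89", Name: "SQL Injection"},
	"G202": {ID: "89", Name: "SQL Injection"},
	"G203": {ID: "79", Name: "Cross-site Scripting"},
	"G204": {ID: "78", Name: "OS Command Injection"},
	"G401": {ID: "326", Name: "Inadequate Encryption Strength"},
	"G501": {ID: "327", Name: "Use of a Broken or Risky Cryptographic Algorithm"},
}

// cweToOWASP is a subset (assumption) of the CWE-1026 view, which groups
// CWEs under the OWASP Top 10 2017 categories. A CWE absent from the view
// simply gets no category, and callers must tolerate that.
var cweToOWASP = map[string]string{
	"78":  "A1:2017-Injection",
	"89":  "A1:2017-Injection",
	"798": "A2:2017-Broken Authentication",
	"326": "A3:2017-Sensitive Data Exposure",
	"327": "A3:2017-Sensitive Data Exposure",
	"79":  "A7:2017-Cross-Site Scripting (XSS)",
}

func cweURL(id string) string {
	return fmt.Sprintf("https://cwe.mitre.org/data/definitions/%s.html", id)
}

// Enrich attaches CWE and OWASP data to every issue whose rule is known.
// Unknown rules are returned unchanged rather than dropped or guessed at.
func Enrich(issues []Issue) []Issue {
	out := make([]Issue, len(issues))
	for i, is := range issues {
		out[i] = is
		c, ok := ruleToCWE[is.RuleID]
		if !ok {
			continue
		}
		c.URL = cweURL(c.ID)
		out[i].CWE = &c
		out[i].OWASP = cweToOWASP[c.ID] // "" when CWE-1026 lists no category
	}
	return out
}

// EnrichReport parses a gosec JSON report and returns it with enriched issues.
func EnrichReport(raw []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parse gosec report: %w", err)
	}
	r.Issues = Enrich(r.Issues)
	return &r, nil
}

// SampleReport is a constructed gosec-style report so the example runs offline.
// G104 (unhandled errors) is deliberately left out of the table to show the
// unmapped case.
const SampleReport = `{
  "Issues": [
    {"rule_id": "G101", "details": "Potential hardcoded credentials", "file": "cfg.go", "line": "12"},
    {"rule_id": "G201", "details": "SQL string formatting", "file": "db.go", "line": "40"},
    {"rule_id": "G104", "details": "Errors unhandled.", "file": "io.go", "line": "7"}
  ]
}`

func main() {
	r, err := EnrichReport([]byte(SampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	_ = enc.Encode(r)
}
```

The design choice worth keeping whichever side (upstream or our analyzer) ends up owning the table: a rule with no mapping passes through untouched, so a gap in the table degrades to today's behaviour instead of attaching a wrong CWE, and the OWASP category is derived from the CWE rather than from the rule, so it stays consistent with CWE-1026 when the rule table changes.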
Permissions and Security
N/A.
Documentation
N/A.
Testing
N/A.
What does success look like, and how can we measure that?
Findings for Go projects expose more fields and data to users, at minimum a CWE identifier per finding.
What is the type of buyer?
Links / references
https://gitlab.com/gitlab-org/gitlab-ee/issues/14781
/cc @julianthome