feat: Add tracking-calculator to gosec
What does this MR do?
Adds tracking-calculator to gosec
This method is a bit of a departure from the way we built the image for brakeman, but I think it should be a bit more DRY as we build out other analyzers around the same scripts and tooling process. Happy to take thoughts/impressions.
Usage
❯ pwd
/Users/theoretick/code/gl/security-products/tests/go-modules
❯ docker run -it --rm --volume "$PWD":/tmp/project --env CI_PROJECT_DIR=/tmp/project --env GITLAB_FEATURES=vulnerability_finding_signatures analyzer
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ GitLab Gosec analyzer v2.20.1
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Detecting project
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Found project in /tmp/project
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Running analyzer
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Copying modules into path...
[INFO] [Gosec] [2021-05-04T22:43:06Z] ▶ Fetching dependencies...
[INFO] [Gosec] [2021-05-04T22:43:10Z] ▶ Running gosec...
[INFO] [Gosec] [2021-05-04T22:43:11Z] ▶ Creating report
running post analyzer
[INFO] [2021-05-04T22:43:11Z] ▶ /tmp/project/gl-sast-report-post.json written
❯ cat gl-sast-report.json | jq '.vulnerabilities | map(.tracking)'
[
  {
    "type": "source",
    "items": [
      {
        "file": "main.go",
        "line_start": 14,
        "line_end": 14,
        "signatures": [
          {
            "algorithm": "scope_offset",
            "value": "main.go|main[0]:1"
          }
        ]
      }
    ]
  },
  null,
  {
    "type": "source",
    "items": [
      {
        "file": "main.go",
        "line_start": 16,
        "line_end": 16,
        "signatures": [
          {
            "algorithm": "scope_offset",
            "value": "main.go|main[0]:3"
          }
        ]
      }
    ]
  },
  {
    "type": "source",
    "items": [
      {
        "file": "main.go",
        "line_start": 22,
        "line_end": 22,
        "signatures": [
          {
            "algorithm": "scope_offset",
            "value": "main.go|main[0]:9"
          }
        ]
      }
    ]
  }
]
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles