Njsscan update
What does this MR do?
This MR updates the nodejs-scan analyzer to use the njsscan OSS project. The njsscan project is currently at v0.1.5 and uses semgrep for linting. This MR also adds custom ruleset support.
A new test project has been created for this update. Below is an example of the security dashboard.
- Note 1: there is a nodejsscan and an njsscan project. nodejsscan includes a web GUI which we don't need, hence why we are using njsscan.
- Note 2: integration tests have been removed as the QA tests cover e2e integration testing.
- Note 3: I know dangerbot is saying there are too many changes in this MR and it should be split up into multiple MRs... however, this is an analyzer rewrite, so I'm not sure how we would split this up into multiple MRs or what benefit we would get.
What are the relevant issue numbers?
gitlab-org/gitlab#220847 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles